X31-20051024-030 Sprint_NFCC_concerns


Network Firewall Configuration and Control Concerns
Brent Hirschman ([email protected])
October 24, 2005
Major Concerns for Security
Greatest concern for security is impact on RF Resources
•Handset viruses becoming significant concern
•Intrusion Detection system needs to be included
•Need to “Shut Down” Rogues
Security Architecture Concerns
•Parallel architectures for QoS, Security, AAA
•Introduction of new Protocols
•Intrusion Detection System Impact
Architecture Concerns
Basic NFCC Architecture
[Diagram labels: NNI, NLSP or PFCP, Session Mgr, Profile Mgr, User Profile DB, RAN, Traffic Filters, IP Ntwk, Ntwk Pres. Agent]
Intrusion Detection and Prevention Systems
[Diagram labels: NNI, RAD or DIA, VAAA, HAAA, RAN, Access Router, PDSN, HA, IP Ntwk, Intrusion Detection System, Intrusion Detection and Prevention System]
Architecture Concerns
Additional Capability of Intrusion Detection
[Diagram labels: NNI, NLSP or PFCP, Session Mgr, Profile Mgr, User Profile DB, RAN, Traffic Filters, Intrusion Detection System, IP Ntwk, Ntwk Pres. Agent. Annotation: Change Filters and tell PM of change and cause.]
Architecture Concerns - Basic AAA Picture
[Diagram labels: NNI, RAD or DIA, VAAA, HAAA, RAN, Access Router, PDSN, HA, IP Ntwk, User Profile DB]
Architecture Concerns
Basic NFCC Architecture
[Diagram labels: NNI, NLSP or PFCP, Session Mgr, Profile Mgr, User Profile DB, RAN, Traffic Filters, IP Ntwk, Ntwk Pres. Agent]
Architecture Concerns
Basic QoS Architecture
[Diagram labels: NNI, Visited PDP, Home PDP, COPS-PR, RAN, PEP, IP Ntwk, PEP, User Profile DB]
Architecture Concerns
Overlay Architecture – Why so many protocols?
[Diagram labels: NNI, AAA/SM/PDP, AAA/PM/PDP, RAD/DIA, NSLP/PFCP, COPS-PR, User Profile DB, RAN, PDSN/TF/PEP, IP Ntwk, HA/NPA/PEP]
Protocol Changes needed
RADIUS/DIAMETER – Need Peering and negotiation – only DIAMETER
COPS-PR – Need Visited and Home PDP – needed in world of Remote HAs.
NSLP/PFCP – Need for new protocol? Can we put it in another protocol?
Can we design a single protocol to do all this?