VoIP Mobility & Security


VoIP Mobility & Security
Securing Fixed-Mobile and Wireless VoIP Convergence Services
Scott Poretsky
Director of Quality Assurance
Reef Point Systems
Agenda
• FMC Top Driver for Technical Innovation in Networking Industry
• FMC Creates New Security Vulnerabilities and Solutions
• FMC Requires Defense-In-Depth Network Security Strategy
• Security Gateways Must be Validated for Network Deployments
• Conclusions
FMC Designed for Mass Market
• User-controlled reachability
• Ubiquitous access to services
• Single user identity across multiple locations
• Requires scalable, ubiquitous security solutions
FMC enables a consistent user experience: consumers on the go, at work, at home, working remotely.
Service Providers are Unifying Domains – Different Networks, User Identities & Applications
FMC Enables Revenue-Generating Blended Services
• Presence
• Push-to (Push-to-Talk, Push-to-View, etc.)
• VoIP and Rich Calls (with Video)
• Mobile Instant Messaging
• Mobile Video, VideoConferencing, Multiparty Gaming, IPTV
Service Provider FMC Deployments
• Unlicensed Mobile Access (UMA)
  – BT
  – T-Mobile
  – TeliaSonera
• IP Multimedia Subsystem (IMS)
  – Telecom Italia
  – Telefonica
  – Sprint
Millions of New Endpoints Require Massive Scalability
• New mobile data services and other multimedia services offered over wireless and converged networks create orders of magnitude more endpoints than wireline networks today
• Annual global sales of dual mode mobile phones are likely to exceed 100 million during the final year of this decade*
• Need to secure all endpoints simultaneously
*ABI Research May 05
FMC Security Vulnerabilities
[Diagram: a Fixed Mobile Converged IP Network interconnecting the Mobile Data Network (ATM/FR/IP/MPLS), Broadband Access/IP TV, PSTN, Cable/DSL, the Public IP Network and Wireless LAN]
• Requires secure and authorized access to network
• More users = more miscreants
• Single network = more damage from network attack
FMC Security Solutions
Mobile handset subscribers are able to roam freely to make voice calls and access Internet services.
• Secure Access – IPsec between Mobile Subscriber and Network
• DoS Prevention – Stateful Firewall at mobile/core edge to protect FMC Core, Internet, and Mobile Stations
• User Authentication – AAA to authorize mobile subscribers for services, and Certificates for mobile subscribers to authorize the IPsec peer
• Stability with Security Scaling – 100s of thousands of subscribers
FMC Network Architectures
• Unlicensed Mobile Access (UMA)
  – 3GPP standard for mobile/Wi-Fi Convergence
  – Based upon IETF protocols – IPsec, IKE, RADIUS, EAP-SIM
  – Controller = UNC
• IP Multimedia Subsystem (IMS)
  – 3GPP standard for universal mobile access
  – Based upon IETF protocols – SIP, IPsec, IKE, DIAMETER
  – Controller = CSCF
UMA FMC Security Architecture
[Diagram: User Equipment (Mobile Phone, Dual-Mode Phone, Wireless Laptop) -> Access (RAN, WiFi, Converged Home, Broadband) -> UMA Core (SeGW, UNC, INC, AAA, HLR) -> Applications (Gaming, Video, Presence, Voice)]
Security Gateway Protects UMA Core, Internet, and User Equipment
IMS FMC Security Architecture
[Diagram: User Equipment (Mobile Phone, Dual-Mode Phone, Wireless Laptop) -> Access (RAN, WiFi, Converged Home, Broadband) -> IMS Core (SeGW, CSCFs, INC, AAA, HLR, HSS) -> Applications (Gaming, Video, Presence, Voice)]
Security Gateway Offload for CSCF – Protect and Scale
IMS Session Model
[Diagram: same IMS architecture as above (User Equipment -> Access -> IMS Core with SeGW and CSCFs -> Applications), with a Control Connection from the "Registered User" through the SeGW to the CSCFs]
IMS changes call model to "always on" versus on-demand
Poor Approach to Security for FMC
Integrated Control and Forwarding
[Diagram: SIP Terminal <-> any IP connection (e.g. GPRS, EDGE, WCDMA, WLAN, xDSL) <-> packet-switched network <-> SIP Terminal; the SIP Control Path and the SIP Media Streams (end-to-end communication, IP-based services between terminals) both pass through the Application Servers in the FMC core]
All Traffic Goes Through FMC Core, Reducing Performance, Scalability, And Protection
Security Gateway Approach for FMC
Separating Control Plane From Forwarding
[Diagram: SIP Terminal <-> any IP connection (e.g. GPRS, EDGE, WCDMA, WLAN, xDSL) <-> packet-switched network <-> SIP Terminal; the SIP Control Path (control plane) reaches the Application Servers while the SIP Media Streams (forwarding plane) carry the end-to-end communication and IP-based services between terminals]
Separation of Control Plane and Forwarding Plane Increases Security, Performance and Scalability
IPsec and SIP Enabled Mobile Devices
• FMC dependent upon handset vendors implementing devices with IPsec, IKE, and SIP support
• Motorola and Nokia have announced FMC programs
Defense in Depth Safeguards FMC Networks
Zone 1: Subscriber Protection
[Diagram: User Equipment (Mobile Phone, Dual-Mode Phone, Wireless Laptop) -> Access (RAN, WiFi, Converged Home, Broadband) -> SeGW -> FMC Core (UNC, CSCFs) -> Internet Applications (Gaming, Video, Presence, Voice)]
Security functions shown in Zone 1:
• Malicious Packet Filtering
• IPsec Encrypt/Decrypt
• Stateful SIP Firewall
• SIP DoS Protection
Secures the Transmission Between the Subscriber and Wireless Network
Defense in Depth Safeguards FMC Networks
Zone 2: FMC Core Protection
[Diagram: User Equipment (Mobile Phone, Dual-Mode Phone, Wireless Laptop) -> Access (RAN, WiFi, Converged Home, Broadband) -> SeGW -> FMC Core (UNC, CSCFs) -> Internet Applications (Gaming, Video, Presence, Voice)]
Security functions shown in Zone 2:
• IPsec Encryption/Decryption
• IKE DoS Protection
• QoS and Policing
• Stateful Firewall
• IP DoS Protection
• Anti-Spoofing
• SIP DoS Protection
• ECMP
Ensures a Highly Available, Predictable and Secure Network Core
Defense in Depth Safeguards FMC Networks
Zone 3: Internet Gateway
[Diagram: User Equipment (Mobile Phone, Dual-Mode Phone, Wireless Laptop) -> Access (RAN, WiFi, Converged Home, Broadband) -> SeGW -> FMC Core (UNC, CSCFs) -> Internet Applications (Gaming, Video, Presence, Voice)]
Threats arriving from the Internet: Mobile Virus, Internet Worms, DoS Attacks
Security functions shown in Zone 3:
• Stateful Firewall
• User Authentication
• Codec QoS and Policing
• Malicious Packet Filtering
Protects Core Network Resources
Stateful Firewall Fundamental to Defense in Depth
• Stateful Firewall protects User Equipment, FMC Core, and Internet
• Stateful firewalls must be SIP aware
• SIP ALG must dynamically manage each session (up to 100s of 1000s)
• SIP ALG must rate limit SIP control and media for each session
[Diagram: a SIP Control session opening a Pinhole in the stateful firewall for its RTP media]
Alternative is Stateless Firewall or no Firewall – Not a Solution for Secure VoIP
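The slide describes what a SIP-aware stateful firewall has to do: track each SIP session, open an RTP pinhole only for the media the session negotiates, close it when the call ends, and rate limit the control traffic per session. The following is an added example written for this page, not code from the presentation or from Reef Point Systems; the SIP/SDP messages are constructed samples and the SipAlg class is a hypothetical, deliberately minimal model of that behaviour (SDP parsing handles only the c= and m= lines).

```python
import re
from collections import defaultdict

# Constructed sample SIP messages (not from the slides): an INVITE carrying an
# SDP body that negotiates one audio stream, and the BYE that ends the call.
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Call-ID: abc123@10.0.0.5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: abc123@10.0.0.5\r\nCSeq: 2 BYE\r\n\r\n"

class SipAlg:
    """Hypothetical SIP ALG model: opens RTP pinholes only for media negotiated
    in SDP, closes them on BYE, and rate limits SIP control per Call-ID."""
    def __init__(self, max_msgs_per_session=20):
        self.pinholes = set()             # (ip, port) currently allowed to carry RTP
        self.sessions = defaultdict(set)  # Call-ID -> pinholes owned by that call
        self.msg_count = defaultdict(int) # SIP messages seen per Call-ID
        self.max_msgs = max_msgs_per_session

    def sip(self, msg):
        """Inspect one SIP control message; return 'forward' or 'drop'."""
        call_id = re.search(r"^Call-ID:\s*(\S+)", msg, re.M | re.I)
        if not call_id:
            return "drop"                 # no session to bind state to
        cid = call_id.group(1)
        self.msg_count[cid] += 1
        if self.msg_count[cid] > self.max_msgs:
            return "drop"                 # per-session SIP control rate limit
        if msg.split(" ", 1)[0] == "BYE":
            for ph in self.sessions.pop(cid, ()):
                self.pinholes.discard(ph) # call over: close its pinholes
            return "forward"
        body = msg.partition("\r\n\r\n")[2]
        ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        for m in re.finditer(r"^m=\w+ (\d+) RTP/AVP", body, re.M):
            if ip:
                ph = (ip.group(1), int(m.group(1)))
                self.pinholes.add(ph)     # open pinhole for the negotiated port
                self.sessions[cid].add(ph)
        return "forward"

    def rtp(self, dst_ip, dst_port):
        # Media check: RTP is forwarded only through a pinhole some SIP session opened
        return "forward" if (dst_ip, dst_port) in self.pinholes else "drop"
```

A stateless firewall would have to leave the whole RTP port range open permanently; here media to any port not negotiated in SDP, or to a port whose call has already ended, is dropped.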
IPsec Benchmark Parameters
• Total Number of IPsec tunnels
• IPsec Tunnel Establishment Rate
  – IKE DoS Protection
• Total SAs (IKE and IPsec)
[Diagram: UE -> RAN -> IPsec Tunnel -> SeGW -> UNC / CSCFs]
Stateful Firewall Benchmark Parameters
• Total Number of Stateful Firewall Sessions
• Stateful Session Establishment Rate
• SIP ALG
  – SIP Control
    • Total Number of SIP Sessions Established
    • SIP Session Establishment Rate (CAPS)
      – With and Without Media
      – Established Call Load
      – SIP DoS Protection
      – TCP Reassembly
  – RTP Media
    • Total Number of RTP Media Streams
    • Number of RTP Media Streams per SIP Control Session
Solution-Agnostic Benchmarks
• Benchmarks must apply for any FMC solution:
  – UA<->SIP Server<->UA
  – UA<->SBC<->UA
  – UA<->CSCF or UNC<->UA
  – UA<->SEG<->CSCF<->SEG<->UA
• Enables Devices to be compared
• Enables FMC solutions to be compared
Conclusions: FMC Cannot Succeed Without Comprehensive Security
• Vulnerabilities created by mobile packet core being exposed to the public Internet
• Security is not optional; it's a must
• Converged IP backbone must support, prioritize & appropriately handle voice, video and mobile services
• Scaling is unprecedented. Number of subscribers requires stable and high scaling security gateways
Contact
Scott Poretsky
Reef Point Systems
8 New England Executive Park
Burlington, MA 01803 USA
main +1 781 505 8300 / fax +1 781 505 8316
[email protected]
www.reefpoint.com