IMS and Security


IMS and Security
Sri Ramachandran
NexTone
Traditional approaches to Security - The “CIA” principle
• Confidentiality
  • Am I communicating with the right system or user?
  • Can another system or user listen in?
• Integrity
  • Have the messages been tampered with?
• Availability
  • Can the systems that enable the communication service be compromised?
CONFIDENTIAL © 2006, NexTone Communications. All rights
2
The Demarcation Point – Solution for protecting networks and multiple end systems
• Create a trust boundary by using a firewall
• Firewalls and NATs use the “Authorization” principle of Confidentiality
[Diagram: a firewall separating the trusted private IP address space from the untrusted “The” Network; an authorized stream is passed across the boundary, an unauthorized stream is blocked]
Solutions for separate control and data streams
• FTP, BitTorrent, RTSP, SIP have separate control and data streams
• Data streams are ephemeral
• Solution: Use an Application Layer Gateway (ALG)
  • Scan the control stream for attributes of the data stream
• 2 approaches to building ALGs
  • Dedicated purpose
  • Deep packet inspector/scanner
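As an added illustration of the control-stream scan an ALG performs for SIP (this is example code, not part of the NexTone deck): the Python below parses a constructed SIP INVITE carrying an SDP body, derives the ephemeral RTP/RTCP flows that the firewall must admit, and refuses to open a pinhole toward any media address outside the prefix the signaling came from. The message, the addresses, the trusted prefix and the `Pinhole` type are all assumptions made for the example.

```python
"""Added example: the control-stream scan an ALG performs for SIP.
It parses a SIP INVITE carrying SDP, derives the media flows that must be
admitted through the firewall, and refuses media addresses outside the
prefix the signaling came from (a pinhole should not be aimed at a third
party). Constructed illustration, not NexTone code."""
import ipaddress
from dataclasses import dataclass

# Constructed SIP INVITE with an SDP body (not from the deck). Content-Length
# is omitted because this toy parser splits on the blank line instead.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"          # session-level connection address
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 99\r\n"
    "c=IN IP4 10.0.0.6\r\n"          # media-level override for video
    "a=rtpmap:99 H264/90000\r\n"
    "m=text 0 RTP/AVP 98\r\n"        # port 0: stream declined, no pinhole
)


@dataclass(frozen=True)
class Pinhole:
    proto: str   # "udp" or "tcp"
    addr: str
    port: int
    kind: str    # "rtp" or "rtcp"


def split_sip(message: str):
    """Split a SIP message into (request line, lower-cased header dict, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_flows(sdp: str):
    """Return (media, address, port, transport) for every active m= section,
    applying the session-level c= line unless the section overrides it."""
    session_addr = None
    sections = []                       # [m= line, media-level address or None]
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line[2:].split()[2]  # "IN IP4 <address>"
            if sections:
                sections[-1][1] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            sections.append([line, None])
    flows = []
    for mline, maddr in sections:
        media, port, transport = mline[2:].split()[:3]
        addr = maddr or session_addr
        if int(port) == 0 or addr is None:
            continue                    # declined stream or no address: nothing to open
        flows.append((media, addr, int(port), transport))
    return flows


def alg_pinholes(message: str, trusted_prefix: str):
    """Pinholes to open for one INVITE; media outside trusted_prefix is ignored."""
    request_line, headers, body = split_sip(message)
    if not request_line.startswith("INVITE "):
        return []
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    trusted = ipaddress.ip_network(trusted_prefix)
    holes = []
    for _media, addr, port, transport in media_flows(body):
        if ipaddress.ip_address(addr) not in trusted:
            continue                    # never open a hole toward an arbitrary host
        proto = "udp" if transport.startswith("RTP/") else "tcp"
        holes.append(Pinhole(proto, addr, port, "rtp"))
        if proto == "udp":
            holes.append(Pinhole(proto, addr, port + 1, "rtcp"))  # RTCP = RTP port + 1
    return holes


if __name__ == "__main__":
    for hole in alg_pinholes(SAMPLE_INVITE, "10.0.0.0/24"):
        print(hole)
```

The trusted-prefix check is the part worth keeping in mind: because the data stream's address and port come from the control stream, an ALG that opens whatever the SDP names turns the caller into an oracle for punching holes toward other hosts, so the admitted media address should be tied to where the signaling actually originated.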
Characteristics of Session Services
• Signaling and media may traverse different networks
• Intermediate systems for signaling and media are different
• Signaling and media networks may be independently secured
• Signaling and media have different quality characteristics
  • Media is latency, jitter and packet loss sensitive
  • Reliable delivery of signaling messages is more important than latency and jitter
Denial of Service (DoS) Concepts
• Multiple layers:
  • Layer 3/4: prevention or stealing of session layer processing
  • Layer 5: prevention and/or stealing of application layer processing (prevention of revenue loss)
• Theft of service
  • Unable to honor Service Level Agreement
• Resource over-allocation
• Resource lock-in
Components of a complete security solution
• Ability to create a trust boundary for session services independent of data
• Ability to strongly authenticate users and end devices at all session network elements or networks
• Ability to encrypt at the trust boundary
• Prevent denial of service attacks on service intermediaries
  • Hardened OS, Intrusion Detection/Prevention
• Secure management of network elements
  • IPSec, HTTPS, SSH
• Allow network or flow based correlation and aggregation
Convergence of Services
[Diagram: a layered stack of Back Office, Application, Service Delivery/Session Control and Transport, contrasting vertically integrated apps (Internet, Voice, TV, Wireless) and triple play services over the Internet with converged Collaboration, IPTV and VoIP applications that share session control and transport down to the terminals]
Network to Service Centric
[Diagram: the same layers (Back Office, Application, Service Delivery/Session Control, Transport) with Collaboration, IPTV, Presence and VoIP applications moving from network-centric silos over the Internet to a shared, service-centric session control layer]
Migration to IMS
[Diagram: Collaboration, IPTV, Presence and VoIP applications over a common Service Delivery/Session Control layer built on the IMS CSCF and HSS elements, with wireline and wireless transport underneath]
Path to IMS
[Diagram: three stages side by side. Separate Applications: vertically integrated apps (Internet, Voice, TV, Wireless) and triple play services, each with its own back office, session control and transport. Converged Network: Collaboration, IPTV, Presence and VoIP over shared session delivery/session control and transport. IMS: common session control via CSCF and HSS over wireline and wireless transport to the terminals]
CableLabs PacketCable 2.0 Reference Architecture
[Diagram: IMS elements adopted and enhanced for cable. Core: I-CSCF, S-CSCF, HSS, SLF, Application Servers, Presence Server, Policy Server, BGCF, MGC, MG, PSTN GW and SG toward the PSTN, CDF, ENUM, DNS, DHCP, Time, and NMS & EMS operational support systems (provisioning, management, accounting). Edge: P-CSCF, PacketCable Application Manager, PacketCable Multimedia, STUN and TURN servers for NAT & firewall traversal, Media Proxy, Border Element and Interconnect Proxy toward peer networks. Access: CMTS and DOCSIS, cable modems, E-MTAs (PacketCable 1.5 endpoints, compatible through the CMS and re-using PacketCable PSTN gateway components), other access points behind NAT & firewall, and different types of UE clients on the local network]
Issues with IMS today
• Access differentiates IMS flavors
• IMS functions and value misunderstood
• Bridge from ‘legacy’ to IMS networks mostly underplayed
• Ignores Web 2.0 and non-SIP based sessions
• Focus on pieces inside ‘walled garden’ – not on interconnecting
• Not enough focus on applications
Access Defines IMS Components
[Diagram: visited network and home network views of the IMS core, with a different border component set per access type. Access types shown: WiFi (UMA), WiMAX/WiFi broadband Internet, DSL broadband Internet, and cable. Component sets shown: SeGW + UNC; P-CSCF + C-BGF; PDG + P-CSCF + C-BGF; A-BCF + C-BGF + P-CSCF; P-CSCF + App Manager + C-BGF]
Secure Border Function (SBF)
• Similar concept to a firewall
• Sits alongside CSCF network elements
• Thwarts DoS/DDoS attacks
• Uses established techniques to do firewall/NAT traversal
• Adds previously non-existent rate based Admission Control capabilities
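An added example of the rate based admission control that the SBF slide describes, which also illustrates the resource over-allocation and resource lock-in concepts from the DoS slide; this is illustration code, not NexTone's implementation. A per-source token bucket bounds the INVITE rate, a cap on unanswered INVITEs bounds how many half-open calls one source can pin in the core, and a timeout releases stale entries so a source cannot lock resources indefinitely. The event stream, addresses, thresholds and class names are constructed assumptions.

```python
"""Added example: rate based admission control at a SIP border (the SBF
slide), with a per-source cap on unanswered INVITEs to bound the resource
over-allocation and lock-in described under DoS concepts. Constructed
illustration, not NexTone code."""


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, capacity `burst`."""

    def __init__(self, rate: float, burst: float, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def take(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SipAdmissionControl:
    """Decide per SIP request whether the core should spend resources on it."""

    def __init__(self, invites_per_sec=2.0, burst=3, max_pending=3,
                 pending_timeout=32.0):
        self.rate = invites_per_sec
        self.burst = burst
        self.max_pending = max_pending          # unanswered INVITEs allowed per source
        self.pending_timeout = pending_timeout  # seconds before a stale entry is dropped
        self.buckets = {}                       # source -> TokenBucket
        self.pending = {}                       # (source, call_id) -> INVITE time

    def _expire(self, now):
        stale = [k for k, t0 in self.pending.items() if now - t0 > self.pending_timeout]
        for k in stale:
            del self.pending[k]

    def _pending_for(self, src):
        return sum(1 for s, _ in self.pending if s == src)

    def request(self, now, src, method, call_id):
        """Return 'admit', 'rate-limited' or 'lock-in' for one request."""
        self._expire(now)
        key = (src, call_id)
        if method in ("CANCEL", "BYE"):
            self.pending.pop(key, None)         # caller gave up or hung up
            return "admit"
        if method != "INVITE":
            return "admit"                      # only session setup is policed here
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        if not bucket.take(now):
            return "rate-limited"               # too many INVITEs per second
        if self._pending_for(src) >= self.max_pending:
            return "lock-in"                    # source is pinning too many half-open calls
        self.pending[key] = now
        return "admit"

    def answered(self, src, call_id):
        """A final response reached the caller; the call no longer holds a pending slot."""
        self.pending.pop((src, call_id), None)


# Constructed event log (time, source, method, Call-ID): one legitimate call
# and a flood of 20 INVITEs in one second that are never completed.
SAMPLE_EVENTS = (
    [(0.0, "10.0.0.5", "INVITE", "legit-1")]
    + [(0.05 * i, "198.51.100.7", "INVITE", f"flood-{i}") for i in range(20)]
    + [(2.0, "10.0.0.5", "BYE", "legit-1"),
       (40.0, "198.51.100.7", "INVITE", "flood-late")]
)


def run(events, ac=None):
    """Feed events in time order; return the controller and decisions per source."""
    ac = ac or SipAdmissionControl()
    decisions = {}
    for now, src, method, call_id in sorted(events, key=lambda e: e[0]):
        decisions.setdefault(src, []).append(ac.request(now, src, method, call_id))
    return ac, decisions


if __name__ == "__main__":
    _, decisions = run(SAMPLE_EVENTS)
    for src, verdicts in decisions.items():
        print(src, verdicts)
```

Two decisions are made in sequence on purpose: the token bucket is cheap and answers the rate question for every source, while the pending cap catches the slower pattern where a source stays under the rate limit but never completes its calls, which is what ties up call-processing state. The legitimate caller is unaffected because buckets and pending counts are kept per source.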
SBF Logical Security Architecture
[Diagram: a layered stack with signaling on one side and media on the other, feeding analytics/post-processing, reporting & monitoring, and alarming & closed loop control]
Layer 7 – Application: Call Admission Control with Authentication/Authorization
Layer 5 – SIP: SIP control with rate admission control; network based correlation
  • Theft of service mitigation
  • SPAM/SPIT prevention
  • SIP protocol vulnerabilities
  • DoS protection
Layer 4 – TCP/UDP: TCP/IP stack in operating system
  • Hardened OS
  • DoS protection
Layer 3 – IP: Packet filter
Layer 2 – Ethernet: Queue/buffer management; packet rate management (media)
SBF Consolidation of Functions
[Diagram: the SBF consolidating access & interconnect session management (SBC-S, application) with the access & interconnectivity functions A-BCF, I-BCF, PDG, WAP/WAG, SeGW and BGF, across WiFi, WiMAX, UMA, broadband (BB) and edge access]
Benefits of SBF
• Security for both signaling and media
• Signaling and media can be disaggregated or integrated
• Can be integrated with any signaling or media element to protect it
• Consolidates all access types
Thank You!
For further comments and discussion:
[email protected]
www.nextone.com/blog