
IMS and Security


Presentation Transcript


  1. IMS and Security Sri Ramachandran NexTone

  2. Traditional approaches to Security - The “CIA” principle
  • Confidentiality
    • Can another system or user listen in?
    • Am I communicating with the right system or user? (strictly an authentication question, but it is the precondition for any confidentiality guarantee)
  • Integrity
    • Have the messages been tampered with?
  • Availability
    • Can the systems that enable the communication service be compromised or overwhelmed?

  3. The Demarcation Point – Solution for protecting networks and multiple end systems
  • Create a trust boundary by using a firewall
  • Firewalls and NATs enforce the “authorization” aspect of confidentiality: only flows the policy permits cross the boundary
  [Diagram: untrusted side | trusted side (“the” network, private IP address space); an unauthorized stream is blocked at the boundary, an authorized stream is passed]

  4. Solutions for separate control and data streams
  • FTP, BitTorrent, RTSP and SIP have separate control and data streams
  • Data streams are ephemeral: addresses and ports are negotiated per session inside the control stream, so no static firewall rule can describe them
  • Solution: use an Application Layer Gateway (ALG)
    • Scan the control stream for the attributes (address, port, transport) of the data stream and open pinholes only for those
  • 2 approaches to building ALGs
    • Dedicated purpose (one protocol, e.g. a SIP ALG)
    • Deep packet inspector/scanner (generic engine with per-protocol rules)
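The SIP case of the ALG idea in slide 4, as an added worked example (not NexTone's code and not from the slides): the gateway reads the SDP body carried in a SIP INVITE, pulls the connection address and media port out of the c= and m= lines, and turns them into the UDP pinholes the firewall must open for the RTP/RTCP pair. The INVITE, addresses and rule syntax are constructed for the demo; the address check against the signalling source is the caveat a practitioner wants, because a client can write any address into SDP and an ALG that trusts it blindly becomes a tool for punching holes to third parties.

```python
"""Minimal SIP/SDP application-layer gateway (ALG) logic: scan the signalling
(control) stream for the attributes of the ephemeral media (data) stream and
derive the firewall pinholes to open.  Added example for this page, not
NexTone code.  All messages and addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def build_invite(media_ip: str, rtp_port: int, signalling_ip: str = "10.0.0.5") -> str:
    """Construct a sample SIP INVITE carrying an SDP offer (test data, not a capture)."""
    sdp = (
        "v=0\r\n"
        f"o=alice 2890844526 2890844526 IN IP4 {signalling_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {media_ip}\r\n"          # where the peer should send media
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0\r\n"  # media port; RTCP is conventionally port+1
        "a=rtpmap:0 PCMU/8000\r\n"
    )
    return (
        "INVITE sip:bob@example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {signalling_ip}:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:alice@example.com>;tag=1928301774\r\n"
        "To: <sip:bob@example.com>\r\n"
        f"Call-ID: a84b4c76e66710@{signalling_ip}\r\n"
        "CSeq: 314159 INVITE\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp)}\r\n"   # body is pure ASCII, so chars == bytes
        "\r\n" + sdp
    )


@dataclass(frozen=True)
class Pinhole:
    call_id: str
    dst_ip: str
    rtp_port: int
    rtcp_port: int   # RTP port + 1, the RFC 3550 default pairing


def parse_sip(message: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into start line, lower-cased header map and body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_pinholes(message: str, signalling_src: str) -> List[Pinhole]:
    """Return the pinholes an ALG should open for the SDP offer in an INVITE.

    signalling_src is the source address the firewall actually saw the
    signalling packet arrive from (assumed input to this example)."""
    start_line, headers, body = parse_sip(message)
    if not start_line.startswith("INVITE ") or headers.get("content-type") != "application/sdp":
        return []
    # An ALG that trusts Content-Length blindly can be desynchronised from the
    # real message boundary; reject mismatches rather than guess.
    if int(headers.get("content-length", "0")) != len(body.encode()):
        raise ValueError("Content-Length does not match SDP body; refusing to open pinholes")
    session_ip = None
    media = []   # [rtp_port, transport, connection_ip] per m= section
    for line in body.split("\r\n"):
        if line.startswith("c="):
            ip = line.split()[2]            # c=IN IP4 <addr>
            if media:
                media[-1][2] = ip           # media-level c= overrides the session-level one
            else:
                session_ip = ip
        elif line.startswith("m="):
            fields = line.split()           # m=<media> <port> <transport> <fmt...>
            media.append([int(fields[1]), fields[2], session_ip])
    holes: List[Pinhole] = []
    for port, transport, ip in media:
        if port == 0 or not transport.startswith("RTP/"):
            continue   # port 0 = stream rejected/disabled; only UDP RTP is handled here
        # Key check: the client controls the SDP text.  Only open a pinhole towards
        # the host that actually sent the signalling, otherwise the ALG opens the
        # firewall to arbitrary third-party addresses of the attacker's choosing.
        if ip != signalling_src:
            continue
        holes.append(Pinhole(headers["call-id"], ip, port, port + 1))
    return holes


def as_rule(hole: Pinhole) -> str:
    """Render a pinhole as a firewall rule string (illustrative syntax, not a real CLI)."""
    return f"allow udp any -> {hole.dst_ip}:{hole.rtp_port}-{hole.rtcp_port} call-id={hole.call_id}"


if __name__ == "__main__":
    for hole in media_pinholes(build_invite("10.0.0.5", 49170), signalling_src="10.0.0.5"):
        print(as_rule(hole))
```

When the client sits behind a NAT and the gateway outside it, the SDP carries a private address that will never match the observed source; that is the case where a border element rewrites c=/m= to its own relay address and port and "latches" onto the first media packet it sees, which is the NAT-traversal function the SBF slides later attribute to the border function. The comparison above is the simple form of that rule for the firewall-at-the-edge case; a real ALG would also tear the pinhole down on BYE or when the dialog times out.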

  5. Characteristics of Session Services
  • Signaling and media may traverse different networks
  • Intermediate systems for signaling and media are different
  • Signaling and media networks may be independently secured
  • Signaling and media have different quality characteristics
    • Media is latency, jitter and packet loss sensitive
    • Reliable delivery of signaling messages is more important than latency and jitter

  6. Denial of Service (DoS) Concepts
  • Attacks arrive at multiple layers:
    • Layer 3/4: floods that exhaust or hijack the transport and session-layer processing of the intermediaries
    • Layer 5 (SIP): floods or malformed requests that exhaust or steal application-layer processing, which is where the revenue loss happens
  • Consequences for the operator:
    • Theft of service
    • Unable to honor Service Level Agreements
    • Resource over-allocation (capacity consumed by illegitimate sessions)
    • Resource lock-in (half-completed transactions that hold state and never release it)

  7. Components of a complete security solution
  • Ability to create a trust boundary for session services independent of data
  • Ability to strongly authenticate users and end devices at all session network elements or networks
  • Ability to encrypt at the trust boundary
  • Prevent denial of service attacks on service intermediaries
    • Hardened OS, Intrusion Detection/Prevention
  • Secure management of network elements
    • IPsec, HTTPS, SSH
  • Allow network- or flow-based correlation and aggregation of security events

  8. Convergence of Services
  [Diagram: layered stack, bottom to top: Terminals, Transport, Service Delivery/Session Control, Application, Back Office. Today's services are either “triple play” bundles or vertically integrated apps, each with its own stack: Internet, IPTV, VoIP, Internet TV, Wireless Voice, Collaboration]

  9. Network to Service Centric
  [Diagram: the same layered stack drawn per service (VoIP, Collaboration, Presence, IPTV, Internet), showing that each service still carries its own Back Office, Application, Service Delivery/Session Control and Transport layers]

  10. Migration to IMS
  [Diagram: the services (VoIP, Collaboration, Presence, IPTV) now share one Service Delivery/Session Control layer built from IMS elements (CSCF, HSS) over both Wireless and Wireline transport]

  11. Path to IMS
  [Diagram: three stages, left to right: Separate Applications (vertically integrated triple play stacks) → Converged Network (shared Transport and Terminals, separate session control per service) → Common Session Control (IMS: CSCF and HSS serving all applications over Wireless and Wireline access)]

  12. PacketCable Multimedia – CableLabs PacketCable 2.0 Reference Architecture
  [Diagram summary:]
  • IMS elements adopted and enhanced for cable
  • NAT & firewall traversal
  • Provisioning, management, accounting
  • Re-use of PacketCable PSTN gateway components
  • IMS service delivery
  • Compatible with E-MTAs
  • Different types of clients

  13. Issues with IMS today
  • Access differentiates IMS flavors
  • IMS functions and value misunderstood
  • Bridge from ‘legacy’ to IMS networks mostly underplayed
  • Ignores Web 2.0 and non-SIP based sessions
  • Focus on pieces inside the ‘walled garden’ – not on interconnecting
  • Not enough focus on applications

  14. Access Defines IMS Components
  [Diagram: Visited Network → Home Network → IMS Core, with the border elements differing per access type, as far as they can be recovered from the figure:]
  • WiFi (UMA): SeGW + UNC, then P-CSCF + C-BGF
  • WiMAX, WiFi (over the Internet): PDG + P-CSCF + C-BGF
  • Broadband DSL (over the Internet): A-BCF + C-BGF + P-CSCF
  • Broadband Cable: P-CSCF + App Manager + C-BGF

  15. Secure Border Function (SBF)
  • Similar concept to a firewall
  • Sits alongside the CSCF network elements
  • Thwarts DoS/DDoS attacks
  • Uses established techniques to do firewall/NAT traversal
  • Adds previously non-existent rate-based admission control capabilities

  16. SBF Logical Security Architecture
  [Diagram: protection stacked by layer, applied to both the SIGNALING and the MEDIA path:]
  • Layer 7 – Application: Call Admission Control with Authentication/Authorization
    • Theft of service mitigation
    • SPAM/SPIT prevention
  • Layer 5 – SIP: SIP control with rate admission control
    • SIP protocol vulnerabilities
    • DoS protection
  • Layer 4 – TCP/UDP: TCP/IP stack in the operating system
    • Hardened OS
    • DoS protection
  • Layer 3 – IP: packet filter
  • Layer 2 – Ethernet: queue/buffer management, packet rate management
  • Management plane across all layers: Reporting & Monitoring, Alarming & Closed Loop Control, Network-based Correlation, Analytics/Post-processing
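What the Layer 5 “SIP control with rate admission control” box in slide 16 does, and how it addresses the resource over-allocation and lock-in from slide 6 and the rate-based admission control claimed for the SBF in slide 15, as an added example that is not NexTone's implementation: a per-source token bucket for dialog- and registration-creating requests, a cap on half-open (unanswered) INVITEs per source, and a global bucket protecting the CSCF behind the border. Thresholds, addresses and the three traffic sources (a legitimate user, a burst flooder, and a slow attacker that stays under the rate limit but never completes its calls) are constructed for the demo.

```python
"""Rate-based admission control for SIP signalling at a border element:
per-source token bucket, half-open INVITE cap, global bucket.  Added example
for this page, not NexTone's SBF; thresholds and traffic are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LIMITED = {"INVITE", "REGISTER"}   # requests that create state cost tokens


@dataclass
class TokenBucket:
    rate: float            # tokens added per second
    burst: float           # capacity (starts full)
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def take(self, now: float) -> bool:
        """Refill for elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SipAdmissionControl:
    def __init__(self, per_src_rate: float = 2.0, per_src_burst: float = 5.0,
                 global_rate: float = 100.0, global_burst: float = 200.0,
                 max_half_open: int = 10) -> None:
        self.per_src_rate, self.per_src_burst = per_src_rate, per_src_burst
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.max_half_open = max_half_open
        self.src_buckets: Dict[str, TokenBucket] = {}
        self.half_open: Dict[str, int] = {}      # INVITEs awaiting a final response

    def admit(self, now: float, src: str, method: str) -> Tuple[bool, str]:
        if method not in LIMITED:
            return True, "in-dialog"              # ACK/BYE etc. ride on an admitted dialog
        # 1. Per-source bucket first, so one flooder cannot drain the shared bucket.
        if src not in self.src_buckets:
            self.src_buckets[src] = TokenBucket(self.per_src_rate, self.per_src_burst)
        if not self.src_buckets[src].take(now):
            return False, "per-source rate"
        # 2. Half-open cap: INVITEs that never complete tie up transaction state
        #    (the "resource lock-in" of slide 6) even at a polite request rate.
        if method == "INVITE" and self.half_open.get(src, 0) >= self.max_half_open:
            return False, "half-open cap"
        # 3. Global bucket bounds the load reaching the CSCF behind the border.
        if not self.global_bucket.take(now):
            return False, "global rate"
        if method == "INVITE":
            self.half_open[src] = self.half_open.get(src, 0) + 1
        return True, "ok"

    def answered(self, src: str) -> None:
        """A final response was seen for one of src's INVITEs; release its slot."""
        if self.half_open.get(src, 0) > 0:
            self.half_open[src] -= 1


def constructed_traffic() -> List[Tuple[float, str, str]]:
    """(time, source, request) events, constructed for the demo."""
    events = [(0.0, "10.0.0.5", "REGISTER"), (0.5, "10.0.0.5", "INVITE"),
              (0.8, "10.0.0.5", "ANSWERED"), (1.0, "10.0.0.5", "BYE")]
    events += [(2.0, "198.51.100.7", "INVITE") for _ in range(20)]          # burst flood
    events += [(10.0 + i, "203.0.113.200", "INVITE") for i in range(12)]   # slow, never answers
    return sorted(events)


def run(events: List[Tuple[float, str, str]]) -> List[Tuple[float, str, str, str]]:
    """Feed events through admission control; returns (time, src, method, decision)."""
    ac = SipAdmissionControl()
    log = []
    for now, src, kind in events:
        if kind == "ANSWERED":                 # pseudo-event: final response observed
            ac.answered(src)
            continue
        ok, reason = ac.admit(now, src, kind)
        log.append((now, src, kind, "ADMIT" if ok else f"REJECT:{reason}"))
    return log


def summarize(log: List[Tuple[float, str, str, str]]) -> Dict[str, Dict[str, int]]:
    """Per-source count of decisions, the view a reporting/monitoring layer would show."""
    out: Dict[str, Counter] = {}
    for _, src, _, decision in log:
        out.setdefault(src, Counter())[decision] += 1
    return {src: dict(c) for src, c in out.items()}


if __name__ == "__main__":
    for src, counts in summarize(run(constructed_traffic())).items():
        print(src, counts)
```

The order of the three checks matters: the per-source bucket is consulted before the global one so that a single flooder is charged to its own budget rather than to the budget shared with legitimate users, and the half-open cap catches the attacker that stays under the rate limit but never answers, which a pure rate limiter cannot see. In a deployment the same structure sits in front of REGISTER storms after an outage, where the right response is rate shaping with a 503 and Retry-After rather than drops, since those are legitimate clients.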

  17. Consolidation of Functions
  [Diagram: the SBF consolidates two tiers of border elements across all access types (WiFi, WiMAX, UMA, BB):]
  • Application tier – access & interconnect session management: SBC-S, A-BCF, I-BCF
  • Edge tier – edge access & interconnectivity: PDG, SeGW, BGF, WAP/WAG

  18. Benefits of SBF
  • Security for both signaling and media
  • Signaling and media can be disaggregated or integrated
  • Can be integrated with any signaling or media element to protect it
  • Consolidates all access types

  19. Thank You! For further comments and discussion: sri@nextone.com www.nextone.com/blog
