IMS and Security Sri Ramachandran NexTone
Mar 27, 2015
2 CONFIDENTIAL © 2006, NexTone Communications. All rights
Traditional approaches to Security - The "CIA" principle
Confidentiality: Am I communicating with the right system or user (strictly an authentication question), and can another system or user listen in?
Integrity: Have the messages been tampered with in transit?
Availability: Can the systems that enable the communication service be compromised or overloaded so that the service stops?
The Demarcation Point - Solution for protecting networks and multiple end systems
Create a trust boundary by using a firewall. Firewalls and NATs apply the authorization aspect of confidentiality: only streams the trusted side has authorized are allowed across the boundary.
[Diagram: the trusted side (private IP address space) is separated from the untrusted side ("the" network); an authorized stream crosses the boundary, an unauthorized stream is blocked.]
Solutions for separate control and data streams
FTP, BitTorrent, RTSP and SIP have separate control and data streams, and the data streams are ephemeral: their addresses and ports are negotiated per session in the control stream.
Solution: use an Application Layer Gateway (ALG) that scans the control stream for the attributes (addresses, ports) of the data stream and opens the boundary only for that stream, for the life of the session.
Two approaches to building ALGs: a dedicated-purpose ALG for one protocol, or a general deep packet inspector/scanner.
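As an added example (not code from the NexTone deck), the following is a minimal SIP ALG step in Python: it parses the SIP INVITE offer and the 200 OK answer, pulls the media attributes out of the SDP c= and m= lines, and emits the RTP/RTCP pinholes the firewall needs. The messages, addresses and the "SDP address must match the signaling peer" policy are constructed assumptions for the example; RTCP is assumed at RTP port + 1.

```python
"""Added example, not code from the NexTone deck: a minimal SIP/SDP
application-layer gateway (ALG) step. It scans the SIP control stream
(INVITE offer + 200 OK answer) for the attributes of the media stream
(SDP c= and m= lines) and derives the pinholes the ephemeral RTP/RTCP
flows need. Messages/addresses are constructed (RFC 5737 ranges)."""


def split_message(msg):
    """Split a SIP message into (start line, header dict, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


def parse_sdp_media(body):
    """One dict per m= line: media type, transport, IP and port.
    A session-level c= applies to every m= line unless a media-level c=
    (one that follows the m= line) overrides it. Port 0 = rejected."""
    session_ip = None
    media = []
    for line in body.splitlines():
        if line.startswith("c="):               # c=<nettype> <addrtype> <address>
            ip = line.split()[2]
            if media:
                media[-1]["ip"] = ip            # media-level override
            else:
                session_ip = ip
        elif line.startswith("m="):             # m=<media> <port> <proto> <fmt ...>
            kind, port, proto = line[2:].split()[:3]
            media.append({"type": kind, "proto": proto,
                          "ip": session_ip, "port": int(port)})
    return media


def derive_pinholes(offer, answer, offer_src_ip, answer_src_ip):
    """Pair offer/answer media lines; return pinholes as
    (proto, src_ip, src_port, dst_ip, dst_port) for RTP and RTCP
    (assumed RTP port + 1) in both directions. Assumed policy: the SDP
    address must equal the IP the signaling came from, so SDP cannot be
    used to open holes toward a third party."""
    _, _, offer_body = split_message(offer)
    status, hdrs, answer_body = split_message(answer)
    if not status.startswith("SIP/2.0 2"):
        return []                               # only a 2xx answer commits media
    if "application/sdp" not in hdrs.get("content-type", ""):
        return []
    pinholes = []
    for o, a in zip(parse_sdp_media(offer_body), parse_sdp_media(answer_body)):
        if o["port"] == 0 or a["port"] == 0:
            continue                            # stream rejected by one side
        if not o["proto"].startswith("RTP/"):
            continue                            # only RTP-family transports here
        if o["ip"] != offer_src_ip or a["ip"] != answer_src_ip:
            continue                            # SDP address != signaling peer
        for off in (0, 1):                      # RTP, then RTCP
            pinholes.append(("UDP", o["ip"], o["port"] + off, a["ip"], a["port"] + off))
            pinholes.append(("UDP", a["ip"], a["port"] + off, o["ip"], o["port"] + off))
    return pinholes


# Constructed sample offer/answer: the answer rejects the video stream
# (port 0), so only the audio pinholes may be opened.
OFFER = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)
ANSWER = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=bob 2808844564 2808844564 IN IP4 198.51.100.7\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.7\r\n"
    "t=0 0\r\n"
    "m=audio 3456 RTP/AVP 0\r\n"
    "m=video 0 RTP/AVP 31\r\n"
)

if __name__ == "__main__":
    for rule in derive_pinholes(OFFER, ANSWER, "192.0.2.10", "198.51.100.7"):
        print("allow %s %s:%d -> %s:%d" % rule)
```

The pinholes must be closed again on BYE or dialog timeout; a real ALG also has to cope with endpoints behind NAT, whose SDP carries a private address that will never match the signaling source, which is why border elements "latch" onto the first media packet instead of trusting the SDP address.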
Characteristics of Session Services
Signaling and media may traverse different networks
The intermediate systems for signaling and media are different
Signaling and media networks may be independently secured
Signaling and media have different quality characteristics: media is latency, jitter and packet-loss sensitive, while reliable delivery of signaling messages is more important than latency and jitter
Denial of Service (DoS) Concepts
DoS works at multiple layers:
Layer 3/4: preventing, or stealing, session-layer processing (the stack is flooded so legitimate sessions never reach the signaling layer)
Layer 5: preventing, or stealing, application-layer processing (protection here is what prevents revenue loss)
Consequences: theft of service; inability to honor the Service Level Agreement; resource over-allocation; resource lock-in (resources held by sessions that never complete)
Components of a complete security solution
Ability to create a trust boundary for session services independent of data
Ability to strongly authenticate users and end devices at all session network elements or networks
Ability to encrypt at the trust boundary
Prevent denial of service attacks on service intermediaries: hardened OS, Intrusion Detection/Prevention
Secure management of network elements: IPsec, HTTPS, SSH
Allow network- or flow-based correlation and aggregation
Convergence of Services
[Diagram: two stacks of Back Office / Application / Service Delivery-Session Control / Transport. Left, vertically integrated apps: one silo each for Voice, Internet, TV, Terminals and Wireless. Right, triple play services: VoIP, Collaboration, IPTV and Internet sharing one stack.]
Network to Service Centric
[Diagram: the same layered stacks. Left, network-centric: Collaboration, IPTV, Internet and VoIP. Right, service-centric: VoIP, Presence, IPTV and Collaboration delivered over a common Service Delivery/Session Control layer.]
Migration to IMS
[Diagram: two layered stacks, wireline and wireless, each carrying VoIP, Presence, IPTV and Collaboration; the Service Delivery/Session Control layer is realized by IMS elements (CSCF, HSS) shared by both access types.]
Path to IMS
[Diagram: the three stages side by side. Vertically integrated apps (Voice, Internet, TV, Terminals, Wireless, no common session control layer); triple play services (VoIP, Collaboration, IPTV, Internet over one Service Delivery/Session Control layer); and IMS: a converged network in which wireline and wireless share common session control (CSCF, HSS) with separate applications (VoIP, Presence, IPTV, Collaboration).]
CableLabs PacketCable 2.0 Reference Architecture
[Diagram: CableLabs PacketCable 2.0 reference architecture, grouped into Local Network, Access Network, Core, Application, Interconnect and Operational Support Systems. Local/access: UEs and PacketCable 1.5 endpoints (DOCSIS 1.5 E-MTA) behind cable modems, NAT & firewall, an access point and the CMTS. Core: P-CSCF, I-CSCF, S-CSCF, HSS, SLF, BGCF, CMS, Policy Server, PacketCable Application Manager, PacketCable Multimedia, STUN and TURN servers. Application: Application Server, Presence Server. Interconnect: Border Element, Media Proxy, Interconnect Proxy, PSTN gateway (MG, MGC, SG), peer networks and the PSTN. OSS: ENUM, DNS, DHCP, Time, NMS & EMS, CDF. Callouts: IMS elements adopted and enhanced for cable; PacketCable PSTN gateway components re-used; different types of clients; compatible with E-MTAs; NAT & firewall traversal; provisioning, management and accounting.]
Issues with IMS today
Access differentiates IMS flavors
IMS functions and value misunderstood
Bridge from 'legacy' to IMS networks mostly underplayed
Ignores Web 2.0 and non-SIP based sessions
Focus on pieces inside the 'walled garden', not on interconnecting
Not enough focus on applications
Access Defines IMS Components
[Diagram: each access type terminates on a different set of edge components in front of the IMS core, with the Internet, a visited network and the home network shown. WiFi (UMA): SeGW + UNC + P-CSCF + C-BGF. WiMAX/WiFi broadband: PDG + P-CSCF + C-BGF. DSL broadband: A-BCF + C-BGF + P-CSCF. Cable: P-CSCF + Application Manager + C-BGF.]
Secure Border Function (SBF)
Similar concept to a firewall, but sits alongside the CSCF network elements
Thwarts DoS/DDoS attacks
Uses established techniques to do firewall/NAT traversal
Adds previously non-existent rate-based admission control capabilities
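As an added example (not code from the NexTone deck), the following Python sketches the rate-based admission control the deck credits to the SBF, and the Layer 5 DoS protection of the DoS concepts slide: a token bucket per source address and SIP method class, with a quarantine step as the "closed loop" reaction. The rate policy, addresses and request trace are constructed assumptions; time is passed in explicitly so the run is deterministic.

```python
"""Added example, not code from the NexTone deck: per-source, per-method
token-bucket admission control for SIP requests with a quarantine
"closed loop". Policy numbers, addresses and the trace are constructed."""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refill, `burst` capacity."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# Assumed policy per source IP: dialog-creating requests cost the CSCF
# the most (HSS lookups, state), so they get the tightest limits.
POLICY = {
    "INVITE":   (2.0, 3),    # (sustained requests/s, burst)
    "REGISTER": (1.0, 2),
    "OPTIONS":  (5.0, 5),
}
DEFAULT_LIMIT = (20.0, 20)   # ACK, BYE, PRACK and other in-dialog traffic
QUARANTINE_AFTER = 5         # rejections before the source is quarantined
QUARANTINE_SECONDS = 30.0


class SipRateAdmission:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.buckets = defaultdict(dict)        # src -> method -> TokenBucket
        self.rejections = defaultdict(int)
        self.quarantined_until = {}

    def admit(self, src, method, now):
        """Return (admitted, reason) for one request from `src`."""
        until = self.quarantined_until.get(src)
        if until is not None:
            if now < until:
                return False, "quarantined"
            del self.quarantined_until[src]     # penalty served, start clean
            self.rejections[src] = 0
        rate, burst = self.policy.get(method, DEFAULT_LIMIT)
        bucket = self.buckets[src].get(method)
        if bucket is None:
            bucket = self.buckets[src][method] = TokenBucket(rate, burst)
        if bucket.take(now):
            return True, "ok"
        self.rejections[src] += 1
        if self.rejections[src] >= QUARANTINE_AFTER:
            self.quarantined_until[src] = now + QUARANTINE_SECONDS
            return False, "quarantined"
        return False, "rate-limited"


# Constructed trace: one legitimate phone and one INVITE flooder.
TRACE = (
    [(1.0, "192.0.2.10", "REGISTER"), (2.0, "192.0.2.10", "INVITE"),
     (2.5, "192.0.2.10", "ACK"), (60.0, "192.0.2.10", "BYE")]
    + [(1.0 + 0.05 * i, "203.0.113.9", "INVITE") for i in range(10)]
    + [(40.0, "203.0.113.9", "INVITE")]          # after the quarantine expires
)
TRACE.sort(key=lambda e: e[0])


def run_trace(trace=TRACE):
    """Feed the trace through one admission controller; return
    (src, method, admitted, reason) per request in time order."""
    ctl = SipRateAdmission()
    return [(src, method, *ctl.admit(src, method, t)) for t, src, method in trace]


if __name__ == "__main__":
    for src, method, ok, why in run_trace():
        print("%-13s %-8s %s (%s)" % (src, method, "ADMIT" if ok else "DROP", why))
```

Two design points matter in practice: the bucket is keyed per source and per method so a REGISTER storm cannot starve INVITEs from the same legitimate access network, and the quarantine is what stops a flooder from consuming a token every refill interval at the controller's expense. Rejected requests should be dropped silently at the border rather than answered with 503, since a response per flood packet is itself amplification.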
SBF Logical Security Architecture
[Diagram: SBF logical security architecture, a layered stack applied to both the signaling path and the media path. Layer 2 Ethernet, Layer 3 IP and Layer 4 TCP/UDP: queue/buffer management, the TCP/IP stack in a hardened OS, a packet filter and packet rate management (DoS protection). Layer 5 SIP: SIP control with rate admission control (SIP protocol vulnerabilities, DoS protection). Layer 7 Application: call admission control with authentication/authorization, network-based correlation, theft of service mitigation, SPAM/SPIT prevention. Across all layers: analytics/post-processing, reporting & monitoring, alarming & closed-loop control.]
Consolidation of Functions
[Diagram: consolidation of functions. Across WiFi, WiMAX and UMA access, the separate access and interconnect elements (WAP/WAG, PDG, SeGW, SBC-S, A-BCF, BGF, I-BCF, edge and broadband border elements) collapse into a single SBF at the Access & Interconnect / Session Management boundary, below the Application layer.]
Benefits of SBF
Security for both signaling and media
Signaling and media can be disaggregated or integrated
Can be integrated with any signaling or media element to protect it
Consolidates all access types
Thank You!
For further comments and discussion:[email protected]
www.nextone.com/blog