06_deltas fmc 4-fmc 3 security (ft workshop 180609)
1 © Nokia Siemens Networks
18th June 2009
Nokia Siemens Networks Fixed Mobile Convergence
Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x: Security

Agenda
Introduction and overview of the deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x (IMPACT’s)
Detailed Technical presentations of the Deltas
OAM
Charging
Shared iFC
Routing incl. Emergency, LI and Media Release
IMS 6.2/FMC 4.2 Key Features
Summary of FMC Documentation
Provisioning
Network Dimensioning and Planning
Performance
Security

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x: Security on CMS 8200, CFX 5000 (1)
IMS 5.0 → IMS 6.0
• Blocking of IMPUs and IMPIs after multiple unsuccessful registration attempts
  – Intended to block dictionary attacks
  – After a client unsuccessfully tries to register multiple times in a row within a time interval, it will be blocked for further registrations for a specific amount of time
  – Number of tries, time interval and blocking time can be configured
• TLS support for Gm interface:
  – In addition to the HTTP Digest authentication, a TLS tunnel can be established to provide confidentiality and integrity protection between UE and P-CSCF.
  – TLS tunnel is set up before initial Register and stays up during the complete registration
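
The blocking rule for IMPUs and IMPIs described on this slide, sketched as an added example (not Nokia Siemens Networks code and not the CFX 5000 implementation). The class, the parameter names max_tries, interval and block_time, their default values and the sample identities are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RegistrationBlocker:
    # Parameter names and defaults are assumptions for this example.
    max_tries: int = 3          # failed attempts in a row that trigger a block
    interval: float = 60.0      # seconds within which those failures must fall
    block_time: float = 300.0   # seconds the identity stays blocked
    _failures: dict = field(default_factory=dict)       # identity -> failure times
    _blocked_until: dict = field(default_factory=dict)  # identity -> unblock time

    def is_blocked(self, identity, now):
        until = self._blocked_until.get(identity)
        if until is not None and now >= until:
            # Block expired: forget it and start with a clean failure history.
            del self._blocked_until[identity]
            self._failures.pop(identity, None)
            return False
        return until is not None

    def record(self, identity, success, now):
        """Feed one REGISTER outcome for an IMPU/IMPI; return the decision."""
        if self.is_blocked(identity, now):
            return "rejected"                   # refused regardless of credentials
        if success:
            self._failures.pop(identity, None)  # "in a row": success resets the run
            return "ok"
        recent = [t for t in self._failures.get(identity, []) if now - t < self.interval]
        recent.append(now)
        self._failures[identity] = recent
        if len(recent) >= self.max_tries:
            self._blocked_until[identity] = now + self.block_time
            return "blocked"
        return "failed"

def replay(events, blocker=None):
    """Run (time, identity, success) tuples through a blocker; return outcomes."""
    blocker = blocker or RegistrationBlocker()
    return [blocker.record(ident, ok, t) for t, ident, ok in events]

# Constructed sample: repeated failures for one IMPI, plus an unrelated subscriber.
SAMPLE = [
    (0, "alice@example.net", False), (5, "alice@example.net", False),
    (6, "bob@example.net", True),
    (10, "alice@example.net", False),  # third failure within 60 s -> blocked to t=310
    (20, "alice@example.net", True),   # valid credentials, still rejected
    (400, "alice@example.net", True),  # block expired -> ok
]
```

Because the block is keyed on the identity, the subscriber's own valid registration at t=20 is rejected as well, which is the trade-off to weigh when choosing the blocking time.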

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x: Security on CMS 8200, CFX 5000 (2)
IMS 5.0 → IMS 6.0
• HSS Subscriber Provisioning GUI:
  – HTTPS is supported for the provisioning GUI
  – Digest password is hidden from the administrator

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x: Security on CMS 8200, CFX 5000 (3)
IMS 6.0 → IMS 6.1
• IBCF (Interworking Border Control Function):
  – New role on CFX 5000 for IP peering
  – Main security features:
      – Pinholing, NAT, IP version interworking
      – DoS protection on Ic interface
      – Enforcement of Service Level Agreements
• Changes at Gm Interface:
  – Enhancements of DoS protection:
      – Counting of valid requests of registered subscribers: Invite, Subscribe, Message, ...

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x: Security on CMS 8200, CFX 5000 (4)
IMS 6.1 → IMS 6.2
• Special LAN Separation (for FT):
  – On an S-CSCF a separate LAN for Charging is supported
  – On the P-CSCF and I/S-CSCF the ENUM traffic is moved from the OAM LAN to IMS LAN 1 (used for MW, ISC, Cx, ...)
  – On the HSS, a separate LAN for Provisioning is supported
• Password Encryption on the Cx interface:
  – The HTTP Digest password transmitted on Cx in a Cx MAA message shall be encrypted to protect it from eavesdropping.
  – This is a temporary solution until full Zb support is available (IMS 7.1)

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x: Security on HiQ (1)
FMC 3.x → FMC 4.x
• FRN 2590 R13.0: Security on the h8k and HiPath SOAP Server Interface
  – SOAP/XML methods authorized for a specific server interface can be restricted
  – Optional protection of the SOAP/XML interfaces via mutually authenticated TLS
• FRN 2591 R13.0: SFTP protection of CDR delivery
  – Secure FTP protection of CDR delivery to the billing server by a push from the hiQ 4200/hiQ 8000 is provided

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x: Security on HiQ (2)
• FRN 5006NWT: SIP Registration P-Access-Network-Info Header Handling for Security
  – The port number (token) from the P-Access-Network-Info header is parsed.
  – It will be determined if the received token matches one of the tokens provisioned for the calling subscriber.
  – Depending on this, the call is continued or not