IMS and Security Sri Ramachandran NexTone

Post on 31-Jan-2016


DESCRIPTION

IMS and Security. Sri Ramachandran, NexTone. PowerPoint PPT presentation, 19 slides.

TRANSCRIPT

Page 1: IMS and Security

IMS and Security

Sri Ramachandran

NexTone

Page 2: IMS and Security

2 CONFIDENTIAL © 2006, NexTone Communications. All rights

Traditional approaches to Security - The “CIA” principle

Confidentiality: Am I communicating with the right system or user? Can another system or user listen in?

Integrity: Have the messages been tampered with?

Availability: Can the systems that enable the communication service be compromised?

Page 3: IMS and Security


The Demarcation Point – Solution for protecting networks and multiple end systems

Create a trust boundary by using a firewall. Firewalls and NATs apply the “Authorization” aspect of Confidentiality: only the streams the policy permits may cross the boundary.

[Diagram: a firewall separates the Untrusted side (“The” Network) from the Trusted side (private IP address space). An authorized stream passes through the boundary; an unauthorized stream is blocked at it.]

Page 4: IMS and Security


Solutions for separate control and data streams

FTP, BitTorrent, RTSP and SIP have separate control and data streams, and the data streams are ephemeral: their addresses and ports are negotiated per session inside the control stream, so a static firewall rule cannot describe them.

Solution: use an Application Layer Gateway (ALG) that scans the control stream for the attributes of the data stream (address, port, protocol) and opens the boundary only for that stream, only for the life of the session.

Two approaches to building ALGs: a dedicated-purpose gateway per protocol, or a general deep packet inspector/scanner.
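How an ALG reads the control stream to learn the data stream, as an added example that is not from the slides: a small Python inspector takes a constructed SIP INVITE, pulls the media address and ports out of its SDP offer, and turns them into the RTP/RTCP pinholes a firewall would open. The addresses (RFC 5737 documentation ranges), the Call-ID and the policy that media must go to the host that sent the signaling are assumptions made for this example.

```python
"""ALG-style inspection of a SIP INVITE: read the control stream (SIP/SDP) to
learn where the ephemeral media streams (RTP/RTCP) will go, and derive the
pinholes a firewall/NAT would open for them.  Added example; the INVITE below is
constructed, not captured traffic."""
import ipaddress
from dataclasses import dataclass

# Constructed SDP offer: audio and video, both on the offerer's own address.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)
# Constructed SIP INVITE carrying that offer (hypothetical hosts and Call-ID).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)


@dataclass(frozen=True)
class Pinhole:
    proto: str   # transport to permit through the boundary
    addr: str    # media endpoint taken from the SDP c= line
    port: int    # RTP port from m=, or RTP port + 1 for RTCP
    media: str   # e.g. "audio/rtp", "audio/rtcp"


def split_sip(message):
    """Split a SIP message into (request line, {header: value}, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_connection(line):
    """c=<nettype> <addrtype> <address>[/ttl][/count]  ->  address"""
    fields = line[2:].split()
    if len(fields) != 3 or fields[0] != "IN" or fields[1] not in ("IP4", "IP6"):
        raise ValueError(f"unsupported connection line: {line!r}")
    return fields[2].split("/")[0]


def media_pinholes(sdp, signaling_src):
    """Return (True, [Pinhole, ...]) or (False, reason) for an SDP offer."""
    session_addr = None
    streams = []                       # [kind, port, addr] per m= line
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = parse_connection(line)
            if streams:
                streams[-1][2] = addr  # media-level c= overrides the session-level one
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            streams.append([kind, int(port), session_addr])

    pinholes = []
    for kind, port, addr in streams:
        if port == 0:                  # port 0 = stream declined, nothing to open
            continue
        if addr is None:
            return False, f"{kind} stream has no c= line"
        # Policy assumed for the example: the offerer may not point the firewall at a
        # third party; media must go to the host that sent the signaling.
        if ipaddress.ip_address(addr) != ipaddress.ip_address(signaling_src):
            return False, f"SDP wants media at {addr} but signaling came from {signaling_src}"
        pinholes.append(Pinhole("udp", addr, port, f"{kind}/rtp"))
        pinholes.append(Pinhole("udp", addr, port + 1, f"{kind}/rtcp"))
    return True, pinholes


def inspect_invite(message, signaling_src):
    """ALG entry point: validate the control message, then derive media pinholes."""
    request_line, headers, body = split_sip(message)
    if not request_line.startswith("INVITE "):
        return False, "not an INVITE"
    if headers.get("content-type", "").lower() != "application/sdp":
        return False, "no SDP offer"
    try:
        if int(headers.get("content-length", len(body))) != len(body):
            return False, "Content-Length does not match body"
        return media_pinholes(body, signaling_src)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(inspect_invite(SAMPLE_INVITE, "192.0.2.10"))     # four pinholes
    print(inspect_invite(SAMPLE_INVITE, "198.51.100.7"))   # rejected: third-party media address
```

The strict address check is the policy an ALG at a trust boundary with public addresses on both sides can apply. When the offerer sits behind a NAT the c= line carries a private address, and a border element instead rewrites the SDP and "latches" the pinhole onto the source of the first media packet; that is the NAT traversal the later SBF slides refer to, and it is not implemented here.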

Page 5: IMS and Security


Characteristics of Session Services

Signaling and media may traverse different networks
Intermediate systems for signaling and media are different
Signaling and media networks may be independently secured
Signaling and media have different quality characteristics: media is latency, jitter and packet loss sensitive; reliable delivery of signaling messages is more important than latency and jitter

Page 6: IMS and Security


Denial of Service (DoS) Concepts

Multiple layers:
Layer 3/4: prevention or stealing of session layer processing
Layer 5: prevention and/or stealing of application layer processing (prevention of revenue loss)

Effects:
Theft of service
Unable to honor Service Level Agreement
Resource over-allocation
Resource lock-in

Page 7: IMS and Security


Components of a complete security solution

Ability to create a trust boundary for session services independent of data
Ability to strongly authenticate users and end devices at all session network elements or networks
Ability to encrypt at the trust boundary
Prevent denial of service attacks on service intermediaries: hardened OS, Intrusion Detection/Prevention
Secure management of network elements: IPSec, HTTPS, SSH
Allow network or flow based correlation and aggregation
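The "authenticate users and end devices" item above, as an added example that is not NexTone's code: SIP reuses HTTP Digest (RFC 3261 section 22, RFC 2617), and a registrar that only recomputes the hash is not enough; it also has to check the realm, the freshness of its own nonce, and that the nonce-count keeps increasing so a captured Authorization header cannot be replayed. IMS itself runs Digest AKA (RFC 3310) over the same header framework, which this block does not implement. The realm, user, password and nonce lifetime are constructed values.

```python
"""SIP Digest authentication (RFC 3261 s.22, reusing HTTP Digest from RFC 2617)
with the server-side checks beyond the hash: realm, nonce freshness, nonce-count
replay, constant-time comparison.  Added example; realm, users, passwords and
NONCE_LIFETIME are constructed policy values, not from the slides."""
import hashlib
import hmac
import os
import re

NONCE_LIFETIME = 60.0   # seconds a challenge stays usable (assumed policy)
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5hex(*parts):
    """Digest's building block: hex MD5 over colon-joined fields."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def parse_digest(header):
    """'Digest k="v", k2=v2' -> {'k': 'v', 'k2': 'v2'} (keys lower-cased)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


class Registrar:
    """Server side.  Stores HA1 = MD5(user:realm:password), never the password."""

    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user
        self.nonces = {}   # nonce -> [issued_at, highest nonce-count accepted]

    def challenge(self, now):
        """WWW-Authenticate value sent in the 401 to a REGISTER."""
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = [now, 0]
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, method, authorization, now):
        """True only if the Authorization header answers a live challenge correctly."""
        try:
            p = parse_digest(authorization)
            nc = int(p.get("nc", ""), 16)
        except ValueError:
            return False
        if p.get("realm") != self.realm or p.get("qop") != "auth":
            return False
        entry = self.nonces.get(p.get("nonce"))
        if entry is None or now - entry[0] > NONCE_LIFETIME:
            return False                      # unknown or stale nonce
        if nc <= entry[1]:
            return False                      # nonce-count not increasing: replay
        ha1 = self.ha1_by_user.get(p.get("username"))
        if ha1 is None:
            return False
        ha2 = md5hex(method, p.get("uri", ""))   # the method is bound into the hash
        expected = md5hex(ha1, p["nonce"], p.get("nc", ""), p.get("cnonce", ""), "auth", ha2)
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False
        entry[1] = nc                         # accept, and burn this nonce-count
        return True


def client_authorization(username, password, method, uri, challenge, nc=1):
    """Client side: answer a challenge; returns the Authorization header value."""
    ch = parse_digest(challenge)
    realm, nonce, cnonce, ncstr = ch["realm"], ch["nonce"], os.urandom(8).hex(), f"{nc:08x}"
    response = md5hex(md5hex(username, realm, password), nonce, ncstr, cnonce, "auth",
                      md5hex(method, uri))
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={ncstr}, cnonce="{cnonce}", response="{response}", algorithm=MD5')


if __name__ == "__main__":
    reg = Registrar("ims.example.org",
                    {"alice": md5hex("alice", "ims.example.org", "correct horse")})
    ch = reg.challenge(now=100.0)
    auth = client_authorization("alice", "correct horse", "REGISTER", "sip:ims.example.org", ch)
    print(reg.verify("REGISTER", auth, now=101.0))   # True
    print(reg.verify("REGISTER", auth, now=102.0))   # False: same nonce-count replayed
```

Digest proves possession of the password without sending it, but it does not authenticate the server to the client and it leaves the password open to offline guessing if a challenge/response pair is captured; that is why the slide asks for authentication at every element and for encryption at the trust boundary, and why IMS moved to AKA.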

Page 8: IMS and Security


Convergence of Services

[Diagram: two layered stacks, each with Back Office, Application, Service Delivery/Session Control and Transport layers. Left, “Vertically integrated apps”: separate silos for Voice, Internet, TV, Terminals and Wireless. Right, “Triple play services”: VoIP, Collaboration, IPTV and Internet sharing one stack.]

Page 9: IMS and Security


Network to Service Centric

[Diagram: the same four-layer stack (Back Office, Application, Service Delivery/Session Control, Transport) drawn twice. Left, the network-centric view with Collaboration, IPTV, Internet and VoIP as separate offerings; right, the service-centric view in which VoIP, Presence, IPTV and Collaboration are applications over a common Service Delivery/Session Control layer.]

Page 10: IMS and Security


Migration to IMS

[Diagram: service-centric stacks for VoIP, Presence, IPTV and Collaboration converge on a common Service Delivery/Session Control layer built from IMS elements (CSCF, HSS), over a Transport layer that is both Wireline and Wireless.]

Page 11: IMS and Security


Path to IMS

[Diagram: the preceding stages side by side. 1) Vertically integrated apps: Voice, Internet, TV, Terminals and Wireless, each with its own Back Office, Application and Transport and no shared session control. 2) Triple play services: VoIP, Collaboration, IPTV and Internet over a Service Delivery/Session Control layer. 3) Service-centric: VoIP, Presence, IPTV and Collaboration as applications over common session control. 4) IMS: the same applications over CSCF/HSS session control on Wireline and Wireless transport.]

IMS: Converged Network, Common Session Control, Separate Applications

Page 12: IMS and Security


CableLabs PacketCable 2.0 Reference Architecture

[Diagram, zone by zone:
Local Network: UEs, Cable Modems, NAT & Firewall, PacketCable 1.5 endpoints (E-MTA), other Access Points
Access Network: CMTS, DOCSIS
Core / Edge: P-CSCF, I-CSCF, S-CSCF, HSS, SLF, BGCF, STUN Server, TURN Server, Policy Server, PacketCable Multimedia, PacketCable Application Manager, CMS
Application: Application Server, Presence Server
Interconnect: Border Element, Media Proxy, Interconnect Proxy, PSTN GW (MG, MGC, SG) towards the PSTN and Peer Networks
Operational Support Systems: ENUM, DNS, DHCP, Time, NMS & EMS, CDF]

Callouts on the diagram:
NAT & Firewall Traversal (STUN and TURN servers)
Compatible with E-MTAs
Provisioning, Management, Accounting
Different types of clients
IMS Service Delivery
IMS Elements adopted and enhanced for Cable
Re-use PacketCable PSTN gateway components

Page 13: IMS and Security


Issues with IMS today

Access differentiates IMS flavors
IMS functions and value misunderstood
Bridge from ‘legacy’ to IMS networks mostly underplayed
Ignores Web 2.0 and non-SIP based sessions
Focus on pieces inside ‘walled garden’ – not on interconnecting
Not enough focus on applications

Page 14: IMS and Security


Access Defines IMS Components

[Diagram: access networks on the left (WiFi (UMA), WiMAX/WiFi, broadband DSL, Cable, Internet) each reach the IMS Core through a different set of edge functions: SeGW + UNC, P-CSCF + C-BGF; PDG + P-CSCF + C-BGF; A-BCF + C-BGF + P-CSCF; P-CSCF + App Manager + C-BGF. The edge functions sit in the Visited Network, the IMS Core in the Home Network.]

Page 15: IMS and Security


Secure Border Function (SBF)

Similar concept to a firewall
Is alongside CSCF network elements
Thwarts DoS/DDoS attacks
Uses established techniques to do firewall/NAT traversal
Adds previously non-existent rate based Admission Control capabilities

Page 16: IMS and Security


SBF Logical Security Architecture

[Diagram: a layered stack, drawn once for SIGNALING and once for MEDIA.
Layers, bottom to top: Layer 2 - Ethernet; Layer 3 - IP; Layer 4 - TCP/UDP; Layer 5 - SIP; Layer 7 - Application.
Functions, bottom to top:
Queue/Buffer Management
TCP/IP Stack in Operating System (hardened OS, DoS protection)
Packet Filter (packet rate management)
SIP Control with Rate Admission Control (SIP protocol vulnerabilities, DoS protection)
Call Admission Control with Authentication/Authorization (theft of service mitigation, SPAM/SPIT prevention)
Across all layers: Analytics/Post-processing, Reporting & Monitoring, Alarming & Closed Loop Control, Network based Correlation.]
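The rate admission control of the two SBF slides above, applied to the DoS effects listed on the Page 6 slide (resource over-allocation and resource lock-in), as an added example that is not NexTone's code: a per-source token bucket drops signaling floods before any SIP parsing, and a per-source cap on unfinished INVITEs plus the INVITE transaction timeout keep a flooder from tying up call state. The rate, burst, cap, addresses and request trace are constructed values chosen for the example.

```python
"""Rate-based admission control for SIP signaling, of the kind an SBF applies in
front of the CSCFs: a per-source token bucket (floods at Layer 3/4) and a per-source
cap on unfinished INVITEs (resource lock-in at Layer 5).  Added example with a
constructed request trace; rate, burst and cap are illustrative policy values."""
from collections import Counter

INVITE_TIMEOUT = 32.0                  # 64*T1 from RFC 3261: life of an INVITE transaction
RELEASING = ("ACK", "CANCEL", "BYE")   # methods that complete or tear down the call


class TokenBucket:
    """`rate` tokens per second, at most `burst` stored; one token per request."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, float(burst)
        self.tokens, self.last = float(burst), now

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SipAdmissionControl:
    def __init__(self, rate=2.0, burst=5, max_pending=3):
        self.rate, self.burst, self.max_pending = rate, burst, max_pending
        self.buckets = {}    # source address -> TokenBucket
        self.pending = {}    # Call-ID -> (source, time the INVITE was admitted)
        self.stats = Counter()

    def _expire(self, now):
        """Abandoned INVITEs must not hold their slot forever (resource lock-in)."""
        for call_id, (_, started) in list(self.pending.items()):
            if now - started > INVITE_TIMEOUT:
                del self.pending[call_id]
                self.stats["expired"] += 1

    def _pending_for(self, src):
        return sum(1 for s, _ in self.pending.values() if s == src)

    def admit(self, src, method, call_id, now):
        """Return 'ADMIT', 'DROP_RATE' or 'DROP_PENDING' for one request."""
        self._expire(now)
        if src not in self.buckets:
            self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        if not self.buckets[src].take(now):   # cheap check first: request rate per source
            self.stats["rate_limited"] += 1
            return "DROP_RATE"
        if method in RELEASING:
            if self.pending.pop(call_id, None) is not None:
                self.stats["released"] += 1
        elif method == "INVITE":
            if self._pending_for(src) >= self.max_pending:
                self.stats["pending_limit"] += 1
                return "DROP_PENDING"
            self.pending[call_id] = (src, now)
        self.stats["admitted"] += 1
        return "ADMIT"


def constructed_trace():
    """(time, source, method, Call-ID): one well-behaved phone and one INVITE flooder."""
    trace = []
    for i in range(3):                                   # one call per second, each ACKed
        trace.append((i * 1.0, "192.0.2.10", "INVITE", f"good-{i}"))
        trace.append((i * 1.0 + 0.5, "192.0.2.10", "ACK", f"good-{i}"))
    for i in range(50):                                  # 50 INVITEs at once, never ACKed
        trace.append((10.0, "198.51.100.7", "INVITE", f"flood-{i}"))
    trace.append((50.0, "198.51.100.7", "INVITE", "flood-late"))  # after its slots expired
    return sorted(trace)


def run(trace, ac=None):
    """Feed a trace through the controller; return it and per-(source, decision) counts."""
    ac = ac or SipAdmissionControl()
    decisions = Counter()
    for now, src, method, call_id in trace:
        decisions[(src, ac.admit(src, method, call_id, now))] += 1
    return ac, decisions


if __name__ == "__main__":
    ac, decisions = run(constructed_trace())
    for key, n in sorted(decisions.items()):
        print(key, n)
    print(dict(ac.stats))
```

With these values the phone's six requests are all admitted, while of the flooder's 50 simultaneous INVITEs only the burst of five passes the bucket and only three of those get a pending slot; the rest are dropped before they reach SIP processing, and the three abandoned slots are reclaimed at the 32 s timeout. In a deployment the bucket key would be refined after authentication (per subscriber, per trunk), and the counters would feed the reporting and closed-loop control shown in the diagram.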

Page 17: IMS and Security


Consolidation of Functions

[Diagram: a grid of access types (WiFi, WiMAX, UMA, BB, Edge) against functional layers (Access & Interconnectivity, Session Management, Application) listing today's separate elements: WAP/WAG, WAG, PDG, SeGW, SBC-S, A-BCF, BGF, I-BCF. The SBF consolidates them into a single Access & Interconnect function.]

Page 18: IMS and Security


Benefits of SBF

Security for both signaling and media
Signaling and media can be disaggregated or integrated
Can be integrated with any signaling or media element to protect it
Consolidates all access types

Page 19: IMS and Security


Thank You!

For further comments and discussion:[email protected]

www.nextone.com/blog