PRESENTATION TITLE By Author Name email id - PowerPoint PPT Presentation

Description:

VoIP Mobility & Security. Scott Poretsky. Director of Quality Assurance Reef Point Systems ... Reef Point Systems. 8 New England Executive Park. Burlington, MA ...

Slides: 31
Transcript and Presenter's Notes

2
VoIP Mobility & Security
Securing Fixed-Mobile and Wireless VoIP Convergence Services
Scott Poretsky, Director of Quality Assurance, Reef Point Systems
3
Agenda
  • FMC: Top Driver for Technical Innovation in
    Networking Industry
  • FMC Creates New Security Vulnerabilities and
    Solutions
  • FMC Requires Defense-In-Depth Network Security
    Strategy
  • Security Gateways Must be Validated for Network
    Deployments
  • Conclusions

4
Agenda
  • FMC: Top Driver for Technical Innovation in
    Networking Industry
  • FMC Creates New Security Vulnerabilities and
    Solutions
  • FMC Requires Defense-In-Depth Network Security
    Strategy
  • Security Gateways Must be Validated for Network
    Deployments
  • Conclusions

5
FMC Designed for Mass Market
  • User-controlled reachability
  • Ubiquitous access to services
  • Single user identity across multiple locations
  • Requires scalable, ubiquitous security solutions

[Figure: FMC enables a consistent user experience for consumers on the go (at home, at work, working remotely). Service providers are unifying domains: different networks, user identities, applications.]
6
FMC Enables Revenue-Generating Blended Services
  • Presence
  • Push-to (Push-to-Talk, Push-to-View, etc.)
  • VoIP and Rich Calls (with Video)
  • Mobile Instant Messaging
  • Mobile Video, VideoConferencing, Multiparty
    Gaming, IPTV

7
Service Provider FMC Deployments
  • Unlicensed Mobile Access (UMA)
      • BT
      • T-Mobile
      • TeliaSonera
  • IP Multimedia Subsystem (IMS)
      • Telecom Italia
      • Telefonica
      • Sprint

8
Millions of New Endpoints Require Massive Scalability
  • New mobile data services and other multimedia
    services offered over wireless and converged
    networks create orders of magnitude more
    endpoints than wireline networks today
  • Annual global sales of dual mode mobile phones
    are likely to exceed 100 million during the final
    year of this decade
  • Need to secure all endpoints simultaneously

ABI Research May 05
9
Agenda
  • FMC: Today's #1 Driver for Technical Innovation in
    Networking Industry
  • FMC Creates New Security Vulnerabilities and
    Solutions
  • FMC Requires Defense-In-Depth Network Security
    Strategy
  • Security Gateways Must be Validated for Network
    Deployments
  • Conclusions

10
FMC Security Vulnerabilities
[Diagram: Fixed Mobile Converged IP Network, with labels ATM/FR/IP/MPLS, Mobile, Cable/DSL, Data Network, Broadband Access/IP TV, Public IP Network, PSTN, Wireless LAN]
  • Requires secure and authorized access to network
  • More users, more miscreants
  • Single network, more damage from network attack

11
FMC Security Solutions
  • Mobile handset subscribers are able to freely roam
    to make voice calls and access Internet services.
  • Secure Access: IPsec between Mobile Subscriber
    and Network
  • DoS Prevention: Stateful Firewall at mobile/core
    edge to protect FMC Core, Internet, and Mobile
    Stations
  • User Authentication: AAA to authorize mobile
    subscribers for services, and Certificates for
    mobile subscriber to authorize IPsec peer
  • Stability with Security Scaling: 100s of
    thousands of subscribers

12
FMC Network Architectures
  • Unlicensed Mobile Access (UMA)
      • 3GPP standard for mobile/Wi-Fi Convergence
      • Based upon IETF protocols: IPsec, IKE, RADIUS,
        EAP-SIM
      • Controller: UNC
  • IP Multimedia Subsystem (IMS)
      • 3GPP standard for universal mobile access
      • Based upon IETF protocols: SIP, IPsec, IKE,
        DIAMETER
      • Controller: CSCF

13
UMA FMC Security Architecture
[Diagram: zones User Equipment, Access, UMA Core, Applications; elements Mobile Phone, Dual-Mode Phone, Wireless Laptop, Converged Home, RAN, WiFi, Broadband, UNC, INC, SeGW, AAA, HLR, Gaming, Video, Presence, Voice]
Security Gateway Protects UMA Core, Internet, and User Equipment
14
IMS FMC Security Architecture
[Diagram: zones User Equipment, Access, IMS Core, Applications; elements Mobile Phone, Dual-Mode Phone, Wireless Laptop, Converged Home, RAN, WiFi, Broadband, INC, SeGW, CSCFs, HSS, Gaming, Video, Presence, Voice]
Security Gateway Offload for CSCF Protect and Scale
15
IMS Session Model
[Diagram: zones User Equipment, Access, IMS Core, Applications; elements Mobile Phone, Dual-Mode Phone, Wireless Laptop, Converged Home, RAN, WiFi, Broadband, INC, SeGW, CSCFs, HSS, Gaming, Video, Presence, Voice; label "Control Connection Registered User"]
IMS changes call model to always-on versus on-demand
16
Poor Approach to Security for FMC: Integrated Control and Forwarding
[Diagram: end-to-end communication between two SIP Terminals over a packet-switched network, with Application Servers, SIP Control Path and SIP Media Streams; IP-based services between terminals; any IP connection (e.g. GPRS, EDGE, WCDMA, WLAN, xDSL)]
All Traffic Goes Through FMC Core, Reducing Performance, Scalability, and Protection
17
Security Gateway Approach for FMC: Separating Control Plane From Forwarding
[Diagram: end-to-end communication between two SIP Terminals over a packet-switched network, with Application Servers, SIP Control Path and SIP Media Streams; IP-based services between terminals; any IP connection (e.g. GPRS, EDGE, WCDMA, WLAN, xDSL)]
Separation of Control Plane and Forwarding Plane Increases Security, Performance and Scalability
18
IPsec and SIP Enabled Mobile Devices
  • FMC dependent upon handset vendors implementing
    devices with IPsec, IKE, and SIP support
  • Motorola and Nokia have announced FMC programs

19
Agenda
  • FMC: Today's #1 Driver for Technical Innovation in
    Networking Industry
  • FMC Creates New Security Vulnerabilities and
    Solutions
  • FMC Requires Defense-In-Depth Network Security
    Strategy
  • Security Gateways Must be Validated for Network
    Deployments
  • Conclusions

20
Defense in Depth Safeguards FMC Networks, Zone 1: Subscriber Protection
[Diagram: zones User Equipment, Access, FMC Core, Internet Applications; elements Mobile Phone, Dual-Mode Phone, Wireless Laptop, Converged Home, RAN, WiFi, Broadband, UNC, SeGW, CSCFs, Gaming, Video, Presence, Voice. Protections shown: Malicious Packet Filtering, IPsec Encrypt/Decrypt, Stateful SIP Firewall, SIP DOS Protection]
Secures the Transmission Between the Subscriber and Wireless Network
21
Defense in Depth Safeguards FMC Networks, Zone 2: FMC Core Protection
[Diagram: zones User Equipment, Access, FMC Core, Internet Applications; elements Mobile Phone, Dual-Mode Phone, Wireless Laptop, Converged Home, RAN, WiFi, Broadband, UNC, SeGW, CSCFs, Gaming, Video, Presence, Voice. Protections shown: IPsec Encryption/Decryption, IKE DOS Protection, QoS and Policing, Stateful Firewall, IP DOS Protection, Anti-Spoofing, SIP DOS Protection]
Ensures a Highly Available, Predictable and Secure Network Core
22
Defense in Depth Safeguards FMC Networks, Zone 3: Internet Gateway
[Diagram: zones User Equipment, Access, FMC Core, Internet Applications; elements Mobile Phone, Dual-Mode Phone, Wireless Laptop, Converged Home, RAN, WiFi, Broadband, UNC, SeGW, CSCFs, Gaming, Video, Presence, Voice. Threats shown: Mobile Virus, Internet Worms, DOS Attacks. Protections shown: User Authentication, Stateful Firewall, Codec QoS and Policing, Malicious Packet Filtering]
Protects Core Network Resources
23
Stateful Firewall Fundamental to Defense in Depth
  • Stateful Firewall protects User Equipment, FMC Core,
    and Internet
  • Stateful firewalls must be SIP aware
  • SIP ALG must dynamically manage each session (up
    to 100s of 1000s)
  • SIP ALG must rate limit SIP control and media for
    each session

[Diagram: SIP Control and RTP media passing through a firewall Pinhole]
Alternative is Stateless Firewall or no Firewall: Not a Solution for Secure VoIP
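
An added sketch, not from the original slides, of what the "SIP aware" requirement above means in practice: state is keyed by Call-ID, RTP pinholes are opened only for the address and port negotiated in SDP and closed on BYE, and SIP control and media are rate limited per session. The class name SipAlg, its methods, the one-second fixed-window limiter, the session cap and the sample messages are assumptions made for illustration.

```python
import re
CALL_ID = re.compile(r"^Call-ID:\s*(\S+)", re.I | re.M)
SDP_ADDR = re.compile(r"^c=IN IP4 (\S+)", re.M)
SDP_PORT = re.compile(r"^m=(?:audio|video) (\d+) RTP/AVP", re.M)

class SipAlg:
    """Toy SIP-aware firewall: per-call pinholes and per-call rate limits."""
    def __init__(self, sip_per_sec=5, rtp_per_sec=100, max_sessions=100_000):
        self.limits = {"sip": sip_per_sec, "rtp": rtp_per_sec}
        self.max_sessions = max_sessions
        self.sessions = {}  # Call-ID -> pinholes plus one-second counters

    def _within_rate(self, sess, kind, now):
        if int(now) != sess["sec"]:  # new one-second window: reset counters
            sess.update(sec=int(now), sip=0, rtp=0)
        sess[kind] += 1
        return sess[kind] <= self.limits[kind]

    def on_sip(self, msg, now):
        m = CALL_ID.search(msg)
        if not m:
            return False  # cannot bind the message to a session
        call_id, first = m.group(1), msg.split("\r\n", 1)[0]
        if call_id not in self.sessions:
            if not first.startswith("INVITE ") or len(self.sessions) >= self.max_sessions:
                return False  # only an INVITE, below the session cap, creates state
            self.sessions[call_id] = {"pinholes": set(), "sec": int(now), "sip": 0, "rtp": 0}
        sess = self.sessions[call_id]
        if not self._within_rate(sess, "sip", now):
            return False
        addr = SDP_ADDR.search(msg)
        if addr:  # open a pinhole only for the exact address/port in the SDP
            sess["pinholes"].update((addr.group(1), int(p)) for p in SDP_PORT.findall(msg))
        if first.startswith("BYE "):
            del self.sessions[call_id]  # pinholes close with the call
        return True

    def on_rtp(self, dst_ip, dst_port, now):
        for sess in self.sessions.values():
            if (dst_ip, dst_port) in sess["pinholes"]:
                return self._within_rate(sess, "rtp", now)
        return False  # no pinhole: default deny

# Constructed sample messages (documentation addresses, made-up Call-ID).
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: a1b2@ue1.example.net\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK200 = ("SIP/2.0 200 OK\r\nCall-ID: a1b2@ue1.example.net\r\n\r\n"
         "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 30000 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: a1b2@ue1.example.net\r\n\r\n"
```

A stateless filter cannot do this, because the media ports are only known from the signalling; a production ALG would also track dialog state, RTCP ports and session timeouts.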
24
Agenda
  • FMC: Today's #1 Driver for Technical Innovation in
    Networking Industry
  • FMC Creates New Security Vulnerabilities and
    Solutions
  • FMC Requires Defense-In-Depth Network Security
    Strategy
  • Security Gateways Must be Validated for Network
    Deployments
  • Conclusions

25
IPsec Benchmark Parameters
  • Total Number of IPsec tunnels
  • IPsec Tunnel Establishment Rate
  • IKE DOS Protection
  • Total SAs (IKE and IPsec)

[Diagram: UE, RAN, SeGW, UNC, CSCFs]
26
Stateful Firewall Benchmark Parameters
  • Total Number of Stateful Firewall Sessions
  • Stateful Session Establishment Rate
  • SIP ALG
      • SIP Control
          • Total Number of SIP Sessions Established
          • SIP Session Establishment Rate (CAPS)
          • With and Without Media
          • Established Call Load
          • SIP DOS Protection
          • TCP Reassembly
      • RTP Media
          • Total Number of RTP Media Streams
          • Number of RTP Media Streams per SIP Control
            Session

27
Solution-Agnostic Benchmarks
  • Benchmarks must apply for any FMC solution
      • UA <-> SIP Server <-> UA
      • UA <-> SBC <-> UA
      • UA <-> CSCF or UNC <-> UA
      • UA <-> SEG <-> CSCF <-> SEG <-> UA
  • Enables devices to be compared
  • Enables FMC solutions to be compared

28
Conclusions: FMC Cannot Succeed Without Comprehensive Security
  • Vulnerabilities created by mobile packet core
    being exposed to the public Internet
  • Security is not optional, it's a must
  • Converged IP backbone must support, prioritize and
    appropriately handle voice, video and mobile
    services
  • Scaling is unprecedented. Number of subscribers
    requires stable and high scaling security gateways

29
Contact
Scott Poretsky
Reef Point Systems
8 New England Executive Park
Burlington, MA 01803 USA
main 1 781 505 8300 / fax 1 781 505 8316
sporetsky_at_reefpoint.com
www.reefpoint.com