IMS and Security - PowerPoint PPT Presentation

About This Presentation

Title: IMS and Security
Presenter: Sri Ramachandran, NexTone (NexTone Communications, 2006). 20 slides.
Transcript and Presenter's Notes

1
IMS and Security
  • Sri Ramachandran
  • NexTone

2
Traditional approaches to Security - The CIA
principle
  • Confidentiality
  • Can another system or user listen in?
  • Am I communicating with the right system or user?
    (strictly an authentication question, grouped under
    confidentiality on this slide)
  • Integrity
  • Have the messages been tampered with?
  • Availability
  • Can the systems that enable the communication
    service be compromised or taken offline?

3
The Demarcation Point Solution for protecting
networks and multiple end systems
  • Create a trust boundary by using a firewall
  • Firewalls and NATs enforce authorization at that
    boundary: only streams admitted by policy cross
    from the untrusted side into the private IP
    address space

(Diagram: untrusted network | trust boundary | trusted private IP address space; an authorized stream crosses the boundary into the network, an unauthorized stream is blocked.)
4
Solutions for separate control and data streams
  • FTP, BitTorrent, RTSP, SIP have separate control
    and data streams
  • Data streams are ephemeral: addresses and ports
    are negotiated per session, so static firewall
    rules cannot describe them
  • Solution: use an Application Layer Gateway (ALG)
  • Scan the control stream for the attributes of the
    data stream (addresses, ports) and open pinholes
    only for those
  • 2 approaches to building ALGs
  • Dedicated purpose
  • Deep packet inspector/scanner
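The ALG approach on this slide (scan the control stream, open pinholes for the ephemeral data stream), as an added Python example that is not part of the presentation or NexTone's product code: it parses a constructed SIP INVITE, takes the media addresses and ports from the SDP c= and m= lines, derives the RTP/RTCP pinholes a firewall would open, flags RFC 1918 media addresses that also need NAT rewriting (the firewall/NAT interplay of slide 3), and rejects a message whose Content-Length disagrees with its body, since an ALG that trusts that header scans the wrong bytes. The sample message, every address in it, and the Pinhole structure are constructed for illustration.

```python
"""SIP/SDP application layer gateway (ALG) logic.
Added illustration for this page, not NexTone's or any product's code.
The sample INVITE and every address in it are constructed."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 space: media announced from here sits behind a NAT and needs
# address rewriting as well as a pinhole.
_RFC1918 = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed SDP offer: session-level c= applies to audio, a media-level
# c= (private address) overrides it for video.
_SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 10.0.0.11\r\n"
)
_CL = f"Content-Length: {len(_SDP_BODY.encode())}"
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "Content-Type: application/sdp\r\n"
    f"{_CL}\r\n\r\n" + _SDP_BODY
)
# Same message with a Content-Length that disagrees with the body.
TAMPERED_INVITE = SAMPLE_INVITE.replace(_CL, "Content-Length: 40")


@dataclass(frozen=True)
class Pinhole:
    media: str        # "audio" / "video"
    ip: str           # destination address announced in SDP
    port: int         # UDP port to open
    role: str         # "rtp" or "rtcp"
    behind_nat: bool  # RFC 1918 address: rewrite needed, not just a pinhole


def split_sip(msg: str):
    """(request line, headers, body); ValueError on a Content-Length mismatch."""
    head, sep, body = msg.partition("\r\n\r\n")
    if not sep:
        raise ValueError("message has no end-of-headers marker")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    actual = len(body.encode())
    declared = int(headers.get("content-length", actual))
    if declared != actual:
        raise ValueError(f"Content-Length {declared} != body length {actual}")
    return lines[0], headers, body


def sdp_media_endpoints(sdp: str):
    """[(media type, ip, port, transport)] per m= line. A c= line before the
    first m= line is session-level; one after an m= line overrides that stream."""
    session_ip, streams = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            ip = line.split()[2]
            if streams:
                streams[-1]["ip"] = ip
            else:
                session_ip = ip
        elif line.startswith("m="):
            f = line.split()
            streams.append({"type": f[0][2:], "port": int(f[1]),
                            "transport": f[2], "ip": None})
    out = []
    for s in streams:
        ip = s["ip"] or session_ip
        if ip is None:
            raise ValueError(f"no c= line for {s['type']} stream")
        out.append((s["type"], ip, s["port"], s["transport"]))
    return out


def pinholes_for_invite(msg: str):
    """The pinholes an ALG would open after scanning one INVITE."""
    _, headers, body = split_sip(msg)
    if headers.get("content-type") != "application/sdp":
        return []
    holes = []
    for media, ip, port, transport in sdp_media_endpoints(body):
        if port == 0 or not transport.startswith("RTP/"):
            continue  # port 0 means the stream is rejected/disabled
        nat = any(ipaddress.ip_address(ip) in n for n in _RFC1918)
        holes.append(Pinhole(media, ip, port, "rtp", nat))
        holes.append(Pinhole(media, ip, port + 1, "rtcp", nat))  # RFC 3550 default
    return holes


def content_length_ok(msg: str) -> bool:
    """True when the message would be accepted for scanning at all."""
    try:
        split_sip(msg)
        return True
    except ValueError:
        return False
```

Running `pinholes_for_invite(SAMPLE_INVITE)` yields four pinholes (RTP and RTCP for each stream); the video pair is marked `behind_nat`, which is the case where the ALG must also rewrite the SDP, not merely open the firewall. `content_length_ok(TAMPERED_INVITE)` is false.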

5
Characteristics of Session Services
  • Signaling and media may traverse different
    networks
  • Intermediate systems for signaling and media are
    different
  • Signaling and media networks may be independently
    secured
  • Signaling and media have different quality
    characteristics
  • Media is latency, jitter and packet loss
    sensitive
  • Reliable delivery of signaling messages is more
    important than latency and jitter

6
Denial of Service (DoS) Concepts
  • Multiple layers
  • Layer 3/4 - floods that exhaust, or steal, session
    layer processing capacity
  • Layer 5 - floods that exhaust, or steal,
    application layer processing (where the goal of
    protection is prevention of revenue loss)
  • Theft of service
  • Unable to honor Service Level Agreement
  • Resource over-allocation
  • Resource lock-in

7
Components of a complete security solution
  • Ability to create a trust boundary for session
    services independent of data
  • Ability to strongly authenticate users and end
    devices at all session network elements or
    networks
  • Ability to encrypt at the trust boundary
  • Prevent denial of service attacks on service
    intermediaries
    - Hardened OS, Intrusion Detection/Prevention
  • Secure management of network elements
    - IPsec, HTTPS, SSH
  • Allow network or flow based correlation and
    aggregation

8
Convergence of Services
(Diagram: "triple play" services - Internet, Voice, TV - and vertically integrated apps - Internet, IPTV, VoIP, Collaboration - plus wireless, drawn as a stack of Back Office, Application, Service Delivery/Session Control, Transport, and Terminals layers.)
9
Network to Service Centric
(Diagram: per-network silos - VoIP, Internet, IPTV - become services delivered over common infrastructure: VoIP, Collaboration, IPTV, Presence.)
10
Migration to IMS
(Diagram: the applications - VoIP, Collaboration, Presence, IPTV - are re-homed onto a common IMS core (CSCF, HSS) serving both wireless and wireline access.)
11
Path to IMS
(Diagram: separate applications -> converged network -> common session control -> IMS.)
12
CableLabs PacketCable 2.0 Reference Architecture
(Diagram: IMS service delivery with provisioning, management and accounting; re-uses PacketCable PSTN gateway components; compatible with E-MTAs; supports different types of clients.)
13
Issues with IMS today
  • Access differentiates IMS flavors
  • IMS functions and value misunderstood
  • Bridge from legacy to IMS networks mostly
    underplayed
  • Ignores Web 2.0 and non-SIP based sessions
  • Focus on pieces inside walled garden not on
    interconnecting
  • Not enough focus on applications

14
Access Defines IMS Components
(Diagram: each access type reaches the IMS Core through its own chain of edge components.)
  • WiFi (UMA), via a visited network: SeGW, UNC,
    P-CSCF, C-BGF
  • WiMAX / WiFi, via the Internet into the home
    network: PDG, P-CSCF, C-BGF
  • DSL broadband, via the Internet: A-BCF, C-BGF,
    P-CSCF
  • Cable broadband: P-CSCF, App Manager, C-BGF
15
Secure Border Function (SBF)
  • Similar concept to a firewall
  • Sits alongside the CSCF network elements
  • Thwarts DoS/DDoS attacks
  • Uses established techniques to do firewall/NAT
    traversal
  • Adds rate based admission control, which a plain
    firewall/NAT does not provide

16
SBF Logical Security Architecture
(Layered diagram; both the SIGNALING and the MEDIA path pass through every layer.)
  • Above the stack: Reporting, Monitoring, Alarming,
    Closed Loop Control; Network based Correlation;
    Analytics/Post-processing
  • Layer 7 Application - Call Admission Control with
    Authentication/Authorization
    - Theft of service mitigation
    - SPAM/SPIT prevention
  • Layer 5 SIP - SIP Control with Rate Admission
    Control
    - SIP protocol vulnerabilities
    - DoS protection
  • Layer 4 TCP/UDP - TCP/IP stack in the operating
    system
    - Hardened OS
    - DoS protection
  • Layer 3 IP - Packet filter
  • Layer 2 Ethernet - Queue/buffer management, packet
    rate management
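The rate based admission control named on slides 15 and 16, against the layer 3/4 and layer 5 flooding of slide 6, as an added Python example that is not the SBF's implementation: per-source token buckets throttle a single flooding endpoint, and a global bucket caps what reaches the CSCFs when a distributed flood keeps every source under its own limit. The method costs, bucket sizes, addresses and traffic are assumed values constructed for the example.

```python
"""Rate based admission control on the SIP signaling path.
Added illustration for this page, not the SBF's own implementation.
Per-source token buckets throttle one flooding endpoint; a global bucket
bounds the total request rate reaching the CSCFs behind the border.
All traffic, costs and limits below are constructed/assumed."""
from dataclasses import dataclass, field

# Relative cost of a request, reflecting the session-layer work it triggers
# downstream (INVITE: routing and state; REGISTER: HSS/auth). Assumed values.
METHOD_COST = {"INVITE": 2.0, "REGISTER": 1.5, "OPTIONS": 0.5}


@dataclass
class TokenBucket:
    rate: float            # tokens replenished per second
    burst: float           # capacity, i.e. the largest admissible burst
    tokens: float = field(init=False)
    last: float = 0.0      # time of the previous refill

    def __post_init__(self):
        self.tokens = self.burst

    def allow(self, now: float, cost: float = 1.0) -> bool:
        """Refill for elapsed time, then spend `cost` tokens if available."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class SipAdmissionControl:
    """Two-stage check: per-source bucket first, then the global bucket."""

    def __init__(self, src_rate=5.0, src_burst=10.0,
                 global_rate=100.0, global_burst=200.0):
        self.src_rate, self.src_burst = src_rate, src_burst
        self.per_source = {}
        self.global_bucket = TokenBucket(global_rate, global_burst)

    def admit(self, now: float, src: str, method: str) -> bool:
        cost = METHOD_COST.get(method, 1.0)
        bucket = self.per_source.setdefault(
            src, TokenBucket(self.src_rate, self.src_burst))
        # A source that fails its own bucket never touches the shared one,
        # so a single flooder cannot drain capacity for everyone else.
        if not bucket.allow(now, cost):
            return False
        return self.global_bucket.allow(now, cost)


def simulate(events, ctl):
    """Feed (time, src, method) events in time order.
    Returns {src: (admitted, rejected)}."""
    counts = {}
    for t, src, method in sorted(events, key=lambda e: e[0]):
        a, r = counts.get(src, (0, 0))
        if ctl.admit(t, src, method):
            a += 1
        else:
            r += 1
        counts[src] = (a, r)
    return counts


def single_source_flood():
    """One legitimate user and one endpoint bursting 50 INVITEs at t=0."""
    legit, attacker = "203.0.113.5", "198.51.100.9"
    events = [(0.0, legit, "REGISTER"), (1.0, legit, "INVITE"),
              (30.0, legit, "BYE")]
    events += [(0.0, attacker, "INVITE")] * 50
    events.append((0.2, attacker, "INVITE"))  # only 1 token refilled by then
    return simulate(events, SipAdmissionControl())


def distributed_flood(sources=100, per_source=3):
    """Many sources, each under its own limit; the global bucket still caps
    what reaches the CSCF. Returns (admitted, rejected) totals."""
    events = [(0.0, f"10.0.{i // 256}.{i % 256}", "INVITE")
              for i in range(sources) for _ in range(per_source)]
    counts = simulate(events, SipAdmissionControl())
    return (sum(a for a, _ in counts.values()),
            sum(r for _, r in counts.values()))
```

With the assumed limits, `single_source_flood()` admits all three of the legitimate user's requests and only 5 of the attacker's 51 INVITEs, while `distributed_flood()` admits 100 of 300 INVITEs: each of the 100 sources stays under its own bucket, so only the global bucket stands between the flood and the CSCF. The separate per-source check matters because a shared bucket alone would let one flooder starve every other subscriber, which is the "unable to honor SLA" outcome of slide 6.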
17
Consolidation of Functions
(Diagram: the SBF consolidates access, interconnect and session management functions that are otherwise spread across separate boxes.)
  • Application layer: SBC-S (session management),
    A-BCF (access), I-BCF (interconnect)
  • Edge layer: PDG, SeGW, BGF, WAP/WAG
  • Access interconnectivity: WiFi, WiMAX, UMA, BB
18
Benefits of SBF
  • Security for both signaling and media
  • Signaling and media can be disaggregated or
    integrated
  • Can be integrated with any signaling or media
    element to protect it
  • Consolidates all access types

19
Thank You!
For further comments and discussion sri_at_nextone.com www.nextone.com/blog