Published by Megan Houston
Modified over 2 years ago
IMS and Security
Sri Ramachandran, NexTone
CONFIDENTIAL © 2006, NexTone Communications. All rights reserved.

Slide 2 – Traditional approaches to Security: the CIA principle
- Confidentiality: Am I communicating with the right system or user? Can another system or user listen in?
- Integrity: Have the messages been tampered with?
- Availability: Can the systems that enable the communication service be compromised?
Slide 3 – The Demarcation Point: solution for protecting networks and multiple end systems
- Create a trust boundary by using a firewall
- Firewalls and NATs use the Authorization principle of Confidentiality
- Diagram: an untrusted side and a trusted side (the network, private IP address space); an authorized stream passes the boundary, an unauthorized stream is blocked
Slide 4 – Solutions for separate control and data streams
- FTP, BitTorrent, RTSP and SIP have separate control and data streams
- Data streams are ephemeral
- Solution: use an Application Layer Gateway (ALG) that scans the control stream for the attributes of the data stream
- 2 approaches to building ALGs: dedicated purpose, or a deep packet inspector/scanner
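The ALG idea on this slide, as an added example that is not NexTone's code: a SIP control message (an INVITE carrying SDP) is scanned for the attributes of the ephemeral media streams it announces (connection address, port, transport), and the narrowly scoped firewall pinholes the ALG would open for RTP and RTCP are derived from them. The INVITE and its addresses are constructed for the demo; the pinhole representation (a protocol/peer/address/port tuple) is this example's own assumption, not any product's rule format.

```python
"""Minimal SIP/SDP ALG scan: pull media-stream attributes out of the
control stream and derive the firewall pinholes to open.
Added example; the message below is constructed, not captured traffic."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed SDP body: one audio and one video stream from a private host.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "a=rtpmap:31 H261/90000\r\n"
)

# Constructed SIP INVITE (the control stream) wrapping the SDP body.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.org>;tag=1928\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


@dataclass(frozen=True)
class MediaStream:
    kind: str        # "audio", "video", ...
    address: str     # connection address in force for this m= line
    port: int        # RTP port announced in the m= line
    transport: str   # e.g. "RTP/AVP"


def extract_media_streams(sip_message: str) -> list[MediaStream]:
    """Scan a SIP message for SDP media descriptions.

    Honours a session-level c= line and media-level c= overrides, skips
    rejected streams (port 0) and m= lines with no usable address."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        return []
    session_addr: str | None = None
    streams: list[MediaStream] = []
    for line in body.splitlines():
        if line.startswith("c="):
            parts = line[2:].split()
            if len(parts) != 3 or parts[0] != "IN" or parts[1] not in ("IP4", "IP6"):
                continue
            if not streams:
                session_addr = parts[2]          # session-level connection line
            else:
                last = streams[-1]               # media-level override for the last m=
                streams[-1] = MediaStream(last.kind, parts[2], last.port, last.transport)
        elif line.startswith("m="):
            parts = line[2:].split()
            port_field = parts[1].split("/")[0] if len(parts) >= 3 else ""
            if not port_field.isdigit():
                continue
            streams.append(MediaStream(parts[0], session_addr, int(port_field), parts[2]))
    return [s for s in streams if s.address is not None and s.port != 0]


def pinhole_rules(streams: list[MediaStream], peer: str = "any") -> list[tuple[str, str, str, int]]:
    """Derive the pinholes an ALG would open: UDP to the announced RTP port
    and to the RTCP port (RTP port + 1) for each accepted stream.
    Rule shape (proto, peer, address, port) is this example's own convention."""
    rules = []
    for s in streams:
        for port in (s.port, s.port + 1):
            rules.append(("udp", peer, s.address, port))
    return rules


if __name__ == "__main__":
    found = extract_media_streams(SAMPLE_INVITE)
    for rule in pinhole_rules(found):
        print("allow", *rule)
```

The pinholes are keyed to the exact address and port pair announced in the control stream, which is what keeps the opening narrow; a real ALG also closes them when the dialog ends (BYE or timeout), which this snippet does not model.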
Slide 5 – Characteristics of Session Services
- Signaling and media may traverse different networks
- Intermediate systems for signaling and media are different
- Signaling and media networks may be independently secured
- Signaling and media have different quality characteristics: media is latency, jitter and packet loss sensitive; reliable delivery of signaling messages is more important than latency and jitter
Slide 6 – Denial of Service (DoS) Concepts
- Multiple layers:
  - Layer 3/4: prevention or stealing of session layer processing
  - Layer 5: prevention and/or stealing of application layer processing (prevention of revenue loss)
- Theft of service
- Unable to honor Service Level Agreement
- Resource over-allocation
- Resource lock-in
Slide 7 – Components of a complete security solution
- Ability to create a trust boundary for session services independent of data
- Ability to strongly authenticate users and end devices at all session network elements or networks
- Ability to encrypt at the trust boundary
- Prevent denial of service attacks on service intermediaries: hardened OS, Intrusion Detection/Prevention
- Secure management of network elements: IPSec, HTTPS, SSH
- Allow network or flow based correlation and aggregation
Slide 8 – Convergence of Services
(Diagram: two stacks of Back Office / Application / Service Delivery-Session Control / Transport. Left: vertically integrated apps for Voice, Internet, TV, Terminals and Wireless. Right: triple play services – VoIP, Collaboration, IPTV, Internet.)
Slide 9 – Network to Service Centric
(Diagram: the same Back Office / Application / Service Delivery-Session Control / Transport stacks; triple play services on the left (Collaboration, IPTV, Internet) move to service-centric offerings on the right: VoIP, Presence, IPTV, Collaboration.)
Slide 10 – Migration to IMS
(Diagram: the service-centric stack (VoIP, Presence, IPTV, Collaboration) migrates to an IMS stack in which the same services share a common session control layer of CSCF and HSS, reached over wireline and wireless access.)
Slide 11 – Path to IMS
(Diagram: the four stages of slides 8-10 side by side – vertically integrated apps, triple play services, service-centric services, and the IMS converged network with common session control (CSCF, HSS) over wireline and wireless access and separate applications.)
Slide 12 – CableLabs PacketCable 2.0 Reference Architecture
- Compatible with E-MTAs
- NAT & Firewall Traversal
- PacketCable Multimedia
- Provisioning, Management, Accounting
- Different types of clients
- IMS Service Delivery
- IMS Elements adopted and enhanced for Cable
- Re-use PacketCable PSTN gateway components
Slide 13 – Issues with IMS today
- Access differentiates IMS flavors
- IMS functions and value misunderstood
- Bridge from legacy to IMS networks mostly underplayed
- Ignores Web 2.0 and non-SIP based sessions
- Focus on pieces inside the walled garden, not on interconnecting
- Not enough focus on applications
Slide 14 – Access Defines IMS Components
(Diagram: each access type – WiFi (UMA), WiMAX/WiFi, broadband, cable, DSL, Internet – enters the IMS Core through a different combination of edge elements: SeGW + UNC; PDG + P-CSCF + C-BGF; A-BCF + C-BGF + P-CSCF; P-CSCF + App Manager + C-BGF; the split between Visited Network and Home Network is shown.)
Slide 15 – Secure Border Function (SBF)
- Similar concept to a firewall
- Sits alongside the CSCF network elements
- Thwarts DoS/DDoS attacks
- Uses established techniques to do firewall/NAT traversal
- Adds previously non-existent rate based Admission Control capabilities
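The rate based admission control that slides 6 and 15 place in front of session processing, as an added example that is not NexTone's SBF code: each source address gets a token bucket that admits a burst and then a sustained request rate, requests beyond that are rejected before they reach the CSCF, and a source that keeps exceeding its rate raises an alarm for the monitoring side. Integer millisecond timestamps and "millitokens" keep the arithmetic exact. The traffic (one legitimate phone at 1 request/s and one flooding source at 100 requests/s), the addresses and the thresholds are constructed for the demo.

```python
"""Per-source token-bucket admission control for SIP signaling.
Added example; traffic and thresholds below are constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

MILLI = 1000  # tokens are tracked in thousandths so refill stays integer


@dataclass
class Bucket:
    tokens: int   # millitokens currently available
    last_ms: int  # timestamp of the last update


class RateAdmissionControl:
    """Admit at most `burst` requests at once and `rate_per_sec` sustained,
    per source; count rejections and alarm once a source keeps exceeding."""

    def __init__(self, rate_per_sec: int, burst: int, alarm_threshold: int = 20):
        self.rate_per_sec = rate_per_sec
        self.burst_mt = burst * MILLI
        self.alarm_threshold = alarm_threshold
        self.buckets: dict[str, Bucket] = {}
        self.rejected: dict[str, int] = defaultdict(int)
        self.alarms: list[str] = []

    def admit(self, src: str, now_ms: int) -> bool:
        b = self.buckets.get(src)
        if b is None:
            b = self.buckets[src] = Bucket(tokens=self.burst_mt, last_ms=now_ms)
        # Refill: rate_per_sec tokens/s == rate_per_sec millitokens/ms, capped at the burst.
        b.tokens = min(self.burst_mt, b.tokens + (now_ms - b.last_ms) * self.rate_per_sec)
        b.last_ms = now_ms
        if b.tokens >= MILLI:
            b.tokens -= MILLI
            return True
        self.rejected[src] += 1
        if self.rejected[src] == self.alarm_threshold:
            self.alarms.append(src)       # hand off to reporting/alarming
        return False


def replay(events: list[tuple[str, int]], rac: RateAdmissionControl) -> dict[str, int]:
    """Feed (source, timestamp_ms) arrivals through the control; return admits per source."""
    admitted: dict[str, int] = defaultdict(int)
    for src, t in events:
        if rac.admit(src, t):
            admitted[src] += 1
    return dict(admitted)


# Constructed arrivals: a phone sending 1 INVITE/s for 10 s, and a flood of 100/s for 10 s.
LEGIT_SRC = "192.0.2.10"
FLOOD_SRC = "198.51.100.7"
LEGIT = [(LEGIT_SRC, i * 1000) for i in range(10)]
FLOOD = [(FLOOD_SRC, i * 10) for i in range(1000)]


def run_demo() -> tuple[dict[str, int], RateAdmissionControl]:
    """Run both sources through a 5 req/s, burst-10 policy and return the results."""
    rac = RateAdmissionControl(rate_per_sec=5, burst=10)
    events = sorted(LEGIT + FLOOD, key=lambda e: e[1])
    return replay(events, rac), rac


if __name__ == "__main__":
    admitted, rac = run_demo()
    for src in (LEGIT_SRC, FLOOD_SRC):
        print(f"{src}: admitted={admitted.get(src, 0)} rejected={rac.rejected[src]}")
    print("alarms:", rac.alarms)
```

Because the buckets are per source, the flood only exhausts its own bucket: the legitimate phone keeps all ten of its requests while the flooding source is held to its burst plus the sustained rate, and it is the only one that trips the alarm. A production SBF would key buckets on more than the source address (registered identity, access network) and expire idle buckets to bound memory.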
Slide 16 – SBF Logical Security Architecture
(Diagram, for both signaling and media: the layers Layer 2 – Ethernet, Layer 3 – IP, Layer 4 – TCP/UDP, Layer 5 – SIP and Layer 7 – Application are mapped onto the functions Queue/Buffer Management, TCP/IP Stack in the Operating System, Packet Filter, Analytics/Post-processing, SIP Control with Rate Admission Control, Call Admission Control with Authentication/Authorization, Reporting & Monitoring, Alarming & Closed Loop Control, all on a Hardened OS. Threats addressed per layer: DoS protection and packet rate management, network based correlation, theft of service mitigation, SPAM/SPIT prevention, SIP protocol vulnerabilities.)
Slide 17 – Consolidation of Functions
(Diagram: across the planes Access & Interconnectivity, Access & Interconnect, Session Management and Application, the per-access elements WAP/WAG, PDG, SeGW, SBC-S, A-BCF, Edge BGF, BB and I-BCF serving WiFi, WiMAX and UMA are consolidated into the SBF.)
Slide 18 – Benefits of SBF
- Security for both signaling and media
- Signaling and media can be disaggregated or integrated
- Can be integrated with any signaling or media element to protect it
- Consolidates all access types
Slide 19 – Thank You! For further comments and discussion:
The leader in session border control for trusted, first class interactive communications.