Presentation is loading. Please wait.

Presentation is loading. Please wait.

IMS and Security Sri Ramachandran NexTone. 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle.

Similar presentations


Presentation on theme: "IMS and Security Sri Ramachandran NexTone. 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle."— Presentation transcript:

1 IMS and Security Sri Ramachandran NexTone

2 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle Confidentiality Am I communicating with the right system or user? Can another system or user listen in? Integrity Have the messages been tampered with? Availability Can the systems that enable the communication service be compromised?

3 3 CONFIDENTIAL © 2006, NexTone Communications. All rights The Demarcation Point – Solution for protecting networks and multiple end systems Create a trust boundary by using a firewall Firewalls and NATs use the Authorization principle of Confidentiality Untrusted Trusted The Network Private IP Address space Authorized stream Unauthorized stream

4 4 CONFIDENTIAL © 2006, NexTone Communications. All rights Solutions for separate control and data streams FTP, BitTorrent, RTSP, SIP have separate control and data streams Data streams are ephemeral Solution: Use Application Layer Gateway (ALG) Scan control stream for attributes of data stream 2 approaches to building ALGs Dedicated purpose Deep packet inspector/scanner

5 5 CONFIDENTIAL © 2006, NexTone Communications. All rights Characteristics of Session Services Signaling and media may traverse different networks Intermediate systems for signaling and media are different Signaling and media networks may be independently secured Signaling and media have different quality characteristics Media is latency, jitter and packet loss sensitive Reliable delivery of signaling messages is more important than latency and jitter

6 6 CONFIDENTIAL © 2006, NexTone Communications. All rights Denial of Service (DoS) Concepts Multiple layers: Layer 3/4 - prevention or stealing of session layer processing Layer 5: - prevention and/or stealing of application layer processing (prevention of revenue loss) Theft of service Unable to honor Service Level Agreement Resource over-allocation Resource lock-in

7 7 CONFIDENTIAL © 2006, NexTone Communications. All rights Components of a complete security solution Ability to create a trust boundary for session services independent of data Ability to strongly authenticate users and end devices at all session network elements or networks Ability to encrypt at the trust boundary Prevent denial of service attacks on service intermediaries Hardened OS, Intrusion Detection/Prevention Secure management of network elements IPSec, HTTPS, SSH Allow network or flow based correlation and aggregation

8 8 CONFIDENTIAL © 2006, NexTone Communications. All rights Convergence of Services Back Office Application Service Delivery/ Session Control Transport Back Office Application Service Delivery/ Session Control Transport Voice Internet TV Terminals Wirelesse VoIP Collaboration IPTV Internet Vertically integrated apps Triple play services

9 9 CONFIDENTIAL © 2006, NexTone Communications. All rights Network to Service Centric Back Office Application Service Delivery/ Session Control Transport Back Office Application Service Delivery/ Session Control Transport Collaboration IPTV Internet VoIP Presence IPTV Collaboration

10 10 CONFIDENTIAL © 2006, NexTone Communications. All rights Migration to IMS Back Office Application Service Delivery/ Session Control Transport Back Office Application Service Delivery/ Session Control Transport VoIP Presence IPTV Collaboration VoIP Presence IPTV Collaboration CSCFHSS Wireline Wireless

11 11 CONFIDENTIAL © 2006, NexTone Communications. All rights Path to IMS Back Office Application Transport Voice Internet TV Terminals Wirelesse Vertically integrated apps Back Office Application Service Delivery/ Session Control Transport VoIP Collaboration IPTV Internet Triple play services Back Office Application Service Delivery/ Session Control Transport VoIP Presence IPTV Collaboration Back Office Application Service Delivery/ Session Control Transport VoIP Presence IPTV Collaboration CSCFHSS Wireline Wireless IMS Converged Network Common Session Control Separate Applications

12 12 CONFIDENTIAL © 2006, NexTone Communications. All rights CableLabs PacketCable 2.0 Reference Architecture Compatible with E-MTAs NAT & Firewall Traversal PacketCable Multimedia Provisioning, Management, Accounting Different types of clients IMS Service Delivery IMS Elements adopted and enhanced for Cable Re-use PacketCable PSTN gateway components

13 13 CONFIDENTIAL © 2006, NexTone Communications. All rights Issues with IMS today Access differentiates IMS flavors IMS functions and value misunderstood Bridge from legacy to IMS networks mostly underplayed Ignores Web 2.0 and non-SIP based sessions Focus on pieces inside walled garden – not on interconnecting Not enough focus on applications

14 14 CONFIDENTIAL © 2006, NexTone Communications. All rights Access Defines IMS Components WiFi (UMA) WiMAX, WiFi BB IMS Core SeGW + UNC P-CSCF + C-BGF PDG + P-CSCF + C-BGF A-BCF + C-BGF + P-CSCF P-CSCF + App Manager + C-BGF Internet Visited Network Home Network Cable DSL Internet

15 15 CONFIDENTIAL © 2006, NexTone Communications. All rights Secure Border Function (SBF) Similar concept to a firewall Is alongside CSCF network elements Thwarts DoS/DDoS attacks Uses established techniques to do firewall/NAT traversal Adds previously non-existent Rate based Admission Control capabilities

16 16 CONFIDENTIAL © 2006, NexTone Communications. All rights SBF Logical Security Architecture Layer 2 - Ethernet Layer 3 - IP Layer 4 – TCP/UDP Layer 5 – SIP Layer 7 – Application Queue/Buffer Management TCP/IP Stack in Operating System Packet Filter Analytics/ Post-processing SIP Control with Rate Admission Control Call Admission Control with Authentication/Authorization Reporting & Monitoring Alarming & Closed Loop Control Hardened OS DoS protection SIGNALINGMEDIA Network based Correlation Theft of service mitigation SPAM/SPIT prevention SIP Protocol vulnerabilities DoS protection Packet rate mgmt

17 17 CONFIDENTIAL © 2006, NexTone Communications. All rights Consolidation of Functions Access & Interconnectivity Access & Interconnect Session Management Application WAP/WAGWAG PDG SeGW SBC-SA-BCF WiFiWiMAXUMA Edge BGF BB I-BCF SBF

18 18 CONFIDENTIAL © 2006, NexTone Communications. All rights Benefits of SBF Security for both signaling and media Signaling and media can be disaggregated or integrated Can be integrated with any signaling or media element to protect it Consolidates all access types

19 19 CONFIDENTIAL © 2006, NexTone Communications. All rights Thank You! For further comments and discussion:


Download ppt "IMS and Security Sri Ramachandran NexTone. 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle."

Similar presentations


Ads by Google