VoIP Mobility & Security: Securing Fixed-Mobile and Wireless VoIP Convergence Services. Scott Poretsky, Director of Quality Assurance, Reef Point Systems. Presentation transcript.
Slide 3: Agenda
- FMC: Top Driver for Technical Innovation in Networking Industry
- FMC Creates New Security Vulnerabilities and Solutions
- FMC Requires Defense-In-Depth Network Security Strategy
- Security Gateways Must be Validated for Network Deployments
- Conclusions

Slide 5: FMC Designed for Mass Market
[diagram: one consumer on the go, at home, at work and working remotely; service providers are unifying domains (different networks, user identities and applications)]
- User-controlled reachability
- Ubiquitous access to services
- Single user identity across multiple locations
- FMC enables a consistent user experience
- Requires scalable, ubiquitous security solutions

Slide 6: FMC Enables Revenue-Generating Blended Services
- Presence
- Push-to (Push-to-Talk, Push-to-View, etc.)
- VoIP and Rich Calls (with Video)
- Mobile Instant Messaging
- Mobile Video, Videoconferencing, Multiparty Gaming, IPTV

Slide 7: Service Provider FMC Deployments
- Unlicensed Mobile Access (UMA): BT, T-Mobile, TeliaSonera
- IP Multimedia Subsystem (IMS): Telecom Italia, Telefonica, Sprint

Slide 8: Millions of New Endpoints Requires Massive Scalability
- New mobile data services and other multimedia services offered over wireless and converged networks create orders of magnitude more endpoints than wireline networks today
- Annual global sales of dual-mode mobile phones are likely to exceed 100 million during the final year of this decade (source: ABI Research, May 05)
- Need to secure all endpoints simultaneously

Slide 10: FMC Security Vulnerabilities
[diagram: a fixed-mobile converged IP network joining the PSTN, data network, mobile broadband access/IP TV, wireless LAN, ATM/FR/IP/MPLS, cable/DSL and the public IP network]
- Requires secure and authorized access to the network
- More users = more miscreants
- Single network = more damage from a network attack

Slide 11: FMC Security Solutions
Mobile handset subscribers are able to roam freely to make voice calls and access Internet services.
- Secure Access: IPsec between the Mobile Subscriber and the Network
- DoS Prevention: Stateful Firewall at the mobile/core edge to protect the FMC Core, Internet, and Mobile Stations
- User Authentication: AAA to authorize mobile subscribers for services, and Certificates for the mobile subscriber to authorize the IPsec peer
- Stability with Security Scaling: 100s of thousands of subscribers

Slide 12: FMC Network Architectures
- Unlicensed Mobile Access (UMA)
  - 3GPP standard for mobile/Wi-Fi Convergence
  - Based upon IETF protocols: IPsec, IKE, RADIUS, EAP-SIM
  - Controller = UNC
- IP Multimedia Subsystem (IMS)
  - 3GPP standard for universal mobile access
  - Based upon IETF protocols: SIP, IPsec, IKE, DIAMETER
  - Controller = CSCF

Slide 13: UMA FMC Security Architecture
[diagram: User Equipment (Dual-Mode Phone, Mobile Phone, Wireless Laptop) over Access (RAN, WiFi, Broadband) to the SeGW, then the UMA Core (UNC, HLR, AAA) and Converged Home Applications (Presence, Gaming, Video, Voice); the Security Gateway protects the UMA Core, Internet, and User Equipment]

Slide 14: IMS FMC Security Architecture
[diagram: User Equipment (Dual-Mode Phone, Mobile Phone, Wireless Laptop) over Access (RAN, WiFi, Broadband) to the SeGW, then the IMS Core (CSCFs, HLR, AAA, HSS) and Converged Home Applications (Presence, Gaming, Video, Voice); Security Gateway offload for the CSCF: protect and scale]

Slide 15: IMS Session Model
[diagram: the same IMS architecture, with a Control Connection from the "Registered User" through the SeGW to the CSCFs]
IMS changes the call model to "always on" versus on-demand.

Slide 16: Poor Approach to Security for FMC: Integrated Control and Forwarding
[diagram: SIP Terminals on any IP connection (e.g. GPRS, EDGE, WCDMA, WLAN, xDSL) over a packet-switched network; Application Servers provide IP-based services between terminals; the SIP Control Path and the SIP Media Streams (End-to-End Communication) both pass through the FMC Core]
All traffic goes through the FMC Core, reducing performance, scalability, and protection.

Slide 17: Security Gateway Approach for FMC: Separating Control Plane From Forwarding
[diagram: the same topology (SIP Terminals, any IP connection, packet-switched network, Application Servers, End-to-End Communication), with the SIP Control Path separated from the SIP Media Streams]
Separation of the Control Plane and Forwarding Plane increases security, performance and scalability.

Slide 18: IPsec and SIP Enabled Mobile Devices
- FMC is dependent upon handset vendors implementing devices with IPsec, IKE, and SIP support
- Motorola and Nokia have announced FMC programs

Slide 20: Defense in Depth Safeguards FMC Networks. Zone 1: Subscriber Protection
[diagram: User Equipment (Dual-Mode Phone, Mobile Phone, Wireless Laptop), Access (RAN, WiFi, Broadband), SeGW, FMC Core (UNC, CSCFs), Internet, Converged Home Applications (Presence, Gaming, Video, Voice); Zone 1 covers the path between the subscriber and the SeGW]
Safeguards at the SeGW: IPsec Encrypt/Decrypt, Stateful SIP Firewall, SIP DoS Protection, Malicious Packet Filtering.
Secures the transmission between the Subscriber and the Wireless Network.

Slide 21: Defense in Depth Safeguards FMC Networks. Zone 2: FMC Core Protection
[diagram: same architecture as Slide 20; Zone 2 covers the SeGW and the FMC Core (UNC, CSCFs)]
Safeguards: IPsec Encryption/Decryption, IP DoS Protection, IKE DoS Protection, Anti-Spoofing, QoS and Policing, Stateful Firewall, SIP DoS Protection, ECMP.
Ensures a highly available, predictable and secure network core.

Slide 22: Defense in Depth Safeguards FMC Networks. Zone 3: Internet Gateway
[diagram: same architecture as Slide 20; Zone 3 covers the boundary between the FMC Core and the Internet, where DoS Attacks, Internet Worms and Mobile Viruses originate]
Safeguards: User Authentication, Malicious Packet Filtering, Codec QoS and Policing, Stateful Firewall.
Protects Core Network Resources.

Slide 23: Stateful Firewall Fundamental to Defense in Depth
- Stateful Firewall protects User Equipment, FMC Core, and Internet
- Stateful firewalls must be SIP aware
- SIP ALG must dynamically manage each session (up to 100s of 1000s)
- SIP ALG must rate limit SIP control and media for each session
[diagram: the firewall inspects the SIP Control channel and pinholes the RTP media for each session]
The alternative is a Stateless Firewall or no Firewall: not a solution for Secure VoIP.
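As an added illustration of the SIP ALG behaviour this slide asks for (example code written for this transcript, not from the presentation or from Reef Point), a toy stateful, SIP-aware firewall: a session is created only by an INVITE, RTP pinholes are learned from the SDP, RTP is forwarded only once the 200 OK has been seen, SIP control is rate limited per session, and the pinholes close on BYE. The message formats, Call-IDs and addresses are constructed, and the per-session counter has no time window, which a real ALG would add.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not from the slides), CRLF-terminated like real SIP.
SAMPLE_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: c1@ue\r\n\r\n"
                 "v=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 4000 RTP/AVP 0\r\n")
SAMPLE_OK = ("SIP/2.0 200 OK\r\nCall-ID: c1@ue\r\n\r\n"
             "v=0\r\nc=IN IP4 10.0.0.9\r\nm=audio 5000 RTP/AVP 0\r\n")

@dataclass
class Session:                                   # one entry in the firewall's state table
    call_id: str
    pinholes: set = field(default_factory=set)   # (ip, port) RTP endpoints learned from SDP
    sip_msgs: int = 0                            # SIP messages seen (no time window: simplification)
    established: bool = False                    # set once a 200 OK has been seen

class SipAlgFirewall:
    def __init__(self, max_sip_per_session=20):
        self.max_sip_per_session = max_sip_per_session
        self.sessions = {}                       # Call-ID -> Session
    @staticmethod
    def parse_sdp(msg):                          # (ip, port) from the SDP c= and m=audio lines, or None
        c = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
        m = re.search(r"^m=audio (\d+) RTP/AVP", msg, re.M)
        return (c.group(1), int(m.group(1))) if c and m else None
    def sip(self, msg):                          # inspect one SIP control message
        cid = re.search(r"^Call-ID:\s*(\S+)", msg, re.M)
        if not cid:
            return "drop:no-call-id"
        cid, first = cid.group(1), msg.splitlines()[0]
        s = self.sessions.get(cid)
        if s is None:
            if not first.startswith("INVITE"):
                return "drop:no-session"         # stateful: only an INVITE opens a session
            s = self.sessions[cid] = Session(cid)
        s.sip_msgs += 1
        if s.sip_msgs > self.max_sip_per_session:
            return "drop:sip-rate-limit"         # per-session SIP DoS protection
        media = self.parse_sdp(msg)
        if media:
            s.pinholes.add(media)                # the ALG learns where RTP may flow
        if first.startswith("SIP/2.0 200"):
            s.established = True                 # pinholes become usable
        elif first.startswith("BYE"):
            del self.sessions[cid]               # dialog ends: its pinholes close too
        return "allow"
    def rtp(self, dst_ip, dst_port):             # forward RTP only through an open pinhole
        return any(s.established and (dst_ip, dst_port) in s.pinholes
                   for s in self.sessions.values())
```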

Slide 25: IPsec Benchmark Parameters
- Total Number of IPsec tunnels
- IPsec Tunnel Establishment Rate
- IKE DoS Protection
- Total SAs (IKE and IPsec)
[diagram: IPsec Tunnel from the UE across the RAN to the SeGW, in front of the UNC/CSCFs]

Slide 26: Stateful Firewall Benchmark Parameters
- Total Number of Stateful Firewall Sessions
- Stateful Session Establishment Rate
- SIP ALG
  - SIP Control: Total Number of SIP Sessions Established; SIP Session Establishment Rate (CAPS), with and without media; Established Call Load; SIP DoS Protection; TCP Reassembly
  - RTP Media: Total Number of RTP Media Streams; Number of RTP Media Streams per SIP Control Session

Slide 27: Solution-Agnostic Benchmarks
- Benchmarks must apply for any FMC solution:
  - UA - SIP Server - UA
  - UA - SBC - UA
  - UA - CSCF or UNC - UA
  - UA - SEG - CSCF - SEG - UA
- Enables Devices to be compared
- Enables FMC solutions to be compared

Slide 28: Conclusions: FMC Cannot Succeed Without Comprehensive Security
- Vulnerabilities are created by the mobile packet core being exposed to the public Internet
- Security is not optional; it's a must
- The converged IP backbone must support, prioritize and appropriately handle voice, video and mobile services
- Scaling is unprecedented: the number of subscribers requires stable and highly scalable security gateways

Slide 29: Contact
Scott Poretsky, Reef Point Systems, 8 New England Executive Park, Burlington, MA 01803 USA. Main +1 781 505 8300, fax +1 781 505 8316. sporetsky@reefpoint.com, www.reefpoint.com
