VoIP Mobility & Security: Securing Fixed-Mobile and Wireless VoIP Convergence Services. Scott Poretsky, Director of Quality Assurance, Reef Point Systems.

Presentation transcript:

2 VoIP Mobility & Security: Securing Fixed-Mobile and Wireless VoIP Convergence Services
Scott Poretsky, Director of Quality Assurance, Reef Point Systems

3 Agenda
- FMC Top Driver for Technical Innovation in Networking Industry
- FMC Creates New Security Vulnerabilities and Solutions
- FMC Requires Defense-In-Depth Network Security Strategy
- Security Gateways Must be Validated for Network Deployments
- Conclusions

4 Agenda
- FMC Top Driver for Technical Innovation in Networking Industry
- FMC Creates New Security Vulnerabilities and Solutions
- FMC Requires Defense-In-Depth Network Security Strategy
- Security Gateways Must be Validated for Network Deployments
- Conclusions

5 FMC Designed for Mass Market
Service Providers are Unifying Domains – Different Networks, User Identities & Applications
- Consumers on the go…, at home…, at work…, working remotely…
- FMC enables a consistent user experience
- User-controlled reachability
- Ubiquitous access to services
- Single user identity across multiple locations
- Requires scalable, ubiquitous security solutions

6 FMC Enables Revenue-Generating Blended Services
- Presence
- Push-to (Push-to-Talk, Push-to-View, etc.)
- VoIP and Rich Calls (with Video)
- Mobile Instant Messaging
- Mobile Video, VideoConferencing, Multiparty Gaming, IPTV

7 Service Provider FMC Deployments
- Unlicensed Mobile Access (UMA)
  - BT
  - T-Mobile
  - TeliaSonera
- IP Multimedia Subsystem (IMS)
  - Telecom Italia
  - Telefonica
  - Sprint

8 Millions of New Endpoints Requires Massive Scalability
- New mobile data services and other multimedia services offered over wireless and converged networks create orders of magnitude more endpoints than wireline networks today
- Annual global sales of dual mode mobile phones are likely to exceed 100 million during the final year of this decade*
- Need to secure all endpoints simultaneously
*ABI Research May 05

9 Agenda
- FMC Today’s #1 Driver for Technical Innovation in Networking Industry
- FMC Creates New Security Vulnerabilities and Solutions
- FMC Requires Defense-In-Depth Network Security Strategy
- Security Gateways Must be Validated for Network Deployments
- Conclusions

10 FMC Security Vulnerabilities
[Diagram labels: Fixed Mobile Converged IP Network, PSTN, Data Network, Mobile, Broadband Access/IP TV, Wireless LAN, ATM/FR/IP/MPLS, Cable/DSL, Public IP Network]
- Requires secure and authorized access to network
- More users = more miscreants
- Single network = more damage from network attack

11 FMC Security Solutions
Mobile handset subscribers are able to roam freely to make voice calls and access Internet services.
- Secure Access – IPsec between Mobile Subscriber and Network
- DoS Prevention – Stateful Firewall at mobile/core edge to protect FMC Core, Internet, and Mobile Stations
- User Authentication – AAA to authorize mobile subscribers for services and Certificates for mobile subscriber to authorize IPsec peer
- Stability with Security Scaling – 100s of thousands of subscribers

12 FMC Network Architectures
- Unlicensed Mobile Access (UMA)
  - 3GPP standard for mobile/Wi-Fi Convergence
  - Based upon IETF protocols – IPsec, IKE, RADIUS, EAP-SIM
  - Controller = UNC
- IP Multimedia Subsystem (IMS)
  - 3GPP standard for universal mobile access
  - Based upon IETF protocols – SIP, IPsec, IKE, DIAMETER
  - Controller = CSCF

13 UMA FMC Security Architecture
[Diagram labels: User Equipment, Access, Dual-Mode Phone, Mobile Phone, Wireless Laptop, RAN, WiFi, Broadband, Converged Home, SeGW, UMA Core, UNC, INC, HLR, AAA, Applications, Presence, Gaming, Video, Voice]
Security Gateway Protects UMA Core, Internet, and User Equip

14 IMS FMC Security Architecture
[Diagram labels: User Equipment, Access, Dual-Mode Phone, Mobile Phone, Wireless Laptop, RAN, WiFi, Broadband, Converged Home, SeGW, IMS Core, CSCFs, INC, HLR, AAA, HSS, Applications, Presence, Gaming, Video, Voice]
Security Gateway Offload for CSCF – Protect and Scale

15 IMS Session Model
[Diagram labels: User Equipment, Access, Dual-Mode Phone, Mobile Phone, Wireless Laptop, RAN, WiFi, Broadband, Converged Home, SeGW, IMS Core, CSCFs, INC, HLR, AAA, HSS, Applications, Presence, Gaming, Video, Voice, Control Connection, “Registered User”]
IMS changes call model to “always on” versus on-demand

16 Poor Approach to Security for FMC: Integrated Control and Forwarding
[Diagram labels: Packet-switched network, Any IP connection (e.g. GPRS, EDGE, WCDMA, WLAN, xDSL), SIP Terminal, Application Servers, IP-based services between terminals, End-to-End Communication, SIP Control Path, SIP Media Streams]
All Traffic Goes Through FMC Core, Reducing Performance, Scalability, and Protection

17 Security Gateway Approach for FMC: Separating Control Plane From Forwarding
[Diagram labels: Packet-switched network, Any IP connection (e.g. GPRS, EDGE, WCDMA, WLAN, xDSL), SIP Terminal, Application Servers, IP-based services between terminals, End-to-End Communication, SIP Control Path, SIP Media Streams]
Separation of Control Plane and Forwarding Plane Increases Security, Performance and Scalability

18 IPsec and SIP Enabled Mobile Devices
- FMC dependent upon handset vendors implementing devices with IPsec, IKE, and SIP support
- Motorola and Nokia have announced FMC programs

19 Agenda
- FMC Today’s #1 Driver for Technical Innovation in Networking Industry
- FMC Creates New Security Vulnerabilities and Solutions
- FMC Requires Defense-In-Depth Network Security Strategy
- Security Gateways Must be Validated for Network Deployments
- Conclusions

20 Defense in Depth Safeguards FMC Networks, Zone 1: Subscriber Protection
[Diagram labels: User Equipment, Access, Dual-Mode Phone, Mobile Phone, Wireless Laptop, RAN, WiFi, Broadband, Converged Home, SeGW, FMC Core, UNC, CSCFs, Internet, Applications, Presence, Gaming, Video, Voice]
- IPSEC Encrypt/Decrypt
- Stateful SIP Firewall
- SIP DOS Protection
- Malicious Packet Filtering
Secures the Transmission Between the Subscriber and Wireless Network

21 Defense in Depth Safeguards FMC Networks, Zone 2: FMC Core Protection
[Diagram labels: User Equipment, Access, Dual-Mode Phone, Mobile Phone, Wireless Laptop, RAN, WiFi, Broadband, Converged Home, SeGW, FMC Core, UNC, CSCFs, Internet, Applications, Presence, Gaming, Video, Voice]
- IPsec Encryption/Decryption
- IP DOS Protection
- QoS and Policing
- Stateful Firewall
- SIP DOS Protection
- ECMP
- IKE DOS Protection
- Anti-Spoofing
Ensures a Highly Available, Predictable and Secure Network Core

22 Defense in Depth Safeguards FMC Networks, Zone 3: Internet Gateway
[Diagram labels: User Equipment, Access, Dual-Mode Phone, Mobile Phone, Wireless Laptop, RAN, WiFi, Broadband, Converged Home, SeGW, FMC Core, UNC, CSCFs, Internet, Applications, Presence, Gaming, Video, Voice, DOS Attacks, Internet Worms, Mobile Virus]
- User Authentication
- Malicious Packet Filtering
- Codec QoS And Policing
- Stateful Firewall
Protects Core Network Resources

23 Stateful Firewall Fundamental to Defense in Depth
- Stateful Firewall protects User Equip, FMC Core, and Internet
- Stateful firewalls must be SIP aware
- SIP ALG must dynamically manage each session (up to 100s of 1000s)
- SIP ALG must rate limit SIP control and media for each session
[Diagram labels: SIP Control, Pinhole, RTP media]
Alternative is Stateless Firewall or no Firewall – Not a Solution for Secure VoIP
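The SIP ALG behaviour listed on this slide (state per session, pinholes opened for RTP media, a rate limit on SIP control per session), sketched as an added example that is not from the presentation or from any vendor's product. The class and method names, the one-second counting window and the sample messages are assumptions; rate limiting of the media itself is left out.

```python
import re

# Constructed sample messages (not captured traffic); documentation-range addresses.
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: a1b2@192.0.2.10\r\n"
          "CSeq: 1 INVITE\r\n\r\nv=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: a1b2@192.0.2.10\r\nCSeq: 1 INVITE\r\n\r\n"
          "v=0\r\nc=IN IP4 198.51.100.7\r\nm=audio 30000 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: a1b2@192.0.2.10\r\nCSeq: 2 BYE\r\n\r\n"

class SipAlg:
    """Hypothetical SIP-aware pinhole table, one entry per Call-ID."""

    def __init__(self, max_msgs_per_sec=5):
        self.max_msgs = max_msgs_per_sec
        self.sessions = {}  # Call-ID -> {"pinholes": {(ip, port)}, "win": sec, "count": n}

    @staticmethod
    def _sdp_endpoint(msg):
        """Return the (ip, port) the SDP body advertises for audio, or None."""
        ip = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
        port = re.search(r"^m=audio (\d+) RTP/AVP", msg, re.M)
        return (ip.group(1), int(port.group(1))) if ip and port else None

    def on_sip(self, msg, now):
        """Process one SIP control message; False means the ALG drops it."""
        m = re.search(r"^Call-ID:\s*(\S+)", msg, re.M | re.I)
        if not m:
            return False  # malformed: no dialog to bind state to
        cid = m.group(1)
        s = self.sessions.setdefault(cid, {"pinholes": set(), "win": int(now), "count": 0})
        if int(now) != s["win"]:  # start a new one-second window
            s["win"], s["count"] = int(now), 0
        s["count"] += 1
        if s["count"] > self.max_msgs:  # per-session SIP control rate limit
            return False
        first = msg.split("\r\n", 1)[0]
        if first.startswith("BYE "):
            del self.sessions[cid]  # call ended: its pinholes close with it
            return True
        ep = self._sdp_endpoint(msg)
        if ep and first.startswith(("INVITE ", "SIP/2.0 200")):
            s["pinholes"].add(ep)  # open only the negotiated media address
        return True

    def allow_rtp(self, dst_ip, dst_port):
        """Forward RTP only when it targets a currently open pinhole."""
        return any((dst_ip, dst_port) in s["pinholes"] for s in self.sessions.values())
```

A stateless filter would have to leave the whole RTP port range open; here a port is reachable only between the SDP offer/answer and the BYE of the call that negotiated it.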

24 Agenda
- FMC Today’s #1 Driver for Technical Innovation in Networking Industry
- FMC Creates New Security Vulnerabilities and Solutions
- FMC Requires Defense-In-Depth Network Security Strategy
- Security Gateways Must be Validated for Network Deployments
- Conclusions

25 IPsec Benchmark Parameters
- Total Number of IPsec tunnels
- IPsec Tunnel Establishment Rate
- IKE DOS Protection
- Total SAs (IKE and IPsec)
[Diagram labels: UE, RAN, IPSecTunnel, SeGW, UNC, CSCFs]

26 Stateful Firewall Benchmark Parameters
- Total Number of Stateful Firewall Sessions
- Stateful Session Establishment Rate
- SIP ALG
- SIP Control
  - Total Number of SIP Sessions Established
  - SIP Session Establishment Rate (CAPS)
  - With and Without Media
  - Established Call Load
  - SIP DOS Protection
  - TCP Reassembly
- RTP Media
  - Total Number of RTP Media Streams
  - Number of RTP Media Streams per SIP Control Session

27 Solution-Agnostic Benchmarks
- Benchmarks must apply for any FMC solution:
  - UA SIP Server UA
  - UA SBC UA
  - UA CSCF or UNC UA
  - UA SEG CSCF SEG UA
- Enables Devices to be compared
- Enables FMC solutions to be compared

28 Conclusions: FMC Cannot Succeed Without Comprehensive Security
- Vulnerabilities created by mobile packet core being exposed to the public Internet
- Security is not optional; it’s a must
- Converged IP backbone must support, prioritize & appropriately handle voice, video and mobile services
- Scaling is unprecedented. Number of subscribers requires stable and high scaling security gateways

29 Contact Scott Poretsky Reef Point Systems 8 New England Executive Park Burlington, MA USA main / fax
