2
VoIP Mobility & Security
Scott Poretsky, Director of Quality Assurance, Reef Point Systems
Securing Fixed-Mobile and Wireless VoIP
Convergence Services
3
Agenda
FMC Top Driver for Technical Innovation in Networking Industry
FMC Creates New Security Vulnerabilities and Solutions
FMC Requires Defense-In-Depth Network Security Strategy
Security Gateways Must be Validated for Network Deployments
Conclusions
4
FMC Top Driver for Technical Innovation in Networking Industry
5
FMC Designed for Mass Market
Consumers on the go, at home, at work, working remotely:
• User-controlled reachability
• Ubiquitous access to services
• Single user identity across multiple locations
• Requires scalable, ubiquitous security solutions
FMC enables a consistent user experience.
Service Providers are Unifying Domains – Different Networks, User Identities & Applications
6
FMC Enables Revenue-Generating Blended Services
• Presence
• Push-to (Push-to-Talk, Push-to-View, etc.)
• VoIP and Rich Calls (with Video)
• Mobile Instant Messaging
• Mobile Video, Video Conferencing, Multiparty Gaming
• IPTV
7
Service Provider FMC Deployments
Unlicensed Mobile Access (UMA): BT, T-Mobile, TeliaSonera
IP Multimedia Subsystem (IMS): Telecom Italia, Telefonica, Sprint
8
Millions of New Endpoints Require Massive Scalability
New mobile data services and other multimedia services offered over wireless and converged networks create orders of magnitude more endpoints than wireline networks have today
Annual global sales of dual-mode mobile phones are likely to exceed 100 million during the final year of this decade*
All of these endpoints need to be secured simultaneously
*ABI Research May 05
9
FMC Creates New Security Vulnerabilities and Solutions
10
FMC Security Vulnerabilities
[Diagram: fixed, mobile and converged IP networks (PSTN, data network, mobile, broadband access/IPTV, wireless LAN, ATM/FR/IP/MPLS, cable/DSL) all joined through the public IP network]
• Requires secure and authorized access to the network
• More users = more miscreants
• Single network = more damage from a network attack
11
FMC Security Solutions
Mobile handset subscribers are able to roam freely, making voice calls and accessing Internet services.
Secure Access – IPsec between Mobile Subscriber and Network
DoS Prevention – Stateful Firewall at the mobile/core edge to protect the FMC Core, the Internet, and Mobile Stations
User Authentication – AAA to authorize mobile subscribers for services, and certificates for the mobile subscriber to authenticate the IPsec peer
Stability with Security Scaling – 100s of thousands of subscribers
12
FMC Network Architectures
Unlicensed Mobile Access (UMA): 3GPP standard for mobile/Wi-Fi convergence, based upon IETF protocols (IPsec, IKE, RADIUS, EAP-SIM); controller = UNC (UMA Network Controller)
IP Multimedia Subsystem (IMS): 3GPP standard for universal mobile access, based upon IETF protocols (SIP, IPsec, IKE, Diameter); controller = CSCF (Call Session Control Function)
13
UMA FMC Security Architecture
[Diagram: user equipment (dual-mode phone, mobile phone, wireless laptop) connects over RAN, Wi-Fi or broadband access through the Security Gateway (SeGW) into the UMA core, which holds the UNC and HLR/AAA and fronts the converged home applications (presence, gaming, video, voice); other labels: INC]
Security Gateway protects the UMA core, the Internet, and user equipment
14
IMS FMC Security Architecture
[Diagram: same access side (dual-mode phone, mobile phone, wireless laptop over RAN, Wi-Fi or broadband) through the SeGW into the IMS core, which holds the CSCFs, HLR/AAA and HSS and fronts the converged home applications (presence, gaming, video, voice); other labels: INC]
Security Gateway offload for the CSCF – protect and scale
15
IMS Session Model
[Diagram: same IMS topology as the previous slide; a "registered user" holds a control connection through the SeGW to the CSCFs, with HLR/AAA and HSS behind them]
IMS changes the call model to "always on" versus on-demand: a registered user keeps its control connection up whether or not a call is in progress
16
Poor Approach to Security for FMC: Integrated Control and Forwarding
All traffic goes through the FMC core, reducing performance, scalability and protection
[Diagram: SIP terminals on any IP connection (e.g. GPRS, EDGE, WCDMA, WLAN, xDSL) into the packet-switched network; both the SIP control path and the SIP media streams pass through the core on the way to the application servers and the IP-based services between terminals]
17
Security Gateway Approach for FMC: Separating Control Plane from Forwarding
Separation of the control plane and the forwarding plane increases security, performance and scalability
[Diagram: same topology; the SIP control path is handled separately from the SIP media streams, which flow end-to-end between the SIP terminals while the application servers provide the IP-based services between terminals]
18
IPsec and SIP Enabled Mobile Devices
FMC dependent upon handset vendors implementing devices with IPsec, IKE, and SIP support
Motorola and Nokia have announced FMC programs
19
FMC Requires Defense-In-Depth Network Security Strategy
20
Defense in Depth Safeguards FMC Networks – Zone 1: Subscriber Protection
[Diagram: FMC topology (user equipment over RAN, Wi-Fi or broadband, SeGW, FMC core with UNC and CSCFs, converged home and Internet applications); Zone 1 lies between the user equipment and the SeGW]
Zone 1 controls:
• IPsec encrypt/decrypt
• Stateful SIP firewall
• SIP DoS protection
• Malicious packet filtering
Secures the transmission between the subscriber and the wireless network
21
Defense in Depth Safeguards FMC Networks – Zone 2: FMC Core Protection
[Diagram: same topology; Zone 2 lies between the SeGW and the FMC core (UNC, CSCFs)]
Zone 2 controls:
• IPsec encryption/decryption
• IP DoS protection
• IKE DoS protection
• Anti-spoofing
• QoS and policing
• Stateful firewall
• SIP DoS protection
• ECMP
Ensures a highly available, predictable and secure network core
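Two of the Zone 2 controls above are easy to get subtly wrong, so here is a Python sketch of them. This is an added illustration, not Reef Point code: anti-spoofing checks that the inner source address of a decapsulated packet matches the address bound to the IPsec SA it arrived on, and IKE DoS protection bounds the unauthenticated IKE_SA_INIT exchange with a per-source rate limit plus the IKEv2 stateless COOKIE mechanism (RFC 7296 section 2.6). The SA table, addresses, thresholds and the simplified cookie (HMAC over initiator address and SPI; the RFC also mixes in the initiator nonce and rotates the secret) are assumptions made for the example.

```python
"""Zone 2 security gateway checks: anti-spoofing on decrypted tunnel
traffic and IKE_SA_INIT DoS protection (rate limit + stateless cookie).

Added illustration, not Reef Point code. The SA table, addresses and
thresholds are constructed for the example.
"""
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Optional

# Constructed SA table: outer (tunnel peer) address -> inner subscriber
# address assigned to that tunnel. In a real SeGW this binding comes from
# the IKE/AAA exchange (e.g. the address handed out in the IKEv2 CFG payload).
SA_TABLE = {
    "203.0.113.10": "10.20.0.5",
    "203.0.113.11": "10.20.0.6",
}


def check_decapsulated(outer_src: str, inner_src: str) -> str:
    """Verdict for a packet that just came out of an IPsec tunnel.

    The outer address selected the SA that authenticated and decrypted the
    packet; the inner address is subscriber-controlled plaintext, so it must
    be tied back to that SA before the packet is allowed into the core.
    """
    bound = SA_TABLE.get(outer_src)
    if bound is None:
        return "drop:no-sa"              # ESP from a peer that was never authenticated
    if inner_src != bound:
        return "drop:spoofed-inner-src"  # subscriber sourcing someone else's address
    return "forward"


class IkeInitGuard:
    """Protects the unauthenticated IKE_SA_INIT exchange.

    Two limits: a per-source sliding window on IKE_SA_INIT requests, and a
    global cap on half-open IKE SAs. Above the cap the responder answers with
    N(COOKIE) and keeps no state until the initiator echoes the cookie, so
    spoofed sources cannot fill the SA table or burn DH computations.
    """

    def __init__(self, secret: bytes, half_open_limit: int,
                 per_src_limit: int, window_s: float):
        self.secret = secret
        self.half_open_limit = half_open_limit
        self.per_src_limit = per_src_limit
        self.window_s = window_s
        self.half_open = {}               # (src, spi_i) -> time first seen
        self.recent = defaultdict(deque)  # src -> request timestamps in window

    def cookie_for(self, src: str, spi_i: int) -> bytes:
        # Simplified stateless cookie (assumption): HMAC over initiator address
        # and SPI, so the responder can verify it later without storing it.
        msg = f"{src}|{spi_i:016x}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def on_sa_init(self, src: str, spi_i: int, now: float,
                   cookie: Optional[bytes] = None) -> str:
        q = self.recent[src]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.per_src_limit:
            return "drop"                 # cheapest check first: no crypto, no state
        q.append(now)
        if len(self.half_open) >= self.half_open_limit:
            expected = self.cookie_for(src, spi_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "cookie"           # reply N(COOKIE); allocate nothing
        self.half_open[(src, spi_i)] = now
        return "proceed"                  # run DH, create the half-open SA

    def on_auth_complete(self, src: str, spi_i: int) -> None:
        """IKE_AUTH succeeded: the SA is no longer half-open."""
        self.half_open.pop((src, spi_i), None)

    def expire(self, now: float, ttl_s: float) -> int:
        """Drop half-open SAs that never reached IKE_AUTH; return how many."""
        stale = [k for k, t in self.half_open.items() if now - t > ttl_s]
        for k in stale:
            del self.half_open[k]
        return len(stale)
```

The order of checks matters: the per-source limit costs a deque lookup, the cookie costs one HMAC, and only a peer that has passed both gets the expensive Diffie-Hellman work and a table entry. The anti-spoofing check is the reason "IPsec encryption/decryption" and "anti-spoofing" appear together on the slide: decryption proves who sent the outer packet, not what the inner header claims.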
22
Defense in Depth Safeguards FMC Networks – Zone 3: Internet Gateway
[Diagram: same topology; Zone 3 lies between the FMC core and the Internet applications, the side from which DoS attacks, Internet worms and mobile viruses arrive]
Zone 3 controls:
• User authentication
• Malicious packet filtering
• Codec QoS and policing
• Stateful firewall
Protects core network resources
23
Stateful Firewall Fundamental to Defense in Depth
• Stateful firewall protects user equipment, FMC core, and Internet
• Stateful firewalls must be SIP aware
• SIP ALG must dynamically manage each session (up to 100s of 1000s)
• SIP ALG must rate limit SIP control and media for each session
[Diagram: SIP control session through the firewall opens a pinhole for the RTP media]
The alternative is a stateless firewall or no firewall – not a solution for secure VoIP
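To make the SIP ALG requirements on this slide concrete, here is a Python sketch added as an illustration; it is not Reef Point's or any vendor's firewall code. It parses the SDP offer in an INVITE and the answer in the 200 OK, opens RTP and RTCP pinholes only between the two negotiated endpoints, tears them down on BYE, and enforces a per-session media packet budget. The SIP messages, addresses and the budget are constructed for the example; late-offer INVITEs, re-INVITE, SIP over TCP reassembly and multiple media lines are deliberately out of scope.

```python
"""SIP-aware stateful firewall (SIP ALG) sketch: pinholes derived from SDP,
torn down on BYE, with per-session media rate limiting.

Added illustration, not vendor code. Messages below are constructed.
"""
from collections import defaultdict
from typing import Optional, Tuple


def parse_sip(raw: str):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_audio(body: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from the session-level c= line and first m=audio line."""
    ip, port = None, None
    for ln in body.splitlines():
        if ln.startswith("c=IN IP4 "):
            ip = ln.split()[2]
        elif ln.startswith("m=audio ") and port is None:
            port = int(ln.split()[1])
    return (ip, port) if ip and port else None


class SipAlg:
    def __init__(self, media_pps_budget: int):
        self.budget = media_pps_budget       # assumed per-session packets/second
        self.sessions = {}                   # Call-ID -> {"offer": (ip, port), "answer": ...}
        self.pinholes = {}                   # (ip, port) -> Call-ID, RTP and RTCP ports
        self.media_count = defaultdict(int)  # (Call-ID, whole second) -> packets seen

    def on_sip(self, raw: str) -> str:
        start, hdr, body = parse_sip(raw)
        call_id = hdr.get("call-id")
        if not call_id:
            return "drop:no-call-id"
        method = start.split()[0]
        if method == "INVITE":
            offer = sdp_audio(body)
            if offer is None:
                return "forward:no-sdp"      # late offer (SDP in 200/ACK): not handled here
            self.sessions[call_id] = {"offer": offer, "answer": None}
            return "forward"
        if start.startswith("SIP/2.0 200") and hdr.get("cseq", "").endswith("INVITE"):
            sess = self.sessions.get(call_id)
            answer = sdp_audio(body)
            if sess is None or answer is None:
                return "drop:200-without-offer"
            sess["answer"] = answer
            for ip, port in (sess["offer"], answer):
                self.pinholes[(ip, port)] = call_id        # RTP
                self.pinholes[(ip, port + 1)] = call_id    # RTCP
            return "forward"
        if method == "BYE":
            if self.sessions.pop(call_id, None) is None:
                return "drop:bye-unknown-call"
            self.pinholes = {k: v for k, v in self.pinholes.items() if v != call_id}
            return "forward"
        return "forward"

    def on_media(self, src: str, sport: int, dst: str, dport: int, now: float) -> str:
        """Admit a UDP packet only between the two endpoints of one negotiated call."""
        call_id = self.pinholes.get((dst, dport))
        if call_id is None or self.pinholes.get((src, sport)) != call_id:
            return "drop:no-pinhole"
        bucket = (call_id, int(now))
        self.media_count[bucket] += 1
        if self.media_count[bucket] > self.budget:
            return "drop:media-rate"         # per-session policing, not a global limit
        return "forward"


# Constructed messages with CRLF line endings as on the wire.
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          "Call-ID: a84b4c76e66710@10.20.0.5\r\n"
          "CSeq: 314159 INVITE\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.20.0.5\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\n"
          "Call-ID: a84b4c76e66710@10.20.0.5\r\n"
          "CSeq: 314159 INVITE\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.20\r\nm=audio 3456 RTP/AVP 0\r\n")
BYE = ("BYE sip:alice@example.net SIP/2.0\r\n"
       "Call-ID: a84b4c76e66710@10.20.0.5\r\n"
       "CSeq: 231 BYE\r\n\r\n")
```

Requiring both the source and destination tuples to belong to the same call is what separates a SIP ALG from a "stateless firewall" that simply opens a UDP port range: a third party that learns the callee's RTP port still cannot inject media, and a pinhole never outlives its signalling session. The per-second bucket is the simplest form of the "rate limit media for each session" requirement; a production device would use a token bucket sized from the negotiated codec.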
24
Security Gateways Must be Validated for Network Deployments
25
IPsec Benchmark Parameters
• Total number of IPsec tunnels
• IPsec tunnel establishment rate
• IKE DoS protection
• Total SAs (IKE and IPsec)
[Diagram: IPsec tunnel from the UE across the RAN to the SeGW, which fronts the UNC and CSCFs]
26
Stateful Firewall Benchmark Parameters
• Total number of stateful firewall sessions
• Stateful session establishment rate
SIP ALG – SIP control:
• Total number of SIP sessions established
• SIP session establishment rate (CAPS)
  – With and without media
  – Established call load
  – SIP DoS protection
  – TCP reassembly
SIP ALG – RTP media:
• Total number of RTP media streams
• Number of RTP media streams per SIP control session
27
Solution-Agnostic Benchmarks
Benchmarks must apply for any FMC solution:
• UA <-> SIP Server <-> UA
• UA <-> SBC <-> UA
• UA <-> CSCF or UNC <-> UA
• UA <-> SEG <-> CSCF <-> SEG <-> UA
Enables devices to be compared; enables FMC solutions to be compared
28
Conclusions: FMC Cannot Succeed Without Comprehensive Security
• Vulnerabilities are created by the mobile packet core being exposed to the public Internet
• Security is not optional; it's a must
• The converged IP backbone must support, prioritize and appropriately handle voice, video and mobile services
• Scaling is unprecedented: the number of subscribers requires stable, high-scaling security gateways
29
Contact
Scott Poretsky, Reef Point Systems, 8 New England Executive Park, Burlington, MA 01803 USA
main +1 781 505 8300 / fax +1 781 505 [email protected]
30