IMS and Security. Sri Ramachandran, NexTone.
2 Traditional approaches to Security - The CIA principle
CONFIDENTIAL © 2006, NexTone Communications. All rights reserved.
- Confidentiality: Can another system or user listen in? The slide also asks "Am I communicating with the right system or user?" here; strictly that is authentication, which confidentiality depends on.
- Integrity: Have the messages been tampered with in transit?
- Availability: Can the systems that enable the communication service be compromised or taken out of service?

3 The Demarcation Point - Solution for protecting networks and multiple end systems
- Create a trust boundary by using a firewall.
- Firewalls and NATs enforce an authorization decision at that boundary (which flows may cross it) in support of confidentiality: only authorized streams reach the trusted side.
Diagram: untrusted side / the network / trusted side (private IP address space); an authorized stream crosses the boundary, an unauthorized stream is blocked.

4 Solutions for separate control and data streams
- FTP, BitTorrent, RTSP and SIP negotiate their data (media) streams inside a separate control stream.
- The data streams are ephemeral: addresses and ports are chosen per session, so no static firewall rule can describe them in advance.
- Solution: use an Application Layer Gateway (ALG) that scans the control stream for the attributes of the data stream (address, port, transport) and opens matching pinholes for the life of the session.
- Two approaches to building ALGs: a dedicated-purpose ALG for one protocol, or a generic deep packet inspector/scanner.
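The ALG step for SIP, as an added example (this is not NexTone's code and not from the slides): it extracts the media address and ports from the SDP carried in an INVITE and derives the UDP pinholes to open. The RTCP-on-port+1 convention, the allowed port range, and the check that the media address equals the signaling peer are assumptions of this example; the last one matters because without it an attacker can use your ALG to open holes toward any third-party address named in the SDP. The sample INVITE is constructed, not captured traffic.

```python
import ipaddress
from dataclasses import dataclass

# Assumption (RFC 3550 default, not stated on the slide): RTCP uses the RTP port + 1.
RTP_PORT_MIN, RTP_PORT_MAX = 1024, 65534


@dataclass(frozen=True)
class Pinhole:
    proto: str
    addr: str
    port: int


def sdp_body(raw_sip: bytes) -> str:
    """Return the body of a SIP message (everything after the blank line)."""
    _head, sep, body = raw_sip.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in SIP message")
    return body.decode("ascii")


def _connection_addr(value: str) -> str:
    # c=<nettype> <addrtype> <connection-address>; only IN IP4 is handled here.
    parts = value.split()
    if len(parts) != 3 or parts[0] != "IN" or parts[1] != "IP4":
        raise ValueError(f"unsupported connection line: c={value}")
    return str(ipaddress.IPv4Address(parts[2]))  # raises ValueError on garbage


def media_pinholes(raw_sip: bytes, signaling_src: str) -> list[Pinhole]:
    """
    Scan the SDP in a SIP INVITE for its ephemeral media streams and return the
    firewall pinholes an ALG would open for them. Any failed check raises, so
    the INVITE is rejected as a whole rather than partially admitted.
    """
    session_addr = None
    streams: list[dict] = []
    for line in sdp_body(raw_sip).splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c":
            if streams:
                streams[-1]["addr"] = _connection_addr(value)  # media-level c= overrides
            else:
                session_addr = _connection_addr(value)
        elif key == "m":
            # m=<media> <port>[/<count>] <proto> <fmt> ...
            parts = value.split()
            if len(parts) < 4:
                raise ValueError(f"malformed media line: m={value}")
            streams.append({"media": parts[0],
                            "port": int(parts[1].split("/")[0]),
                            "proto": parts[2],
                            "addr": None})

    holes: list[Pinhole] = []
    for s in streams:
        if s["port"] == 0:
            continue  # port 0 means the stream is declined or on hold: nothing to open
        if not s["proto"].startswith("RTP/"):
            continue  # only RTP/AVP and RTP/SAVP pinholes are modelled here
        addr = s["addr"] or session_addr
        if addr is None:
            raise ValueError(f"no connection address for {s['media']} stream")
        if addr != signaling_src:
            # Added check: otherwise the SDP can steer the ALG to open holes
            # toward an arbitrary third party.
            raise ValueError(f"media address {addr} does not match signaling peer {signaling_src}")
        if not RTP_PORT_MIN <= s["port"] <= RTP_PORT_MAX:
            raise ValueError(f"media port {s['port']} outside allowed range")
        holes.append(Pinhole("udp", addr, s["port"]))      # RTP
        holes.append(Pinhole("udp", addr, s["port"] + 1))  # RTCP
    return holes


# Constructed sample INVITE (not captured traffic): audio offered, video declined.
_SDP = (b"v=0\r\n"
        b"o=alice 2890844526 2890844526 IN IP4 198.51.100.7\r\n"
        b"s=-\r\n"
        b"c=IN IP4 198.51.100.7\r\n"
        b"t=0 0\r\n"
        b"m=audio 49170 RTP/AVP 0 8\r\n"
        b"m=video 0 RTP/AVP 31\r\n")
SAMPLE_INVITE = (b"INVITE sip:bob@example.net SIP/2.0\r\n"
                 b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds\r\n"
                 b"From: <sip:alice@example.net>;tag=1928301774\r\n"
                 b"To: <sip:bob@example.net>\r\n"
                 b"Call-ID: a84b4c76e66710\r\n"
                 b"CSeq: 314159 INVITE\r\n"
                 b"Content-Type: application/sdp\r\n"
                 + b"Content-Length: %d\r\n\r\n" % len(_SDP) + _SDP)

if __name__ == "__main__":
    for hole in media_pinholes(SAMPLE_INVITE, signaling_src="198.51.100.7"):
        print(hole)
```

A dedicated SIP ALG like this one only has to understand SDP offers and answers; the pinholes it opens must also be closed on BYE, CANCEL or session timeout, otherwise the firewall accumulates holes that outlive the calls.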

5 Characteristics of Session Services
- Signaling and media may traverse different networks.
- The intermediate systems for signaling and for media are different.
- Signaling and media networks may be secured independently.
- Signaling and media have different quality characteristics: media is sensitive to latency, jitter and packet loss, whereas reliable delivery of signaling messages matters more than their latency and jitter.

6 Denial of Service (DoS) Concepts
Attacks operate at multiple layers:
- Layer 3/4: exhausting or stealing the resources that process sessions (packet and connection handling).
- Layer 5: exhausting or stealing application-layer processing (signaling, registrations, calls); protecting this layer is what prevents revenue loss.
Consequences: theft of service; inability to honor Service Level Agreements; resource over-allocation; resource lock-in.

7 Components of a complete security solution
- Ability to create a trust boundary for session services, independent of the data trust boundary.
- Ability to strongly authenticate users and end devices at all session network elements or networks.
- Ability to encrypt at the trust boundary.
- Prevention of denial of service attacks on service intermediaries: hardened OS, intrusion detection/prevention.
- Secure management of network elements: IPSec, HTTPS, SSH.
- Support for network- or flow-based correlation and aggregation of events.
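The "strongly authenticate users and end devices" point, shown at the SIP baseline as an added example (not NexTone's code and not from the slides): HTTP Digest as SIP uses it (RFC 3261 section 22, qop=auth), with the server-side checks that make it worth something, namely a nonce the server issued and has not expired, a strictly increasing nonce count so a captured Authorization header cannot be replayed, and a digest-uri that matches the Request-URI. The `DigestAuthenticator` and `build_authorization` helpers, the realm and the credentials are assumptions of this example. Note the caveat a practitioner would add: MD5 Digest exposes the password to an offline dictionary attack once a challenge/response pair is captured, so it belongs over TLS or IPsec; IMS itself uses IMS-AKA for access authentication.

```python
import hashlib
import hmac
import re
import secrets
import time


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth, as SIP uses it (RFC 3261 section 22)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> dict:
    """Parse the parameter list of a Digest challenge or credentials header."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def build_authorization(username, password, method, uri, challenge, nc, cnonce):
    """Client side: answer a WWW-Authenticate / Proxy-Authenticate challenge."""
    c = parse_digest(challenge)
    resp = digest_response(username, c["realm"], password, method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')


class DigestAuthenticator:
    """Server side: issue nonces and verify credentials (hypothetical helper)."""

    def __init__(self, realm: str, credentials: dict, nonce_ttl: float = 60.0):
        self.realm = realm
        self.credentials = credentials      # username -> password (a real store keeps HA1)
        self.nonce_ttl = nonce_ttl
        self._nonces: dict[str, list] = {}  # nonce -> [issued_at, highest nc accepted]

    def challenge(self, now=None) -> str:
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = [time.time() if now is None else now, 0]
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, method: str, request_uri: str, authorization: str, now=None) -> bool:
        now = time.time() if now is None else now
        try:
            p = parse_digest(authorization)
        except ValueError:
            return False
        needed = {"username", "realm", "nonce", "uri", "response", "nc", "cnonce", "qop"}
        if not needed.issubset(p):
            return False
        if p["realm"] != self.realm or p["qop"] != "auth":
            return False
        if p["uri"] != request_uri:
            return False                       # digest-uri must equal the Request-URI
        entry = self._nonces.get(p["nonce"])
        if entry is None or now - entry[0] > self.nonce_ttl:
            return False                       # unknown or expired nonce
        try:
            nc = int(p["nc"], 16)
        except ValueError:
            return False
        if nc <= entry[1]:
            return False                       # nonce count replayed or out of order
        password = self.credentials.get(p["username"])
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password, method,
                                   p["uri"], p["nonce"], p["nc"], p["cnonce"])
        if not hmac.compare_digest(expected, p["response"]):
            return False
        entry[1] = nc                          # accept, and burn this nonce count
        return True


if __name__ == "__main__":
    auth = DigestAuthenticator("example.net", {"alice": "correct horse battery"})
    chal = auth.challenge()
    hdr = build_authorization("alice", "correct horse battery", "REGISTER",
                              "sip:example.net", chal, "00000001", "0a4f113b")
    print("first use:", auth.verify("REGISTER", "sip:example.net", hdr))
    print("replay:   ", auth.verify("REGISTER", "sip:example.net", hdr))
```

Because the method is part of HA2, credentials captured from a REGISTER cannot be reused on an INVITE even with a fresh nonce count; the nonce-count check is what stops the same REGISTER being replayed within the nonce lifetime.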

8 Convergence of Services
Diagram: two stacks of Back Office / Application / Service Delivery and Session Control / Transport. Left, vertically integrated applications: a separate stack for each of Voice, Internet and TV, down to terminals and wireless access. Right, triple play services: VoIP, Collaboration, IPTV and Internet sharing one stack.

9 Network to Service Centric
Diagram: the same Back Office / Application / Service Delivery and Session Control / Transport stacks. Left: Collaboration, IPTV and Internet as network-centric services. Right: VoIP, Presence, IPTV and Collaboration delivered as services over a common session control layer.

10 Migration to IMS
Diagram: both stacks carry VoIP, Presence, IPTV and Collaboration; the IMS stack places the CSCF and HSS in the Service Delivery / Session Control layer, with wireline and wireless access below it.

11 Path to IMS
Diagram combining the three previous slides as stages: (1) vertically integrated applications (Voice, Internet, TV; terminals, wireless); (2) triple play services (VoIP, Collaboration, IPTV, Internet) over a common Service Delivery / Session Control layer; (3) service-centric delivery (VoIP, Presence, IPTV, Collaboration); (4) the IMS converged network: common session control (CSCF, HSS) over wireline and wireless access, with separate applications on top.

12 CableLabs PacketCable 2.0 Reference Architecture
- Compatible with E-MTAs.
- NAT and firewall traversal.
- PacketCable Multimedia.
- Provisioning, management, accounting.
- Different types of clients.
- IMS service delivery: IMS elements adopted and enhanced for cable.
- Re-use of PacketCable PSTN gateway components.

13 Issues with IMS today
- The access network differentiates IMS flavors.
- IMS functions and value are misunderstood.
- The bridge from legacy networks to IMS is mostly underplayed.
- Ignores Web 2.0 and non-SIP based sessions.
- Focus on pieces inside the walled garden, not on interconnecting.
- Not enough focus on applications.

14 Access Defines IMS Components
Diagram: the access type (WiFi via UMA, WiMAX, WiFi broadband, Cable, DSL, Internet) determines which edge components sit between the access network and the IMS core, and whether they are in the visited or the home network. Combinations shown: SeGW + UNC; PDG + P-CSCF + C-BGF; A-BCF + C-BGF + P-CSCF; P-CSCF + App Manager + C-BGF.

15 Secure Border Function (SBF)
- Similar in concept to a firewall, but session-aware.
- Sits alongside the CSCF network elements.
- Thwarts DoS/DDoS attacks.
- Uses established techniques for firewall/NAT traversal.
- Adds rate-based admission control, which conventional firewalls do not provide: signaling requests are limited per source and in aggregate before they reach the CSCF.
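The rate-based admission control this slide and the DoS slide describe, as an added example (not NexTone's code and not from the slides): a token bucket per (source address, SIP method) in front of an aggregate bucket per method, run over a constructed request trace. The class, the policy numbers and the trace are assumptions of this example. Checking the per-source bucket first means one abusive source is refused before it can drain the aggregate budget shared by legitimate users; the aggregate ceiling is still needed because SIP over UDP lets an attacker spread a flood over spoofed source addresses that never fill any single per-source bucket.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    rate: float      # tokens refilled per second
    burst: float     # bucket capacity
    tokens: float
    updated: float


class SipRateAdmission:
    """
    Token-bucket admission for SIP requests: one bucket per (source, method)
    and one aggregate bucket per method. Hypothetical helper for this example.
    limits / global_limits: {method or "*": (rate_per_second, burst)}
    """

    def __init__(self, limits: dict, global_limits: dict):
        self.limits = limits
        self.global_limits = global_limits
        self._buckets: dict[tuple, Bucket] = {}

    def _take(self, key, limit, now: float) -> bool:
        rate, burst = limit
        b = self._buckets.get(key)
        if b is None:
            b = self._buckets[key] = Bucket(rate, burst, burst, now)
        # Refill for elapsed time (tolerating out-of-order timestamps), cap at burst.
        b.tokens = min(b.burst, b.tokens + max(0.0, now - b.updated) * b.rate)
        b.updated = max(b.updated, now)
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def admit(self, now: float, src: str, method: str) -> bool:
        method = method.upper()
        per_src = self.limits.get(method, self.limits.get("*"))
        aggregate = self.global_limits.get(method, self.global_limits.get("*"))
        # Per-source first: an abusive source is refused before it touches the
        # aggregate budget everyone shares.
        if per_src is not None and not self._take(("src", src, method), per_src, now):
            return False
        if aggregate is not None and not self._take(("all", method), aggregate, now):
            return False
        return True


def run_trace(rac: SipRateAdmission, events) -> list[bool]:
    """events: iterable of (timestamp, source_ip, method); returns the admit decisions."""
    return [rac.admit(t, src, m) for t, src, m in events]


def default_policy() -> SipRateAdmission:
    # Assumed policy numbers: 5 INVITE/s with a burst of 20 per source, etc.
    return SipRateAdmission(
        limits={"INVITE": (5.0, 20.0), "REGISTER": (10.0, 50.0), "*": (50.0, 100.0)},
        global_limits={"*": (1000.0, 2000.0)})


# Constructed trace (not a capture): a 30-INVITE burst from one address at t=0,
# one INVITE from another address, then 12 more from the first after 2 seconds.
SAMPLE_EVENTS = ([(0.0, "203.0.113.5", "INVITE")] * 30
                 + [(0.0, "198.51.100.7", "INVITE")]
                 + [(2.0, "203.0.113.5", "INVITE")] * 12)

if __name__ == "__main__":
    decisions = run_trace(default_policy(), SAMPLE_EVENTS)
    print(f"admitted {sum(decisions)} of {len(decisions)} requests")
```

In a deployment the reject path matters as much as the counting: a refused INVITE should be dropped or answered with a cheap 503 without touching the CSCF, and the decision should be logged with the source and method so the reporting and correlation functions on the next slide can see the flood.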

16 SBF Logical Security Architecture
Diagram: a layered stack with signaling and media columns.
Layers: Layer 2 - Ethernet; Layer 3 - IP; Layer 4 - TCP/UDP; Layer 5 - SIP; Layer 7 - Application.
Functions placed across these layers: queue/buffer management; the TCP/IP stack in a hardened operating system; packet filter; packet rate management; DoS protection (at the packet and the SIP layer); SIP control with rate admission control; protection against SIP protocol vulnerabilities; call admission control with authentication/authorization; theft of service mitigation; SPAM/SPIT prevention; network-based correlation; analytics/post-processing; reporting and monitoring; alarming and closed-loop control.

17 Consolidation of Functions
Diagram: access and interconnect functions across the Access & Interconnectivity, Session Management and Application planes (WAP/WAG, WAG, PDG, SeGW, SBC-S, A-BCF, I-BCF, Edge BGF, serving WiFi, WiMAX, UMA and broadband access) consolidated into the SBF.

18 Benefits of SBF
- Security for both signaling and media.
- Signaling and media can be disaggregated or integrated.
- Can be integrated with any signaling or media element to protect it.
- Consolidates all access types.

19 Thank You! For further comments and discussion: