At their most basic level, networks interconnect people and machines and provide for the free and secure flow of information between them. In a perfect world, simple designs based on homogeneous access and consistent infrastructure accomplish this. For simple networks in a benign world, there would be no need for security. Unfortunately, the real world is not simple and it is by no means benign. Today’s networks have evolved from the simple network of Watson and Bell to a very complex web that spans the world. Using these networks, voice, video, and data are exchanged over a variety of competing access technologies and carried to their destinations using a variety of infrastructure technologies. As technology has allowed these networks to continue to evolve and expand, the opportunity to utilize these networks in ever more innovative ways to provide better communications has expanded. As opportunity expands, the temptation to intercept, interrupt, and redirect this communication for a variety of reasons continues to grow with it. This is why network security must exist.
Much of the technology used for security in IMS is the result of what has been learned from the creation and implementation of previous networks. IMS security is implemented at multiple levels. Security is maintained at the access level and at the network infrastructure level for both the signaling sessions and any resulting bearer sessions.
Borrowing from and expanding on what was learned during VoIP deployment in the wireline network, the P-CSCF, I-CSCF and S-CSCF elements provide services for both the access level and the network level. These CSCF elements share a large degree of functionality with the session border controllers in today’s VoIP networks and, indeed, many companies are leveraging this to build the CSCF elements for the IMS networks as fixed-mobile convergence begins to become a reality.
The role of these elements is to provide a standards-based mechanism for controlled access to the mobile network, to provide for roaming, and to interface with applications. This includes providing various security functions, such as interfacing to existing HSS systems for authorization, preventing denial of service attacks, providing firewall and spam protection services, as well as providing mechanisms for legal interception while preventing unauthorized interception. Since IMS is an overlay technology, it does not rely on the underlying IP transport technologies for security. IMS uses SIP for both access and infrastructure signaling, and the security work for IMS parallels the continuing work for SIP security in general. Unlike existing VoIP networks, which are evolving to require security, the IMS network architecture specifies it at the outset. This “designing in” of security overcomes many of the problems that are beginning to appear in VoIP networks. These issues include unauthorized eavesdropping, theft of service, spoofing of network elements, and, in some cases, purposeful service disruption with the intent of damaging the competition.
As the world moves towards ubiquitous service offerings over converged networks, the technology powering the networks will continue to become more complex. As the complexity increases, the security mechanisms must also continue to evolve to ensure reliability and inspire confidence in the end users. The IMS architecture and the corresponding security mechanisms will ensure that this happens, which will lead to increased opportunities for everyone.
Nathan Franzmeier is chief executive officer of Emergent Network Solutions. For more information, please visit the company online at www.emergent-netsolutions.com.