TMCnet
IMS Magazine
June 2007 — Volume 2 / Number 3
IMS Feature Article

Is It Just an Illusion, or is the IMS Network “In Need of More Security?”

By Eric Rasmussen


Over the past 6-18 months, the IP Multimedia Subsystem (IMS) has really enjoyed the limelight, managing top billing as the ‘Next Big Thing’—the architecture that will pull back the curtain to reveal Fixed Mobile Convergence (FMC) brought to life, but only after pulling more than a few dazzling new services out of its hat. By now it’s hard to deny that IMS is here to stay, but it’s also hard to ignore the fact that IMS has started to raise more than a few eyebrows—and many questions—in the security world. While some may be lured in by the flashy promises of IMS, security-savvy telecom leaders are starting to wonder whether, after the show is over, IMS won’t skip town, leaving us with networks that turn out to be ‘In need of More Security.’

The obvious strength of IMS is that it provides mobile operators with a clear path to advanced revenue-generating services on an all-IP network. However, what may not be so evident to service providers deploying IMS is that this architecture also has the potential to introduce new IP-related security vulnerabilities. IMS-based networks enable service providers to link many networks together, both mobile and fixed, creating the potential for more access to devices and networks than ever before. However, as networks and devices increase their interconnections, this creates a potential free-for-all as the bad guys look for new ways to exploit networks that were, until recently, sufficiently secure. While 3GPP, 3GPP2 and other standards bodies have defined many important aspects of IMS and FMC security—such as authorization and authentication—there is still a great deal of work to be done to ensure that the IMS architecture is secure. Perhaps more importantly, this work will continue for the foreseeable future, as attacks will continue to evolve to exploit new weaknesses. As a result, it is critical that mobile operators deploying IMS architectures take steps to protect their networks from the introduction of additional risks.

Where once major threats to networks revolved solely around uptime and reliability of the network and/or services (a la Denial-of-Service attacks), the stakes have become much higher in recent years. Attacks have shifted to targeting vulnerabilities within software and network infrastructure for the purposes of theft and financial gain, with hacking now becoming big business. For example, McAfee recently reported that more than 80 percent of mobile operators have been hit by mobile infections involving some type of malware, and Kaspersky Labs has tracked a 300 percent increase in mobile malware between 2005 and 2006. Without taking necessary precautions to secure all layers of the IMS network, operators are placing the integrity of their networks – as well as their service revenue, corporate reputation, and even their users – at risk.

So what are these additional steps? Simply put, securing the IMS network means implementing security measures to protect all layers (transport, control and services), as well as network users and traffic, from the myriad and constantly changing attacks that are currently the bane of most operators running IP-based networks. Zero-day vulnerabilities, buffer overflows, SQL injections, viruses, worms, Trojans, and other internal and external threats are all part of this landscape, and operators need technologies that protect against each of them.



What this means for service providers is that they must deploy a variety of technologies that work together to minimize threats and decrease the severity of ongoing attacks by providing protection for all layers of the IMS network. For example, threats originating from the Internet—including application and signaling attacks on the server—require deep inspection firewalls, as well as intrusion detection and prevention (IDP). This includes installing stateless firewalls that can determine whether a packet is permitted into the network by analyzing basic information in the packet headers, as well as stateful inspection firewalls that monitor and control the flow of traffic between networks by tracking the state of sessions and dropping packets that are not part of authorized sessions. Firewalls can also help operators control fraudulent activities, mitigate threats from hackers, and provide added visibility into network operations. These firewalls also need to be scalable enough to handle the volume of traffic that flows through them so that the network performance is not negatively impacted.
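The difference between the two firewall types described above, as an added example that is not part of the original article: a header-only rule and a session-tracking filter judge the same constructed TCP traffic. The addresses, ports and the "inbound needs ACK" rule are assumptions chosen for illustration, and the state machine is simplified (no FIN/RST handling or timeouts).

```python
from dataclasses import dataclass

INSIDE = "10.0.0."                      # constructed internal prefix

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset                    # TCP flags, e.g. {"SYN", "ACK"}

def outbound(p):
    return p.src.startswith(INSIDE)

def stateless_permit(p):
    """Header-only rule: anything outbound; inbound only with ACK set."""
    return outbound(p) or "ACK" in p.flags

class StatefulFilter:
    """Permits inbound packets only for sessions opened from the inside."""
    def __init__(self):
        self.sessions = {}              # (in_ip, in_port, out_ip, out_port) -> state

    def permit(self, p):
        if outbound(p):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == {"SYN"}:
                self.sessions[key] = "SYN_SENT"
            elif self.sessions.get(key) == "SYN_ACKED" and "ACK" in p.flags:
                self.sessions[key] = "ESTABLISHED"
            return key in self.sessions
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.sessions.get(key)
        if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.sessions[key] = "SYN_ACKED"
            return True
        return state == "ESTABLISHED" and "ACK" in p.flags

def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))

# Constructed traffic: a handshake opened from inside, then two unsolicited packets.
TRAFFIC = [
    pkt("10.0.0.5", 40000, "198.51.100.7", 443, "SYN"),
    pkt("198.51.100.7", 443, "10.0.0.5", 40000, "SYN", "ACK"),
    pkt("10.0.0.5", 40000, "198.51.100.7", 443, "ACK"),
    pkt("203.0.113.9", 443, "10.0.0.5", 40000, "ACK"),   # no session behind it
    pkt("203.0.113.9", 50000, "10.0.0.5", 22, "SYN"),
]

def compare(traffic):
    """Returns (stateless decision, stateful decision) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_permit(p), fw.permit(p)) for p in traffic]
```

The fourth packet is the instructive one: its headers look like a reply, so the header-only rule admits it, while the session table has no matching entry and the stateful filter drops it.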

Intrusion detection and prevention systems (IDP) complement the role of firewalls by monitoring and analyzing network traffic for signs of attacks at the application level and then dropping traffic that is deemed to be from a malicious user. IDP systems are designed to detect the presence of attacks within the traffic that is permitted to flow into the network, performing this function by using stateful signatures that scan for attacks based on known patterns. However, in today’s environment of constantly evolving threats, mobile operators require solutions that can protect against unknown patterns and attacks as well. For example, many of the most significant threats involve so-called zero-day exploits, or attacks that leverage vulnerabilities for which there is no signature or software patch. Attackers using such vulnerabilities can easily breeze past security technologies that rely solely on signature-based technology. Defeating these criminals requires use of IDP systems that use protocol and traffic anomaly detection, which can identify attacks for which a signature may not yet be known. Together, these solutions control the ongoing threat landscape that looms on the horizon for converged, all-IP networks.
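Signature matching beside protocol anomaly detection, as an added example that is not part of the original article. It assumes the inspected traffic is SIP, the signaling protocol IMS uses, which the article does not name; the signature string, the header size limit and all three messages are constructed for illustration.

```python
import re

SIGNATURES = [re.compile(rb"User-Agent: known-bad-scanner", re.I)]    # constructed signature
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}   # RFC 3261, 8.1.1
MAX_HEADER_LEN = 256                   # local policy assumption, not a standard value
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")

def signature_hit(raw):
    """Signature-based check: flags only traffic matching a known pattern."""
    return any(sig.search(raw) for sig in SIGNATURES)

def protocol_anomalies(raw):
    """Anomaly check on request structure (compact header names not handled)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line"]
    findings, headers = [], {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            findings.append("header line without colon")
            continue
        if len(line) > MAX_HEADER_LEN:
            findings.append("oversized header: " + name.strip())
        headers[name.strip().lower()] = value.strip()
    missing = REQUIRED - set(headers)
    if missing:
        findings.append("missing headers: " + ", ".join(sorted(missing)))
    cseq = headers.get("cseq", "").split()
    if len(cseq) == 2 and cseq[1] != m.group(1):
        findings.append("CSeq method does not match request method")
    clen = headers.get("content-length")
    if clen is not None and (not clen.isdigit() or int(clen) != len(body)):
        findings.append("Content-Length does not match body")
    return findings

def build(method="INVITE", cseq_method=None, extra=()):   # constructed sample requests
    hdrs = ["Via: SIP/2.0/UDP host.example.invalid;branch=z9hG4bK776",
            "Max-Forwards: 70", "From: <sip:alice@example.invalid>;tag=1",
            "To: <sip:bob@example.invalid>", "Call-ID: a84b4c76e66710",
            f"CSeq: 1 {cseq_method or method}", "Content-Length: 0", *extra]
    return (f"{method} sip:bob@example.invalid SIP/2.0\r\n"
            + "\r\n".join(hdrs) + "\r\n\r\n").encode()

NORMAL = build()
KNOWN_BAD = build(extra=["User-Agent: known-bad-scanner"])
NOVEL = build(cseq_method="REGISTER", extra=["Subject: " + "A" * 400])  # no signature exists
```

`NOVEL` matches no signature yet is flagged twice by the structural checks, which is the gap between the two detection approaches that the paragraph describes.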

IMS is not an illusion, and IMS networks are certainly here to stay. And while we can certainly expect great things of IMS, it is yet to be seen just how good the show will be. However, as we sit back and prepare to be dazzled and amazed, we would do well not to let ourselves become too comfortable in our seats, or when the whole thing is over we may find our pockets have been relieved of more than just loose change. In fact, it is more important than ever that we observe the unfolding of IMS very intently, and without allowing ourselves to become diverted by all of the smoke and mirrors. Most importantly, we must ensure that our IMS networks include security for all layers and that they feature built-in protection for infrastructure, services, and users. Now is the time to make sure that, when the smoke clears, we aren’t left with a rabbit, a top hat, and networks that are “In need of More Security.”

Eric Rasmussen is Director, Mobile Operator Marketing, at Juniper Networks. He focuses on developing routing, security, and IMS/FMC solutions for mobile carriers globally. For more information, visit the company online at www.juniper.net.
