IMS’ three-layered architecture for separate application, control and transport functions allows for an open IP-based communications platform rather than a monolithic, closed architecture (see Figure 1). This approach decouples the service delivery components from the physical network, making it possible for services to be independent of the network over which they are delivered — with the goal of reducing the service provider’s cost of developing services and deploying those services faster, across more access networks and to broader markets.
The very distributed and open nature of the IMS architecture is a new network (and business) paradigm, and with it comes a range of security threats and new network dimensions that demand a new generation of security solutions.
IMS Functional Elements and Their Inherent Security Risk
IMS functional elements (i.e., Proxy, Serving and Interrogating Call Session Control Functions, Border Gateway Control Functions, Media Resource Control Functions, Home Subscriber Servers, Application Servers, etc.) communicate via standard reference points instead of interfaces (see Figure 2). Unlike an interface, over which any device can communicate with a particular element, a reference point is a well-defined set of rules that associates two functions. Reference points provide a controlled and restrictive set of specifications that describe all communications between two functional elements, including protocols for the various types of signaling and bearer traffic. Reference points specify how IMS entities interact with their peers and dictate which entities are allowed to utilize a particular function. Regardless of the reference point type, all IMS signaling and communications are based on IP protocols.
Having functional entities separated by IP reference points ensures interoperability between vendor equipment, application flexibility and the reuse of common components for any type of multimedia services that may arise over time. However, this architecture has its own set of drawbacks. Distributing core network functions that are connected together over IP ultimately means more opportunity to break the architecture from a security perspective. Compounding this problem is the fact that IMS products are not unified by a common security model. Differences in functional level and performance capabilities between vendor implementations of security necessitate a common security fabric (i.e., a next-generation security platform) that manages and controls all vital communications.
This common platform must secure and control access to the IMS network, protect the IMS core infrastructure and applications, and do this at Tier-1 service provider deployment performance and scalability levels.
IMS Access Security Requirements
IMS access borders have a rigorous set of security challenges, in particular because of their projected scale and performance requirements. IMS network dimensions (i.e., number of concurrent users, devices and active sessions), as with other fixed-mobile convergence (FMC) networks, are expected to be an order of magnitude greater than today’s generation of fixed-line VoIP, CDMA and GSM networks.
The primary goal of IMS access security is to keep unauthorized users and traffic from penetrating the network. Access security within the IMS framework is designed to only allow authenticated traffic access to the IMS core elements. The user is authenticated and a secure connection is established between the user and the IMS network.
The authentication process depends on the application. Mobile (3GPP) applications require that all signaling between the user and the network be encrypted. In contrast, wireline (TISPAN) authentication procedures do not require encryption, but with FMC on the horizon, encryption will be a ubiquitous requirement.
Furthermore, authorized user traffic needs to be monitored and controlled for service and quality assurance. For instance, the IMS network must have the ability to ensure proper bandwidth and priority is given to a particular application flow, but it also must protect from theft of service within application flows (i.e., prevent users from receiving streaming video bandwidth while only paying for streaming audio).
Legacy security devices, such as firewalls, routers and session border controllers, will be challenged to handle these access functions at the expected IMS network scale (e.g., the average IMS user will have multiple always-on active sessions concurrently [presence, email, registration, IM, voice, etc.] — all of which must be monitored and controlled for security, QoS and bandwidth theft).
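The theft-of-service check described above, where a subscriber paying for streaming audio must not be able to pull streaming-video bandwidth through the same session, can be enforced at session setup by comparing the media a session negotiates against the subscriber's entitlement. The following is an added example, not code from the article or from any vendor product: it parses the m= and b=AS: lines of an SDP offer and rejects the session when it requests an unentitled media type or more bandwidth than the subscriber's ceiling. The entitlement table, subscriber identities and the SDP offer are constructed for the example.

```python
# Added example (not from the original article): session-level enforcement of a
# subscriber's media entitlement using the SDP offer carried in SIP signaling.
# The entitlement table, subscriber URIs and the SDP text are constructed.
import re
from dataclasses import dataclass


@dataclass
class Entitlement:
    media: set       # media types the subscriber may use, e.g. {"audio"}
    max_kbps: int    # total session bandwidth ceiling, kbit/s


# Constructed entitlement table; a real deployment would consult the HSS or a
# policy function rather than an in-memory dict (assumption for this example).
ENTITLEMENTS = {
    "sip:alice@example.net": Entitlement(media={"audio"}, max_kbps=128),
    "sip:bob@example.net": Entitlement(media={"audio", "video"}, max_kbps=1024),
}


def parse_sdp(sdp: str):
    """Return a list of (media_type, port, kbps) tuples, one per m= line.

    A media-level b=AS: line (kbit/s) sets the stream's bandwidth; a stream
    with no b= line is recorded as 0, i.e. an unstated request.
    """
    streams = []
    current = None
    for line in sdp.splitlines():
        line = line.strip()
        m = re.match(r"^m=(\w+)\s+(\d+)\s+\S+", line)
        if m:
            current = [m.group(1), int(m.group(2)), 0]
            streams.append(current)
            continue
        b = re.match(r"^b=AS:(\d+)", line)
        if b and current is not None:
            current[2] = int(b.group(1))
    return [tuple(s) for s in streams]


def check_session(user: str, sdp: str):
    """Return (allowed, reasons). The session is rejected when it requests a
    media type outside the entitlement or exceeds the bandwidth ceiling."""
    ent = ENTITLEMENTS.get(user)
    if ent is None:
        return False, ["unknown subscriber"]
    reasons = []
    total = 0
    for media, port, kbps in parse_sdp(sdp):
        if port == 0:
            continue  # port 0 marks a disabled stream, so it is not counted
        if media not in ent.media:
            reasons.append(f"{media} stream not in entitlement {sorted(ent.media)}")
        total += kbps
    if total > ent.max_kbps:
        reasons.append(f"requested {total} kbit/s exceeds ceiling {ent.max_kbps}")
    return (not reasons), reasons


# Constructed SDP offer: a 64 kbit/s audio stream plus a 384 kbit/s video stream.
OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
b=AS:64
m=video 51372 RTP/AVP 31
b=AS:384
"""

if __name__ == "__main__":
    for user in ENTITLEMENTS:
        ok, why = check_session(user, OFFER)
        print(user, "ALLOW" if ok else "REJECT", why)
```

Rejecting at signaling time is only half of the control the article calls for: once the session is up, the media flows themselves still have to be policed against the negotiated bandwidth, since a client can send more RTP than its SDP declared.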
Infrastructure and Core Network
Besides guarding against unauthorized entry from “last mile” access networks and controlling which services are delivered, IMS’ network peering borders, core network elements and protocols must all be protected from intrusion and attacks.
Network-to-network border security protects the IMS network from unauthorized access via other networks — especially the Internet, which will be a common access network for roaming users. IP peering between service provider networks opens up potential threats to the IMS core. Fully controlling the network border requires a combination of stateful firewall, application layer gateway (ALG), packet/flow filtering, address translation, virtual private networking (VPN) and encryption capabilities between peering networks. Firewalls and packet filters are necessary to protect against undesired packet flows (i.e., allowing voice traffic from one network, but not another). Network address translation (NAT), although not a security capability, is used to obscure visibility into the IMS network’s address structure and is most effective when used with other security functions. VPNs compartmentalize the security problem by partitioning the underlying network itself, and encrypted sessions authenticate and secure the information that flows between networks (see Figure 3).
Security threats also come from within; therefore it is critical that the IMS network have a mechanism for protecting itself from its own operators. The concept of IMS Security Zones must be implemented in the security model to effectively protect against internal threats. For example, because subscriber and charging information can be stolen or tampered with on the HSS and S-CSCF, it would make sense to place these elements in a high-security zone via protocol, station and IP-port restrictions enforced for a small subset of operators. On the other hand, the P-CSCF and Gateway GPRS Node would fall under a public-security zone, where less restrictive protocol, station and IP-port policies are implemented due to the nature of the public domain. Rather than using multiple security devices to achieve zoning and control of the network, virtualization technology cost-effectively achieves this within a single platform (see Figure 4).
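Both the border filtering in the previous paragraph (voice signaling accepted from one peer network but not another) and the security zones in this one (HSS and S-CSCF reachable only by a small set of operator stations, over specific protocols and ports) come down to the same default-deny policy evaluation. The following is an added example, not code from the article or from any vendor platform, showing one rule set that expresses both: a high-security zone restricted to a management LAN and two named operators, and a public zone that admits SIP from the access network and one trusted peer. The zone layout, element names, address ranges, operator identities and the attempts are constructed for illustration.

```python
# Added example (not from the original article): a default-deny policy
# evaluator covering peering-border filters and internal IMS security zones.
# Zone layout, element names, address ranges and attempts are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    zone: str                  # security zone the destination element sits in
    elements: frozenset        # element names covered by this rule
    sources: tuple             # allowed source networks, as CIDR strings
    services: frozenset        # allowed (protocol, port) pairs
    operators: Optional[frozenset] = None  # None: any; else operator allow-list


@dataclass(frozen=True)
class Attempt:
    src_ip: str
    element: str
    protocol: str
    port: int
    operator: Optional[str] = None   # management-plane identity, if any


MGMT_LAN = ("10.10.0.0/24",)
CORE_OPERATORS = frozenset({"op-core-1", "op-core-2"})

POLICY = [
    # High-security zone: Diameter to the HSS and SIP over TLS to the S-CSCF,
    # only from the management LAN and only for two named operators.
    Rule("high-security", frozenset({"HSS"}), MGMT_LAN,
         frozenset({("tcp", 3868), ("sctp", 3868)}), CORE_OPERATORS),
    Rule("high-security", frozenset({"S-CSCF"}), MGMT_LAN,
         frozenset({("tcp", 5061)}), CORE_OPERATORS),
    # Public zone: SIP from the access network (shared address space) and from
    # one trusted peering partner. A second peer (203.0.113.0/24) is not listed,
    # so its voice signaling is dropped at the border.
    Rule("public", frozenset({"P-CSCF", "GGSN"}),
         ("100.64.0.0/10", "198.51.100.0/24"),
         frozenset({("udp", 5060), ("tcp", 5060), ("tcp", 5061)})),
]


def evaluate(attempt: Attempt, policy=POLICY):
    """Return (decision, zone, reason). Permit only when some rule for the
    element matches source network, service and (where restricted) operator."""
    src = ipaddress.ip_address(attempt.src_ip)
    zone, reason = None, "no rule for element"
    for rule in policy:
        if attempt.element not in rule.elements:
            continue
        zone = rule.zone
        if not any(src in ipaddress.ip_network(n) for n in rule.sources):
            reason = "source not in zone's allowed networks"
        elif (attempt.protocol, attempt.port) not in rule.services:
            reason = f"{attempt.protocol}/{attempt.port} not allowed in zone"
        elif rule.operators is not None and attempt.operator not in rule.operators:
            reason = "operator not authorised for this zone"
        else:
            return "permit", zone, "matched"
    return "deny", zone, reason


if __name__ == "__main__":
    for a in (Attempt("10.10.0.5", "HSS", "tcp", 3868, "op-core-1"),
              Attempt("10.10.0.5", "HSS", "tcp", 3868, "op-helpdesk"),
              Attempt("198.51.100.7", "P-CSCF", "udp", 5060),
              Attempt("203.0.113.9", "P-CSCF", "udp", 5060)):
        print(a, "->", evaluate(a))
```

The evaluator returns the zone even on a deny, which is what an operator wants in the audit log: a denied attempt against a high-security zone element is a much stronger signal than one against the public zone.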
Network attacks such as denial of service (DoS) attacks (from inside or outside the network) are designed to exploit design and implementation weaknesses in the protocols and stacks of network elements. The IMS network must be able to thwart flood, sweep, scan, malformed packets, spoofing and fragmentation attacks against IP, UDP, TCP, ICMP, IGMP, SIP, RTP, RTSP and IKE protocols.
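Two of the attack classes listed above, floods and sweeps/scans against SIP, plus malformed SIP requests, can be caught with fairly simple logic at the security gateway. The following is an added example, not code from the article or from any product: a sliding-window rate monitor that raises a flood alert when one source exceeds a per-second request budget and a sweep alert when one source touches too many distinct destination hosts, and a sanity check that drops SIP requests missing an RFC 3261 mandatory header or whose Content-Length does not match the body. The log format, thresholds, addresses and SIP message are constructed for the example; compact header forms are not handled.

```python
# Added example (not from the original article): flood/sweep detection over
# per-request SIP log records, and a malformed-request check. The log format,
# thresholds, addresses and the SIP message below are constructed.
import re
from collections import defaultdict, deque

FLOOD_THRESHOLD = 20    # requests from one source inside WINDOW_SECS
WINDOW_SECS = 1.0
SWEEP_THRESHOLD = 8     # distinct destination hosts contacted by one source

LOG_RE = re.compile(
    r"t=(?P<t>[\d.]+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):\d+ method=(?P<m>\w+)")


class SipRateMonitor:
    """Per-source sliding-window request counter plus distinct-target tracker."""

    def __init__(self):
        self.window = defaultdict(deque)   # src -> timestamps within the window
        self.targets = defaultdict(set)    # src -> destination hosts seen
        self.alerts = []                   # (kind, src), first occurrence only

    def observe(self, line):
        m = LOG_RE.search(line)
        if not m:
            return None
        t, src, dst = float(m["t"]), m["src"], m["dst"]
        q = self.window[src]
        q.append(t)
        while q and t - q[0] > WINDOW_SECS:
            q.popleft()                    # drop timestamps outside the window
        self.targets[src].add(dst)
        alert = None
        if len(q) > FLOOD_THRESHOLD:
            alert = ("flood", src)
        elif len(self.targets[src]) > SWEEP_THRESHOLD:
            alert = ("sweep", src)
        if alert and alert not in self.alerts:
            self.alerts.append(alert)
        return alert


def run_monitor(lines):
    mon = SipRateMonitor()
    for line in lines:
        mon.observe(line)
    return mon.alerts


def constructed_log():
    """Constructed records: a 25-request burst, a 10-host sweep, benign traffic."""
    lines = [f"t={10.0 + i * 0.02:.2f} src=203.0.113.5 dst=192.0.2.1:5060 method=INVITE"
             for i in range(25)]
    lines += [f"t={20.0 + i:.2f} src=198.51.100.9 dst=192.0.2.{i}:5060 method=OPTIONS"
              for i in range(10)]
    lines += [f"t={30.0 + i * 5:.2f} src=192.0.2.10 dst=192.0.2.1:5060 method=REGISTER"
              for i in range(3)]
    return lines


MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")


def sip_request_problems(raw: str):
    """Return reasons a SIP request is malformed (RFC 3261 mandatory headers;
    Content-Length, when present, must match the body length)."""
    problems = []
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return ["no header/body separator"]
    lines = head.split("\r\n")
    if not re.match(r"^[A-Z]+ \S+ SIP/2\.0$", lines[0]):
        problems.append("bad request line")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    for name in MANDATORY:
        if name.lower() not in headers:
            problems.append(f"missing {name}")
    if "content-length" in headers:
        try:
            declared = int(headers["content-length"])
        except ValueError:
            declared = -1
        actual = len(body.encode())
        if declared != actual:
            problems.append(f"Content-Length {declared} != body {actual}")
    return problems


# Constructed well-formed INVITE and a broken variant of it.
GOOD_REQUEST = ("INVITE sip:bob@example.net SIP/2.0\r\n"
                "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK1\r\n"
                "From: <sip:alice@example.net>;tag=1\r\n"
                "To: <sip:bob@example.net>\r\n"
                "Call-ID: abc@192.0.2.10\r\nCSeq: 1 INVITE\r\n"
                "Max-Forwards: 70\r\nContent-Length: 0\r\n\r\n")
BAD_REQUEST = GOOD_REQUEST.replace("Max-Forwards: 70\r\n", "").replace(
    "Content-Length: 0", "Content-Length: 99")

if __name__ == "__main__":
    print(run_monitor(constructed_log()))
    print(sip_request_problems(GOOD_REQUEST), sip_request_problems(BAD_REQUEST))
```

The per-source keys assume the source address is trustworthy; for spoofed UDP floods the gateway has to fall back on aggregate rates per destination element, which the same sliding-window structure supports by keying on dst instead.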
To perform these comprehensive functions, the IMS security solution required must be able to perform deep packet inspection in real-time, maintain service transparency and not affect the underlying performance of the network.
Meeting Security Challenges of the New Network Paradigm
IMS seeks to streamline service providers’ internal systems and operations by eliminating the “silo” approach to carrier infrastructure (i.e., by serving all access networks — and subscribers — with a common core infrastructure and set of applications). To maintain efficiency, a single platform is needed to provide the security functions for the entire infrastructure (subscriber device, access network, core network and applications), rather than create new “silos.”
Platforms tasked with protecting the various facets of the IMS network must be able to authenticate and encrypt sessions, filter and throttle sessions, and enforce service policies, all the while doing these functions at wire-speed. Securing the next-generation (i.e., IMS) network is complex and requires purpose-built next-generation solutions (i.e., “Security Gateways”) far more comprehensive than traditional firewalls, routers and session border controllers in terms of security (every major security function), scalability (up to hundreds of thousands of concurrent registered users and sessions), performance (wire speed at maximum scalability and with all major security functions active) and carrier-class availability (99.999%).
Cam Cullen is Vice President of Product Management, Reef Point Systems. For more information, please visit the company online at www.reefpoint.com.