Network security is one of the most important issues to address in the new mobile environment. Service providers are delivering VoLTE services to replace legacy circuit-switched voice calls, and they need to ensure that every IP network-based service a VoLTE call depends on is protected.
LTE networks are IP-based, and they leave circuit-switched voice calls behind. Upgrading the technology gives a more flexible and extensible network infrastructure, but it also means that service providers must address the new and little-understood security concerns that come with the new architecture.
Multiple threats for individual calls
The SIP and IMS infrastructure is critical to establishing a call session for the customer. SIP messages are generated on a consumer device and propagated directly into the control plane infrastructure, which creates the potential for malicious SIP traffic to reach the service provider network. It is also possible that a poorly written SIP application could emit malformed messages or unintentionally generate a signaling flood indistinguishable from a DDoS attack. The SBC (session border controller) and IMS components such as the P-CSCF and S-CSCF (the proxy and serving call session control functions) must be protected against these threats.
All of these services within the communications path rely on DNS to connect the call session from one function to the next. But DNS is an exposed Internet service that can be disrupted in several ways.
Lately, there has been an increase in the number of DDoS amplification attacks. This type of attack occurs when an attacker sends a small request to a server that produces a much larger response. The attacker spoofs the source IP address of the request so that it carries the address of the intended victim. Because DNS runs over stateless UDP, where no handshake verifies the source, and answers any well-formed query, the attacker's original bandwidth can be amplified more than 40 times by the DNS server by the time it reaches the destination. This floods the victim with an overwhelming amount of data that overloads their network connections.
Service providers need to enhance their DNS infrastructures to handle the increased load of DNS requests and institute rules to protect the infrastructure from becoming disabled. If DNS is not working, none of the services within the LTE network will work.
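To make the amplification mechanism and the protective "rules" concrete, here is an added example (not code from the original article or from F5) that builds an ANY query on the wire, computes the amplification a bulky answer would give, and then replays a constructed second of traffic through a response rate limiting (RRL) filter of the kind BIND and Knot implement. The 3,000-byte response size, the client addresses, and the RRL limit and slip values are assumptions for the demonstration.

```python
"""DNS amplification and response rate limiting (RRL), modelled end to end.

Added example, not code from the original article or from F5. The query is
built on the wire per RFC 1035/6891; the response size, client addresses and
RRL parameters are constructed assumptions for the demonstration.
"""
import struct
from collections import defaultdict

ANY = 255                       # QTYPE ANY, the classic amplification query
RRL_RESPONSES_PER_SECOND = 5    # assumed policy: identical answers per /24 per second
RRL_SLIP = 2                    # every 2nd over-limit response is truncated, the rest dropped
TRUNCATED_RESPONSE_BYTES = 40   # assumed size of a TC=1 reply (header + question, no answer)


def build_query(qname: str, qtype: int = ANY, edns_bufsize: int = 4096) -> bytes:
    """Build the UDP payload an attacker sends: 12-byte header, one question,
    and an EDNS0 OPT record advertising a large buffer so the server is
    willing to return a big answer in a single datagram."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # id, RD flag, QD=1, AR=1
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".")) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)                # QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)  # root, OPT, CLASS=bufsize, TTL, RDLEN
    return header + question + opt


def amplification_factor(response_bytes: int, query: bytes) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker sent."""
    return response_bytes / len(query)


class ResponseRateLimiter:
    """Limit identical answers to one client prefix, in the style of BIND/Knot RRL.
    Fixed one-second windows are used for clarity instead of a leaky bucket."""

    def __init__(self, limit=RRL_RESPONSES_PER_SECOND, slip=RRL_SLIP):
        self.limit, self.slip = limit, slip
        self.sent = defaultdict(int)   # (second, /24, qname, qtype) -> answers sent
        self.over = defaultdict(int)   # same key -> over-limit queries seen

    @staticmethod
    def prefix24(ip: str) -> str:
        return ".".join(ip.split(".")[:3]) + ".0/24"

    def decide(self, now: float, client_ip: str, qname: str, qtype: int) -> str:
        """Return 'answer', 'truncate' or 'drop' for one query arriving at time now."""
        key = (int(now), self.prefix24(client_ip), qname.lower(), qtype)
        if self.sent[key] < self.limit:
            self.sent[key] += 1
            return "answer"
        self.over[key] += 1
        # A truncated (TC=1) reply is tiny and tells a genuine resolver to retry
        # over TCP, which a spoofed source address can never be made to do.
        return "truncate" if self.over[key] % self.slip == 0 else "drop"


def serve(queries, response_bytes, limiter=None):
    """Replay (time, client_ip, qname, qtype) queries through an optional limiter.
    Returns ({client: bytes sent}, {client: {verdict: count}})."""
    bytes_out = defaultdict(int)
    verdicts = defaultdict(lambda: defaultdict(int))
    for t, ip, name, qtype in queries:
        v = limiter.decide(t, ip, name, qtype) if limiter else "answer"
        verdicts[ip][v] += 1
        bytes_out[ip] += {"answer": response_bytes, "truncate": TRUNCATED_RESPONSE_BYTES, "drop": 0}[v]
    return bytes_out, verdicts


def run_demo() -> dict:
    """Constructed second of traffic: a genuine resolver asks three questions while
    200 queries spoofed from a victim address hit the same name with ANY."""
    victim, resolver = "203.0.113.7", "198.51.100.10"
    query = build_query("example.net")
    response_bytes = 3000                       # assumed size of a bulky ANY answer
    traffic = [(0.1 * k + 0.05, resolver, "example.net", ANY) for k in range(3)]
    traffic += [(i / 1000, victim, "example.net", ANY) for i in range(200)]
    traffic.sort(key=lambda q: q[0])
    unlimited, _ = serve(traffic, response_bytes)
    limited, verdicts = serve(traffic, response_bytes, ResponseRateLimiter())
    return {
        "query_bytes": len(query),
        "amplification": amplification_factor(response_bytes, query),
        "victim_bytes_no_rrl": unlimited[victim],
        "victim_bytes_rrl": limited[victim],
        "resolver_bytes_rrl": limited[resolver],
        "victim_verdicts": dict(verdicts[victim]),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The 40-byte query against a 3,000-byte answer gives a 75x amplification; with the limiter in place the victim receives 18,880 bytes instead of 600,000 in that second, while the genuine resolver, in a different /24, is answered in full. Keying on the client prefix and the answer, rather than on the query alone, is what lets legitimate resolvers behind the same address keep working.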
Once a call session is established, the data path between the packet gateway and the Internet needs to be protected. Service providers need to protect their networks and their subscribers from threats that originate from the Internet. They need S/Gi firewalls to protect the data path from the typical types of Internet threats as well as those that target the service provider infrastructure and their customers’ devices.
Security policies need to be installed at appropriate control points in the communications path to identify and filter the threats. Security procedures should be applied at every part of the network where it makes sense.
In the control plane, firewalls must be placed between the subscribers and the key internal network functions such as the SBC, x-CSCF, and SIP application servers. These services also need content- and session-aware security policies that can distinguish legitimate calls from malicious traffic that takes advantage of the open nature of SIP call signaling and of the Diameter protocol used for authentication, policy and charging.
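The following added example (not code from the original article or from F5) shows the kind of content-aware check meant here and in the earlier discussion of malformed SIP: a header-level validator for SIP requests that a control-plane firewall or SBC could run before a message reaches the P-CSCF. It enforces the mandatory headers of RFC 3261, expands the compact header forms so they cannot be used to slip past the check, rejects duplicate single-valued headers, and requires CSeq and Content-Length to agree with the request line and body. The INVITEs are constructed, and the header length and count limits are illustrative policy assumptions.

```python
"""SIP request sanity checks of the kind a control-plane firewall or SBC applies
before a message reaches the P-CSCF. Added example, not code from the original
article or from F5; the INVITEs are constructed and the limits are assumptions."""
import re

MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")      # RFC 3261 s8.1.1
SINGLE_VALUED = ("from", "to", "call-id", "cseq", "max-forwards", "content-length")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length",
           "m": "contact", "c": "content-type", "k": "supported"}        # RFC 3261 s7.3.3
MAX_HEADER_LEN = 1024     # assumed policy limit per header value
MAX_HEADERS = 64          # assumed policy limit on header count
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
CSEQ_VALUE = re.compile(r"^(\d+) ([A-Z]+)$")


def parse_request(raw: bytes):
    """Split into (request_line, [(name, value)], body); ValueError if not SIP-shaped."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the header block")
    lines = head.decode("utf-8").split("\r\n")          # UnicodeDecodeError is a ValueError
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:         # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
            continue
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line {line!r}")
        name = name.strip().lower()
        headers.append((COMPACT.get(name, name), value.strip()))  # expand compact forms
    return lines[0], headers, body


def check_request(raw: bytes) -> list:
    """Return the policy violations found; an empty list means the request passes."""
    try:
        request_line, headers, body = parse_request(raw)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    match = REQUEST_LINE.match(request_line)
    if not match:
        return [f"bad request line {request_line!r}"]
    method, names, values = match.group(1), [n for n, _ in headers], dict(headers)
    problems = [f"too many headers ({len(headers)})"] if len(headers) > MAX_HEADERS else []
    problems += [f"header {n} too long ({len(v)} bytes)" for n, v in headers if len(v) > MAX_HEADER_LEN]
    problems += [f"missing header {n}" for n in MANDATORY if n not in names]
    problems += [f"duplicate header {n}" for n in SINGLE_VALUED if names.count(n) > 1]
    cseq = CSEQ_VALUE.match(values.get("cseq", ""))
    if "cseq" in values and not cseq:
        problems.append(f"malformed CSeq {values['cseq']!r}")
    elif cseq and cseq.group(2) != method:
        problems.append(f"CSeq method {cseq.group(2)} does not match request method {method}")
    length = values.get("content-length")
    if length is not None and (not length.isdigit() or int(length) != len(body)):
        problems.append(f"Content-Length {length!r} does not match body length {len(body)}")
    elif length is None and body:
        problems.append("body present without Content-Length")
    return problems


DEFAULT_SDP = (b"v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\n"
               b"t=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")


def build_invite(overrides=None, body: bytes = DEFAULT_SDP) -> bytes:
    """Constructed INVITE; overrides maps a header to a new value, or None to delete it."""
    headers = {
        "Via": "SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
        "Max-Forwards": "70",
        "To": "<sip:+15551230002@ims.example.net>",
        "From": "<sip:+15551230001@ims.example.net>;tag=1928301774",
        "Call-ID": "a84b4c76e66710@10.0.0.5",
        "CSeq": "314159 INVITE",
        "Contact": "<sip:+15551230001@10.0.0.5>",
        "Content-Type": "application/sdp",
        "Content-Length": str(len(body)),
    }
    for name, value in (overrides or {}).items():
        if value is None:
            headers.pop(name, None)
        else:
            headers[name] = value
    head = "INVITE sip:+15551230002@ims.example.net SIP/2.0\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode() + b"\r\n" + body


if __name__ == "__main__":
    cases = {"clean": build_invite(),
             "length-smuggling": build_invite({"Content-Length": "0"}),
             "compact-via": build_invite({"Via": None, "v": "SIP/2.0/UDP 10.0.0.5;branch=z9hG4bK1"}),
             "cseq-mismatch": build_invite({"CSeq": "1 REGISTER"})}
    for label, msg in cases.items():
        print(f"{label}: {check_request(msg) or 'pass'}")
```

The Content-Length and duplicate-header checks matter most at a border element: two parsers in the path that disagree about where a message ends, or about which of two From headers is authoritative, is exactly the sort of ambiguity an attacker exploits against the functions behind the firewall.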
Firewalls must also be established at the perimeter of the data network. S/Gi firewalls in the data path adjacent to the Internet protect the network and subscribers from high-speed, high-volume DDoS attacks. They also protect against TCP sweeps that probe ranges of subscriber addresses: each probe that reaches an idle device forces the network to page and wake it, so a sweep across many devices creates a storm of signaling messages in the core. Other security functions are needed to ensure that the RTP voice streams are valid, along with the accompanying RTCP control traffic that reports session quality information, such as packet loss and jitter, back to the service provider.
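Sweep detection on the S/Gi path comes down to counting how many distinct subscriber addresses one Internet-side source touches within a short window, and how many of those flows were bare SYNs that nothing ever answered. The added example below (not code from the original article or from F5) implements that as a sliding-window detector over constructed flow records; the 60-second window and the 32-destination threshold are assumptions, and a slow monitoring host is included to show that the window, not the lifetime total, is what triggers an alert.

```python
"""Detecting Internet-side TCP sweeps against subscriber address space on the
S/Gi data path. Added example, not code from the original article or from F5;
the flow records are constructed and the window and threshold are assumptions."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # assumed sliding window
DISTINCT_DST_THRESHOLD = 32    # assumed: distinct subscriber IPs one source may touch per window


class SweepDetector:
    """Sliding-window count of distinct subscriber destinations per Internet source.
    The paging cost to the core is paid whether or not a handset ever answers, so
    SYN-only flows (a probe at an idle device) are tracked alongside the count."""

    def __init__(self, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)                        # src -> (ts, dst, syn_only)
        self.dst_hits = defaultdict(lambda: defaultdict(int))   # src -> dst -> hits in window
        self.syn_only = defaultdict(int)                        # src -> SYN-only flows in window
        self.alerted = set()

    def observe(self, ts, src, dst, dport, flags):
        """Feed one flow record; return an alert dict the first time src crosses the threshold."""
        syn_only = flags == "S"                  # SYN seen, never acknowledged
        q = self.recent[src]
        q.append((ts, dst, syn_only))
        self.dst_hits[src][dst] += 1
        self.syn_only[src] += syn_only
        while q and ts - q[0][0] > self.window:  # expire records that fell out of the window
            _, old_dst, old_syn = q.popleft()
            self.dst_hits[src][old_dst] -= 1
            if self.dst_hits[src][old_dst] == 0:
                del self.dst_hits[src][old_dst]
            self.syn_only[src] -= old_syn
        distinct = len(self.dst_hits[src])
        if distinct >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return {"src": src, "distinct_dsts": distinct, "syn_only": self.syn_only[src],
                    "dport": dport, "first_seen": q[0][0], "last_seen": ts}
        return None


def constructed_flows():
    """(ts, internet_src, subscriber_dst, dport, tcp_flags) records, constructed for the demo."""
    # A content server completing normal handshakes with three subscribers.
    flows = [(t, "198.51.100.20", f"10.64.0.{100 + i}", 443, "SA")
             for i, t in enumerate((0.0, 5.0, 12.0))]
    # A SYN-only sweep of 40 consecutive subscriber addresses in 20 seconds.
    flows += [(30.0 + i * 0.5, "192.0.2.66", f"10.64.1.{i + 1}", 443, "S")
              for i in range(40)]
    # A slow monitoring host: 40 subscribers, but only one every 30 seconds.
    flows += [(100.0 + i * 30.0, "198.51.100.30", f"10.64.2.{i + 1}", 443, "SA")
              for i in range(40)]
    return sorted(flows)


def run_detection(flows):
    """Run every record through one detector and collect the alerts raised."""
    detector = SweepDetector()
    return [alert for alert in (detector.observe(*f) for f in flows) if alert]


if __name__ == "__main__":
    for alert in run_detection(constructed_flows()):
        print(alert)
```

Only the sweeping source trips the detector, at its 32nd address 15.5 seconds into the sweep; the monitoring host never has more than three destinations inside any 60-second window. In a real deployment the alert would feed a block rule on the S/Gi firewall, and the SYN-only count is the field to watch, since a scanner that never completes a handshake is still paging every device it touches.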
Security is not a cherry cordial
Years ago, a colleague told me that security is like a chocolate covered cherry. There is a hard outer shell, which is the security perimeter protecting the network. Once an attacker is able to penetrate this hard outer coating, they have access to the soft and exposed cherry and all the assets that it contains.
With the introduction of advanced security threats and attacks that target specific applications and protocols, this analogy no longer holds true. It is essential for the service provider – and really, all organizations responsible for data networks – to implement a multi-layered security infrastructure that can identify and mitigate the threats at every control point in the network. As service providers continue to build their LTE networks and implement VoLTE call capabilities, they will need to determine where it makes logical and financial sense to incorporate security policies within all of the infrastructure components.
Frank Yue is the Technical Marketing Manager for the Service Provider vertical at F5 Networks. Mr. Yue has over 15 years of experience building large-scale networks and working with high performance application technologies, including deep packet inspection, network security, and application delivery. He is based in North Carolina and is a scuba diving instructor in his spare time.
Edited by Maurice Nagle