IMS Magazine
December 2006 — Volume 1 / Number 6
IMS Publisher's Outlook

Nortel’s IMS Security Strategy

By Rich Tehrani

As IMS becomes a more important part of service provider networks it is crucial that security in IMS networks is as good as it can be. Achieving real security in IMS (IP Multimedia Subsystem) networks is very complicated and relies on passing secure data between network partners. I had a chance to talk about Nortel’s IMS strategy with Eric Bezille, Nortel’s IMS product marketing manager for Europe and Asia.

“From our standpoint,” says Bezille, “IMS is an evolution for us rather than a brand new thing, given the fact that we are already involved in multiple technologies involving convergence such as SIP and we’re involved in all kinds of services on top of voice that serve the end user across many different contexts using different devices and working across different access networks.”

“So our strategy in IMS is really to make sure that what we have deployed already in the market based on Voice over IP will work okay in an IMS world,” says Bezille. “Fixed-mobile convergence [FMC] services exist today and there is a strong evolution and growth that we see driving operators to deploy pre-IMS solutions and to evolve them into IMS as well,” says Bezille.

“As for IMS security, there are different aspects of this,” said Bezille, “but the best aspect is the value of IMS providing a separation between the control layer and the application layer. There is a definite benefit from IMS in the sense that it simplifies the way the network is organized. It also simplifies the way you manage security across-the-board because it is a standardized environment rather than having people manage applications any way they want, with all different kinds of protocols, and user databases scattered everywhere, managing access security everywhere and having application downloads occur everywhere. With IMS you have an organized core network, an ordered way to manage user identification, authorization and application access. So in this sense, just having things standardized is helpful in terms of security.”

Bezille elaborates: “Therefore, our approach is first to accept the standards. It’s very important. We saw an initiative three years ago about converging things and easing access to call resources and so on. But the fact is that it was not really standardized across the board. It was not even standardized for one type of access, to be honest. Now you see that standardization is ongoing for the core network and not for one type of access only but for multiple types of access. You have IMS 3GPP in wireless and you have TISPAN for fixed networks, but the TISPAN next-gen architecture incorporates IMS concepts but does not use them exclusively, so in a sense you can say that those different standards are converging. You see that as well in cable networks, where the standard is called PacketCable MultiMedia [PCMM]. This standard is also converging with TISPAN and IMS 3GPP. For the first time you see a real convergence in the standardization of these architectures, so one of Nortel’s main strategies is to provide standards compliancy and interoperability proof points.”

“Okay, you could say that this is all just marketing,” says Bezille, “but we sponsored and participated in the GMI 2006 [Global MultiService Forum Interoperability 2006] event, which conducts tests of multi-vendor interoperability to make sure they can achieve Fixed Mobile Convergence [FMC] and support the IMS service framework. With five Internet operators and multiple IMS vendors, it was the biggest IMS interoperability testing event for years, providing close to 100 different interoperability testing scenarios involving IMS applications, such as IMS with non-IMS users, IMS users on one network with IMS users from another network. It was very broad. Nortel actually funded a large part of it, and it involved Acme Packet, BT, Cisco, Empirix, ETRI, KT Technology Labs, NTT, Sonus, Verizon, Vodafone and others. But the point I’m making is that the first aspect of an IMS security strategy really involves standardization because that is a cornerstone for things being secured, talking the same language, respecting the same set of interfaces and the same mode of protection and security. So one important aspect of IMS is bringing a centralized way to authenticate and authorize end users.”

“From the HSS [Home Subscriber Server] you can really manage subscriber identity and make sure everyone is authenticated and authorized in the same way,” says Bezille. “At the same time it simplifies the end user’s life, but it’s mainly ensuring a higher level of security.”

What Bezille said sounded good, since there could be concern about the actual security of being automatically logged on when a person moves from one device to the next. I then asked Bezille how an equipment vendor could ensure security within the core network.

“There are different aspects of that,” says Bezille. “The challenge centers on providing security when the user exercises the capability of going from one type of access to another, yet staying on the same call. So, you might first use your laptop and then the fixed phone or perhaps your cellular phone. These are not brand new scenarios for us, we are doing that today, such as the Orange Business Together service that integrates your mobile phones into your office network. Our technology is such that business people can access a set of services from their laptop, but they can also access them from their mobile phone in a consistent way too. Or, when they receive a ring tone when they receive a call, for instance, they can get their devices to ring at the same time or to ring in sequence. People can program the way they want to be reached and the way the service should behave. But most importantly, all of their access is secured. For instance, one of the basic principles for security on 3GPP IMS allows for different levels of possibilities to authenticate the end user. You can do it with a SIM card. You can also do it with a username and password, and so you can ensure security and the authentication across different devices and different forms of access.”

“For us it’s not that much of a debate because our expertise originated with our work in the enterprise space where IP is already all over the place,” says Bezille. “We are coming with wireline VoIP expertise where, again, the plateau has been very high and we have grabbed a strong market share. So for us it’s more of, say, ‘Hey, with our VoIP experience and IP services know-how, we can propagate advanced services through converged networks, organize our own IMS solutions that can deal with wireless access, as well as wireline and cable’. So it’s not a matter of trying to extend mobile expertise into an IP world. We already have expertise, technology and very specific functionalities we have created and tested in the VoIP market. And we have devised some innovative functions in this domain relating to security. For instance, in the VoIP network we can already intelligently evolve both end users and the network. Say that they started with a non-secure network for some reason; our solutions have specific features where we can migrate the users and the whole network into a fully secure network without service interruption. It’s important to be able to evolve your customer and enable a smooth migration into a higher-level security architecture. There are some ways to maintain ease of use from the end user’s perspective, but at the same time to improve security and standards compliancy, such as using an IPsec-based VPN.”

I was curious as to whether this security solution is automatically implemented in newly-deployed IMS networks.

“It depends,” said Bezille. “IPsec normally yes, if your system is compliant. There’s a functionality we call Flex Mode which can be used to move some nodes or end users from non-secured behavior to secured behavior. This is a function of IT that we put in place on our own solutions.”

“Of course, there are some situations where network operators realize they need specific functionalities that are not yet offered and so they contribute to the standard for the next versions,” says Bezille. “So you’ll see an initiative like A-IMS [Advances to IMS], made by Verizon and a couple of other contributors, where they recommend a kind of improvement to the standards and one part of this improvement is linked to the security aspects of IMS. And you see some other initiatives from other vendors as well as many operators. So you can expect that the security aspect is evolving into the standard for IMS as well. Much of this security is not just linked to the core itself but is linked to the end user. Everyone must work hard to ensure that the end user, going from one type of access to another, still enjoys secure communications. Consider the multiple devices that can now be used by one user to connect to an IMS network. It increases the complexity and difficulty of network security and so on. But, having laptops and all kinds of devices trying to connect to the network forces providers and enterprises to be much more careful with what they use and to determine if they are protected at the end user device as well. There are ways to assess VPNs and do security so we can ultimately have some policy enforcement for the end user device. We can have it accept and work with specific firewall software that we want to see on their device and so on. Technology originally used by enterprises to make sure that all their laptops were fully secure has led the way to service provider and enterprise solutions that allow for an additional level of control, security-wise, for various other end user devices.”
