VoIP Mobility & Security: Securing Fixed-Mobile and Wireless VoIP Convergence Services
Scott Poretsky, Director of Quality Assurance, Reef Point Systems

Upload: harold-gilbert, posted 12-Jan-2016

TRANSCRIPT

Page 1 (repeated as Page 2)

VoIP Mobility & Security

Scott Poretsky, Director of Quality Assurance, Reef Point Systems

Securing Fixed-Mobile and Wireless VoIP Convergence Services

Page 3

Agenda

FMC Top Driver for Technical Innovation in Networking Industry

FMC Creates New Security Vulnerabilities and Solutions

FMC Requires Defense-In-Depth Network Security Strategy

Security Gateways Must be Validated for Network Deployments

Conclusions

Page 4

Agenda (repeat of Page 3)

Page 5

FMC Designed for the Mass Market

Consumers on the go… at home… at work… working remotely…

• User-controlled reachability
• Ubiquitous access to services
• Single user identity across multiple locations
• Requires scalable, ubiquitous security solutions

FMC enables a consistent user experience

Service Providers are Unifying Domains – Different Networks, User Identities & Applications

Page 6

FMC Enables Revenue-Generating Blended Services

• Presence
• Push-to (Push-to-Talk, Push-to-View, etc.)
• VoIP and Rich Calls (with Video)
• Mobile Instant Messaging
• Mobile Video, Video Conferencing, Multiparty Gaming
• IPTV

Page 7

Service Provider FMC Deployments

Unlicensed Mobile Access (UMA): BT, T-Mobile, TeliaSonera

IP Multimedia Subsystem (IMS): Telecom Italia, Telefonica, Sprint

Page 8

Millions of New Endpoints Require Massive Scalability

New mobile data services and other multimedia services offered over wireless and converged networks create orders of magnitude more endpoints than wireline networks today

Annual global sales of dual mode mobile phones are likely to exceed 100 million during the final year of this decade*

Need to secure all endpoints simultaneously

*ABI Research May 05

Page 9

Agenda recap; next section: FMC Creates New Security Vulnerabilities and Solutions

Page 10

FMC Security Vulnerabilities

[Figure: the fixed network (PSTN, data network over ATM/FR/IP/MPLS), the mobile network, broadband access/IPTV (cable/DSL) and wireless LAN all converge onto a single IP network that is attached to the public IP network.]

• Requires secure and authorized access to network
• More users = more miscreants
• Single network = more damage from network attack

Page 11

FMC Security Solutions

Mobile handset subscribers are able to roam freely to make voice calls and access Internet services.

• Secure Access – IPsec between Mobile Subscriber and Network
• DoS Prevention – Stateful Firewall at mobile/core edge to protect FMC Core, Internet, and Mobile Stations
• User Authentication – AAA to authorize mobile subscribers for services, and Certificates for the mobile subscriber to authorize the IPsec peer
• Stability with Security Scaling – 100s of thousands of subscribers

Page 12

FMC Network Architectures

Unlicensed Mobile Access (UMA)
• 3GPP standard for mobile/Wi-Fi convergence
• Based upon IETF protocols – IPsec, IKE, RADIUS, EAP-SIM
• Controller = UNC

IP Multimedia Subsystem (IMS)
• 3GPP standard for universal mobile access
• Based upon IETF protocols – SIP, IPsec, IKE, DIAMETER
• Controller = CSCF

Page 13

UMA FMC Security Architecture

[Figure: User Equipment (dual-mode phone, mobile phone, wireless laptop) → Access (RAN, WiFi, broadband, converged home) → SeGW → UMA Core (UNC, INC, HLR/AAA) → Applications (presence, gaming, video, voice)]

Security Gateway Protects UMA Core, Internet, and User Equipment

Page 14

IMS FMC Security Architecture

[Figure: User Equipment (dual-mode phone, mobile phone, wireless laptop) → Access (RAN, WiFi, broadband, converged home) → SeGW → IMS Core (CSCFs, INC, HLR/AAA, HSS) → Applications (presence, gaming, video, voice)]

Security Gateway Offload for CSCF – Protect and Scale

Page 15

IMS Session Model

[Figure: same architecture as the IMS FMC Security Architecture slide; a "Registered User" holds a control connection through the SeGW to the CSCFs even while no call is in progress]

IMS changes call model to "always on" versus on-demand

Page 16

Poor Approach to Security for FMC: Integrated Control and Forwarding

All Traffic Goes Through FMC Core, Reducing Performance, Scalability, and Protection

[Figure: SIP terminals over any IP connection (e.g. GPRS, EDGE, WCDMA, WLAN, xDSL) reach the packet-switched network; both the SIP control path to the application servers and the SIP media streams between terminals traverse the FMC core.]

Page 17

Security Gateway Approach for FMC: Separating Control Plane From Forwarding

Separation of Control Plane and Forwarding Plane Increases Security, Performance and Scalability

[Figure: SIP terminals over any IP connection (e.g. GPRS, EDGE, WCDMA, WLAN, xDSL) reach the packet-switched network; the SIP control path goes to the application servers, while the SIP media streams run end-to-end between the terminals as IP-based services, separate from the control path.]

Page 18

IPsec and SIP Enabled Mobile Devices

FMC dependent upon handset vendors implementing devices with IPsec, IKE, and SIP support

Motorola and Nokia have announced FMC programs

Page 19

Agenda recap; next section: FMC Requires Defense-In-Depth Network Security Strategy

Page 20

Defense in Depth Safeguards FMC Networks – Zone 1: Subscriber Protection

[Figure: User Equipment (dual-mode phone, mobile phone, wireless laptop) → Access (RAN, WiFi, broadband, converged home) → SeGW → FMC Core (UNC, CSCFs) → Internet Applications (presence, gaming, video, voice); Zone 1 covers the path from the subscriber to the SeGW]

SeGW functions in this zone:
• IPsec Encrypt/Decrypt
• Stateful SIP Firewall
• SIP DoS Protection
• Malicious Packet Filtering

Secures the Transmission Between the Subscriber and Wireless Network

Page 21

Defense in Depth Safeguards FMC Networks – Zone 2: FMC Core Protection

[Figure: User Equipment → Access → SeGW → FMC Core (UNC, CSCFs) → Internet Applications; Zone 2 covers the SeGW and the FMC Core]

SeGW functions in this zone:
• IPsec Encryption/Decryption
• IKE DoS Protection
• IP DoS Protection
• SIP DoS Protection
• Anti-Spoofing
• Stateful Firewall
• QoS and Policing
• ECMP

Ensures a Highly Available, Predictable and Secure Network Core

Page 22

Defense in Depth Safeguards FMC Networks – Zone 3: Internet Gateway

[Figure: User Equipment → Access → SeGW → FMC Core (UNC, CSCFs) → Internet Applications; Zone 3 sits between the FMC Core and the Internet Applications, where DoS attacks, Internet worms and mobile viruses arrive]

Gateway functions in this zone:
• User Authentication
• Malicious Packet Filtering
• Codec QoS and Policing
• Stateful Firewall

Protects Core Network Resources

Page 23

Stateful Firewall Fundamental to Defense in Depth

• Stateful Firewall protects User Equipment, FMC Core, and Internet
• Stateful firewalls must be SIP aware
• SIP ALG must dynamically manage each session (up to 100s of 1000s)
• SIP ALG must rate limit SIP control and media for each session

[Figure: a SIP control session passes through the firewall; the SIP ALG opens a pinhole for that session's RTP media]

Alternative is Stateless Firewall or no Firewall – Not a Solution for Secure VoIP
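The reason a stateless firewall cannot secure VoIP is that RTP ports are negotiated per call inside the SDP carried by SIP, so only a device that follows the SIP dialog knows which UDP ports to open, for which endpoint, and when to close them again. The Python model below is an added example written for this page; it is not Reef Point's implementation and does not come from the slides. It assumes a policy of 20 SIP messages per second per source address, 60 RTP packets per second per pinhole (G.711 at 20 ms packetisation sends 50), a burst of 10, that the media address announced in SDP must equal the signalling source (no NAT traversal is modelled), and that pinholes close on BYE; every SIP/SDP message in it is constructed.

```python
"""SIP-aware stateful firewall with a SIP ALG (added example, not Reef Point code).
Assumed policy, not from the slides: 20 SIP msgs/s per source, 60 RTP pkts/s per
pinhole (G.711 at 20 ms sends 50), burst 10, SDP media address must equal the
signalling source (no NAT modelled), pinholes closed on BYE. Traffic is constructed."""
import re
from collections import defaultdict

SIP_RATE, RTP_RATE, BURST = 20.0, 60.0, 10

class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.t = rate, burst, float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.t) * self.rate)
        self.t = now
        ok = self.tokens >= 1
        self.tokens -= ok                                  # bool subtracts as 1/0
        return ok

def parse_sip(raw):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body

def sdp_audio_endpoint(body):
    """(ip, port) the SDP c= and m= lines announce for audio, or None."""
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    return (c.group(1), int(m.group(1))) if c and m else None

class SipAlgFirewall:
    def __init__(self):
        self.dialogs = {}                                  # Call-ID -> pinhole keys
        self.pinholes = {}                                 # (dst ip, dst port) -> policer
        self.sip_buckets = defaultdict(lambda: TokenBucket(SIP_RATE, BURST))

    def sip(self, src_ip, raw, now):
        """Verdict for one SIP message arriving from src_ip at time now."""
        if not self.sip_buckets[src_ip].allow(now):
            return "drop-ratelimit"                        # per-source SIP DoS protection
        try:
            start, hdr, body = parse_sip(raw)
            call_id, method = hdr["call-id"], start.split()[0]
        except (KeyError, IndexError):
            return "drop-malformed"
        if method == "INVITE" or start.startswith("SIP/2.0 200"):
            media = sdp_audio_endpoint(body)               # SDP offer or answer
            if media:
                if media[0] != src_ip:                     # anti-spoofing: no pinholes to third parties
                    return "drop-spoofed-sdp"
                self._open(call_id, media)
        elif method == "BYE":
            self._close(call_id)                           # dialog ends: its media closes with it
        return "forward"

    def _open(self, call_id, endpoint):
        ip, port = endpoint
        for p in (port, port + 1):                         # RTP and its RTCP companion port
            self.pinholes[(ip, p)] = TokenBucket(RTP_RATE, BURST)
            self.dialogs.setdefault(call_id, set()).add((ip, p))

    def _close(self, call_id):
        for key in self.dialogs.pop(call_id, ()):
            self.pinholes.pop(key, None)

    def media(self, dst_ip, dst_port, now):
        bucket = self.pinholes.get((dst_ip, dst_port))     # only negotiated ports are open
        if bucket is None:
            return "drop-nopinhole"
        return "forward" if bucket.allow(now) else "drop-ratelimit"

# Constructed messages: Alice (192.0.2.10) calls Bob (198.51.100.20).
SDP = "v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\nt=0 0\r\nm=audio {port} RTP/AVP 0\r\n"
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: c1@example.net\r\nCSeq: 1 INVITE\r\n"
          "Content-Type: application/sdp\r\n\r\n" + SDP.format(ip="192.0.2.10", port=20000))
OK = ("SIP/2.0 200 OK\r\nCall-ID: c1@example.net\r\nCSeq: 1 INVITE\r\n"
      "Content-Type: application/sdp\r\n\r\n" + SDP.format(ip="198.51.100.20", port=30000))
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: c1@example.net\r\nCSeq: 2 BYE\r\n\r\n"

def scenario():
    """One call, then a media flood, a spoofed offer and a signalling flood."""
    fw, out = SipAlgFirewall(), {}
    out["invite"] = fw.sip("192.0.2.10", INVITE, 0.0)
    out["rtp_before_answer"] = fw.media("198.51.100.20", 30000, 0.1)   # no answer yet
    out["ok"] = fw.sip("198.51.100.20", OK, 0.2)
    out["rtp_in_call"] = fw.media("198.51.100.20", 30000, 0.3)
    out["spoofed_sdp"] = fw.sip("203.0.113.9", INVITE.replace("c1@", "c9@"), 0.5)
    out["flood_forwarded"] = sum(fw.media("192.0.2.10", 20000, 1.0) == "forward" for _ in range(200))
    out["bye"] = fw.sip("192.0.2.10", BYE, 2.0)
    out["rtp_after_bye"] = fw.media("198.51.100.20", 30000, 2.1)
    flood = INVITE.replace("192.0.2.10", "203.0.113.5")
    out["ctrl_forwarded"] = sum(fw.sip("203.0.113.5", flood.replace("c1@", f"c{i}@"), 3.0) == "forward" for i in range(50))
    return out
```

Running `scenario()` shows the three properties the slide asks for in one pass: media toward a port that no SDP offer or answer has named is dropped, a 200-packet burst into an open pinhole lets only the burst allowance through, and a source sending 50 INVITEs in one second gets 10 forwarded and the rest dropped before any session state is created. A production ALG keyed on the full 5-tuple after the first media packet (latching) and rewrote the SDP address for subscribers behind NAT; both are left out here to keep the model short.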

Page 24

Agenda recap; next section: Security Gateways Must be Validated for Network Deployments

Page 25

IPsec Benchmark Parameters

• Total Number of IPsec Tunnels
• IPsec Tunnel Establishment Rate
• IKE DoS Protection
• Total SAs (IKE and IPsec)

[Figure: UE → RAN → IPsec tunnel → SeGW → UNC / CSCFs]
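IKE DoS Protection is listed above as a benchmark parameter, and what a gateway is being measured on there is its behaviour under an IKE_SA_INIT flood from spoofed sources: once the count of half-open IKE SAs crosses a threshold, the responder answers with a cookie it can recompute from the request and keeps no state until the initiator repeats the request with that cookie, which a spoofed source never sees. The Python model below is an added example for this page, not Reef Point code and not part of the slides; it assumes IKEv2 (the cookie format of RFC 7296 section 2.6), a threshold of 64 half-open SAs, a 30-second half-open lifetime and a 16-byte HMAC-SHA256 cookie, and all traffic in it is constructed.

```python
"""IKE responder with RFC 7296 section 2.6 stateless cookies (added example, not Reef Point code).
Assumed, not from the slides: IKEv2; cookie challenges start at 64 half-open IKE SAs;
an unfinished IKE_SA_INIT lives 30 s. Traffic is constructed; nothing touches the wire."""
import hashlib
import hmac
import os

HALF_OPEN_LIMIT, HALF_OPEN_TTL = 64, 30.0

class IkeResponder:
    def __init__(self, limit=HALF_OPEN_LIMIT, ttl=HALF_OPEN_TTL):
        self.limit, self.ttl = limit, ttl
        self.version, self.secrets = 0, {0: os.urandom(32)}   # version id -> cookie secret
        self.half_open = {}                                   # (SPIi, src ip) -> (SPIr, created)

    def rotate_secret(self):
        """Fresh cookie secret; the previous one stays valid so in-flight retries succeed."""
        self.version += 1
        self.secrets = {self.version - 1: self.secrets[self.version - 1], self.version: os.urandom(32)}

    def _cookie(self, version, spi_i, nonce_i, src_ip):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)   (RFC 7296 section 2.6)
        mac = hmac.new(self.secrets[version], nonce_i + src_ip.encode() + spi_i, hashlib.sha256)
        return bytes([version]) + mac.digest()[:16]

    def _cookie_ok(self, cookie, spi_i, nonce_i, src_ip):
        if not cookie or cookie[0] not in self.secrets:
            return False
        return hmac.compare_digest(cookie, self._cookie(cookie[0], spi_i, nonce_i, src_ip))

    def expire(self, now):
        self.half_open = {k: v for k, v in self.half_open.items() if now - v[1] < self.ttl}

    def ike_sa_init(self, src_ip, spi_i, nonce_i, cookie=None, now=0.0):
        """Handle one IKE_SA_INIT request; returns (reply kind, payload)."""
        self.expire(now)
        key = (spi_i, src_ip)
        if key in self.half_open:
            return "RETRANSMIT", self.half_open[key][0]       # same SPIr, no new state
        if len(self.half_open) >= self.limit and not self._cookie_ok(cookie, spi_i, nonce_i, src_ip):
            # Under attack: reply with N(COOKIE) and keep no state for this initiator.
            return "COOKIE", self._cookie(self.version, spi_i, nonce_i, src_ip)
        spi_r = os.urandom(8)
        self.half_open[key] = (spi_r, now)                    # memory is committed only here
        return "IKE_SA_INIT", spi_r

def simulate(spoofed=1000, limit=64):
    """Spoofed IKE_SA_INIT flood, then an honest initiator, a forged cookie, and ageing."""
    r, out = IkeResponder(limit=limit), {}
    out["challenged"] = 0
    for i in range(spoofed):
        # Spoofed sources never receive our reply, so they can never echo a cookie back.
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        kind, _ = r.ike_sa_init(ip, os.urandom(8), os.urandom(32), now=1.0)
        out["challenged"] += kind == "COOKIE"
    out["half_open_after_flood"] = len(r.half_open)
    ip, spi, nonce = "192.0.2.10", os.urandom(8), os.urandom(32)
    out["honest_first"], cookie = r.ike_sa_init(ip, spi, nonce, now=2.0)   # honest peer is challenged
    r.rotate_secret()                                                      # rotation must not break the retry
    out["honest_retry"], _ = r.ike_sa_init(ip, spi, nonce, cookie=cookie, now=2.5)
    out["forged"], _ = r.ike_sa_init("10.9.9.9", os.urandom(8), os.urandom(32), cookie=b"\0" * 17, now=3.0)
    out["after_ttl"], _ = r.ike_sa_init("192.0.2.11", os.urandom(8), os.urandom(32), now=40.0)
    return out
```

With the assumed threshold, `simulate()` challenges 936 of the 1000 spoofed requests and holds exactly 64 half-open entries, while the honest initiator completes on its second request even though the secret rotated in between. On a real gateway the same shape is the benchmark: drive IKE_SA_INIT from spoofed sources at a known rate, have one legitimate initiator measure its own tunnel establishment time, and record the point at which cookies begin, the half-open count the gateway holds, and whether the legitimate establishment rate degrades.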

Page 26

Stateful Firewall Benchmark Parameters

• Total Number of Stateful Firewall Sessions
• Stateful Session Establishment Rate

SIP ALG – SIP Control
• Total Number of SIP Sessions Established
• SIP Session Establishment Rate (CAPS, call attempts per second)
  – With and Without Media
  – Established Call Load
  – SIP DoS Protection
  – TCP Reassembly

SIP ALG – RTP Media
• Total Number of RTP Media Streams
• Number of RTP Media Streams per SIP Control Session

Page 27

Solution-Agnostic Benchmarks

Benchmarks must apply for any FMC solution:
• UA <-> SIP Server <-> UA
• UA <-> SBC <-> UA
• UA <-> CSCF or UNC <-> UA
• UA <-> SEG <-> CSCF <-> SEG <-> UA

Enables devices to be compared; enables FMC solutions to be compared

Page 28

Conclusions: FMC Cannot Succeed Without Comprehensive Security

• Vulnerabilities created by the mobile packet core being exposed to the public Internet
• Security is not optional; it's a must
• Converged IP backbone must support, prioritize & appropriately handle voice, video and mobile services
• Scaling is unprecedented. The number of subscribers requires stable and highly scalable security gateways

Page 29

Contact

Scott Poretsky
Reef Point Systems
8 New England Executive Park
Burlington, MA 01803 USA
main +1 781 505 8300 / fax +1 781 505 [email protected]
