
NGN networks and security


DOCUMENT INFORMATION

Basic information

Title: NGN Networks and Security
Author: MSc. Hà Văn Kha, Mai Thanh Minh, Phan Anh Dũng
Field: Networking / Security
Type: Internship report
Format:
Pages: 56
Size: 1 MB


Content


Trang 1

NGN Networks and Security

Supervisor: MSc. Hà Văn Kha Ly. Students: Mai Thanh Minh, Phan Anh Dũng

Trang 2

NGN Architecture

Trang 3

The NGN functions are divided into service and transport strata.

End-user functions are connected to the NGN by the user-to-network interface (UNI).

Other networks are interconnected through the network-to-network interface (NNI).

The application-to-network interface (ANI) forms a boundary with respect to third-party application providers.

Trang 4

Realization example

Trang 5

NGN SECURITY ARCHITECTURE – BEST PRACTICE

Security requirements for:

• Architecture

• Protocols

• Network interconnection (e.g. between carriers)

• Node administration and management (security recommendations have been made by Telcordia’s GR-815 and ITU’s Telecommunications Security Manual for node security)

• Service management

• End-user access

Trang 7

EXAMPLE

• Slovak Telecom (ST) is the market leader in telecommunication services in Slovakia and one of the largest companies in the Slovak economy.

• The deployment of an IP-based NGN network will also enable future delivery of new broadband services such as:

• Voice over IP

• Multimedia conferencing

• Unified messaging

• Gaming and music downloads

• Enhanced Internet service

• Integrated personal computer and phone applications

Trang 8

EXAMPLE (CONTD.)

• The NGN solution deployed by Slovak Telecom includes:

• An Alcatel 5020 Softswitch controlling 28 geographically distributed 7505 Media Gateways, which provide the necessary bridges between the voice and data worlds

• To prepare for the deployment of broadband services, 309 locations have been equipped with 1540 Litespan multiservice nodes consolidating phone and DSL access

• The transport network has been enhanced with IP/MPLS equipment, based on the Alcatel 7670 Routing Switch Platform, while network management is implemented with the Alcatel 1300 Convergent Management Centre

• This converged management centre offers major OPEX savings as it offers coherent management for lines across their TDM and NGN installed base

Trang 9

EXAMPLE

• Telenor is Norway's largest telecommunications group, with substantial international mobile operations.

• Considering that VoIP-based services in the business market are forecast to grow to 25% in 2007, and that by then a substantial part of Norway’s 2000 largest companies will have converted to a combined mobile/IP solution for enterprise communications, Telenor is using its NGN service rollout as a key message to the market, confirming that they continue to offer leading-edge solutions to their customers.

• To achieve this, Telenor’s Next Generation Network will be powered by an Alcatel A5020 Softswitch handling both H.323 and SIP calls. Typically, enterprise workers will be connected by IP-PBXes. To provide advanced services such as IVR-controlled follow-me, a layered numbering plan and PnP-based CLIP/CLIR on request, a VPN service is created on the Alcatel OSP.

Trang 10

NGN Security: Appin’s Approach

Trang 11

Threats / Attacks: Destruction, Corruption, Disclosure, Interruption

Trang 15

• Appin’s NGN security framework will focus on securing the core network

• The focus here will be to identify the potential major threats and risks, and the mitigation techniques required against them

Trang 16

APPIN’S NGN FRAMEWORK FEATURES (ITU-T REC X.805)

NGN Framework Features:

• Confidentiality

• Integrity

• Non-repudiation

• Interoperability

• Availability

• Single Sign-On

Trang 17

APPIN’S PROPOSED NGN FRAMEWORK

FEATURES

Intact QoS of Communication

Source Address Authentication

Interdomain security via SEGs

Domain based approach

Trang 18

CONCERNS OF OPERATOR

• Control of dynamic media sessions (outbound and inbound)

• Network Address Translation (NAT) traversal

• Performance : network latency and jitter

• Scalability

• Unauthorized signalling and media messages

• Call admission and policy control

• Internetwork message inspection

Concerns of an operator

(Basis for consulting)

Trang 19

EXAMPLE - IMPLEMENTATION

Trang 20

IPSEC AND OSS

• After a thorough threat analysis of NGN carriers, IPsec came out as a clear option to implement security at the Network or Packet Processing layer of the NGN communication architecture

• IPsec is especially useful for implementing VPNs and for remote user access over a dial-up connection to a private

Trang 21

IPSEC IMPLEMENTATION

Trang 22

IPSEC IN NGN

Trang 23

IPSEC DPI

• Appin’s NGN security framework supports the use of DPI over IPsec communication

• A heuristic-based approach to packet inspection shall be implemented in the DPI engine

• Generally, DPI does not work on IPsec: in the naive approach, the DPI engine treats encrypted ESP packets as ESP-NULL because they happen to contain bytes in the encrypted part that look like correct self-describing padding.

• Heuristic checks ensure that IPsec ESP-NULL packets are properly identified and inspected, and not passed over as being ESP-encrypted
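The layered check the slide alludes to, as an added example that is not Appin's or the report's code: a trailer-only test is shown beside a heuristic that also verifies 4-byte alignment, the 1,2,3,... self-describing padding and the plausibility of the would-be clear-text header. The ICV lengths tried (12 and 16 bytes) and the sample packets are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional
# RFC 4303 ESP layout: SPI(4) | Seq(4) | payload | padding | pad len(1) | next hdr(1) | ICV
PLAUSIBLE_NEXT_HDR = {4, 6, 17, 41}   # IPv4-in-ESP, TCP, UDP, IPv6-in-ESP
ICV_LENGTHS = (12, 16)                # assumed ICV sizes: HMAC-SHA1-96, HMAC-SHA256-128

@dataclass
class Verdict:
    esp_null: bool
    next_hdr: Optional[int] = None
    inner: bytes = b""

def naive_is_esp_null(pkt: bytes, icv_len: int = 12) -> bool:
    """Trailer-only check: accepts ciphertext that happens to end in a plausible pad-length/next-header pair."""
    body = pkt[8:-icv_len]
    return len(body) >= 2 and body[-2] <= len(body) - 2 and body[-1] in PLAUSIBLE_NEXT_HDR

def _inner_plausible(next_hdr: int, inner: bytes) -> bool:
    if next_hdr == 4:    # tunnel mode, inner IPv4: version nibble 4
        return len(inner) >= 20 and inner[0] >> 4 == 4
    if next_hdr == 41:   # tunnel mode, inner IPv6: version nibble 6
        return len(inner) >= 40 and inner[0] >> 4 == 6
    if next_hdr == 17:   # transport mode UDP: length field must equal what is left
        return len(inner) >= 8 and struct.unpack("!H", inner[4:6])[0] == len(inner)
    return len(inner) >= 20   # TCP: at least a minimal header

def classify_esp(pkt: bytes) -> Verdict:
    """Layered heuristic: 4-byte alignment, self-describing padding, inner-header sanity."""
    body = pkt[8:]
    for icv_len in ICV_LENGTHS:
        end = len(body) - icv_len        # end of payload|padding|pad len|next hdr
        if end < 2 or end % 4:           # that region is 4-byte aligned (RFC 4303 s.2.4)
            continue
        pad_len, next_hdr = body[end - 2], body[end - 1]
        inner_end = end - 2 - pad_len
        if inner_end < 0 or next_hdr not in PLAUSIBLE_NEXT_HDR:
            continue
        if body[inner_end:end - 2] != bytes(range(1, pad_len + 1)):   # padding 1,2,3,...
            continue
        inner = body[:inner_end]
        if _inner_plausible(next_hdr, inner):
            return Verdict(True, next_hdr, inner)
    return Verdict(False)

# Constructed samples: ESP-NULL carrying UDP (dummy ICV), and an "encrypted-looking" packet
# whose last two body bytes coincidentally read as pad len 0 / next header 17 (UDP).
UDP_PAYLOAD = struct.pack("!HHHH", 5060, 5060, 12, 0) + b"ping"
ESP_NULL_UDP = struct.pack("!II", 0x1234, 1) + UDP_PAYLOAD + b"\x01\x02" + b"\x02\x11" + b"\xaa" * 12
LOOKS_ENCRYPTED = struct.pack("!II", 0x5678, 7) + bytes(range(0x90, 0x9e)) + b"\x00\x11" + b"\xbb" * 12
```

The trailer-only test accepts LOOKS_ENCRYPTED, the layered one rejects it because the UDP length field does not match the remaining payload.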

Trang 24

IMPLEMENTATION REQUIREMENTS

• From an NGN point of view, the servers and gateways will be equipped with an integral IPsec engine, either in software or, preferably, as a hardware plug-in (security and performance aspect)

• A Security Server (SecS) is required to control and manage the overall security environment. The feature options of this SecS are:

• VPN policy (access control for VPN groups)

• X.509 digital certificate management and cross-certification with other certification authorities

• Remote management of VPN clients

• Standardized key generation and key distribution

Trang 25

IMPLEMENTATION REQUIREMENTS (CONTD.)

• The key management protocols are:

• IKE

• PKINIT (Public Key Initial authentication) and Kerberos

• PKCROSS, which is used for cross-domain key management

• All signalling control (e.g. Real-Time Control Protocol, RTCP) and even media streams (including RTP and UDP) are encrypted. Media and signalling streams are encrypted for confidentiality and, optionally, for message integrity using a Message Authentication Code (MAC).

Trang 26

NGN Layer based security

Trang 27

• Application Layer Gateways (ALG’s)

• Session Border Controllers (SBCs)

• Deep Packet Inspection

Trang 28

MPLS SECURITY

• PE/P devices

• AAA servers

• Trust network

• CE/PE interface

• Address-specific packet filters (ACLs)

• Peer interface on PE router security

• Private address space usage

• Routing authentication

• Separation of CE/PE links

• DP authentication

Trang 29

MPLS SECURITY EXAMPLE - CE-PE SECURITY

Trang 30

MPLS SECURITY EXAMPLE - CE-PE SECURITY

(CONTD.)

• In the part where the NGN equipment is connected to the bearer network, the general solution is dual homing of the CE to the PE

• Currently, Huawei's routers support layer-2 features, so the AG/UMG/Softswitch can be connected to the AR directly, dispensing with the convergence switch

• Huawei's routers support fast fault detection (FFD) and correlation between FFD and the routing protocol

• Therefore, the E-VRRP (Evaluation of Virtual Router Redundancy Protocol) and IP FRR (IP Fast ReRouting) technologies can be used to implement fast protection switching between the CE and dual PEs.

Trang 31

Application Layer Security

• ITU-T recommends middleware security for the application layer

• The middleware recommendation also includes IMS security

• A middleware service will simplify and unify service creation

• It will curb exposure of available network capabilities to third parties

• The inherent increase in security threats and in the risk of attacks on network resources will be minimized

Trang 32

APPLICATION LAYER SECURITY

• End-to-end application layer security based on standards such as:

• XML Digital Signatures

• XML Encryption

• SAML (Security Assertion Markup Language)

• Intrusion detection and prevention (IDP)

• A deep packet inspection system protecting the application middleware against SQL injection attacks which are not mitigated by existing solutions

Trang 33

IDP Architecture

Trang 34

ACCESS DOMAIN

• Access Domain Security

• Authentication will be performed on the transport layer, Service (IMS) layer and Application layer.

• Network Access Control (IP-CAN security) using:

• User / user terminal authentication

• Link layer authentication mechanisms like PPPoA/PPPoE, 802.1X with EAP/AKA, MAC address / line authentication

• Access control lists (ACLs) & application.

Trang 35

ACCESS DOMAIN SECURITY

EXAMPLES(CONTD.)

• Access Control to IMS (domain)

– Token-based SIP request for IMS edge authentication

– NGN-SLA (Service Level Authentication) between UE and S-CSCF.

– Authentication options to be supported:

» Full IMS security (Authentication & Key Agreement (AKA) as defined by 3GPP, plus NAT traversal)

» Residential Gateway for legacy equipment

» NASS bundled authentication.

– IMS security shall be independent of access IP-CAN security.

Trang 36

ACCESS DOMAIN SECURITY (CONTD.)

• Access Control to services and applications:

• SIP signaling with HTTP Digest authentication
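An added example, not the report's or Appin's code, of the registrar-side HTTP Digest check behind "SIP signaling with HTTP Digest authentication": it stores only HA1 per user, computes the expected response (RFC 2617, with and without qop=auth) and rejects stale nonces and replayed nonce/nc pairs. The realm, user, password and nonce values are constructed for the example.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_authorization(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; quoted and bare values both accepted."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest credential")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header[7:])}

def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None) -> str:
    """RFC 2617 response: qop=auth form if requested, else the older RFC 2069 form."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestVerifier:
    """Registrar-side check: HA1 per user (never the clear-text password), nonce expiry, replay guard."""
    def __init__(self, realm: str, nonce_ttl: float = 60.0):
        self.realm, self.nonce_ttl = realm, nonce_ttl
        self.ha1 = {}        # username -> MD5(username:realm:password)
        self.issued = {}     # nonce -> time it was sent in a 401 challenge
        self.seen = set()    # (nonce, nc) pairs already accepted

    def add_user(self, user: str, password: str) -> None:
        self.ha1[user] = md5_hex(f"{user}:{self.realm}:{password}")

    def issue_nonce(self, nonce: str, now: float) -> None:
        self.issued[nonce] = now   # in practice a random, per-challenge value

    def verify(self, method: str, header: str, now: float) -> bool:
        a = parse_authorization(header)
        ha1 = self.ha1.get(a.get("username"))
        if ha1 is None or a.get("realm") != self.realm:
            return False
        nonce = a.get("nonce")
        issued = self.issued.get(nonce)
        if issued is None or now - issued > self.nonce_ttl:   # unknown or expired nonce
            return False
        if (nonce, a.get("nc")) in self.seen:                 # replayed request
            return False
        expected = digest_response(ha1, method, a.get("uri", ""), nonce,
                                   a.get("nc"), a.get("cnonce"), a.get("qop"))
        if not hmac.compare_digest(expected, a.get("response", "")):
            return False
        self.seen.add((nonce, a.get("nc")))
        return True
```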

Trang 37

ACCESS DOMAIN SECURITY (CONTD.)

• Utilization of IP packet/session information like:

• Address

• Protocol ID

• User ID

• XCAP for presence

Trang 38

NETWORK DOMAIN SECURITY

Packet filtering

Stateful-inspection IMS firewall for signaling (no RTP)

Topology hiding (THIG)

Bandwidth fraud protection

Access control by signalled pinhole firewall for media (RTP) in SC at UNI and NNI.

Split DNS architecture and DNS TSIG for zone infrastructure.

Protection against DoS attacks.

Minimum site perimeter security

Trang 39

NETWORK DOMAIN SECURITY (CONTD.) – NODE PROTECTION

Node protection: file control

• ACL authorization

• Restrictive default permissions

• Granular file access rules

• User-specific rules

• Capability to allow access to sensitive resources only through approved programs

• Administrator-defined critical files prohibiting change

Trang 40

NETWORK DOMAIN SECURITY (CONTD.)

• Process controls: administrator

– Sharing subsets of root authority among different administrators based on their functional roles

– Audit controls

• Will track user names from initial authentication to create secure and useful audit trails with full integrity

• Administrators will be able to select which events to audit in addition to the default start-ups and shutdowns

• Other auditing options can include user logins, logouts, access to resources and change-directory commands.

Trang 41

NETWORK DOMAIN SECURITY (CONTD.)

• Will prevent tampering with audit files by anyone while it is running on the machine

• Will protect the audit records and have facilities for routing logs to a centralized audit system, making the audit data truly reliable

Trang 42

NGN SECURITY SOLUTIONS

• The solutions include:

• Stateful-inspection firewalls examine the transport layer based on the active policy and make decisions to allow or deny a packet

• Proxy-based firewalls (i.e. Back-to-Back User Agents) provide application layer awareness and thus better control for VoIP traffic

• Application Layer Gateways (ALGs) operate similarly to proxy-based firewalls but tend to facilitate the traversal of VoIP traffic (e.g. to resolve NAT issues) rather than enforcing granular security policy

• Session Border Controllers (SBCs), which are used to route VoIP traffic and provide a level of QoS, fall under the category of proxy-based firewalls

• Deep Packet Inspection provides the ability to enforce policy and inspection controls on the entire packet.

Trang 43

NGN SECURITY STEP WISE APPROACH

Trang 44

IP NGN Security Actions

Identify

Identifying and assigning trust levels to subscribers, networks, devices, services, and traffic is a crucial first step to infrastructure security

Principal actions:

• Identify and authenticate subscribers and subscriber devices (where possible)

• Associate security profiles with each subscriber and device

• Associate network addresses and domain identifiers with subscriber devices

• Classify traffic, protocols, applications, and services at trust boundaries

• Inspect traffic headers and payloads to identify subscribers, protocols, services, and applications

Relevant technologies:

• Authentication, Authorization, and Accounting (AAA) servers

• Extensible Authentication Protocols

• Deep Packet Inspection

• Network-Based Application Recognition

• Service Control Engines / Application Performance Assurance

Trang 45

IP NGN Security Actions

Monitor

Any device that touches a packet or delivers a service can provide data describing policy compliance, subscriber behavior, and network health

Principal actions:

• Gather performance- and security-relevant data inherent to routers and switches

• Log transactional and performance data at access and service gateways

• Link IP traffic with specific subscribers, devices, and origins whenever possible

• Deploy protocol-, traffic-, and service-inspection for reporting and detection

• Develop behavior baselines for comparison to real-time measurements

• Employ command / change accounting

Relevant technologies:

• NetFlow

• SNMP / RMON / Syslog

• Network / traffic analysis systems

• Intrusion Detection Systems

• Virus- / message-scanning systems

• Deep Packet Inspection

• Packet capturing tools

• SPAN / RSPAN

• Authentication, Authorization, and Accounting (AAA) servers

• DHCP / DNS servers

Trang 46

IP NGN Security Actions

Correlate

Important macro trends and events can often go unrecognized until other numerous – seemingly unrelated – events are correlated

Principal actions:

• Assure time synchronization throughout network and service infrastructures

• Collect and collate data from distributed, disparate monitoring services

• Analyze and correlate data to identify trends and macro-level events

Relevant technologies:

• Security Information Management Systems (SIMS)

• NetFlow analysis systems

• Event correlation systems

• Behavioral analysis systems

• Anomaly detection systems

Trang 47

IP NGN Security Actions

Harden

Hardening is the application of tools and technologies to prevent known – or unknown – attacks from affecting network or service infrastructures

Principal actions:

• Deploy layered security measures – defense in depth

• Authenticate control- and management-plane traffic

• Authenticate and limit management access to devices, servers, and services

• Prevent Denial of Service (DoS) attacks – state attacks, resource exhaustion, protocol manipulation, buffer overflows

• Validate traffic sources to prevent spoofing

Relevant technologies:

• Access Control Lists

• Authentication, Authorization, and Accounting (AAA) systems

• Reverse-Path Forwarding checks

• Control-Plane Policing

• Role-based control interfaces

• Memory and CPU thresholds

• Intrusion Detection Systems

• High-availability architectures

• Load balancing

Trang 48

IP NGN Security Actions

Isolate

Isolating is a critical design practice that helps prevent access to critical resources, protect data, and limit the scope of disruptive events

Principal actions:

• Limit and control access to (and visibility into) transport-, operations-, and service-delivery infrastructures

• Prevent visibility and access between different services, customers…

• Create network zones to isolate based on functionality – DNS, network management, service delivery, access…

• Define strict boundaries between networks, operational layers, and services of different trust levels

• Encrypt sensitive traffic to prevent unauthorized access

Relevant technologies:

• Virtual Private Networks

• Virtual Routing and Forwarding

• Demarcation / functional separation zones

• Access Control Lists

Posted: 19/06/2014, 19:28
