
Deployment of Broadband through NGN Security Aspects in NGN

1.1 Introduction
Security in telecommunication is the body of technologies, processes and practices
designed to protect networks, programs and data from attack, damage or unauthorized
access. Security includes both cyber security and physical security. Ensuring cyber
security in telecommunication requires coordinated efforts throughout an information
system.
Telecommunication solutions are usually required to handle unique types of
protocols such as VoIP, SIP, SS7, etc. Those protocols need security controls, as
they are popular vectors for attackers targeting telecom companies.
IMS is a new evolution in telecommunication and is susceptible to the following threat
factors:

• Network openness: access independence, with a variety of ways to access the network
• All based on IP: IMS technology runs entirely on IP networks, so it is directly exposed
  to attacks from the Internet
• Intelligent terminals: the accessing terminals are exposed to a variety of attacks
• Convergent services: the IMS network also faces the security threats of the traditional
  telecom system

1.2 Types of Threats in IMS network

• Eavesdropping: the attacker listens to or steals SIP messages.
• Registration loophole: the attacker sends a registration message using the stolen ID of
  a subscriber.
• Proxy server attack: a fake server takes control of all traffic from the subscriber.
• Message tampering: SIP sends messages in plain text, so they are not secure and
  can be accessed.
• Denial of Service: the attacker sends a large number of datagrams in a short period
  of time, degrading performance or completely stopping services, so that the
  services are temporarily or permanently unreachable or unavailable.
• Intensification: the attacker extends the coverage of the attack and sends even more
  false requests, resulting in the services being disabled.

1.3 IMS Security policy


There are many mechanisms for authentication and access control, defined to meet the
needs of legacy terminals and to enable faster deployment. The most common
dimensions are:

“Deployment of Broadband through Next Generation Network” 1 of 10

For Restricted Circulation



1.3.1 Privacy:- Protection against disclosure of sensitive user information, protection
against network topology leakage, signaling encryption.
1.3.2 Availability:- Operating system security hardening, database security reinforcement,
security patch mechanism, IP anti-attack measures, anti-DoS/DDoS protection, anti-SIP
malformed packet protection, anti-SIP business logic attack protection, web application
security, anti-RTP malformed packet protection.
1.3.3 Data Integrity:- Integrity protection by IPSec, TLS (Transport Layer Security), HTTPS,
SNMP and other security protocols; integrity protection of system software, etc.
1.3.4 Communication Security:- Transmission security isolation (such as VLAN and VPN),
network element security isolation, etc.
1.3.5 Access Control:- ACL (Access Control List) control, OAM table access control, pinhole
media firewall, CAC (Call Admission Control), black and white list control mechanism,
media bandwidth control, OAM security management mechanism.
1.3.6 Authentication and Authorization:- AKA (Authentication and Key Agreement)
authentication, SIP/HTTP Digest authentication, digital certificates and other user access
authentication, separation of user rights, and minimising the authorization granted to
system and software components.
1.3.7 Non-repudiation:- Logs, alarms, and the use of digital certificates for process
certification.
1.3.8 Data Confidentiality:- Signaling encryption, OAM transmission encryption, IP
transmission encryption, encryption of user passwords, and so on.

1.4 IMS Connectivity

Based on ITU E.408 and the security policy of the IMS network, the IMS is divided into several
logical zones. Subnets or devices located in the same logical zone have the same or similar
security requirements. The different zones communicate with each other through
VPN/VLAN, and the IMS can support SSH connectivity. The diagram is shown below.


Each site is divided into the following zones:

1.4.1 Access zone: LMGs, P-CSCF (access side) and access session border controllers
(A-SBCs) are located in this zone. Each LMG connects to the MPLS network through an
S9300 series LSW at the LMG location. The P-CSCF access IP belongs to this zone, which
ensures that the LMG can register directly to the IMS through the P-CSCF; this traffic
must pass through the firewall.
The A-SBC core-side signaling IP also belongs to this zone. For ADSL subscribers, soft
clients or SIP phones register to the A-SBC access-side IP, then the A-SBC registers to
the IMS through this core-side signaling IP; this traffic must pass through the firewall.

1.4.2 Core Signaling zone: All core-side IMS network elements connect to this zone and
interconnect with each other in this zone only; this traffic does not need to pass through
the firewall.
1.4.3 Media zone: MRFP, SBC and the media part of the IM-MGW are located in this zone. As
per the requirement of the BSNL corporate team, the media traffic does not pass through the
firewall and connects directly to the router. So all media interfaces connect first to one pair
of S9306 LSWs and then to the router.
1.4.4 O&M zone: The CGP maintenance interface, SPG web-portal login interface and other
operation and maintenance related interfaces belong to this zone; this traffic must pass
through the firewall.
1.4.5 Provisioning zone: SPG (south and north), the NE northbound interface and the BSNL
CRM system (south interface) must be in this IP segment only; this traffic must pass
through the firewall.
1.4.6 Billing zone: CCF, billing mediation and the billing center belong to the billing zone;
this traffic must pass through the firewall.


1.4.7 LI zone: The XM module (OMU) and Xalted LIG belong to this zone; this traffic does
not need to pass through the firewall.
1.4.8 Border zone: MGCFs, IM-MGWs and interconnection session border controllers
(I-SBCs) are located in this zone to integrate with the existing PSTN/PLMN or other
operators' networks; this traffic must pass through the firewall.

1.5 IMS Security architecture


1.5.1 IMS and Internet isolation

• NIDS/NIPS and firewall to separate the IMS from the Internet
• SBC to protect the IMS from the access network and other networks
1.5.2 Terminal Access Security
• Support for multiple authentication modes, e.g. the HSS supports AKA, HTTP Digest, Early
  IMS, NBA, GBA, etc.
• CSCF supports TLS encryption
• IMS solution geographical redundancy
1.5.3 Signaling Plane Security
• IMS component communication supports SIP over TLS
• IMS components support an authentication and authorization mechanism based on
  identifiers
Media Plane Security
• Support for SRTP
1.5.4 Operation & Maintenance Security
• OMC-S supports role-based login and management
• Real-time notification of logs and warnings
• All operations and accesses are saved in the logs
1.6 IMS and Internet Isolation
For IMS and Internet isolation, the firewall is deployed in the network in MIXED mode. For
the MPLS subnet it works as a transparent device, while for the BGP or NAT solution it works
as a gateway device. In the NGN the firewall is deployed between the access and core
switches. On the core side the firewall is connected directly with a gigabit Ethernet cable,
while on the access side the firewall is connected to the NIDS/NIPS, and the NIDS/NIPS is
connected to the access switch.


In the above diagram, firewall ports B, D, F and H are connected to core switch ports,
and ports A, C, E and G are connected to access switch ports.
In zone-based security, firewall policies are applied to the zones. The firewall permits only
the IP addresses defined in its policy; everything else is blocked by the firewall.
In case of an intrusion, the NIDS detects the IP address from which the attack originated,
and the NIPS blocks and blacklists that IP address to prevent any prospective cyber-attack
from it in future.

1.7 Terminal Access Security

Because IMS is access-independent and serves a variety of user types, the IMS network
must verify the legitimacy of every type of user access, to prevent unauthorized users
from registering to the IMS with stolen accounts.


1.7.1 SBC (P-CSCF)
The SBC is the important security defense network element for IMS network access. The
SBC6000 capabilities are:
• SIP signaling encryption
• Pinhole media firewall
• SIP header processing
• Traffic control
• Signaling and media proxy
• ACL (Access Control List)
• TCP/IP anti-attack
• User access control
• Call access control
• Anti-DoS (Denial of Service) / DDoS (Distributed Denial of Service) attacks

1.7.2 HSS for authentication

• IMS AKA (Authentication and Key Agreement) authentication: for IMS subscribers with an
  ISIM card, to ensure the security and data integrity of the IMS network and user information.
• SIP Digest/HTTP Digest: for SIP soft clients, to verify the username and password
  tuples.
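As an added illustration of the SIP Digest check described above (example code, not part of this document or of the HSS product), the following Python shows the soft client's digest computation and a registrar-side verification with single-use nonces. The realm, user names and the HA1-based credential store are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def client_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """What the soft client puts in the Authorization header (RFC 2617 MD5 digest).
    The password itself never leaves the terminal, only this hash does."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def make_ha1_store(realm: str, credentials: dict) -> dict:
    """Provisioning helper (assumed design): the registrar stores HA1 per user, not passwords."""
    return {user: _md5(f"{user}:{realm}:{pw}") for user, pw in credentials.items()}


class DigestRegistrar:
    """Registrar-side check of a REGISTER carrying a Digest response."""
    def __init__(self, realm: str, ha1_store: dict):
        self.realm = realm
        self.ha1_store = ha1_store
        self.outstanding = set()   # nonces issued in 401 challenges and not yet consumed

    def challenge(self) -> str:
        """Issue a fresh random nonce for the 401 Unauthorized challenge."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str, response: str) -> bool:
        # Unknown or already-used nonce: reject, so a captured REGISTER cannot be replayed.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)          # nonces are one-time use here
        ha1 = self.ha1_store.get(username)
        if ha1 is None:
            return False                         # unknown subscriber
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)   # constant-time comparison
```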


1.8 Signaling Plane Security

1.8.1 Security threats of the Signaling plane

• Signalling DoS/DDoS attacks:
  - Signalling flood attack
  - SIP large packet attack
  - SIP broadcast DoS attack
  - Incomplete SIP session attack
• SIP business logic attacks:
  - Session interference
  - Session hijacking and stealing
  - Caller ID cheating
  - Billing fraud
  - Illegal anonymous calls
• User sensitive information disclosure:
  - Intruders intercept the SIP signaling and obtain the IMS subscriber's identity
    information, passwords, call session information, etc.

1.8.2 IMS Security policy for the signaling plane threats

(A) Anti-signalling DoS/DDoS attack:

• IMS SBC: The signaling anti-attack module identifies DoS/DDoS attack behaviour,
  discards the attack packets, adds the attacker to the blacklist and rate-limits the
  signaling packets. It also filters SIP malformed packets and clears the bad signaling
  packets.

• IMS Core: The flow control policy of the NEs detects the CPU usage and adjusts the
  system traffic volume accordingly.
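The SBC behaviour described in (A), malformed-packet filtering, per-source rate limiting and blacklisting, as an added Python model (not vendor code from this document). The thresholds, the minimal header check and the sample REGISTER in the test are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed thresholds for this example; a real SBC tunes these per deployment.
MAX_SIP_BYTES = 4096                 # "SIP large packet" filter
MAX_MSGS_PER_WINDOW = 20             # signalling rate limit per source address
WINDOW_SECONDS = 1.0
STRIKES_TO_BLACKLIST = 3
MANDATORY_HEADERS = ("via:", "from:", "to:", "call-id:", "cseq:")


def is_well_formed(raw: bytes) -> bool:
    """Minimal SIP sanity check: size, start line, header/body separator, mandatory headers."""
    if len(raw) > MAX_SIP_BYTES or b"\r\n\r\n" not in raw:
        return False
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").lower()
    start_line = head.split("\r\n", 1)[0]
    if not (start_line.endswith(" sip/2.0") or start_line.startswith("sip/2.0 ")):
        return False
    return all(h in head for h in MANDATORY_HEADERS)


class SignalingGuard:
    """Models the SBC signaling anti-attack module: filter, rate-limit, then blacklist."""
    def __init__(self):
        self.recent = defaultdict(deque)   # src -> timestamps inside the current window
        self.strikes = defaultdict(int)    # src -> number of dropped messages
        self.blacklist = set()

    def _strike(self, src: str) -> None:
        self.strikes[src] += 1
        if self.strikes[src] >= STRIKES_TO_BLACKLIST:
            self.blacklist.add(src)

    def admit(self, src: str, raw: bytes, now: float) -> str:
        """Decide for one message from src at time now; returns the verdict as a string."""
        if src in self.blacklist:
            return "blacklisted"
        if not is_well_formed(raw):
            self._strike(src)
            return "dropped-malformed"
        window = self.recent[src]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()               # forget messages older than the window
        if len(window) > MAX_MSGS_PER_WINDOW:
            self._strike(src)
            return "dropped-rate-limited"
        return "admitted"
```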

(B) Anti-SIP business logic attacks:


Based on the protocol stack and the business application process, the IMS checks the SIP
packets, including SIP header field checks and parameter logic checks. The SBC, CSCF and
AS check the SIP logic security, and attack messages are directly corrected or discarded.
(C) Anti-user sensitive information disclosure:
The IMS provides signaling encryption (SIP over TLS) between the IMS Core and the
terminal so that packets cannot be decrypted by illegal users.

1.8.3 Threats at the Diameter Sh and Cx interface


Spoofing, tampering, denial of service and elevation of privilege, which lead to loss of
integrity and confidentiality of user information.


1.8.4 IMS Diameter Security plan


Diameter is an application layer protocol; the Diameter stack is shown below:

• In the Diameter protocol stack, IPSec (IP Security) provides hop-to-hop connection
  security, and TLS (Transport Layer Security) provides transport-level security. IMS
  (Sh/Cx) supports both IPSec and TLS.
• An SQL injection detection system validates all messages before they are translated
  into queries for the HSS.
• IMS offers additional safety mechanisms for handling signaling bursts, including
  enhanced congestion and overload flow control.

1.9 Media Plane Security

1.9.1 Threats in Media Plane


• RTP session intrusion
  In a normal session, intruders inject RTP messages into the session to interfere with it.
• RTP bandwidth stealing
  Users make unauthorized use of RTP session bandwidth, to get more resources while paying
  less.
• RTP malformed message attack
  Sending a large number of RTP packets that do not conform to the protocol specification, to
  consume a large amount of NE and network processing capacity.

1.9.2 IMS media plane security policy


• Anti-RTP session intrusion
  The SBC dynamically creates the legal media stream information (IP 5-tuple) based on
  the results of the signaling negotiation. Media streams pass through the SBC, but only
  the media stream matching the IP 5-tuple is forwarded. Unmatched media streams are
  discarded to prevent media stream attacks.
• Anti-RTP bandwidth stealing
  The PCRF and SBC provide session-based QoS guarantees for real-time sessions, arranging a
  fixed bandwidth according to the codec type, to prevent unauthorized users from stealing
  bandwidth. The MRFP checks the UE media bandwidth and discards media messages that
  exceed the restricted bandwidth.


• Anti-RTP malformed message attack

The boundary network element of the IMS, the SBC, provides an RTP filtering mechanism
to check the correctness of the RTP codec. The signaling and media layers cooperate: the
media layer checks the type of the media stream, and if the type of the stream does not
match the specified media type, the media stream is discarded.
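As an added example (not code from this document or from the SBC/MRFP products), the following Python models the three media-plane controls of this section together: a pinhole learned from the SDP c= and m= lines, an RTP header and payload-type check, and a per-codec byte budget. The SDP bodies, addresses, ports and the 10,000 bytes/s budget for PCMA (payload type 8) used in the test are constructed assumptions.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    """Legal media flow (IP 5-tuple) that the SBC opens from the SDP negotiation."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "UDP"


def _sdp_endpoint(sdp: str):
    """Connection address from the c= line and RTP port from the m=audio line."""
    ip = next(l.split()[2] for l in sdp.splitlines() if l.startswith("c="))
    port = int(next(l.split()[1] for l in sdp.splitlines() if l.startswith("m=audio")))
    return ip, port


def pinhole_from_sdp(offer: str, answer: str) -> Pinhole:
    """Allowed RTP direction offerer -> answerer, as the SBC learns it from signaling."""
    o_ip, o_port = _sdp_endpoint(offer)
    a_ip, a_port = _sdp_endpoint(answer)
    return Pinhole(o_ip, o_port, a_ip, a_port)


def rtp_packet(payload_type: int, seq: int, payload: bytes = b"\x00" * 160) -> bytes:
    """Constructed RTP packet: V=2, no padding/extension/CSRC, marker clear, fixed SSRC."""
    return bytes([0x80, payload_type & 0x7F]) + struct.pack("!HII", seq, seq * 160, 0x1234) + payload


class MediaGuard:
    """Forwards only RTP that matches the pinhole, the negotiated codec and its bandwidth budget."""
    def __init__(self, pinhole: Pinhole, payload_type: int, bytes_per_second: int):
        self.pinhole, self.pt, self.budget = pinhole, payload_type, bytes_per_second
        self.window_start, self.bytes_in_window = None, 0

    def forward(self, src_ip, src_port, dst_ip, dst_port, packet: bytes, now: float) -> str:
        p = self.pinhole
        if (src_ip, src_port, dst_ip, dst_port) != (p.src_ip, p.src_port, p.dst_ip, p.dst_port):
            return "drop-no-pinhole"           # anti-RTP session intrusion
        if len(packet) < 12 or packet[0] >> 6 != 2:
            return "drop-malformed"            # anti-RTP malformed message: header length / version
        if packet[1] & 0x7F != self.pt:
            return "drop-codec-mismatch"       # stream type differs from the negotiated media type
        if self.window_start is None or now - self.window_start >= 1.0:
            self.window_start, self.bytes_in_window = now, 0   # new one-second budget window
        self.bytes_in_window += len(packet)
        if self.bytes_in_window > self.budget:
            return "drop-over-bandwidth"       # anti-RTP bandwidth stealing
        return "forward"
```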

1.10 IMS OMC-S system security policy


• User management
• Role-based rights management
• Domain-based user rights management
• Password security policy

1.10.1 IMS OSS system security policy


• Privilege management: The system users of different subsidiaries have different
  privileges. In the system, the System Admin has the highest privileges and can perform all
  operations. Only one staff member can be assigned as the System Admin. Other staff can be
  assigned different roles with different privileges.


1.10.2 Database: Makes use of the Oracle DB security policy/tools.


• Minimal installation: Install only what is needed to fulfil the service requirements,
  reducing the system size and improving startup time and security.
• Database authority management: The application account is locked; only
  authorized accounts can log in to the database.
• Log management: Operations related to database security are automatically
  logged.

1.10.3 IMS OSS system security


The IMS OSS system employs logical association of data, encryption of important data and
detailed operation logs to ensure the security of the system.

Logical Protection between Data:


In the OSS the objects are interrelated instead of being independent, so the data cannot be
operated on without knowing the interrelations between the data.

Encryption Protection for Important Data:


The OSS system performs hierarchical encryption protection for important data to
ensure the security of the system.

Detailed Operation Log


The OSS system records all operations performed on the system in a log for later
checking. By querying the operation log, one can obtain information about the operations
performed by logged-in staff over a period of time, such as logging in, adding, modifying,
deleting and logging out.

Transmission channel encryption


The OSS uses encrypted channels, such as SFTP, HTTPS and SSL, to transfer important data
to the IMS NE.
