1.1 Introduction
Security in telecommunication is the body of technologies, processes and practices
designed to protect networks, programs and data from attack, damage or unauthorized
access. Security includes both cyber security and physical security. Ensuring cyber
security in telecommunication requires coordinated efforts throughout an information
system.
Telecommunication solutions usually have to handle specialized protocols such as VoIP, SIP and SS7. These protocols need security controls of their own, because they are popular attack vectors against telecom operators.
IMS is a recent evolution in telecommunication and is susceptible to the following threat factors:
Based on ITU E.408 and the security policy of the IMS network, the IMS is divided into several logical zones. Subnets or devices located in the same logical zone have the same or similar security requirements. The different zones communicate with each other through VPN/VLAN, and the IMS can support SSH connectivity. The zones are shown in the diagram below.
1.4.1 Access zone: LMGs, the P-CSCF (access side) and access session border controllers (A-SBCs) are located in this zone. Each LMG connects to the MPLS network through an S9300 series LSW at its location. The P-CSCF access IP belongs to this zone, which lets the LMG register directly to IMS through the P-CSCF; this traffic has to pass through the firewall.
The A-SBC core-side signaling IP also belongs to this zone. For ADSL subscribers, soft clients or SIP phones register to the A-SBC access-side IP, and the A-SBC then registers to IMS through this core-side signaling IP; this traffic has to pass through the firewall.
1.4.2 Core Signaling zone: All core-side IMS network elements connect to this zone and interconnect with each other within this zone only; this traffic does not pass through the firewall.
1.4.3 Media zone: The MRFP, the SBC and the media part of the IM-MGW are located in this zone. As per the requirement of the BSNL corporate team, media traffic does not pass through the firewall but connects directly to the router, so all media interfaces connect first to one pair of S9306 LSWs and then to the router.
1.4.4 O&M zone: The CGP maintenance interface, the SPG web-portal login interface and other operation and maintenance interfaces belong to this zone; this traffic has to pass through the firewall.
1.4.5 Provisioning zone: The SPG (south and north), the NE northbound interface and the BSNL CRM system (south interface) should be in this IP segment only; this traffic has to pass through the firewall.
1.4.6 Billing zone: The CCF, billing mediation and the billing center belong to this zone; this traffic has to pass through the firewall.
1.4.7 LI zone: The XM module (OMU) and the Xalted LIG belong to this zone; this traffic does not pass through the firewall.
1.4.8 Border zone: MGCFs, IM-MGWs and interconnection session border controllers (I-SBCs) are located in this zone to integrate with the existing PSTN/PLMN or other operators' networks; this traffic has to pass through the firewall.
In the above diagram, firewall ports B, D, F and H are connected to core switch ports, and ports A, C, E and G are connected to access switch ports.
In zone-based security, firewall policies are applied to the zones. The firewall allows only the IP addresses defined in its policy; everything else is blocked.
In case of intrusion, the NIDS detects the IP address from which the attack originated, and the NIPS blocks and blacklists that IP to prevent any further cyber-attack from it.
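As an added illustration (not part of the original document or of any vendor product), the following Python model encodes the zoning above: which zones are wired around the firewall, the default-deny allow list per zone, and the NIPS step that blacklists a source taken from an NIDS alert. The zone keys, IP addresses and alert lines are constructed for the example.

```python
import re
from dataclasses import dataclass, field
# Zones named in the section above and whether their traffic traverses the
# firewall (Core Signaling, Media and LI are wired around it per the design).
ZONE_VIA_FIREWALL = {
    "access": True, "core_signaling": False, "media": False, "oam": True,
    "provisioning": True, "billing": True, "li": False, "border": True,
}

@dataclass
class ZoneFirewall:
    allowed: dict = field(default_factory=dict)  # (zone, ip) -> description
    blacklist: set = field(default_factory=set)  # filled by NIPS from NIDS alerts
    def permit(self, zone, ip, description):
        self.allowed[(zone, ip)] = description

    def ingest_nids_alert(self, line):
        # NIPS action: pull the attacking source out of an NIDS alert line and blacklist it.
        m = re.search(r"attack from (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            self.blacklist.add(m.group(1))
            return m.group(1)
        return None
    def decision(self, zone, ip):
        if zone not in ZONE_VIA_FIREWALL:
            return "deny"    # unknown zone: fail closed
        if not ZONE_VIA_FIREWALL[zone]:
            return "bypass"  # firewall is not in the path for this zone
        if ip in self.blacklist:
            return "deny"    # blacklist wins over any static allow entry
        # Default deny: only IPs explicitly defined for the zone are allowed.
        return "allow" if (zone, ip) in self.allowed else "deny"

def demo():
    fw = ZoneFirewall()
    fw.permit("access", "10.10.1.5", "P-CSCF access IP (constructed)")
    fw.permit("access", "10.10.2.9", "A-SBC core-side signaling IP (constructed)")
    alerts = [  # constructed NIDS alert lines, not real sensor output
        "2024-01-01T10:00:00 NIDS alert: SIP REGISTER flood attack from 10.10.2.9 to 10.10.1.5",
        "2024-01-01T10:00:05 NIDS info: sensor heartbeat ok",
    ]
    hits = [ip for ip in map(fw.ingest_nids_alert, alerts) if ip]
    return {
        "pcscf": fw.decision("access", "10.10.1.5"),         # allow: defined for the zone
        "unlisted": fw.decision("access", "192.0.2.44"),     # deny: not defined
        "flooder": fw.decision("access", "10.10.2.9"),       # deny: blacklisted by NIPS
        "core": fw.decision("core_signaling", "10.30.0.1"),  # bypass: no firewall in path
        "blacklisted": hits,
    }
```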
Because the IMS network is access-independent and serves a variety of user types, it must verify the legitimacy of each type of user access, to prevent unauthorized users from registering to the IMS with stolen accounts.
1.7.1 SBC (P-CSCF)
The SBC is an important security defense network element for IMS network access. The SBC6000 provides the following capabilities:
• SIP signaling encryption
• Pinhole media firewall
• SIP header processing
• Traffic control
• Signaling and media proxy
• ACL (Access Control List)
• TCP / IP anti-attack
• User access control
• Call access control
• Anti-DoS (Denial of Service) / DDoS(Distributed Denial of Service) attacks
IMS AKA (Authentication and Key Agreement) authentication: for IMS subscribers with an ISIM card, to ensure the security of the IMS network and user information and the integrity of data.
SIP Digest/HTTP Digest: for SIP soft clients, to verify the username and password tuples.
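The SIP Digest check described above, as an added example that is not part of the original document: the soft client computes the RFC 2617 response for its REGISTER, and the registrar side recomputes it from the stored password, rejecting a nonce it did not issue or wrong credentials. The username, realm, nonce and password values are constructed.

```python
import hashlib
import hmac
import re

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    # RFC 2617 Digest: HA1 = MD5(user:realm:password), HA2 = MD5(method:uri);
    # with qop=auth the nonce count and client nonce are mixed in as well.
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def build_authorization(user, realm, password, method, uri, nonce, nc, cnonce):
    # Client side: the Authorization header a SIP soft client sends on its
    # second REGISTER, after the 401 that carried the realm and nonce.
    resp = digest_response(user, realm, password, method, uri, nonce, "auth", nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')

def parse_authorization(header):
    # 'Digest k="v", k2=v2, ...' -> dict; values may be quoted or bare.
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0] != "Digest":
        return {}
    return dict(re.findall(r'(\w+)="?([^",]+)"?', parts[1]))

def verify_register(header, method, credentials, issued_nonce):
    # Server side (P-CSCF/S-CSCF role): reject a nonce this server did not issue,
    # recompute the response from the stored password, compare in constant time.
    p = parse_authorization(header)
    if p.get("nonce") != issued_nonce:
        return False
    password = credentials.get(p.get("username"))
    if password is None or "uri" not in p or "realm" not in p:
        return False
    expected = digest_response(p["username"], p["realm"], password, method, p["uri"],
                               p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p.get("response", ""))
```

The first assertion below is the published RFC 2617 section 3.5 test vector, which applies unchanged because SIP reuses HTTP Digest.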
• IMS SBC: The signaling anti-attack module identifies DoS/DDoS attack behaviour, discards the attack packets, adds the attacker to the blacklist and rate-limits signaling packets. It also filters malformed SIP packets and clears bad signaling packets.
• IMS Core: The flow control policy of the NEs monitors CPU usage and adjusts the system traffic volume accordingly.
• In the Diameter protocol stack, IPsec (IP Security) provides hop-to-hop connectivity security and TLS (Transport Layer Security) provides transport-level security. The IMS Sh/Cx interfaces support both IPsec and TLS.
• An SQL injection detection system validates all messages before they are translated into queries for the HSS.
• IMS offers additional safety mechanisms for handling signaling bursts, including
enhanced congestion and overload flow control.
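As an added example, not code from the document or from the SBC6000 itself, this Python sketch combines the SBC and Core points above: SBC-style signaling anti-attack handling (malformed SIP rejection, per-source rate limiting, blacklisting of repeat offenders) and CPU-driven flow control that sheds new INVITEs under overload. The rate parameters, the CPU threshold and the sample REGISTER are constructed.

```python
import re
MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")  # RFC 3261 request headers

def is_malformed(msg):
    # Syntax gate the SBC applies before deeper SIP processing: a valid request line,
    # every mandatory header present, and the CSeq method matching the request method.
    lines = msg.split("\r\n")
    req = re.match(r"^([A-Z]+) \S+ SIP/2\.0$", lines[0])
    hdr_lines = lines[1:lines.index("")] if "" in lines else lines[1:]
    if req is None or any(":" not in l for l in hdr_lines):
        return True
    headers = {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in hdr_lines)}
    if any(h not in headers for h in MANDATORY):
        return True
    cseq = re.match(r"^\d+ ([A-Z]+)$", headers["CSeq"])
    return cseq is None or cseq.group(1) != req.group(1)

class SignalingGuard:
    def __init__(self, rate, burst, ban_after, cpu_shed_pct=80):
        self.rate, self.burst, self.ban_after = rate, burst, ban_after
        self.cpu_shed_pct = cpu_shed_pct
        self.buckets, self.strikes, self.blacklist = {}, {}, set()

    def admit(self, src, msg, now, cpu_pct=0):
        if src in self.blacklist:
            return "blacklisted"
        if is_malformed(msg):
            return self._strike(src, "malformed")
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # per-source token bucket
        if tokens < 1:
            self.buckets[src] = (tokens, now)
            return self._strike(src, "rate-limited")
        self.buckets[src] = (tokens - 1, now)
        # Core flow control: under CPU pressure shed new dialogs (INVITE) but keep the rest.
        if cpu_pct >= self.cpu_shed_pct and msg.startswith("INVITE "):
            return "shed"
        return "accept"

    def _strike(self, src, verdict):
        self.strikes[src] = self.strikes.get(src, 0) + 1
        if self.strikes[src] >= self.ban_after:  # repeat offender: blacklist, as the SBC does
            self.blacklist.add(src)
        return verdict

# Constructed well-formed REGISTER used as sample input (not captured traffic).
GOOD_REGISTER = "\r\n".join([
    "REGISTER sip:ims.example.net SIP/2.0", "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1",
    "From: <sip:alice@ims.example.net>;tag=1", "To: <sip:alice@ims.example.net>",
    "Call-ID: c1@192.0.2.10", "CSeq: 1 REGISTER", "Max-Forwards: 70", "", ""])
```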