SIP Security and the IMS Core (continued)
IMS as the Heart of the Network
The role of an IMS core is to enable service providers to roll out new services rapidly and deliver them to any device over any network. It is the glue that sits between the service layer and the network layer. Whilst these elements can be expected to provide some level of resilience to attacks, pragmatic service providers are looking to create a protected zone in which these highly valuable assets can be located.
So we are in effect talking about creating a DMZ for the signalling through the use of 'signalling firewalls'. The job of the signalling firewall is to protect the core elements from accidental overload, malicious attack, malformed signalling messages and irrelevant protocols.
Protect the core with signalling firewalls
Providing protection for the core requires more than a conventional firewall: it requires a firewall that understands SIP signalling. This calls for a resilient, hardware-based solution capable of rejecting any unwanted traffic whilst admitting legitimate traffic at a rate the core elements can support. Not a trivial task; let's look at the requirements one by one.
Requirement 1: Must stand up under attack
A basic requirement of any signalling firewall is that it must remain operational under all attack conditions. Before we get carried away with all of the exotic and innovative application layer attacks, the basics must be in place. The TCP SYN flood, for example, is one of the oldest attacks around and probably one of the most common exploits used to cause resource starvation in vulnerable targets. The IMS core may not need to respond to any TCP traffic at all if the SIP signalling is carried over UDP, so TCP traffic can be rejected at the perimeter of the IMS. Similarly, logic exploits like the Ping of Death should simply be blocked by the firewall at the IMS perimeter. A minimum requirement for the signalling firewall is that it should stand up to vulnerability tests such as ISIC (the IP Stack Integrity Checker) and Nessus.
SIP signalling traffic must also be viewed with considerable suspicion: malformed SIP messages should be discarded and not passed through to the IMS core elements. Resistance to this type of attack can be determined by testing against suites such as the IETF SIP torture tests developed through the SIPit events, or the PROTOS test suite developed by the University of Oulu.
Requirement 2: Must prevent propagation of attacks
This is the logical extension of the first requirement. The signalling firewall must identify and discard malicious traffic in order to protect the core. Many protocols can simply be discarded, as described in Requirement 1 above, because they have no relevance to the SIP proxies. Thus the IMS elements are effectively protected from both transport and application layer attacks.
Requirement 3: Must preserve an operational service through pacing
Now that the basics are in place we must turn our attention to the applications themselves. The rate of SIP signalling can cause problems for the Softswitch, and not only through malicious intent. For example, following the hurricanes in Florida, the restoration of power caused all the IP phones to register at the same time, and the service failed under the rate of registrations. In these situations the core elements must be protected by pacing both registrations and call attempts: the signalling firewall should deliver registrations and call invitations to the Softswitch at a rate that it can sustain.
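The registration storm described above, as an added example that is not code from the original article: a token-bucket pacer that hands REGISTERs to the core at a configured rate, queues a bounded backlog, and refuses the rest with a SIP 503 carrying Retry-After so the phones back off. The rates, queue depth and phone count are assumptions.

```python
from collections import deque

class SignallingPacer:
    """Token bucket per SIP method: forward at the core's sustainable rate, queue a bounded
    backlog, and answer the rest with 503 + Retry-After so phones back off. Constructed
    example, not a vendor implementation; all rates and depths are assumptions."""

    def __init__(self, rates: dict, max_queue: int, retry_after: int = 30):
        self.rates = rates                                     # method -> msgs/second
        self.tokens = {m: float(r) for m, r in rates.items()}  # allow one second of burst
        self.queues = {m: deque() for m in rates}
        self.max_queue, self.retry_after, self.last = max_queue, retry_after, 0.0

    def _refill(self, now: float):
        for m, r in self.rates.items():
            self.tokens[m] = min(float(r), self.tokens[m] + (now - self.last) * r)
        self.last = now

    def offer(self, now: float, method: str, msg: str) -> str:
        """One incoming request: 'forward', 'queued', or a 503 response to send back."""
        self._refill(now)
        if method not in self.rates:
            return "forward"                                   # unpaced methods (e.g. BYE)
        if self.tokens[method] >= 1 and not self.queues[method]:   # keep FIFO order
            self.tokens[method] -= 1
            return "forward"
        if len(self.queues[method]) < self.max_queue:
            self.queues[method].append(msg)
            return "queued"
        return f"SIP/2.0 503 Service Unavailable\r\nRetry-After: {self.retry_after}\r\n\r\n"

    def drain(self, now: float) -> list:
        """Timer tick: release queued requests to the core as tokens become available."""
        self._refill(now)
        released = []
        for m, q in self.queues.items():
            while q and self.tokens[m] >= 1:
                self.tokens[m] -= 1
                released.append(q.popleft())
        return released

def simulate_storm(phones: int, rate: int, max_queue: int, seconds: int):
    """Power returns and every phone sends REGISTER at t=0 (the Florida scenario)."""
    pacer = SignallingPacer({"REGISTER": rate, "INVITE": max(1, rate // 5)}, max_queue)
    outcome = {"forward": 0, "queued": 0, "refused": 0}
    for i in range(phones):
        r = pacer.offer(0.0, "REGISTER", f"REGISTER phone-{i}")
        outcome["refused" if r.startswith("SIP/2.0 503") else r] += 1
    per_second = [len(pacer.drain(float(t))) for t in range(1, seconds + 1)]
    return outcome, per_second
```

With 1000 phones, a core that sustains 50 registrations per second and a backlog of 400, the first 50 go straight through, 400 are delivered over the next eight seconds, and 550 phones are told to retry later instead of overwhelming the core.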
Requirement 4: Must preserve network anonymity through topology hiding
Topology hiding features prominently in most service providers' requirements. As SIP signalling passes through various servers en route to its destination, the SIP message acquires information about where it came from and which devices it passed through. Since global networks are made up of a mesh of service provider networks, this information gets passed from network to network. It is therefore important to strip all of this information from the signalling before it is passed from one network to another. This prevents internal network addresses and client address details from being propagated, and benefits the service provider by shielding both network and subscriber from prying eyes.
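As an added example, not code from the original article, the following combines two of the signalling-firewall checks discussed above: the malformed-message rejection of Requirement 1 (request-line shape, size cap, mandatory headers, CSeq sanity) and the topology hiding of Requirement 4 (replacing the internal Via chain and Record-Route with the firewall's own Via). The sample INVITE, the firewall address sbc.example.com and the 4096-byte limit are constructed assumptions.

```python
import re   # added example, not code from the original article
REQUEST_LINE = re.compile(r"^(INVITE|REGISTER|ACK|BYE|CANCEL|OPTIONS) sips?:\S+ SIP/2\.0$")
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")
MAX_MESSAGE = 4096        # constructed size cap: anything larger is dropped unparsed
EDGE_VIA = "SIP/2.0/UDP sbc.example.com;branch=z9hG4bK-edge"   # hypothetical firewall Via

def parse_sip(raw: str):
    """Return (request_line, [(name, value), ...]) or None if the request is malformed."""
    if len(raw) > MAX_MESSAGE or "\r\n\r\n" not in raw:
        return None
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    headers = []
    for line in lines[1:]:
        if ":" not in line or line[0].isspace():       # no folded or junk header lines
            return None
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    names = [n.lower() for n, _ in headers]
    if any(m not in names for m in MANDATORY) or names.count("cseq") != 1:
        return None
    cseq = next(v for n, v in headers if n.lower() == "cseq")
    if not re.fullmatch(r"\d{1,10} [A-Z]+", cseq):     # e.g. a torture-test oversized CSeq
        return None
    return lines[0], headers

def hide_topology(headers, edge_via: str):
    """Drop the internal Via chain and Record-Route so only the firewall's own Via leaves."""
    kept = [(n, v) for n, v in headers if n.lower() not in ("via", "record-route")]
    return [("Via", edge_via)] + kept

def firewall_forward(raw: str, edge_via: str = EDGE_VIA):
    """None = discard at the perimeter; otherwise the scrubbed request to hand to the core."""
    parsed = parse_sip(raw)
    if parsed is None:
        return None
    body = raw.split("\r\n\r\n", 1)[1]
    head = "".join(f"{n}: {v}\r\n" for n, v in hide_topology(parsed[1], edge_via))
    return f"{parsed[0]}\r\n{head}\r\n{body}"

SAMPLE = (   # constructed INVITE that crossed an internal proxy (10.0.0.7) from a phone (192.168.1.20)
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.7:5060;branch=z9hG4bK-77\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-1\r\n"
    "Record-Route: <sip:10.0.0.7;lr>\r\nMax-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\nTo: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n"
)
```

A production firewall must also keep state so that responses returning through the single edge Via can be routed back to the internal hop it removed; that mapping is omitted here.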
Requirement 5: Must preserve service quality and protect revenue through media policing
VoIP fraud is still in its infancy, but given the recent publicity surrounding the fraud charges against two individuals in the US, we are likely to see more attempts to steal VoIP services.
There are many innovative ploys to steal services. When SIP establishes a call it uses a server to locate and communicate with the destination; once the addresses of the source and destination have been exchanged there is no reason why the two parties cannot communicate directly, without the intervention of the server. Thus a party can request a voice call which, once established, can be renegotiated as a video call without the knowledge of the SIP servers from which the billing may be derived. The service provider is unaware of the additional bandwidth being used. This results in loss of revenue and potential degradation of service quality for other users.
To prevent this service theft (toll fraud) it is necessary to link the media path with the signalling path. This is carried out by session border controllers or, in the case of a TISPAN IMS, by a combination of the P-CSCF and A-BGF managing the signalling and media respectively. The signalling and media elements exchange information to ensure that the media remains within the requested limits; any deviation from the requested bandwidth can be blocked.
A key benefit of this process is to preserve the Quality of Service of calls, particularly within the access networks, by preventing over-booking of the network resources.
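The media policing just described, as an added example that is not code from the original article: a media gate opens a pinhole only for the address, port and bandwidth negotiated in the SDP that the signalling path saw, so a flow renegotiated behind the servers' back (here, video to a port never offered) or a flow exceeding its b=AS limit is dropped. The SDP offer, the packet trace and the fallback bandwidths are constructed assumptions.

```python
import re

class MediaGate:
    """Links the media path to the signalling path (the SBC, or P-CSCF plus A-BGF, role):
    media is admitted only to the address, port and bandwidth negotiated in the SDP the
    signalling saw. Constructed example, not vendor code; all values are assumptions."""

    DEFAULT_KBPS = {"audio": 64, "video": 512}   # constructed fallback when no b=AS line

    def __init__(self):
        self.pinholes = {}   # (ip, port) -> {"kind", "limit_bps", "window": [t0, bytes]}

    def open_from_sdp(self, sdp: str):
        """Parse c=, m= and b=AS lines of an SDP offer; open one pinhole per m= line."""
        sdp = sdp.replace("\r\n", "\n")
        ip = re.search(r"^c=IN IP4 (\S+)$", sdp, re.M).group(1)
        for block in re.split(r"(?=^m=)", sdp, flags=re.M)[1:]:
            kind, port = re.match(r"m=(\w+) (\d+)", block).groups()
            bw = re.search(r"^b=AS:(\d+)$", block, re.M)
            kbps = int(bw.group(1)) if bw else self.DEFAULT_KBPS.get(kind, 0)
            self.pinholes[(ip, int(port))] = {"kind": kind, "limit_bps": kbps * 1000,
                                              "window": [0.0, 0]}

    def admit(self, dst_ip: str, dst_port: int, size: int, now: float) -> bool:
        """Policy check on one RTP packet: unknown destination or over-bandwidth is dropped."""
        hole = self.pinholes.get((dst_ip, dst_port))
        if hole is None:
            return False                       # no pinhole was negotiated in signalling
        t0, used = hole["window"]
        if now - t0 >= 1.0:                    # one-second byte-accounting window
            hole["window"], used = [now, 0], 0
        if used + size > hole["limit_bps"] / 8:
            return False                       # exceeds the bandwidth requested in SDP
        hole["window"][1] = used + size
        return True

# Constructed audio-only offer: PCMU to 192.0.2.10:49170, limited to 64 kbit/s
SDP = ("v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
       "m=audio 49170 RTP/AVP 0\r\nb=AS:64\r\na=rtpmap:0 PCMU/8000\r\n")

def policed_call(sdp: str, packets):
    """Run a trace of (dst_ip, dst_port, bytes, time) through the gate: (admitted, dropped)."""
    gate = MediaGate()
    gate.open_from_sdp(sdp)
    verdicts = [gate.admit(*p) for p in packets]
    return verdicts.count(True), verdicts.count(False)
```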