Professional Documents
Culture Documents
Femto-Cell
Security Requirements
Sipera Systems
Internet Transformation
Todays Internet
Transactional
In-band Signaling
VPN
E-Commerce
Enterprises
Enterprises
Consumers
Consumers
Application
Capability
Old Internet
Collaboration
Out-band Signaling
SOA
Enterprises
Enterprises
IMS
Web 2.0
Carriers
Carriers
Consumers
Consumers
OS Focused
Viral Threats
State-Full
Security
State-less
Protocol Aware
Domain Aware
Real-time
Sipera Systems
Security Layers
Apps.
L6 L7
End Points
L4 L6
Visiting
L1 L3
Access
Home
Sipera
Focus
Standards
Focus
Glossary
End Points
L1 L3
Data Store
Client Space
Device Management
Visiting
Local Data Caching
Access Aware Policy
Access
L1 L3
QoS
Aggregation Point
Sipera Systems
Home
Data Store
Applications Interface
Service Control Environment
Foreign Network Peering Points
Application
Layer Security
Sipera Systems
Enablement
Features
Real-time IP services
requires special attention to security
IMS Offers a large suite of services that can be accessed through Cellular Network as well as via Internet.
Offering IMS services creates possibilities of zombies attack and hacker attacks .
Attacks are possible despite subscription authentication & IPSec/TLS encryption.
PDSN/PDG provides authentication and encryption but
does not protect against zombie and hacker attacks.
Call
Server
PDG
IMS core
PDSN
DOrA
CSCF
Media
Gateway
Femto
GW
Internet
Mobile
Access
Broadband
~ 1/2 Billion
users
Protocol fuzzing
Flood attacks
Distributed attacks
Zombies
Stealth attacks
Bad guys could be
IMS SPAM
customers
Zombies
BAD GUYS
Sipera Systems
SIP
Server
PBX
Registrar
Media
Server
MGW
Download Tools
+
Valid Subscription
APPs
Server
IVR
MGW
AuthTool, Cain & Abel, NetDude, Oreka, PSIPDump, SIPomatic, SIPv6 Analyzer,
VOIPong, VOMIT, Wireshark
VoIP/SIP Signaling
Manipulation tools
Sipera Systems
SIP
Signaling attacks
on end users
SIP
Media attacks
RTP/
RTCP
Fuzzing
>20000
Misuse/Spoofing
19
Fuzzing
10
Reconnaissance
Session Anomalies
Floods
Flood
>60
Stealth
Misuse/Spoofing
Distributed Flood
>40
Spam
Total
21
Total
>20108
Total
36
SGW
IPCS
SIP Core
ICMP Flood
TCP Syn Flood
HTTP Fuzzing
Valid IPSec
tunnels
Microsoft OS Virus
Legitimate IKE traffic
Un-authorized Ping to CSCF
ICMP Flood
OS Virus
SIP Core
Sipera Systems
Femto-cell
Deployment Model
VoIP
Infrastructure
F/W NAT
Traversal
SIP
AS
Domain
Policies
AAA
DMZ
Internal F/W
Sipera
IPCS 520
L4-L7 IPS
Secure
Sip
Trunking
External F/W
Femto
Internet
Sipera
IPCS 310
Femto
Femto
Enterprise
Sipera Systems
Femto-Cell Integration
Sipera
IPCS EMS
Femto
Broadband
AAA
HSS
Apps
Chrg
Internet Access
& IP Core
Out-of-Band
Network
Border
Router
Sipera IPCS
(other nodes)
SIP Server
Call Server
SGW
MGCF
MRFC
BGCF
SGF
P/S/I CSCF
SLF/PDF/IBCF
IMS core
Sipera
IPCS
DOrA
Mobile
Access
&Core
ABGF
IBGF
PDSN
MGW
MRFP
T-MGF
Media Gateway
IP-IP GW
Sipera Systems
10
Feature Enablement
F/W NAT Traversal
TFTP Config Proxy
Reverse HTTP Proxy
AAA server
VoIP Infrastructure
DMZ
3. Authenticate
incoming user
Internal
Firewall
+NAT
External
Firewall
+NAT
Wireless Core
Sipera
IPCS
3. Media RTP
4. Signaling
over TCP/UDP
1.
Sipera Systems
11
Sipera Overview
Company
Sipera Systems
12