Professional Documents
Culture Documents
Security Concerns
DoS attacks and overloads of next gen voice service infrastructure User/device authentication and authorization User privacy and confidentiality Service fraud Service topology exposure Illegal wiretapping SPIT Trade performance for security
0%
Everyone worries about security DoS attacks and overloads are biggest worry
80%
Source: Service Provider Plans for Next Gen Voice 2006 (July 2006)
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
SIP message & MIME attachment filtering/inspection Signaling rate monitoring & policing Bandwidth monitoring & policing Call gapping - destination number Call gappping - source/destination CSCF or UE QoS marking/mapping control
4 O&T
3 Services
Solution requirements
_ SBC DoS self-protection
Internet
2 & O&T
Transit
PSTN
Access control - static & dynamic Trusted & untrusted paths with policed queues IDS capabilities
_ Embedded web servers - IP phones _ Java apps liability or asset? SQL _ Authentication _ SIP message & MIME attachment filtering _ Secure OS environment
Solution requirements
Slammer Michelangelo
Types of fraud
Internet
2 MPLS
PSTN
Solution requirements
_ Access control _ Authentication subscriber & SIP signaling elements _ Authorization subscriber _ Admission control subscriber limits - # sessions & bandwidth _ QoS marking/mapping control _ Bandwidth policing A
1 DiffServ-3
Who is at risk?
Solution requirements
Solution requirements
_ Access control dynamic, IDS-like _ Authentication _ Admission control subscriber limits (#) _ Trust chains - pre-established technical & business relationships
The Internet
The Federnet
F F
I
F
Net-Net
Security issues are very complex and multi-dimensional Security investments are business insurance decisions
_ _ _ _ Life DoS attack protection Health SLA assurance Property service theft protection Liability SPIT & virus protection
Degrees of risk
_ _ _ _ Internet-connected ITSP ` Facilities-based HIP residential services Facilities-based HIP business services Peering
High Low
Protect against SBC DoS attacks & overloads (malicious & non-malicious)
Prevent DoS attacks on service infrastructure & subscribers Monitor, report & record attacks & attackers; provide audit trails
Acme Packet Net-Net SD flawlessly passed all of CT Labs grueling attack tests
Total of 34 different test cases, using over 4600 test scripts No failed or dropped calls, even for new calls made during attacks No lost RTP packets during attacks Protected the service provider equipment did not allow flood attacks into core, stopped packets at edge SD performance not impacted during attack
SD CPU utilization - only 10% increase Signaling latency - only 2 ms average increase RTP jitter less than 1 ms increase (not measurable by test equipment)
Network processor
Network processor