InfoSecurity
November 23, 2006
NGNs: Bridging the old and new!
- Next gen IP networks obliterate inherent, built-in security provided by traditional telecom networks;
- The Bell Labs Security Framework is today the foundation of the ITU-T X.805 standard;
- Bell Labs and Lucent are introducing seamless secure and reliable solutions for the industry;
- Threats require us to protect our solutions from all angles: accidental and deliberate disruption.
NEW DELHI -- In Next Generation Networks, the IP Multimedia Subsystem (IMS) is a key emerging technology and reference platform, which will provide a means to bridge the old and the new capabilities as well as support new multimedia applications and services. In order to support VoIP and other value added services on a converged IP network, service providers need to have their IP network designed, maintained, and able to support an ongoing security program with controls to prevent, detect, and correct vulnerabilities, resulting in maximum availability for the end-users.
The Bell Labs Security Framework was developed to help customers - service providers, government, and enterprises - understand, in a modular way, how to incorporate the right level of security in their solution across design, planning, implementation, maintenance, and ongoing assessments.
Convergence Plus spoke to Uma Chandrashekhar, technical manager, Advanced Network Security and Reliability Group, Bell Labs, Lucent Technologies, USA, on the implementation of a new proactive framework within the company as well as within the products. Excerpts:
Convergence Plus: What are the expected security challenges in NGNs?
Uma Chandrashekhar: In Next Generation Networks, the IP Multimedia Subsystem (IMS) is a key emerging technology and reference platform, which will provide a means to bridge the old and the new capabilities as well as support new multimedia applications and services.
The convergence aspects and new capabilities bundled together (triple play) are challenges to maintaining the balance of security, availability, and quality such that attacks do not propagate from one domain to another. For example, the advent of next generation IP networks carrying converged voice and data traffic obliterates the inherent, built-in security provided by traditional telecommunications networks. In modern converged IP networks we now have the situation where numerous, powerful, intelligent end-user devices that can be used to launch network attacks are attached to these networks. The signaling/control and management information is carried in-band with user information, thereby making it susceptible to attack as well. Network operations or management security is often neglected when network security is being considered and frequently provides a back-door entry into IP networks. Since the insider threat represents a potential for significant financial loss, this situation is a recipe for disaster.
CP: How are operators planning to overcome the specific challenges of managing security and combating fraud in NGNs?
UC: Operators are constantly looking at ways of managing security such that it meets regulatory compliance mandates as well as protecting their customer data and how their network responds to constant threats. Some technology areas that are being used as they relate to IMS are:
- Authentication techniques at per-packet and session level for IMS (validating the user)
- Measures to ensure that session resources (e.g., IP address allocation) are not misused, e.g., the IP address of an active session can be misappropriated during the small window of session termination and used to continue the session afterwards
CP: How are carriers preparing to protect their customers' end-systems?
UC: Since there is no one solution to protect customers’ data and end-systems, carriers generally deploy a variety of techniques, similar to the defense in depth concept. Some of these techniques include network-based antivirus, strong encryption (IPSEC support), PKI/digital certificates on the end devices, and remotely deleting the end-device data if it is reported stolen (e.g. SCREAM – UK).
CP: What security measures would be required to prevent denial-of-service attacks?
UC: There are a number of security measures that can be used to recognise and minimise the impact of a denial-of-service (DoS) attack. From experience, some of the preventive measures are: planning and designing the network or IT solution with defense in depth principles, customer education and training to implement security updates, firewalls in infrastructure or IT elements, hardening of the operating system, ports, and interfaces, Access Control Lists (ACLs) for IP traffic processing systems, host-based Intrusion Detection Systems (IDS), network-based IDS, alarms, logging, event analysis and traffic control measures, measures to prevent IP address spoofing, zero-day virus prevention measures, network-based SPAM filters, periodic audits, and measurable and enforceable SLAs.
In order to support VoIP and other value added services on a converged IP network, service providers need to have their IP network designed, maintained, and able to support an ongoing security program with controls to prevent, detect, and correct vulnerabilities resulting in maximum availability for the end-users.
CP: How effective are the comprehensive standards for security?
UC: A few years ago, when the industry was focusing on security primarily in a piecemeal approach (e.g., focusing just on access control or patch management), we at Bell Labs, Lucent Technologies decided we needed to develop a more proactive, holistic approach. We really needed a strong way and a framework of looking at network security, similar to the way we look at performance and reliability in our networks. This is when we invented the Bell Labs Security Framework, which basically is a holistic approach to addressing network security.
The Bell Labs Security Framework was developed to help our customers - service providers, government, and enterprises - understand, in a modular way, how to incorporate the right level of security in their solution across design, planning, implementation, maintenance, and ongoing assessments.
Basically, every network is subjected to a set of threats, and within every network element or component or service there is a unique set of threats which could exploit vulnerabilities, resulting in undesirable impact. We started implementing this proactive framework within our own company as part of our corporate network, as well as within our products. And we thought this is such a great thing, wouldn't it be great if the industry also understands this and is able to align, because our customers need seamless security solutions.
And bottom line, the Bell Labs Security Framework became the foundation of what is now the ITU-T X.805 standard. And it's a comprehensive standard for looking at network security holistically, regardless of the network size, regardless of the technology, and you can actually focus in on the specific things you want to look at for IMS versus voice over IP, versus just plain IP service, versus a wireless network, WiFi network, etc.
Lucent actually played a significant role in the definition of X.805; the basis of X.805 is the Bell Labs Security Framework, and in particular, my team was the team that actually developed this framework. And basically, we felt it was critical for the industry to understand the key things you need to think about when you look at network security, and this is the way Lucent is addressing security.
This contribution has been well accepted within the government agencies, within a number of carriers/service providers, and also, Lucent is now working worldwide with these customers to help them better understand their security needs and security program aspects, using ITU-T X.805 and using the intellectual property that's been developed around that. Now the ITU X.805, based on the Bell Labs Security Framework, has also been adopted in the ISO 18028-2. ISO 18028-2 became a standard in February 2006.
This means the IT industry as well as the Telecom industry have adopted a single framework for addressing network security. Bell Labs and Lucent are helping to introduce seamless secure and reliable solutions for the industry. IMS is one of these solutions.
CP: Is the government mandating some minimum levels of security from carriers?
UC: Currently there are no global government mandates for carriers on security, except for regulation and legislation which indirectly enforce minimum security requirements in specific areas for each of the vertical market segments.
For example, in the health industry in the US, we have the Health Insurance Portability and Accountability Act (HIPAA) of 1996, or e-Health, focusing on privacy rights of the users. Or the regulatory requirements on public companies as they relate to accurate reporting and integrity of the data (SoX). Alternatively, we also have the Communications Assistance for Law Enforcement Act (CALEA) and billing and fraud protection.
CP: Are there any approved ways to solve the SIP and NAT firewall problems?
UC: From a standards perspective, there are a number of solutions. One solution is Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs), or STUN. This protocol is defined in RFC 3489. Cascaded IPSec tunnels or Transport Layer Security (TLS) are other potential solutions that can be used in different environments.
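As an added example, not part of the interview or of any Lucent product, the STUN Binding Request/Response exchange referred to above, built and parsed on the RFC 3489 wire format (message type, length, 128-bit transaction ID, then TLV attributes, with MAPPED-ADDRESS carrying the NAT-side address). The server reply is a constructed sample; the parser rejects a reply whose transaction ID does not match the request so that a client does not accept an unsolicited or spoofed answer.

```python
import os
import socket
import struct

# Message and attribute type codes as defined in RFC 3489.
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
HEADER_FMT = "!HH16s"  # type, body length, 128-bit transaction ID (20 bytes)


def build_binding_request():
    """Return (message bytes, transaction id) for a Binding Request with no attributes."""
    txid = os.urandom(16)
    return struct.pack(HEADER_FMT, BINDING_REQUEST, 0, txid), txid


def parse_binding_response(data, expected_txid):
    """Return (ip, port) from the MAPPED-ADDRESS attribute, or raise ValueError.
    The transaction ID must match the request we sent; anything else is dropped."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, txid = struct.unpack(HEADER_FMT, data[:20])
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response: 0x%04x" % msg_type)
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (unsolicited response?)")
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    pos = 0
    while pos + 4 <= len(body):  # walk the TLV attribute list
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type == MAPPED_ADDRESS:
            # value: 1 pad byte, 1 family byte (0x01 = IPv4), 2-byte port, 4-byte address
            family, port = struct.unpack("!xBH", value[:4])
            if family != 0x01 or attr_len != 8:
                raise ValueError("unsupported address family")
            return socket.inet_ntoa(value[4:8]), port
        pos += 4 + attr_len
    raise ValueError("no MAPPED-ADDRESS in response")


def make_sample_response(txid, ip, port):
    """Constructed sample of the Binding Response a STUN server would send back."""
    addr = struct.pack("!xBH", 0x01, port) + socket.inet_aton(ip)
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(addr)) + addr
    return struct.pack(HEADER_FMT, BINDING_RESPONSE, len(attr), txid) + attr
```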
CP: What security challenges are they creating?
UC: Recent threats require us to protect our solutions from all angles: accidental and deliberate disruption, our people, and the economy, especially since the networks are critical to health and safety, national security, and the economic viability of the global industry.
Thus, today’s environment requires us to think of planning, designing, implementing and maintaining NGN solutions in such a way that we are protected against deliberate disruption, protecting people, economy, and global security, reducing vulnerabilities to threats, and of course, managing disruptions to cause the least possible damage.