Support de cours Projet IMS - Chap VI

The document outlines the security architecture of the IP Multimedia Subsystem (IMS), detailing its three layers (application, network, device) and three planes (control, user, management). It describes various security measures and policies aimed at ensuring confidentiality, integrity, availability, and traceability within the IMS network. Additionally, it highlights the specific security capabilities of different network elements (NEs) within the IMS framework to address unique security threats.


SUMMARY

1 Background and challenges


2 IMS Solution
3 Deployment scenarios
4 Security
5 Interfaces and protocols
6 Registration and session
7 Service functions

Security architecture
A. Architecture

• The IP multimedia subsystem (IMS) network security architecture is divided into three security layers and three security planes (the layer/plane model of ITU-T X.805).

• The three layers are the application security layer, the network security layer, and the device security layer.

• The three planes are the control plane, the user plane, and the management plane.

• Each intersection of a layer and a plane provides different services and has its own security mechanisms to deal with security threats. Figure 13 shows the security architecture.

IMS Project Security 63



Figure 13 Security architecture


B. Security layers

Device security layer
  Protects the operating system (OS), database, and software that support IMS services.
  • OS security is essential for network entity (NE) performance and for ensuring that user operations are legitimate. A compromised OS is exposed to attacks and viruses, which may lead to service interruption, information loss, data corruption, and reduced system efficiency. OS security is implemented in four phases:
    - Installation and configuration: settings applied during and after OS installation, including minimum OS installation, rights management, and system settings.
    - System patch installation: OS patches for equipment on the live network are installed and verified according to the patch requirements. No OS patch is installed without approval.
    - System hardening: the carrier grade platform (CGP) hardens services, passwords, file and directory properties, and kernel parameters so that all IMS NEs provide the same level of host security without affecting normal IMS services.
    - System log management: logs are centrally managed and backed up.
  • Database security maintains the security of NE system data and ensures that user operations are legitimate. Policies and measures include database rights management and a database security architecture.
  • System software security protects the integrity of software and patch packages for IMS NEs and prevents them from being tampered with or corrupted by unauthorized programs. A common measure is a digital signature over the software digest.
  • Security hardening of the virtualization layer is required for NEs to run properly and for subscribers to perform only authorized operations. The policies and measures are provided by the virtualization platform; hardening of the host OS and VM isolation are recommended.

Network security layer
  • Provides zone division, network isolation, and packet filtering policies to protect all IMS network resources and services.
  • Access-domain security covers user authentication and signaling protection: terminals requesting access to the IMS network must be authenticated, and secure channels are established between NEs.
  • Network-domain security covers communication between IMS internal nodes (such as the ATS9900, CSC3300, and HSS9860) and between the nodes of different carriers.

Application security layer
  Protects IMS upper-layer applications: user access control, service applications, user accounts, user data, system logs, and charging data.
  The layer secures application data in transmission, exchange, storage, and processing, and ensures its integrity, confidentiality, and availability in each of those states. Mechanisms include user identity authentication, access control, rights management, and privacy protection. The layer also controls traffic and monitors for unauthorized packets so that the IMS network keeps running properly.

Table 10 Security layers
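The "digital signature on software digests" measure of the device security layer, as an added example (not the CGP's own mechanism or code): the vendor lists the SHA-256 of every package file in a manifest and signs the SHA-256 of the manifest; the NE verifies that signature with the vendor public key before it trusts a single line of the manifest, then checks every file in both directions. The function names, the key pair, and the file names and contents are constructed for the example. The signature is textbook RSA over the digest so the block runs on the standard library alone; a deployment uses PKCS#1 PSS or v1.5 through a crypto library, with the vendor key distributed out of band.

```python
from __future__ import annotations
import hashlib

# Assumed key pair: two Mersenne primes stand in for a generated RSA key so the
# example has no dependencies.  65537 is coprime to (p-1)(q-1) for these primes.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent (vendor side only)
VENDOR_PUBLIC_KEY = (_N, _E)            # what the NE ships with


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> bytes:
    """Vendor side: one 'sha256  path' line per file, sorted for a canonical encoding."""
    lines = [f"{sha256_hex(files[path])}  {path}" for path in sorted(files)]
    return ("\n".join(lines) + "\n").encode()


def sign_manifest(manifest: bytes, private_exp: int = _D) -> int:
    """Vendor side: sign the SHA-256 of the manifest (textbook RSA, see lead-in)."""
    digest = int.from_bytes(hashlib.sha256(manifest).digest(), "big")
    return pow(digest, private_exp, _N)


def verify_package(files: dict[str, bytes], manifest: bytes, signature: int,
                   public_key=VENDOR_PUBLIC_KEY) -> tuple[bool, list[str]]:
    """NE side: trust nothing in the manifest until its signature checks out,
    then compare the manifest and the package both ways.  Returns (ok, problems)."""
    n, e = public_key
    expected = int.from_bytes(hashlib.sha256(manifest).digest(), "big")
    if pow(signature, e, n) != expected:
        return False, ["manifest signature invalid"]
    listed: dict[str, str] = {}
    for line in manifest.decode().splitlines():
        digest_hex, _, path = line.partition("  ")
        listed[path] = digest_hex
    problems = []
    for path, digest_hex in listed.items():      # everything signed must be present and intact
        if path not in files:
            problems.append(f"missing file: {path}")
        elif sha256_hex(files[path]) != digest_hex:
            problems.append(f"digest mismatch: {path}")
    for path in files:                           # nothing unsigned may ride along
        if path not in listed:
            problems.append(f"unlisted file: {path}")
    return not problems, problems


if __name__ == "__main__":
    # Constructed package contents.
    package = {"bin/cscd": b"\x7fELF...", "etc/ims.cfg": b"realm=ims.example\n"}
    manifest = build_manifest(package)
    sig = sign_manifest(manifest)
    print(verify_package(package, manifest, sig))
    package["bin/cscd"] = b"\x7fELF... patched"
    print(verify_package(package, manifest, sig))
```

Two points a reviewer should insist on: the signature is verified before any manifest line is parsed, and a file that is present but not listed is reported as a finding, since an attacker who cannot forge the signature may still try to drop an extra binary into the package.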



Figure 14 Mapping between the security layer and the device-OSI reference model
C. Security planes
Control plane
  Protects the header fields and parameters of each signaling message and protocol, and ensures that signaling streams on the IMS network are normal. Common security policies: restriction of unauthorized user access, malformed Session Initiation Protocol (SIP) packet attack defense, denial of service (DoS)/distributed denial of service (DDoS) attack defense, and SIP service logic attack defense.

User plane
  Protects Real-Time Transport Protocol (RTP) sessions and bandwidth on the media plane, and ensures that media streams on the IMS network are normal. Common security policies: RTP session injection restriction, RTP bandwidth theft restriction, and malformed RTP packet attack defense.

Management plane
  Protects operation, administration, and maintenance (OAM), and ensures that IMS network OAM is normal. Common security policies: account security, data transmission security, authentication and authorization, a security alarm mechanism, and web security.

Table 11 Security planes
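Malformed SIP packet attack defense on the control plane, as an added example rather than the vendor's implementation: the screening an SBC or P-CSCF applies to a request before it is handed to the full SIP stack. It enforces size limits, the request line, the mandatory request headers of RFC 3261 section 8.1.1, agreement between the CSeq method and the request method, the Via branch magic cookie, and Content-Length against the body actually received. The limits, the function names and the sample INVITE are constructed for the example.

```python
from __future__ import annotations
import re

METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "SUBSCRIBE",
           "NOTIFY", "MESSAGE", "PRACK", "UPDATE", "INFO", "REFER", "PUBLISH"}
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")   # RFC 3261 8.1.1
SINGLE = ("from", "to", "call-id", "cseq", "max-forwards", "content-length")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type", "k": "supported"}
MAX_MESSAGE = 8192        # assumed limits; tune per deployment
MAX_HEADER_LINE = 1024


def parse_headers(lines):
    """Header name -> list of values (case-folded, compact forms expanded, folding joined)."""
    headers, errs, current = {}, [], None
    for line in lines:
        if len(line) > MAX_HEADER_LINE:
            errs.append("header line too long")
            continue
        if line[:1] in (" ", "\t"):                     # folded continuation line
            if current is None:
                errs.append("continuation line without header")
            else:
                headers[current][-1] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        name = name.strip().lower()
        if not colon or not re.fullmatch(r"[a-z0-9\-.!%*_+`'~]+", name):
            errs.append(f"malformed header line {line!r}")
            current = None
            continue
        current = COMPACT.get(name, name)
        headers.setdefault(current, []).append(value.strip())
    return headers, errs


def check_sip_request(raw: bytes) -> list[str]:
    """Return the reasons this request must be dropped; an empty list means it passed."""
    if len(raw) > MAX_MESSAGE:
        return [f"message too large ({len(raw)} bytes)"]
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no CRLF CRLF header terminator"]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in headers"]
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return [f"bad request line {lines[0]!r}"]
    method, uri = parts[0], parts[1]
    errs = []
    if method not in METHODS:
        errs.append(f"unknown method {method}")
    if not re.fullmatch(r"(sips?|tel):[^\s<>]+", uri):
        errs.append(f"bad request-URI {uri!r}")
    headers, herrs = parse_headers(lines[1:])
    errs += herrs
    errs += [f"missing {h}" for h in REQUIRED if h not in headers]
    errs += [f"duplicate {h}" for h in SINGLE if len(headers.get(h, [])) > 1]
    if "cseq" in headers:
        m = re.fullmatch(r"(\d{1,10}) ([A-Z]+)", headers["cseq"][0])
        if not m or int(m.group(1)) >= 2 ** 31:
            errs.append("bad CSeq")
        elif m.group(2) != method:                  # classic service-logic confusion vector
            errs.append(f"CSeq method {m.group(2)} != {method}")
    if "max-forwards" in headers:
        mf = headers["max-forwards"][0]
        if not mf.isdigit() or int(mf) > 255:
            errs.append("bad Max-Forwards")
    for via in headers.get("via", []):
        if not via.startswith("SIP/2.0/") or ";branch=z9hG4bK" not in via:
            errs.append(f"bad Via {via!r}")
    if "content-length" in headers:               # never trust it over the bytes received
        cl = headers["content-length"][0]
        if not cl.isdigit() or int(cl) != len(body):
            errs.append(f"Content-Length {cl!r} != body {len(body)}")
    return errs


# Constructed sample: a well-formed INVITE whose body is the 5 bytes "v=0\r\n".
SAMPLE_INVITE = (
    b"INVITE sip:bob@ims.example SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: <sip:alice@ims.example>;tag=1928301774\r\n"
    b"To: <sip:bob@ims.example>\r\n"
    b"Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"v=0\r\n"
)

if __name__ == "__main__":
    print(check_sip_request(SAMPLE_INVITE))
    print(check_sip_request(SAMPLE_INVITE.replace(b"Content-Length: 5", b"Content-Length: 400")))
```

The checks that are most often missing in home-grown filters are the last two: a Content-Length larger than the datagram is how a parser is walked off the end of its buffer, and a CSeq method that disagrees with the request line is how one proxy and the next end up with different ideas of which transaction a message belongs to.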
D. Security dimensions

The eight security dimensions (those of ITU-T X.805) and the major measures that implement each:

Access control
  • Access control list (ACL)
  • OAM access control
  • Firewall pinholes for media streams
  • Call admission control (CAC)
  • Blacklist and whitelist mechanism
  • Media bandwidth control
  • OAM security management

Authentication and authorization
  • User access control, including Authentication and Key Agreement (AKA), SIP/Hypertext Transfer Protocol (HTTP) authentication, and digital certificates
  • Rights- and domain-based management
  • Minimum authorization for the system and software

Non-repudiation
  • Logs and alarms
  • Authentication using digital certificates

Data confidentiality
  • Signaling encryption
  • OAM transmission encryption
  • IP transmission encryption
  • User password encryption

Communication security
  • Transmission security isolation using virtual local area networks (VLANs) or virtual private networks (VPNs)
  • NE plane security isolation
  • Remote maintenance security

Data integrity
  • Integrity provided by protocols such as IP Security (IPsec), Transport Layer Security (TLS), Hypertext Transfer Protocol Secure (HTTPS), and Simple Network Management Protocol (SNMP)
  • Software integrity

Availability
  • OS security hardening
  • Database security hardening
  • Patch security
  • IP attack defense
  • DoS/DDoS attack defense
  • Malformed SIP packet attack defense
  • SIP service logic attack defense
  • Web application security
  • Malformed RTP packet attack defense

Privacy
  • Sensitive user information protection
  • Network topology protection
  • Signaling encryption

Table 12 Security dimensions
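The "SIP/HTTP authentication" measure under authentication and authorization, as an added example that is not the product's code: the S-CSCF (through the P-CSCF) challenges a REGISTER with 401 and a fresh nonce, the UE answers with a Digest response (RFC 3261 section 22, qop=auth), and the S-CSCF verifies it against the request it actually received, rejects stale nonces, and refuses a nonce count that does not increase, which is what stops a captured Authorization header from being replayed. IMS AKA (3GPP TS 33.203, RFC 3310) carries the same exchange with the USIM-derived RES in the password position. The realm, identities, secrets, class and function names are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import time


def md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response with qop=auth, computed identically by UE and S-CSCF."""
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def ue_authorize(challenge, user, password, method, uri, nc, cnonce=None):
    """UE side: Authorization header fields for the retried request."""
    cnonce = cnonce or os.urandom(8).hex()
    nc_hex = f"{nc:08x}"
    return {
        "username": user, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": "auth", "nc": nc_hex, "cnonce": cnonce,
        "response": digest_response(user, challenge["realm"], password, method, uri,
                                    challenge["nonce"], nc_hex, cnonce),
    }


class DigestServer:
    """S-CSCF side: issues nonces, verifies responses, tracks nonce counts."""

    def __init__(self, realm, credentials, nonce_lifetime=60):
        self.realm = realm
        self.credentials = credentials      # private user identity -> password (HSS data)
        self.nonce_lifetime = nonce_lifetime
        self.nonces = {}                    # nonce -> [issued_at, highest nc accepted]

    def challenge(self, now=None):
        """401 Unauthorized: WWW-Authenticate parameters with a fresh random nonce."""
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = [time.time() if now is None else now, 0]
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, auth, method, request_uri, now=None):
        """Check the Authorization fields against the request actually received.
        Returns (accepted, reason); a deployment sends the same 401/403 for every
        failure and keeps the reason in its own log."""
        now = time.time() if now is None else now
        entry = self.nonces.get(auth.get("nonce"))
        if entry is None:
            return False, "unknown nonce"
        if now - entry[0] > self.nonce_lifetime:
            del self.nonces[auth["nonce"]]
            return False, "stale nonce"
        if auth.get("realm") != self.realm or auth.get("uri") != request_uri:
            return False, "realm or uri mismatch"   # uri must be the one we routed on
        try:
            nc = int(auth["nc"], 16)
        except (KeyError, ValueError):
            return False, "bad nonce count"
        if nc <= entry[1]:
            return False, "replayed nonce count"
        password = self.credentials.get(auth.get("username"))
        if password is None:
            return False, "unknown user"
        expected = digest_response(auth["username"], self.realm, password, method,
                                   request_uri, auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False, "bad response"
        entry[1] = nc                       # commit only after a successful check
        return True, "ok"


if __name__ == "__main__":
    srv = DigestServer("ims.example", {"alice@ims.example": "s3cret"})
    ch = srv.challenge()
    auth = ue_authorize(ch, "alice@ims.example", "s3cret", "REGISTER", "sip:ims.example", nc=1)
    print(srv.verify(auth, "REGISTER", "sip:ims.example"))   # (True, 'ok')
    print(srv.verify(auth, "REGISTER", "sip:ims.example"))   # replay of the same header
```

The server recomputes the response from its own copy of the request-URI and method rather than from the client's Authorization fields, and it updates the stored nonce count only after the response checks out, so a failed attempt cannot burn counts for the legitimate UE.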


Security policies
B. Overall security policies

To address the existing security threats and challenges, the IP multimedia subsystem (IMS) provides hierarchical security policies from the perspectives of networking, service application, and operation management.

These hierarchical policies establish multiple lines of defense for IMS network security, and each line of defense uses a different security policy.

If one security policy fails, the other policies in the hierarchy continue to protect the IMS network against attacks and keep IMS services running.


IMS security is designed to accomplish the following goals:

• Confidentiality: Key information is protected against disclosure to unauthorized users or network entities (NEs).

• Integrity: Data cannot be changed without authorization.

• Availability: Network and data access is granted only to authorized NEs, so that service denial and network interruption are avoided.

• Traceability: Historical events are recorded for identifying and analyzing security issues that occur on the IMS network.

• Controllability: Information content and transmission are controllable, including the capability to protect against hacker attacks and password attacks.


The ultimate goals of IMS security policies are the following:

• Software security: The IMS network cannot be illegally accessed, and IMS software cannot be illegally duplicated, tampered with, or infected with viruses.

• Data security: IMS network data cannot be obtained without authorization.

• Management security: Security incidents can be handled while the IMS network is running. Common handling measures include establishing a security management system, security audit, and risk analysis.

C. NE security capabilities

On the IMS network, each NE runs different service logic and sits at a unique network location, so the NEs are exposed to different security threats.

To address this, different security mechanisms and measures must be configured for different NEs from the perspective of the IMS solution as a whole.


Figure 15 Major security capabilities provided by IMS NEs



Product / NE / Network location / Major security capability

CloudSE2980
  Access session border controller (A-SBC), user access zone
    The A-SBC plays an important role in security defense in the access zone of the IMS network. It provides firewall pinholes for media streams, Session Initiation Protocol (SIP) header field processing, traffic control, signaling and media proxying, ACLs, and TCP/IP attack defense, and uses them to implement the following functions:
    • SIP signaling encryption
    • Malformed SIP packet attack defense
    • User access control
    • Call control
    • Denial of service (DoS)/distributed denial of service (DDoS) attack defense
  Interconnect session border controller (I-SBC), interworking zone
    The I-SBC plays an important role in security defense where the IMS network interworks with other networks. It provides firewall pinholes for media streams, SIP header field processing, ACLs, and IP Security (IPsec), and uses them to implement the following functions:
    • Malformed SIP packet attack defense
    • DoS/DDoS attack defense
    • Transmission encryption
  Proxy-call session control function (P-CSCF), session control zone
    The P-CSCF provides SIP signaling filtering, flow control, SIP service logic attack defense, and access authentication. It also works with control devices such as the SBC to implement authentication and authorization on IP bearer resources.

UAC3000
  Access gateway control function (AGCF), user access zone
    The AGCF authenticates H.248, Media Gateway Control Protocol (MGCP), and primary rate access (PRA) users when they attempt to access the IMS network, which prevents these users from launching malformed packet attacks.

UGC3200
  MGCF, interworking zone
    The MGCF implements call control (for example, blacklist and whitelist functions) for circuit switched (CS) users when they attempt to access the IMS network, which blocks calls from unauthorized users. It also provides malformed SIP packet attack defense so that CS users cannot launch malformed SIP packet attacks against the IMS network, and it intercepts calls originated by unauthorized private branch exchange (PBX) users.

OMU
  Carrier grade platform (CGP), operation, administration, and maintenance (OAM) zone
    The CGP provides security capabilities for the host infrastructure, including OS security, database security, and log security. It also provides security management for the OMU clients and web user interfaces (WebUIs) to ensure OAM security, and IP attack defense to protect IMS NEs.
    NOTE: The OS and database security policies of the MAE Access/U2020 and the SBC are not provided by the CGP. For details, see the MAE Access/U2020 and SBC product documentation.

SPG2800
  Service provisioning gateway (SPG), OAM zone
    The SPG provides data transmission security for service provisioning data on the IMS network. It also provides a web portal for user access management and centralized authentication to ensure service provisioning security.
    NOTE: To minimize the security risks of third-party open-source software, you are advised to:
    • Upgrade the SPG2800 to the latest version, in which the third-party open-source software is also updated.
    • If you are still using the current SPG2800 version, check the known security issues on the official websites of the third-party open-source software.

iCG9815
  Charging collection function (CCF), OAM zone
    The CCF provides call detail record (CDR) transmission security, CDR storage security, and user rights management on CDR consoles to ensure that offline CDRs are securely sent to the billing center.

CSC3300
  Interrogating-call session control function (I-CSCF), session control zone
    The I-CSCF is the contact point within a home IMS network and provides topology hiding and SIP signaling filtering.
  Serving-call session control function (S-CSCF), session control zone
    The S-CSCF provides the following security capabilities:
    • Malformed SIP packet attack defense
    • SIP service logic attack defense
    • SIP signaling filtering
    • Traffic control
    • User authentication
  Interconnection border control function (I-BCF), interworking zone
    The I-BCF sits between the IMS network and other IP networks, such as another IMS network or an H.323 network. It provides routing topology hiding so that network topology information is not disclosed.

Unified Subscriber Center Database (USCDB)
  USCDB, session control zone
    The USCDB stores the subscriber data of the IMS network. It provides security capabilities for data transmission, data storage, and user access authentication to prevent loss or disclosure of subscriber data.

HSS9860
  Home Subscriber Server (HSS), session control zone
    The HSS provides traffic control so that it keeps running properly under DoS/DDoS attacks.

ENS
  ENS, session control zone
    -

MRP6600
  Media resource function processor (MRFP), session control zone
    -
  Interconnection border gateway function (I-BGF), session control zone
    The I-BGF provides firewall pinholes for media streams and media bandwidth control. When it works with the I-BCF/P-CSCF to process voice and video streams, it protects against RTP session injection and RTP bandwidth theft.

ATS9900
  ATS, service application zone
    The application server (AS) provides services such as malicious call rejection, malicious communication identification, anonymous call rejection, and outgoing call barring to protect IMS subscribers against malicious call interference and to ensure service application security. For example, outgoing call barring prevents unauthorized subscribers from making outgoing calls. The AS also provides flow control so that higher-priority messages are processed first under DoS/DDoS attacks.

Business support system (BSS)/operations support system (OSS)
  BSS, BSS/OSS
    Firewalls are deployed between the BSS and the IMS network to ensure data transmission security.
  OSS, BSS/OSS
    Firewalls are deployed between the OSS and the IMS network to ensure data transmission security.

MAE Access/U2020
  EMS, OAM zone
    The MAE Access/U2020 provides security capabilities for the infrastructure, such as OS security, database security, and log security. It also provides user access management and MAE Access/U2020 client security management to ensure OAM security of the IMS network.

Table 13 IMS security capability by NE type
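The I-BGF capabilities in the table above (firewall pinhole for media streams, RTP session injection restriction, media bandwidth control) and the user-plane policies of Table 11, as one added example that is not the product's code: once the SDP offer/answer has been completed, the gateway admits RTP only from the negotiated remote address to the negotiated local port, locks the flow to the first SSRC it sees, keeps a sequence-number window so replayed or wildly out-of-order packets are dropped, and charges each packet against a token bucket sized for the negotiated codec bandwidth. The addresses, ports, payload types, rates, class and function names are constructed for the example; a stricter deployment takes the expected SSRC from the SDP rather than learning it.

```python
from __future__ import annotations
import struct
import time

MAX_DROPOUT = 3000      # packets ahead of the last accepted seq we still accept
MAX_MISORDER = 100      # packets behind it we accept as late arrivals


def rtp_packet(seq: int, ssrc: int, payload_type: int = 0,
               payload: bytes = b"\x00" * 160, timestamp: int = 0) -> bytes:
    """Build a minimal RTP packet (V=2, no padding/extension/CSRC); for tests and demos."""
    return struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


class MediaPinhole:
    def __init__(self, remote_addr, local_port, max_kbps, payload_types, now=None):
        self.remote_addr = remote_addr            # (ip, port) from the answered SDP
        self.local_port = local_port              # port the I-BGF allocated for this leg
        self.payload_types = set(payload_types)   # payload types on the negotiated m= line
        self.ssrc = None                          # learned from the first packet
        self.last_seq = None
        self.rate = max_kbps * 1000 / 8           # bytes per second, RTP header included
        self.capacity = self.rate                 # allow at most one second of burst
        self.bucket = self.capacity
        self.last_refill = time.time() if now is None else now
        self.dropped = {}                         # reason -> count, for the security alarm feed

    def _drop(self, reason):
        self.dropped[reason] = self.dropped.get(reason, 0) + 1
        return False, reason

    def admit(self, src_addr, dst_port, packet: bytes, now=None):
        """Decide whether one datagram may be forwarded.  Returns (admitted, reason)."""
        now = time.time() if now is None else now
        if src_addr != self.remote_addr or dst_port != self.local_port:
            return self._drop("outside pinhole")
        if len(packet) < 12:
            return self._drop("short packet")
        b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", packet[:12])
        if b0 >> 6 != 2:
            return self._drop("RTP version != 2")
        if len(packet) < 12 + 4 * (b0 & 0x0F):
            return self._drop("truncated CSRC list")
        if (b1 & 0x7F) not in self.payload_types:
            return self._drop(f"payload type {b1 & 0x7F} not negotiated")
        if self.ssrc is not None and ssrc != self.ssrc:
            return self._drop("SSRC mismatch (session injection)")
        advance = True
        if self.last_seq is not None:
            delta = (seq - self.last_seq) & 0xFFFF
            if delta == 0 or MAX_DROPOUT < delta < 0x10000 - MAX_MISORDER:
                return self._drop("sequence number outside window")
            advance = delta <= MAX_DROPOUT      # late packets do not move the window
        # Token bucket: credit the elapsed time, then charge this packet.
        self.bucket = min(self.capacity, self.bucket + (now - self.last_refill) * self.rate)
        self.last_refill = now
        if len(packet) > self.bucket:
            return self._drop("bandwidth exceeded")
        self.bucket -= len(packet)
        self.ssrc = ssrc
        if advance:
            self.last_seq = seq
        return True, "ok"


if __name__ == "__main__":
    # Constructed session: G.711 (PT 0/8) from 203.0.113.7:40000 to our port 30000, 96 kbit/s cap.
    hole = MediaPinhole(("203.0.113.7", 40000), 30000, 96, {0, 8}, now=0.0)
    print(hole.admit(("203.0.113.7", 40000), 30000, rtp_packet(100, 0xDEADBEEF), now=0.0))
    print(hole.admit(("203.0.113.7", 40000), 30000, rtp_packet(101, 0x00000001), now=0.02))
    print(hole.dropped)
```

With a 96 kbit/s cap the bucket holds 12000 bytes, so a flood of 172-byte G.711 packets sent in one burst gets 69 through before the 70th is dropped; the legitimate 50 packets per second (8600 bytes) never touch the limit.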
