August 16, 2007

Fixed Mobile Convergence (FMC) Security



By TMCnet Special Guest
Leonid Burakovsky, Director, Mobile and Convergence Marketing, Juniper Networks



Fixed Mobile Convergence (FMC) is a standards-based, next-generation network architecture that promises ubiquitous access to voice, video and data services on any mobile or wireline device. Although this network architecture enables providers to offer competitive, new revenue-generating services to their customers, it can also introduce network security concerns. As stated in a February 2007 report by McAfee, the number of mobile security incidents reported increased by 500 percent from 2005 to 2006. The same report stated that 83 percent of mobile operators were affected by mobile infections. Half of the operators surveyed admitted seeing attacks during the past three months, an occurrence previously considered highly unusual for mobile operators.

 
FMC security might be more challenging than many are anticipating since the concept of network security is changing. Currently, network security is focused primarily on transport layer security. This single-layer focus will be significantly expanded to a complex, multi-layer security matrix including the need to secure the control and signaling layers (SIP, DIAMETER, SIP-T, SIGTRAN, etc.) and service/application layer security. In addition, security for all layers will need to include integrated policy enforcement and secure access technology using multi-protocol Authentication, Authorization, and Accounting (AAA) services. Failure to implement multi-layer security exposes providers to a loss of network integrity, service revenue, and potentially corporate reputation.
 
Multi-Layered Security
Securing an FMC network requires securing all network layers (IP Transport/Packet Handling Layer, Policy and Control Layer, and Application & Service Layer) to protect against the vast and constantly changing network attacks that providers face daily from both inside and outside the network. External threats are typically widely publicized and include threats such as zero-day vulnerabilities, buffer overflows, SQL injections, viruses, worms and Trojans. Internal threats are often overlooked but are typically more common than external threats. Implementing multi-layered security helps to protect against both external and internal threats.
 
IP Transport Layer Security
The most vital areas to secure are the data plane, network protocols, access to the infrastructure and lawful enforcement. Data plane security focuses on anti-spoofing, IP fragment filtering and Access Control Lists (ACLs) to drop all inbound traffic with a suspicious source IP address or IP address range.
 
Network protocol security includes functionality such as BGP session security, Secure FTP and Secure Shell (SSH). Lawful enforcement includes CALEA (or other government-approved equivalents), Lawful Intercept (LI) and mirroring.
 
Policy and Control Layer
Providers must install stateless firewalls that can determine whether a packet is permitted into the network by analyzing basic information in the packet headers, as well as stateful inspection firewalls that monitor and control the flow of traffic between networks by tracking the state of sessions and dropping packets that are not part of authorized sessions. Firewalls must be capable of scaling to handle the volume of traffic flow so that the network’s performance is not negatively impacted. Additional security includes Virtual Private Networks (VPN) using IPSec for authenticating/encrypting IP packets, Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
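
Added example, not part of the original article or any vendor's code: a minimal Python model of the two firewall types described above, with a header-only anti-spoofing ACL as the stateless check and a session table that admits inbound packets only when they belong to a session opened from inside. The address ranges, packet fields and verdict strings are assumptions made for illustration.

```python
import ipaddress

# Constructed anti-spoofing ACL: ranges that should never appear as the
# source of a packet arriving from outside (assumed inside net: 10.0.0.0/8).
BLOCKED_INBOUND_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def stateless_permit(pkt):
    """Header-only decision: no memory of earlier packets."""
    src = ipaddress.ip_address(pkt["src"])
    return pkt["dir"] == "out" or not any(src in n for n in BLOCKED_INBOUND_SOURCES)

class StatefulFirewall:
    def __init__(self):
        self.sessions = set()  # sessions opened from the inside

    def process(self, pkt):
        if not stateless_permit(pkt):
            return "drop:spoofed-source"
        if pkt["dir"] == "out":
            if pkt["flags"] == "SYN":  # inside host opens a session
                self.sessions.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "permit:outbound"
        # Inbound: find the session this packet would be a reply to.
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.sessions:
            return "drop:no-session"
        if pkt["flags"] in ("FIN", "RST"):  # teardown ends the authorization
            self.sessions.discard(key)
        return "permit:established"

def make_pkt(direction, src, sport, dst, dport, flags):
    return dict(dir=direction, src=src, sport=sport, dst=dst, dport=dport, flags=flags)

# Constructed sample traffic; outside hosts use documentation address ranges.
SAMPLE = [
    make_pkt("out", "10.1.2.3", 40000, "198.51.100.7", 5060, "SYN"),
    make_pkt("in", "198.51.100.7", 5060, "10.1.2.3", 40000, "SYN-ACK"),
    make_pkt("in", "203.0.113.9", 5060, "10.1.2.3", 40000, "ACK"),
    make_pkt("in", "10.9.9.9", 1234, "10.1.2.3", 22, "SYN"),
    make_pkt("in", "198.51.100.7", 5060, "10.1.2.3", 40000, "RST"),
    make_pkt("in", "198.51.100.7", 5060, "10.1.2.3", 40000, "ACK"),
]

def run(packets):
    fw = StatefulFirewall()
    return [fw.process(p) for p in packets]

if __name__ == "__main__":
    print(run(SAMPLE))
```

The third and sixth packets pass the stateless ACL, since their source addresses look legitimate, and are dropped only because no matching session exists; that is the gap stateful inspection closes.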
 
For example, firewalls with SIP protocol awareness can provide confidentiality by detecting and mitigating toll fraud (when a hacker uses a PBX for long-distance calling) or eavesdropping (a man-in-the-middle attack). SIP firewalls should prevent hackers from listening to voice mails and accessing call logs, company directories and SIP-based control systems. SIP firewalls also protect SIP servers, IP phones and SIP control systems from worms, Trojans, DoS attacks and viruses.
 
In addition, firewalls with GTP (GPRS Tunneling Protocol, used in GSM and UMTS networks) awareness can detect and prevent overbilling attacks, SGSN and GGSN spoofing, flooding, bandwidth saturation, worms and roaming (2G and 3G) agreement violations.
 
Application/Service Layer
Intrusion detection and prevention systems (IDP) lend additional support to the role of firewalls by monitoring and analyzing network traffic for signs of attacks at the Application and Service layer. IDP can drop traffic that is deemed to be from a malicious user. These systems are designed to detect the presence of attacks within permitted traffic flow to the network by using stateful signatures that scan for attacks based on known patterns. These signatures should be easily customizable in order to fit different provider requirements and specific concerns. In today’s environment of constantly evolving threats, mobile operators require solutions that can protect against both unknown and known patterns. Many of the most significant threats involve ‘zero-day’ attacks, or unknown pattern attacks that leverage vulnerabilities for which there is no signature or software patch.
 
The ability of operators’ IP networks to support aspects such as QoS and security appears to have been assumed, rather than defined. There is no point in having a complex control system of defining network policies and QoS, if the infrastructure cannot reliably and securely support the policies demanded of it. Providers must deploy a variety of technologies that work together to minimize threats and decrease the severity of ongoing attacks by providing protection for all layers of the FMC network, while maintaining high performance networking.
 
Conclusion
FMC promises ubiquitous access to voice, video and data services on any mobile or wireline device by converging fixed and mobile networks. However, implementing an FMC network is only the beginning. It is also critical for providers to ensure that they include security for all network layers to protect the infrastructure, services, and users. Providers moving towards this architecture must consider the security ramifications to the network.
 
 -----
Leonid Burakovsky is Director, Mobile and Convergence Marketing, for Juniper Networks. For more information, please visit the company online.
 

 
