Sophisticated attacks require real time intrusion detection and analytics
This article focuses on mobile network security rather than on the devices themselves. The author claims that although the security issues around mobile devices are highly relevant, it is one only of several areas which needs to be carefully considered in an end-to-end network security perspective. The transition to all-IP networks are calling for new tools and solutions.
As the article will show, mobile operators are facing new security risks and vulnerabilities 1 2 by the transition to all-IP networks and the introduction of new services like Voice over LTE (VoLTE). Cost effective real-time intrusion detection and analysis is an essential capability in today’s security solutions to enable detailed threat and vulnerability analysis in order to protect critical network resources. In fact, some Asian and American operators, that operate with highly advanced networks and have implemented VoLTE, have already successfully introduced specific tools and solutions.
Since the first internet based Voice over IP (VoIP) services was launched based on open standards Session Initiation Protocol (SIP), work has been carried out on a continuous basis in order to deal with several security issues. The main objective has been to prevent different kinds of attacks and threats like signaling flooding and malformed messages, - and to define and implement countermeasures for these. Networks based on the IP Multimedia Subsystem (IMS) architecture count on several security and authentication mechanisms defined by the 3GPP standardization organization for protecting the network domain, access domain and media plane. At the access and network edge, Session Boarder Controllers (SBC), acting as a SIP-signaling and media plane firewall, shielding the core from malicious and Denial of Service (DoS/DDoS) attacks as well as providing topology hiding, media policing and many more functions.
European mobile operators are now preparing and verifying their core and radio networks for the introduction of voice and video services over all-IP LTE networks. Efforts are being made to verify end-to-end interoperability and security based on IMS service profiles, defining a minimum set of mandatory features. In order to protect the VoIP and IMS core network from today’s and tomorrow’s sophisticated threats and attacks, there is a need to detect signaling anomalies that could lead to a potential security threat or instability at an early stage. To enable this, each signaling header and message have to be analyzed in detail. Another challenge is to detect attacks initiated by a small number of malformed messages sent to different entry points in the core network which (may) result in a denial of service attack later on.
To be able to fully analyze the potential threats in real time and the variations in traffic levels, a VoIP/IMS aware Intrusion Detection System (IDS) may provide a visualization of the actual situation and automatically list SIP anomaly messages and trigger alarms. IDS would help operators not only to increase the level of protection and automate actions but also shorten problem detection and analysis phase and thus permit them to take actions before customers are impacted.
When evaluating different options for implementing a VoIP/IMS aware IDS system it is important to consider several factors, like the location of the IDS functionality within the core network. Others are the system's capability and the performance required for doing deep packet inspection of all the headers and message parameters. Existing network resources may have performance limitations or lack the required functionality for real time monitoring. Another important factor is the ability to discovering symptoms of security threats early, e.g. arbitrary attacks.
A non-intrusive solution based on a single centralized controller with distributed probes has the benefit of detecting traffic patterns from multiple detection points, also inside a VoIP/IMS core network. This would enable the early detection of symptoms of security threats, e.g. arbitrary attacks.
In the case of a VoIP or IMS system already in operation, a security audit is recommended as a first step to evaluate potential risks. This should ideally provide a detailed security risk analysis and assessment with severity ranks. If the operator is in the stage of planning, selecting or rolling-out a new IMS infrastructure, another option is to perform security testing before final decisions are taken.
Based on the results from the audit or the security testing, respectively, the operator can decide upon actions to be taken to implement the proper countermeasures of the threats and vulnerabilities identified.
Peter Snygg is Solution Manager in Blue Telecom Consulting, an international telecommunications consultancy that offers innovative and specialized consulting services and solutions to Operators, System Integrators and Network Equipment Vendors. Snygg is responsable for the solutions in the IMS area and Works at the company’s Stockholm office.
- Next-Gen Security Strategies for Mobile Network Infrastructure, Heavy Reading, Vol. 8, November 2010: heavyreading.com.
- Average DDoS Attack Size Growing Dramatically In 2013, 2.7Gbps In June. Findings from Arbor's Active Threat Level Analysis System show that DDoS continues to be a global threat, Information Week, Dark Reading, 8/2 -2013: darkreading.com.