Sophisticated attacks require real-time intrusion detection and analytics
Mobile network security is at the top of operators’ agendas and is discussed extensively at network security conferences and other industry events. This is partly because security threats and attacks are increasing in number and becoming more sophisticated. At a recent international Network Security Conference, a range of topics around mobile network security policy were thoroughly discussed. The overriding impression, though, was that the network security discussion focused almost purely on the end devices and the security around these. Little was said about the implications of moving from a circuit-switched network to an all-IP network, and thus about the exposure of the VoIP/IMS network to new security issues.
This blog post focuses on mobile network security rather than on the devices themselves. Although the security issues around mobile devices are highly relevant, they are only one of several areas that need to be carefully considered from an end-to-end network security perspective. The transition to all-IP networks calls for new tools and solutions. Mobile operators face new security risks and vulnerabilities with the transition to all-IP networks and the introduction of new services like Voice over LTE (VoLTE). Cost-effective real-time intrusion detection and analysis is an essential capability in today’s security solutions: it enables detailed threat and vulnerability analysis so that critical network resources can be protected. In fact, some Asian and American operators that run highly advanced networks and have implemented VoLTE have already successfully introduced specific tools and solutions.
Since the first internet-based Voice over IP (VoIP) services were launched on the open-standard Session Initiation Protocol (SIP), work has been carried out on a continuous basis to deal with several security issues. The main objective has been to prevent different kinds of attacks and threats, like signaling flooding and malformed messages, and to define and implement countermeasures for these. Networks based on the IP Multimedia Subsystem (IMS) architecture rely on several security and authentication mechanisms defined by the 3GPP standardization organization for protecting the network domain, the access domain and the media plane. At the access and network edge, Session Border Controllers (SBCs) act as a SIP-signaling and media-plane firewall, shielding the core from malicious traffic and Denial of Service (DoS/DDoS) attacks, as well as providing topology hiding, media policing and many more functions.
European mobile operators are now preparing and verifying their core and radio networks for the introduction of voice and video services over all-IP LTE networks. Efforts are being made to verify end-to-end interoperability and security based on IMS service profiles, which define a minimum set of mandatory features. In order to protect the VoIP and IMS core network from today’s and tomorrow’s sophisticated threats and attacks, signaling anomalies that could lead to a potential security threat or instability need to be detected at an early stage. To enable this, each signaling header and message has to be analyzed in detail. Another challenge is to detect attacks initiated by a small number of malformed messages sent to different entry points in the core network, which may result in a denial of service attack later on.
To fully analyze potential threats and variations in traffic levels in real time, a VoIP/IMS-aware Intrusion Detection System (IDS) can provide a visualization of the actual situation, automatically list anomalous SIP messages and trigger alarms. An IDS would help operators not only to increase the level of protection and automate actions, but also to shorten the problem detection and analysis phase, and thus permit them to act before customers are impacted.
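The two checks described above, per-message analysis of the SIP headers and detection of signaling floods, can be sketched in a few dozen lines. The following is an added example written for this post, not code from the original article or from any vendor product; the header limits, rate thresholds, probe addresses and sample messages are all constructed assumptions, and a production IDS would add many more checks (SDP body validation, dialog state tracking, per-method rates).

```python
"""
Added example, not code from the original post: a minimal SIP request
sanity checker plus a per-source flood detector, the two checks a
VoIP/IMS-aware IDS applies to every signaling message it sees.
Thresholds and the sample messages below are constructed for illustration.
"""
import re
from collections import defaultdict, deque

# Header fields RFC 3261 (section 8.1.1) requires in every SIP request.
MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "PRACK",
                 "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
MAX_HEADER_VALUE = 1024   # assumed limit; tune to what the core elements accept


def parse_sip(raw):
    """Split a raw SIP request into (request line, headers, body, bad lines).

    Headers are keyed by lower-cased name; folded continuation lines are
    joined to the previous header; lines without a colon are reported."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")   # latin-1 never raises
    headers, bad_lines, last = defaultdict(list), [], None
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and last is not None:   # folded header line
            headers[last][-1] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            bad_lines.append(line)
            continue
        last = name.strip().lower()
        headers[last].append(value.strip())
    return lines[0], headers, body, bad_lines


def check_sip_message(raw):
    """Return the list of anomaly labels found in one SIP request."""
    anomalies = []
    request_line, headers, body, bad_lines = parse_sip(raw)
    m = REQUEST_LINE.match(request_line)
    method = m.group(1) if m else None
    if not m:
        anomalies.append("malformed-request-line")
    elif method not in KNOWN_METHODS:
        anomalies.append("unknown-method")
    if bad_lines:
        anomalies.append("malformed-header-line")
    for name in MANDATORY_HEADERS:
        if name not in headers:
            anomalies.append("missing-" + name)
    for name, values in headers.items():
        for value in values:
            if len(value) > MAX_HEADER_VALUE:
                anomalies.append("oversized-" + name)
            if any(ord(c) < 32 and c != "\t" for c in value):
                anomalies.append("control-char-in-" + name)
    cseq = headers.get("cseq")
    if cseq:
        parts = cseq[0].split()
        if len(parts) != 2 or not parts[0].isdigit() or parts[1] != method:
            anomalies.append("cseq-mismatch")
    clen = headers.get("content-length")
    if clen and (not clen[0].isdigit() or int(clen[0]) != len(body)):
        anomalies.append("content-length-mismatch")
    return list(dict.fromkeys(anomalies))   # de-duplicate, keep order


class FloodDetector:
    """Sliding-window message-rate check per source address."""

    def __init__(self, max_msgs=100, window_s=1.0):
        self.max_msgs, self.window_s = max_msgs, window_s
        self.seen = defaultdict(deque)

    def observe(self, src, ts):
        """Record one message; True when src exceeds max_msgs per window."""
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.max_msgs


def audit_stream(events, detector=None):
    """events: iterable of (ts, src, raw_bytes); returns alert tuples."""
    detector = detector or FloodDetector()
    alerts = []
    for ts, src, raw in events:
        anomalies = check_sip_message(raw)
        if anomalies:
            alerts.append((ts, src, "malformed", anomalies))
        if detector.observe(src, ts):
            alerts.append((ts, src, "flood", []))
    return alerts


# Constructed sample traffic (RFC 5737 documentation addresses).
GOOD_INVITE = (b"INVITE sip:bob@example.net SIP/2.0\r\n"
               b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
               b"Max-Forwards: 70\r\n"
               b"From: Alice <sip:alice@example.net>;tag=1928301774\r\n"
               b"To: Bob <sip:bob@example.net>\r\n"
               b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
               b"CSeq: 314159 INVITE\r\n"
               b"Content-Type: application/sdp\r\n"
               b"Content-Length: 5\r\n\r\nv=0\r\n")
BAD_INVITE = (b"INVITE sip:bob@example.net SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKdeadbeef\r\n"
              b"Max-Forwards: 70\r\n"
              b"From: <sip:x@198.51.100.7>;tag=1\r\n"
              b"To: <sip:bob@example.net>\r\n"
              b"this line has no colon\r\n"        # no Call-ID either
              b"CSeq: 1 REGISTER\r\n"              # method does not match
              b"Content-Length: 99\r\n\r\n")       # body is empty

if __name__ == "__main__":
    stream = [(0.0, "192.0.2.10", GOOD_INVITE), (0.1, "198.51.100.7", BAD_INVITE)]
    stream += [(0.2 + 0.005 * i, "198.51.100.7", GOOD_INVITE) for i in range(120)]
    for alert in audit_stream(stream):
        print(alert)
```

Run as a script, it reports one "malformed" alert carrying four labels for the bad INVITE, then a stream of "flood" alerts once the same source passes 100 messages in one second. The flood check is deliberately per-source and stateless beyond a sliding window, which is what keeps it cheap enough to run inline at an SBC or a probe; correlating low-rate malformed messages across several entry points is a separate problem handled centrally.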
When evaluating different options for implementing a VoIP/IMS-aware IDS, it is important to consider several factors, such as the location of the IDS functionality within the core network. Others are the system’s capability and the performance required for deep packet inspection of all headers and message parameters. Existing network resources may have performance limitations or lack the functionality required for real-time monitoring. Another important factor is the ability to discover symptoms of security threats early, e.g. arbitrary attacks.
A non-intrusive solution based on a single centralized controller with distributed probes has the benefit of detecting traffic patterns from multiple detection points, including inside the VoIP/IMS core network. This enables early detection of symptoms of security threats, e.g. arbitrary attacks.
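The benefit of a central controller is easiest to see with the case raised earlier: a small number of malformed messages spread over several entry points, each below any single probe's alarm threshold. The following is an added example, not code from the original post or from any product; probe names, thresholds, time window and the reports themselves are constructed, and each report stands for one message a probe's own checker has already flagged.

```python
"""
Added example, not code from the original post: the cross-probe view
that a central controller has but any single probe lacks. Probe names,
thresholds and reports are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeReport:
    probe: str     # detection point, e.g. an SBC or a P-CSCF (constructed names)
    ts: float      # seconds on a clock shared by all probes
    src: str       # source address of the offending SIP message
    anomaly: str   # label assigned by the probe's message checker


def count_by_source(reports, window_s, now):
    """Number of anomalous messages per source inside the time window."""
    counts = defaultdict(int)
    for r in reports:
        if 0 <= now - r.ts <= window_s:
            counts[r.src] += 1
    return dict(counts)


def per_probe_alerts(reports, threshold, window_s, now):
    """Alerts each probe could raise on its own: {(probe, src): count}."""
    by_probe = defaultdict(list)
    for r in reports:
        by_probe[r.probe].append(r)
    return {(probe, src): n
            for probe, rs in by_probe.items()
            for src, n in count_by_source(rs, window_s, now).items()
            if n >= threshold}


def central_alerts(reports, threshold, window_s, now):
    """Controller alerts over the merged feed: {src: (count, [probes])}."""
    alerts = {}
    for src, n in count_by_source(reports, window_s, now).items():
        if n >= threshold:
            probes = sorted({r.probe for r in reports if r.src == src})
            alerts[src] = (n, probes)
    return alerts


# Constructed reports: one source sends two malformed INVITEs to each of
# four entry points within a minute; another source trips a single check.
PROBES = ["sbc-access-1", "sbc-access-2", "sbc-peering-1", "p-cscf-1"]
REPORTS = [
    ProbeReport(p, 10.0 * i + k, "198.51.100.7", "cseq-mismatch")
    for i, p in enumerate(PROBES) for k in (0.0, 1.0)
] + [ProbeReport("sbc-access-1", 30.0, "203.0.113.5", "missing-call-id")]

THRESHOLD, WINDOW_S, NOW = 5, 60.0, 60.0   # assumed tuning values

if __name__ == "__main__":
    print("per-probe:", per_probe_alerts(REPORTS, THRESHOLD, WINDOW_S, NOW))
    print("central  :", central_alerts(REPORTS, THRESHOLD, WINDOW_S, NOW))
```

With these inputs no probe reaches the threshold of five on its own, so the per-probe view is empty, while the controller sees eight flagged messages from the same source across all four detection points and raises one alert naming them. The same merge also suppresses the single stray report from the second source, which is the kind of noise a per-probe alarm with a lower threshold would have surfaced.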
In the case of a VoIP or IMS system already in operation, a security audit is recommended as a first step to evaluate potential risks. This should ideally provide a detailed security risk analysis and assessment with severity ranks. If the operator is in the stage of planning, selecting or rolling-out a new IMS infrastructure, another option is to perform security testing before final decisions are taken.
Based on the results of the audit or the security testing, respectively, the operator can decide on the actions needed to implement the proper countermeasures to the threats and vulnerabilities identified.
- Next-Gen Security Strategies for Mobile Network Infrastructure, Heavy Reading
- Average DDoS Attack Size Growing Dramatically In 2013, 2.7Gbps In June. Findings from Arbor’s Active Threat Level Analysis System show that DDoS continues to be a global threat, Information Week, Dark Reading