 GVHD :Ths.Hà Văn Kha Ly SVTH :Mai Thanh Minh Phan Anh Dũng     ! "#$ "  NGN SECURITY ARCHITECTURE – BEST PRACTI CE  %&'$       !  "  #$%&'(#)$ #*+!  "  ,-  %"  *." !  #  / ""+  (  *  (0  12  2  00 NGN SECURI TY ARCHITECTURE – BEST PRACTICE EXAMPLE  "##!""+ "  #+(-  +"+  "  3"(  *+  )4.    ,(".  ( EXAMPLE (CONTD.)  # "#5  '67687% 9'6'*."  "  #++  ".:6;" <&'=6/ "0/  # (1*/<. 9>96 ?.&:66@"*@  #"ABC,D"A+ #0*  EXAMPLE  #E.    @3( " +7'F7669.   +$7666"" * 1(+ .#".4 A  #".#$  '6768  G:7:(#.  (-HD$#""" (3+-.  @/(1@/(<.3" C % #)# [...]... Plane 8 Security Dimensions Attacks All of this requires NGN- specific expertise APPIN’S NGN F RAMEWO R K  Objective  Appin recommends the model for NGN Security Framework based on  Standards  Practices  Appin’s NGN Security framework will focus on securing the core network  Focus here will be identify potential major threats and risks and mitigation techniques required against them A PP I N... properly identified and inspected and not passed over as being ESP Encrypted I MP L EM EN T A T I O N R E QUI R EM E N T S  From an NGN point of view, the servers and gateways will be equipped with an integral IPsec machine, either in software or, preferably, as a hardware plug-in (security and performance aspect)  A Security Server (SecS) is required to control and manage the overall security environment.. .NGN Security Exercise Scope (ITU X.805 Standard) SECURITY LAYERS Threats Services Security Corruption Privacy Availability Data Integrity Communication Data Confidentiality Vulnerabilities Authentication Access Control Applications Security Non-Repudiation Destruction Removal Disclosure Interruption Infrastructure Security End-User Plane Control Plane Management Plane 8 Security Dimensions... sessions (outbound and inbound) Network Address Translation (NAT) traversal • Performance : network latency and jitter • Scalability • Unauthorized signalling and media messages • • Call admission and policy control Internetwork message inspection EXAMPLE - IMPLEMENTATION IPSEC AND OSS  After a thorough threat analysis of NGN Carriers, IPSec came out as a clear option to implement security at Network...  Standardized key generation and key distribution I MP L EM EN T A T I O N R E QUI R EM E N T S ( C O N T D )  The key management protocols are:   PKINIT (Public Key Initial authentication) and Kerberos   IKE PKCROSS, which is used for cross-domain key management All signalling control (e.g Real-Time Control Protocol RTCP) and even media streams (including RTP and UDP) are encrypted Media and. .. encrypted for confidentiality and even optionally for the purpose of message integrity using the Message Authentication Code (MAC) NGN Layer based security • Address Space and Routing Separation • • NGN Core Network - Private Addresses Trust network MPLS VPN Network Layer Application Layer • Stateful inspection firewalls • • Application Layer Gateways (ALG’s) • • • XML Security Middleware – IMS • •... E-VRRP (Evaluation of Virtual Router Redundancy Protocol) and IP FRR (IP Fast ReRouting) technologies can be used to implement fast protection switching between CE and dual PE Application Layer Security  ITU T recommends Middleware security for Application layer  Middleware recommendation also includes IMS Security  Middleware Service will simplify and unify service creation  It will curb exposure of... capabilities to third parties  Inherent increase of security threats and increase in the risk of attacks on network resources will be minimized APPL IC AT ION L AYE R SECU R IT Y  End-to-End Application layer security based on standard such as  XML Digital Signatures  XML Encryption  SAML (Security Assertion Markup Language)  Intrusion detection and prevention (IDP)  Deep packet inspection system... Packet Processing layer of NGN communication architecture  IPSec is especially useful for implementing VPNs and for remote user access over a dial-up connection to a private network  IPSec is especially useful for implementing VPNs and for remote user access over a dial-up connection to a private network  A big advantage of IPSec is that security arrangements can be handled without requiring changes... request for IMS edge authentication – NGN- SLA (Service Level Authentication) between UE and S-CSCF – Authentication options to be supported » Full IMS security (Authentication & Key Agreement (AKA) as defined by 3GPP (plus NAT traversal) » » – Residential Gateway for legacy equipment NASS bundled authentication IMS security shall be independent of access IP-CAN security ACCESS DO MAI N SECURIT Y (CONT . Integrity Availability Privacy 8 Security Dimensions Management Plane Control Plane Vulnerabilities Threats Attacks Destruction Corruption Disclosure Interruption Removal Applications Security Services Security Infrastructure. ! "#$ "  NGN SECURITY ARCHITECTURE – BEST PRACTI CE  %&'$      . Plane Vulnerabilities Threats Attacks Destruction Corruption Disclosure Interruption Removal Applications Security Services Security Infrastructure Security SECURITY LAYERS End-User Plane +<-4