06_Deltas FMC 4-FMC 3 Security (FT Workshop 180609)

1 © Nokia Siemens Networks 18th June 2009 Nokia Siemens Networks Fixed Mobile Convergence Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x Security


Page 1: 06_Deltas FMC 4-FMC 3 Security (FT Workshop 180609)

18th June 2009

Nokia Siemens Networks Fixed Mobile Convergence

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x Security

Page 2: 06_Deltas FMC 4-FMC 3 Security (FT Workshop 180609)

Agenda

• Introduction and overview of the deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x (IMPACT’s)
• Detailed Technical presentations of the Deltas
• OAM
• Charging
• Shared iFC
• Routing incl. Emergency, LI and Media Release
• IMS 6.2/FMC 4.2 Key Features
• Summary of FMC Documentation
• Provisioning
• Network Dimensioning and Planning
• Performance
• Security

Page 3: 06_Deltas FMC 4-FMC 3 Security (FT Workshop 180609)

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x Security on CMS 8200, CFX 5000 (1)

IMS 5.0 → IMS 6.0

• Blocking of IMPUs and IMPIs after multiple unsuccessful registration attempts
  – Intended to block dictionary attacks
  – After a client unsuccessfully tries to register multiple times in a row within a time interval, it will be blocked for further registrations for a specific amount of time
  – Number of tries, time interval and blocking time can be configured
• TLS support for Gm interface:
  – In addition to the HTTP Digest authentication, a TLS tunnel can be established to provide confidentiality and integrity protection between UE and P-CSCF.
  – TLS tunnel is set up before initial Register and stays up during the complete registration
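The registration blocking described on this slide, sketched as an added example (not code from the deck or from the CFX 5000). The class name `RegistrationGuard`, the return strings and the default values are assumptions; the three parameters correspond to the configurable number of tries, time interval and blocking time.

```python
import time
from collections import deque


class RegistrationGuard:
    """Blocks an identity (IMPI or IMPU) after repeated failed REGISTERs."""

    def __init__(self, max_tries=3, interval=60.0, block_time=300.0,
                 clock=time.monotonic):
        self.max_tries = max_tries    # failures in a row that trigger a block
        self.interval = interval      # seconds within which they must fall
        self.block_time = block_time  # seconds the identity stays blocked
        self.clock = clock            # injectable so the logic can be tested
        self._failures = {}           # identity -> deque of failure times
        self._blocked_until = {}      # identity -> time the block ends

    def is_blocked(self, identity):
        until = self._blocked_until.get(identity)
        if until is None:
            return False
        if self.clock() >= until:
            del self._blocked_until[identity]  # block has expired
            return False
        return True

    def record(self, identity, auth_ok):
        """Return 'accepted', 'rejected' or 'blocked' for one attempt."""
        if self.is_blocked(identity):
            # While blocked, even a correct password is not evaluated,
            # so a dictionary attack gains nothing from continuing.
            return "blocked"
        if auth_ok:
            # "In a row": a successful registration resets the count.
            self._failures.pop(identity, None)
            return "accepted"
        now = self.clock()
        fails = self._failures.setdefault(identity, deque())
        fails.append(now)
        while now - fails[0] > self.interval:
            fails.popleft()  # forget failures older than the interval
        if len(fails) >= self.max_tries:
            self._blocked_until[identity] = now + self.block_time
            del self._failures[identity]
            return "blocked"
        return "rejected"
```

Keying the guard on the identity rather than the source address means a legitimate subscriber can be locked out by someone else's failed attempts, which is one reason the blocking time is kept configurable.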

Page 4: 06_Deltas FMC 4-FMC 3 Security (FT Workshop 180609)

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x Security on CMS 8200, CFX 5000 (2)

IMS 5.0 → IMS 6.0

• HSS Subscriber Provisioning GUI:
  – HTTPS is supported for the provisioning GUI
  – Digest password is hidden from the administrator

Page 5: 06_Deltas FMC 4-FMC 3 Security (FT Workshop 180609)

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x Security on CMS 8200, CFX 5000 (3)

IMS 6.0 → IMS 6.1

• IBCF (Interworking Border Control Function):
  – New role on CFX 5000 for IP peering
  – Main security features:
    - Pinholing, NAT, IP version interworking
    - DoS protection on Ic interface
    - Enforcement of Service Level Agreements
• Changes at Gm Interface:
  – Enhancements of DoS protection:
    - Counting of valid requests of registered subscribers: Invite, Subscribe, Message, ...

Page 6: 06_Deltas FMC 4-FMC 3 Security (FT Workshop 180609)

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x Security on CMS 8200, CFX 5000 (4)

IMS 6.1 → IMS 6.2

• Special LAN Separation (for FT):
  – On an S-CSCF a separate LAN for Charging is supported
  – On the P-CSCF and I/S-CSCF the ENUM traffic is moved from the OAM LAN to IMS LAN 1 (used for MW, ISC, Cx, ...)
  – On the HSS, a separate LAN for Provisioning is supported
• Password Encryption on the Cx interface:
  – The HTTP Digest password transmitted on Cx in a Cx MAA message shall be encrypted to protect it from eavesdropping.
  – This is a temporary solution until full Zb support is available (IMS 7.1)

Page 7: 06_Deltas FMC 4-FMC 3 Security (FT Workshop 180609)

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x Security on HiQ (1)

FMC 3.x → FMC 4.x

• FRN 2590 R13.0: Security on the h8k and HiPath SOAP Server Interface
  – SOAP/XML methods authorized for a specific server interface can be restricted
  – Optional protection of the SOAP/XML interfaces via mutually authenticated TLS
• FRN 2591 R13.0: SFTP protection of CDR delivery
  – Secure FTP protection of CDR delivery to the billing server by a push from the hiQ 4200/hiQ 8000 is provided

Page 8: 06_Deltas FMC 4-FMC 3 Security (FT Workshop 180609)

Deltas between FMC 4.x/IMS 6.x and FMC 3.x/IMS 5.x Security on HiQ (2)

• FRN 5006NWT: SIP Registration P-Access-Network-Info Header Handling for Security
  – The port number (token) from the P-Access-Network-Info header is parsed.
  – It will be determined if the received token matches one of the tokens provisioned for the calling subscriber.
  – Depending on this, the call is continued or not