Security in A-IMS

The Advances to IP Multimedia Subsystem (A-IMS)[1] is a mobile multimedia service system, which was released by Verizon Wireless, the second largest mobile operator in the USA, along with its suppliers Cisco, Lucent, Motorola, Nortel and Qualcomm, in July 2006. Based on the 3rd Generation Partnership Project 2 (3GPP2)’s Multimedia Domain (MMD), the A-IMS architecture not only integrates all the service functions based on the Session Initiation Protocol (SIP) of the IP Multimedia Subsystem (IMS) and Multimedia Domain (MMD), but also supports the non-SIP applications. As for network operation, it makes some extension and supplement to the security of the IMS/MMD network, such as the addition of the Security Operation Center (SOC) and posture agent.

1 Service Functions Supported by A-IMS
The A-IMS not only inherits all the service functions from the IMS/MMD, but also makes enhancement and extension in security, mobility, policy, Quality of Service (QoS), peering, accounting, legal monitoring, emergency call and presence.

2 A-IMS System Architecture
Figure 1 shows the A-IMS system architecture. Its major Network Elements (NE) are the IP Gateway (IPGW), Bearer Management (BM), Application Management (AM), Policy Management (PM), Security Management (SM), Service Broker (SB), Service Data Management (SDM) and Access Terminal (AT). The SM, PM, BM, IPGW and AT are related to security.

    Although the names of the A-IMS NEs are different from those of the IMS NEs[2] of 3GPP and MMD NEs[3] of 3GPP2, the A-IMS NEs, except SM, are parallel to the IMS NEs defined by 3GPP, 3GPP2, and even TISPAN[4]. For example, the AM, SDM and PM are corresponding to the Call Session Control Function (CSCF), Home Subscriber Server (HSS) and Policy Decision Function (PDF) in the IMS, respectively. As the core of the SOC, the SM is responsible for collecting the information of security events in the A-IMS NEs, completing intrusion detection, controlling equipment operation, and distributing security policies. It is also in charge of the posture evaluation for mobile teminals. According to the compatibility between terminals and network equipment, it decides whether the terminals are allowed to access, and which kinds of services they can enjoy.

3 Security threats to IMS
The security threats to the IP-based IMS system include the following:

    (1) Detection Threat
    Through scanning the network’s topology, hackers can identify easy-to-attack devices without hassle.

    (2) DDoS Attack
    Distributed Denial of Service (DDoS) is the most dangerous attack to the current IP network. It can cause any high-performance system to crash.

    The A-IMS pays special attention to solutions to the detection and prevention of this kind of attack.

    (3) Interrupting and Taking over Equipment
    This attack belongs to the broker attack. Usually, it illegally accesses the special devices (by means like illegally adding a route into the routing table) along with detection.

    (4) Illegal Service Use and Service Fraud
    This means the unauthorized use of network resources.

    (5) Zero Day Attack
    It attacks the network on some special day.

    (6) Stealing Private Information from Host or AT
    It is the behavior of collecting private information from the AT by spy software and malicious programs, including transferring personal information, eavesdropping SIP calls, and recording and reporting service use ratios.

    The A-IMS improves the security mechanism in IMS/MMD, adds new NEs like the SM, and establishes a new security system. It realizes the prevention, monitoring and control of attacks.

4 A-IMS Inherits IMS’s Security System
The A-IMS inherits all the security characteristics of theIMS/MMD, such as authentication, encryption and the protection algorithm for data integrity.

    Therefore, it has the same algorithms with the IMS/MMD in legality checking for SIP users, and the data privacy and integrity[5-7]. Moreover, the algorithms have considered the support to the non-SIP applications. (A-IMS’s inheritance from the IMS security system mentioned in this paper refers to its succession of the authentication and encryption mechanism, however, there are some changes in detail.)

    (1) Authentication Algorithm
    There is Lay-2 initial access authentication, IP mobile service authentication and SIP application authentication in the A-IMS system. Moreover, the authentication is necessary for secure communications between NEs. The A-IMS has different authentication algorithms for integrated devices and non-integrated devices.

    For integrated devices, the A-IMS employs 3GPP2 Authentication and Key Agreement/IP Security (AKA/IPSec) to SIP application, while using specific authentication protocols to non-SIP application, such as Transport Layer Security (TLS).

    For non-integrated devices, it uses 3GPP2 AKA/IPSec or TLS to SIP application, while also adopting specific authentication protocols to non-SIP application such as TLS.

    (2) Encryption and Data Protection
    The A-IMS also uses the encryption and data integrity algorithms, as shown in Table 1.

5 A-IMS Security System Enhancement
Compared with the IMS, the A-IMS enhances the integrated security and unified security management, SOC, device admission control, and security policies.

5.1 Integrated Security and Unified Security Management
Since the A-IMS has to handle network traffic at Gigabit rates, it integrates security mechanism into every NE in the system to avoid the network “bottleneck”. The NEs dispersed in different locations can work under unified security policies by the SOC distributing the policies and by the SM checking security events. In this way, unified security management in the entire network is fulfilled. For instance, the SOC can use the integrated security mechanism to distribute the security policies like the traffic standard to every NE, identify, distinguish and trace any abnormal behavior through local and remote measurements, and then quickly block the spread of viruses. This unified integrated security mechanism greatly improves the security of the entire system compared with that of the IMS/MMD.

5.2 SOC
The SOC, mainly used in centralized monitoring, reporting and processing, is the most important entity newly added into the A-IMS, and is the core of security management of the entire system. It, through making and distributing policies, collects the security information from the NEs like AM, checks service status, and identifies, analyzes and handles outside intrusions. It provides mature and robust protection to the A-IMS. Besides, the SOC has the capabilities of accident management and judicial investigation assistance, which helps crisis handling.

    Since the SOC is crucial for the security of the entire network, it is usually necessary to use redundant devices and Uninterruptible Power Supply (UPS) for the reliability of SOC hardware. Moreover, the authorization of SOC operators should be clearly defined, and nobody except authorized persons can log in the SOC.

    Background monitoring should also be conducted for operations of any SOC operators, and careful auditing on the security rules of internal information of the SOC is a must to ensure its normal operation.

5.3 Device admission control
Device admission control is a kind of network behavior that decides if the terminal is allowed to access the network. Moreover, it determines the service levels for the accessed terminals according to their security postures.

    The A-IMS classifies terminals into three types: the voice-only closing terminal, the advanced terminal supporting voice and data, and the personal computer with EV-DO ability. The last two are Intelligent Agent Technology (IAT) terminals, and are the major objects of device admission control of the A-IMS.

    Device admission control is a major part for security enhancement. The access control measures, such as authorization and encryption, are used to implement device admission control in the A-IMS network. Moreover, the A-IMS has a new function of security agent that can verify the security status of the AT and determine the security level for its access. If the security agent runs in the IAT, it is called Posture Agent (PA); if it works in such network devices as the AM and BM, it is Mobile Security Agent (MSA).

5.3.1 PA
The PA in the IAT is an important part for device admission control. It collects the posture information about the AT (including if the version of the operating system is authorized, and whether it has patched correctly), and sends the results to the SM through the IPGW.

    In an initial IAT access, the SM checks the information report of the device posture sent by the PA, and, according to the related security policies, decides an initial policy corresponding to the IPGW: a limited or a full access. If it is a limited access, the related security policies will download to the BM so that the devices connect to the SIP service port for emergency call handling on a specific AM only through the BM. Moreover, Web traffic will be transferred to the update server that asks users to download the updated software.

    The benefits of the device admission control based on the PA are the following:

• It ensures the consistency of security policies between user equipment and the network, and prevents worms, viruses, and spy and malicious software in advance. It helps operators pay more attention to the precaution rather than be busy in handling security events, which greatly improves the security of the A-IMS network.
• It offers a measure for checking and controlling the AT connected to the network with no need to consider the specific access modes. This improves the adaptation capability and scalability of the network.
• It refuses incompatible and uncontrollable terminal devices, avoiding any impact on network availability.
• It can reduce the operational payment caused by the identification and repair of incompatible, unmanageable and infected systems.
• It protects vulnerable, incompatible and uncontrollable terminal devices from attacks, which also improves the availability of the network.

5.3.2 MSA
The MSA, which lies on the NEs like the AM and BM, cooperates with the PA to implement the function of device admission control. Moreover, it can monitor equipment status according to the requirements of the SM, assist the SM in checking and removing threat of “Zero Day”, and reduce the maintenance cost in system attack repair, which is very important when multiple access modes exist in the network (like WiFi and broadband access). With the capability of reverse firewall, the MSA can analyze the behavior during checking threats rather than only relying on users’ signature, which is very important for preventing the “Zero Day” attack.

    The MSA has all the functions the PA has. In addition, it has the following functions:

• Host intrusion prevention
• Blocking the spy ware
• Preventing buffer overflow attack
• Providing capability of distributed reverse firewall
• Stopping malicious mobile code intrusion
• Ensuring the integrity of the operating system
• Auditing the log
• Enhancing QoS application

5.4 Security Policies
The security policies are those that the SOC asks the system to run automatically when a security event happens in the network.

5.4.1 Hierarchy of Security Agents
The security policies play an important role in the A-IMS. By them, the SM can implement security management, DDoS prevention, access control, intrusion prevention, authorization and device admission control. The SM uses a
built-in Mobile Security Agent Major Controller (MSA-MC) to control the MSAs of other NEs.

    The MSA in the IAT collects the information about the host, and then sends the information to the MSA-MC. According to the related policies, the MSA-MC preprocesses the relevant information, and sends the results to the Home Security Management (H-SM), where the SM will make posture evaluation and abnormal behavior checking, and determine a security level for the access.

5.4.2 Multi-level Management Model of SOC
With the SOC, the A-IMS fulfills multi-level policy control. The national SOC distributes security policies to local SMs, implementing the unified security management in the entire network.

5.5 Precaution of DDoS
The A-IMS employs the self-learning algorithm to prevent DDoS. The algorithm can learn the traffic model to adapt itself to a special network condition. For example, it can learn SIP behavior to determine a proper traffic threshold. The A-IMS can distinguish legal, suspected and malicious traffic, and only legal traffic is allowed to pass its NEs.

    The function of DDoS precaution usually runs in an unremarkable background model. When the system is suspected to be attacked, the traffic diversion mechanism will be activated to redirect traffic to the protection system for analysis and control, and then return legitimate traffic to the network.

5.6 Security Log and Report
All the A-IMS NEs, including AM, BM, IPGW, AP and SDM, support standard registration and report of security events. The warning of security events will be sent to the security incident management subsystem to conduct persistent storage, analysis and auditing. The subsystem, as a log collection station, employs near real-time transmission to implement real-time monitoring of security operations.

    The A-IMS log transmission is based on the IP Flow Information Export (IPFIX) protocol, Security Device Event Exchange (SDEE) protocol, Simple Network Management Protocol version 3 (SNMPv3) and Syslog protocol.

6 Conclusions
In the IMS/MMD, the network security is divided into intra-domain security and cross-domain security. The former is further subdivided into access security and core network security. The A-IMS improves the access security by introducing the mechanisms such as PA, MSA, two-way firewall and IDS/IPS, while it employs the policy-based centralized security management mechanism that makes every NE in the control of the central SOC and greatly enhances the core network security.

    Generally, compared with the IMS/MMD, the A-IMS greatly improves the
intra-domain security. As for the cross-domain security, the A-IMS inherits the original mechanism of the IMS/MMD and uses the IPSec to implement the cross-domain communication encryption.

    Overall, the security mechanism of the A-IMS is stronger then that of the IMS/MMD.

    (1) The SOC/SM is introduced into the A-IMS for multi-level security management of the network, which fulfills the integral and centralized control of system security.

    (2) The A-IMS proposes the concept of security policy. The security policies help implement the automatic control of network security.

    (3) The A-IMS emphasizes the unified security management of the overall system. It integrates security management into every NE. The SM collects and analyzes security events in the NEs, and makes proper handling according to the security policies.

    (4) The A-IMS employs two-way firewall and IDS/IPS to protect both the network and terminals from being attacked.

    (5) The A-IMS proposes the concept of PA and MSA. The PA is set up in the IAT for checking the version and patches of the operating system and firewall of terminals. This enforces terminals to reach the security level required by the network.

    The A-IMS stands for the research direction of the IMS security. However, the A-IMS standardization is still in the stage of network framework description, and has many unclear details such as terminals’ support (compatibility) of PA, content of exchanged security information, and the specific definition of security policies. The specifications about compatibility of terminals specially need to be written into widely recognized 3GPP/3GPP2 standards because they require the support of handset manufacturers in the world. Besides, the complexity of the A-IMS security system increases the difficulty of system implementation. For example, the faulty system design will affect the system’s stability, thus hindering the popularization of its application. Nevertheless, the A-IMS has advanced security concepts, which can meet the practical demands of operators. Therefore, it will probably become the security standard for the next-generation converged network.

References
[1] Verizon Wireless. Advances to IP Multimedia Subsystem (A-IMS)Architecture [S]. 2006.
[2] 3GPP TS 23.228. IP Multimedia Subsystem (IMS): Stage 2. [S]. 2006.
[3] 3GPP2:X.S0013-002. IP Multimedia Subsystem (IMS): Stage 2. [S]. 2006.
[4] ETSI ES 282 007. IP Multimedia Subsystem (IMS) Functional Architecture [S]. 2006.
[5] 3GPP2:S.S0086-9. 3GPP2 IMS Security Framework. [S]. 2006.
[6] 3GPP TS 33.203. 3G Security; Access Security for IP-based Service (SA3). [S]. 2006.
[7] 3GPP TS 33.210. 3G Security, Network Domain Security, IP Network Layer Security [S]. 2006.
[8] 3GPP TS 33.310. Network Domain Security (NDS), Authentication Framework (AF) [S]. 2006.

Manuscript received: 2006-12-27

[Abstract] The Advances to IP Multimedia Subsystem (A-IMS) architecture, based on the 3rd Generation Partnership Project 2 (3GPP2)’s Multimedia Domain (MMD), integrates all the service functions based on the Session Initiation Protocol (SIP) of the IP Multimedia Subsystem (IMS) and Multimedia Domain (MMD). Moreover, it supports the non-SIP applications. As for network operation, the A-IMS architecture makes some extension and supplement to the security of the IMS/MMD network, such as the addition of Security Operation Center (SOC) and posture agent, which greatly improves the security of the IMS/MMD network. The research of A-IMS is still in the stage of framework description, and still has many unclear details such as terminal support for the posture agent, content of the security information exchange, and definition of security policy, which ask for further research.