Security Technologies for NGN

Teng Zhimeng Wu Bo Wei Yinxing

（Central Research Institute of ZTE Corporation,

Nanjing 210012, China）

T he rapid growth of Internet applications is bringing increasing security threats such as illegal use of network resources and services,Denial of Service（DoS）,worms,Trojan horses,and even malicious attacks and damages into networks.Network operators,Service Providers（SP）and users have suffered huge loss from such security attacks and threats;therefore,they awake to the pretty serious security problems existing in the IP-based Internet.The network openness and inherent vulnerability of the IPnetwork make the Internet vulnerable to various attacks.Furthermore,with the development of Next Generation Networks（NGN）,everything over IPis becoming a development basis for various network technologies.Research institutes such as the International Telecommunication Union-Standardization Sector（ITU-T）and the European Telecommunications Standards Institute（ETSI）are all studying IP-based NGN,and almost every research institute has a special team working on network security.Some institutes even require that each of their technical standards should have the“Security Consideration”section.

Therefore,the security in NGN has been paid special attention,although it is still an immature technology［1-5］.This paper studies NGNsecurity in terms of basis［6-8］,requirements［2-9］,security system architecture［11-14］and security mechanisms［15-17］,which are expected to be good references to the research and deployment of NGN in China.

1 Security Basis of NGN

The IP-based NGN includes applications,service layer and transport layer.The service layer separates the service controlfrom the application and service support,and the transport layer separates the transport control sub-layer from transport sub-layer.It supports all the available access technologies,and provides voice,data,video and stream media services.It can also support the diversified services in current mobile networks,fulfill the fixed and mobile network convergence,and ensure Quality of Service（QoS）according to users'requirements.

The NGN architecture,as shown in Figure 1,consists of applications,the service control layer,transport control layer,transport layer,network management system,user network and other networks.The security system proposed in this paper is based on this architecture.

ITU-TRecommendation X.805 defines a network security architecture for providing end-to-end network security.As shown in Figure 2,the architecture includes three layers,the three planes and eight dimensions:three layers are the Infrastructure Security Layer,Services Security Layer,and Applications Security Layer;the three planes are the Management Plane,Control Plane,and End-User Plane;the eight dimensions are Access Control,Authentication,Non-repudiation,Data Confidentiality,Communication Security,Data Integrity,Availability,and Privacy.

The security layers and planes in the X.805 architecture are independent from each other,which effectively protects the security of the other layers and planes when one layer or plane is attacked.The architecture is theoretically an abstract network security model,and can be applied to create a specialnetwork security architecture with its guideline of

Abstrac t:With the development of NGN technologies and everything over IP,network security has become an important part of the current network.The 3 layers by 3 planes by 8 dimensions security architecture defined by ITU X.805 for systems providing end-to-end communications is the basis of the research and application of network security technologies.NGN has several security requirements including security strategy,authentication,authorization,access control and audit,time stamp and time source.NGN divides the network into different security areas in both logical and physical ways,and there are different security strategies for different areas.Through the security mechanisms of identification,authentication and authorization,transmit security,access control,audit and supervision,etc,the security requirements of the network would be realized.security strategies,security event handling,and establishment and security evaluation of the security architecture.Therefore,this architecture has become a foundation for research and application of information network security technologies.

▲Figure 1. NGN architecture.

The security area of the Internet Engineering Task Force（IETF）is responsible for making Internet security standards.Its standards,such as Internet Protocol Security（IPsec）and Internet X.509 Public Key Infrastructure（PKIX）,involve extensive security issues,and concern pratical application.The IETFhas made a large number of security-related Requests for Comments（RFC）,and other standardization organizations have used these RFCs into their network architectures.

The NGNsecurity architecture proposed in this paper is based on the X.805 security architecture,and integrates the NGNarchitecture and IETF security protocols related to the security system design,as shown in Figure 3.It can effectively guide the implementation of NGN security solutions.

2 Security Requirements of NGN

Network security requirements are from users,and network operators,as well as from SPs.They seem particularly important after IPreplaced circuit switching in telecommunication networks.

In order to provide network providers,SPs and users with a secure and trusted environment preventing attacks,NGN should prevent unauthorized access to the resources,services and user data in network equipment,restrict the visible range of network topology,guarantee the privacy and integrity of control messages,manage messages and user profiles transported in networks,monitor network traffic,and manage and report abnormal traffic.

According to ITU-TX.805 and the analysis of NGN security threats and NGN's vulnerability,NGN security requirements can be classified as follows:

（1）Requirement on Security Strategies

Security strategies are a set of rules,defining legitimate users of the system and their access rights,and describing what messages and why the messages will be protected.There are different user entities,various network devices from different vendors,different network architectures,different threat models and unbalanced available security functions in the NGN environment;therefore,appropriate security functions can hardly be developed without the given feasible security strategies.

▲Figure 2. ITU X.805 end-to-end security architecture.

Figure 3.▶NGN security infrastructure.

（2）Requirement on Authentication,Authorization,Access Control and Audit

Authentication and authorization are necessary for both inter-security domains and intra-security domain access to resources and services in NGN.Only authenticated entities are authorized to use registered resources and services.This requirement ensures that only legitimate users are able to access resources,system and services,and prevent illegalaccess to them.Besides,it automatically reports all the security related events,and generates manageable documents with access control rights for auditing security event.

（3）Requirement on Time Stamp and Time Source

NGN is required to offer a creditable time source like the system clock and time stamp for auditing,which will become the credential for unauthorized event handling.

（4）Requirement on Resource Availability

NGN should be able to limit the number of the important network resources allocated to a certain service request,discard the packets that do not conform to the security strategies,restrict burst traffic,mitigate the impact of burst traffic on other services,and prevent DoS attacks.

（5）Requirement on System Integrity

Based on the security strategies,NGN equipment should be able to verify and audit its resources and system,and to monitor unauthorized changes of the equipment configuration and system to prevent viruses such as worms and trojans.Therefore,the equipment is required to periodically scan its resources according to the security strategies,and to generate logs and warnings once a problem is discovered.However,the monitoring should not change the delay for real-time services on the equipment or cause any connection interruption.

（6）Security Requirement on Operation,Administration,Maintenance and Provision

NGN is required to support the management of the trusted,vulnerably trusted and distrusted domains,and to guarantee the security of Operation,Administration,Maintenance and Provision（OAMP）to prevent the equipment from being illegally taken over.

（7）Requirement on Identity and Secure Registration It is required to prevent identity theft;stop network equipment,terminals and users in disguise and deception;and avoid illegal access to resources,system and services.

（8）Security Requirement on Communications and Data

It is required to ensure the security of communications and data,including user-plane,control-plane and management-plane data.It is also necessary to protect the security of interfaces between users and logic network elements,between logic network elements,and between different operators as well.Signaling should protect privacy and integrity hop by hop.

（9）Requirement on Privacy Guarantee

It is required to protect the privacy of operators'and SPs'networks,and of user profiles as well.

（10）Requirement on Key Management

In order to protect the security of key exchange between trusted and distrusted domains,the key management mechanism should support transversal of Network Address Translation/Network Address Port Translation（NAT/NAPT）equipment.

（11）Requirement on Interconnection of NATand Firewall

The NAT/firewall function in NGN should be supported.The firewall may be Application-Level Gateway（ALG）,agent equipment,packet filter equipment,NAT/NAPTequipment,or a combination of such equipment.

（12）Requirement on Security Guarantee

It is required to evaluate and authorize the security of NGN equipment and system.The threat,vulnerability and risk assessment should point out potential threats and misuse in the network.

（13）Requirement on Security Mechanism Enhancement

The definition and selection of encryption algorithms should conform to ES 202 238［10］.

（14）Other Security Requirements

The research on requirements of security management and undeniability has not been conducted yet.

3 NGN Security Architecture

NGN security architecture is a system,and it is difficult to use single standard to define it.Its design should meet the following requirements:

·Scalability and availability

·Based on mature security mechanism and implementation technology

·Able to fulfill the separation of the application,service and transport layers,with different security countermeasures for different layers

·The application of security countermeasures should not influence QoS

·Meet security requirements of network operators,SPs and users

·Interoperability NGN introduces multiple commercial models into its network architecture.For example,the access and backbone networks may belong to different operators that they have different security strategies,and it is necessary to separate security issues at different layers.NGN logically and physically divides the architecture in Figure 1 into several security domains.Each security domain is corresponding to a specific security strategy.Operators protect inter-security-domains and intra-security-domain function elements and activities by implementing security strategies.

A security domain can be divided into trusted,vulnerably trusted and distrusted sub-domains.For a certain network operator,the trusted sub-domain refers to the security area that does not communicate with user equipments directly,and that is totally controlled by the operator,such as the backbone network;the vulnerable trusted sub-domain is the security area that links the trusted and distrusted sub-domains,and that is managed but not necessarily controlled by the operator,such as the access network and boundary gateways;the distrusted security sub-domain is not managed by the operator,such as user networks and distrusted networks of other operators.Different security sub-domains suffer different threats,vulnerability and risks,and accordingly have different security requirements.This asks network operators and SPs to make special security strategies for different domains,and to protect the security of their networks and end-to-end user services in the networks by integrating the different security strategies.

▲Figure 4. NGN security system architecture.

According to the layered NGN architecture（shown in Figure 1）,the NGN security architecture is horizontally divided into transport layer security subsystem and service layer security subsystem.The two subsystems should be independent of each other.The former is responsible for the security of data transmission while the latter handles the security of the service platform.For example,Telecom and Internet Converged Services and Protocols for Advanced Network（TISPAN）specifies that the transport layer uses Network Attachment Subsystem（NASS）credentials,the service control layer uses IPMultimedia Subsystem（IMS）Authentication and Key Agreement（AKA）,and the application layer adopts Universal Subscriber Identity Module（USIM）and Universal Integrated Circuit Card（UICC）-based Generic Bootstrapping Architecture（GBA）（GBA-U）.

The NGN security architecture is vertically divided into access network security subsystem,backbone network security subsystem,and service network subsystem.The division changes the original end-to-end security into piecemeal network security.Vertically,NGN can also be divided into multiple security domains.

The access network uses its access control component to control users'access,prevent unauthorized users from accessing the transport network,and allocate IPaddresses for user terminals.

The backbone network controls network interconnection through boundary gateways,and it allows only authorized user,control and management planes of other networks to access the trusted domain.The service control component of the service network,together with its application and service support component,when necessary,authorizes and controls users'access to services to prevent unauthorized access to services.

Security Gateway Functions（SEGF）link the security domains,as shown in Figure 4.Besides SEGF,there are possibly Security Gateway（SEG）Certificate Authority（CA）,and interconnection CA in every security domain.SEGFs in the same security domain implement intra-domain end-to-end security by IETFsecurity protocols.

An SEGFis a boundary entity of a security domain,and it is the major network element used for preventing attacks from other security domains.It separates traffic from the trusted domain with that from other security domains.The traffic from the other security domains is required to go through a special SEGFif it wants to go into the trusted domain.Pre-verification is necessary for transferring traffic from the other security domains to the trusted domain.These ways are used to avoid security issues,such as interception,falsification,DoS,address and identity fraud,eavesdropping,and counterfeiting,to take place in the trusted domain.For example,based on a specified security strategy,access control can be implemented on the management and control planes to restrict the access of certain users or users'access to certain services.SEGF is required to implement equipment-level physical security countermeasures,system reinforcement,security signaling,and OAMPVirtual Private Network（VPN）.Besides,it should have such functions as firewall,invasion detection,content filtering,VPNaccess,and VPN interconnection.

The security services SEGFcan offer include authentication,authorization,privacy,integrity,key management,and strategy implementation.

SEGFtrusts the requests from the trusted domain,and does not verify them.

4 Security Mechanisms

Security mechanisms are used to meet those security requirements in the security architecture,preventing security issues such as unauthorized information collection;unauthorized information interception;illegal equipment takeover and control;destruction,deletion,modification and disclosure of resources and imformation;and interruption of services.

4.1 Identity Recognition, Authentication and Authorization Mechanism

A user who is going to access a service in the network must assert its identity to the network and the service so that the network and the service can recognize whether he is an authorized user to access the applied service and resources or not.Now,there are various kinds of identity recognition technologies such as Subscriber Identity Module（SIM）card,intelligent card,user name/password,equipment series number,telephone number,identification,token,biometric code,digital certificate,and message authentication code.

Multiple access modes,and different network operators and SPs coexist in NGN.Therefore,it is necessary to establish a kind of trusted relationship between NGNusers and the networks and services in it,so that the users can seamlessly and transparently enjoy network services.In order to implement unified management of users,standard organizations such as OPENID,OASIS and LIBERTYALLIANCE,are studying Identity Management（Id M）.Besides,ITU-Thas set up a special Focus Group（FG）to fulfillthe management of NGN entities,such as SPs,network operators,network elements,user equipment and users,with unified identity in the future.

According to security strategies,one-way or two-way authentication is possibly required in the following cases:

·The entities in the distrusted domain access the vulnerably trusted domain entities;

·The entities in the distrusted domain access the trusted domain entities through the vulnerably trusted domain;

·User terminals acess the distrusted domain entities;

·The entities inside a security domain access each other.

That is to say,the entity that has initiated an access request has to exchange credentials with the authenticator who manages the accessed entity.The authenticator,according to the received credentials,willuse the prearranged shared key or X.509 certificate to relate the resource or service request to the network equipment,user equipment and the user who initiated the request.

Then it will use pre-stored credentials of that network equipment,user equipment and user to conduct identity authentication.Only the authenticated entity is allowed to communicate with the entity that it has requested to access.Moreover,according to the security strategies,the access rights of the authenticated entity are possibly limited to ensure that this entity accesses authorized resources and services only.There are many authentication and authorization technologies,including IETFPAP,CHAP,EAP,PANA,RADIUS,DIAMETER,LDAP,Kerberos,3GPPAKA,GAA/GBA and IEEE 802.1x.

4.2 Transport Security Mechanism

VPNtechnology is used to protect the security of signaling and OAMP messages in the NGNarchitecture.

Transport Layer Security（TLS）is the major Layer 4 VPN technology.Based on the client-server mode,it is implemented by Transport Control Protocol（TCP）and Stream Control Transport Protocol（SCTP）,and can be used either in a security domain or between different security domains to guarantee the privacy and integrity of transported information.

IPsec is the main Layer 3 VPN technology.It is implemented on the IP layer,and generally used both in the trusted and vulnerably trusted domains,and between different security domains as well.It can not only guarantee the privacy and integrity of transported information,but also prevent replay attacks.IPsec has many choices of authentication algorithms,and in NGN,it may use the methods in RFC 2403 HMAC-MD5-96 and RFC 2404 HMAC-SHA-1-96.As for key,it can use Internet Key Exchange（IKE）to fulfill automatic exchange of keys.

Generally,NGN does not consider the security of media streams.If a user requests to protect the security of media streams,Secure Real-Time Transport Protocol（SRTP）and Simple Authentication or Security Layer（SASL）technology can be used for authentication,privacy and integrity protection.

In order to avoid repeated encryption and influencing network performance,the transport security mechanism does not use different technologies simultaneously.

4.3 Access Control Mechanism

The access control mechanism is generally combined with the identity recognition,authentication and authorization mechanism to effectively prevent unauthorized users and networks from using network resources,system,information and services,as well as to prevent authorized users and networks from illegally accessing unauthorized network resources,system,information and services.

4.4 Audit and Monitoring Mechanism

NGN equipment is required to record all the events happening in the equipment in the security log according to the requirements of the security strategies.Besides,the Simple Network Management Protocol（SNMP）should,through IPsec,send the log to a specific server for system security assessment and security problem analysis.NGN equipement needs to support routine maintenance,detection,and automatic installation of security patches.It should also support self-restoration and rollback of the system.NGN equipment should have an integrity verification agent,and it should report any discovered problem.If NGN manages Customer Premises Equipment-Boundary Element（CPE-BE）by OAMP,CPE-BEshould

have the same functions,and the

information transport must be implemented through VPN.

It is possible for NGN to provide Customer Premises Equipment（CPE）in the distrusted domain with configuration mechanism.In its initiating phase,CPE conducts authentication through the Device Configuration,and Booting-Boundary Element（DCB-BE）,establishes a secure transport channel and a relation with the CPEconfiguration unit in the trusted domain,and obtains configuration files.

4.5 Key Exchange and Management Mechanism

The information network security researches focus on the security of creation,storage and exchange of keys,certificate formats and certificate verification.NGN supports symmetric and asymmetric key cryptography,and allows available key exchange and management mechanisms,including IETFPKIX,IKEv2,D-H exchange,Mikey,ITU X.509,X.akm,and manual configuration.

4.6 OAMP Mechanism

NGN has an independent OAMPIP address block,and every NGN device has a physical or logical interface for it.IP addresses are allocated in the block,and are used for OAMPinterfaces.Therefore,the NGN equipment will directly discard OAMPtraffic from other IPaddresses except from the OAMPIPaddress block on OAMPinterfaces,and directly discard any OAMPtraffic on other interfaces.Authentication is necessary for any access to OAMPinterfaces in NGN.The system offers log and rollback functions to authenticated users access.Besides,security countermeasures should be applied if the OAMPtraffic is transmitted through the distrusted domain.

4.7 System Management Mechanism

In order to avoid security problems and to reduce security vulnerabilities,only devices in use are allowed to stay in NGN,and unused ports on the devices must be closed.Besides,the operating systems of the devices must have security protection measures,and be reinforced in time.Any security patch equipment vendors supplies should be installed immediately after getting approval of the network operator or SP.

The devices should also have physical or logical access control countermeasures.The application software of the devices has lower priority than its system software.VPN is necessary for implementing message transport between the network management system and the managed entities.

4.8 Other Mechanisms

On one hand,available multiple security mechanisms are used in NGN to meet the security requirements.For example,encryption is used for privacy protection,as well as for communication and data security.On the other hand,some security mechanisms for NGN,such as NAT/firewall transversal,need further study.

5 Conclusions

Nowadays,wealth is increasingly gathering on the network with the popularity of network applications.Therefore,almost everyone is paying attention to the information network security issue.Consumers with more money,and operators with more high-end clients pay more attention to it.

However,network security is a relative concept,and in fact,there is no absolute network security.The development of NGN and everything over IPrequires the more urgent assurance of network security.In this paper,security technologies for NGN are investigated,including NGNsecurity requirements,security architecture and security mechanisms based on NGN security,which can cost-effectively legitimate rights of government departments,network operators,SPs and users,and can smoothly be supported by ZTE's unified security solution.