A-IMS of IMS technology enhances the IMS security system

In addition to inheriting the above-mentioned authentication and encryption mechanisms, A-IMS also proposes some new security measures. Compared with IMS, A-IMS mainly enhances security in aspects such as integrated security and unified security management, security operation center, device admission control, and security policies.

1 Integrated security and unified security management

Since A-IMS needs to handle gigabit-rate bearer traffic, A-IMS integrates security mechanisms into every network element of the system to avoid network "bottlenecks". Through policies issued by the SOC and detection of security events by the SM, the network elements scattered across various locations operate under a unified security policy, realizing unified security management of the entire network. For example, using the integrated security mechanism, the SOC can distribute traffic standards and other security policies to network elements in various places, identify, distinguish and track abnormal behaviors through local or remote measurement, and quickly block the spread of viruses. This unified integrated security mechanism greatly improves the overall security of the system compared to the IMS/MMD network.

2 Security Operation Center

SOC is mainly used for centralized monitoring, reporting and processing. It is the most important new entity of A-IMS and the core of the security management of the entire system. Through the formulation and distribution of policies, SOC collects security information from AM and other network elements, checks business status, identifies, analyzes and processes external intrusions, and provides mature and robust protection for A-IMS. In addition, SOC also has the ability to manage emergencies and cooperate with judicial investigations, and can assist in crisis management.

Since the SOC is related to the security of the entire network, redundant equipment and a UPS should usually be used to ensure its hardware reliability. Operator permissions should be strictly limited: only employees who absolutely need to should be allowed to log in to the SOC, and the operations of operators who log in to the SOC should be monitored in the background. In addition, the SOC must be regularly audited under strict internal information security rules to ensure its normal operation.

3 Device admission control

Device admission control is a network decision-making behavior for terminal devices to access the network. When a terminal accesses the network, the network can determine whether the device is allowed to connect to the network. If allowed, the network determines the level of service that can be obtained based on its security posture.

A-IMS divides terminals into three types: closed devices that only support voice, advanced terminals that support both voice and data, and personal computers with EV-DO capabilities. The latter two terminals belong to intelligent terminals (IAT), and A-IMS device admission control is mainly for IAT control.

Device admission control is also the main security enhancement point of A-IMS. In an IMS/MMD network, device admission control is mainly implemented through access control measures such as authentication and encryption. A-IMS has added a security agent function. Using the security agent, you can verify the health status of the device and determine the security level that the device can access. If this agent runs on IAT, it is called a posture agent. If it runs on network devices such as AM and BM, it is called a mobile security agent (MSA).

3.1 Posture Agent

The posture agent (PA) runs on the IAT and is an important part of device admission control. It collects the posture information of the device (including whether the operating system is an authorized version, whether it has been patched correctly, etc.), and the results are sent to the SM through the IPGW.

When the IAT initially accesses the network, the SM decides the initial policy response to send to the IPGW based on the device posture information report sent by the PA and the relevant security policy: either restricted access or full access. If it is restricted access, the relevant security policy is downloaded to the BM, so that through the BM the device can only connect to the SIP service port on the specific AM that handles emergency calls, and at the same time Web traffic is redirected to the update server, requiring the user to download the update software.
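The restricted/full decision described above, as an added illustration (not A-IMS vendor code): the report fields, the policy thresholds, the host names and the BM rule syntax are constructed assumptions, chosen only to show the shape of the SM decision.

```python
"""Posture-based admission decision modelled on the A-IMS flow:
PA report -> SM assessment -> policy response (full or restricted)."""
from dataclasses import dataclass, field

# Constructed SM policy (assumptions, not real A-IMS values).
AUTHORIZED_OS = {"ExampleOS": {"3.1", "3.2"}}   # authorized OS versions
MIN_PATCH_LEVEL = 7                               # minimum accepted patch level
EMERGENCY_AM = "am-emergency.example.net"         # placeholder: AM handling emergency calls
UPDATE_SERVER = "update.example.net"              # placeholder: software update server
SIP_PORT = 5060                                   # standard SIP service port


@dataclass
class PostureReport:
    """Posture information the PA on the IAT sends to the SM via the IPGW."""
    device_id: str
    os_name: str
    os_version: str
    patch_level: int


@dataclass
class PolicyResponse:
    """Initial policy response the SM returns to the IPGW (and BM when restricted)."""
    access: str                                   # "full" or "restricted"
    reasons: list = field(default_factory=list)
    bm_rules: list = field(default_factory=list)  # constructed rule syntax


def assess_posture(report: PostureReport) -> PolicyResponse:
    """SM-side posture assessment: any failed check yields restricted access."""
    reasons = []
    if report.os_version not in AUTHORIZED_OS.get(report.os_name, set()):
        reasons.append("unauthorized OS version")
    if report.patch_level < MIN_PATCH_LEVEL:
        reasons.append("patch level below minimum")
    if not reasons:
        return PolicyResponse(access="full")
    # Restricted: BM permits only SIP to the emergency AM and redirects
    # Web traffic to the update server; everything else is denied.
    rules = [
        f"permit udp,tcp dst {EMERGENCY_AM} port {SIP_PORT}",
        f"redirect tcp dst-port 80 to {UPDATE_SERVER}",
        "deny any",
    ]
    return PolicyResponse(access="restricted", reasons=reasons, bm_rules=rules)
```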

Adopting posture agent-based device admission control has the following benefits:

Ensures that all user devices are consistent with the network security policy, and prevents worms, viruses, spyware and malware in advance, allowing operators to focus on prevention beforehand rather than handling afterward, effectively improving the security of the A-IMS network.

Provides a measure to check and control devices connected to the network regardless of their specific access methods, thereby increasing the network's adaptive capabilities and scalability.

Block incompatible or uncontrollable end devices so as not to affect network availability.

Reduce operational expenses associated with identifying and remediating incompatible, unmanageable, and compromised systems.

Prevent easy-to-attack, incompatible and uncontrollable endpoint devices from becoming targets of attacks and improve network availability.

3.2 Mobile Security Agent

The MSA is located on network elements such as the AM and BM, and cooperates with the PA to complete the device admission control function. The MSA can also monitor device status according to the SM's requirements, assist the SM in detecting and eliminating "zero-day" threats, and reduce system maintenance costs (OPEX) caused by repairing attack damage, which is very important when the network has multiple access methods (such as WiFi and broadband access).

The MSA also has reverse firewall capabilities: during detection it analyzes behavior rather than relying only on signatures, which is very important for preventing "zero-day" attacks.

In addition to all the functions of the posture agent, MSA also has the following functions:

Preventing host intrusion

Preventing spyware

Prevent memory overflow attacks

Provide distributed reverse firewall capabilities

Prevent malicious mobile code intrusion

Ensure operating system integrity

Audit Log

Enhanced QoS

4 Security Policies

The security policy is a policy that the SOC allows the system to automatically execute when a security event occurs on the network.

4.1 Level of device security agent

In A-IMS, security policy plays a very important role. Security management of the A-IMS network architecture, DDoS prevention, access control, intrusion prevention, authentication, device admission control, etc. are all implemented by the SM through security policies. The SM uses its built-in Mobile Security Agent Master Controller (MSA-MC) to control the MSAs of the other network elements in the network.

The MSA in the IAT collects host information and sends it to the MSA-MC. The MSA-MC preprocesses this information according to the relevant policies and then sends the processing results to the home SM (H-SM), where the SM performs posture assessment and abnormal behavior detection and determines the security level that the user may access.

4.2 Multi-level management model of SOC

Through the SOC, A-IMS policy control realizes multi-level control. The SOC is the national security operation center, which distributes security policies to the local SMs to achieve unified security management of the entire network.

5 DDoS Protection

A-IMS uses a self-learning algorithm to prevent DDoS attacks. It can learn traffic patterns to adapt to specific network conditions, for example learning SIP behavior to determine appropriate traffic thresholds. A-IMS distinguishes legitimate traffic, suspect traffic and malicious traffic, and only legitimate traffic is allowed to pass through the A-IMS network element.

The DDoS attack prevention function usually runs in an unobtrusive background mode. When the system is suspected of being under attack, the forwarding mechanism is activated and the traffic is redirected to the protection system for analysis and control, after which legitimate traffic is returned to the network.
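The self-learning threshold and three-way traffic classification described in this section, as an added example (not the A-IMS algorithm): the learned SIP request rates, the standard-deviation multipliers and the per-class forwarding actions are constructed assumptions.

```python
"""Learn SIP traffic thresholds from a baseline, then classify new
rates as legitimate / suspect / malicious and pick a forwarding action."""
import statistics

# Constructed baseline: SIP INVITEs per second seen in ten learning
# windows on one network element (assumption, not measured data).
LEARNED_WINDOWS = [48, 52, 50, 47, 55, 51, 49, 53, 50, 46]

SUSPECT_MULT = 3.0    # assumption: mean + 3*stdev marks suspect traffic
MALICIOUS_MULT = 6.0  # assumption: mean + 6*stdev marks malicious traffic


def learn_thresholds(samples):
    """Derive (suspect, malicious) rate thresholds from learned traffic.
    Needs at least two samples so a standard deviation can be computed."""
    if len(samples) < 2:
        raise ValueError("learning phase needs at least two windows")
    mean = statistics.fmean(samples)
    sd = statistics.stdev(samples)
    return mean + SUSPECT_MULT * sd, mean + MALICIOUS_MULT * sd


def classify(rate, thresholds):
    """Three-way classification of an observed rate against the thresholds."""
    suspect, malicious = thresholds
    if rate >= malicious:
        return "malicious"
    if rate >= suspect:
        return "suspect"
    return "legitimate"


def forwarding_action(rate, thresholds):
    """Only legitimate traffic passes the network element directly; the rest
    is redirected to the protection system, which (assumption) drops the
    malicious share and returns the cleaned legitimate share to the network."""
    actions = {"legitimate": "pass",
               "suspect": "redirect-to-protection",
               "malicious": "redirect-to-protection,drop"}
    return actions[classify(rate, thresholds)]


THRESHOLDS = learn_thresholds(LEARNED_WINDOWS)   # about (58.4, 66.7)
```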

6 Security logs and reports

Each network element of A-IMS (AM, BM, IPGW, AP, SDM, etc.) supports standard security event registration and reporting. All security event alarms are transmitted to the security event management subsystem for persistent storage, analysis and auditing. This subsystem serves as the log collection point and uses near-real-time transmission to enable real-time monitoring of security operations. A-IMS log transmission is based on the following protocols: IPFIX, SDEE, SNMPv3 and Syslog.