IMS and VoIP Security

Securing IMS and IMS to EPC/5G-NGC

4G-EPC/5G-NGC to IP Multimedia Subsystem (IMS) Security Challenges

In 5G and 4G, IMS enhances its role as the operator's multimedia delivery ecosystem, both for basic functionality such as voice services (VoLTE/VoIP) and rich multimedia services, such as mobile gaming, Internet Protocol Television (IPTV), etc. IMS provides services both to Internet-connected users and to mobile users. These two interfaces require specific security:

  • IMS to Internet connectivity presents the same risks and challenges as EPC/5G-NGC to PDN connectivity. It requires carrier-grade network address translation (CG-NAT) and next-generation firewall (NGFW) capabilities.
  • 4G-EPC/5G-NGC to IMS connectivity: In addition to any PDN connectivity security, SIP and Diameter are two protocols heavily used with IMS. Both can be used as attack vectors, resulting in DoS and over-billing attacks.

 


FortiGate SIP Application Layer Gateway and Diameter Verification

FortiGate Session Initiation Protocol (SIP) Application Layer Gateway (ALG) functionality provides two important capabilities:

  • High-performance support for SIP by opening SIP and RTP pinholes and performing source and destination IP address and port translation. The translation applies to the SIP and RTP packets themselves as well as to the IP addresses and port numbers carried in the SIP headers and the SDP body of the SIP messages.
  • Advanced SIP-related security such as deep SIP message inspection, SIP logging, SIP IPv6 support, SIP message checking, high availability (HA) failover of SIP sessions, and SIP rate limiting.

Diameter verification is provided via the detection and logging of malformed packets and unexpected Diameter message types, which can be used to analyze traffic and detect and block attacks.
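The kind of check described above, as an added example (not FortiGate code or configuration): a minimal Python verifier that flags malformed Diameter headers and AVPs per RFC 6733 and command codes outside an allowlist. The allowlist policy, the function names, and the one-framed-message-per-call input are assumptions of this example.

```python
import struct

# Assumed policy for this example: commands expected on an IMS Cx link.
# RFC 6733 base: 257 CER, 280 DWR, 282 DPR. 3GPP TS 29.229 Cx: 300-305.
ALLOWED_COMMANDS = {257, 280, 282, 300, 301, 302, 303, 304, 305}
HEADER_LEN = 20


def verify_diameter(data, allowed=ALLOWED_COMMANDS):
    """Return a list of findings for one framed message; empty means clean."""
    if len(data) < HEADER_LEN:
        return ["truncated header"]
    findings = []
    msg_len = int.from_bytes(data[1:4], "big")
    command = int.from_bytes(data[5:8], "big")
    if data[0] != 1:
        findings.append(f"bad version {data[0]}")
    if msg_len != len(data) or msg_len % 4:
        findings.append(f"bad message length {msg_len}")
    if data[4] & 0x0F:
        findings.append("reserved flag bits set")
    if command not in allowed:
        findings.append(f"unexpected command code {command}")
    # Walk AVPs: code(4) flags(1) length(3) [vendor-id(4)] data, padded to 4.
    offset = HEADER_LEN
    while offset < len(data):
        if len(data) - offset < 8:
            findings.append(f"truncated AVP header at offset {offset}")
            break
        avp_len = int.from_bytes(data[offset + 5:offset + 8], "big")
        min_len = 12 if data[offset + 4] & 0x80 else 8  # V flag adds vendor-id
        if avp_len < min_len or offset + avp_len > len(data):
            findings.append(f"bad AVP length {avp_len} at offset {offset}")
            break
        offset += (avp_len + 3) & ~3
    return findings


def avp(code, value, declared_len=None):
    """Constructed sample AVP with the M flag; declared_len forges the length."""
    length = 8 + len(value) if declared_len is None else declared_len
    pad = b"\x00" * (-len(value) % 4)
    return struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big") + value + pad


def message(command, avps=b"", version=1):
    """Constructed sample request on application-id 16777216 (3GPP Cx)."""
    head = bytes([version]) + (HEADER_LEN + len(avps)).to_bytes(3, "big")
    head += bytes([0x80]) + command.to_bytes(3, "big")
    return head + struct.pack("!III", 16777216, 1, 1) + avps
```

Each finding is a log-ready string, so the same function can feed either an alerting pipeline or a drop decision.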

 


Physical Appliance (PNF) or Virtual Network Function (VNF) Implementations

SIP and Diameter capabilities can be implemented as FortiGate PNFs with HA and the highest proven scalability. Fortinet’s custom security processors provide hardware acceleration to meet today’s and tomorrow’s traffic and session volumes.

The same capabilities are provided by FortiGate virtual machines (VMs) acting as VNFs, with the industry’s smallest footprint and fastest boot time, providing a unique consolidated security NGFW and UTM VNF for 4G/4.5G and 5G environments. Dynamic and massive auto scaling is achieved via proven integration with software-defined networking (SDN) and European Telecommunications Standards Institute (ETSI) NFV management and orchestration (MANO) platforms such as Amdocs, Ciena’s Blue Planet, HPE, Ericsson, Nokia, Cisco, and more.


SDN Integration

Fortinet technology and Fabric-Ready Partner programs ensure SDN integration via Fortinet SDN Connectors and Fortinet APIs (available via the Fortinet Developer Network). These include integration with Nuage Networks, Cisco ACI, and VMware NSX.