Some local telecommunications service providers have begun programs to deliver advanced voice and data services over IP. These programs require security measures that protect both the service provider's network assets and the customer networks from service-affecting malicious intrusions, which can cause network losses or customer grievances. Additionally, the changing paradigm in new services makes it beneficial for such a provider to position itself ahead of its competitors by being the first to offer the services made possible by the transformation from a switch-based network to an IP-based network. Common to both efforts are the challenges faced by a large telecommunications service provider, namely the impact on scalability and performance.
Security and performance are typically a zero-sum game, since improved security often results in reduced throughput and performance. This is the case in the perimeter protection of customer and network assets as well as in the development of new multimedia and multi-technology services for millions of customers. These challenges are manifested most tellingly in the deployment of a Softswitch infrastructure that will help a telecommunication service provider achieve a “first to market” position for advanced services. Securing the Softswitch assets from attack by a malicious intruder is a vitally important consideration in future IP-based networks and services. A security failure in this realm can be extremely costly to the telecommunication service provider, both in real economic terms and in reputation. The security capability, however, should be implemented in a scalable manner.
Interconnection of large-scale IP networks presents new twists to security challenges that can benefit from added perimeter protection measures. Unlike traditional data services, broadband Voice over Internet Protocol (VoIP) and multimedia services are interactive, utilize separate signaling and transport flows, and place unique Quality of Service (QoS) and security requirements on the network that take into account users and policies derived from signaling and downstream network topology. Carrier-to-carrier VoIP peering, Hosted IP Centrex and other multimedia packet-based services present new challenges for IP networks and edge networking technologies. These services are delivered between different IP network “islands”, traversing borders between carrier and customer and between carriers, often between private and public networks. Carriers are confronted with deployment barriers such as security, service level assurance and Network Address Translation (NAT) traversal. Layer 3 and layer 5 (application) security enhancements are difficult to implement, either because of the highly distributed nature of VoIP networks (many hops), or because they involve digital certificate-based key systems, which are notoriously difficult to manage, especially at the carrier-class scale of a typical local service provider's network. An alternative is to protect crucial network assets such as the Softswitch infrastructure components, namely media gateways, signaling gateways, and application servers, through network perimeter protection devices that block potentially nefarious unwanted traffic from ever reaching those assets.
The network edge has evolved to be not only an access point but also a demarcation point that identifies the boundary of trust between the carrier's service network and its external customers and peers. The state of the art in VoIP security today is centered on the protection of these network “borders”. These border devices necessarily implement firewall capabilities in both stateless and stateful modes, which introduces new challenges for carrier-class implementations, since stateful operation consumes a great many CPU cycles on the devices performing the function.
In VoIP, the ports that carry the media part of a call are dynamically assigned through signaling, torn down upon call termination, and reused for a subsequent call at a later time. This technique is termed “dynamic pinhole filtering”, because the firewall must filter traffic dynamically by opening and closing ports (pinholes) according to the state and progress of a call. Correctly implemented at the network edge, it provides a good level of protection at a granularity not otherwise achievable with other current security technologies.
At least one local service provider is currently involved in major projects that should lead to the eventual deployment of this stateful “dynamic pinhole filtering” capability. Value Added Data Security Services (VADSS) may include stateful pinhole filtering and the provisioning of VADSS capabilities to customers from the network's edge, and can be offered as a value-added, revenue-generating service. Another application is the large-scale deployment of a Softswitch that provides customers with hosted VoIP-based services and advanced features. One of the devices considered for the security architecture of a Softswitch infrastructure is a Session Border Controller (SBC). Such SBCs would include, as an important component, stateful packet filtering for the media streams. SBCs with stateful packet filtering would be used in place of conventional devices that perform Network Address Translation (NAT) but lack a dynamic filtering capability.
A major concern associated with testing this dynamic stateful filtering capability, for both of these potential services, is verifying its performance at the rates demanded by a carrier-class network, namely Gigabit-Ethernet (GigE) interfaces with typical concurrent session counts of the order of 100K or higher. It would be beneficial for service providers to develop the methodology and the integrated tools to test stateful “dynamic pinhole filtering” for evaluating the functional operation and performance of firewalls at carrier-class traffic levels.
Value Added Data Security Services will now be described. Value Added Data Security Services (VADSS) may be implemented as a suite of network-based services that complement and add value to the basic capabilities of a local carrier's network-based IP Virtual Private Network (VPN) service, and represent a novel way of generating revenue. An exemplary VADSS service suite includes: (i) a virtualized firewall, providing both a basic stateful firewall with customer-configurable rule sets for packet filtering and a full stateful firewall with dynamic pinhole filtering to protect customer assets from threats outside their network; (ii) Internet Offload, an Internet access capability provided directly from the IP/MPLS infrastructure; and (iii) IPSec tunnel terminations.
The ability of VADSS to provide security services and Internet access from within the provider network is what distinguishes VADSS from similar offerings that depend on managed Customer Premise Equipment (CPE). By leveraging the economies of scale of platforms capable of running multiple instances of applications such as firewalls, a local service provider can offer these virtualized services at the Service Edge Router level. Internet threats are kept at arm's length, away from the customer access link, through network-based firewalls and address translation within the provider infrastructure. VADSS could include the provisioning of virtualized firewalls, each supporting a host of stateless protocols as well as Application Layer Gateway capabilities for SIP, H.323, Skinny, and MGCP, at GigE rates and supporting 100K concurrent sessions.
Session Border Controllers for Softswitch Infrastructure will now be described. Existing edge functions such as aggregation, class-based queuing and packet marking, address translation, security and admission control are insufficient to meet the requirements of the new Softswitch-based VoIP services. In addition to these traditional edge functions, VoIP and multimedia services place new requirements on the network edge, including QoS and bandwidth theft protection, inter-working of incompatible signaling networks, lawful intercept (e.g., anonymous replication and forwarding of packets), and most significantly, the capability to perform stateful packet inspection, e.g., of voice streams, also called “dynamic packet filtering”, at carrier-class rates. The service delivery network should be augmented with solutions that address these unique requirements. The existing edge router, complemented by a new class of product called a Session Border Controller (SBC), becomes the border element in the next generation network (NGN) architecture.
Session Border Controllers are a new category of network equipment designed to complement existing IP infrastructures and to deliver the critical control functions that enable high-quality interactive communications across IP network borders. A “session” is any real-time, interactive voice, video or multimedia communication using IP session signaling protocols such as SIP, H.323, MGCP or Megaco/H.248. The “border” is any IP-IP network border, such as those between service provider and customer/subscriber, or between two service providers. “Control” functions minimally include security and service assurance. Security functions provide access control and topology hiding at layers 3 and 5. Service assurance functions guarantee session capacity and control.
Security and address preservation features include network access control based on stateful packet inspection, with firewall dynamic pinholes created only for authorized media flows, and network topology hiding at both layer 3 and layer 5 via double network address and port translation. SBCs additionally protect softswitch, gatekeeper, gateway, application server, media server and other service infrastructure equipment from Denial of Service (DoS) attacks and overload by rate limiting both signaling messages and media flows. SBCs simultaneously support SIP, MGCP and H.323 networks by actively participating in session signaling, and can be controlled by a third-party multi-protocol softswitch, H.323 gatekeeper or MGCP call agent using a pre-standard MIDCOM protocol. The performance requirements for typical SBCs in a carrier-class environment are of the order of 5 Gig with 100K concurrent sessions.
Strict verification of the correctness of a security implementation through testing, however, is of paramount importance, as any defective implementation could result in windows of vulnerability that a malicious intruder could exploit to invade the very assets being protected. In the realm of security, a faulty implementation of a security device is doubly dangerous, as unnoticed backdoors that can be used for malicious intent will also contribute to a false sense of security. These windows of vulnerability can in turn be used by an attacker for a Denial of Service attack in the simplest case, up to a takeover of network assets that can then be used to control and disrupt other parts of the network. The penalty associated with this security capability, however, is a considerable degradation in performance. This performance degradation can result in two equally unappealing outcomes: (i) excessively long windows of vulnerability; and (ii) a self-inflicted Denial of Service attack, as the underperforming device shuts out subsequent calls.
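The following is an added illustration, not part of the original text or of any vendor's product: a toy model of the dynamic pinhole filtering described above (pinholes opened by signaling, removed on teardown) together with two verification probes for the failure modes just named, the window of vulnerability left after a BYE and the self-inflicted denial of service when the pinhole table is saturated. Media flows are identified by a constructed (source address, source port, destination address, destination port) key using documentation IP ranges; the `close_latency` and `capacity` parameters are assumptions standing in for a real device's processing delay and session table size.

```python
"""Toy model of dynamic pinhole filtering (constructed example, not a vendor implementation).
Media pinholes are opened only when signaling has negotiated an RTP address/port and are
removed on teardown; two verification probes measure the failure modes named in the text."""
from dataclasses import dataclass, field

@dataclass
class PinholeFirewall:
    capacity: int                  # size of the pinhole (session) table (assumed parameter)
    close_latency: float = 0.0     # seconds the device needs to remove a pinhole after BYE (assumed)
    pinholes: dict = field(default_factory=dict)  # media flow key -> scheduled close time or None
    refused_calls: int = 0

    def on_call_setup(self, media_key):
        """Signaling (e.g. INVITE/200 OK carrying SDP) fixed the media ports: open a pinhole."""
        if len(self.pinholes) >= self.capacity:
            self.refused_calls += 1     # table full: the firewall itself shuts out the new call
            return False
        self.pinholes[media_key] = None  # None = open, no close scheduled yet
        return True

    def on_call_teardown(self, media_key, now):
        """BYE seen: the pinhole is removed once the device has finished processing it."""
        if media_key in self.pinholes:
            self.pinholes[media_key] = now + self.close_latency

    def media_allowed(self, media_key, now):
        """Default deny: a media packet passes only through a pinhole that is still open."""
        if media_key not in self.pinholes:
            return False
        close_at = self.pinholes[media_key]
        if close_at is not None and now >= close_at:
            del self.pinholes[media_key]  # lazy expiry of a closing pinhole
            return False
        return True

def window_of_vulnerability(fw, media_key, bye_time, step=0.1, limit=10.0):
    """Probe the pinhole after BYE until media is dropped; the elapsed time is the
    window during which traffic could still be injected through the stale pinhole."""
    t = bye_time
    while t <= bye_time + limit and fw.media_allowed(media_key, t):
        t = round(t + step, 3)
    return round(t - bye_time, 3)

def saturation_refusals(fw, n_calls):
    """Offer n_calls distinct media flows (constructed keys) and report how many were refused."""
    for i in range(n_calls):
        fw.on_call_setup(("192.0.2.10", 40000 + 2 * i, "198.51.100.5", 30000 + 2 * i))
    return fw.refused_calls
```

A carrier-scale test of the same property would drive the device under test with real signaling and media generators and record both measurements per call at GigE rates.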
In view of the above discussion there is a need to properly benchmark and verify the performance of various firewall security devices. Methods and apparatus that will permit a quantification of functionality and performance at carrier-class scales would be especially beneficial.