Service providers who provide network access to users typically implement access security for the network by putting in place and managing network access policies. Access security, when configured properly helps to protect both the user devices and the network itself from malicious attacks and abuses.
Various approaches have been taken to implement access security. One is to set common filtering rules for the entire enterprise or operator network. These rules or policies may be specific for the type of traffic, the specific services to be provided, or the user location, but does not take into account the identity of the users in the protected network nor the fact that the type of access technology being used for access can change as in the case of a multimodal device which may use any one of a number of access technologies. Many current application-aware firewalls and IDS/IPS (intrusion detection system/intrusion prevention system) systems have been developed according to this approach. In some multimodal networks, separate access networks or specific access technologies have unique corresponding IP subnets assigned to them. For these networks the application-aware firewalls are configured to have a specific security policy per subnet of IP addresses.
A more recent approach to managing security is to set security policy depending upon the identity of the user and/or the user's duties. In a network often there are different roles, functions or privileges assigned to each user. Consequently, it is possible to implement access security such that when a user accesses the network, the user is identified and authenticated and then the policies associated with the assigned role, function or privileges assigned to the user are used to provide control over the user's access to resources. An example of this type of approach is the use of ACLs (access control lists), for role-based or user-based access controls. An authorized device may be utilized by any one of a number of various users for network access. Each user is subject to the network security policy determined by his or her identity. FIG. 1A illustrates this principle. Network access device 10 may be used to access a network 5 by a first user 20, second user 22, or third user 24, each of which have different identities, and may have different roles or privileges. The access device 10 accesses the network 5 through a security policy enforcement point (SPEP) 21 which typically is a security proxy which controls access and traffic in both directions. FIG. 1B illustrates a single user 20 accessing the network 5 using any one of a number of different access devices 10, 12, and 14 coupled to the network 5 through the SPEP 21. No matter which device 10, 12, 14 the user utilizes to access the network 5, since a single user 20 always maintains the same identity, the same role and the same privileges, the same security policies will be applied. Independent of these security policies, tools such as port-based access control 802.1x or IMEI (international mobile equipment identity) are used for the purposes of identification and/or authentication of the devices when used to access the network.
Known networks are generally built based on an assumed fixed access technology being used. The resulting security mechanisms to secure the network (for example, filtering rules, access control, intrusion detection criteria, traffic management) therefore are tailored to the characteristics of the assumed fixed access technology being used.
With the advent of IMS and the effort towards convergence between fixed and mobile networks, the networks of the future will be drastically different. Independent “Mobile Core” and “Fixed Core” networks will be replaced with what is referred to as a converged network which has a common core connecting to different access technologies. Future implementations of “3GPP Access” or “CDMA2000 Access” will not automatically require a WCDMA access technology as is currently the case. The future 4G Access networks or the All-IP access of an operator would comprise of UMTS UTRAN, 802.11 Access Network, 802.16 Access Serving Network (ASN) or other networks based on different radio access technology. The 4G access network would also comprise of fixed access like Ethernet and DSL. Currently there exist multimodal devices (laptops, PDAs) that support multiple access technologies like Ethernet, WLAN, Bluetooth etc. on the same device. Mobile and smart phones now have the capability to work in both UTRAN/1x-EV-DO and WLAN environments and PCMCIA cards for UMTS and CDMA2000 are also available which can be used on mobile devices to support seamless mobility between UMTS/CDMA2000 and WLAN and vice versa.
FIG. 2A depicts security elements of an example converged fixed/mobile network 100. The security system of the converged network 100 typically will have a standard authentication, authorization, and accounting (AAA) 110 database which may operate in tandem with a public key infrastructure (PKI) 115, which in turn operates with IP security (IPSec) 130, and application transport layer data/signaling security 120. Monitoring activity into and from the converged network 100 are a firewall/network address translator (NAT) 140, and an IDS/IPS 145. External to the converged network 100 are devices which may use any number of access technologies including but not limited to fixed access technologies such as Ethernet/DSL 150, and wireless access technologies such as UTRAN/1xEV-DO 160, 802.11 access 170, and 802.16 access 180.
These fixed/mobile converged networks support multimodal devices having multiple wireless and fixed network interfaces, such as UMTS, WLAN, WiMax, CDMA2000, and Ethernet, each having their own unique access security requirements. Contrary to the traditional assumption of a single fixed access technology used by known security policy enforcement of network access, today's multimodal devices can use any one of a number of different types of access technologies to connect to the access network which could have uniquely different protocols, standards, and hence unique potential vulnerabilities to specific exploits and attacks. The different access technologies could have very different physical layer characteristic requirements such as bandwidth, delay, packet loss, and handoff parameters, and could have very different requirements for access to network connections, authentication, encryption, and integrity of data. The normal performance capabilities and capacities may also be quite different from one another. This dictates that security requirements, criteria, and mechanisms in UMTS, WLAN, WiMax, fixed networks, etc. are all different. The natural background traffic, capabilities, and traffic characteristics (bandwidth, delay, error-rates, etc.) also vary for different technologies.
In a multimodal converged network, security mechanisms which are to be effective cannot make the assumption that a single access technology will be used because no single fixed set of mechanisms specific to a single access technology will be sufficient to provide security to the multimodal converged network.
FIG. 2B illustrates a known situation where a user 20 has a multimodal mobile device 42 which may communicate using one of two access technologies 32, 34 which typically need to be handled by a SPEP 51 before access to the network 35 is given. In order for the multimodal device 42 to have access to the network 35 in a secure fashion, the SPEP 51 must be able to handle security for either kind of access technology. A fixed/mobile converged network which provides support for multimodal device mobility ideally would provide for end-user access to the network using any access technology of the multimodal device and ideally would be capable of dynamically providing security to a user's access when the user changes the access technology of the multimodal device while maintaining the same user identity registered on the security policy enforcement point.
Known approaches to access security management do not address the situation when the end-user dynamically changes the access technology used by his or her multimodal device within the same premises under the same identity; for instance when the end-user switches between UMTS and WLAN as a subscriber within the rich presence concept framework. Such a dynamic change in access technology will be referred to as an inter-technology change-off, which typically occurs when a user's device changes from accessing one base station using one access technology to accessing another base station using a different access technology. Such change-offs may or may not be smooth. Known systems which do not track these access technology changes remain unaware of them from a security policy perspective. Generic rules and policies or those based on the user's identity and his credentials of known systems do not provide an appropriate level of security according to the distinctive characteristics of the various different access technologies of the multimodal device. For example, firewall/filtering or IDS/IPS rules even when being specific per user's identity (and corresponding credentials) do not take into account the different possible access technologies the end-device could use; instead they are based on the assumption that the devices use a fixed access technology of the same kind typical for the given network segment (for example desktop computers using Ethernet). As a result, an event, traffic or an end-user's action which is harmless in the conditions when the first access technology is used, can potentially be destructive for the device or for the service when the second access technology is used, if not prevented by the security controls in the network.
Conversely, a relatively harmless switching from one type of access technology to another type of access technology could raise unnecessary alarms if a security policy ideal for the access technology used before the switch is applied after the switch. One example of this is the behavior of an Intrusion Detection/Prevention System (IDS/IPS) upon a switch from UMTS to WLAN. A mobile device having both UMTS and WLAN interfaces connected to UMTS access can at most use a maximum bandwidth of 2 Mbs. Once the mobile device successfully performs a change-off to a WLAN network it is able to achieve a bandwidth of around 20 Mbs or higher. A sudden increase in bandwidth usage by the mobile device/subscriber from 2 Mbs to 20 Mbs would in general be detected by the IDS/IPS as anomalous behavior, and the IDS/IPS would quarantine the user even though the behavior was not malicious. If the mobile device performs a subsequent change-off from WLAN to UMTS or other radio access, the IDS/IPS would again be triggered. In general both IPS's and firewalls need to have different values for the same security settings/parameters/thresholds of the requested access depending upon the access technology used. For example, for wireless network access the threshold number of packets for setting off a “malicious scan indication” is generally lower than the same thresholds for fixed network access. In a fixed network, a high number of packets, which in a wireless network would usually be an indication of a malicious attack such as a flooding attack, are nothing more than rather neutral conditions in the fixed network.
Known solutions do not scale well for operator or enterprise networks having a converged fixed/mobile core and having an access network consisting of multiple access technologies (like UTRAN/1x-EV-DO, WLAN, WiMax, DSL, Ethernet etc.). Since known solutions are based on the use of a single-access technology they cannot offer dynamic change in security mechanisms, particularly a dynamic change in security appropriate to a dynamically changing access technology. Another problem with known solutions is that they are based on the assumption that after a mobile device/subscriber is authenticated the IP address allocated to the device remains constant until the device disconnects/disassociates from the network. Typically, the security mechanisms of known solutions are applied to the device based on its IP address or subscriber identity. This however is not effective in the case of mobile IP in which a mobile device roams between subnets (as well as between different technologies), the acquired IP address changes (Care-of-Address). An effective multimodal security mechanism should take into consideration that the IP address of the device may change. Moreover, since known solutions are agnostic to the access technology being used, there has not been any need from a security perspective to monitor IP addresses or L2 and L3 messages.
With respect to known attempts to solve the problem using assigned IP address subnets, FIG. 3 depicts a situation for which different access technologies cannot be recognized just by the IP address subnets assigned to each access technology domain. In FIG. 3, a common and modified RNC (mRNC) 205 controls both the NodeBs (for example UTRAN-NodeB 230) as well as the WiMax-BSs (for example WiMax BS 220). As can be seen in the Figure, the addresses assigned to devices in both the UTRAN and WiMax belong to the GGSN's (Gateway GPRS Support Node) 240 subnet regardless of whether the multimodal device 200 utilizes WiMax or UTRAN. For completeness an HSS/HLR (Home Subscriber Server/Home Location Register) 250, the SGSN 210 (Serving GPRS Support Node) and the public internet 290 are depicted.
Converged fixed/mobile networks would benefit from a novel system and method to manage security in such a way that can accommodate multiple access technologies.