The softswitch network is still quite common, so I studied the security requirements analysis of the softswitch network and am sharing it with you here. I hope it will be useful to you. The concept of a "security domain" is introduced when describing and analyzing softswitch network security. A security domain is a model that describes how to manage and control network security: where the security protection requirements within a security domain are the same, the same security protection mechanism can be implemented.
Isolation, control, and other security policies can be deployed at security domain boundaries according to the different security levels. Based on the security requirements of each part of the softswitch network, the network can be divided into four security domains: core network, Internet access network, support system, and third-party application network, as shown in Figure 1.
The core network security domain includes all softswitches; access gateways such as TG, AG, and SG; BGW devices; key business platforms (including SHLR and number conversion platforms); softswitch media servers and application servers; and the application gateway developed for the third-party business interface. The Internet access network security domain includes all the SIP telephone terminals, IAD devices, and various types of SIP access PCs allocated with public IP addresses. The support system security domain includes auxiliary operating systems such as network management, billing, and OSS. The third-party application network security domain mainly includes all application servers that are connected through the development service interface. Because this application is rarely used, the security requirements of this domain are not discussed here.
Security requirements of the various security domains
1) Core network security domain
The core network security domain is the security core of the softswitch network. In current networks, the bearer layer of the core network generally uses a dedicated IP network and a VPN network, and the management and control of devices in this security domain, including the various AGs, can be considered safe. Security requirements for the core network security domain include: device availability, that is, devices must remain available under device faults, network storms, and traffic impact in various situations, so that devices and bearer services operate normally; BGWs and firewalls must be deployed where the core network connects to other networks, to isolate the intranet from the Internet; the SS and other devices in the network must have complete device authentication and trust-granting ("credit") methods to prevent unauthorized login; core network nodes must perform status checks by means of heartbeat and media detection, so that node status is updated promptly and business continues normally; access nodes must have bandwidth and business management capabilities to prevent unauthorized use of bandwidth and services by users; and core network nodes should be able to process abnormal signaling and messages, so that nodes are not paralyzed or overloaded by deliberate attacks.
2) Internet Access Network Security Domain
Security issues exist on the Internet. When softswitch services are provided over the Internet, the communication security between the service access device and the softswitch network must be ensured. Security requirements for the Internet access network security domain include: L2TP, IPSec, and other tunneling technologies must be applied between terminal devices, such as SIP phones and software phones, and the devices that interconnect the Internet and the softswitch network; when small-capacity AGWs and IADs are connected through the Internet, GRE, IPinIP, IPSec, and other tunneling technologies must be applied between them and the devices that interconnect the Internet and the softswitch network; and comprehensive access device authentication and trust-granting ("credit") methods are required to prevent impersonation.
3) Support system security domain
The support systems mainly include network management, billing, and OSS. Although the support systems do not directly provide services to users and sit in the intranet region, where they are less likely to be attacked, their functions are special and most of them run general-purpose operating systems, so their security must be ensured. Security requirements for the support system security domain include: a high-strength user authentication mechanism; physical isolation for important systems, with powerful firewall devices deployed between networks; and optimized system security policies.
Softswitch network security measures
1) Bearer network layer
At the bearer layer of the softswitch network, in addition to using private networks and MPLS VPN for network isolation, some vendors place network probes on key nodes and monitor network quality by listening with ping packets. Currently, this method has the following difficulties. First, the length of a ping packet differs greatly from that of a softswitch message packet, so at a given packet loss rate the ping result cannot meet the requirements of softswitch signaling. Second, the ping packet interval cannot be set too short. When the bearer network is completely interrupted, the fault point can be located accurately; however, in the case of transient disconnection or unstable network quality, it is difficult to ensure real-time service quality and to locate the fault.
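The two difficulties described above can be made concrete with a small model. This is an added example, not code from the original article or from any vendor's probe; the packet sizes, the bit error rate, the outage times, and the assumption that a packet is lost when any one of its bits is corrupted are all constructed for illustration.

```python
"""Added illustration: why a periodic ping probe is a weak proxy for
softswitch signaling quality. All sizes, rates and outage times below are
constructed sample values, not measurements from the article."""

def loss_probability(packet_bytes, bit_error_rate):
    # Assumed model: a packet is lost if any one of its bits is corrupted.
    return 1.0 - (1.0 - bit_error_rate) ** (8 * packet_bytes)

def probe_times(period_s, duration_s):
    # Send times of a probe that fires every period_s seconds from t = 0.
    return [i * period_s for i in range(int(duration_s // period_s) + 1)]

def detected_outages(outages, period_s, duration_s, misses_needed=1):
    # An outage (start, end) is noticed only if at least misses_needed
    # probes are sent while the path is down, i.e. start <= t < end.
    times = probe_times(period_s, duration_s)
    seen = []
    for start, end in outages:
        lost = sum(1 for t in times if start <= t < end)
        if lost >= misses_needed:
            seen.append((start, end))
    return seen

# Constructed sample data (seconds): two transient drops and one full outage.
OUTAGES = [(12.3, 12.8), (47.1, 48.4), (100.0, 160.0)]
PING_BYTES, SIGNALING_BYTES = 64, 1200   # assumed packet sizes
BER = 1e-5                               # assumed bit error rate

def summary(duration_s=300):
    # Map each probe period to the outages that period would reveal.
    rows = {}
    for period in (5, 1, 0.5):
        rows[period] = detected_outages(OUTAGES, period, duration_s)
    return rows

if __name__ == "__main__":
    print("ping loss      %.4f" % loss_probability(PING_BYTES, BER))
    print("signaling loss %.4f" % loss_probability(SIGNALING_BYTES, BER))
    for period, seen in summary().items():
        print("probe every %ss sees %d of %d outages: %s"
              % (period, len(seen), len(OUTAGES), seen))
```

Under these assumptions the small ping packet sees well under 1% loss while the larger signaling message sees about 9%, and a 5-second probe reports only the full interruption, missing both transient drops.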
2) Network layer
During the design and planning of a softswitch network, its security should be fully considered: the security of the bearer network, including network isolation and attack prevention; backup of key business nodes and of user business attribution; and proper configuration of the business, seeking a balance between decentralization and ease of management. The unique dual-attribution disaster tolerance mechanism of the softswitch network should be fully utilized to make up for network security vulnerabilities. However, the dual-attribution mechanism itself should be improved, including the gateway switching policy, the softswitch control policy, the heartbeat parameter setting policy, and disaster recovery database management.
3) Softswitch device layer
The security of softswitch equipment is mainly guaranteed by the manufacturer's security design. However, effort should also be made in the following areas: establish key board inspection systems and regular switch inspection systems to fully ensure that key boards can be replaced successfully; to ensure the security of software versions and patches, the vendor should establish a software version security control system, and operators should strengthen the network access inspection system and application process management, so that software security and compatibility issues are solved jointly; and fully understand and use the self-protection measures of devices, such as the overload protection mechanism of the softswitch.
4) Management layer
Network security is a management-oriented systems project that relies on "three-point technology, seven-point management". Therefore, a series of security management systems, security assessment and risk management measures, emergency plans, and other measures must be formulated. These measures should cover all aspects of network security, so that security problems that can be solved are resolved promptly, security problems that can be mitigated are reinforced against, and emergency plans are prepared for unsolved problems, reducing security threats. At the same time, strong management is needed to ensure that these systems and measures are implemented.
Conclusion
As a new network, the softswitch network not only undertakes the transition of PSTN services but also carries the future of new services and new networks. New features such as the IP bearer, multiple gateway attributions, separation of bearer and service, and more open interfaces all impose high requirements on network security. Softswitch network security will be a topic that requires long-term attention and research.