★ Isolation with signaling media proxy devices
To secure the softswitch network, it can be divided into security zones according to the security requirements of the devices it contains. Two zones are distinguished: the intranet zone and the extranet zone.
Softswitch intranet zone: the network area consisting of the softswitch, signaling gateway, application server, media server, trunk (relay) gateway, and large-capacity integrated access gateway. The devices in this zone serve a large number of users and require a high security level.
Softswitch extranet zone: the network area consisting of SIP terminals, PC soft terminals, ordinary user IADs, and other terminal devices. The devices in this zone sit on the user side and provide services to individual users.
Communication between the intranet zone and the extranet zone passes through the signaling media proxy device. Besides forwarding signaling and media so that terminals in the extranet zone can reach the softswitch and the gateway devices, the signaling media proxy device should also provide the following security functions:
1. The device shall support application-layer attack protection for the SIP, MGCP, and H.248 protocols.
2. The device shall identify high-risk behaviour such as abnormal messages and abnormal traffic and raise real-time alarms so that maintenance personnel can handle them further.
3. In the following cases, the device shall identify messages and process them according to a predefined policy:
a) messages shall be processed according to the user's registration status, and non-registration messages sent by unregistered users shall be discarded;
b) the device shall maintain a watch list of user terminals that fail registration or authentication, record their IP addresses/ports and user names, and take corresponding measures.
4. The device shall defend against common DoS attacks.
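The policy engine such a proxy needs, written here in Python as an added example (not code from the original article or from any particular proxy product): it parses each inbound SIP request minimally, drops malformed messages and floods as "abnormal message" and "abnormal traffic" alarms, forwards REGISTER but discards other requests from sources the softswitch has not yet accepted, and keeps a watch list keyed by IP address/port with the user name and failure count, blocking the source after repeated failed registrations. The message texts, addresses, user names and thresholds are all constructed for the example; `register_result` models the proxy learning the softswitch's verdict on a REGISTER, which a real deployment would obtain from the 200 OK / 401 / 403 replies it relays.

```python
import time
from collections import defaultdict, deque

# Constructed sample SIP requests (CRLF line endings as on the wire); not from the article.
REGISTER_MSG = (
    "REGISTER sip:softswitch.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060\r\n"
    "From: <sip:alice@example.invalid>\r\n"
    "To: <sip:alice@example.invalid>\r\n"
    "Call-ID: reg-1@203.0.113.10\r\n"
    "CSeq: 1 REGISTER\r\n\r\n"
)
INVITE_MSG = (
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060\r\n"
    "From: <sip:alice@example.invalid>\r\n"
    "To: <sip:bob@example.invalid>\r\n"
    "Call-ID: call-1@203.0.113.10\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)
# No SIP-Version token on the request line and a header without a colon: abnormal message.
MALFORMED_MSG = "INVITE sip:bob@example.invalid\r\nFrom garbage\r\n\r\n"


class SignalingProxyPolicy:
    """Registration-state-aware message policy for a signaling proxy (hypothetical class)."""

    def __init__(self, max_msgs_per_window=20, window_s=1.0, max_auth_failures=3):
        self.max_msgs = max_msgs_per_window
        self.window = window_s
        self.max_failures = max_auth_failures
        self.registered = {}                 # (ip, port) -> user name accepted by the softswitch
        self.watchlist = {}                  # (ip, port) -> {"user", "failures", "blocked"}
        self.history = defaultdict(deque)    # (ip, port) -> timestamps of recent messages
        self.alarms = []                     # (time, text) entries for maintenance personnel

    def _alarm(self, now, text):
        self.alarms.append((now, text))

    @staticmethod
    def parse(msg):
        """Return (method, headers) or None if msg is not a well-formed SIP request."""
        head, _sep, _body = msg.partition("\r\n\r\n")
        lines = head.split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or parts[2] != "SIP/2.0":
            return None
        headers = {}
        for line in lines[1:]:
            name, colon, value = line.partition(":")
            if not colon:
                return None
            headers[name.strip().lower()] = value.strip()
        if any(h not in headers for h in ("from", "to", "call-id", "cseq")):
            return None
        return parts[0].upper(), headers

    def _rate_exceeded(self, src, now):
        recent = self.history[src]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop timestamps outside the window
            recent.popleft()
        return len(recent) > self.max_msgs

    def handle(self, msg, src, now=None):
        """Decide what to do with one inbound message from src=(ip, port)."""
        now = time.time() if now is None else now
        if self._rate_exceeded(src, now):
            self._alarm(now, f"abnormal traffic from {src[0]}:{src[1]}")
            return "DROP_RATE_LIMIT"
        entry = self.watchlist.get(src)
        if entry and entry["blocked"]:
            return "DROP_WATCHLISTED"
        parsed = self.parse(msg)
        if parsed is None:
            self._alarm(now, f"abnormal message from {src[0]}:{src[1]}")
            return "DROP_MALFORMED"
        method, _headers = parsed
        if method == "REGISTER":                 # registration itself must reach the softswitch
            return "FORWARD_TO_SOFTSWITCH"
        if src not in self.registered:           # non-registration message from unregistered user
            return "DROP_UNREGISTERED"
        return "FORWARD_TO_SOFTSWITCH"

    def register_result(self, src, username, ok, now=None):
        """Record the softswitch's verdict on a REGISTER from src."""
        now = time.time() if now is None else now
        if ok:
            self.registered[src] = username
            self.watchlist.pop(src, None)
            return
        entry = self.watchlist.setdefault(src, {"user": username, "failures": 0, "blocked": False})
        entry["failures"] += 1
        if entry["failures"] >= self.max_failures:
            entry["blocked"] = True
            self._alarm(now, f"{username} at {src[0]}:{src[1]} blocked after "
                             f"{entry['failures']} failed registrations")


def demo():
    """Run the constructed scenario; returns (list of actions, list of alarms)."""
    p = SignalingProxyPolicy(max_msgs_per_window=5, window_s=1.0, max_auth_failures=2)
    alice = ("203.0.113.10", 5060)
    mallory = ("198.51.100.7", 5060)
    actions = [p.handle(INVITE_MSG, alice, now=0.0)]        # not registered yet: dropped
    actions.append(p.handle(REGISTER_MSG, alice, now=0.1))  # REGISTER is forwarded
    p.register_result(alice, "alice", ok=True, now=0.2)
    actions.append(p.handle(INVITE_MSG, alice, now=0.3))    # now forwarded
    actions.append(p.handle(MALFORMED_MSG, mallory, now=0.4))
    for _ in range(2):
        p.register_result(mallory, "admin", ok=False, now=0.5)
    actions.append(p.handle(REGISTER_MSG, mallory, now=0.6))  # blocked by the watch list
    actions += [p.handle(INVITE_MSG, alice, now=5.0 + 0.1 * i) for i in range(6)]  # flood
    return actions, p.alarms


if __name__ == "__main__":
    for action in demo()[0]:
        print(action)
```

The order of checks matters: rate limiting and the watch list are evaluated before parsing so that a flood of garbage costs the proxy only a timestamp append per packet, not a parse.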
Network isolation
Physically isolating the NGN from other networks, that is, building an independent physical network, effectively avoids external attacks. However, the construction and maintenance costs of such a network are clearly high, so this approach is not desirable. In recent years, as VPN technology has matured, it has become feasible to build different VPNs on the same physical network. VPN technologies such as MPLS and VLAN can be used to carve an independent logical network, the NGN virtual service network, out of the physical packet data network, logically isolating the NGN from other networks. Users of other networks then cannot reach the NGN through illegitimate channels, which prevents attacks and damage from other networks, especially the Internet.
Data Encryption
To prevent illegal eavesdropping on the signaling and media information transmitted in the NGN, the data encryption technology commonly used on the Internet can be applied to encrypt the signaling and media streams.
Currently, the main security mechanism for signaling transmission over IP networks is the IPSec protocol. The Megaco protocol specification (RFC 3015) requires IPSec to secure communication between the media gateway and the softswitch device. In environments that do not support IPSec, the Authentication Header (AH) mechanism provided by Megaco is used to authenticate IP packets. The Megaco protocol stresses that IPSec must be used wherever it is supported, and notes that using IPSec does not affect the interworking or connection performance of the Megaco protocol. IPSec is an add-on protocol to IPv4, whereas IPv6 supports the IPSec option directly.
For media streams, the RTP packets are encrypted; at present, symmetric encryption algorithms are used for this.
Currently, private information such as user accounts and passwords is protected with the MD5 digest algorithm, which is used for user identity authentication.
Access Control
★ Access user identity authentication
Users of softswitch terminals, especially smart terminals, PC soft terminals, and desktop IADs, must undergo strict authentication before they can access the NGN.
A public key system with high confidentiality can be used to ensure the reliability of user identities. After the NGN system has authenticated the user and confirmed the identity that is connecting to the NGN, it can bind the user ID, IP address, and other information together and record them in the network security log. In this way, once the user's identity has been confirmed at access time, the user can be quickly located and investigated even if the network is damaged, which largely removes the root cause of security problems arising from attacks launched from the user side. In addition, the softswitch or the terminal network management device can be made to match the terminal's IP address, MAC address, and terminal identifier; when the terminal identifier is correct but the IP address or MAC address does not match, access and services are refused.
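The MD5-based identity authentication mentioned under Data Encryption, combined with the identifier/IP/MAC binding and security log described above, written in Python as an added example (not code from the article or from any softswitch vendor). The digest is the RFC 2617 style challenge-response that SIP uses (no qop): response = MD5(MD5(user:realm:password):nonce:MD5(method:uri)). The class name, realm, user name, password, terminal identifier, addresses and log format are all constructed for the example; the softswitch side stores only HA1 per user, issues single-use nonces, verifies the response in constant time, and then applies the article's rule that a correct terminal identifier with a mismatching IP or MAC address is refused.

```python
import hashlib
import hmac
import secrets

REALM = "ngn.example.invalid"   # constructed realm, not from the article


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce):
    """Terminal side of an MD5 digest challenge (RFC 2617 style, no qop)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class AccessAuthenticator:
    """Softswitch-side check: verify the digest, enforce the terminal-ID/IP/MAC binding,
    and record every decision in a security log (hypothetical class for this example)."""

    def __init__(self, credentials, bindings):
        # Keep only HA1 per user so the clear password never sits in memory or on disk.
        self.ha1 = {user: _md5(f"{user}:{REALM}:{pw}") for user, pw in credentials.items()}
        self.bindings = bindings        # terminal_id -> (ip, mac) provisioned by network management
        self.outstanding = set()        # nonces issued but not yet consumed
        self.sessions = {}              # username -> (ip, mac, terminal_id) after successful access
        self.security_log = []          # (verdict, username, ip, mac, terminal_id, reason)

    def challenge(self):
        """Issue a fresh, single-use nonce for the 401/407 challenge."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def _log(self, verdict, username, ip, mac, terminal_id, reason):
        self.security_log.append((verdict, username, ip, mac, terminal_id, reason))
        return verdict == "ALLOW", reason

    def authenticate(self, username, response, method, uri, nonce, ip, mac, terminal_id):
        """Return (allowed, reason) for one REGISTER carrying a digest response."""
        if nonce not in self.outstanding:
            return self._log("DENY", username, ip, mac, terminal_id, "unknown or reused nonce")
        self.outstanding.discard(nonce)     # single use: a captured response cannot be replayed
        ha1 = self.ha1.get(username)
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{ha2}") if ha1 else ""
        if not ha1 or not hmac.compare_digest(expected, response):
            return self._log("DENY", username, ip, mac, terminal_id, "bad credentials")
        # Article's rule: correct terminal identifier but wrong IP or MAC -> no access, no service.
        provisioned = self.bindings.get(terminal_id)
        if provisioned is None:
            return self._log("DENY", username, ip, mac, terminal_id, "unknown terminal id")
        if provisioned != (ip, mac):
            return self._log("DENY", username, ip, mac, terminal_id, "ip/mac does not match terminal id")
        self.sessions[username] = (ip, mac, terminal_id)   # bind user id to address information
        return self._log("ALLOW", username, ip, mac, terminal_id, "registered and bound")


def demo():
    """Run four constructed access attempts; returns (list of verdicts, security log)."""
    auth = AccessAuthenticator(
        credentials={"alice": "correct horse"},
        bindings={"IAD-0001": ("203.0.113.10", "00:11:22:33:44:55")},
    )
    method, uri = "REGISTER", "sip:ngn.example.invalid"
    good = ("203.0.113.10", "00:11:22:33:44:55", "IAD-0001")
    results = []
    # 1. Right password, right terminal/IP/MAC -> ALLOW
    n = auth.challenge()
    r = digest_response("alice", "correct horse", REALM, method, uri, n)
    results.append(auth.authenticate("alice", r, method, uri, n, *good))
    # 2. The same response replayed with the consumed nonce -> DENY
    results.append(auth.authenticate("alice", r, method, uri, n, *good))
    # 3. Right password, but from an IP the terminal identifier is not bound to -> DENY
    n = auth.challenge()
    r = digest_response("alice", "correct horse", REALM, method, uri, n)
    results.append(auth.authenticate("alice", r, method, uri, n, "198.51.100.7", good[1], good[2]))
    # 4. Wrong password -> DENY
    n = auth.challenge()
    r = digest_response("alice", "wrong", REALM, method, uri, n)
    results.append(auth.authenticate("alice", r, method, uri, n, *good))
    return results, auth.security_log


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

Every denial is logged with the same fields as a success (user, IP, MAC, terminal identifier), which is what makes the later "locate and investigate" step the article describes possible.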
★ Access control
1. Device management console access
The console is the most basic configuration method a device provides. It holds the highest configuration privileges on the device, so console access needs the strictest privilege management, including user login verification, console timeout logout, and console terminal locking.
2. Local and remote dial-up access through asynchronous auxiliary ports
Strictly control the configuration of local and remote dial-up interaction with the device through its asynchronous auxiliary (AUX) ports. Identity authentication is required by default.
3. Telnet access
Strictly control Telnet access: authentication is required by default, and the IP addresses of Telnet terminals are restricted.
NGN network security suggestions
How should a secure next-generation network be built?
Based on the discussion above, the following must be done to secure the NGN that is built:
1. Place firewalls and media proxy devices in front of key network devices to protect them from attack;
2. Isolate the NGN from other networks such as the Internet so that no one other than NGN devices and their outdoor users can access the NGN through illegitimate channels;
3. Encrypt the signaling messages exchanged between users and the softswitch to prevent unauthorized eavesdropping;
4. Strictly control user access and service usage at the access layer. Users must pass strict authentication and authorization before accessing the NGN, and their use of services must also be strictly authenticated and authorized.
The softswitch, the application servers, and the various gateway devices form a closed MPLS VPN network. Internal customers can access this network directly over a leased line, while end users in other untrusted regions can only access it through signaling media proxy devices, with their signaling messages exchanged under IPSec encryption. The softswitch and the signaling media proxy devices strictly control terminal access and verify terminal identifiers, IP addresses, and MAC addresses.
In short, securing the next-generation network is a systems project that no single technology can complete on its own. Only the comprehensive use of encryption, authentication, attack protection, and other security measures, working together, can build a secure next-generation network.