NXTcomm Daily News - From the editors of Telephony and Wireless Review

IMS security analysis for service providers
By Kishore Seshadri, Mu Security

May 24, 2007 11:54 AM


Service providers, cable operators and their network product suppliers share a common goal: reducing customer downtime and support costs, and building customer loyalty. Traditionally, there has been limited visibility into attack surfaces, and into security or robustness metrics, for IP-based products in general, let alone for those implementing the IP Multimedia Subsystem (IMS).

There are dozens of IMS specifications across the 3GPP and IETF standards bodies. Product developers looking to build IMS products face nearly impossible complexity in building interoperable and secure products. IMS does leverage established Internet protocols such as SIP, but even SIP admits an extensive number of "acceptable" implementations, which is far from ensuring vendor interoperability and leaves room for unforeseen security weaknesses. To truly enable access to multimedia and voice applications across wireless and wireline terminals, IMS software and hardware products must be subjected to proactive security analysis techniques that protect the underlying network services.

There are many reasons why proactive IMS security analysis is essential including:

IMS and SIP specifications give vendors considerable implementation latitude. This flexibility means that many spec-compliant products with equivalent functionality will not behave the same way in equivalent configurations, because of valid but differing implementation decisions.

IMS's inherent complexity creates opportunities for security, interoperability and robustness issues: a large implementation space is multiplied by an even larger configuration space.

The sheer number of protocols within IMS, multiplied by the many types of equipment deployed in many unique scenarios, produces complexity, security, interoperability and robustness issues that are very hard to reason about.

SIP borrows heavily from protocol mechanisms developed for HTTP (a text request line, header fields and three-digit status codes), so parsing weaknesses known from HTTP implementations have SIP counterparts. Such inter-dependencies within a protocol family require a Security Analyzer capable of automating the analysis of inherited, cross-protocol vulnerabilities.

IMS equipment is commonly deployed in business-critical communication infrastructure. Vulnerabilities can have very high costs, significantly impacting normal business operations.

IMS is frequently used in devices that are difficult to patch once vulnerabilities are found, making vulnerabilities discovered after shipment or deployment very costly. The best option is to find such issues before it is too late, using a Security Analyzer.

IMS weak spots and Security Analyzer benefits

Weak spot: IMS contains many highly stateful protocols with lots of optional features, making it easy for implementers to make mistakes.
Benefit: Security Analyzers systematically walk through the space of possible SIP messages and states.

Weak spot: SIP and the other IMS protocols are ASCII text-based and share vulnerability patterns with similar text protocols, such as the mishandling of extra white space.
Benefit: Security Analyzers draw on an extensive library of attacks built on this vulnerability pattern, which helps ensure that this aspect of SIP is as robust as possible.

Weak spot: IMS runs over a variety of transport protocols, which expands the attack surface of both the product and the network service.
Benefit: Mu Security's Security Analyzer uses Protocol Spidering™ technology to create a detailed map of the attack surface, and selectable transports let the user dynamically create and apply a near-infinite number of IMS mutations over any choice of transport, including UDP, TCP and TCP with TLS, each over IPv4 or IPv6.

Weak spot: SIP and the other IMS protocols are used in different ways by different types of devices.
Benefit: The Mu-4000 adapts to different targets by letting the operator choose the "scenario" in which SIP will operate. The scenario describes the types of messages and options that will be sent in the test bed.
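As an added example (not Mu Security's code and not the Mu-4000's mutation engine), the following Python shows the pattern behind the white-space and state entries above: a minimal RFC 3261 request parser that accepts the legal white-space forms (space before the header colon, a header value folded onto a continuation line) and rejects the illegal ones with a clean error, plus a small harness that feeds mutants of a constructed INVITE to it and flags any outcome other than a clean accept or reject. The INVITE, the 4096-byte line limit and the mutation list are all assumptions made for the illustration.

```python
import re

# Constructed sample request (not a captured message); header values follow
# the RFC 3261 example style.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.1\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.0.2.1>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

MAX_LINE = 4096  # assumed per-line limit for this illustration
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


class SipParseError(ValueError):
    """Raised for any input the parser declines; anything else is a crash."""


def parse_sip(raw):
    """Parse one SIP request into {'method', 'uri', 'headers', 'body'}.

    RFC 3261 allows white space before the header colon and folding of a
    header value onto a following line that starts with SP or HTAB, so the
    parser accepts those. Oversize lines, a continuation before the first
    header, a malformed request line or a missing blank-line terminator are
    rejected with SipParseError rather than by crashing.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise SipParseError("no end-of-headers marker")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise SipParseError("bad request line")
    headers = {}
    name = None
    for line in lines[1:]:
        if len(line) > MAX_LINE:
            raise SipParseError("header line too long")
        if line[:1] in (" ", "\t"):            # folded continuation (LWS)
            if name is None:
                raise SipParseError("continuation line before first header")
            headers[name] += " " + line.strip()
            continue
        field, colon, value = line.partition(":")
        if not colon or not field.strip():
            raise SipParseError("malformed header field")
        name = field.strip().lower()             # header names are case-insensitive
        value = value.strip()
        # Repeated header fields are combined into one comma-separated value.
        headers[name] = headers[name] + ", " + value if name in headers else value
    return {"method": match.group(1), "uri": match.group(2),
            "headers": headers, "body": body}


def mutate(raw):
    """Yield (label, mutant) pairs derived from one valid message.

    A handful of the white-space and size mutations the table above refers
    to; a real analyzer generates such variants combinatorially.
    """
    head = raw.partition("\r\n\r\n")[0]
    yield "space-before-colon", raw.replace("Via:", "Via :", 1)                          # legal
    yield "folded-header", raw.replace("From: Alice <sip", "From: Alice\r\n\t<sip", 1)  # legal
    yield "trailing-ws-request-line", raw.replace("SIP/2.0\r\n", "SIP/2.0 \r\n", 1)    # illegal
    yield "orphan-continuation", raw.replace("\r\nVia:", "\r\n Via:", 1)                 # illegal
    yield "oversize-header", raw.replace("Max-Forwards: 70", "Max-Forwards: " + "7" * 100000, 1)
    yield "no-terminator", head + "\r\n"                                                 # truncated


def run_harness(raw):
    """Classify each mutant: 'accepted', 'rejected' (clean error) or 'crash'."""
    results = {}
    for label, mutant in mutate(raw):
        try:
            parse_sip(mutant)
            results[label] = "accepted"
        except SipParseError:
            results[label] = "rejected"
        except Exception:  # broad on purpose: any other exception is the finding
            results[label] = "crash"
    return results


if __name__ == "__main__":
    for label, outcome in run_harness(SAMPLE_INVITE).items():
        print(f"{label:28s} {outcome}")
```

The point of the harness is the third bucket: a parser that dies on an oversize or oddly folded header is a remotely triggerable denial of service on a proxy or gateway, and the harness makes that visible without a debugger.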

IMS and SIP are appealing to attackers because they are key enablers of many types of "presence"-based services. By exploiting SIP, attackers can misuse presence-based applications to bypass traditional perimeter network defenses and cause digital mischief or worse. The newness and rapid evolution of the IMS specifications leave room for vulnerabilities, since SIP's extensions may be fragile. Built-in security is limited: SIP is an ASCII text-based protocol, so unencrypted signaling is easily read with a packet sniffer, and SIP often uses the User Datagram Protocol (UDP) for message transport, whose source addresses are easier to spoof than those of a TCP connection.

Security Analyzers subject IMS implementations to rigorous attack mutations that uncover service-availability weaknesses rooted in protocol vulnerabilities, and document how organizations can secure IMS-based applications. IMS applications also weaken the perimeter: they usually require many ports to be opened on the network infrastructure for the signaling and media associated with incoming session requests, which is the antithesis of a firewall's normal function of inspecting the IP and UDP/TCP layers and keeping unused ports closed. To provide a minimum level of security for environments using IMS applications, organizations must deploy IMS-aware defense in depth or translation gateways (application-layer gateways that open media ports only for the sessions SIP signaling has actually set up). IMS awareness adds significant complexity to these firewalls, NATs and other perimeter defenses, and that complexity can make them less robust, to the point of being vulnerable themselves.
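To make the port-opening problem concrete, here is an added example (not from the article or from Mu Security) of the decision an IMS-aware firewall or application-layer gateway has to take for each INVITE: parse the SDP offer in the body, derive the RTP and RTCP pinholes it asks for, and refuse offers that try to steer media at internal addresses or outside the operator's media port range. The SDP body, the port range and the internal-network list are constructed assumptions for the illustration.

```python
import ipaddress

# Constructed SDP offer as it would travel in a SIP INVITE body (RFC 4566);
# addresses are from the documentation range and the ports are invented.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.1\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.1\r\n"
    "t=0 0\r\n"
    "m=audio 20000 RTP/AVP 0 8\r\n"
    "m=video 20010 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.2\r\n"
)

# Assumed operator policy, not from the article: media may only use this
# UDP range and may never be directed at internal or special addresses.
MEDIA_PORT_RANGE = (16384, 32767)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class SdpPolicyError(ValueError):
    """The offer must not be used to open pinholes."""


def parse_sdp(body):
    """Return one dict per m= line with its effective connection address.

    A c= line before any m= line is session-level; a c= line after an m=
    line overrides the address for that media stream only (RFC 4566 5.7).
    """
    session_ip = None
    streams = []
    for line in body.splitlines():
        if not line:
            continue
        if line[1:2] != "=":
            raise SdpPolicyError(f"malformed SDP line: {line!r}")
        key, value = line[0], line[2:]
        if key == "c":
            parts = value.split()
            if len(parts) != 3 or parts[0] != "IN" or parts[1] not in ("IP4", "IP6"):
                raise SdpPolicyError("malformed c= line")
            if streams:
                streams[-1]["ip"] = parts[2]
            else:
                session_ip = parts[2]
        elif key == "m":
            parts = value.split()
            # "<media> <port> <proto> <fmt>..."; port ranges such as "20000/2"
            # are not handled here and are rejected as unsupported.
            if len(parts) < 4 or not parts[1].isdigit():
                raise SdpPolicyError("malformed or unsupported m= line")
            streams.append({"media": parts[0], "port": int(parts[1]),
                            "proto": parts[2], "ip": session_ip})
    return streams


def is_internal(addr):
    """True for addresses a perimeter device must never open media toward."""
    return (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified or any(addr in net for net in INTERNAL_NETS))


def pinholes(body, port_range=MEDIA_PORT_RANGE):
    """Compute the (address, UDP port) pinholes this offer asks the firewall to open.

    Each accepted RTP stream needs two holes: the RTP port and the RTCP port
    one above it (RFC 3550 convention). A stream offered with port 0 is
    declined by the offerer (RFC 3264) and gets no hole.
    """
    holes = []
    for s in parse_sdp(body):
        if s["port"] == 0:
            continue
        if s["ip"] is None:
            raise SdpPolicyError("media stream without a connection address")
        addr = ipaddress.ip_address(s["ip"])   # raises ValueError on garbage
        if is_internal(addr):
            raise SdpPolicyError(f"media address {addr} points at internal infrastructure")
        if not s["proto"].startswith("RTP/"):
            raise SdpPolicyError(f"unexpected media transport {s['proto']}")
        if not port_range[0] <= s["port"] <= port_range[1]:
            raise SdpPolicyError(f"media port {s['port']} outside allowed range {port_range}")
        holes.append((s["ip"], s["port"]))      # RTP
        holes.append((s["ip"], s["port"] + 1))  # RTCP
    return holes


def check_offer(body):
    """Firewall decision: ('ok', holes) or ('reject', reason)."""
    try:
        return "ok", pinholes(body)
    except ValueError as exc:   # SdpPolicyError is a ValueError; so is a bad IP
        return "reject", str(exc)


if __name__ == "__main__":
    print(check_offer(SAMPLE_SDP))
```

Every accepted stream costs two pinholes, and the gateway must also close them when the dialog ends (BYE, CANCEL, or a timeout when the signaling never completes); forgetting the teardown path is how IMS-aware firewalls end up with permanently open media ports.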

Should any IMS vulnerability be exploited, the results could be devastating, especially if it knocks out a media gateway, voice mail or other mission-critical voice resources. In fact, the entire perimeter defense could be compromised if an attacker is able to use SIP to disable a security enforcement device. To proactively protect their investments and revenue-bearing network services, broadband service providers, including DSL and cable operators, are now using Security Analyzers for:

Product Selection: Security readiness is a key metric to support purchase decisions or upgrades, in addition to robustness, functionality and performance.

Product Deployment: Before deploying product features or introducing configuration changes into the network architecture, end users proactively identify and remove robustness issues or vulnerabilities.

Change Control: Analyze new software or firmware releases and bug fixes before production use, to ensure that no published or previously eliminated issue or vulnerability is inadvertently reintroduced into the network.

Threat Assessment: Security crisis management and problem reporting to a vendor are streamlined by the Mu-4000's ability to automate and "operationalize" the auditing and vulnerability remediation processes.

IMS users, including service providers, are constantly striving to enhance service availability by reducing the system downtime that results in the costly loss of existing customers or of confidential information. Mu Security works with these users to baseline the security and robustness of their wide range of IMS products at initial purchase or upgrade, to help ensure maximum uptime. The same approach also hardens network services against disruption or malicious activity.

Similarly, IMS product developers use security analyzers to ensure their products are free of both 0-day and published vulnerabilities that would expose their users to negative publicity, lost revenue or customer churn. The increasing complexity of triple-play service deployments, security product rollouts and 3G/wireless services can quickly outpace the ability of existing IMS testing resources to isolate the attack surface of any product deployed within the network.

Kishore Seshadri is the Vice President of Product Management at Mu Security.
