A Secure Architecture for Nomadic User in IMS Network

The IP multimedia subsystem (IMS) is a basis for a significant new architecture which offers network operators the opportunity to expand their services, by integrating voice and multimedia communications and delivering them into new environments with new purposes. Basically, the IMS is an overlay network on top of IP layer that uses Session Initiation Protocol (SIP) as the primary signaling mechanism. SIP works at the application layer in IP networks. It is thus faced to not only the IP-networks security issues, but also to new issues which are related to the SIP protocol directly. Consequently, using IMS bears several new security challenges. This paper presents the most relevant SIP-related security vulnerabilities and threats, and the implementation and simulation test bed to experiment two versions of the SIP Asterisk software to emphasize these threats. The different security mechanisms that can be deployed to overcome the SIP security issues while putting emphasis the most important ones are discussed. Afterwards, the authors propose adaptable solutions to the SIP threats already identified for a specific service (access information from anywhere) in IMS context. Finally, conclusions are drawn and some perspectives are introduced to improve the security of multimedia applications. DOI: 10.4018/jmcmc.2012010101 2 International Journal of Mobile Computing and Multimedia Communications, 4(1), 1-17, January-March 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. (SIP) (Rosenberg et al., 2002) to implement new open services. The SIP is an application-level signaling protocol defined by the IETF for session management over an IP network. The term “session” refers to the media plane aspect of the communication—that is, to the exchange of user information (e.g., voice, video, and so on) among an association of participants. However, without a rigorous method to choose the most suitable security mechanisms and their parameters, SIP remains vulnerable to several attacks. In some small networks, security issues are not very critical, as the administrators of such networks can deploy appropriate software versions and set up policies for using more or less adaptable security mechanisms. However, SIP is also expected to be deployed to hundreds of millions of small devices with little or no possibilities for coordinated security policies, let alone software upgrades, which necessitates certain openness over the Internet as well as the need for the negotiation functionality to be available from the very beginning of deployment. The SIP and IMS security is thus a serious issue that should be addressed. Dealing with this problem, our paper is organized as follows. Section 2 summarizes the IMS architecture and presents a simplified SIP scenario. Then, Section 3 introduces SIP vulnerabilities and threats. Afterwards, Section 4 presents our penetration testing tool as well as our test results. Subsequently, Section 5 presents adaptable solutions to the SIP threats in the context of IMS. An analysis of these mechanisms is then presented in Section 6. Thereafter we present in Section 7 our secure IMS-based architecture. Finally, Section 8 presents our conclusions as well as our future works. 2. COMMUNICATION IN IMS: A SIP SCENARIO Before tackling our security analysis, let us first present a global idea about our target system: IMS SIP. IMS has a lot of entities and also defines many open and standard reference points for the communication between different equipments. The architecture of IMS is shown in Figure 1 (RADVISION, 2006).