Research Brief

NGN: Carriers and Vendors Must Take Security Seriously

Abstract: The next-generation network will need to provide security on many levels. A comprehensive set of standards should be in place by mid-2004 and carriers will offer secure services by 2010.

By Andy Rolfe

Recommendations

Equipment vendors and carriers must recognize the importance of standards to the next-generation network (NGN) and contribute to the development of robust and timely specifications.

Enterprises should be aware of the risks of premature adoption of open, packet-based networks for simple communications.

Carriers and enterprises need to be sure that security measures in the NGN are adequate and effective before using the technology.

Publication Date: 21 February 2003
Introduction

Today's public switched telephone network (PSTN) is inherently secure. Individual telephones can originate only very simple control messages. Control instructions cannot easily masquerade as voice content. Digital access from a private branch exchange (PBX) has strictly limited ability to send control messages. And carriers' core signaling system (known as SS7) is protected from external access.

These security features will be lost as networks migrate to the next-generation network (NGN), which will be founded on packet-based architectures. This type of architecture is currently vulnerable to many forms of malicious activity. But the industry is working to address its vulnerabilities and Gartner Dataquest expects the first set of comprehensive standards to be completed during 2004, with products following in 2005.

Security in the Network for 2010

By 2010, the PSTN will have moved from the current connection-oriented, voice-optimized service to a packet-based architecture supporting seamless integration of many different media and content types. Implementation of the NGN will be an evolutionary process, and protection from vulnerabilities will need to be embedded in much of the new infrastructure.

Carriers offering network services based on Internet Protocol (IP) will not only need to protect their infrastructure from attacks, but will also be expected to protect their customers' end-systems. By 2010, monitoring and preventing security and denial-of-service attacks will have become a significant part of the roles of national and international carriers. Indeed, Gartner Dataquest expects governments to mandate minimum levels of security from carriers well before 2010.

The architecture of the network in 2010 will incorporate protection against vulnerabilities at every level. All external interfaces will be secured, be they to customer equipment, the traditional PSTN or other IP networks, including the Internet. Every component of the infrastructure will be "hardened" against intrusion and denial-of-service attack. Finally, all vulnerable control and communications traffic will be encrypted.

Points of Contact With the Internet

The NGN will be logically separate from the Internet, but there will be many points of contact between the two, including:

Formal NGN-to-Internet connections. Probably implemented at each NGN carrier, these will allow users of voice on the Internet to communicate with NGN users.

Global IP control links. The NGN will need to be part of the global IP address space, requiring links from the Domain Naming System (DNS) to the NGN and the Internet.

Links at every customer's premises. These will include devices used for Internet and NGN communications (for example, soft phones and PCs in contact centers).

© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. 21 February 2003
Internet Vulnerabilities

Attacks on an IP network infrastructure rely on the need for at least some of the infrastructure's components to be visible to end-systems. IP communication is not feasible without end-system visibility of at least the domain name servers and a default router, both potentially vulnerable infrastructure components. Common attacks exploit potential known weaknesses in equipment, including "buffer overflow," "infinite routing table" and weaknesses in the Simple Network Management Protocol (SNMP). Once control has been gained of a router or domain name server, access to other components in the IP infrastructure is possible.

An IP infrastructure allows any device to communicate with any other device. To be accessible, hosts and servers advertise their presence through the DNS. The structure of domain names, IP addresses and e-mail addresses makes it relatively easy for hackers to guess the names and addresses of connected resources. End-systems are potentially vulnerable to intrusion attacks, viruses and denial-of-service attacks.

Challenges for the NGN

Network Address Translation

Many enterprises use Network Address Translation (NAT) at the boundary between their private network and the Internet. However, the Session Initiation Protocol (SIP) that the NGN will use to locate users and set up calls will not work through many current routers or firewalls that implement NAT. There are (unfortunately) many different ways to solve the SIP and NAT firewall problem, but none is yet a standard.

Session Initiation Protocol

There are security vulnerabilities associated with SIP itself:

SIP messages are, by default, sent in plain, unencoded text, and are therefore easy to intercept and alter.

There are some security options in SIP, and SIP messages can also use other security and encryption protocols. However, there is currently no method for SIP entities to securely negotiate what security mechanism they will use. This leaves SIP vulnerable to "man in the middle" and other attacks that force the use of low levels of security, which are easily breached.

These problems and privacy issues are being addressed by the Internet Engineering Task Force (IETF).

Reliable Transport Protocol

Calls in the NGN will be carried by the Reliable Transport Protocol (RTP). This protocol is vulnerable to interception and alteration of, for example, source or destination addresses. Without encryption of RTP calls, the NGN will be unable to offer protection from identity theft or alteration of call contents. Early proposals do specify an "interim" encryption scheme, but also state that lower-layer protocols are expected to provide security in the future. As with many other security vulnerabilities, there is no clear standard for RTP security.

Code and Script Attacks

Real and soft IP telephones and PBXs are potentially vulnerable to attack from executable code or scripts. These could be used to manipulate users or NGN interfaces, or to propagate other types of attack, such as distributed denial of service.
Gartner Dataquest expects to see widespread attempts at theft of service, where hackers divert the telephone services of legitimate subscribers to their own uses. IP-based voice services will require protection similar to the firewalls and malicious code protection that protect corporate data networks.

Over-the-air upgrades and any area where users or administrators can download executables represent potential attack paths. Risks are also inherent in downloads of scripts written in Extensible Markup Language (XML). These and others are being addressed by the IETF's media gateway control standards.

Transition to a Secure NGN

Gartner Dataquest believes that, by 2010, there will have been much progress toward a secure NGN, and maintaining security will have become a significant part of carriers' roles. Governments and other organizations will become increasingly involved in defining and promoting NGN security. We expect several developments by 2010:

Standards
The first set of comprehensive NGN security standards should be completed during 2004, with standards-compliant products appearing in 2005.

Certification
Independent certification for NGN security will have emerged.

Industry agreements
Carriers will agree on secure integration or standardization of systems for authentication, authorization and access (AAA).
Ways of integrating carrier and enterprise AAA systems will also emerge.

Product developments
Appropriate elements of the NGN security architecture will be integrated into the infrastructure.
There will be voice-over-IP-aware, firewall-like barriers to the Internet and other carriers.
There will be constraints on the propagation of XML, including XML code-signing.

Service processes
Carriers will have established and gained experience of operational security procedures.
Carriers will use sophisticated, highly responsive systems for testing, monitoring and detecting intrusion.
Carriers will collaborate globally to monitor for, detect and prevent the propagation of new attacks.
This document has been published to the following Marketplace codes: TELC-WW-DP-0312

For More Information...
In North America and Latin America: +1-203-316-1111
In Europe, the Middle East and Africa: +44-1784-268819
In Asia/Pacific: +61-7-3405-2582
In Japan: +81-3-3481-3670
Worldwide via gartner.com: www.gartner.com

© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

113053