Network Firewall Configuration and Control - NFCC

3GPP2 S.R0103-0 Version 1.0
Version Date: 09 December 2004

Network Firewall Configuration and Control - NFCC
Stage 1 Requirements

COPYRIGHT NOTICE
3GPP2 and its Organizational Partners claim copyright in this document and individual Organizational Partners may copyright and issue documents or standards publications in individual Organizational Partner's name based on this document. Requests for reproduction of this document should be directed to the 3GPP2 Secretariat at secretariat@3gpp2.org. Requests to reproduce individual Organizational Partner's documents should be directed to that Organizational Partner. See www.3gpp2.org for more information.
EDITOR
Trevor Plestid, Research in Motion, tplestid@rim.com

REVISION HISTORY
Rev number   Content changes       Date
1.0          Initial Publication   9 December 2004
Table of Contents

Section                                                   Page
Table of Contents                                         iii
List of Tables                                            iv
List of Figures                                           v
1 INTRODUCTION                                            1
2 REFERENCES                                              2
3 DEFINITIONS AND ABBREVIATIONS                           2
3.1 Definitions                                           2
3.2 Abbreviations                                         3
4 GENERAL FEATURE DESCRIPTION                             4
5 DETAILED FUNCTIONALITY REQUIREMENTS                     6
5.1 Basic NFCC Requirements                               6
5.2 Subscription Identity Based NFCC Requirements         6
5.3 Wireless ISP Grade of Service NFCC Requirements       6
5.4 Administration of NFCC Profiles                       7
5.5 NFCC Scalability Requirements                         7
5.6 NFCC Individual Subscriber Configuration Requirements 8
5.7 NFCC Applicability and Scope                          8
1 INTRODUCTION

This document specifies the system requirements and operation of the Network Firewall Configuration and Control (NFCC) feature, from both the perspective of the subscriber and the system operator. The objective is to define and to standardize the functionality of this feature to be incorporated into the operations of CDMA2000® (see the trademark note below) based wireless telecommunications networks.

Trademark note: cdma2000® is a trademark for the technical nomenclature for certain specifications and standards of the Organizational Partners (OPs) of 3GPP2. When applied to goods and services, the cdma2000® mark certifies their compliance with cdma2000® standards. Geographically (and as of the date of publication), cdma2000® is a registered trademark of the Telecommunications Industry Association (TIA-USA) in the United States.

As the cdma2000 network evolves toward All-IP, we can expect a change in the security needs of mobile subscribers, resulting from changes in how subscribers connect to the Internet:

1. Subscribers may be connected to the Internet for the entire time the mobile station is powered on.
2. There will be a greater percentage of mobiles with IP addresses assigned.

The IP availability of the mobile station for long periods of time invites direct attack at the network protocol layer.

All Internet hosts need protection from malicious traffic, as provided by firewalls. Today's corporate Internet hosts generally operate with a firewall that prevents certain types of Internet access to hosts behind it. Home subscribers generally cannot depend on their ISP for similar protection, and may run a commercial firewall program of their own to prevent unwanted IP access. Firewall protection in cdma2000 networks is equally essential, but faces new requirements and challenges:

• Air interface usage is an expensive resource, hence it is not economically feasible to pass all IP traffic to the mobile without filtering. Even if the mobile discards unwanted packets, most likely the subscriber will still be billed for the transfer.
• The problem is compounded by the use of dormancy in data connections. Unsolicited packets cause a dormant connection to become active, thereby utilizing air interface resources for the duration of the dormancy timer, even if the packets are discarded. Moreover, extra load for setting up connections is added to the signaling path each time a connection becomes active from dormancy.

The lack of protection against unsolicited IP packets to terminals can have the following impacts:

• Network capacity is negatively affected.
• Additional network resources are consumed (e.g. RF, channel card, etc.) for handling unproductive traffic load. In addition, resources could be consumed at the wireless infrastructure and base station as well due to excessive signaling caused by unsolicited packets that wake up dormant mobile stations.
• In some solutions, MSC/HLR/VLR/AuC may be used for packet data authentication and network resource management. Use of these resources may increase significantly and impact MSC/HLR/VLR/AuC capacity.
• AAA server load is increased due to the need to handle authentication, authorization, and accounting for unsolicited unproductive packet data traffic.
• There is an increase in data latency; as unsolicited data traffic increases, the network throughput of solicited traffic is reduced.
• Incorrect accumulation of billing records occurs.
• Mobile station battery life is negatively impacted.
• There is increased exposure to malicious hacks on mobile stations, via the Internet or within the home network's local subnet (e.g. a worm exploiting a hole via ICMP host discovery).
• If either the mobile station or the network does not support concurrent voice and data, the incidence of diverting incoming voice calls to voice mail increases.
• Receiving undesired unsolicited packets can be irritating to customers. It also has a negative impact on customer to operator relations, as discontented customers often blame their operator for the inconvenience of undesired packets.

There is a significant need to protect subscribers and operators from unwanted IP packets arriving at mobiles with open network data sessions.

2 REFERENCES

[1] X.S0011 cdma2000 Wireless IP Network Standard
[2] RFC 1918 Address Allocation for Private Internets

3 DEFINITIONS AND ABBREVIATIONS

3.1 Definitions

Solicited Packet: Any IP packet sent to a mobile station belonging to an IP flow for which the mobile is configured, or comprising previously established communication with an Internet node. For completeness, solicited packets include those from operator services such as IOTA and geo-location.

Standard Stateful Firewall: A network entity that tracks host solicitations under a subnet to hosts outside and within that subnet, subsequently allowing incoming traffic from the solicited hosts in accordance with the protocol and ports of the initial solicitation. Only default firewall rules are applied at the beginning of an IP session; new rules established during a session are discarded at the end of that IP session.

Unsolicited Packet: Any IP packet sent to a MS that is not a Solicited Packet.
3.2 Abbreviations

AuC    Authentication Center
BIOS   Basic Input-Output System
HLR    Home Location Register
ICMP   Internet Control and Management Protocol
IMSI   International Mobile Station Identity
IP     Internet Protocol
ISP    Internet Service Provider
IOTA   IP-based Over-The-Air service provisioning
MS     Mobile Station
MSC    Mobile Switching Center
NAI    Network Access Identifier
NAT    Network Address Translation
NFCC   Network Firewall Configuration and Control
PAT    Port Address Translation
PDSN   Packet Data Serving Node
RFC    Request For Comment
SSDP   Simple Service Discovery Protocol
VLR    Visitor Location Register
VPN    Virtual Private Network
4 GENERAL FEATURE DESCRIPTION

Data services require that mobile stations are reachable at the IP level from Internet routable or proxy IP addresses. This makes the mobile station vulnerable to direct attack (malicious or unintentional) at the network protocol layer. Note that a mobile station cannot effectively perform "firewall" functions, since radio channel establishment is required prior to firewalling decisions being taken. This makes it impractical for the mobile station alone to mitigate impacts due to unsolicited packets, though NFCC does not aim to preclude any supplemental firewall functions in the mobile station in addition to the ones addressed herein. Furthermore, there may be applications or scenarios where a subscriber may need to receive unsolicited incoming requests. Note that this is not the case in current corporate Internet networks, where it is instead assumed that all sessions are initiated from the protected inner nodes.

The following categories of unsolicited packets require Network Firewall Configuration and Control:

• Stale Session Unsolicited packets: A mobile station has relinquished its dynamic IP address. An IP entity that the mobile station had established communications with can continue sending packets to this same IP address. When this IP address is reassigned to another device, the new device will now receive unsolicited packets. Examples are peer-to-peer file sharing and unterminated VPN sessions.
• Inter-subscriber Intra-subnet Unsolicited packets: Subnet-constrained broadcasts or serial unicast from one mobile to another are unsolicited packets. These are effectively unsolicited packets received from other subscribers served by the same operator. Examples are worms exploiting subnet discovery protocols such as ICMP, SSDP, or vulnerabilities caused by wireline approaches to service discovery, such as Microsoft NetBIOS.
• Malicious packets.

In the wireline ISP model, the mobile station is expected to assume the responsibility for firewalling. The wireless ISP model is inherently different, due to the heavy costs of requiring firewalling at the mobile station, outlined in the introduction. NFCC has the general property of pushing the firewalling decision into the IP core network of the wireless operator.

Wireless service providers desire to provide a wireline ISP grade of service, so there is a need to facilitate full Internet access for mobiles, just as landline ISPs. This seems like a contradictory requirement; how can mobiles be allowed full Internet access while being protected from the Internet?

Stateful firewall concepts can be used. In common stateful firewalls, all traffic is blocked until the mobile station solicits for particular traffic. Profiles of allowed traffic may also be implemented. However, there are some serious disadvantages to this approach:
1. Common stateful firewalls are IP based, and not subscription based, thus a network does not provide the MS a means for persistence of previously established push service relationships.
2. Common stateful firewalls may have scalability issues for carriers that maintain millions of subscribers.
3. All unknown traffic is blocked by common stateful firewalls, not giving subscribers a choice in allowing desired traffic.

Firewalls are therefore an important part of cdma2000 networks. They are necessary for secure access to the Internet and other services.

While NFCC specifies the adoption and utilization of firewalls in cdma2000 networks, NFCC should ensure its integration in the cdma2000 based wireless networks, since firewalls may present issues with various protocols (such as the Mobile IPv6/IPv4/IPsec protocol) that are adopted into cdma2000 networks.
5 DETAILED FUNCTIONALITY REQUIREMENTS

5.1 Basic NFCC Requirements

NFCC1. The wireless packet data network should provide mobile stations protection against unsolicited packets by preventing unsolicited IP packets from being transmitted on the forward link of the radio interface.

NFCC2. NFCC should provide a rudimentary protection against unsolicited packets to legacy mobile stations.

NFCC3. NFCC shall be compatible with the existing mobile features and services.

5.2 Subscription Identity Based NFCC Requirements

NFCC4. NFCC shall apply to the subscriber's subscription identity (e.g. IMSI or NAI) and may apply the mobile station's currently assigned IP address.

NFCC5. NFCC shall provide a means to persistently store the last known firewall settings when a mobile station relinquishes its IP address. Any state that cannot be automatically regenerated in subsequent IP sessions shall be persistent. Not all firewall states should be persistent (for example automatic inbound firewall rules). MS initiated outbound connections may be persistent.

NFCC6. NFCC shall provide a means to apply the last known firewall settings when a mobile station acquires an IP address.

5.3 Wireless ISP Grade of Service NFCC Requirements

NFCC7. NFCC should allow for IP service to reach the MS without introducing security threats that are not currently possible.

NFCC8. NFCC shall provide the capability to individual subscribers (by subscription or by command) to allow any IP node to reach the individual MS without manual intervention where there are no prior firewall rules.

NFCC9. NFCC shall maintain a capability to pre-provision firewall rules, for example across all subscribers, or a subscriber profile, or on a per subscriber basis.

NFCC10. NFCC shall block any IP packet from reaching the MS where the packet does not meet the rules associated with the MS subscription.

NFCC11. NFCC shall be able to infer the rules for a MS that does not have NFCC capability.
NFCC12. NFCC shall take no action due to the network not being able to forward packets to the MS.

NFCC13. NFCC shall provide protection against unsolicited packets from other subscribers in the same IP subnet.

NFCC14. NFCC shall provide the mobile seamless service while roaming across network segments that support NFCC.

5.4 Administration of NFCC Profiles

NFCC15. NFCC shall allow for changes to firewall subscription profiles.

NFCC16. NFCC shall provide a means for network firewall configuration administrative override to allow for certain servers to access the mobile station regardless of the subscriber's desired configurations (e.g. firewall subscription profiles to allow emergency IP-based services or default push services such as 'press to talk').

NFCC17. NFCC settings from the home network may be applied when the mobile roams outside its home network. For reasons of home network security, the NFCC feature shall allow NFCC Profile Administration to prevent revision of any firewall settings for a mobile station while roaming. Put differently, it shall be possible for the home network NFCC administrator to preclude importation of NFCC settings established by the mobile station while roaming.

NFCC18. The subscriber and operator shall have the ability to set the NFCC parameters for each subscriber or class of subscribers (e.g. NAI domain), with at least the following protection options:

• Block unsolicited IP packets except those configured by the subscriber or operator as allowable. Allowable IP addresses can be selected as individual addresses or as subnet addresses. Operators may establish allowable addresses that take precedence over subscriber settings.
• Allow all IP packets.

NFCC19. NFCC communications with the mobile, wireless infrastructure or other firewalls should take place in an encrypted and authenticated secure manner, including protection against replay attacks, to prevent compromising the subscriber state, as well as prevention of DoS attacks.

5.5 NFCC Scalability Requirements

NFCC20. NFCC should incorporate a wireless operator mechanism to discard the state of abandoned IP flows after a configurable timeout. In addition to the timeout, all firewall state information associated with the MS IP address is reset.
5.6 NFCC Individual Subscriber Configuration Requirements

NFCC21. NFCC shall provide a means for an operator to configure the firewall parameters for each subscriber.

NFCC22. NFCC shall provide a means for a subscriber to configure any firewall parameters via IP-based signaling. NFCC shall provide a mechanism for the mobile station to discover the address of the firewall. The support of this feature in the mobile station is optional.

5.7 NFCC Applicability and Scope

NFCC23. NFCC shall apply to private and public IP addresses. NFCC shall apply to SimpleIP and MobileIP. NFCC shall apply to IPv4 and IPv6 packets (see [2]).

NFCC24. NFCC shall provide the same capabilities regardless of whether the unsolicited packets originate within or outside of the wireless network.
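As an added illustration that is not part of S.R0103-0, the following constructed Python model shows the behaviour the Section 3.1 definitions, the stale-session case of Section 4 and requirements NFCC4, NFCC5, NFCC6, NFCC10, NFCC16, NFCC18 and NFCC20 describe: automatic inbound rules are keyed on the subscription identity (NAI) and discarded when the IP address is relinquished, while subscriber and operator profile rules persist across address reassignment. All NAIs, addresses and the push server are made up.

```python
import ipaddress

class NfccFirewall:
    """Stateful firewall keyed on subscription identity (NAI), not on the IP address."""
    def __init__(self, flow_timeout=300.0):
        self.timeout = flow_timeout
        self.ip_to_nai = {}          # currently assigned IP -> NAI (NFCC4)
        self.persistent = {}         # NAI -> [ip_network] allowed by subscriber/operator (NFCC5, NFCC18)
        self.allow_all = set()       # NAIs that chose the "allow all IP packets" option (NFCC18)
        self.operator_override = []  # networks reachable regardless of subscriber settings (NFCC16)
        self.flows = {}              # NAI -> [(peer, proto, port, last_seen)]; never persisted (NFCC5)

    def session_start(self, nai, ip):    # NFCC6: last known settings re-apply through the NAI
        self.ip_to_nai[ip] = nai

    def session_end(self, nai, ip):      # IP relinquished: drop automatic state, keep the profile
        self.ip_to_nai.pop(ip, None)
        self.flows.pop(nai, None)

    def outbound(self, nai, peer, proto, port, now):   # an MS solicitation opens an automatic rule
        self.flows.setdefault(nai, []).append((peer, proto, port, now))

    def inbound(self, dst_ip, src_ip, proto, port, now):
        """True if the packet may be sent on the forward link (NFCC1, NFCC10)."""
        nai = self.ip_to_nai.get(dst_ip)
        if nai is None:
            return False                 # no subscription behind this IP: block
        src = ipaddress.ip_address(src_ip)
        if nai in self.allow_all or any(src in net for net in self.operator_override):
            return True
        if any(src in net for net in self.persistent.get(nai, [])):
            return True
        live = [f for f in self.flows.get(nai, []) if now - f[3] <= self.timeout]
        self.flows[nai] = live           # NFCC20: abandoned flows age out
        return any(f[:3] == (src_ip, proto, port) for f in live)

def stale_session_scenario():
    """Constructed walk-through: an address is reassigned while a peer keeps sending."""
    fw = NfccFirewall()
    fw.operator_override.append(ipaddress.ip_network("198.51.100.10/32"))   # made-up push server
    fw.persistent["alice@example.net"] = [ipaddress.ip_network("203.0.113.0/24")]
    fw.session_start("alice@example.net", "10.0.0.7")
    fw.outbound("alice@example.net", "192.0.2.40", "tcp", 443, now=0)
    reply_ok = fw.inbound("10.0.0.7", "192.0.2.40", "tcp", 443, now=10)
    fw.session_end("alice@example.net", "10.0.0.7")
    fw.session_start("bob@example.net", "10.0.0.7")                         # same IP, new subscriber
    stale = fw.inbound("10.0.0.7", "192.0.2.40", "tcp", 443, now=20)        # alice's old flow
    bob_push = fw.inbound("10.0.0.7", "203.0.113.9", "udp", 5000, now=20)   # alice's profile
    fw.session_start("alice@example.net", "10.0.0.99")                      # alice back, new IP
    alice_push = fw.inbound("10.0.0.99", "203.0.113.9", "udp", 5000, now=30)
    ptt = fw.inbound("10.0.0.99", "198.51.100.10", "udp", 6000, now=30)
    return reply_ok, stale, bob_push, alice_push, ptt   # (True, False, False, True, True)
```

The same model blocks a packet for an address with no subscription behind it, which is the IP-keyed stateful firewall's stale-session leak turned into a deny.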