MERA s competence in security design includes but is not limited to the following areas: Engineering and assessments for security solutions (e.g.

Transcription

1

2 MERA s competence in security design includes but is not limited to the following areas: Engineering and assessments for security solutions (e.g. how migrating to secured protocols will affect/change capacity, capabilities, and response times of the product) Design of mechanisms intended to protect from destruction, removal, disclosure, corruption, interruption in order to ensure network security and robustness against hacker attacks both at application and OS layers Users/devices authorization and authentication Traffic and data encryption Security-keys, certificates, and license management Vulnerability testing using open-source and commercial tools (e.g. Nessus) Development of tools for tracing and debugging security-related operations Adapt products to conform to the Russian regulations in the area of security and cryptography Security activities are especially important to the M2M domain because M2M communications may involve critical areas such as healthcare and energy Business cases on the next few slides highlight areas of MERA s experience in security feature development

3 IP base station management solution with very limited or no user intervention A self-configurable system featuring: Mutual BS authentication (IPSec-based session authentication and data encryption) Protection from destruction, removal, disclosure, corruption, interruption to ensure network security and robustness against hacker attacks IKE support between gateways within one cluster Automatic configuration of base stations Automatic upgrade of base stations, e.g. in case of new installations or HW boards replacement Real-time equipment monitoring and users notifications through alarms mechanism KPI data downloading and building the appropriate reports Load balancing and geo-redundancy

4 Prototype compliant with WiMAX End-to-End Network Systems Architecture as specified by WiMAX forum Covers the following use-cases: Network entry Key renewal (UE re-authentication) Network leave (both UE and AAA initiated) Proxy-MIP based implementation WiMAX AAA framework compliant with IETF EAP-based authentication mechanisms PKMv2 based UE authorization and authentication EAP over Radius between ASN-GW and AAA server ASN-GW Authenticator features: Compliancy with RFC3748 and WiMAX forum Support of Radius messages and attributes as defined by WiMAX specifications Encapsulation of EAP messages in Radius packets and forwarding to AAA server Handling security information from AAA server (keys, lifetime, etc), derived keys generation Other appropriate UE profile data management Home AAA server (simulated): Based on FreeRadius open source project Automated tools to provision the server with WiMAX Radius dictionary and UE profiles Interaction with ASN-GW, DHCP server and Home Agent using Radius

5 Traffic analyzer applications for Gb/A interface (BSC-SGSN, BSC-MSC) and VoIP A part of real-time OSS monitoring wireless networks Collects raw data from Data Acquisition probes using UDP/IP (multicast, 8K Jumbo frames) or directly from an Ethernet network adapter Decodes Gb/A interface messages or VoIP ones and learns the network topology Generates Gb/A/VoIP tickets in XDR and internal formats reflecting mobile subscriber s operations and sends KPI/KPM over the network using TCP/IP or UDP/IP Gb/A/VoIP tickets/kpi s then used by other components to show information in a graphical form and to provide recommendations to Telcos helping the management of certain QoS aspects such as subscribers, radio optimization, device functionality and mobile broadband services Security features (through automated scripts and I&C documents): Tuning of Web-server security settings LDAP support OS hardening (security settings tuned at the OS level) RBAC (Role Based Access Control) - user roles mechanism Various monitoring scripts (e.g. periodical removal of disabled unused users) Database encryption IPSec support

6 Certificate Management System for Tier 1 telecom vendor targeted to manage the X.509 V3 digital certificates used by the IPsec protocol running in the enodeb to perform IKEv2 authentication with the SEG within LTE network. Key features: Public-key infrastructure (PKI) implementation for LTE networks CMPv2 over HTTP(s) protocol support for on-line certificates distribution PKCS #7/#10 support for off-line certificates exchange X.509 V3 certificate management Cross-certification automation (eutran sharing) Certificate Revocation List support and Renewal propagation Secure Key Management Architecture based on Thales Security World concept RHEL SELinux based RBAC and multi-level security Efficient HTTP(s) gateway secured by RHEL firewall & OS kernel configuration preventing DoS/DDoS attacks 99.99% reliability addressed by SW & HW solutions selection & maintenance Built-in System Monitor with self-healing and pre-defined defense scenarios RootCA, SubCA, core CMS components live upgrade External interfaces to OAM, LDAP enodeb simulator for stress, capacity testing

7 Development and support of Firmware for an entire product line of VoIP desk-phones of a leading vendor Implementing support for IPsec, TLS and DTLS Deep experience with OpenSSL and with specific security libs and frameworks of Mocana and Wind River Supporting licensing servers (FLEXlm) to deal with licensing specific capabilities (e.g. support for codec G.729) Implementing and supporting srtp media communications based on external libs (GIPS/WebRTC) and specific h/w platforms (Broadcom BCM chipsets) Adding signaling path encryption with support for 128-bit Advanced Encryption Standard (AES) Implementing support for Cisco VPN Supporting 802.1x (PNAC) and Extensible Authentication Protocol (EAP-MD5) for network authentication and access control Responsible for embedded WML client/browser with support for HTTPS Creating specific tools for tracing and debugging security-related operation of VoIP solutions Implementing a custom srtp dissector for Ethereal