TS-3GB-S.R0103-0v1.0 Network Firewall Configuration and Control (NFCC) - Stage 1 Requirements




Mar 3, 2005
THE TELECOMMUNICATION TECHNOLOGY COMMITTEE

Remarks

1. Application level of English description
Application level: E2. An English description is included in the text and figures of the main body, annexes and appendices.

2. Relationship with international recommendations and standards
This standard is based on Technical Specification S.R0103-0 (Version 1.0) approved by 3GPP2.

3. Departures from international recommendations
Changes to the original standard: standards referred to in the original standard which are replaced by TTC standards. Standards referred to in the original standard should be replaced by the derived TTC standards.

4. IPR
The status of the Confirmation of IPR Licensing Condition submitted is provided on the TTC web site.

5. Working Group
3GPP2 Working Group

3GPP2 S.R0103-0 Version 1.0
Version Date: 09 December 2004
Network Firewall Configuration and Control - NFCC Stage 1 Requirements

COPYRIGHT NOTICE
3GPP2 and its Organizational Partners claim copyright in this document and individual Organizational Partners may copyright and issue documents or standards publications in individual Organizational Partner's name based on this document. Requests for reproduction of this document should be directed to the 3GPP2 Secretariat at secretariat@3gpp2.org. Requests to reproduce individual Organizational Partner's documents should be directed to that Organizational Partner. See www.3gpp2.org for more information.


EDITOR: Trevor Plestid, Research in Motion, tplestid@rim.com

REVISION HISTORY
Rev number   Content changes       Date
1.0          Initial Publication   9 December 2004


Table of Contents
1 INTRODUCTION
2 REFERENCES
3 DEFINITIONS AND ABBREVIATIONS
3.1 Definitions
3.2 Abbreviations
4 GENERAL FEATURE DESCRIPTION
5 DETAILED FUNCTIONALITY REQUIREMENTS
5.1 Basic NFCC Requirements
5.2 Subscription Identity Based NFCC Requirements
5.3 Wireless ISP Grade of Service NFCC Requirements
5.4 Administration of NFCC Profiles
5.5 NFCC Scalability Requirements
5.6 NFCC Individual Subscriber Configuration Requirements
5.7 NFCC Applicability and Scope


1 INTRODUCTION

This document specifies the system requirements and operation of the Network Firewall Configuration and Control (NFCC) feature, from both the perspective of the subscriber and the system operator. The objective is to define and to standardize the functionality of this feature to be incorporated into the operations of cdma2000(1) based wireless telecommunications networks.

(1) cdma2000 is a trademark for the technical nomenclature for certain specifications and standards of the Organizational Partners (OPs) of 3GPP2. When applied to goods and services, the cdma2000 mark certifies their compliance with cdma2000 standards. Geographically (and as of the date of publication), cdma2000 is a registered trademark of the Telecommunications Industry Association (TIA-USA) in the United States.

As the cdma2000 network evolves toward All-IP, we can expect a change in the security needs of mobile subscribers, resulting from changes in how subscribers connect to the Internet:
1. Subscribers may be connected to the Internet for the entire time the mobile station is powered on.
2. There will be a greater percentage of mobiles with IP addresses assigned.

The IP availability of the mobile station for long periods of time invites direct attack at the network protocol layer. All Internet hosts need protection from malicious traffic, as provided by firewalls. Today's corporate Internet hosts generally operate with a firewall that prevents certain types of Internet access to hosts behind it. Home subscribers generally cannot depend on their ISP for similar protection, and may run a commercial firewall program of their own to prevent unwanted IP access.

Firewall protection in cdma2000 networks is equally essential, but faces new requirements and challenges:
- Air interface usage is an expensive resource, hence it is not economically feasible to pass all IP traffic to the mobile without filtering. Even if the mobile discards unwanted packets, most likely the subscriber will still be billed for the transfer.
- The problem is compounded by the use of dormancy in data connections. Unsolicited packets cause a dormant connection to become active, thereby utilizing air interface resources for the duration of the dormancy timer, even if the packets are discarded. Moreover, extra load for setting up connections is added to the signaling path each time a connection becomes active from dormancy.

The lack of protection against unsolicited IP packets to terminals can have the following impacts:
- Network capacity is negatively affected. Additional network resources are consumed (e.g. RF, channel card, etc.) for handling unproductive traffic load. In addition, resources could be consumed at the wireless infrastructure and base station as well, due to excessive signaling caused by unsolicited packets that wake up dormant mobile stations.

- In some solutions, MSC/HLR/VLR/AuC may be used for packet data authentication and network resource management. Use of these resources may increase significantly and impact MSC/HLR/VLR/AuC capacity.
- AAA server load is increased due to the need to handle authentication, authorization, and accounting for unsolicited, unproductive packet data traffic.
- There is an increase in data latency; as unsolicited data traffic increases, the network throughput of solicited traffic is reduced.
- Incorrect accumulation of billing records occurs.
- Mobile station battery life is negatively impacted.
- There is increased exposure to malicious hacks on mobile stations, via the Internet or within the home network's local subnet (e.g. a worm exploiting a hole via ICMP host discovery).
- If either the mobile station or the network does not support concurrent voice and data, the incidence of diverting incoming voice calls to voice mail increases.
- Receiving undesired unsolicited packets can be irritating to customers. It also has a negative impact on customer-to-operator relations, as discontented customers often blame their operator for the inconvenience of undesired packets.

There is a significant need to protect subscribers and operators from unwanted IP packets arriving at mobiles with open network data sessions.

2 REFERENCES

[1] X.S0011 cdma2000 Wireless IP Network Standard
[2] RFC 1918 Address Allocation for Private Internets

3 DEFINITIONS AND ABBREVIATIONS

3.1 Definitions

Solicited Packet: Any IP packet sent to a mobile station belonging to an IP flow for which the mobile is configured, or comprising previously established communication with an Internet node. For completeness, solicited packets include those from operator services such as IOTA and geo-location.

Standard Stateful Firewall: A network entity that tracks host solicitations under a subnet to hosts outside and within that subnet, subsequently allowing incoming traffic from the solicited hosts in accordance with the protocol and ports of the initial solicitation. Only default firewall rules are applied at the beginning of an IP session; new rules established during a session are discarded at the end of that IP session.

Unsolicited Packet: Any IP packet sent to a MS that is not a Solicited Packet.

3.2 Abbreviations

AuC   Authentication Center
BIOS  Basic Input-Output System
HLR   Home Location Register
ICMP  Internet Control and Management Protocol
IMSI  International Mobile Station Identity
IP    Internet Protocol
ISP   Internet Service Provider
IOTA  IP-based Over-The-Air service provisioning
MS    Mobile Station
MSC   Mobile Switching Center
NAI   Network Access Identifier
NAT   Network Address Translation
NFCC  Network Firewall Configuration and Control
PAT   Port Address Translation
PDSN  Packet Data Serving Node
RFC   Request For Comment
SSDP  Simple Service Discovery Protocol
VLR   Visitor Location Register
VPN   Virtual Private Network

4 GENERAL FEATURE DESCRIPTION

Data services require that mobile stations are reachable at the IP level from Internet routable or proxy IP addresses. This makes the mobile station vulnerable to direct attack (malicious or unintentional) at the network protocol layer. Note that a mobile station cannot effectively perform firewall functions, since radio channel establishment is required prior to firewalling decisions being taken. This makes it impractical for the mobile station alone to mitigate impacts due to unsolicited packets, though NFCC does not aim to preclude any supplemental firewall functions in the mobile station in addition to the ones addressed herein.

Furthermore, there may be applications or scenarios where a subscriber may need to receive unsolicited incoming requests. Note that this is not the case in current corporate Internet networks, where it is instead assumed that all sessions are initiated from the protected inner nodes.

The following categories of unsolicited packets require Network Firewall Configuration and Control:
- Stale Session Unsolicited packets: A mobile station has relinquished its dynamic IP address. An IP entity that the mobile station had established communications with can continue sending packets to this same IP address. When this IP address is reassigned to another device, the new device will now receive unsolicited packets. Examples are peer-to-peer file sharing and unterminated VPN sessions.
- Inter-subscriber Intra-subnet Unsolicited packets: Subnet-constrained broadcasts or serial unicast from one mobile to another are unsolicited packets. These are effectively unsolicited packets received from other subscribers served by the same operator. Examples are worms exploiting subnet discovery protocols such as ICMP or SSDP, or vulnerabilities caused by wireline approaches to service discovery, such as Microsoft NetBIOS.
- Malicious packets.

In the wireline ISP model, the mobile station is expected to assume the responsibility for firewalling. The wireless ISP model is inherently different, due to the heavy costs of requiring firewalling at the mobile station, outlined in the introduction. NFCC has the general property of pushing the firewalling decision into the IP core network of the wireless operator.

Wireless service providers desire to provide a wireline ISP grade of service, so there is a need to facilitate full Internet access for mobiles, just as landline ISPs do. This seems like a contradictory requirement: how can mobiles be allowed full Internet access while being protected from the Internet? Stateful firewall concepts can be used. In common stateful firewalls, all traffic is blocked until the mobile station solicits particular traffic. Profiles of allowed traffic may also be implemented. However, there are some serious disadvantages to this approach:
1. Common stateful firewalls are IP based, and not subscription based, thus the network does not provide the MS a means for persistence of previously established push service relationships.
2. Common stateful firewalls may have scalability issues for carriers that maintain millions of subscribers.
3. All unknown traffic is blocked by common stateful firewalls, not giving subscribers a choice in allowing desired traffic.

Firewalls are therefore an important part of cdma2000 networks. They are necessary for secure access to the Internet and other services. While NFCC specifies the adoption and utilization of firewalls in cdma2000 networks, NFCC should ensure its integration in cdma2000 based wireless networks, since firewalls may present issues with various protocols (such as Mobile IPv6/IPv4/IPsec) that are adopted into cdma2000 networks.
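The stale-session category above and the first disadvantage of common stateful firewalls (state keyed by IP address rather than by subscription) can be made concrete with a small model. The Python below is an added example, not part of the 3GPP2 specification or any vendor's implementation: the class and function names, the IMSI labels and the addresses are constructed, and the choice to persist only MS-initiated outbound flows across address changes follows the wording of NFCC5 in section 5.2.

```python
"""Stale-session packets: IP-keyed vs subscription-keyed stateful firewall.

Added example, not part of the 3GPP2 S.R0103 text. `IpKeyedFirewall`
behaves like the "standard stateful firewall" of section 3.1 (state keyed
by the mobile's IP address, lingering after the address is released).
`SubscriptionKeyedFirewall` keys state by subscription identity (IMSI/NAI,
NFCC4), persists MS-initiated outbound flows across address changes
(NFCC5/NFCC6) and drops the address binding when the address is released
(NFCC20). All identities, addresses and flows are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Remote side of a solicitation: host, protocol and port pair."""
    remote_ip: str
    proto: str
    remote_port: int
    local_port: int


class IpKeyedFirewall:
    """Common stateful firewall: solicitations are remembered per IP address."""

    def __init__(self):
        self.state = {}  # mobile IP -> set of solicited Flows

    def acquire(self, sub_id, mobile_ip):
        pass  # has no notion of which subscriber holds the address

    def outbound(self, mobile_ip, flow):
        self.state.setdefault(mobile_ip, set()).add(flow)

    def release(self, mobile_ip):
        pass  # state lingers until its idle timer eventually expires

    def allow_inbound(self, mobile_ip, flow):
        return flow in self.state.get(mobile_ip, set())


class SubscriptionKeyedFirewall:
    """NFCC-style firewall: state follows the subscription, not the address."""

    def __init__(self):
        self.binding = {}     # mobile IP -> subscription id (IMSI/NAI)
        self.persistent = {}  # subscription id -> MS-initiated outbound Flows

    def acquire(self, sub_id, mobile_ip):
        # NFCC6: re-apply the last known settings of this subscription.
        self.binding[mobile_ip] = sub_id
        self.persistent.setdefault(sub_id, set())

    def outbound(self, mobile_ip, flow):
        # NFCC5: MS-initiated outbound connections may be persistent.
        self.persistent[self.binding[mobile_ip]].add(flow)

    def release(self, mobile_ip):
        # NFCC20: rules tied to the address itself are reset; the
        # subscription's own persistent state is kept for its next session.
        self.binding.pop(mobile_ip, None)

    def allow_inbound(self, mobile_ip, flow):
        sub_id = self.binding.get(mobile_ip)
        if sub_id is None:
            return False  # address bound to nobody: nothing was solicited
        return flow in self.persistent[sub_id]


def stale_session_scenario(fw):
    """Replay the section 4 'stale session' case against one firewall.

    Returns (leaks_to_new_holder, restored_for_original_subscriber).
    """
    server = Flow("203.0.113.10", "tcp", 443, 50000)  # constructed peer
    # Subscriber A gets an address and opens a connection to the server.
    fw.acquire("IMSI-A", "10.1.2.3")
    fw.outbound("10.1.2.3", server)
    # A drops the session; the address is reassigned to subscriber B while
    # the server keeps sending packets belonging to the old session.
    fw.release("10.1.2.3")
    fw.acquire("IMSI-B", "10.1.2.3")
    leaks_to_new_holder = fw.allow_inbound("10.1.2.3", server)
    # A later returns with a different address.
    fw.acquire("IMSI-A", "10.1.9.9")
    restored = fw.allow_inbound("10.1.9.9", server)
    return leaks_to_new_holder, restored


if __name__ == "__main__":
    print("ip-keyed     :", stale_session_scenario(IpKeyedFirewall()))
    print("subscription :", stale_session_scenario(SubscriptionKeyedFirewall()))
```

Running the script shows the two failure modes side by side: the IP-keyed firewall lets the server's packets through to subscriber B and forgets A's flow entirely, while the subscription-keyed model blocks the packets for B and restores the flow for A on the new address. A real NFCC deployment would still need the configurable timeout of NFCC20 so that a subscriber's persistent flows do not live forever.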

5 DETAILED FUNCTIONALITY REQUIREMENTS

5.1 Basic NFCC Requirements

NFCC1. The wireless packet data network should provide mobile stations protection against unsolicited packets by preventing unsolicited IP packets from being transmitted on the forward link of the radio interface.

NFCC2. NFCC should provide a rudimentary protection against unsolicited packets to legacy mobile stations.

NFCC3. NFCC shall be compatible with the existing mobile features and services.

5.2 Subscription Identity Based NFCC Requirements

NFCC4. NFCC shall apply to the subscriber's subscription identity (e.g. IMSI or NAI) and may apply to the mobile station's currently assigned IP address.

NFCC5. NFCC shall provide a means to persistently store the last known firewall settings when a mobile station relinquishes its IP address. Any state that cannot be automatically regenerated in subsequent IP sessions shall be persistent. Not all firewall states should be persistent (for example automatic inbound firewall rules). MS initiated outbound connections may be persistent.

NFCC6. NFCC shall provide a means to apply the last known firewall settings when a mobile station acquires an IP address.

5.3 Wireless ISP Grade of Service NFCC Requirements

NFCC7. NFCC should allow for IP service to reach the MS without introducing security threats that are not currently possible.

NFCC8. NFCC shall provide the capability to individual subscribers (by subscription or by command) to allow any IP node to reach the individual MS without manual intervention where there are no prior firewall rules.

NFCC9. NFCC shall maintain a capability to pre-provision firewall rules, for example across all subscribers, or a subscriber profile, or on a per subscriber basis.

NFCC10. NFCC shall block any IP packet from reaching the MS where the packet does not meet the rules associated with the MS subscription.

NFCC11. NFCC shall be able to infer the rules for a MS that does not have NFCC capability.

NFCC12. NFCC shall take no action due to the network not being able to forward packets to the MS.

NFCC13. NFCC shall provide protection against unsolicited packets from other subscribers in the same IP subnet.

NFCC14. NFCC shall provide the mobile seamless service while roaming across network segments that support NFCC.

5.4 Administration of NFCC Profiles

NFCC15. NFCC shall allow for changes to firewall subscription profiles.

NFCC16. NFCC shall provide a means for network firewall configuration administrative override to allow certain servers to access the mobile station regardless of the subscriber's desired configurations (e.g. firewall subscription profiles to allow emergency IP-based services or default push services such as press-to-talk).

NFCC17. NFCC settings from the home network may be applied when the mobile roams outside its home network. For reasons of home network security, the NFCC feature shall allow NFCC Profile Administration to prevent revision of any firewall settings for a mobile station while roaming. Put differently, it shall be possible for the home network NFCC administrator to preclude importation of NFCC settings established by the mobile station while roaming.

NFCC18. The subscriber and operator shall have the ability to set the NFCC parameters for each subscriber or class of subscribers (e.g. NAI domain), with at least the following protection options:
- Block unsolicited IP packets except those configured by the subscriber or operator as allowable. Allowable IP addresses can be selected as individual addresses or as subnet addresses. Operators may establish allowable addresses that take precedence over subscriber settings.
- Allow all IP packets.

NFCC19. NFCC communications with the mobile, wireless infrastructure or other firewalls should take place in an encrypted and authenticated secure manner, including protection against replay attacks, to prevent compromising the subscriber state, as well as to prevent DoS attacks.

5.5 NFCC Scalability Requirements

NFCC20. NFCC should incorporate a wireless operator mechanism to discard the state of abandoned IP flows after a configurable timeout. In addition to the timeout, all firewall state information associated with the MS IP address is reset.
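The protection options of NFCC18, the operator-precedence rule for allowable addresses, the administrative override of NFCC16 and the roaming lock of NFCC17 can be expressed as a small policy evaluator. The Python below is an added example and not part of the specification; the profile fields, the function names, the precedence order among the rule classes and the sample addresses are assumptions chosen to illustrate the requirements, not something the text mandates.

```python
"""Evaluating an NFCC protection profile for one inbound packet.

Added example, not part of the 3GPP2 S.R0103 text. It encodes the two
NFCC18 protection options ("block unsolicited except allowable" and "allow
all"), allowable addresses given as single hosts or subnets, operator
allowable addresses taking precedence over the subscriber's, the NFCC16
administrative override, and the NFCC17 option for the home network to
refuse settings a mobile established while roaming. Profile contents and
packet addresses are constructed; the precedence order is one reasonable
reading of the requirements.
"""
import ipaddress
from dataclasses import dataclass, field

BLOCK_UNSOLICITED = "block_unsolicited"
ALLOW_ALL = "allow_all"


def _nets(cidrs):
    """Parse host addresses or subnets; a bare host becomes a /32 or /128."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def _matches(ip, networks):
    # An IPv4 address never matches an IPv6 network and vice versa.
    return any(ip in net for net in networks)


@dataclass
class NfccProfile:
    mode: str = BLOCK_UNSOLICITED
    subscriber_allow: set = field(default_factory=set)   # subscriber-chosen hosts/subnets
    operator_allow: set = field(default_factory=set)     # pre-provisioned by operator (NFCC9)
    operator_override: set = field(default_factory=set)  # NFCC16: always reaches the MS
    lock_while_roaming: bool = False                     # NFCC17 home-network policy


def decide(profile, src_ip, solicited):
    """Return (verdict, reason) for a packet from src_ip destined to the MS."""
    ip = ipaddress.ip_address(src_ip)
    if _matches(ip, profile.operator_override):
        return "allow", "operator administrative override (NFCC16)"
    if profile.mode == ALLOW_ALL:
        return "allow", "profile allows all IP packets"
    if solicited:
        return "allow", "packet belongs to a flow the MS solicited"
    if _matches(ip, profile.operator_allow):
        return "allow", "operator allowable address (precedes subscriber settings)"
    if _matches(ip, profile.subscriber_allow):
        return "allow", "subscriber allowable address"
    return "block", "unsolicited and no matching rule (NFCC10)"


def subscriber_adds_allowable(profile, cidrs, roaming):
    """Apply a subscriber change; refused while roaming if the home network locks it (NFCC17)."""
    if roaming and profile.lock_while_roaming:
        return False
    profile.subscriber_allow |= _nets(cidrs)
    return True


def sample_profile():
    """Constructed profile: operator push/emergency servers, one subscriber host, one IPv6 prefix."""
    return NfccProfile(
        subscriber_allow=_nets(["192.0.2.7", "2001:db8:1::/48"]),
        operator_allow=_nets(["203.0.113.0/24"]),
        operator_override=_nets(["198.51.100.0/24"]),
        lock_while_roaming=True,
    )


if __name__ == "__main__":
    p = sample_profile()
    for src, sol in [("198.51.100.9", False), ("192.0.2.7", False),
                     ("192.0.2.8", False), ("192.0.2.8", True),
                     ("2001:db8:1::42", False)]:
        print(src, "solicited" if sol else "unsolicited", decide(p, src, sol))
    print("change while roaming accepted:",
          subscriber_adds_allowable(p, ["192.0.2.8"], roaming=True))
```

The evaluator checks the operator override first so that emergency or default push servers reach the mobile whatever the subscriber chose, then falls through to the solicited-flow state and the two allow lists, and blocks everything else as NFCC10 requires. Note that the IPv4/IPv6 mix in the sample profile is handled by the ipaddress module's version check, which is the behaviour NFCC23 expects of a firewall that must apply to both.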

5.6 NFCC Individual Subscriber Configuration Requirements

NFCC21. NFCC shall provide a means for an operator to configure the firewall parameters for each subscriber.

NFCC22. NFCC shall provide a means for a subscriber to configure any firewall parameters via IP-based signaling. NFCC shall provide a mechanism for the mobile station to discover the address of the firewall. The support of this feature in the mobile station is optional.

5.7 NFCC Applicability and Scope

NFCC23. NFCC shall apply to private and public IP addresses. NFCC shall apply to SimpleIP and MobileIP. NFCC shall apply to IPv4 and IPv6 packets (see [2]).

NFCC24. NFCC shall provide the same capabilities regardless of whether the unsolicited packets originate within or outside of the wireless network.