How to stay secure in an IMS world
Security is being overlooked in FMC networks now, exposing subscribers and their enterprise networks to new, unseen threats and risks. And as IMS is slowly rolled out, it is becoming clear that the traditional approach to service-provider security just doesn’t cut it.
Today’s Architectures
Today’s increasingly “connected” employees are demanding voice, video, data and wireless services in the home, at the office, even on the road, forcing service providers to build an architecture that can support this convergence. The IP Multimedia Subsystem (IMS) provides an open architecture for delivering converged triple- and quad-play services with high reliability and high performance.
With IMS, data and services of all types can quickly pass from one network to another, dramatically improving business productivity. However, this efficient transfer of data from network to network also introduces some very real security threats.
The IMS Security Challenge
As IMS is adopted, it is becoming clear that the traditional approach to service-provider security, focused on securing the edge of the network, is not sufficient to handle spyware, malware, worms and viruses previously isolated to the Internet or wireless networks.
Convergence of these previously isolated networks (Internet and wireless) with previously secure cable and wireline networks, and their intersection with free public networks like WiFi and WiMAX further exposes network vulnerabilities to a much wider set of devices. Additionally, these converged networks are at risk for denial of service attacks, spoofing and theft of service.
As a result, service providers need to adopt a more comprehensive approach to securing their networks -- one that does not focus on point or edge security, but rather provides a flexible, consolidated security services layer that begins at the network core.
Strategies in Use Today
In today’s networks, security is often set up with devices scattered throughout the network, in the core, at the edge and in between. Generally speaking, this scattered security approach is the result of attempts to re-use existing infrastructure and to save money. In an IMS world, this is simply not feasible.
IMS provides a unified architecture that supports converged IP-service and application delivery. Historically, these IP-based applications were delivered on either fixed or mobile networks, which were separate and distinct, and roaming or traversal across them was not supported. The issue at hand, quite simply, is that the security mechanisms originally put in place for each of these formerly “independent” networks are no longer sufficient now that applications and services roam across those boundaries. It is not enough to presume that today’s strategy, in which the security controls for a specific application sit on top of a specific access network, will still work once the application crosses a network boundary and continues service on the new network. In an IMS architecture, the active intelligence of control- and data-plane management resides within the IMS core, so security mechanisms need a holistic approach that is integrated into that core.
Proposed Alternatives
The philosophical alternatives for providing a security services layer in the IMS domain mirror those options provided for pre-IMS environments, namely a “one vendor fits all” approach versus the “best of breed” approach (albeit, the actual implementations are still in their infancy). However, given the sheer magnitude of applications and services functioning and co-existing in the IMS domain along with their associated security requirements, this argument easily swings in favor of the best of breed approach.
What would you choose: a single vendor claiming enough breadth of security expertise to “do it all,” or a system that clearly enables independent ISVs, each of which excels in its own specific security domain, to operate holistically within a Unified Threat Management (UTM) environment? The alternative that provides superior value and protection within the IMS framework is clear.
From Network Core – UTM Service Layer
Service providers who already have a true UTM platform in their network and are running multiple best-of-breed security applications can simply add a new blade carrying a new security application as new threats arise.
Unlike an all-inclusive media gateway, UTM hardware runs applications on individual blades. The chassis holds a given number of blades, and each application gets its own blade; blades are built to scale and can be remotely programmed and provisioned to deliver security applications where they are needed. Putting multiple applications on one box therefore results in device consolidation, and with it savings in cost, time and space.
And as IMS is slowly rolled out, there will be a slew of new security hardware and software devices created to solve new and perceived problems, which will only add to the cost of upgrading networks.
UTM technology provides a security services layer within the greater network architecture. UTM is not deployed at the provider edge, it is not embedded in the transport equipment and it is not based on closed, proprietary systems. Instead, it is a highly consolidated, flexible service layer that begins at the network core and allows service providers to deploy the most appropriate security measures precisely where they are needed most.
So what are the properties and characteristics of UTM equipment that make this service layer ideal for the IMS-based service provider infrastructure?
Flexibility
The most important property of a security layer in a converged services environment is the flexibility to deliver the right application, at the right time, for the right task, whether it is the driving of value-add security services – revenue generation – or the protection of critical assets based on the potential risk of those assets if compromised. Network protection needs to happen at wire speed. Furthermore, these protective capabilities must be provided on a multi-domain basis where virtualization of security policies on a per-subscriber (individual or enterprise) basis is required.
To function as an effective services layer, UTM technology should be deployed from the core of the network. Consider the following rationale:
· Computing vs. transport: A major wireless service provider recently chose to consolidate on a UTM platform, in turn reducing its number of firewalls by a factor of 15. This decision achieved a staggering 1500 percent reduction in equipment requirements, while also saving on operational costs. How is this possible? It’s actually quite simple. When the cost of transport is high in relation to the cost of computing, processing tends to move to the edge of the network. However, as the cost of transport falls, it becomes possible to move bits cheaply across the network to a more centralized and more powerful computing infrastructure without a loss in performance. The result? Huge savings.
· Enhance cooperation: In many organizations there is a natural tension between security and network teams. If you put security functionality into one network device, which party is ultimately responsible for the box? This same tension extends into an organization’s security team itself: should the firewall team have control over anti-virus and content protection? By maintaining a distinct and separate security layer, organizations can quickly introduce new services while avoiding internal politics and focus on what matters most, running an efficient and secure network.
· Changing network traffic: Traditional edge-based functions make sense when all traffic is local. But as we know, that simply isn’t the case in today’s network. The virtual nature of the Web ensures that traffic will flow into the core and on to other destinations rather than staying local. (Consider the proliferation of WiFi and WiMAX networks.) As a result, the gains from edge-based deployments are minimal and simply incur more cost than is necessary, because a feature-loaded edge device costs more than one optimized purely for transport. In addition, if an organization can virtualize the value-add protection service in the cloud, the resulting consolidated infrastructure will achieve greater economies of scale.
A UTM Services Layer
Is it the end for security devices sitting on the edge of the network? Of course not. Simple but important functions, including access control and some signaling protection, should still be deployed at the edge, because the protocols and methods involved don’t often change and place little strain on processing.
The real value of the UTM service-layer architecture is the combination of purpose-built hardware that accelerates and virtualizes network topologies with failover for massive scaling and redundancy. Additionally, a Linux array enables network security architects to add new best-of-breed security applications from multiple vendors, so that the infrastructure has access to the newest threat-mitigation techniques. Best-of-breed applications and flexibility at the core are essential in high-end UTM.
UTM done right has natural synergies with the IMS philosophy. Both strategies offer an open architecture that delivers converged services with high reliability and high performance. In an ever-competitive landscape, providers should aggressively pursue a true UTM infrastructure to offer the greatest service with the greatest security.
Throop Wilder is co-founder and vice president of marketing for Crossbeam Systems.
© 2008 Penton Media Inc.