Infinite Convergence

Securing Rich Communications Services (RCS)

An Infinite Convergence White Paper
April 2015

Securing RCS
Infinite Convergence Solutions (C) Copyright (2015) All Rights Reserved

Rich Communications Services provide new end-user experiences, but just providing a new experience is not enough. Both users and operators desire safe and secure messaging. Infinite Convergence's Rich Communications Service provides the security necessary for the operator to gain users' trust and loyalty. This paper addresses areas of concern with an RCS Messaging solution and how security is addressed.

Client Access

An RCS Client must register with the IMS Core / RCS Server prior to receiving access. Registration consists of validation of the user (i.e., are they an approved user of the network / service) and authentication of the user (i.e., are they who they claim to be).

Validation typically consists of checking whether the user's identity is contained in an approved user database. Authentication typically consists of challenging the client to prove they are who they say they are. This is accomplished by performing some form of authentication challenge.

The IMS Core performs the authentication when the client accesses the IMS Core. When the IMS Core is not available and the client directly accesses the RCS Server, the RCS Server performs the authentication. The RCS Server supports SIP Digest Authentication, token-based authentication or external-server-based authentication.

Once the RCS Server has successfully authenticated the client, a persistent connection is established with the client. All subsequent communication is performed over the established connection, and the RCS Server validates that messaging received on the established connection belongs to the authenticated user's client.

Messaging

RCS Messaging (Chat, Standalone, File Transfer) is initiated by establishing a SIP Session.
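
The registration flow described under Client Access (validation, a digest challenge, then tying later requests to the authenticated connection), sketched as an added example that is not Infinite Convergence's code. The realm, account, connection ids and the `Registrar` class are assumptions; the digest calculation is the RFC 2617 `qop=auth` form that SIP Digest uses.

```python
import hashlib
import hmac
import secrets

REALM = "rcs.example.net"          # assumed realm, not from the paper

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(ha1, method, uri, nonce, nc, cnonce):
    ha2 = md5_hex(f"{method}:{uri}")               # RFC 2617, qop=auth
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class Registrar:
    def __init__(self, approved):
        self.approved = approved   # user -> HA1 = MD5(user:realm:password)
        self.nonces = {}           # issued nonce -> highest nonce count accepted
        self.bound = {}            # connection id -> authenticated user

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def register(self, conn_id, user, uri, nonce, nc, cnonce, response):
        ha1 = self.approved.get(user)
        if ha1 is None:                            # validation: approved user?
            return "403 Forbidden"
        last = self.nonces.get(nonce)
        if last is None or int(nc, 16) <= last:    # unknown nonce or replayed nc
            return "401 Unauthorized"
        expected = digest_response(ha1, "REGISTER", uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):   # authentication
            return "401 Unauthorized"
        self.nonces[nonce] = int(nc, 16)
        self.bound[conn_id] = user                 # bind identity to connection
        return "200 OK"

    def accept_request(self, conn_id, from_user):
        return self.bound.get(conn_id) == from_user   # must match bound user

def demo():
    ha1 = md5_hex(f"alice:{REALM}:constructed-password")   # constructed account
    reg = Registrar({"alice": ha1})
    args = (f"sip:{REALM}", reg.challenge(), "00000001", "0a4f113b")
    resp = digest_response(ha1, "REGISTER", *args)
    ok = reg.register("conn-1", "alice", *args, resp)
    replay = reg.register("conn-2", "alice", *args, resp)   # same nc again
    return ok, replay, reg.accept_request("conn-1", "alice"), reg.accept_request("conn-2", "alice")
```
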
SIP submission requests are validated to make sure the sending user is authorized for RCS and approved for the service being requested. The RCS Server functions as a Back-to-Back User Agent (B2BUA), where all received messaging is terminated at the RCS Server and the RCS Server initiates new requests to the recipient(s). The RCS Server supports Transport Layer Security (TLS) to secure the SIP session.

Within the SIP request is a request for bearer transport (MSRP or RTP), depending upon the service being requested. The RCS Server supports TLS for MSRP connections (Chat, Standalone – Large Message Mode, File Transfer) and supports TLS for RTP (Video Share). MSRP and RTP submissions received are only accepted from the negotiated SIP session.

Connections

Separate VLANs can be supported for WiFi and internet access and IMS Core access. The VLANs can be separate physical cables if desired. All ports, VIPs and services are closed, except for SIP, MSRP and RTP. Security scans are performed to ensure the highest level of security possible.

OAM is supported via HTTPS and login access is secured by role-based access control. A user's roles determine what a user is allowed to view and modify on the system. Access between network entities is secured with TLS.

Protocols

Only secure protocols are used for all operational interfaces. Insecure options are not provided.
Specific cases include the following:

- OS-level login to the system is performed using SSH instead of Telnet
- File transfer to and from the system is performed using SFTP instead of FTP
- Web UI access is performed using HTTPS instead of HTTP
- Alarms are generated using SNMPv2c
- All passwords that are provided to the RCS Server are stored in an encrypted manner
- Idle logins are automatically logged off
- Only necessary ports are enabled

The RCS Server supports a highly granular set of access permissions that can be assigned to users based upon need.

Summary

Securing not only the client access but also access to all network entities, and restricting administrator access, provides a secure messaging solution.

About Infinite Convergence Solutions

Incorporated in 2010, Infinite Convergence is a subsidiary of Infinite Computer Solutions LTD. With quality and reliability from our technology roots in Motorola, combined with the agility and innovation expected from a modern company, Infinite Convergence provides state-of-the-art, highly available, and highly reliable messaging services supporting the messaging needs of enterprises and Cellular Service Providers (CSPs) worldwide.

Infinite Convergence provides a complete messaging product portfolio that includes:

- Rich Communication Services (RCS)
- Personal Messaging Cloud (PMC)
- Presence with Network Address Book (PS)
- Enterprise Messaging Service (EMS, EMS+, EMS Flex)
- Multimedia Messaging Service Center (MMSC)
- Short Messaging Service Center (SMSC)
- Short Messaging Service Gateway (SMSGW)
- Public Safety Multimedia Messaging Server (PSMM)

Global Offices:
HQ: Chicago
Sales Offices: Chicago | Washington DC | Los Angeles | Munich | London | Bangalore | Singapore

Contact Us:
Website: www.infinite-convergence.com
Email: [email protected]