Download Report

Infinite
Convergence
Securing Rich Communications
Services (RCS)
An Infinite Convergence White Paper
April 2015
Securing RCS
Infinite Convergence Solutions (C) Copyright (2015) All Rights Reserved
1
Rich Communications Services provide new end-user experiences, but just
providing a new experience is not enough. Both Users and Operators desire
safe and secure messaging. Infinite Convergence’s Rich Communications
Service provides the security necessary for the operator to gain user’s trust
and loyalty. This paper addresses areas of concern with an RCS Messaging
solution and how security is addressed.
Client Access
An RCS Client must register with the IMS Core / RCS Server prior to receiving access.
Registration consists of Validation of the user (i.e. are they an approved user of the network /
service), and Authentication of the user (i.e., are they whom they claim to be). Validation
typically consists of checking if the user’s identity is contained in an approved user database.
Authentication typically consists of challenging the client to prove they are whom they say to
be. This is accomplished with performing some form of authentication challenge. The IMS
Core performs the authentication when the client accesses the IMS Core. When the IMS Core
is not available and the client directly accesses the RCS Server, the RCS Server performs the
authentication. The RCS Server supports SIP Digest Authentication, Token-based
authentication or external server based authentication. Once the RCS Server has successfully
authenticated the client, a persistent connection is established with the client. All subsequent
communication is performed over the established connection, the RCS Server validates
messaging received on the established connection belongs to the authenticated user’s client.
Messaging
RCS Messaging (Chat, Standalone, File Transfer) is initiated by establishing
a SIP Session. SIP submission requests are validated to make sure the
sending user is authorized for RCS and approved for the service being
requested. The RCS Server functions as a Back-to-Back User Agent
(B2BUA), where all received messaging is terminated at the RCS Server
and the RCS Server initiates new requests to the recipient(s). The RCS
Server supports Transport Layer Security (TLS) to secure the SIP session.
Within the SIP request is a request for bearer transport, (MSRP or RTP)
depending upon the service being requested. The RCS Server supports TLS
for MSRP connections (Chat, Standalone – Large Message Mode, File
Transfer) and supports TLS for RTP (Video Share). MSRP and RTP
submissions received are only accepted from the negotiated SIP session.
Securing RCS
Infinite Convergence Solutions (C) Copyright (2015) All Rights Reserved
2
Connections
Separate VLANs can be supported for WiFi and internet access and IMS Core access. The
VLANs can be separate physical cables if desired. All ports, VIPs and services are closed,
except for SIP, MSRP and RTP. Security scans are performed to ensure the highest level of
security possible. OAM is supported via HTTPS and login access is secured by role-based
access control. A user’s roles determine what a user is allowed to view and modify on the
system. Access between network entities are secured with TLS.
Protocols
Only secure protocols are used for all operational interfaces. Insecure options are not
provided.
Specific cases include the following:
 OS level log in to the system is performed using ssh instead of telnet
 File transfer to and from the system is performed using SFTP instead of ftp
 Web UI access is performed using HTTPS instead of HTTP
 Alarms are generated using SNMPv2c
 All passwords that are provided to the RCS Server are stored in an encrypted manner
 Idle logins are automatically logged off
 Only necessary ports are enabled
The RCS Server supports a highly granular set of access permissions that can be assigned to
users based upon need.
Summary
Securing not only the client access but access to all network entities and restricting
administrator access provides a secure messaging solution.
Securing RCS
Infinite Convergence Solutions (C) Copyright (2015) All Rights Reserved
3
About Infinite Convergence Solutions
Incorporated in 2010, infinite Convergence is a subsidiary of Infinite Computer Solutions
LTD. With quality and reliability from our technology roots in Motorola, combined with
the agility and innovation expected from a modern company, Infinite Convergence
provides state of the art, highly available, and highly reliable messaging services
supporting the messaging needs of enterprises and Cellular Service Providers (CSPs)
worldwide.
Infinite Convergence provides a complete messaging product portfolio that includes:








Rich Communication Services (RCS)
Personal Messaging Cloud (PMC)
Presence with Network Address Book (PS)
Enterprise Messaging Service (EMS, EMS+, EMS Flex)
Multimedia Messaging Service Center (MMSC)
Short Messaging Service Center (SMSC)
Short Messaging Service Gateway (SMSGW)
Public Safety Multimedia Messaging Server (PSMM)
Global Offices:
HQ: Chicago
Sales Offices:
Chicago | Washington DC | Los Angeles | Munich | London | Bangalore | Singapore
Contact Us:
Website: www.infinite-convergence.com
Email: [email protected]
Securing RCS
Infinite Convergence Solutions (C) Copyright (2015) All Rights Reserved
4