Security for IP services is a significant factor in enabling wireless carriers and network operators to open their networks to next-generation access technologies. The nCite security gateway device provides advanced cryptography for the confidentiality and integrity of voice, data, and multimedia across IP networks, and further supports state-of-the-art certificate-based authentication mechanisms. Netrake, recently acquired by AudioCodes, started deploying the nCite Security Gateway (SG) in 2005. Netrake's heritage lies in developing powerful network processing technology and unique "deep packet inspection" capabilities. The nCite SG, along with the Mediant 8k Media Gateway, is a vital core component of next-generation wireless networks offering true dual-mode voice and data service to wireless handsets.
Introduction
The nCite Security Gateway product (nCite SG) is a hardened security device that utilizes state-of-the-art network processors. The nCite SG performs deep packet inspection and advanced cryptography in order to securely connect mobile subscribers to next-generation wireless networks. The nCite SG provides a scalable, secure, cost-effective solution allowing mobile subscribers to access services over WiFi from any location.
The nCite SG is carrier-grade in all respects (performance, capacity, reliability, scalability, management, and security) and is complementary to existing Service Provider infrastructures.
The nCite SG is a 3U, NEBS Level 3 compliant chassis. The nCite SG is based on the IETF Security Architecture for the Internet Protocol (IPsec) as defined in RFC 2401. Operating as a Security Gateway, the device establishes tunnel-mode security associations with mobile subscribers (MS) over an IP interface.
Network Architecture
The nCite SG is designed to support wireless architectures based on the Generic Access Network (GAN) standards, previously known as Unlicensed Mobile Alliance (UMA). The subscriber initiates an IPsec ESP tunnel to the Security Gateway using Internet Key Exchange version 2 (IKEv2). Upon successful authentication of the SG and the mobile subscriber, an uplink and a downlink IPsec security association are established between the SG and the MS. Further communication with the cellular network, via the GAN controller (GANC/UNC), is conducted solely within the confines of these security associations.

Figure 1: Network Architecture and Interfaces
Confidentiality and Integrity Mechanisms
The nCite SG performs cryptography and packet processing functions. The nCite SG terminates all security tunnels and uses the IPsec Encapsulating Security Payload (ESP) protocol for both authentication and confidentiality. For confidentiality, the nCite SG supports 3DES in CBC mode as defined in RFC 2451, as well as AES with a fixed key length in CBC mode as specified in RFC 3602. For authentication and integrity, the nCite SG supports pseudo-random functions based on the PRF-HMAC-SHA1 and PRF_AES_CBC algorithms as specified in RFC 2104 and RFC 3664.
Internet Key Exchange and Certificate Based Authentication
The nCite SG supports the Internet Key Exchange (IKEv2) protocol as specified in RFC 4306. The key exchange protocol is based on Diffie-Hellman standards for key management and supports mutual authentication of client and server. Diffie-Hellman (D-H) key exchange is a cryptographic protocol that allows two parties with no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric-key cipher. The GAN specification requires mutual authentication between the Security Gateway and the Mobile Subscriber (MS). The Wm interface, defined by 3GPP [TS 29.234], allows delegation of subscriber authentication to an AAA service running in the provider network, rather than requiring the nCite SG to maintain a copy of user credentials. The MS authenticates the Security Gateway through a certificate-based authentication scheme. Certificates are used to prevent man-in-the-middle attacks, eliminating the possibility of a third party impersonating either peer during secure session establishment.
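As an added illustration of the IKEv2 key derivation referred to above (example code written for this page, not Netrake's or the nCite product's own implementation), the following Python derives the IKE_SA keys with PRF-HMAC-SHA1 following RFC 4306 sections 2.13 (prf+) and 2.14 (SKEYSEED and SK_* keys). The nonces, SPIs and Diffie-Hellman shared secret are constructed placeholders, and the 16-byte encryption key assumes AES-128-CBC (24 bytes would correspond to 3DES).

```python
import hmac
import hashlib

PRF_LEN = hashlib.sha1().digest_size  # 20 bytes: output and key size of PRF-HMAC-SHA1


def prf(key: bytes, data: bytes) -> bytes:
    """PRF-HMAC-SHA1: HMAC (RFC 2104) over SHA-1, the PRF negotiated for the IKE_SA."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 4306 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n), n <= 255."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def derive_ike_sa_keys(ni, nr, g_ir, spi_i, spi_r, enc_key_len=16, integ_key_len=PRF_LEN):
    """RFC 4306 2.14: SKEYSEED = prf(Ni|Nr, g^ir); SK_* = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    skeyseed = prf(ni + nr, g_ir)
    # Order and sizes are fixed by the RFC: d, ai, ar, ei, er, pi, pr.
    sizes = [("SK_d", PRF_LEN), ("SK_ai", integ_key_len), ("SK_ar", integ_key_len),
             ("SK_ei", enc_key_len), ("SK_er", enc_key_len),
             ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in sizes))
    keys, pos = {}, 0
    for name, n in sizes:
        keys[name] = stream[pos:pos + n]
        pos += n
    return skeyseed, keys


# Constructed sample inputs (placeholders, not captured from any real exchange).
NI = bytes(range(16))
NR = bytes(range(16, 32))
G_IR = hashlib.sha256(b"constructed dh shared secret").digest()
SPI_I = b"\x00\x01\x02\x03\x04\x05\x06\x07"
SPI_R = b"\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"

if __name__ == "__main__":
    seed, sk = derive_ike_sa_keys(NI, NR, G_IR, SPI_I, SPI_R, enc_key_len=16)
    print("SKEYSEED", seed.hex())
    for name, k in sk.items():
        print(name, len(k), k.hex())
```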
Key Features
In addition to establishing IPsec ESP tunnels to dual-mode wireless handsets, the nCite SG supports the following capabilities:
- 300,000 IPsec tunnels per nCite SG
- Denial of Service (DoS) attack prevention
- Distributed Denial of Service (DDoS) attack prevention
- Man-in-the-middle attack prevention
- Firewall/Network Address Translation (FW/NAT) traversal
- IMSI filtering
- Dynamic session security
- Non-repudiation
- Rate limiting of tunnels and flows
- Access control (DNS, MGW, GANC/UNC, GPRS Gateway)