Session Initiation Protocol Firewall for the IP Multimedia Subsystem Core

Cited by: 3
Authors
Bessis, Thierry [1]
Gurbani, Vijay K. [1]
Rana, Ashwin [1]
Affiliations
[1] Alcatel Lucent, IP & Next Generat Network Dept, Plano, TX USA
DOI
10.1002/bltj.20479
Chinese Library Classification (CLC) number
TP [Automation Technology, Computer Technology];
Discipline classification code
0812;
Abstract
As the deployment of Session Initiation Protocol (SIP) accelerates, there is an accompanying need to secure the SIP infrastructure. One way to do so is through a SIP firewall, which is loosely defined as a device that blocks attacks mounted via SIP. Using this definition, a firewall is indistinguishable from a session border controller (SBC), also used by SIP service providers to secure their networks. SIP firewalls and SBCs are often deployed by SIP service providers at the periphery of the network to impose some manner of order on the SIP traffic before allowing it to enter the network. In this vein, a SIP firewall needs to effectively block many SIP attacks and distinguish a distributed denial of service (DDoS) attack from a classic overload traffic arrival rate. But what exactly is a firewall and what features should it provide in its role of inspecting SIP traffic bound for the service provider's network? What are the economic and technical tradeoffs necessary for ubiquitous deployment? In this paper, we define the role of a firewall in protecting the IP Multimedia Subsystem (IMS) or SIP-based core network, distinguish it from an SBC, and characterize the specific threats to SIP messages at the L2 (data link layer), L3 (network layer), L4 (transport layer), and L5 (session layer). We show how a SIP firewall can thwart these attacks and we propose an implementation based on a simplified, but fully hardware accelerated SIP proxy as a front end SIP firewall. Such a system naturally blocks most attacks and implements many defense mechanisms. (C) 2011 Alcatel-Lucent.
Pages: 169-187
Number of pages: 19