Authentication as a Service for LTE Base Stations
White Paper: Authentication as a Service for LTE Base Stations
Prepared by Patrick Donegan, Senior Analyst, Heavy Reading, on behalf of
May 2012

New Network Security Challenges in LTE

The 3GPP network architecture changes in some fundamental ways in the transition from 3G to LTE. These changes have a major impact on the way security is provided in the mobile network, including the authentication of base stations, or eNodeBs, in the network.

Figure 1: Authentication and Encryption in 3G and LTE Networks (Source: Heavy Reading)

These changes in the LTE architecture and their security implications can be summarized as follows:

- The RNC is no longer a dedicated node in LTE. Instead, its functions are distributed between the Evolved Packet Core and the eNodeB. This increases the operator's exposure in LTE compared with 3G, since the 3GPP encryption that is instantiated in the end-user device now terminates in the eNodeB rather than the RNC. From a security perspective, in LTE the 3GPP encryption now terminates at many sites at the edge of the mobile network, instead of a handful of nodes located much deeper in the network.
- Whereas 3G was originally designed with TDM backhaul in mind, LTE was designed to be launched with IP/Ethernet backhaul. From a security point of view, 3G was originally designed to be deployed with a highly secure backhaul technology, whereas LTE is required to be deployed with a backhaul technology with known security vulnerabilities that are exploited and extended by large numbers of hackers and attackers every day.
- To keep up with the huge growth in mobile broadband data consumption, mobile operators recognize that in the coming years they will need to start supplementing their macro and microcell layers with new public access small cells. These are designed to be mounted on building walls, bus stops, lampposts and the like, and mobile operators envisage deploying four to eight or even more of these public access small cells per macro cell. Precisely because the small cell deployment model assumes such easily accessible locations, these sites will inevitably be much more vulnerable to tampering and security breaches than conventional macro and micro cells that have strong physical protection against intrusion and unauthorized intervention.

As formally recognized by the Next Generation Mobile Network (NGMN) Alliance in its February 2012 White Paper on "Security in LTE Backhauling," the primary threats that arise in the context of the LTE network are:

- Insider attacks: abuse of administrator rights (eNodeB or Cell Site Gateway access)
- External attacks via networks: from Internet or other PDN, from GPRS roaming exchange or other PLMN, from an external transport network or external non-3GPP access network
- External attacks on physical access to the network: on the radio interfaces, tampering with easily accessible (e.g., small cells), unauthorized physical access to network ports
- Attacks from mobiles

To mitigate these security vulnerabilities in LTE, 3GPP provides for the use of IPsec authentication and encryption between the eNodeB and the core network. This is designed to protect the integrity of user traffic and the network wherever the operator considers the backhaul network to be what 3GPP defines as "untrusted."

Three years ago, when most operators first started contemplating LTE deployments, it was common for them to resist the use of IPsec on the grounds that it would add cost and complexity to the network. But Figure 2 shows how the position of mobile operators has shifted over the last couple of years.

Figure 2: Adoption of IPsec for LTE
Question: "For the first three years following the launch of LTE, to what extent do you expect that IPsec will be needed between the LTE cell site and the LTE core?"

| % of all operators | Sept. 2011 Mobile Security Survey | Dec. 2010 Backhaul Survey |
|---|---|---|
| All cell sites will need IPsec implemented | 37% | 20% |
| At least half of all cell sites will need IPsec implemented | 11% | 13% |
| A subset of cell sites will need IPsec implemented | 12% | 19% |
| IPsec will probably not be needed in the backhaul | 15% | 17% |
| IPsec will definitely not be needed in the backhaul | 5% | 1% |
| It's still unclear at this stage | 20% | 29% |

Source: Heavy Reading; n=83 (2010) and 84 (2011)

As shown in Figure 2, two separate surveys of more than 80 qualified network-oriented professionals, carried out in December 2010 and then again in September 2011, demonstrate growing acceptance of the need for IPsec to secure the LTE network. 48 percent of respondents in September 2011 reckoned that IPsec will be required at at least half of LTE cell sites, compared with just 33 percent in December 2010. 37 percent reckoned it will be needed at all LTE cell sites in September 2011, compared with just 20 percent nine months earlier.

Authentication of eNodeBs Using PKI

According to 3GPP TS , where IPsec is deployed by the mobile operator this protocol necessarily provides the encryption of traffic between the eNodeB and the core of the LTE network. Where the authentication of the eNodeB is concerned, however, 3GPP provides a choice of model:

- The first option is to use a manual, so-called "shared secret," authentication model. This entails a field engineer manually entering a cryptographic key at the cell site during the initial setup process. That pre-shared key will have been generated by the operator's own operations team. Once it is entered at the new cell site by the field engineer, it is recognized as legitimate and trusted, and the eNodeB will duly be authenticated by the network.
- The second option is to deploy Public Key Infrastructure (PKI) with IPsec, based on the Internet Key Exchange Version 2 (IKEv2) and Certificate Management Protocol Version 2 (CMPv2).

While most operators that have launched LTE so far have done so using the manual shared secret authentication model, there are good grounds for thinking that over time, operators will want to start adopting the PKI model.

The manual entry of shared secret keys into each eNodeB by an operative, while preserving their secrecy, is prone to human error, and hence potentially expensive from an opex perspective. Automating symmetric key management according to proprietary solutions is liable to be expensive, as well.

In the interests of security, shared secret keys should be changed regularly. Managing that program of key renewal without affecting operational stability, together with the necessary site visits to carry out changes, is also potentially expensive from an opex perspective.

As previously pointed out, the introduction of public access small cells into the network will result in an acceleration in the rate of deployment of cell sites in the mobile network. As a result, the operational challenges of a manual shared secret key model will become increasingly acute as the operator looks to scale LTE capacity with growing subscriber and data traffic volumes. The growth of machine-to-machine applications using LTE will grow the number of end points in the network still further, amplifying the challenge posed by the growth in the number of cell sites.

As shown immediately below, the automated PKI authentication model as defined by 3GPP introduces an additional layer of security into the authentication process as compared with the manual shared secret model.

3GPP's Model for Certificate Enrollment in a PKI Environment

Figure 3 shows the basic 3GPP architecture for PKI-based authentication of eNodeBs in LTE. A RAN vendor provides its own root certificate to the mobile operator. That root certificate is then pre-installed in the mobile operator's Registration Authority (RA) or Certification Authority (CA). That then serves as the primary source of trust, enabling multiple certificates to be issued by the CA to the eNodeB according to what is, in essence, a client-server model.

Figure 3: Certificate Enrollment for eNodeBs in LTE (Source: 3GPP TS)

The two-way authentication is enabled by the vendor's own signed certificate being pre-installed in the eNodeB. Importantly, as mandated by 3GPP, the authentication is supported by the use of the Certificate Management Protocol Version 2, or CMPv2, an Internet protocol used to manage the request and distribution of X.509 digital certificates within a PKI solution.

Once authenticated, the eNodeB is authorized to instantiate one or more IPsec encryption tunnels and send traffic across the network towards the core with IPsec encryption. The traffic is decrypted at the Security Gateway (SEG), in part enabled by the operator's own root certificate being pre-installed.

Enhancements to Existing PKI Systems Based on Internet Protocols

3GPP's approach to PKI draws entirely from existing Internet protocols. The main way in which 3GPP's deployment model materially differs from most other PKI implementations is that it is among the first to leverage the CMPv2 protocol, and among the first to leverage one particular advanced feature of CMPv2. This is the capability that CMPv2 has (a capability rendered mandatory by 3GPP for LTE) to use two certificates, a Vendor Base Station Certificate and an Operator Base Station Certificate, rather than just one, as in the model used in most PKI systems up until now.

In the LTE environment, the mobile operator has its own certificate, much as any enterprise running its own PKI would. In addition, however, the authentication mechanism prescribed by 3GPP leverages the advanced features of CMPv2 to require a second certificate. This is the RAN vendor's own certificate, which it assigns to the eNodeB during the manufacturing process. The vendor's certificate is then required to authenticate the initial request for the operator's certificate upon turning up each LTE eNodeB to commercial service for the very first time. This vendor certificate effectively replaces a One Time Password, which has to be entered manually in typical enterprise PKIs.

After the initial authentication of the eNodeB at the time of service turn-up, all subsequent update certificates for that eNodeB are authenticated solely by the operator's certificate according to traditional PKI models. Importantly, however, the requirement for the second certificate to participate in the authentication at the point of service turn-up provides a valuable additional layer of security. This goes above and beyond the security and automation provided by the manual shared secret model and above and beyond what is provided by most present-day PKI models in the enterprise environment.

From the perspective of designing and operating a CA for LTE authentication, relatively few changes should be required to render existing PKI equipment and system parameters compliant with 3GPP requirements for LTE. In addition to support for CMPv2, including the ability to enable a dual certificate signature model at the initial point of service turn-up, two other enhancements to existing PKI systems are liable to be required to render them 3GPP-compliant:

- Since base stations are objects rather than human operatives, the CA needs to be able to support eNodeB serial numbers in issuing certificates, rather than the user names of individual operatives, as has been typical with PKI systems until now.
- If an LTE eNodeB is legitimate, it can only have an IP address that comes from within the mobile operator's own unique IP address range. Therefore, a CA needs to be able to restrict issuing certificates to within that specified IP address range.

PKI Authentication: A Mobile Operator's Core Competency?

There is little in the changes of the LTE security architecture that would make a mobile operator want to radically alter its present-day operating model so far as the right-hand side of Figure 3 is concerned. So whether the operator runs its network itself or outsources the operation of parts of the network to a vendor partner, the operator will deploy and manage its SEG and eNodeBs in much the same way as it manages its 3G network infrastructure.

The same is not so true of the left-hand side of Figure 3, however. Designing, operating and maintaining a PKI solution with its own CA at the heart of it, on the scale that is liable to be required for LTE, represents a new security model compared with what most mobile operators are used to. Moreover, there are a number of security specialists that are experienced in offering cloud-based certification services as a managed service and are tailoring their capabilities to the mobile operator sector to align with the emerging market requirements for LTE.

It is for this reason that when mobile operators come to roll out LTE, they need to look carefully at the case for leasing authentication as a service from a leading cloud-based provider, as well as the case for building their own PKI infrastructure from scratch.
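
The CA-side rules described under "Enhancements to Existing PKI Systems" above (certificates issued to eNodeB serial numbers, issuance restricted to the operator's IP range, the vendor certificate authenticating only the first request and the operator certificate every later one) can be expressed as a policy gate in front of the CA. The Python below is an added example, not code from the white paper, 3GPP or any vendor; the serial format, root names, address range, the enrolled-serial set and the assumption that the CMPv2 layer has already validated the request signature and certificate chain are all illustrative.

```python
import ipaddress
import re
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    INITIAL = "initial"  # first turn-up of the eNodeB to commercial service
    UPDATE = "update"    # any later certificate update


@dataclass(frozen=True)
class Request:
    kind: Kind
    subject: str         # identity to be placed in the operator certificate
    source_ip: str       # address the eNodeB sent the request from (assumed known)
    signer_subject: str  # subject of the certificate that signed the request
    signer_root: str     # root the signer's chain validated to (checked upstream)


@dataclass(frozen=True)
class Policy:
    vendor_root: str
    operator_root: str
    networks: tuple            # operator-owned address ranges
    serial_format: re.Pattern  # hypothetical serial number format
    enrolled: frozenset        # serials already holding an operator certificate


def evaluate(req: Request, policy: Policy) -> list:
    """Return the list of policy violations; an empty list means 'issue'."""
    problems = []
    # Certificates are issued to device serial numbers, not user names.
    if not policy.serial_format.fullmatch(req.subject):
        problems.append("subject is not an eNodeB serial number")
    # A device may only request a certificate for itself.
    if req.signer_subject != req.subject:
        problems.append("request signed by a certificate for a different device")
    # Vendor certificate authenticates the first request only; afterwards
    # the operator certificate is the sole accepted credential.
    if req.kind is Kind.INITIAL:
        required_root = policy.vendor_root
        if req.subject in policy.enrolled:
            problems.append("serial already enrolled; updates must use the operator certificate")
    else:
        required_root = policy.operator_root
        if req.subject not in policy.enrolled:
            problems.append("update requested for a serial with no prior enrolment")
    if req.signer_root != required_root:
        problems.append(f"request must be authenticated under {required_root}")
    # Issuance is restricted to the operator's own address range.
    try:
        addr = ipaddress.ip_address(req.source_ip)
    except ValueError:
        problems.append("source address is not a valid IP address")
    else:
        if not any(addr in net for net in policy.networks):
            problems.append("source address is outside the operator's IP range")
    return problems


# Constructed sample policy and requests (all values are made up).
POLICY = Policy(
    vendor_root="CN=Example RAN Vendor Root CA",
    operator_root="CN=Example Operator Root CA",
    networks=(ipaddress.ip_network("10.20.0.0/16"),),
    serial_format=re.compile(r"ENB-[0-9]{8}"),
    enrolled=frozenset({"ENB-00000042"}),
)
V, O = POLICY.vendor_root, POLICY.operator_root
SAMPLES = {
    "first turn-up": Request(Kind.INITIAL, "ENB-00000107", "10.20.3.9", "ENB-00000107", V),
    "renewal": Request(Kind.UPDATE, "ENB-00000042", "10.20.7.1", "ENB-00000042", O),
    "outside operator range": Request(Kind.INITIAL, "ENB-00000108", "192.0.2.10", "ENB-00000108", V),
    "user name as subject": Request(Kind.INITIAL, "jsmith", "10.20.3.10", "jsmith", V),
    "vendor cert reused": Request(Kind.INITIAL, "ENB-00000042", "10.20.7.1", "ENB-00000042", V),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        problems = evaluate(req, POLICY)
        print(f"{name}: " + ("ISSUE" if not problems else "REJECT: " + "; ".join(problems)))
```

Rejecting a vendor-authenticated request for a serial that is already enrolled is one way to enforce the "operator certificate only after turn-up" rule; how a real CA tracks enrolment state is deployment-specific.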

Self-Build PKI Solutions for LTE

PKI infrastructure is a relatively mature technology and has been widely deployed in enterprise and telco environments for many years. Some mobile operators may even have some experience of using it on the IT side of the house, for example for improving WLAN security with 802.1x, securing internal and external websites, signing code and sensitive documents, and the like. Until now, however, mobile operators have had no reason to deploy a PKI infrastructure on the telco side of the house as a part of the security infrastructure for the cellular network infrastructure itself.

There is no reason at all why a mobile operator can't build its own PKI infrastructure. If they take the view that, as a part of their security solution, it should not be outsourced, or that the act of outsourcing is itself a security risk, then provided the operator invests enough capex and opex, there is nothing to stop the operator going down the self-build route.

The following is a high-level perspective on the primary elements of a PKI solution that are needed to support an LTE deployment and the design and management capabilities that are needed to support it.

The PKI equipment. This is pretty straightforward. The operator basically needs to invest in some standard server equipment and some PKI software together with some hardware security modules. There's certainly nothing unduly taxing about that capital outlay.

The design of the PKI data center facility. This gets trickier. Obviously, this requires real estate in the operator's facilities. A PKI infrastructure that supports a service that is open to the general public, as a mobile operator does, also needs to house the equipment in highly secure data center facilities that should conform to strict security auditing standards.
In Europe, for example, these auditing standards are laid down in ETSI TS. To begin with, many mobile operators won't have the in-house expertise to design such a facility in a manner that would pass an annual audit. That would therefore typically require either hiring a full-time person or a short-term contractor, which introduces project risk once the individual's contract has expired. Walls and doors should meet certain high-specification security standards in terms of thickness and other quality and security criteria. And access control needs to be carefully designed. One example is so-called "man-trap" doors, which are similar to those sometimes installed in banks, so that only one person at a time can enter through each secure door, which closes immediately behind them.

Operational headcount and processes. Depending on the level of sophistication the operator wants to deploy, a PKI data center is likely to require staffing by anywhere from three to eight full-time employees. PKI policies and operational processes need to be defined. Operational processes also need to be highly secure. This means, for example, that while it might be optimal from a cost point of view to have the same individual be charged with a variety of tasks in managing the PKI infrastructure, in fact security requirements should prohibit certain combinations of tasks being assigned to the same person, lest that person then become a security risk in their own right. Interoperability between the PKI infrastructure and each release of the RAN vendor's eNodeBs and the SEG also needs to be managed.

With enough investment in facilities, people, equipment and processes, a mobile operator should certainly be capable of running its own PKI infrastructure to a high standard. But getting PKI security right is decidedly non-trivial. There have, for example, been instances of PKI CAs being shut down after security breaches resulting in the CA issuing fraudulent certificates.

Base Station Authentication as a Service

Integrated incumbent telecom operators as well as pure-play mobile operators have tended to reduce rather than increase headcount in recent years. They have been and remain under pressure from a rebalancing of revenues from voice to data and the increasing challenges of keeping up with the growth in data traffic without materially exceeding sustainable levels of capex and opex.

Mobile operators continue to look to allocate limited human and capital resources into areas that will maximize cost savings or new revenues. And as they do so, every cost center is one that needs to be carefully evaluated according to whether it can most successfully be performed in-house or outsourced to third parties that can offer concentrated expertise or scale, or both, in an area that may be outside the operator's core competence.

There are several reasons for considering authentication of LTE network elements as a potential candidate for outsourcing. To begin with, this is a model in which the operator's user traffic continues to remain entirely within the mobile operator's domain. So not only is it just control traffic that exits the mobile operator's network to a managed service provider according to this model, it's also a relatively small proportion of the operator's control traffic. The model is also based on mature PKI standards that are not only widely deployed in telecom and IT markets worldwide but also adapted and embraced by 3GPP.
Moreover, there are a number of managed service providers, such as Symantec, that have track records in providing cloud-based authentication services at scale based on these standards, albeit not yet for mobile operators rolling out LTE.

Let's begin with the cost of the infrastructure itself. A managed service provider selling authentication as a service should be able to leverage its facilities, its PKI infrastructure and its specialized, skilled personnel a lot more cost-efficiently than the operator can by building out its own dedicated facilities and hiring its own dedicated people. This is particularly pertinent in the case of the marginal cost associated with security processes requiring that certain tasks be distributed across different personnel, rather than concentrated in one person.

With a managed services approach, the up-to-the-minute PKI expertise is also permanently available to the mobile operator, whereas in a self-build model these experts might only be brought in for the initial setup phase and perhaps brought back in again intermittently, according to a model which risks being less seamless as well as potentially more expensive.

Given that it is designed to support several different mobile operators, a managed service provider should be able to support an ongoing program of interoperability between its PKI infrastructure and different vendors' RAN and core infrastructure at a significantly lower cost than an operator can support investing in this capability by itself.

Figure 4: Process Flow in a PKI Managed Service Model for LTE (Source: Symantec)

The SLAs for an LTE Authentication Model

For a mobile operator to have confidence in a managed service provider delivering authentication as a service, the managed service provider needs to be able to commit to an SLA that meets the mobile operator's requirements exactly. This means being highly attuned to the unique requirements of the LTE network.

First and foremost, mobile operators don't want "support" of the conventional kind written into an SLA for authentication as a service. They typically don't want to be able to send a question to a support team and be guaranteed a response within a specified number of hours. The mobile operator is typically not going to want to receive a "trouble ticket." Rather, they are likely to want the managed service provider itself to proactively monitor, manage and troubleshoot the PKI service.

The availability of the CA to the mobile operator needs to be nailed down in the SLA. This needs to be done not just in terms of specifying no more than a given amount of hours of non-availability per month. At a more granular level, the SLA also needs to specify that no one incident of non-availability will last longer than a specified number of minutes. And no proportion of total allowable down-time will occur during specified hours of the day when the operator is most likely to need to carry out changes to the RAN infrastructure.

Processing time also needs to be defined. For example, when the mobile operator sends a certificate request to the CA as the operator looks to turn up a new eNodeB to commercial service, the SLA needs to specify that it will receive a response within a specified timeframe. The same processing times need to be defined with respect to the maximum time allowed to pre-approve, revoke and validate certificates, depending on the specific operator's requirements.

Another area requiring definition is the volume of transactions: for example, the maximum daily volume of certificates that the operator is entitled to, as well as the frequency with which they can be requested consecutively.

Conclusion

With encryption and authentication terminating in the eNodeB, LTE presents new security exposures for mobile operators. 3GPP has anticipated these and provides for IPsec to defend against these new exposures. Mobile operators increasingly recognize that while IPsec may only be an option in 3GPP, it will increasingly be required as LTE is rolled out.

The question of whether the authentication of each eNodeB should be done manually or automatically, leveraging mature PKI standards, is more or less a no-brainer. Over time, the manual shared secret model simply won't scale well.

The next question that operators will need to consider carefully is whether or not to invest capex and opex in their own facilities and extra headcount to build up this sophisticated authentication capability in-house. In days gone by, self-build would have typically been the first instinct of the mobile operator's management team. But we are now in an era when mobile network operating margins will increasingly come under pressure, and when specialist and managed service providers can also offer cloud-based services such as network authentication at potentially significantly lower cost.

In this era, mobile operators need to think very carefully about whether a self-build model still aligns with their security, revenue and margin goals, or whether buying in base station authentication as a service could start to look like a more compelling option.

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help our customers, from consumers and small businesses to the largest global organizations, secure and manage their information and identities independent of device. Symantec does this by bringing together leading software and cloud solutions that work seamlessly across multiple platforms, giving customers the freedom to use the devices of their choice and to access, store and transmit information anytime, anywhere.
We ensure that sensitive data is protected through all phases of its use. This information-centric approach makes data protection more intelligent, policy-driven and easier to manage. By leveraging our already rich experience in securing and managing information, Symantec has rounded out the portfolio by acquiring new capabilities, building new solutions, and integrating encryption and policy management capabilities to the authentication services.

Symantec has a strong focus on the communication service provider industry. With its solutions it protects 9 out of the 10 largest telecom companies worldwide. Symantec operates the largest and most comprehensive PKI solutions for enterprises and service providers available on the market today, and has been doing so since. More than 200 million device certificates have been issued to date.
More informationHow much do you pay for your PKI solution?
Information Paper Understand the total cost of your PKI How much do you pay for your PKI? A closer look into the real costs associated with building and running your own Public Key Infrastructure and 3SKey.
More informationSecurity for Application Service Providers
Security for Application Service Providers Overview Outsourcing is nothing new. Time sharing services for data processing have been around for some time. EDI applications have been at least partially outsourced
More informationAn Oracle White Paper December 2013. The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks
An Oracle White Paper December 2013 The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks Introduction Today s mobile networks are no longer limited to voice calls. With
More informationIs backhaul the weak link in your LTE network? Network assurance strategies for LTE backhaul infrastructure
Is backhaul the weak link in your LTE network? Network assurance strategies for LTE backhaul infrastructure The LTE backhaul challenge Communication Service Providers (CSPs) are adopting LTE in rapid succession.
More informationEnterprise Technology Vendor Service
Enterprise Technology Vendor Service E-SPIN's provide full range of Enterprise Technology Vendor Services, from routine ICT technology product (hardware, software, consumables) procurement, to software
More informationUse of MPLS in Mobile Backhaul Networks
Use of MPLS in Mobile Backhaul Networks Introduction Backhaul plays a vital role in mobile networks by acting as the link between Radio Access Network (RAN) equipment (Eg: radio basestation) and the mobile
More informationPCI DSS Top 10 Reports March 2011
PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,
More informationInternet Content Provider Safeguards Customer Networks and Services
Internet Content Provider Safeguards Customer Networks and Services Synacor used Cisco network infrastructure and security solutions to enhance network protection and streamline compliance. NAME Synacor
More informationHIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper
HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper Rev 1.0 HIPAA Security Considerations for Broadband Fixed Wireless Access Systems This white paper will investigate
More informationS-Series SBC Interconnect Solutions. A GENBAND Application Note May 2009
S-Series SBC Interconnect Solutions A GENBAND Application Note May 2009 Business Requirements A ubiquitous global voice service offering is the challenge among today s large service providers. The need
More informationCA Enterprise Mobility Management MSO
SERVICES DESCRIPTION CA Enterprise Mobility Management MSO At a Glance Today, your customers are more reliant on mobile technologies than ever. They re also more exposed by mobile technologies than ever.
More informationSecurely Access and Manage Firewall- Protected Equipment From Anywhere
Securely Access and Manage Firewall- Protected Equipment From Anywhere Contents Introduction... 3 Remote Device Management... 3 Overcoming the Hurdles... 4 Beyond Analog and Cellular Modems... 5 ManageLinx
More informationIndustry. Head of Research Service Desk Institute
Asset Management in the ITSM Industry Prepared by Daniel Wood Head of Research Service Desk Institute Sponsored by Declaration We believe the information in this document to be accurate, relevant and truthful
More informationHow To Use A Femtocell (Hbn) On A Cell Phone (Hbt) On An Ipad Or Ipad (Hnt) On Your Cell Phone On A Sim Card (For Kids) On The Ipad/Iph
. Femtocell: Femtostep to the Holy Grail... Ravishankar Borgaonkar, Kévin Redon.. Technische Universität Berlin, SecT ravii/kredon@sec.t-labs.tu-berlin.de TROOPERS 2011, 30 March 2011 3G/UMTS femtocells
More informationJuniper Solutions for Turnkey, Managed Cloud Services
Juniper Solutions for Turnkey, Managed Cloud Services Three use cases for hosting and colocation service providers looking to deliver massively scalable, highly differentiated cloud services. Challenge
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationSimplify SSL Certificate Management Across the Enterprise
WHITE PAPER White Paper Simplify SSL Certificate Management Across the Enterprise Simplify SSL Certificate Management Across the Enterprise Contents introduction 1 A Platform for Single-Point Control and
More informationBriskWave. Consulting. LTE Network Sharing. Some Operational & Management Aspects. BriskWave. Consulting
LTE Network Sharing Some Operational & Management Aspects Contact Info Name: Luc Samson Email: luc.samson@briskwave.com Cellular: + 514 502 6654 Skype: samsonluc Company: Briskwave Executive Summary 3GPP
More informationUsing Entrust certificates with VPN
Entrust Managed Services PKI Using Entrust certificates with VPN Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationProtecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems
Page 1 of 5 Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems In July the Payment Card Industry Security Standards Council (PCI SSC) published
More informationSession Border Controllers in the Cloud
Session Border Controllers in the Cloud Introduction Mobile Network Operators (MNOs), carriers and enterprises must virtualize Session Border Controllers (SBCs) and deploy them in the cloud to support
More informationWireless & Mobile. Working Group
Wireless & Mobile Working Group Table of Contents 1 Executive Summary... 3 2 Mission & Motivation... 3 3 Scope... 3 4 Goals & Non-Goals... 4 5 Deliverables... 5 6 Milestones... 6 7 Example Use Cases Summaries...
More informationMaximizing Operator Value from VoIP Services
WIRELESS 20/20 Maximizing Operator Value from VoIP Services Maximizing Operator Value from VoIP Services How cloud-based service delivery platforms are changing the game By Haig Sarkissian and Randall
More informationMoving Network Management from OnSite to SaaS. Key Challenges and How NMSaaS Helps Solve Them
Moving Network Management from OnSite to SaaS Key Challenges and How NMSaaS Helps Solve Them Executive Summary In areas such as sales force automation and customer relationship management, cloud-based
More informationOpen Data Center Alliance Usage: Provider Assurance Rev. 1.1
sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS
More informationKUDELSKI SECURITY DEFENSE. www.kudelskisecurity.com
KUDELSKI SECURITY DEFENSE Cyber Defense Center connection for remote information exchange with local monitoring consoles Satellite link Secure Data Sharing, a data-centric solution protecting documents
More informationA SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1
A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1 1 Royal Holloway, University of London 2 University of Strathclyde ABSTRACT Future mobile
More informationAddress C-level Cybersecurity issues to enable and secure Digital transformation
Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,
More informationThe New IP Networks: Time to Move From PoC to Revenue
White Paper The New IP Networks: Time to Move From PoC to Revenue Prepared by Roz Roseboro Senior Analyst, Heavy Reading www.heavyreading.com on behalf of www.brocade.com February 2015 Introduction The
More informationNFV: What Exactly Can Be Virtualized?
NFV: What Exactly Can Be Virtualized? Jim Hodges d Senior Analyst, Heavy Reading Agenda NFV Drivers ETSI NFV Use Cases Virtualization Criteria Applying the Criteria NFV Challenges Summary 2 NFV Adoption
More informationE-Guide. Sponsored By:
Security and WAN optimization: Getting the best of both worlds E-Guide As the number of people working outside primary office locations increases, the challenges surrounding security and optimization are
More informationConverged Private Networks. Supporting voice and business-critical applications across multiple sites
Converged Private Networks Supporting voice and business-critical applications across multiple sites Harness converged voice and high-speed data connectivity MPLS-based WAN solution that supports voice
More informationSage ERP I White Paper. ERP and the Cloud: What You Need to Know
I White Paper ERP and the Cloud: What You Need to Know Table of Contents Executive Summary... 3 Increased Interest in Cloud-Based ERP and SaaS Implementations... 3 What is Cloud/SaaS ERP?... 3 Why Interest
More informationADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT
ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations
More informationBusiness Case for Juniper Networks Virtualized Mobile Control Gateway
Business Case for Juniper Networks Virtualized Mobile Control Gateway Executive Summary Mobile traffic growth is exploding in response to the worldwide uptake in smartphone sales. At the same time new
More informationWhy Digital Certificates Are Essential for Managing Mobile Devices
WHITE PAPER: WHY CERTIFICATES ARE ESSENTIAL FOR MANAGING........... MOBILE....... DEVICES...................... Why Digital Certificates Are Essential for Managing Mobile Devices Who should read this paper
More informationSecurity Issues with Integrated Smart Buildings
Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern
More informationMobilize Your Corporate Content and Apps Enable Simple and Secure Mobile Collaboration for Business. www.maas360.com
Mobilize Your Corporate Content and Apps Enable Simple and Secure Mobile Collaboration for Business www.maas360.com Copyright 2014 Fiberlink, an IBM company. All rights reserved. Information in this document
More informationNorth American Electric Reliability Corporation (NERC) Cyber Security Standard
North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation
More informationSecuring an IP SAN. Application Brief
Securing an IP SAN Application Brief All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time.
More informationIPsec Deployment Strategies for Securing LTE Networks
White Paper IPsec Deployment Strategies for Securing LTE Networks Prepared by Patrick Donegan Senior Analyst, Heavy Reading www.heavyreading.com On behalf of www.radisys.com May 2011 TABLE OF CONTENTS
More informationIntroduction. About Image-X Enterprises. Overview of PKI Technology
Digital Signature x Introduction In recent years, use of digital or electronic signatures has rapidly increased in an effort to streamline all types of business transactions. There are two types of electronic
More informationA Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model
A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model Table of Contents Introduction 3 Deployment approaches 3 Overlay monitoring 3 Integrated monitoring 4 Hybrid
More informationVirtual Patching: a Proven Cost Savings Strategy
Virtual Patching: a Proven Cost Savings Strategy An Ogren Group Special Report December 2011 Executive Summary Security executives, pushing the limits of traditional labor-intensive IT patch processes
More informationCyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention
Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen 14th Annual Risk Management Convention New York, New York March 13, 2013 Today s Presentation 1)
More informationTHE VIRTUAL PROBE: ASSURANCE & MONITORING IN THE NFV/SDN ERA
THE VIRTUAL PROBE: ASSURANCE & MONITORING IN THE NFV/SDN ERA White paper December 2015 2 Amdocs service assurance and customer experience monitoring solution is designed for operators who are migrating
More informationRemote Access Security
Glen Doss Towson University Center for Applied Information Technology Remote Access Security I. Introduction Providing remote access to a network over the Internet has added an entirely new dimension to
More informationWhy self-signed certificates are much costlier and riskier than working with a trusted security vendor
The Hidden Costs of Self-Signed SSL Certificates Why self-signed certificates are much costlier and riskier than working with a trusted security vendor Introduction Even when business is booming, smart
More informationThe Benefits of SSL Content Inspection ABSTRACT
The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic
More informationSymantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape
WHITE PAPER: SYMANTEC GLOBAL INTELLIGENCE NETWORK 2.0.... ARCHITECTURE.................................... Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Who
More informationAchieving Business Agility Through An Agile Data Center
Achieving Business Agility Through An Agile Data Center Overview: Enable the Agile Data Center Business Agility Is Your End Goal In today s world, customers expect or even demand instant gratification
More informationDevelopment of the Nationwide Interoperable Public Safety Broadband Network Notice of Inquiry. Comments from ClearSky Technologies, Inc.
Department of Commerce National Telecommunications and Information Administration Docket No: 12098505-2505-01 Development of the Nationwide Interoperable Public Safety Broadband Network Notice of Inquiry
More informationMaking the Case for Open Source Controllers
White Paper Making the Case for Open Source Controllers Prepared by Roz Roseboro Senior Analyst, Heavy Reading www.heavyreading.com on behalf of www.brocade.com September 2014 Introduction Telcos face
More informationWhite Paper: Cloud Identity is Different. World Leading Directory Technology. Three approaches to identity management for cloud services
World Leading Directory Technology White Paper: Cloud Identity is Different Three approaches to identity management for cloud services Published: March 2015 ViewDS Identity Solutions A Changing Landscape
More informationCisco Remote Management Services for Financial Services
Cisco Remote Management Services for Financial Services The global financial services industry continues to evolve to adjust to a shifting market landscape and increased customer expectations. With demand
More informationLOG INTELLIGENCE FOR SECURITY AND COMPLIANCE
PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become
More informationCloud-Based Project Information Management from Aconex: A Guide for IT Professionals
Cloud-Based Project Information Management from Aconex: A Guide for IT Professionals Adopting an Aconex SaaS Solution It s the job of CIOs and IT managers to ensure that their organizations adopt secure
More informationClavister Small Cell Site Security Solution
clavister SolutionSeries Clavister Small Cell Site Security Distributed operator environment Clavister small cell site security solution SOLUTION AT-A-GLANCE Clavister Small Cell Security Gateway offers
More informationCellular Data Offload. And Extending Wi-Fi Coverage. With Devicescape Easy WiFi
Cellular Data Offload And Extending Wi-Fi Coverage With Devicescape Easy WiFi Case Study October 2010 List of Acronyms 3G Third Generation 4G Fourth Generation API Application Programming Interface AP
More informationPCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data
White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and
More informationPreparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE
More informationSymantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide
Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government
More informationIP-VPN Architecture and Implementation O. Satty Joshua 13 December 2001. Abstract
Abstract Virtual Private Networks (VPNs) are today becoming the most universal method for remote access. They enable Service Provider to take advantage of the power of the Internet by providing a private
More informationSecurity Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions
Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample
More informationPayment Transactions Security & Enforcement
Payment Transactions Security & Enforcement A REPORT FROM NEWNET COMMUNICATION TECHNOLOGIES, LLC Copyright NewNet Communication Technologies, LLC. 700 East Butterfield Road, Suite 350, Lombard, IL 60148
More informationBest Practices for Outdoor Wireless Security
Best Practices for Outdoor Wireless Security This paper describes security best practices for deploying an outdoor wireless LAN. This is standard body copy, style used is Body. Customers are encouraged
More informationGiganet Cloud Managed Security as a Service
Giganet Cloud Managed Security as a Service The Internet is so slow! Am I getting the right bandwidth?? These are common questions and issues familiar to ISPs and subscribers. ISPs and subscribers have
More information