Mobile Network Security

Transcription

1 A key component of Ericsson s Evolved IP Network solution Technology paper This document outlines the need for effective network security in response to increasing perceived threats, recent publicized security breaches, and user requirements based upon the use of mobile devices in all aspects of daily life. The paper describes Ericsson s approach to network security in general, and then discusses the additional security measures proposed to meet increasing demands faced when network operators plan their evolutions to LTE, LTE-Advanced and 5G. Information is presented from the perspective of Ericsson as a mobile broadband infrastructure and services provider, an end-to-end solution integrator and a dedicated standards body contributor and support 6/ FGB Rev A

2 1 Introduction We are living in a period of rapid social and industrial change, driven by advances in communications, mobility, new business models and social networking applications. Some organizations encourage employees to use their own mobile devices for business purposes as well as personal communications. The same social networking applications are used for commercial advantage and personal communications. An ever-increasing amount of personal and business data is held and processed in the cloud. Working practices are increasingly flexible and dynamic with employees, contractors, outsourced resources and customers often collaborating on the same projects, and often communicating as friends away from work. The results are obvious in terms of increased connectivity, faster response times, increased productivity and competitiveness. There is however, no longer a clear distinction in time, location or activity between people s personal and professional communications, and this poses potential security and privacy risks. Ericsson is committed to developing and deploying the products, solutions and services to fulfill the demands of the Networked Society, driven by technology advances and the inevitability of an ever-more closely connected world. Meanwhile Ericsson is equally committed to the security and privacy of network operators networks and services, as well as end-user data - whether stored or in transit. In networking terms, security measures have necessarily increased as mobile standards and operators networks have moved to IP transport, which provides great benefits in terms of convergence, efficiency and flexibility, but at the same time has increased accessibility. Now as the industry prepares for and undertakes a migration to Long Term Evolution (LTE), LTE-Advanced and 5 th Generation ( 5G ) mobile networks, connectivity moves into a new realm with the Internet of Things, served by new generations of access technologies such as small cells, many of which will be deployed in public spaces and connected over untrusted networks. Network security must therefore keep pace, foresee potential risks, and act on the basis of knowledge gained from new threats and attacks experienced in networks connecting billions of users. This paper describes Ericsson s approach to network security, and how security is built into the Evolved IP Network solution. It also addresses operators concerns regarding safeguarding their networks from unauthorized access, and describes the use of the IP Security protocol suite, commonly referred to as IPsec. This provides secure communications by encrypting IP packets in transit to and from the radio access network. 2 Ericsson s Role in Network Security Ericsson sees itself as a leading vendor of secure networks and security-related services. Security is constantly being evaluated from a vendor perspective, a managed network provider perspective, and naturally from a user s perspective too. 6/ FGB Rev A Ericsson AB (13)

3 Security is not something that you do once and forget, it is something that has to evolve with the constantly changing environment, it needs to adapt to embrace new technology and respond to new threats. As well as the competency gained from designing and deploying secure networks, Ericsson gains hands-on security skills and early awareness of threats by supporting networks that connect more than 2.5 billion subscribers and managing networks serving 1 billion subscribers worldwide. Ericsson gains real-world experience from security incident response teams. Threat mitigation requirements are fed directly back into product design, and best practice is shared between the many elements of Ericsson s product portfolio, while of course maintaining strict customer confidentialities. With one of the largest research and development organizations in the information and communications technology industry, Ericsson Research conducts security-specific research covering radio access, cloud technologies, IP and transport, real-time media and services. It participates in international standards bodies and cooperates with academic researchers. Ericsson Research also develops architectures, and securityspecific solutions and prototypes for future platforms, networks, services and software. Collectively, these activities allow Ericsson to defend against cyber attacks and develop new security services. Ericsson s Network Security Competence Center has been active since 1996 and contributes expertise to all parts of Ericsson. The center s activities include providing security consulting services for customers and running the Product Security Incident Response Team. 3 Technology Primer 3.1 General security approach The general security approach employed in Ericsson networks and consultancy services advocates multi-layered protection, with each successive layer providing a greater degree of protection. The first (outer) layer defies less sophisticated security attacks and the final (innermost) layer protecting against the most sophisticated attacks. To assume that all security attacks are external, would be an oversimplification however, and incorrect. Networks are increasingly complex, inter-connected and accessible. It s therefore correspondingly more difficult to maintain an outer perimeter. Insider threats comprise a sizeable proportion of actual incidents, although numbers are uncertain and vary between organizations. Defense in depth means using perimeter protection to apply selected security measures at appropriate places in the network. At the outer perimeter, access control plays the main role. Basic packet filtering and rate limiting combine to reduce a large amount of unsolicited traffic and denial of service ( DoS ) flooding-attacks before packets can enter the next security perimeter of the network. Defense against internal attacks depends upon the security afforded by the inner layers. 6/ FGB Rev A Ericsson AB (13)

4 First Defense Perimeter: Router-based Security Protection Site Routers in Ericsson Evolved IP Network solution deployments may be configured with a packet filter policy based on a deny-all approach. This permits only the ingress of packets that are permissible user traffic and those needed for fault-free operation of the receiving network. The Site Router can provide DoS protection for the connected network using rate limiting to prevent performance-impacting overload of the network and its services. Second Defense Perimeter: Firewall-based Security Protection Firewalls provide further access control through the use of firewall filter policies, following the same principles as the EIN Site Routers. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) stateful inspection are used to lower the number of policies required. GPRS Tunneling Protocol (GTP) inspection is used to inspect traffic destined for other peer networks via the Global Roaming Exchange (GRX). Firewalls provide reconnaissance deterrence, DoS attack protection, deep packet inspection, and intrusion detection and prevention options. Deep packet inspection supports both stateful signatures and protocol anomalies. All these measures must be explicitly configured. The increasing use of encryption requires firewalls to additionally implement heuristics-based techniques to identify and act upon malicious traffic flows. Third Defense Perimeter: Host Security Protection Hosts such as network devices including packet gateways or application nodes, for example, may provide further access control measures. For Operations and Maintenance, access control is mandatory, using identification, authentication and authorization mechanisms. Some hosts may support more sophisticated means of protection, often referred to as node hardening. This includes measures such as Interior Border Gateway Protocol (IGP) and Border Gateway Protocol (BGP) authentication, applying access control lists, closing unwanted or unused ports in applications and clients, and using a secure protocol like Secure Shell (SSH) instead of Telnet for configuration and management, for example. 6/ FGB Rev A Ericsson AB (13)

5 3.2 The need for IPsec in the RAN The introduction of 3 rd Generation Partnership Program (3GPP) LTE networks marked a significant change in the evolution of mobile broadband networks from the preceding Wideband Code Division Multiple Access (WCDMA or 3G ) standards. A new flat architecture was introduced with a reduced number, and different types of nodes defined for use in the data plane, and IP transport used throughout. In LTE networks, the enodeb base stations are connected directly to the core network, with most control procedures being contained within the LTE enodeb, instead of running between enodebs and the core network and thereby placing latency-related demands on the backhaul. Encrypted (by standard) Non- Encrypted (by standard) S1 enodeb SAPC SASN X2 RAN Core Evolved Packet Core EPG S1 IMS SGSN -MME enodeb As a consequence of the pervasive use of IP, all network nodes, servers and devices are now addressable. This means that they are therefore accessible and hold the potential to be attacked, or to become hijacked and become the source of a subsequent attack launched from the operator s network. Although the air interface to each enodeb is encrypted by 3GPP specification, there is only a recommendation to use encryption on the transport layer between each enodeb and the core network. The IP Security protocol suite (IPsec) has now been introduced into many network operators backhaul networks, providing both encryption and authentication. This requires the introduction of a Security Gateway (SeGW) application device to terminate IPsec tunnels generated from each enodeb. This may take the form of a standalone or virtualized device, or it may co-reside with other applications, such as Evolved Packet Gateway (EPG), in a multi-application device. The introduction of IPsec will introduce some delay due to the encryption and decryption processes, and the overall delay must be taken into account while planning networks for specific services. 6/ FGB Rev A Ericsson AB (13)

6 3.3 Evolution to LTE Advanced As the industry moves to support more heterogeneous networks using a combination of macro, micro and pico base stations, an increasing number of network operators are therefore using small cells (including micro and pico cells) to extend their reach and provide access to spaces previously not profitable to access using larger and more expensive macro radio base stations. Many key features required to successfully deliver small cells in heterogeneous networks are included in 3GPP Release 11 and following releases. Mindful of the potential security risks faced by radio base stations (RBSs) installed in public places, Ericsson has made significant steps to secure both macro and small cell nodes and thus the rest of the operator s network. These steps include software validation, whereby the hardware platform will only execute known good software through the use of a trust anchor which only accepts software signed with Ericsson certificates. Hardware ports are by default disabled once a connected device is removed, to prevent potential attacks on disused but enabled ports. Small cell nodes will be placed in public locations and are therefore more liable to be accessed and tampered with, providing a possibility for malicious attacks. In this way an access node can become untrusted even though it s connected to a trusted network. Malicious Attacker PCRF MME S-GW Attack Untrusted Network SeGW Evolved Packet Core Trusted Network P-GW HSS IPWorks OSS Conversely, a trusted node such as a macro RBS can be connected to the rest of the network by an untrusted access network such as internet-grade transport. The end results are similar in terms of produced untrusted scenarios and both require specific security measures to address the risks posed. Independently of the move to LTE-Advanced and small cells, macro RBSs connected using trusted backhaul are also seeing increased demands for security. This is due to tightened demands from corporate policy, increased regulation from country regulators, and in general from the increased criticality of mobile network applications and the role that mobile broadband services play in people s personal and working lives. 6/ FGB Rev A Ericsson AB (13)

7 A Security Gateway (SeGW) can therefore be deployed by the network operator at the perimeter of the trusted core network providing secure connectivity to the RBS in the untrusted network using the IPsec protocol. This protects the trusted network from malicious attack by a person connected to the trusted network, as they have no visibility or access to, or beyond, the SeGW device. 3.4 High availability All subscriber traffic passes through the Security Gateway in an operator s network so it s important, from a service availability and security point of view, to make sure that the gateway has high availability. Hardware redundancy protects against a single equipment failure. Duplicated Security Gateways, either co-located or geographically distributed can provide progressively higher levels of availability. When Security Gateway pairs are physically separated, the Inter-Chassis Redundancy (ICR) protocol aligns the state between the two Security Gateways and allows each to effectively back up the other immediately if one should fail, without a loss of state ICR ICR ICR Security Gateway Security Gateway VRRP Security Gateway Security Gateway Security Gateway Security Gateway BGP L3 MC-LAG L3 MC- LAG L2 Geo-redundant Co-located Co-located The BGP, Virtual Router Redundancy Protocol (VRRP) and Multi-Chassis Link Aggregation Group (MC-LAG) protocols are used depending upon the type of physical redundancy (co-location, geo-redundant) used. Although not strictly considered as a high availability measure, an enodeb can be configured for Dead Peer Detection (DPD) which, under Internet Key Exchange (IKE) peer failure conditions, will cause an automatic failover to a secondary security gateway if a primary gateway fails. As the traffic disruption encountered using DPD typically lasts for up to approximately 40 seconds, the acceptability of this solution will depend upon service level requirements. 6/ FGB Rev A Ericsson AB (13)

8 3.5 Firewall use and placement Taking a holistic view of the entire mobile transport network and client nodes permits network operators to apply sufficient security measures, with optimal network placement. This contrasts favorably with an approach that secures each part of the network in isolation. The holistic approach, used within the Ericsson Evolved IP Network solution, provides effective network security and is frequently more costeffective. The most common location for firewall placement is on the Gn or S1 interfaces (connecting the operator s own backhaul network), the Gp interface (connecting a roaming partner s network) or the Gi/SGi interfaces (connecting the network operator s core network to external networks). Given the rapid rise in network traffic, the performance of the firewall becomes a potential bottle neck in any network. It s therefore vital to ensure high availability in both the security node itself and the connected network architecture. Similarly, the firewall s backplane capacity and scalability needs to be sufficient to meet the needs of the future. The Gi/SGi firewall faces the internet where all traffic must use public IP address. For this reason it s common for this firewall to use Network Address Translation (NAT) features, so the number of NAT User Sessions supported can be an important factor in firewall selection. In other cases, it can be preferred to keep the two functions separate, so they can scale independently, for example. Placement of other firewalls in an operator s network should be dependent upon a threat analysis which will include an evaluation of the operator s security policies and risk profile, as well as details of the physical network and transmission used. The results of the analysis will include identification of potential security risks, relative prioritization and recommend appropriate security measures. Ericsson professional services can undertake this analysis. 6/ FGB Rev A Ericsson AB (13)

9 Ericsson sees the firewall function being deployed in several different areas of the mobile operator s network. A firewall function is a logical entity representing a firewall that is specific to a dedicated function, and not necessarily an individual physical firewall device. The following functions are often logically associated with each other in the EIN solution and represented as one firewall: The O&M firewall function protects the O&M network from the Network Operation Center. The Charging firewall function separates the charging network from the signaling network, the Operations and Management (O&M) network, and business support (enterprise) networks. It also provides IPsec functionality toward business support networks if needed. The IP Interconnect firewall is the next logical firewall with three firewall functions: The Packet Switched (PS) Roaming firewall function, separating the PS Core network from Roaming Partners and Roaming Exchanges. It also provides IPsec functionality toward Roaming Exchanges over the internet. The Inter-Operator Signaling Transport (SIGTRAN) firewall function, separating the Signaling Network from other operator s signaling Networks. It also provides IPsec functionality for SIGTRAN traffic if needed. The Session Initiation Protocol (SIP) Interworking firewall function. This provides optional IPsec functionality for SIP traffic. The third firewall protects the operator s network from attacks emanating from access networks over the backhaul network. It s particularly important given the growing popularity of small cells using the public internet for backhaul. 6/ FGB Rev A Ericsson AB (13)

10 4 Products and Use Cases 4.1 Product portfolio Ericsson Radio System family including RBS 6000 Modular system architecture is designed to evolve smoothly to 5G with multistandard, multi-band and multi-layer technology. It reduces site acquisition issues, with dramatic gains in capacity density and energy efficiency. The system will address growing mobile data needs, expected to reach 25 exabytes per month by 2020, when 5G is expected to be commercialized. Comprises a broad range of new products including macro and small cells, antenna systems, IP transport, microwave nodes, rails and other site equipment for indoor and outdoor applications. RBS 6000 supports IPsec and auto-integration on LTE, WCDMA and SIU/TCU/BasebandT products. Ericsson SSR 8000 family and Smart Services Card Ericsson SSR 8000 family of Smart Services Routers provides operators with a highly scalable, consolidated platform that offers services for both fixed and mobile network infrastructure. SSR hosts multiple applications including Evolved Packet Gateway (EPG), Security Gateway (SeGW), IP/MPLS Site Router, Wi-Fi Mobility Gateway (WMG), Broadband Network Gateway (BNG) and Carrier Grade Network Address Translation (CG-NAT). SSC1-v2 card based on x86 technology hosts Security Gateway application. SSR can host multiple SSC1-v2 cards, each supporting up to 8000 tunnels and up to 15G throughput. Maximum aggregate throughput is calculated as combined downstream and upstream throughputs across all tunnels, and is determined by the choice of algorithms and packet size. RBS Auto Integration - requires IKEv2-CP (IRAS) and PKI certificates supporting up to RSA 4096 key length. 6/ FGB Rev A Ericsson AB (13)

11 Ericsson Router 6000 family Works with Ericsson Radio System to deliver unprecedented routing capacity, reduced latency and QoS capabilities, and effectively couples radio and IP transport for the 5G future. The Router 6000 series is part of a comprehensive suite of router platforms running one network operating system (Ericsson IP Operating System IPOS), from cell-site routers to edge, core and data centers. Router 6000 offers high capacity radio-integrated IP transport for mobile backhaul and metro access applications. It also combines with Ericsson Network Manager to provide unified management and control of a network operator s radio and transport network. The routers offer optimized support for LTE Advanced, 5G and M2M applications. Distributed Security Gateway with in-line IPsec processing. RBS Auto Integration - requires IKEv2-CP (IRAS) and PKI certificates supporting up to RSA 4096 key length. Ericsson Virtual Router The Ericsson Virtual Router helps service providers speed up new service introduction at a reduced cost. It s a truly modular virtual router designed around a cloud-based architecture. It runs on Intel x86-based servers, which provides operators with hardware platform flexibility and the ability to deploy a variety of virtualized applications. The modular architecture seamlessly scales beyond the limitations of a single x86 socket or server. Virtual Backplane Designed for critical carrier applications, it features control and data plane resiliency and industry-leading scale and resiliency. Easy to deploy and integrate into existing networks. The virtual router uses Ericsson s field-proven, fault-tolerant, 64-bit IP Operating System, in common with Ericsson s router portfolio and is managed by a common management framework. 4.2 Smart Services Router as RAN Security Gateway The following use case shows how the Ericsson Smart Services Router can be deployed as a Security Gateway, providing IPsec-based secure access from radio base stations (RBSs) and small cells toward the core network. IPsec becomes crucial when either the network to which a node connects is not trusted, or if the node itself is placed at an insecure location and can be tampered with. 6/ FGB Rev A Ericsson AB (13)

12 With this solution, two IPsec tunnels are created from an RBS to a Security Gateway in order to create secure communications between the RAN and the operator s core network. The IPsec tunnels are created as part of a process called RBS Auto Integration. This process uses secure auto provisioning to simplify and automate the equipment deployment process, and reduce the associated costs. This coupled with tight integration with Ericsson s Operation and Support System Radio and Core (OSS- RC) particularly simplifies the task of adding small cells which is very relevant given the expected scale of many deployments. When establishing IPsec tunnels for RAN access, it s imperative to securely authenticate remote RBS nodes and avoid rogue attempts to masquerade as known and trusted entities. With IPsec, the authentication of the remote node is achieved using certificates. The use of certificates demands an extra infrastructure called Key Infrastructure (PKI), to manage the certificates in a trustworthy manner. All IPsec tunnels terminate at the SeGW, thereby ensuring that all RBS traffic must traverse this secure node before reaching the core network. The IPsec tunnels can be configured and supported in different combinations that map particular data streams to unique IPsec tunnels. The configuration shown in the diagram above maps RAN traffic for onward delivery to the operator s core network, and O&M traffic to the OSS nodes and PKI. Ericsson s Smart Services Router provides a hardware platform for the Security Gateway and the SSR family s multi-application capability means that it can fulfill the IP/MPLS Site Router and Evolved Packet Gateway functions too. The Security Gateway application in this case is hosted on SSR Smart Services Cards ( SSC1-v2 ) which has been verified with RBS 6000 macro, micro and pico products. Other SeGW platforms are also available, depending upon the network operator s specific application, and supported by Ericsson. Ericsson s OSS-RC supports full PKI/CA infrastructure as well as all the regular functions associated with network management of radio and core networks. The Ericsson IPWorks Remote Authentication Dial In User System (RADIUS) server provides inner IP address allocation. 6/ FGB Rev A Ericsson AB (13)

13 5 Summary Individuals, businesses and society in general must be able to trust that networks are reliable, and that the information carried over them is secure. Network security is a fundamental requirement for communication networks and the pressure to further secure networks is increasing as a result of changes in the way we use and trust mobile devices for so many aspects of our daily lives and business. Ericsson views security as a continuous process starting with initial network design and integration. It s not something to do once and then forget, or perhaps defer thinking that security breaches only affect the most obvious of targets. Security must evolve as part of a changing environment, both in terms of technology developments, and threats posed. The introduction of all-ip mobile broadband networks, LTE Advanced and then 5G all deliver new levels of performance and possible applications, but they increase the need for additional security measures. Ericsson s scale helps with delivering secure products and services. This scale is measured in terms of the size, geographical and technology diversity, and multivendor composition of the networks Ericsson supports and manages. Collectively this scale means that Ericsson is able to discover and monitor new and emerging threats to security around the world, and apply this knowledge to new and existing products and preventative services.. The Evolved IP Network provides comprehensive IP infrastructure connecting all parts of a mobile broadband network from base stations and small cells to external networks such as the internet, peering networks and enterprises. EIN provides operators with tested and verified holistic solutions for all aspects of service delivery including QoS, high availability, synchronization and security, for example. EIN includes all aspects of the IPsec implementation described within this paper and complies with Ericsson s general security approach also described herein. The EIN solution has been independently tested and verified by the European Advanced Networking Test Center (EANTC), including the IPsec solution based upon the Ericsson Smart Services Router and RBS products. The report issued by EANTC is publicly available for download. 6/ FGB Rev A Ericsson AB (13)