GPRS Network Security


AT&T Wireless Services, Inc.
GPRS Network Security
Document Number Revision
Peter Rysavy, Primary Contributing Writer
Product Development
AT&T Wireless Services, Inc.
PO Box Redmond, WA

2002 AT&T Wireless Services, Inc.

Copyright Notice

This work is protected by the copyright laws of the United States and is the property of AT&T Wireless Services, Incorporated. Copying, reproduction, merger, translation, modification, or enhancement by anyone other than authorized employees or licensees of AT&T Wireless Services, without prior consent of AT&T Wireless Services, is prohibited. All trademarks or registered trademarks are the property of their respective owners.

For questions about this document, please contact: Bonnie Beeman, AT&T Wireless, PO Box Redmond, WA, (425)

2002 AT&T Wireless Services, Inc. AT&T Mobile Internet Security

GPRS Network Security

Contents

1. Introduction
The Need For Security
Defining and Implementing an Effective Security Policy
AWS GPRS Security Summary
AWS GPRS Network Architecture
Network Interfaces
Mobile Station to Network Interface
IP Address Management
IP versus PPP Service
IP Addresses
Internal Network Interfaces
AWS GPRS Network
Intercarrier Interface
External Network Interface
Naming (APNs) and Routing
Frame Relay Connections
AT&T Wireless Connectivity Option - Frame Relay
Internet Interface
Virtual Private Network (VPN) Discussion
Managed Internet Connection
Client VPN Solution
GSM/GPRS Mobile Internet Phone
Enhanced Data Rates for GSM Evolution (EDGE) ... 36
Appendix A: Data-Security Technologies and Standards ... 38
Appendix B: Acronym List

GPRS Network Security 2002 AT&T Wireless Services, Inc.

1. Introduction

This document provides a high-level description of the security considerations associated with using General Packet Radio Service (GPRS) from AT&T Wireless Services (AWS). It addresses security concerns and identifies standard and optional solutions to address customers' security needs. GPRS is a wireless packet-data service for Global System for Mobile Communications (GSM) cellular networks. AWS is deploying GSM and GPRS throughout its coverage areas. GPRS security mechanisms are based to a large extent on GSM security mechanisms, which have withstood the test of time and extremely widespread use involving hundreds of millions of users worldwide.

This document explains the security features of the AWS GPRS service and clarifies how these features would best augment a company's security policy to achieve a complete security solution. It is intended for users of wireless data services who may have concerns about the security of their data but who may not be familiar with the various security features, mechanisms and options of the AWS GPRS service. Most of the security mechanisms discussed in this paper will also apply to forthcoming wireless technologies from AWS such as Enhanced Data Rates for GSM Evolution (EDGE) and Universal Mobile Telephone System (UMTS).

The Need For Security

Many of the ways we communicate today are via relatively insecure channels. For instance, we regularly use non-secure phone lines for voice and modem communication. By contrast, the AWS GPRS service offers significant security features that resist attack by a passive airlink eavesdropper or a malicious network user.

Ensuring network security in the modern world is driven by the need to:

- Maintain the confidentiality and integrity of sensitive information in a distributed network environment
- Protect the identities and information communicated by customers
- Prevent attacks that deny the availability of services
- Prevent fraudulent use of services
- Provide necessary information to defense and law enforcement agencies

However, securing an organization or company's data network and its various interconnections presents a challenge. Adding remote access using a wireless network adds to the challenge, but this challenge can be accommodated through deployment of security technologies available today.

It should be noted that implementing a security policy requires careful analysis. An organization must understand the technological considerations of network security and must balance the cost of security measures against their potential benefits. While security measures prevent and/or reduce the risk of unauthorized access, security may also reduce productivity by creating additional processing and work overhead. Security measures may also create expensive administrative and educational overhead, as well as use significant computing resources that require dedicated hardware.

For corporate facilities, physical security is usually based on security guards, card-key entry systems, closed-circuit television, and off-limits areas. With these security measures in place, an organization can feel confident that within its physical facilities, assets are protected and high user productivity is maintained. To extend this physical security model into the virtual world of internal and external networking and Internet access, organizations must decide where to strike a balance between access, productivity, and security measures that may be perceived as restrictive by users of the organization's network.
The primary goal of a good security policy and design is to meet security requirements while adding as few restrictions as possible from the network user's perspective. It is of utmost importance for organizations to understand what they want to protect and what level of access is needed. For example, an organization may need strict protection on its accounting databases, but may need only limited protection on its internal mailing list. The important point is that any decision to invest in security systems must answer two questions:

- How valuable is the information that is being protected?
- What is the perceived level of threat to the information?

Extending a corporate security policy to include wireless data networks requires an understanding of the security features of the wireless data technology, as well as the security provided by the networks to which the wireless network provides access.

Defining and Implementing an Effective Security Policy

An effective security policy is best defined after thorough analysis of an organization's unique security issues. These security issues must be resolved in order to implement an effective security policy:

Know the company or organization's assets. An organization needs to understand what it wants to protect and what level of access is appropriate. An organization may discover that certain parts of the infrastructure can be left open because there is little cost involved if these parts are somehow compromised.

Balance the cost of security. Security costs must be in proportion to the actual dangers; otherwise, the cost could be unnecessarily burdensome to the entire organization. It is also important to understand how technological considerations relate to cost. For example, an organization may not have the capacity or resources to replace legacy systems that may not be supported by their original vendors. In this case, it may not be possible to implement new technical options such as encryption.

Identify security assumptions. It is inherently dangerous for an organization to assume that its network is not compromised, that intruders are not very knowledgeable, that they are using standard software, or that a locked room is safe. It is important to examine and justify assumptions; any hidden assumption is a potential security risk.

Allow for human factors. If security measures interfere with essential uses of the system, users will sometimes resist and even circumvent them. For example, because automatically generated "nonsense" passwords can be difficult to remember, users often write them on desktops, on the undersides of keyboards, or on other surfaces which can easily be seen by others, and in this way render a password protection measure self-defeating. In order to achieve compliance, users must understand and accept the need for security and, more importantly, security measures must be reasonable, allowing users to get their work done.

In order to detect security problems, an organization must understand how a system normally functions, how devices are normally used, and what typical behavior to expect. Detecting unusual behavior, tracking this behavior, and logging unusual events can help catch intruders before they can damage the system.

An organization must create barriers within its system so that if an intruder accesses one part of a system, they do not automatically have access to the rest of the system. Partitioning should be considered in order to provide as much protection as necessary for network components. Although maintaining a high level of security on the entire infrastructure is difficult, it is often possible to do so for smaller, sensitive components.

Almost any change made to a system can affect security. This is especially true when new services are created. System administrators, programmers, and users should consider the security implications of every potential system change. Understanding the security implications of a change takes practice; it requires lateral thinking and a willingness to explore every way that a service could potentially be manipulated. Another goal of a good security design and policy is to create an environment that is not susceptible to every minor system change.

It is not the intent of this document to be a complete tutorial on wireless security. Rather, it is intended as a guideline for identifying security considerations when using the AWS GPRS service. There are many good books and Internet-hosted sources of information on the subject of security. For reference, some general information on network security is provided in Appendix A: Data Security Technologies.

2. AWS GPRS Security Summary

The AWS GPRS service was designed with security in mind. It is based on GPRS technology, a data service for GSM networks. The GPRS security architecture is comprehensive, proven (since it is based on GSM technology) and does not suffer from the security shortcomings of some other wireless technologies. Not only does GPRS technology contain comprehensive security provisions, but AWS has augmented its network with additional security functions. The key benefits of these combined measures include:

- User identities are protected.
- Only legitimate mobile systems can connect to the network.
- All user data transmitted over the airlink is encrypted.
- Encryption keys between the mobile system and the GPRS network change each time the mobile system connects to the network. This means that even if an intruder were able to determine the key for one session, the key would be useless for subsequent sessions. In addition, the network can update the keys at periodic intervals.
- Customers' networks connected to the AT&T GPRS service by frame relay service are protected against attacks from the Internet. In addition, AWS offers a managed Internet connection that employs virtual private networking (VPN) technology to allow secure communications across the Internet.
- IP addresses, whether for mobile systems or fixed-end systems, are never transmitted "in the clear" (unencrypted) over the airlink, reducing the risk of attacks on both mobile and fixed-end systems.

The security aspects of the AWS GPRS service, as well as its connections to other networks, are summarized in the following sections entitled AWS GPRS Network Architecture and Network Interfaces. Subsequent sections of this document elaborate on select topics introduced in these summaries.

Customers should be aware that different releases of the GPRS specification incorporate different security features.
The current version of the AWS GPRS service is based on release 98 of the GPRS specification (3GPP Technical Specification V7.7.0). The network will be upgraded to a newer version of the GPRS specification over time, resulting in potential changes or enhancements to security features.

AWS GPRS Network Architecture

The AWS GPRS service consists of specific network components. To understand the security aspects of the network, it helps to understand the basic network components between which data transfer occurs. It is also important to consider how the AWS GPRS service connects to other networks, such as customer networks and the Internet, and how it interconnects with GPRS networks from other carriers. The primary elements of a GSM and GPRS network are shown in Figure 1.

[Figure 1: Components of a GPRS network. The figure shows Mobile Stations, the Base Transceiver Subsystem and Base Station Controller, the GSM network (Mobile Switching Center, Home Location Register and Visitors Location Register, carrying circuit-switched traffic to the Public Switched Telephone Network) and the GPRS addition (Serving GPRS Support Node and Gateway GPRS Support Node, carrying IP data to an external data network such as the Internet).]

The radio interface is between the mobile station and the Base Transceiver Subsystem (BTS). The BTS connects to a base station controller (BSC). The BSC separates voice and data traffic, with circuit-switched traffic directed to the Mobile Switching Center and packet-data traffic directed to the GPRS infrastructure. The Mobile Switching Center handles voice and circuit-switched data communications but does not play a role in GPRS security.

The two key elements of the GPRS infrastructure are the Serving GPRS Support Node and the Gateway GPRS Support Node. The functions of these elements and other GPRS network elements, along with their associated security functions, are described next.

Subscriber Identity Module: One important security mechanism is the SIM card. This is a small electronic card inserted into the mobile station that contains the user's identification information. A user cannot gain access to network services (voice and data) without a valid SIM card.

Mobile Station (MS): This is the wireless computing device used to connect to the GPRS network. Examples of an MS include a GSM/GPRS mobile Internet phone, a notebook computer connected to a GPRS modem, or a PDA with a GPRS modem. The network authenticates the GPRS device (e.g. modem) against credentials stored in the subscriber identity module (SIM) card. The network can also optionally request a password from a user. All user data communicated between the MS and SGSN is encrypted. Since an MS can potentially be stolen, it is best to employ a security solution that does not rely solely on the MS hardware. For any sensitive information that can be accessed by applications on the MS, the user should be required to provide a password or to use a hardware token. Note also that the GSM/GPRS mobile Internet phone service employs an architecture with separate security protocols. These protocols are detailed in the section entitled GSM/GPRS Mobile Internet Phone.

Base Transceiver Subsystem and Base Station Controller: These elements manage the radio interface, including the control of which MS has access to the radio channel at what time. These elements essentially relay messages between the MS and SGSN, and do not play a role in GPRS security.

Serving GPRS Support Node: The SGSN manages communications with an MS, sending and receiving data and keeping track of its location. The SGSN is the equivalent of the Mobile Switching Center for data functions. The SGSN obtains subscriber information from the Home Location Register (HLR), such as what services are available to the particular subscriber. The SGSN registers the MS, authenticates the MS, and encrypts data sent to the MS.

Gateway GPRS Support Node: The GGSN is the gateway to external networks such as the Internet or private customer networks. The GGSN assigns IP addresses, and can also authenticate users acting as a RADIUS client. If private IP addresses are used, a server at the GGSN location performs the translation from private IP address to public IP address. Firewalls located at the GGSN restrict unauthorized traffic.

Home Location Register: The HLR contains a database of permanent user subscription information for both voice and data services. It also contains dynamic information about active users (e.g. the current SGSN serving a particular MS). The HLR stores the necessary information to authenticate an MS.

Visitors Location Register (VLR): The VLR contains a database of subscription data for users of one (the typical case) or more MSCs. The VLR is used to manage roaming and provides more detailed mobility information on active users within an MSC administrative area.

Fixed End System (F-ES): This element is the traditional external data application system or internal network that supports and services application systems. By definition, its location is fixed. An F-ES can be one of many stationary computing devices, such as a workstation or host computer. The customer maintains the F-ES, and its security is the customer's responsibility.
In connecting the F-ES to the AWS GPRS service, the customer must ensure that they have an effective security policy, and that appropriate firewalls have been put in place. As discussed in the section "External Network Interface", even when using a frame relay PVC to connect to the AWS GPRS service, IP traffic originating from any GPRS MS can reach the F-ES, whether or not the IP traffic belongs to the particular customer.

Firewall: This element is responsible for controlling inbound and outbound network traffic. See Figure 2. Note that the implementation of the firewall is independent of the GPRS specification and will vary depending on the GPRS service provider. The firewall function at the GPRS network is usually contained within or at the GGSN. A firewall implemented within the customer's network operates independently of the firewalls in the AWS GPRS service and therefore is the customer's complete responsibility.

Border Gateway: This element is the interface to an intercarrier network. See Figure 2. Its principal purpose is security. It restricts traffic between carriers to legitimate traffic only, e.g. authentication of roaming users, user data and exchange of billing records.

External Data Network: This element is the external networking solution that covers a wide geographical area and provides a connection between an F-ES and the AWS GPRS service. The most common WAN connection for the AWS GPRS service is a frame relay circuit or the Internet. Security considerations are quite different for frame relay and Internet connections. These differing security considerations are described in the section "External Network Interface".

Network Interfaces

To further understand the security features of the AWS GPRS service, we must next examine the key interfaces of the overall network. Refer to Figure 1 above and Figure 2 below. Note that we explore many of these topics in greater detail in subsequent sections.

[Figure 2: GPRS Network Interfaces. The figure shows two GPRS providers, each with BTS, BSC, SGSNs, a private IP network and a GGSN with firewall, joined through Border Gateways over an intercarrier GPRS backbone. It marks the security levels and interfaces discussed below: application level security and user level security at the users and mobile stations, the MS to network interface, the internal interfaces, the intercarrier interface, and the external interfaces to private intranets and the Internet. BG: Border Gateway; BTS: Base Transceiver Subsystem; BSC: Base Station Controller; GGSN: Gateway GPRS Support Node; SGSN: Serving GPRS Support Node.]

The summaries of the most important interfaces with respect to security are as follows:

User Level Security: For a user to gain access to the GPRS network, the user must have a SIM card for their GPRS device. SIM cards can be further protected by requiring a user to enter a personal identification number (PIN). If the user enters an incorrect PIN more than three times, further attempts are blocked until the user enters a special code that can only be obtained from the AWS customer care department. Note that AWS supplies GSM/GPRS equipment with the PIN function disabled; however, the customer can re-enable it. Beyond these measures, customers can further enhance security to protect against lost or stolen mobile equipment with mechanisms such as hardware tokens or passwords at the application level.

MS to Network Interface: This is an important interface as it includes the radio interface. When an MS first connects to the network, the SGSN initiates an authentication process in which the subscriber's secret key contained in the SIM card is checked using a challenge-response mechanism against information stored in the network. Following authentication, the MS and SGSN engage in an exchange that determines an encryption key. (Note that encryption is referred to as ciphering in GPRS technical documents.) This key is different for every data session, and is never transmitted over the air. From that point forward, data communications between the MS and SGSN are encrypted. This interface is described in more detail in the section Mobile Station to Network Interface.

GPRS Internal Network Interfaces: Communications between GPRS elements occur over private networks, and AWS takes reasonable precautions to protect these networks against unauthorized traffic, eavesdropping and denial of service. Portions of the network, such as user data communications between the SGSN and GGSN, may even be encrypted. However, customers should not rely on internal security measures of the network to protect the confidentiality of their data. For any sensitive data, customers are advised to add their own security provisions. This interface is described in the section Internal Network Interfaces.

Intercarrier Interface: This is the interface at the Border Gateway between the AWS GPRS service and other service providers, such as other cellular-telephone companies providing GPRS service with whom AWS has roaming agreements. These include companies such as Cingular Wireless and T-Mobile. In some cases, GPRS carriers are linked through a GPRS roaming exchange, a network that links multiple carriers together. The Border Gateway performs a firewall function restricting traffic to authorized communications. Other security functions may be present, but customers should employ their own security provisions for sensitive data. This interface is described in the section Internal Network Interfaces.
External Interface: This is the interface between the AWS GPRS service and the networks that connect to the customer network where the F-ES resides. The F-ES is part of the customer's network, and its security is the responsibility of the customer. The most common network connections are via a frame relay permanent virtual circuit (PVC) or via the Internet. AWS has specific service offerings for both frame relay and the Internet. Some security is provided by the firewall function at the GGSN in the AWS GPRS service, but customers should not necessarily rely solely on this firewall. This interface is described in more detail in the section External Network Interface.

3. Mobile Station to Network Interface

This section discusses the security mechanisms between the mobile station and the AT&T GPRS network. These mechanisms include authentication of the mobile station, key derivation, and encryption.

Customers should also note that unlike other wireless technologies (e.g. wireless LANs), where an intruder can easily monitor radio communications using commercial subscriber equipment, eavesdropping on a GSM/GPRS radio signal requires sophisticated equipment. This is due in part to the way GSM networks divide communications into time slots.

During operation, the GPRS network first authenticates the user using a challenge-response mechanism. This GPRS authentication mechanism is similar to GSM voice service authentication, except that it is conducted by the SGSN (responsible for packet-data service) instead of the MSC (responsible for circuit-switched services such as voice). The SGSN sends a random 128-bit number (the challenge) to the MS, which computes a 32-bit response based on this number and its secret subscriber authentication key (called the Ki key, which is stored in the SIM card) using a GSM algorithm called A3. The SGSN does the same calculation and matches the response from the MS with its own calculated value; if they are the same, the MS is successfully authenticated and allowed to engage in further communications with the network. The SGSN obtains the secret subscriber key and random number from the HLR associated with the MS. This challenge-response mechanism avoids transmitting the secret subscriber key over the radio interface.

Once an MS has been authenticated, the next step is to produce an encryption key.
This 64-bit key is calculated by both the MS and the network by applying a key-generating algorithm called A8 to the random number previously used for authentication and the secret subscriber key. Once the encryption key is derived, communication between the MS and the GPRS network is encrypted using an algorithm called GPRS-A5, a modified version of the A5 algorithm used within GSM networks for voice communication. GPRS-A5 is optimized for packet-data communications.

The protocol level that handles encryption is called the Logical Link Control (LLC) layer. LLC operates between the MS and SGSN at layer 2 of the network reference model. See Figure 3. Both signaling (control) information and user data are processed by the LLC layer, and so the network keeps both user data and control information, such as a user's location, confidential.

The GPRS process of authentication and encryption differs from that of CDPD networks. With GPRS, authentication precedes derivation of the encryption key, whereas with CDPD, derivation of the encryption key precedes authentication.

Once a user has a GPRS session (referred to as a packet data protocol context) activated, the network protects the confidentiality not only of the user's IP data but also of their SMS messages. SMS messages are delivered via the SGSN using the LLC protocol layer, and so are also encrypted.

[Figure 3: GPRS Protocols. The figure shows the protocol stacks of the Mobile Station (IP, SNDCP, LLC, RLC, MAC, GSM RF), the Base Station Subsystem (RLC, MAC and GSM RF relayed to BSSGP over Frame Relay), the Serving GPRS Support Node (SNDCP and LLC over BSSGP and Frame Relay, relayed to GTP over TCP/UDP and IP) and the Gateway GPRS Support Node (IP over GTP, TCP/UDP and IP, with Layer 2 and Layer 1 below). Communications are marked as encrypted between the MS and the SGSN. SNDCP: Subnetwork Dependent Convergence Protocol; LLC: Logical Link Control; RLC: Radio Link Control; MAC: Medium Access Control; GSM RF: GSM Radio Frequency Layer; BSSGP: Base Station Subsystem GPRS Protocol; GTP: GPRS Tunnel Protocol.]

To further enhance security, the network can re-authenticate an MS, and also derive a new encryption key, at periodic intervals. The operator controls how often this happens based on current security needs. Neither the secret subscriber key nor the encryption key is ever transmitted over the radio link. All that is transmitted is the 128-bit random number, which by itself is useless to an eavesdropper. At the MS, both the authentication response and the encryption key are computed within the SIM card, which physically restricts access to its contents. Details of the A3, A8 and GPRS-A5 algorithms are deliberately not made publicly available to further increase the security of GSM and GPRS networks.

Even before encryption begins, the network protects a user's identity by assigning a temporary user identification. The user's actual International Mobile Subscriber Identity (IMSI), which identifies the user account, and any information allowing somebody to derive the IMSI easily, are not normally communicated over the air in clear text. This protects users from eavesdroppers who might identify a user's account information or location prior to the start of encryption.
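The challenge-response and key-derivation exchange described above, as an added example that is not code from the AT&T document or from any GSM implementation: HMAC-SHA256 stands in for the secret A3 and A8 algorithms (an assumption), and the IMSI, Ki and RAND values are constructed. The simulation shows that only the 128-bit RAND and the 32-bit response cross the air, that a device without the right Ki is rejected, and that a re-authentication yields a different Kc on both sides.

```python
import hashlib
import hmac
import os

RAND_BYTES = 16   # 128-bit random challenge sent over the air
SRES_BYTES = 4    # 32-bit signed response returned by the MS
KC_BYTES = 8      # 64-bit ciphering key derived on both sides


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the secret A3 algorithm (assumption): 32-bit SRES from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_BYTES]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the secret A8 algorithm (assumption): 64-bit Kc from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_BYTES]


class SIM:
    """Holds Ki and runs A3/A8 inside the card; Ki itself is never handed out."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)


class MS:
    """Mobile station: answers the challenge and keeps the session key Kc."""

    def __init__(self, sim: SIM):
        self.sim = sim
        self.kc = None

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = self.sim.run_gsm_algorithm(rand)
        return sres


class HLR:
    """Subscriber database: Ki per IMSI, plus a fresh RAND for each authentication."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes):
        self._ki[imsi] = ki

    def auth_data(self, imsi: str):
        # As the text describes it, the SGSN obtains Ki and the random number from the HLR.
        return os.urandom(RAND_BYTES), self._ki[imsi]


class SGSN:
    """Runs the challenge-response and stores the per-session Kc on success."""

    def __init__(self, hlr: HLR):
        self.hlr = hlr
        self.kc = {}

    def authenticate(self, ms: MS, claimed_imsi: str):
        """Returns (authenticated, air): air lists every message sent over the radio link."""
        rand, ki = self.hlr.auth_data(claimed_imsi)
        air = [("SGSN->MS", rand)]                 # the challenge
        sres = ms.respond(rand)
        air.append(("MS->SGSN", sres))             # the 32-bit response
        if not hmac.compare_digest(sres, a3(ki, rand)):
            return False, air                      # wrong Ki: no session, no key
        self.kc[claimed_imsi] = a8(ki, rand)       # derived locally, never transmitted
        return True, air


def run_demo() -> dict:
    """Constructed scenario: a legitimate MS, an MS that knows only the IMSI, and a re-authentication."""
    imsi = "310380000000001"                       # constructed sample IMSI
    ki = os.urandom(16)                            # 128-bit Ki shared by SIM and HLR only
    hlr = HLR()
    hlr.provision(imsi, ki)
    sgsn = SGSN(hlr)
    legit = MS(SIM(imsi, ki))
    ok1, air1 = sgsn.authenticate(legit, imsi)
    kc1 = sgsn.kc.get(imsi)
    wrong_ki = MS(SIM(imsi, os.urandom(16)))       # same IMSI, but not the provisioned Ki
    ok_wrong, air_wrong = sgsn.authenticate(wrong_ki, imsi)
    ok2, air2 = sgsn.authenticate(legit, imsi)     # periodic re-authentication: new RAND, new Kc
    kc2 = sgsn.kc.get(imsi)
    on_air = b"".join(m for _, m in air1 + air_wrong + air2)
    return {
        "legit_authenticated": ok1 and ok2,
        "wrong_ki_authenticated": ok_wrong,
        "keys_agree": kc2 == legit.kc,
        "session_keys_differ": kc1 != kc2,
        "ki_on_air": ki in on_air,
        "kc_on_air": kc2 in on_air,
    }
```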

There is one additional level of authentication that can optionally be invoked between the MS and the GPRS network. The network can request that the user enter a password. The network forwards the password to the GGSN which, acting as a Remote Authentication Dial-In User Service (RADIUS) client, submits the password for authentication to a RADIUS server. This form of authentication is available for customers using either GPRS IP or PPP services.

Customers should be aware that the MS does not explicitly authenticate the GPRS service. But the fact that the network can calculate the A8 encryption key, indicating knowledge of the Ki key, does provide a level of indirect authentication.

4. IP Address Management

Before examining other aspects of the AWS GPRS service, it is important to have an understanding of how the network manages IP addresses, as this has security implications. There are two items to consider. One is the difference between IP and PPP service. The other is how the network manages IP addresses.

IP versus PPP Service

Most customers use an IP-based service. This means that the AWS GPRS service assigns an IP address to an MS, and then transports IP datagrams between the GGSN and the MS, with the GGSN acting as a gateway to external networks. In this case, the network manages how IP datagrams are routed to users and with which external networks an MS can communicate. This is explained further in the next section, IP Addresses.

An alternate form of service is PPP service, where instead of transporting IP datagrams, the network transports PPP frames between the MS and GGSN. The purpose of the PPP service is either to allow the customer to manage their own IP addresses, or to allow the customer to use other networking protocols such as Novell IPX or AppleTalk.

The GGSN can terminate the PPP connection, or can extend it using tunneling protocols such as Layer 2 Tunneling Protocol (L2TP) to external networks, including customer networks. In such a case the PPP connection would terminate in a customer network. Using L2TP, the GGSN is the L2TP Access Concentrator (LAC) and the customer premise equipment is the L2TP Network Server (LNS). The LNS is likely to be supplied by AWS. See Figure 4.

[Figure 4: PPP Service with L2TP Connection to Customer Site. The figure shows the protocol stacks for PPP service: PPP over SNDCP, LLC, RLC, MAC and GSM RF at the Mobile Station; the Base Station Subsystem relaying RLC, MAC and GSM RF to BSSGP over Frame Relay; the Serving GPRS Support Node relaying SNDCP and LLC over BSSGP to GTP over TCP/UDP and IP; and the Gateway GPRS Support Node relaying PPP from GTP over TCP/UDP and IP into L2TP over IP towards the customer site. Communications are marked as encrypted between the MS and the SGSN. PPP: Point to Point Protocol; SNDCP: Subnetwork Dependent Convergence Protocol; LLC: Logical Link Control; RLC: Radio Link Control; MAC: Medium Access Control; GSM RF: GSM Radio Frequency Layer; BSSGP: Base Station Subsystem GPRS Protocol; GTP: GPRS Tunnel Protocol; L2TP: Layer 2 Tunneling Protocol.]

If using IP protocols in conjunction with the PPP service, the customer network is responsible for assigning an IP address to the MS as part of establishing the PPP link. The customer also has the option of authenticating the user using the Challenge Authentication Protocol (CHAP) or Password Authentication Protocol (PAP), as both authentication protocols are options with PPP.

The PPP service is relatively secure as it limits user data communications to the exchange of PPP frames with the customer network. Any communication between the MS and the Internet has to be via the customer's network. In addition, the L2TP protocol itself has security features, including data encryption.

As for specifying the type of service (IP vs. PPP), a customer must first order the appropriate service. For establishing connections, the Access Point Name (APN) used determines the type of service. When an MS requests data service (by establishing a packet data protocol context), it specifies the APN it wishes to use.

4.2. IP Addresses

The following discussion applies to IP service, and not to the PPP service discussed in the prior section. AWS offers three types of IP addresses: public, private and customer supplied.

Public means that the network assigns the MS a temporary IP address from a pool of public IP addresses owned by AWS. These addresses remain the same for user IP datagrams both inside and outside the AWS GPRS service. In contrast, with a private IP address (as defined by Internet RFC 1918), the AWS network assigns the MS a temporary private IP address that it translates to a public IP address at a server residing between the GGSN and the external network.

There are two types of proxy servers and two address translation servers used in the GPRS network. One proxy server is the WAP gateway, which is used to support WAP browsers, primarily in handsets. Another proxy function is performed by the Optimization Server, which provides proxy services as part of its compression function for web traffic and a variety of other common Internet-based applications like FTP. A Network Address Translation (NAT) Server provides private-to-public address translation and a few other services. NAT services support many common VPN tunnels and nearly all common Internet services. A Network Address and Port Translation (NAPT) server, which is optionally paired with the Optimization Server, is used to provide highly efficient address utilization for a subset of common Internet services and applications (primarily HTTP). With NAPT, multiple mobile stations share the same public IP address. What differentiates the mobile stations is their port numbers. Contact AT&T Wireless Services Customer Care at for the currently supported applications. Internet RFC 3022 describes NAPT functionality.

Public addresses may be better suited for some applications, such as certain virtual private networking software (e.g. IPSec) that embeds the client IP address in the data payload.

The GPRS specification allows for both fixed and dynamic IP addresses. However, the American Registry for Internet Numbers (ARIN), which is the IPv4 address assignment authority, no longer allows static IP addresses for wireless data services. AWS currently only offers dynamically assigned IP addresses. This means customers cannot employ firewalls that filter incoming traffic based on the static IP address of the MS unless using customer-supplied addresses (discussed at the end of this section).

If the customer is using a public IP address, the customer's MS is more vulnerable to attack from the Internet. For this reason, customers should disable any services (e.g. file sharing) on the MS and should consider personal firewall software. Note however that if a customer has obtained a fixed-end connection (either the Frame Relay or the Managed Internet option) from AWS, a service option is to disable routing of traffic between the MS and the Internet. This does not prevent communication to the Internet via the customer network, but such communication is then under the customer's control. This security option is also available for private IP addresses.

For private addresses, AWS uses the network. If the customer is using a private IP address, the customer's MS is less vulnerable to attack from the Internet. The NAPT Server scans incoming data addressed to an MS and only allows the traffic when the source address and port (UDP or TCP) number match previously sent outgoing data. This means any communication must be initiated by the MS. The network only allows IP traffic associated with specific applications, determined by the port numbers used. A similar process occurs with the proxy servers (WAP and Optimization Server).
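The address- and port-restricted admission check just described, as an added example that is neither AWS code nor part of the original document: a small Python model of a NAPT server in which several mobile stations with constructed RFC 1918 addresses share one constructed public address, outbound flows to an assumed set of permitted application ports create mappings, and an inbound packet is delivered only when it comes from the exact peer address and port an MS itself contacted.

```python
"""Model of the stateful NAPT filtering described above (added example, not
AWS code).  Constructed values: the shared public address, the RFC 1918 MS
addresses, the peer addresses, and the allowed destination ports (HTTP is the
application the page names; the exact set here is an assumption)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "198.51.100.10"          # constructed: address shared by all MSs
ALLOWED_DST_PORTS = {80, 443}        # assumption: permitted application ports


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


FlowKey = Tuple[str, str, int, str, int]


class NaptServer:
    """Address- and port-restricted NAPT: a mapping is created only by
    MS-originated traffic and only admits replies from the exact peer."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # (proto, public_port) -> (ms_ip, ms_port, peer_ip, peer_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self._by_flow: Dict[FlowKey, int] = {}  # reuse mapping for repeat packets

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """MS -> Internet.  Returns the translated packet, or None if the
        application (destination port) is not one the service permits."""
        if pkt.dst_port not in ALLOWED_DST_PORTS:
            return None
        key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self._by_flow.get(key)
        if pub_port is None:
            pub_port = self._next_port
            self._next_port += 1
            self._by_flow[key] = pub_port
            self.table[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port,
                                                 pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> MS.  Admitted only when the source address *and* port
        match the peer that the MS previously contacted; otherwise dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited: no MS opened this mapping
        ms_ip, ms_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # mapping exists, but this is a different sender
        return Packet(pkt.src_ip, pkt.src_port, ms_ip, ms_port, pkt.proto)


def demo() -> Dict[str, Optional[Packet]]:
    """Run the constructed scenario and return each decision by name."""
    napt = NaptServer()
    web = "203.0.113.7"  # constructed: a web server the MSs talk to
    # Two MSs pick the same private source port; NAPT must keep them apart.
    out_a = napt.outbound(Packet("10.0.0.5", 51000, web, 80))
    out_b = napt.outbound(Packet("10.0.0.6", 51000, web, 80))
    return {
        "out_a": out_a,
        "out_b": out_b,
        # legitimate reply from the server the MS contacted
        "reply_a": napt.inbound(Packet(web, 80, PUBLIC_IP, out_a.src_port)),
        # same public port, but from a host the MS never contacted
        "other_host": napt.inbound(Packet("192.0.2.99", 80, PUBLIC_IP, out_a.src_port)),
        # right host, wrong source port
        "other_port": napt.inbound(Packet(web, 8080, PUBLIC_IP, out_a.src_port)),
        # unsolicited inbound to a port with no mapping at all
        "unsolicited": napt.inbound(Packet(web, 80, PUBLIC_IP, 40999)),
        # application not in the permitted set never leaves the network
        "telnet_out": napt.outbound(Packet("10.0.0.5", 52000, web, 23)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {'forwarded ' + str(result) if result else 'dropped'}")
```

The model does not cover the NAT server (which the page says supports VPN tunnels and nearly all Internet services) or the proxy servers, only the NAPT path.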

The net result is that it is more difficult, but not impossible, for attackers to target an MS, since their traffic is more likely to be blocked than with a public IP address. Nevertheless, customers are still advised to disable services such as file sharing on the MS and to consider personal firewall software. Also, the WAP, NAT or NAPT servers do not protect against unauthorized traffic when an MS has previously been compromised and has unauthorized (e.g. virus or worm) software resident.

With customer-supplied addresses, AWS uses a block of IP addresses from the customer for assignment to the customer's mobile stations. This requires prior arrangement with AWS, and the addresses must be valid public IP addresses. AWS does not advertise these addresses to the Internet. This approach requires that the customer connect their network to the AWS GPRS service using either a frame-relay or a managed Internet connection. The benefit of this approach is that customers can filter incoming traffic from mobile stations based on their IP address.

5. Internal Network Interfaces

This section briefly examines the interfaces of the AWS GPRS service and their security functions. These include the portions controlled by AWS and the interface to other GPRS service providers.

5.1. AWS GPRS Network

AWS makes security a high priority, and employs various mechanisms beyond those specified in the GPRS specifications to protect customer data, customer networks, customer mobile stations and its own network. As discussed in the prior section, Mobile Station to Network Interface, GPRS technology provides for authentication and encryption between the MS and SGSN. See Figure 1 and Figure 2. Since the SGSN is geographically centralized to cover regional service areas, user data is protected over these large areas. Private circuits are used to connect base station controllers to the SGSN.

Communication between the SGSN and GGSN occurs over an IP network. User data is tunneled between these nodes using the GPRS Tunneling Protocol (GTP). See Figure 3. GTP does not provide any security mechanisms. Instead, some security is provided by the underlying IP network being a private network. Other nodes such as the HLR, which contains subscriber information, are protected by only being accessible through SS7 signaling networks, which are not publicly accessible.

AWS also maintains firewalls that restrict unauthorized traffic in its connections to other networks, such as customer networks, the Internet, and other carriers. Any customer traffic directed at GPRS network elements is discarded. Although the network employs various means of protecting against unauthorized traffic and eavesdropping, customers with sensitive applications should employ security measures of their own.

5.2. Intercarrier Interface

Inter-service provider (i.e., intercarrier) security is of concern when an MS travels to a different carrier's GPRS network and attempts to access the AWS GPRS service. What are the security implications of an MS operating in this fashion and of the wide-area connection between carriers?

First, GPRS carriers must have roaming agreements in place for data service. Second, GPRS carriers must have their networks interconnected, either through direct links or via an interconnecting network sometimes referred to as a GPRS Roaming Exchange (GRX). See Figure 2. The node that interfaces to the GRX or other carriers is called the Border Gateway, whose principal function is to block unauthorized traffic. The type of traffic that is allowed includes user data communications (carried by the GTP Tunnel Protocol), domain name service queries, routing protocols (e.g. Border Gateway Protocol) and signaling protocols. However, customers should not make any security assumptions about the privacy of their data when intercarrier connections are involved, as multiple entities are involved and this portion of the network is likely to change over time.

When an MS is operating in a visited carrier's GPRS network, the SGSN in the visited carrier's network serving area authenticates the MS using the same mechanisms as discussed in the section, Mobile Station to Network Interface. The difference is that the visited carrier's HLR does not contain the subscription information, and so the SGSN obtains this information from the HLR in the subscriber's home network. This process is similar to when a voice subscriber roams into a different carrier's network. Once authenticated, communications are encrypted between the MS and the SGSN as previously discussed.

In the situation where an AWS GPRS service customer is operating in another carrier's area, the PDP context that is activated is between the MS and the home network GGSN. In other words, the customer uses their existing access point names (APNs). The result is that the IP address allocated to the customer will be from the same pool as if they were in their home carrier's network. All data to and from the MS will be routed via the home network GGSN, and any security provisions (e.g. whether or not data can be routed to/from the Internet) will apply. In addition, all of the customer's services (e.g. NAPT, NAT, Optimization Server, WAP Gateway, Portal) will remain accessible. The advantage of this approach is that a user has a consistent experience with the same security provisions regardless of where they obtain GPRS service. In the future, it might be possible to access other APNs (such as direct Internet service via the visited carrier). This may have security implications that customers will need to consider.

Customers should also be aware that to obtain GPRS service from a carrier in a different area (e.g. overseas), they can obtain service directly from that carrier. This will involve getting a SIM card from that carrier for their equipment. Once using that SIM card, all security functions will be handled by that carrier, and their subscription to the AT&T Mobile Internet Service (along with any of their security provisions and fixed-end connections) will not be in effect.

6. External Network Interface

This section describes the security aspects of the interface between the AWS GPRS service and external data networks. It is through the external network interface that customers connect their networks to the AWS GPRS service. The three principal types of connections are frame relay connections, managed Internet connections and normal Internet connections. See Figure 2 and Figure 5. The difference between the two types of Internet connections is that with the managed Internet connection, AWS provides a virtual private network service to secure communications between the AWS GPRS service and the customer network. This service is called the Wireless Connectivity Option Managed Internet Service (WCO Managed Internet Service). With normal Internet connections, user data is routed across the Internet and any additional security is the customer's responsibility.

Figure 5: Different types of External Network Connections (the AT&T GPRS Network connected to Customer A, B and C Networks via the AT&T Frame Relay Network, a VPN Tunnel and the Internet)

Frame relay connections can be obtained directly from AT&T Wireless Services or from other frame-relay service providers. The AT&T service is called Wireless Connectivity Option Frame Relay (WCO Frame Relay). The following sections discuss the security aspects of the three types of connections, including a general discussion of VPN technology. First we briefly discuss naming and routing.

6.1. Naming (APNs) and Routing

Within a GPRS network, an external network with which the MS can communicate is referred to by an Access Point Name (APN). When establishing a data session (Packet Data Protocol context), the MS specifies an APN. The APNs available to an MS are part of the subscription profile.

The APN also determines certain routing options. One option, if the customer is using either a frame relay connection or a WCO Managed Internet connection, is whether or not the MS can communicate with the Internet. If Internet communication is not allowed, then packets addressed from the Internet to the MS or sent to the Internet from the MS are discarded at the GGSN. The only exception is packets associated with the managed Internet connection itself (a VPN tunnel). A customer specifies this security option at the time they order service. Customers should also be aware that any MS operating in the AWS GPRS network can send IP packets to any customer site connected via frame relay or a managed Internet connection. Finally, routing rules in the AWS GPRS service prevent an MS from communicating with another MS.

6.2. Frame Relay Connections

Frame relay connections are considered the most secure external network connection as they employ links (called permanent virtual circuits or PVCs) that are relatively private. The AWS GPRS service connects to a variety of external networks, including those operated by frame relay network providers, as shown in Figure 5.

Frame relay is a packet-oriented communication method used to connect computer systems. The frame relay network is often called a fast-packet switching network. Tasks such as error checking, packet sequencing, and packet acknowledgment are handled by the end systems involved in transmission rather than by the network itself. This allows the frame relay network to operate at much higher speeds than older packet-switched networks such as X.25.

Frame relay provides an increased level of security when compared to the public Internet. Frame relay PVCs are almost like leased lines between the customer's premises and AWS. Frame relay networks are operated by service providers in such a way that there is neither any open access to individual PVCs, nor any access between one PVC and another, even if they share the same physical circuit. Firewalls in the AWS GPRS service prevent data communications between the Internet and any customer frame-relay PVC. Firewalls and physically separate networks also prevent any MS or customer frame relay connection from reaching GPRS infrastructure equipment.

Customers can obtain frame-relay connections from a variety of providers, including AT&T Wireless. The AT&T Wireless frame-relay service is called AT&T Wireless Connectivity Option - Frame Relay and is discussed in more detail in the next section.

6.3. AT&T Wireless Connectivity Option - Frame Relay

Customers can purchase frame relay service from AWS for their fixed-end connection. There are many advantages to obtaining service from AWS, including a single service provider for both wireless and fixed-end connections, faster time to provision, faster time to resolve any problems and a highly dependable network. A frame-relay connection requires a private line from a customer's router to the AT&T Frame Relay Network. A local exchange carrier usually provides this line. See Figure 6.

Figure 6: WCO Frame Relay Connection (customer LAN, router and CSU/DSU reaching an AT&T Frame Relay Network switch over an LEC-provided private line; a PVC across the frame relay network to the AWS frame relay T1 port, router and CSU/DSU; AWS network access in Bothell, WA and/or Allen, TX)
1. Network Access: A digital local loop LEC connection to the AT&T Frame Relay switch. Either a 56kbps or T1 connection.
2. Port: A physical connection to a switch in the AT&T Frame Relay network. Fully subscribed speeds of 56kbps to 1.544Mbps.
3. PVC: A logical connection between ports with a guaranteed minimum performance, or CIR.

6.4. Internet Interface

The AWS GPRS service has a routed connection to the Internet, as shown in Figure 2. One can think of the GPRS network as a wireless extension of the Internet. As such, the AWS GPRS service can route traffic between an MS and an Internet host. An Internet host can be any Internet-reachable system, whether an Internet Web server, a File Transfer Protocol (FTP) site, or a private corporate system.

6.5. Virtual Private Network (VPN) Discussion

A virtual private network is a method to ensure private transmissions over public networks. A VPN establishes a secure tunnel between its endpoints. Each endpoint authenticates the other endpoint, forwards traffic to authorized services, and encrypts and decrypts communications. A VPN typically encrypts the IP packet (or other network layer protocol), adds a special header and encapsulates all this information in a new IP packet. There are a number of off-the-shelf solutions that allow an organization to implement a VPN. A VPN approach is particularly effective when connecting to a fixed-end system via the Internet. With a frame relay fixed-end connection, there is less need to employ VPN technology.
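The per-APN routing rules described in Naming (APNs) and Routing above, as an added example that is not AWS code or part of the original document: a Python model of the GGSN decision for one packet, with constructed APN names, a constructed MS address pool, constructed customer-site prefixes and an assumed pair of tunnel endpoint addresses standing in for the managed Internet connection's VPN tunnel.

```python
"""Model of the per-APN routing rules described in Naming (APNs) and Routing
(added example, not AWS code).  All names, prefixes and addresses are
constructed; treating the VPN tunnel as a fixed endpoint pair is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MS_POOL = ipaddress.ip_network("10.0.0.0/16")              # constructed MS pool
AWS_VPN_ENDPOINT = ipaddress.ip_address("198.51.100.1")    # assumed GGSN-side tunnel end


@dataclass(frozen=True)
class Apn:
    name: str
    customer_net: Optional[ipaddress.IPv4Network]          # fixed-end site, if any
    internet_allowed: bool                                  # option ordered with the service
    vpn_gateway: Optional[ipaddress.IPv4Address] = None    # customer end of managed tunnel


APNS: Dict[str, Apn] = {
    # frame relay customer with Internet routing disabled
    "custa.fr": Apn("custa.fr", ipaddress.ip_network("172.16.0.0/16"), False),
    # managed Internet customer with Internet routing disabled and a tunnel to its gateway
    "custb.managed": Apn("custb.managed", ipaddress.ip_network("172.17.0.0/16"), False,
                         ipaddress.ip_address("203.0.113.50")),
    # plain Internet access
    "internet": Apn("internet", None, True),
}

# Every fixed-end customer site is reachable from every MS, whatever its APN.
CUSTOMER_SITES: List[ipaddress.IPv4Network] = [
    a.customer_net for a in APNS.values() if a.customer_net is not None
]


def route(apn_name: str, src: str, dst: str) -> str:
    """Return the GGSN decision for one packet as 'forward:<why>' or 'drop:<why>'."""
    apn = APNS[apn_name]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # 1. The managed Internet connection's own tunnel packets are the one exception.
    if apn.vpn_gateway is not None and {src_ip, dst_ip} == {AWS_VPN_ENDPOINT, apn.vpn_gateway}:
        return "forward:vpn-tunnel"
    # 2. An MS may never communicate with another MS.
    if src_ip in MS_POOL and dst_ip in MS_POOL:
        return "drop:ms-to-ms"
    # 3. Fixed-end customer sites are reachable from any MS on the network.
    peer = dst_ip if src_ip in MS_POOL else src_ip
    if any(peer in site for site in CUSTOMER_SITES):
        return "forward:customer-site"
    # 4. Everything else is Internet traffic, discarded when the APN forbids it.
    if not apn.internet_allowed:
        return "drop:internet-disabled"
    return "forward:internet"


if __name__ == "__main__":
    for apn, s, d in [("custa.fr", "10.0.1.5", "172.16.3.9"),
                      ("custa.fr", "10.0.1.5", "192.0.2.44"),
                      ("custa.fr", "192.0.2.44", "10.0.1.5"),
                      ("internet", "10.0.1.5", "192.0.2.44"),
                      ("internet", "10.0.1.5", "10.0.2.7"),
                      ("internet", "10.0.1.5", "172.17.8.8"),
                      ("custb.managed", "198.51.100.1", "203.0.113.50")]:
        print(f"{apn:14s} {s:>15s} -> {d:<15s} {route(apn, s, d)}")
```

The sixth case shows the caveat the section states: an MS on the plain Internet APN still reaches a customer's fixed-end site, so the site's own firewall must filter mobile traffic.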


More information

GSM GPRS. Course requirements: Understanding Telecommunications book by Ericsson (Part D PLMN) + supporting material (= these slides)

GSM GPRS. Course requirements: Understanding Telecommunications book by Ericsson (Part D PLMN) + supporting material (= these slides) GSM Example of a PLMN (Public Land Mobile Network) At present most successful cellular mobile system (over 200 million subscribers worldwide) Digital (2 nd Generation) cellular mobile system operating

More information

How To Understand The Gsm And Mts Mobile Network Evolution

How To Understand The Gsm And Mts Mobile Network Evolution Mobile Network Evolution Part 1 GSM and UMTS GSM Cell layout Architecture Call setup Mobility management Security GPRS Architecture Protocols QoS EDGE UMTS Architecture Integrated Communication Systems

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

Firewall Architecture

Firewall Architecture NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT

More information

The next generation of knowledge and expertise Wireless Security Basics

The next generation of knowledge and expertise Wireless Security Basics The next generation of knowledge and expertise Wireless Security Basics HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com

More information

Protocol Security Where?

Protocol Security Where? IPsec: AH and ESP 1 Protocol Security Where? Application layer: (+) easy access to user credentials, extend without waiting for OS vendor, understand data; (-) design again and again; e.g., PGP, ssh, Kerberos

More information

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express

More information

Jarkko Kuisma jikuisma@cc.hut.fi

Jarkko Kuisma jikuisma@cc.hut.fi Jarkko Kuisma jikuisma@cc.hut.fi 1 Roaming the ability for a cellular customer to automatically make & receive voice calls, send & receive data, or access other services when travelling outside the geographical

More information

2G Cellular Data Networks

2G Cellular Data Networks 1 2 General Mobility Issues 2G Cellular Data Networks Registration and Authentication User Locate local service provider access point Obtain network access Service provider Locate mobile user within network

More information

Chapter 5. Data Communication And Internet Technology

Chapter 5. Data Communication And Internet Technology Chapter 5 Data Communication And Internet Technology Purpose Understand the fundamental networking concepts Agenda Network Concepts Communication Protocol TCP/IP-OSI Architecture Network Types LAN WAN

More information

Wireless VPN White Paper. WIALAN Technologies, Inc. http://www.wialan.com

Wireless VPN White Paper. WIALAN Technologies, Inc. http://www.wialan.com Wireless VPN White Paper WIALAN Technologies, Inc. http://www.wialan.com 2014 WIALAN Technologies, Inc. all rights reserved. All company and product names are registered trademarks of their owners. Abstract

More information

UMTS security. Helsinki University of Technology S-38.153 Security of Communication Protocols k-p.perttula@hut.fi 15.4.2003

UMTS security. Helsinki University of Technology S-38.153 Security of Communication Protocols k-p.perttula@hut.fi 15.4.2003 UMTS security Helsinki University of Technology S-38.153 Security of Communication Protocols k-p.perttula@hut.fi 15.4.2003 Contents UMTS Security objectives Problems with GSM security UMTS security mechanisms

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Secure Use of the New NHS Network (N3): Good Practice Guidelines

Secure Use of the New NHS Network (N3): Good Practice Guidelines Programme NPFIT Document Record ID Key Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0003.01 Prog. Director Mark Ferrar Status Approved Owner Tim Davis Version 1.0 Author Phil Benn Version

More information

Mobile Application Part protocol implementation in OPNET

Mobile Application Part protocol implementation in OPNET Mobile Application Part protocol implementation in OPNET Vladimir Vukadinovic and Ljiljana Trajkovic School of Engineering Science Simon Fraser University Vancouver, BC, Canada E-mail: {vladimir, ljilja}@cs.sfu.ca

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies Kerio Technologies. All Rights Reserved. Printing Date: August 15, 2007 This guide provides detailed description on configuration of the local network which

More information

WHITE PAPER. Mobility Services Platform (MSP) Using MSP in Wide Area Networks (Carriers)

WHITE PAPER. Mobility Services Platform (MSP) Using MSP in Wide Area Networks (Carriers) WHITE PAPER Mobility Services Platform (MSP) Using MSP in Wide Area Networks (Carriers) Table of Contents About This Document... 1 Chapter 1 Wireless Data Technologies... 2 Wireless Data Technology Overview...

More information

Sierra Wireless AirCard Watcher Help for Mac OS X

Sierra Wireless AirCard Watcher Help for Mac OS X Sierra Wireless AirCard Watcher Help for Mac OS X Sierra Wireless AirCard Watcher allows you to manage and monitor the connection between your modem and the network. With Watcher, you can: Determine signal

More information

Remote Access Security

Remote Access Security Glen Doss Towson University Center for Applied Information Technology Remote Access Security I. Introduction Providing remote access to a network over the Internet has added an entirely new dimension to

More information

High Performance VPN Solutions Over Satellite Networks

High Performance VPN Solutions Over Satellite Networks High Performance VPN Solutions Over Satellite Networks Enhanced Packet Handling Both Accelerates And Encrypts High-Delay Satellite Circuits Characteristics of Satellite Networks? Satellite Networks have

More information

Security Measures and Weaknesses of the GPRS Security Architecture

Security Measures and Weaknesses of the GPRS Security Architecture Security Measures and Weaknesses of the GPRS Security Architecture Christos Xenakis Security Group, Communication Networks Laboratory, Department of Informatics & Telecommunications, University of Athens,

More information

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc. Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources

More information

Computer Networking Networks

Computer Networking Networks Page 1 of 8 Computer Networking Networks 9.1 Local area network A local area network (LAN) is a network that connects computers and devices in a limited geographical area such as a home, school, office

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

Advanced Higher Computing. Computer Networks. Homework Sheets

Advanced Higher Computing. Computer Networks. Homework Sheets Advanced Higher Computing Computer Networks Homework Sheets Topic : Network Protocols and Standards. Name the organisation responsible for setting international standards and explain why network standards

More information

Introduction to WAN Technologies

Introduction to WAN Technologies CHAPTER 3 Chapter Goals Become familiar with WAN terminology. Learn about different types of WAN connections. Become familiar with different types of WAN equipment. This chapter introduces the various

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a traditional NAT? Un article de Le wiki des TPs RSM. Load Balancing Un article de Le wiki des TPs RSM. PC Final Network Exam Sommaire 1 LSNAT 1.1 Deployement of LSNAT in a globally unique address space (LS-NAT) 1.2 Operation of LSNAT in conjunction with

More information

GPRS / 3G Services: VPN solutions supported

GPRS / 3G Services: VPN solutions supported GPRS / 3G Services: VPN solutions supported GPRS / 3G VPN soluti An O2 White Paper An O2 White Paper Contents Page No. 3 4-6 4 5 6 6 7-10 7-8 9 9 9 10 11-14 11-12 13 13 13 14 15 16 Chapter No. 1. Executive

More information

ITL BULLETIN FOR JANUARY 2011

ITL BULLETIN FOR JANUARY 2011 ITL BULLETIN FOR JANUARY 2011 INTERNET PROTOCOL VERSION 6 (IPv6): NIST GUIDELINES HELP ORGANIZATIONS MANAGE THE SECURE DEPLOYMENT OF THE NEW NETWORK PROTOCOL Shirley Radack, Editor Computer Security Division

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

SFWR 4C03: Computer Networks & Computer Security Jan 3-7, 2005. Lecturer: Kartik Krishnan Lecture 1-3

SFWR 4C03: Computer Networks & Computer Security Jan 3-7, 2005. Lecturer: Kartik Krishnan Lecture 1-3 SFWR 4C03: Computer Networks & Computer Security Jan 3-7, 2005 Lecturer: Kartik Krishnan Lecture 1-3 Communications and Computer Networks The fundamental purpose of a communication network is the exchange

More information

Common Remote Service Platform (crsp) Security Concept

Common Remote Service Platform (crsp) Security Concept Siemens Remote Support Services Common Remote Service Platform (crsp) Security Concept White Paper April 2013 1 Contents Siemens AG, Sector Industry, Industry Automation, Automation Systems This entry

More information

Link Layer and Network Layer Security for Wireless Networks

Link Layer and Network Layer Security for Wireless Networks Link Layer and Network Layer Security for Wireless Networks Interlink Networks, Inc. May 15, 2003 1 LINK LAYER AND NETWORK LAYER SECURITY FOR WIRELESS NETWORKS... 3 Abstract... 3 1. INTRODUCTION... 3 2.

More information

Security Considerations for DirectAccess Deployments. Whitepaper

Security Considerations for DirectAccess Deployments. Whitepaper Security Considerations for DirectAccess Deployments Whitepaper February 2015 This white paper discusses security planning for DirectAccess deployment. Introduction DirectAccess represents a paradigm shift

More information

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...

More information

GSM and UMTS security

GSM and UMTS security 2007 Levente Buttyán Why is security more of a concern in wireless? no inherent physical protection physical connections between devices are replaced by logical associations sending and receiving messages

More information

Internet, Part 2. 1) Session Initiating Protocol (SIP) 2) Quality of Service (QoS) support. 3) Mobility aspects (terminal vs. personal mobility)

Internet, Part 2. 1) Session Initiating Protocol (SIP) 2) Quality of Service (QoS) support. 3) Mobility aspects (terminal vs. personal mobility) Internet, Part 2 1) Session Initiating Protocol (SIP) 2) Quality of Service (QoS) support 3) Mobility aspects (terminal vs. personal mobility) 4) Mobile IP Session Initiation Protocol (SIP) SIP is a protocol

More information

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-toend security utilizing a robust architecture designed by

More information

UCLA Policy 401 Minimum Security Standards for Network Devices

UCLA Policy 401 Minimum Security Standards for Network Devices UCLA Policy 401 Minimum Security Standards for Network Devices Issuing Officer: Associate Vice Chancellor, Information Technology Responsible Dept: Office of Information Technology Effective Date: November

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security Chapter 12 Network Security Security Policy Life Cycle A method for the development of a comprehensive network security policy is known as the security policy development life cycle (SPDLC). Network Security

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

Securing SIP Trunks APPLICATION NOTE. www.sipera.com

Securing SIP Trunks APPLICATION NOTE. www.sipera.com APPLICATION NOTE Securing SIP Trunks SIP Trunks are offered by Internet Telephony Service Providers (ITSPs) to connect an enterprise s IP PBX to the traditional Public Switched Telephone Network (PSTN)

More information

An Oracle White Paper December 2013. The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks

An Oracle White Paper December 2013. The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks An Oracle White Paper December 2013 The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks Introduction Today s mobile networks are no longer limited to voice calls. With

More information

Authentication and Security in IP based Multi Hop Networks

Authentication and Security in IP based Multi Hop Networks 7TH WWRF MEETING IN EINDHOVEN, THE NETHERLANDS 3RD - 4TH DECEMBER 2002 1 Authentication and Security in IP based Multi Hop Networks Frank Fitzek, Andreas Köpsel, Patrick Seeling Abstract Network security

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information