Securing Next Generation Mobile Networks


White Paper, October 2010

Overview

As IP based telecom networks are deployed, new security threats facing operators are inevitable. This paper reviews the new mobile access paradigms, examines the security challenges, and outlines the technical requirements for a new generation of security gateways.

Contents
Executive Summary (pg. 2)
Growing Mobile Demand (pg. 2)
Expanding Mobile Network Capacity (pg. 2)
Securing Mobile Network Backhaul (pg. 3)
Network Security Technology Requirements (pg. 3)
LTE Security Gateway Solution (pg. 4)
Conclusion (pg. 5)
Glossary (pg. 6)
References (pg. 6)

Executive Summary

Exploding data traffic on mobile networks is creating congestion and putting unprecedented pressure on network operators to meet nearly insatiable data demand. Most major worldwide mobile operators have announced plans to migrate their networks to Long Term Evolution (LTE), an all-IP network that will increase broadband capacity to support up to ten times higher data rates and enable an abundance of new mobile applications. In the near term, many operators are also considering alternative wireless offload solutions, which route both voice and data traffic over the public Internet to relieve network congestion and improve coverage.

In both situations, operators are exposed to the security threats and challenges already familiar to enterprise IP networks. As cyber crime becomes more sophisticated and profitable, these attacks are occurring more frequently and with greater severity and complexity. Mobile networks will have security requirements similar to those of enterprises, but on a much larger scale. This white paper examines potential security challenges in both LTE infrastructure and wireless offload deployments, introduces the relevant 3GPP standards, and presents solutions based on an LTE security gateway.

Growing Mobile Demand

The increase in demand for mobile bandwidth is undeniable. Nokia Siemens Networks reported that in 2008 their customers saw an increase in High Speed Packet Access (HSPA) data traffic of 5.7 times the previous year, and eleven customers saw a ten-fold increase. "So we're seeing a significant amount of stress on the network," said Patrick Donegan, Senior Analyst, Heavy Reading. [1] According to Cisco, mobile data traffic will double every year through 2014, increasing approximately 40 times over the next five years (Figure 1). By 2014, seventeen percent of this data will be transmitted over the Internet, much of which will need to be secured.

IP has become the de facto transport, not only for user traffic but also for control within the network infrastructure. Security threats resulting from untrusted network endpoints, shared facilities, and disgruntled employees are magnified in an all-IP environment.

Figure 1. Cisco Global Mobile Data Traffic Forecast (Source: Cisco [2], 2010). Axes: consumer Internet traffic in petabytes per month versus year (2010, 2012, 2014), broken down into Mobile VoIP, Mobile Gaming, Mobile P2P, Mobile Web/Data and Mobile Video.

Expanding Mobile Network Capacity

In recent years, the convergence of telecom and IP networking has driven new standards, technologies and platforms. Persistent growth of bandwidth-hungry services and applications has driven the development of LTE, which supplies the bandwidth needed for these applications while lowering operating costs and simplifying network management. LTE delivers four times more downlink bandwidth and eight times more uplink bandwidth than its predecessor, HSPA. It also provides better cell performance, lower latency and higher Quality of Service (QoS), while supporting more users at a lower cost per byte.

LTE will take many years to roll out and become pervasive, however, and existing cellular networks are already becoming tapped out. With smartphones and other wireless devices becoming increasingly popular, some operators are looking for near-term wireless offload and coverage solutions. A new study from ABI Research reports that about sixteen percent of data traffic is diverted from mobile networks today and that this is expected to increase to forty-eight percent by 2015. [3] Cisco estimates that by 2014, twenty-three percent of U.S. smartphone traffic could be offloaded through the public Internet using wireless LANs and femtocells. Even higher percentages are forecast for Western Europe and Russia. Wireless offload relieves pressure on 3G access networks, but introduces the need for security gateways.

Securing Mobile Network Backhaul

Both LTE access and 3G wireless offload present new security challenges not encountered in traditional mobile network backhaul, the infrastructure that connects cell sites to the core network. Historically, backhaul employed dedicated T1 circuits and unshared facilities between macro cell-site base stations and the core network. LTE phases out TDM-connected cell sites in favor of Ethernet and IP connections, and for both cost and bandwidth reasons, LTE backhaul may leverage commercial broadband links. LTE networks have more small and distributed cell sites, which are difficult and costly to physically protect against criminal activity. Operators are also increasingly sharing cell sites to get around government limitations and use the best locations. The LTE architecture pushes more mobility function out to the cell sites, enabling hackers to disrupt subscribers and penetrate new data applications. And the flat LTE topology provides a direct route from cell sites to the network core, creating the possibility of Denial-of-Service (DoS) attacks and interception of user communications. All these factors drive new security requirements in LTE.

The security exposures in wireless offload applications are more obvious. WiFi access points and femtocells are connected over the public Internet and expose the core network to the full range of Internet attacks, including address spoofing, identity theft, man-in-the-middle, and DoS.
In addition to securing the wireless segment of a connection with appropriate wireless security such as WPA, mobile devices require end-to-end security to the core network, and network gateways must be appropriately firewalled to protect the core network. The security topology for LTE access and wireless offload networks is shown in Figure 3.

Figure 2. Wireless Offload (elements shown: dual-mode handset, standard 3G/4G handset, WiFi access point, femtocell, LTE eNodeB, 2G/3G/4G radio access, backhaul network or public Internet)

Network Security Technology Requirements

A security gateway is required to secure the connections between network elements over an untrusted communications link. The link may be untrusted because the elements are owned by different operators and therefore reside in different security domains (Za interface), or because the elements are owned by the same operator in the same security domain but are connected in a way that may lead to security breaches because the interfaces are not protected (e.g. no use of between internal elements). The elements may be part of the LTE backhaul network, like cell sites (eNodeBs), or part of the enhanced packet core, like Serving and Packet Gateways (S-GWY, P-GWY).

Figure 3. Securing LTE Access and Wireless Offload Networks (elements shown: UMA-enabled femtocell, wireless data offload over the public Internet (untrusted), firewall and tunneling technology, LTE Serving Gateway (SGW), I-WLAN Terminating Gateway (TTG), femtocell gateway, 3G core network (trusted), onward to the packet network for voice/data; interfaces: Wu, Up, S1, Iub)

The requirements for providing a secure connection between LTE network elements are specified in the 3GPP Network Domain Security (NDS) standard. The primary requirement is to use Internet Protocol Security (IPsec), as shown in Figure 4. With IPsec, data is passed between the network elements in secure tunnels using a protocol called Encapsulating Security Payload (ESP), which includes subscriber authentication, content integrity and data encryption. These tunnels are set up using a protocol called Internet Key Exchange (IKE), which enables the elements to identify each other in a trusted manner and establish a Security Association (SA).

Figure 4. Securing LTE Networks (Security Domain A containing A-1, A-2 and A; Security Domain B containing B-1, B-2 and B; the Za interface between the domains carries the IKE connection and the ESP Security Association)

The requirements for providing a secure connection to a mobile device or femtocell in a wireless offload application share similarities with the NDS scenario. An IPsec tunnel is established between the mobile device or femtocell and the core network using IKE; bidirectional security associations are established; and encrypted ESP data is transmitted (Figure 5).

LTE Security Gateway Solution

An LTE security gateway must meet the technology requirements for both LTE and the wireless offload applications that precede it. It should provide very high performance IPsec tunneling and stateful firewall protection, and be cost effective for a telecom equipment manufacturer to deploy in an operator network. An LTE security gateway should adhere to the 3GPP P-G standards and provide high performance IPsec capability, with carrier-grade reliability and scalability for telecom networks. This requires supporting the key IETF RFCs for ESP, IKE and Certificate Management Protocol (CMP) as required by 3GPP specifications TS 33.210 and TS 33.310. Ideally, an LTE security gateway will process at least multi-Gbps of encrypted IPsec traffic and scale to much higher IPsec throughput to support massive amounts of IP data from many LTE cell sites.
Additionally, in wireless offload applications, a security gateway should secure large numbers of WiFi-connected mobile devices and femtocells and support the authentication schemes appropriate for each device, e.g. reuse of the SIM card in mobile devices, support for both femtocell smart-card and certificate-based schemes, and back-end RADIUS support. Wireless offload applications such as I-WLAN and Home NodeB femtocells also require associating the user's IPsec tunnel with the GTP connection to the packet core.

Another important LTE security gateway feature is a stateful firewall that can process several million concurrent IP flows, with pre-defined and custom filters, consistency checks and DoS prevention mechanisms. This requires 10G Ethernet ports and firewall services performed at line rate. In addition to network security, an LTE security gateway should ideally feature static and dynamic Network Address Translation (NAT), Virtual Routing (VLAN), DHCP services and traffic management.

Figure 5. Securing Wireless Offload Applications (elements shown: 3G data offload, HSS/HLR, AAA, SGSN: Serving GPRS Support Node, GGSN: Gateway GPRS Support Node, Internet; interfaces: Wu or Up, Wm, Gn)
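The IKE exchange that sets up each SA and the DoS prevention the stateful firewall is expected to provide meet at one point a gateway terminating thousands of eNodeB and femtocell tunnels has to get right: an IKE_SA_INIT flood from spoofed sources must not consume SA state. The following Python model of the IKEv2 anti-DoS cookie (RFC 7296 section 2.6) is an added example, not Radisys code or part of the paper; the threshold, the addresses, the use of HMAC-SHA256 as the keyed hash, and the traffic in run_scenario() are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

HALF_OPEN_THRESHOLD = 3  # constructed: demand cookies once this many IKE SAs are half-open

@dataclass
class IkeSaInit:
    src_ip: str
    spi_i: bytes           # initiator SPI
    nonce_i: bytes         # Ni
    cookie: bytes = b""    # empty until the gateway has challenged the initiator

class SecurityGateway:
    def __init__(self):
        self.version = 0
        self.secrets = {0: os.urandom(32)}  # secret version id -> secret
        self.half_open = set()              # SPIs answered but not yet authenticated

    def rotate_secret(self):
        self.version += 1
        self.secrets[self.version] = os.urandom(32)
        # keep only the previous secret so retries already in flight still verify
        self.secrets = {v: s for v, s in self.secrets.items() if v >= self.version - 1}

    def _cookie(self, version, msg):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>), with HMAC as the keyed hash
        data = msg.nonce_i + ipaddress.ip_address(msg.src_ip).packed + msg.spi_i
        return version.to_bytes(2, "big") + hmac.new(self.secrets[version], data, hashlib.sha256).digest()

    def _cookie_valid(self, msg):
        if len(msg.cookie) != 34:  # 2-byte version id + 32-byte HMAC-SHA256 tag
            return False
        version = int.from_bytes(msg.cookie[:2], "big")
        return version in self.secrets and hmac.compare_digest(msg.cookie, self._cookie(version, msg))

    def handle_ike_sa_init(self, msg):
        """Under load answer statelessly with a cookie; otherwise create half-open SA state."""
        if len(self.half_open) >= HALF_OPEN_THRESHOLD and not self._cookie_valid(msg):
            return "COOKIE", self._cookie(self.version, msg)  # no memory spent on this peer yet
        self.half_open.add(msg.spi_i)
        return "ACCEPT", None

def run_scenario():
    """Constructed traffic: three cell sites, a spoofed-source flood, a late legitimate site, a replay."""
    gw = SecurityGateway()
    new = lambda ip: IkeSaInit(ip, os.urandom(8), os.urandom(32))
    for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):  # constructed eNodeB addresses
        gw.handle_ike_sa_init(new(ip))
    flood = [gw.handle_ike_sa_init(new(f"203.0.113.{n % 250}"))[0] for n in range(1000)]
    half_open_after_flood = len(gw.half_open)  # the flood buys the attacker no state at all
    legit = new("198.51.100.4")
    first, legit.cookie = gw.handle_ike_sa_init(legit)  # challenged, then retries with the cookie
    retry = gw.handle_ike_sa_init(legit)[0]
    replay = IkeSaInit("203.0.113.9", legit.spi_i, legit.nonce_i, legit.cookie)  # cookie is bound to the IP
    replayed = gw.handle_ike_sa_init(replay)[0]
    gw.rotate_secret()
    after_one_rotation = gw.handle_ike_sa_init(legit)[0]   # previous secret still honoured
    gw.rotate_secret()
    after_two_rotations = gw.handle_ike_sa_init(legit)[0]  # version-0 secret discarded
    return {"flood_cookies": flood.count("COOKIE"), "half_open_after_flood": half_open_after_flood,
            "legit": (first, retry), "replay": replayed,
            "rotation": (after_one_rotation, after_two_rotations), "half_open_final": len(gw.half_open)}
```

A production gateway would additionally rate-limit per source and age out half-open SAs; the cookie alone only guarantees that no state is created for a peer that has not proven it can receive at its claimed address.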

Because security technology is complex and engineers with relevant experience are scarce and expensive, most telecom equipment manufacturers would prefer to buy a complete LTE security gateway solution that they can easily and cost effectively integrate into the LTE network elements in their portfolio. Like other telecom equipment, the LTE security gateway should have a fault-tolerant configuration option and meet carrier requirements for high availability and serviceability. Many equipment manufacturers have adopted the open, carrier-grade Advanced Telecom Computing Architecture (ATCA) and would benefit from a blade solution that could be readily integrated into spare slots of existing network elements, as well as offered as a standalone solution.

Conclusion

The explosion of mobile data applications has begun, and worldwide mobile operators are planning to migrate their networks to LTE. The new LTE networks will increase broadband capacity to support higher data rates, simplify network management, and lower transport costs. Whether operators choose to move directly to LTE or enhance their current-generation networks with wireless offload applications, they must address the security issues associated with an all-IP network. The financial risk and reputation impact associated with any security breach in the early stages of a network rollout are too big to ignore. The 3GPP standards, including NDS, specify ways to secure user data and protect network elements, but leave many implementation decisions up to the operators. Network security is a major hurdle for LTE equipment vendors because the scope of potential breaches is large, the technology is complex, and engineers with relevant security expertise are scarce and expensive. The best solution is a turnkey security gateway that is flexible and scalable and can be cost effectively integrated to make new network rollouts secure from the outset.

Glossary

The following glossary is in the order in which the acronyms appear in the paper.

3GPP: 3rd Generation Partnership Project
ATCA: Advanced Telecom Computing Architecture
CMP: Certificate Management Protocol
DoS: Denial-of-Service
eNodeB: enhanced NodeB, LTE radio at a cell site
ESP: Encapsulating Security Payload
HSPA: High Speed Packet Access
IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
IP: Internet Protocol
IPsec: Internet Protocol Security
I-WLAN: Interworking-Wireless Local Area Network
LTE: Long Term Evolution (one flavor of 4G)
NAT: Network Address Translation
NDS: Network Domain Security
P-GWY: Packet Gateway
QoS: Quality of Service
S1-U: User-plane (mobile) traffic between LTE eNodeB (cell site) and Serving Gateway (S-GWY) packet core elements
SA: Security Association
[acronym missing]: Security Gateway
S-GWY: Serving Gateway
T1: Data circuit running at 1.544 Mbit/s line rate
TDM: Time Division Multiplexed
WPA: Wireless Protected Access

References

[1] http://www.lightreading.com/video.asp?doc_id=174795
[2] Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2009-2014, February 9, 2010, http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white_paper_c11-520862.html
[3] http://4g-wirelessevolution.tmcnet.com/channels/network-acceleration/articles/95417-wifi-femtocellothers-help-mobile-data-offloading-research.htm

Corporate Headquarters: 5435 Dawson Creek Drive, Hillsboro, OR 97124 USA. Phone 503-615-1100, Fax 503-615-1121, Toll-Free 800-950-0044. www.radisys.com, info@radisys.com

© 2011 Radisys Corporation. Radisys, Trillium, Continuous Computing and Convedia are registered trademarks of Radisys Corporation. *All other trademarks are the properties of their respective owners. October 2010