SECURING THE MOBILE NETWORK




AVIAT NETWORKS
SECURING THE MOBILE NETWORK
BY LOUIS SCIALABBA, AVIAT NETWORKS SOLUTIONS MARKETING

TABLE OF CONTENTS
Introduction
Impact of an Unsecure Mobile Network
Benefits of Secure Mobile Networks
Importance of Securing the Microwave Network
Definition of Security Enforcement
ITU-T X.800 Threats Model
Physical Site and Equipment Security
Secure Management
Centralized User Management
Payload Encryption
2G and 3G Network Security
4G Mobile Network Security
Solutions for LTE Microwave Backhaul Segments
Customer Use Case
MTN Ghana Use of RADIUS
Summary

INTRODUCTION
In an era of ubiquitous broadband communication at work and home, the issue of security in mobile backhaul is more important than ever. The new generation of LTE wireless technology is an enabler for applications such as mobile commerce, voice over IP (VoIP), and high-definition video delivery to smartphones, but it has also opened some sinkholes in the foundation that pre-LTE architectures and applications have established. This white paper discusses the burgeoning need for security in mobile backhaul in terms of benefits to MNOs and society.

IMPACT OF AN UNSECURE MOBILE NETWORK
Security incidents can have severe consequences for mobile operators. Short-term public relations hiccups can be dealt with, but over the long term, carriers are subject to subscriber churn, which can significantly influence profitability. Softpedia.com cited a study performed by Opinion Matters which determined that 75 percent of smartphone users in the UK would likely change mobile providers if a security breach occurred on their current network. Aside from technology drivers, public concern over personal privacy and governmental preoccupation with national security are both pushing Mobile Network Operators (MNOs) to protect information confidentiality, integrity, and availability.

In addition to subscriber churn, MNOs can face litigation and legal problems, especially when a security breach affects enterprise service. The economic impact can be several hundreds of thousands or even millions of dollars. In a report presented by McAfee at the World Economic Forum, it was found that over half of the 600 IT executives surveyed had suffered large-scale incidents with associated downtime costs of over $6.5 million per day. The types of data at risk include commercial information, such as patents, software code, and designs, as well as employee records. In such cases, MNOs must defend both the enterprises and the individuals who have been victimized.

A heist of Intellectual Property (IP) could have a costly effect on a corporation, especially if the subject matter is innovative but easily replicated in the marketplace. Governments are getting involved, mandating that carriers abide by security legislation specifically intended for telecommunication service providers. In the European Union, EU directive 2009/140/EC, article 13a, requires operators to take steps to provide uninterrupted and secure transmission of voice and data over EU telecommunications infrastructure. Operators are also required to report security incidents so the effectiveness of their controls can be measured.

At the national level, security over mobile networks or, in fact, any Internet access can have massive impacts on international relations. One example was the 2009 attack on Silicon Valley companies. In an article on csoonline.com, the alleged perpetrators of the breach were described as Chinese hackers who exploited a weakness to gain access to Google's internal network; Google admitted that some of its intellectual property had been stolen and that it would soon cease operations in China.

The impact of that event has had far-reaching consequences for the technology industry and for political relations between the United States and China. Dating back to March 2005 is arguably the most infamous and criminal mobile network breach of all time, the scandal dubbed "The Athens Affair" by writers Vassilis Prevelakis and Diomidis Spinellis. In that breach of the Vodafone Greece mobile network, equipment was illegally accessed and software was implanted in switching centers and later downloaded directly to cellphones, allowing unlawful tapping of potentially incriminating phone conversations among targeted Vodafone subscribers, including sitting ministers of the government. It was a highly sophisticated hacking of the network that most carriers could not have prevented; however, one reason Vodafone received scathing publicity was that it purportedly mishandled informative system log files, a failure that more robust security mechanisms could have prevented. Two years after the incident, Vodafone was fined $76 million.

BENEFITS OF SECURE MOBILE NETWORKS
The old adage that prevention is the best medicine certainly applies to security. The rewards certainly outweigh the risks. Every year MNOs are judged by companies such as J.D. Power and Consumer Reports on the level of satisfaction of their customers. Consistently high rankings help MNOs establish a trusted brand for their service offering. Strength in branding is one element of customer retention and lower overall subscriber churn, and strong brand value supports higher Average Revenue Per User (ARPU). It is one thing for a customer to shrug off an unusually long wait time for a technical support call; it is another for a customer to feel violated because his voice and data transactions on the network were compromised after the operator failed to take preventative measures. Security breaches lead to negative PR, which leads to degradation of customer trust, which ultimately leads to a tainted brand, higher churn and lower profits. All the effort a corporation expends to build strong brand value can easily be offset by just one security breach.

IMPORTANCE OF SECURING THE MICROWAVE NETWORK
Microwave has long been the technology of choice for mobile backhaul around the world due to its low overall Total Cost of Ownership (TCO), flexibility and high reliability. Microwave backhaul for macro cell sites has accounted for over half of all backhaul technologies combined, including fiber and copper-based solutions. The abundant presence of microwave puts security concerns in the forefront for those who manage the network and the customers on it. In 2013, Infonetics Research published the results of a Global Survey on Microwave Strategies and Vendor Leadership, in which operators were asked to rank the importance of different microwave product features in terms of influence on purchasing decisions. As in the prior year, Management Interface Security ranked very high, No. 4 overall, ahead of popular items like 1024 QAM, QoS, and MIMO. According to the report's findings, this priority suggests an awareness of security issues in microwave connections.

Microwave is usually part of a larger network of connected elements in a backhaul design. As such, it is important that security concerns do not make it the weak link in the chain. Specific security threats to microwave equipment include misconfiguration and/or tampering with provisioning information, whether by malicious intruders or disgruntled employees. In fact, studies have shown that 50-90 percent of all hacking activities are perpetrated by "insiders" or people with physical access to the equipment. Additionally, operators may carry critical traffic for government and financial institutions across their microwave equipment, and such traffic has strict security requirements at all points in the network. Lastly, the migration from TDM to IP as part of the evolution from 2G to 3G and 4G has opened the microwave segment of the backhaul to security concerns stemming from the distributed nature of IP networks.

DEFINITION OF SECURITY ENFORCEMENT
The Next Generation Mobile Network (NGMN) organization has defined five classes of threats for the mobile network, as depicted in the illustration below: Destruction, Corruption, Removal, Disclosure and Interruption of information. Critical management and data traffic over unsecured networks means some form of encryption may be needed, beyond just physical equipment and site security. This applies to both microwave and fiber networks.

ITU-T X.800 THREATS MODEL
[Figure: ITU-T X.800 threats model]

MNOs can fend off these threats by implementing different types of security mechanisms. These mechanisms include:

PHYSICAL SITE AND EQUIPMENT SECURITY
Whether it is a macro base station tower or an emerging small cell on a busy urban street lamp, devices such as radios, switches and routers can be tampered with if some level of equipment protection is not provided. Many devices include telemetry features that alert or alarm the network operator if a port card, control unit, backup battery or fan is removed, and typically specialized card pullers and screws are used to keep the network element protected. Additionally, tamper-evident labels can be used to detect intrusions.

SECURE MANAGEMENT
Secure Management is about securing access to and control of the microwave radio. Messages sent from the Network Operations Center (NOC) to the radio are protected and not subject to compromise or malicious spoofing by unauthorized users. Secure Management also protects against accidental or unintentional misconfiguration of the network. Secure Management adds several layers of security and should be implemented in a manner that is FIPS 140-2 Level 2 compliant. FIPS 140-2 validation is required whenever encryption is specified in any US Federal procurement RFP.

CENTRALIZED USER MANAGEMENT
RADIUS is one mechanism that can be used to create centralized user management of a network. RADIUS provides Authentication, Authorization and Accounting (AAA) of remote user accounts. It greatly simplifies and expedites changes to user account characteristics. RADIUS also allows password enforcement and complexity rules to be tailored to individual organizations according to company policy.

PAYLOAD ENCRYPTION
There are various forms of payload encryption, one being IPsec (Internet Protocol Security). IPsec requires peer authentication and the sharing of cryptographic keys for each packet exchanged during a security session. IPsec has its challenges in mobile networks, namely the cost and complexity of implementation and a tight coupling with IPv6. In the microwave radio domain, payload encryption can be achieved using AES encryption on both management and data traffic. This prevents eavesdropping on wireless communications, as anyone snooping along the transmission path between links or in the transmitter's vicinity will receive only a garbled transmission. At a minimum, radios should support AES encryption with randomly generated 128- or 256-bit symmetric keys. These keys are created and negotiated between links using industry-standard key agreement methods with a modulus of at least 2048 bits. Payload encryption should be implemented in compliance with FIPS-197, which provides the definition of AES. AES is commonly regarded as one of the leading worldwide encryption schemes, accepted by the most demanding entities such as the US Government and US Military.
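The RADIUS exchange that the CENTRALIZED USER MANAGEMENT section relies on, worked through as an added example (this is not Aviat's code and is not taken from this paper): a radio acting as RADIUS client sends an Access-Request carrying the operator's User-Name and a hidden User-Password, and the server answers with an Access-Accept or Access-Reject whose Response Authenticator is keyed with the shared secret. The shared secret, the account name and the password below are constructed values; the packet layout, the password-hiding scheme and the Response Authenticator computation follow RFC 2865.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example (not from the paper): the shared secret that the
# radio (RADIUS client) and the RADIUS server hold, and one NOC user account.
SHARED_SECRET = b"demo-shared-secret"
USER_DB = {"noc-operator": "Tr0ub4dor&3!"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: Type (1 octet), Length (1 octet, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data):
    attrs, pos = {}, 0
    while pos < len(data):
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-octet blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; trailing NUL padding is removed (NUL is not a valid
    password byte here, so stripping it is unambiguous)."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def client_access_request(identifier, username, password, secret):
    """Radio side: build an Access-Request with a fresh random 16-octet Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(request, secret, user_db):
    """Server side: recover the password, check it, and reply with a Response Authenticator
    = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    _code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(username, "").encode()
    # Constant-time compare; an unknown user still goes through the comparison.
    accepted = username in user_db and hmac.compare_digest(password, expected)
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def client_verify_response(response, request_auth, secret):
    """Radio side: a reply whose Response Authenticator does not verify is discarded, so an
    on-path party without the shared secret cannot forge an Access-Accept."""
    code, _identifier, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: reply forged or shared secret differs")
    return code


def authenticate(username, password, secret=SHARED_SECRET, user_db=USER_DB, identifier=1):
    """Run the whole exchange in-process and report whether access was granted."""
    request, request_auth = client_access_request(identifier, username, password, secret)
    response = server_handle(request, secret, user_db)
    return client_verify_response(response, request_auth, secret) == ACCESS_ACCEPT


if __name__ == "__main__":
    print("valid credentials:", authenticate("noc-operator", "Tr0ub4dor&3!"))   # True
    print("wrong password   :", authenticate("noc-operator", "guess"))          # False
```

The check in client_verify_response is the one that matters for secure management: a reply that does not verify against the shared secret is dropped, so a radio cannot be talked into accepting a forged Access-Accept. The RFC 2865 password hiding is MD5-based and gives no confidentiality against anyone who holds the shared secret, which is one more reason the RADIUS traffic between radios and the server should itself travel inside the encrypted management channel the paper describes.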

2G AND 3G NETWORK SECURITY
GSM networks provided a step-function increase in security capabilities versus early AMPS and TACS analog cellular technology. Because GSM is a digital technology, it is able to use a speech-coding algorithm as well as authentication and encryption mechanisms. David Margrave, in his paper "GSM Security and Encryption", explains that the GSM authentication and encryption schemes are designed so that sensitive information is never transmitted over the radio channel, because a challenge-response technique is built into the GSM authentication function. Conversations are encrypted with a temporary, randomly generated ciphering key which is issued by the network and may be changed periodically (e.g. during hand-offs) for additional security. A5/1 is the stream cipher that was used to provide early GSM communication privacy, but it ultimately proved vulnerable over time and suffered several documented attacks on a global scale. A5/3, or KASUMI, designed specifically by 3GPP for the UMTS standard, was used in 3G systems, but it too was broken by cipher attacks over the last decade. Nevertheless, the native encryption in 3G networks helped the security cause on the path from the handset to the base station to the Radio Network Controller (RNC). The flatter network architecture of 4G is, in a sense, a step backwards in security.

4G MOBILE NETWORK SECURITY
In LTE, RNC functionality resides in the eNodeB, meaning that native encryption terminates at the base station (see the LTE reference diagram below). As a result, and according to NGMN, some functions previously in the controller (BSC and RNC respectively) move directly into the eNodeB, exposing the service and the underlying packet backhaul network to potential security threats. The X2 interface has the potential to increase the propagation and scale of security attacks. Especially of concern is the use case of shared backhaul or converged network infrastructure, for example a Fixed-Mobile Converged (FMC) network.

The panacea from 3GPP for the security gap in LTE was intended to be IPsec. IPsec would require secure tunnels from the eNodeB to the Evolved Packet Core, with termination of those tunnels in a Security Gateway (S-GW). However, operators globally are hesitant about widespread IPsec deployment. Patrick Donegan, Heavy Reading analyst, in a public report conducted on behalf of Radisys, agrees and explains that many operators are initially limiting their IPsec deployment to specific cases, such as where backhaul is leased or in the case of physically vulnerable small cells. Donegan also points out that operators are still waiting for ecosystem vendors to widely support the IPv6 protocol, and MNOs would prefer to wait for IPv6 before spending time and money on IPsec, the implementation of which is intimately coupled with IPv4 and/or IPv6. A case can be made for implementing payload encryption on backhaul links, especially on the microwave radio backhaul links that are in wide use around the world. Payload encryption could give operators a few years to work out the business case for IPsec, particularly if their microwave backhaul gear already has encryption capability built in and all that is needed is a software license.
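The GSM challenge-response described in the 2G and 3G section above, as an added example that is not from the paper or from any vendor: the network issues a random RAND, the SIM answers with SRES computed from RAND and its secret key Ki, and both sides derive the ciphering key Kc from the same inputs, so neither Ki nor Kc ever crosses the radio channel. The subscriber values are constructed, and HMAC-SHA256 is an assumed stand-in for the operator-specific A3/A8 algorithms; only the message flow and the output sizes follow GSM.

```python
import hashlib
import hmac
import os

# Constructed demo subscriber (values made up for this example): IMSI and the 128-bit
# individual subscriber key Ki, which exists only in the SIM and in the operator's AuC.
SUBSCRIBERS = {"001010123456789": bytes.fromhex("0123456789abcdef0123456789abcdef")}


def a3_a8_stand_in(ki, rand):
    """Stand-in for the operator-chosen A3 (authentication) and A8 (key agreement) functions.
    Assumption: HMAC-SHA256 is used here only to show the structure; real SIMs run operator
    algorithms such as the COMP128 family. Output sizes follow GSM: 32-bit SRES, 64-bit Kc."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuthenticationCentre:
    """Network side (AuC/HLR). Holds Ki for every subscriber and issues challenges."""

    def __init__(self, subscribers):
        self.subscribers = subscribers

    def challenge(self, imsi):
        """Produce an authentication triplet (RAND, expected SRES, Kc) for one run.
        Only RAND is sent over the air; SRES and Kc stay inside the network."""
        rand = os.urandom(16)
        sres, kc = a3_a8_stand_in(self.subscribers[imsi], rand)
        return rand, sres, kc


class Sim:
    """Subscriber side. Ki never leaves the card; it answers RAND with SRES and keeps Kc."""

    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki

    def respond(self, rand):
        sres, kc = a3_a8_stand_in(self.ki, rand)
        return sres, kc


def run_authentication(auc, sim, replayed_sres=None):
    """One challenge-response exchange. Returns (authenticated, network_kc, sim_kc, air_interface),
    where air_interface is everything an eavesdropper on the radio channel would observe.
    If replayed_sres is given, a previously captured SRES is sent instead of a fresh answer,
    modelling a party that holds no Ki."""
    rand, expected_sres, network_kc = auc.challenge(sim.imsi)
    if replayed_sres is None:
        sres, sim_kc = sim.respond(rand)
    else:
        sres, sim_kc = replayed_sres, None
    authenticated = hmac.compare_digest(sres, expected_sres)
    air_interface = {"RAND": rand.hex(), "SRES": sres.hex()}
    return authenticated, network_kc, sim_kc, air_interface


if __name__ == "__main__":
    auc = AuthenticationCentre(SUBSCRIBERS)
    sim = Sim("001010123456789", SUBSCRIBERS["001010123456789"])
    ok, net_kc, sim_kc, seen = run_authentication(auc, sim)
    print("authenticated:", ok, "| Kc agreed on both sides:", net_kc == sim_kc)
    print("observed on the air:", seen)   # RAND and SRES only; neither Ki nor Kc appears
```

Because the challenge changes on every run, a captured SRES does not answer the next RAND, and the per-run Kc is what lets the network re-key periodically as the text describes. This protection covers the handset-to-RNC path; the paper's point about LTE is that native encryption stops at the eNodeB, leaving the backhaul behind it to other mechanisms.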

[Figure: 3G & LTE network architectures]

SOLUTIONS FOR LTE MICROWAVE BACKHAUL SEGMENTS
Secure Management offers secure management access to Aviat Eclipse Packet Node radios over unsecured networks. Secure Management features dictate who can access the network, the privileges of those users and the visibility they are allowed, all while encrypting all traffic and offering layered protection against multiple types of attacks. In the case of a breach of any layer, Secure Management also provides rich forensic capabilities for post-incident analysis. Additionally, the Security Event Logger feature records all management activity for increased accountability and improved troubleshooting and root cause analysis. Payload Encryption secures wireless data and in-band and out-of-band management traffic. With Secure Management and Payload Encryption working together as a defense-in-depth strategy, even data that might ride on overhead channels (e.g. site management devices) is secure.

The Strong Security suite from Aviat Networks offers solutions for wireless communications protection with options for Secure Management, Payload Encryption and integrated RADIUS capability. Integrated RADIUS capability enables authentication, authorization and accounting of remote user accounts. Hacker-deterrent features include Mechanized Attack Prevention, password complexity requirements, and minimization and encryption of information kept in the radio.
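To show what centrally collected Security Event Logger records enable, here is an added example (not Aviat's code; the log layout is a constructed stand-in, not the Eclipse format) that runs three simple rules over management records: a burst of failed logins from one source at one radio, a successful login right after such a burst, and any session over a protocol such as Telnet that the paper says should be disabled. The thresholds and the sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a generic key=value layout. Assumption: this is not the real
# Eclipse Security Event Logger format, only a stand-in so the rules below can run offline.
SAMPLE_LOG = """\
2013-09-17T08:00:01 radio=SITE-A-12 event=LOGIN_FAIL user=admin src=10.1.20.5 proto=ssh
2013-09-17T08:00:03 radio=SITE-A-12 event=LOGIN_FAIL user=admin src=10.1.20.5 proto=ssh
2013-09-17T08:00:04 radio=SITE-A-12 event=LOGIN_FAIL user=admin src=10.1.20.5 proto=ssh
2013-09-17T08:00:06 radio=SITE-A-12 event=LOGIN_FAIL user=admin src=10.1.20.5 proto=ssh
2013-09-17T08:00:07 radio=SITE-A-12 event=LOGIN_FAIL user=admin src=10.1.20.5 proto=ssh
2013-09-17T08:00:09 radio=SITE-A-12 event=LOGIN_OK user=admin src=10.1.20.5 proto=ssh
2013-09-17T08:15:00 radio=SITE-B-07 event=LOGIN_OK user=jdoe src=10.1.30.9 proto=telnet
2013-09-17T08:16:10 radio=SITE-B-07 event=CONFIG_CHANGE user=jdoe src=10.1.30.9 item=modulation
2013-09-17T09:30:00 radio=SITE-C-03 event=LOGIN_FAIL user=ops src=10.1.40.2 proto=https
2013-09-17T09:45:00 radio=SITE-C-03 event=LOGIN_OK user=ops src=10.1.40.2 proto=https
"""

FAILED_LOGIN_THRESHOLD = 5        # failures per (radio, source) inside WINDOW that count as a burst
WINDOW = timedelta(minutes=5)
INSECURE_PROTOCOLS = {"telnet", "http", "snmpv1", "snmpv2c"}   # should be disabled on the radio

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; returns None for blank or malformed lines."""
    match = LINE_RE.match(line.strip())
    if not match or "=" not in match.group("kv"):
        return None
    record = dict(pair.split("=", 1) for pair in match.group("kv").split() if "=" in pair)
    record["ts"] = datetime.fromisoformat(match.group("ts"))
    return record


def analyse(log_text, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Run three rules over the log and return findings in log order:
    brute_force         - `threshold` failed logins from one source at one radio within `window`
    success_after_burst - a successful login from that source shortly after the burst
    insecure_protocol   - any management session over a protocol that should be disabled"""
    findings = []
    failures = defaultdict(list)    # (radio, src) -> timestamps of failures still inside window
    bursts = {}                     # (radio, src) -> time the burst was detected
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key, ts = (rec["radio"], rec["src"]), rec["ts"]
        base = {"ts": ts.isoformat(), "radio": rec["radio"], "src": rec["src"], "user": rec.get("user")}
        if rec["event"] == "LOGIN_FAIL":
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold and key not in bursts:
                bursts[key] = ts
                findings.append({**base, "rule": "brute_force", "count": len(failures[key])})
        elif rec["event"] == "LOGIN_OK":
            burst_at = bursts.pop(key, None)
            if burst_at is not None and ts - burst_at <= window:
                findings.append({**base, "rule": "success_after_burst"})
            failures[key] = []      # a successful login closes the failure window
        if rec.get("proto") in INSECURE_PROTOCOLS:
            findings.append({**base, "rule": "insecure_protocol", "proto": rec["proto"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the rules fire three times: the fifth failure at SITE-A-12, the successful login two seconds later from the same source (the record a responder would look at first), and the Telnet session at SITE-B-07. The single failure at SITE-C-03 stays below the threshold and produces nothing, which is the behaviour you want from a lockout rule that must not punish a mistyped password.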

Access control protection helps ensure proper privileges for employees, especially new hires, contractors, and lower-skilled employees. For Local Access this includes:
- Identity-based authentication
- Identity-based privileges
- Security warning banners
- Access control lists
- Automatic session timeout
- Disabling unused ports, unsecured protocols and backdoors
- Encryption and caching of user accounts

For Remote Access this includes:
- Secure tunneling (TLS)
- Disabling of unsecure protocols (e.g., Telnet)
- Secure software download (HTTPS)
- Closure of all engineering backdoors

Finally, in the Network Operations Center (NOC), SNMPv3, NMS access control lists, encrypted remote backup and secured system logs are provided to better enforce security mechanisms from a centralized point of control.

CUSTOMER USE CASE
MTN Ghana is the largest mobile communications provider in Ghana. With a constant flow of new service subscribers, network security is vital. A long-time user of Aviat Networks radios, MTN Ghana has used Aviat Eclipse since 2007 for its network backbone and 3.5G access management, benefiting from reliability and easy migration from TDM to Ethernet. However, with growth come occasional traffic and equipment disturbances in the network, and MTN Ghana looked to Aviat to make sure disturbances were not the result of security incidents.

Traditionally, US federal government and military agencies and their contractors are the primary users of high-level security solutions. Their networks must comply with Federal Information Processing Standards FIPS 140-2 for management and FIPS-197 for data payload encryption. Because of the extensive validation and testing regimen that vendors must go through for their products, mobile and enterprise operators are embracing these standards.

MTN GHANA USE OF RADIUS
Eclipse radios use both AAA and RADIUS. MTN Ghana has several thousand microwave sites and has decided to prioritize deployment of AAA and RADIUS at key sites along the backbone. Secure Management using AAA/RADIUS with the ProVision Element Management System has improved the availability and visibility of the wireless network. In particular, network visibility into Ghana's capital city, Accra, has increased tremendously, allowing a reduction in staff hours of workers who previously needed to visit remote sites in the field. Troubleshooting has become simple and fast, as the nodes are visible from one central location.

MTN Ghana adds: "Aviat Networks implemented their Secure Management AAA system with RADIUS to control physical access to the equipment. Through RADIUS, rigorous password authentication is implemented to mitigate unauthorized access to the equipment on site. This has assisted MTN Ghana to ensure those who access the equipment are both authorized to do so, and qualified to do the work permitted by the specific set of rights assigned to them within the Secure framework."

[Figure: Securing the Backbone in MTN Ghana: the backbone network of thousands of microwave radio links connects a nation.]

SUMMARY
Security is a necessary function for both users and providers of mobile networks. Mobile network security involves several aspects, from physical site security to data encryption to secure management interfaces. The evolution of mobile networks to a flatter LTE architecture has uncovered some challenges in the security domain. Secure management is perhaps the most effective and simple method to employ, especially in microwave backhaul segments. Aviat Networks provides a full suite of security mechanisms for its microwave product portfolio, a key enabler of reliable backhaul functionality around the world. Although many mobile operators may not appreciate the need for network security today, it will likely be required throughout all portions of the network over time, with microwave transport being a critical segment.

WWW.AVIATNETWORKS.COM
Aviat Networks, Inc. 2013 All Rights Reserved. Subject to change without notice. wp_securing_mobntwk_univ_17sep13