Presented @ CanSecWest, 2012, Vancouver & ISSA International Conference 2012, Anaheim, CA
Galina Pildush, PhD
  
• Is:
  • LTE introduction
  • LTE perspectives and vulnerabilities
• Is not:
  • Everything else
  
• LTE = Long-Term Evolution of Evolved Universal Terrestrial Radio Access Network
  • Greater flexibility of spectrum usage
  • Reduced latency
  • Interworking with other systems, for example CDMA2000
• LTE-Advanced
  • Worldwide functionality and roaming
  • Service compatibility
  • Enhanced peak data rates (100 Mbps – 1 Gbps)
  
This is where it was a few years ago …
[Diagram: access network (AN) and core network (CN). Elements shown: GERAN (BSC, BTS), UTRAN (RNC, NodeB), SGSN, GGSN, MSC, VLR, GMSC, two CS-MGWs, HSS (HLR, AuC), PCRF, PSTN, Internet. Interface labels: A, Gb, IuCS, IuPS, Gn, Gi, Gx, Gr, Gs, Gc, C, D, Nc, Mc, Nb. Legend: interfaces supporting user traffic; interfaces supporting signalling.]
Note:
- This is a display of a basic GPRS architecture blocks and interfaces
- Not all network elements and interfaces shown
  
This is where it is today … and still evolving …
[Diagram: access network (AN) and core network (CN). The elements of the previous diagram (GERAN, UTRAN, SGSN, GGSN, MSC, VLR, GMSC, CS-MGW, HSS (HLR, AuC), PCRF, PSTN, Internet) plus E-UTRAN (eNodeB), MME, S-GW and PDN-GW. Additional interface labels: S1-MME, S1-U, S3, S4, S5, S8, S11, S12, S6a, SGi, Gx, Gxc.]
Note:
- This is a display of a basic GPRS and EPS architecture blocks and interfaces
- Not all network elements and interfaces shown
  
[Diagram: Protocol Reference Model, GERAN User Plane. Nodes: UE, BS, SGSN, Serving GW, PDN GW. Interfaces: Um, Gb, S4, S5/S8, SGi. Layers shown: GSM RF, MAC, RLC, LLC, SNDCP, BSSGP, Network Service, L1bis, Layer 1, Layer 2, IP, UDP, GTP-U, Relay, Appl-n.]
[Diagram: Protocol Reference Model, UTRAN User Plane. Nodes: UE, UTRAN, Serving GW, PDN GW. Interfaces: Uu, Iu, S5/S8, SGi. Layers shown: Layer 1, Layer 2, MAC, RLC, PDCP, UDP/IP, GTP-U, Relay, IP, Appl-n.]
[Diagram: Protocol Reference Model, E-UTRAN User Plane. Nodes: UE, eNodeB, Serving GW, PDN GW. Interfaces: LTE-Uu, S1-U, S5/S8, SGi. Layers shown: Layer 1, Layer 2, MAC, RLC, PDCP, UDP/IP, GTP-U, Relay, IP, Appl-n.]
  
[Figure: Control Plane and User Plane]
• Source: www.3gpp.org
  
[Diagram: LTE roaming architecture, HPLMN and VPLMN. Elements shown: E-UTRAN (eNodeB), MME, S-GW, PDN-GW, L-GW, HSS (HLR, AuC), H-PCRF, V-PCRF, OCS, Internet, IPX Cloud, 3rd Party Application Function Domain. Interface labels: S1-MME, S1-U, S10, S11, S5, S8, S6a, S9, Gx, Gy, Rx, SGi. Protocol stacks shown: S1-AP / SCTP / IP / Lower Layers; DIAMETER / SCTP / IP / Lower Layers; GTPv2 and GTP-U / UDP / IP / Lower Layers; IP / Lower Layers.]
  
[Diagram: connection establishment across MME, HSS (HLR, AuC), S-GW, PDN-GW, H-PCRF, OCS and Internet, with numbered steps]
1. Attach Request (initial attach, IMSI, PDP Connection Request)
2. Update Location, granting the service
3. Create Session Request
4. Create Session Request
5. Create Session Response
6. Create Session Response
7. Initial Context Setup Request (attach accept, activate default EPS Bearer Request)
8. Initial Context Setup Response
9. Attach Complete, Activate Default Bearer Accept
Note:
- Connection establishment shown in this diagram is simplified
  
• Traditionally PSTN is a “Walled Garden”
  • Protocols are not widely spread and/or known
  • Complex protocols
  • Closed architectures
  • Controlled access
• Today LTE access uses IP as a transport
  • Convergence of voice and data
  • Convergence of wireline and wireless
  • Lower operations costs
• Ahh… Life is good … or IS IT NOT?
  
• Love sooo … many Apps - over 10.9 billion (expected to rise to 76.9 billion by 2014!) *
• The more the merrier
• Free is better than paid for
• Voice, video, data – all in one!
• Enjoy high speed
• Want my SP to maintain the service I subscribe to
• Ahh… Life is good… or IS IT NOT?
*Source: IDC
  
• Can connect with staff any time from anywhere
• Should be able to increase productivity
• Faster decision making
• Instant access to teleworkers
• Instant deal making
• Etc., etc., etc …
• Ahh… Life is good … or IS IT NOT?
  
• The more apps, the merrier –
• It’s a Wild-Wild West (WWW) out there – grab as much as you can
• No regulations, validations, or restrictions
• I can masquerade as anyone or anything
• Phish around tricking you into entering sensitive information
• Financial theft
• Privacy theft
• Challenge is invigorating
• This is a wonderland – millions of walking servers with eyes and ears without firewalls
• Ahh… Life IS good!
  
• LTE is IP end-to-end
• The protocols are open
• The infrastructures are getting more complex
• This could introduce new vulnerabilities
• Complexity does not mean more secure
• What does it all mean to a security person?
  
• The threats are possible on:
  • Network Infrastructure elements – RAN, Core
  • Bandwidth consumption
  • Servers
  • UEs
• On network elements – paralyzing the network
  • Flood attacks
  • Worm infections and Trojan attacks
  • Spam and virus attacks
  • Man in the middle attacks
• On UEs
  • Phishing
  • Botnet
  • Viruses
  • Worms
  • Trojan attacks
• Trusted but infected UEs could become sources of attacks
  
• Paralyzed:
  • Network elements and/or entire network infrastructures
  • Fixed servers
  • Mobile servers – UEs
• Misbehaved servers
• Mis-billing and/or overbilling
• Battery drainage on UEs
• Personal data compromised
• Financial theft
• Misconduct
• Unhappy customers
• Loss of privacy
• Loss of customers
• Bad industry reputation
• Loss of revenue and business
  
• UEs
  • The out-of-control spread of unprotected servers – smart phones EVERYWHERE
• Operators core
  • Facing Internet
  • Peering points
  • RAN-Core connection
• Operators RAN
  
[Diagram: LTE roaming architecture (HPLMN and VPLMN) as on the earlier slide, with the SCTP-based protocol stacks marked: S1-AP / SCTP / IP / Lower Layers and DIAMETER / SCTP / IP / Lower Layers]
  
• SCTP Association hijacking:
  • Address camping or stealing
  • If attacker can take over an IP address they can restart the association
• Man-in-the-middle
• Bombing attacks:
  • Get a server to amplify packets to an innocent victim
  • Allows an attacker to use an arbitrary SCTP endpoint to send multiple packets to a victim in response to one packet
  • Allows an attacker to use an SCTP server to send a larger packet to a victim than it sent to the SCTP server
• Association redirection – http://tools.ietf.org/html/rfc5062
  
[Diagram: LTE roaming architecture (HPLMN and VPLMN) as on the earlier slide, with the DIAMETER / SCTP / IP / Lower Layers stacks marked]
  
• Diameter attacks
  • Negotiation attack – could cause Diameter server to choose a less secure authentication method (CHAP, PAP, for example)
  • Connection hijacking – attacker attempts to inject packets
  • Replay
  • Snooping packets
  • Packet modifications
  • Impersonation – rogue NEs with forged IP addresses
  • Man-in-the-middle attack – attackers gain control of a Diameter agent, modifying packets in transit
  
[Diagram: LTE roaming architecture (HPLMN and VPLMN) as on the earlier slide, with the GTPv2 and GTP-U / UDP / IP / Lower Layers stack marked]
  
• Attacks from a peering side – GTPv2 and GTP-U
  • GTP-in-GTP could be used as an attack – spoofing NEs, recursive GTP packet processing
  • Rogue data from “trusted” partners
• Remember – although GTP is “GPRS Tunnelling Protocol” there is no built-in encryption
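
A defender-side check for the GTP-in-GTP point above, as an added example that is not part of the original slides: a GTP-aware filter on a peering interface decapsulates one GTP-U layer, looks at the inner packet, and refuses anything whose payload is itself GTP, using a bounded loop so nesting cannot trigger recursive processing. The function names, the one-layer policy and the sample packets are assumptions made for illustration.

```python
import struct

GTPU_PORT = 2152   # GTPv1-U user plane (UDP)
GTPC_PORT = 2123   # GTPv2-C control plane (UDP)
G_PDU = 0xFF       # GTP-U message type carrying a tunnelled user packet
MAX_LAYERS = 8     # hard cap: crafted nesting must not drive unbounded work


def parse_gtpu(data: bytes):
    """Return (teid, msg_type, payload) of a GTPv1-U message or raise ValueError."""
    if len(data) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1 with PT=1")
    if length > len(data) - 8:
        raise ValueError("length field exceeds datagram")
    body = data[8:8 + length]
    if flags & 0x07:                      # E, S or PN set: 4 optional octets follow
        if len(body) < 4:
            raise ValueError("truncated optional fields")
        next_ext, body = body[3], body[4:]
        while flags & 0x04 and next_ext:  # walk the extension header chain
            if not body or body[0] == 0 or len(body) < body[0] * 4:
                raise ValueError("bad extension header")
            ext_len = body[0] * 4
            next_ext, body = body[ext_len - 1], body[ext_len:]
    return teid, msg_type, body


def inner_udp(ip: bytes):
    """Return (dst_port, udp_payload) if the inner packet is UDP over IP, else None."""
    if len(ip) < 20:
        return None
    version = ip[0] >> 4
    if version == 4:
        hdr_len, proto = (ip[0] & 0x0F) * 4, ip[9]
    elif version == 6:
        hdr_len, proto = 40, ip[6]        # IPv6 extension headers are not followed
    else:
        return None
    if proto != 17 or hdr_len < 20 or len(ip) < hdr_len + 8:
        return None
    dst_port = struct.unpack("!H", ip[hdr_len + 2:hdr_len + 4])[0]
    return dst_port, ip[hdr_len + 8:]


def gtp_layers(udp_payload: bytes) -> int:
    """Count GTP layers iteratively: 1 is a normal tunnel, 2 or more is GTP-in-GTP."""
    layers, data = 0, udp_payload
    while layers < MAX_LAYERS:
        try:
            _teid, msg_type, body = parse_gtpu(data)
        except ValueError:
            break
        layers += 1
        inner = inner_udp(body) if msg_type == G_PDU else None
        if inner is None:
            break
        dst_port, data = inner
        if dst_port == GTPC_PORT and data[:1] and data[0] >> 5 == 2:
            layers += 1                   # GTPv2-C signalling inside a user tunnel
            break
        if dst_port != GTPU_PORT:
            break
    return layers


def verdict(udp_payload: bytes) -> str:
    """Assumed policy for a GTP-aware filter: at most one GTP layer is forwarded."""
    layers = gtp_layers(udp_payload)
    if layers == 0:
        return "drop: not valid GTP-U"
    return "forward" if layers == 1 else f"drop: GTP-in-GTP ({layers} layers)"


def gtpu(teid: int, payload: bytes) -> bytes:
    """Build a minimal G-PDU (no optional fields) for the constructed samples."""
    return struct.pack("!BBHI", 0x30, G_PDU, len(payload), teid) + payload


def ipv4_udp(dst_port: int, payload: bytes) -> bytes:
    """Build an IPv4/UDP packet between documentation addresses (checksums left 0)."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp


# Constructed samples, not captured traffic: a subscriber DNS query in one tunnel,
# and the same query wrapped in a second GTP-U layer addressed to port 2152.
NORMAL = gtpu(0x1001, ipv4_udp(53, b"dns-query"))
NESTED = gtpu(0x1001, ipv4_udp(GTPU_PORT, gtpu(0x2002, ipv4_udp(53, b"dns-query"))))

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("nested", NESTED)):
        print(name, "->", verdict(pkt))
```

Because GTP has no built-in encryption, the inner headers are readable at the filter; once the peering link is wrapped in IPsec the same check has to run where the tunnel terminates.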
  
[Diagram: LTE roaming architecture (HPLMN and VPLMN) as on the earlier slide, with the IP / Lower Layers stacks marked]
  
• Attacks from the Internet – SGi
  • DDoS attacks
  • Botnets
  • Exploit core network elements and turn them into attack vectors
  • Viruses, worms, Trojans, Overbilling
  • Etc… etc… etc
  
• SMS Trojans –
  • Polymorphic, mutating with every download
  • Known as server-side polymorphism
  • Existed in the world of desktops
  • More can be found here - http://www.techworld.com.au/article/414311/symantec_warns_android_trojans_mutate_every_download
• Attacks evolved from SMS-type to application layer, covering ALL handheld devices – iPhones/iPads, Androids, RIM, Notebooks, etc, etc, etc…
• Spam messages
• Exploit of unregistered pre-paid SIM cards
• Exploit of signaling fraud
  
• UE
• Network Infrastructure
• RANs
• Against known and unknown attacks
  
[Diagram: LTE roaming architecture (HPLMN and VPLMN) as on the earlier slide, with LTE-FW (firewall) elements marked at multiple points on the interfaces]
  
• While convergence sounds great, should I converge all my networks – wireline, wireless, voice, data, others (?)
• How do I protect my cloud?
• Where is my “walled garden”?
• IP transport + UE apps bring security concerns
• Protocol vulnerabilities at signaling/control planes
• Open protocols/applications
• Lack of app standards
• What are the possible vulnerabilities?
• Is it good enough to just do NAT/CGNAT?
• Are the threats really there?
  
• Exponential spread of UEs
• Is this a déjà vu of wired line 10-15 years ago?
• How do I detect an infected UE?
• What do I do with the infected UE?
• Should I do policy enforcement with an infected UE?
• Can I be held liable for delivering customer traffic securely?
• Cost vs. risk
• Complexity vs. ease of management
• IPv6
  • Transition to
  • Could IP within IP pose more threat?
  
• Protect
  • My phone from viruses, Trojan attacks, worms, etc.
  • Integrity of my data
  • My privacy
• Ensure
  • Secure access
  • Secure services
  • Proper billing
  • Optimal use of my phone, including its battery life
  • Privacy
  
• Takes a long time
• From standards security perspective
  • Missing holistic view - it is rather piecemeal
  • Optional encryption of EVERYTHING
• Is it enough?
  
• Be careful with new Apps
• Anything free could bite you back – free WiFi, free app, free …
• Check for availability of security solutions for your UEs
  
• Be proactive in designing your protection
• Include protection of the protectors – firewalls
• Deploy FWs
• Deploy IPSec VPNs
  • Be careful with what is encrypted
  • Ensure you trust the termination elements of IPSec
  • Can you afford to trust them?
  
• Understand the “normal” traffic flows
• Throttle at perimeter, as close to source as feasible
  • Pros – more accurate and controlled
  • Cons – could be scaling difficulty
  • Reduces the impact of unknown
  • Evens the traffic flows
• Deploy elements of firewall features for DDoS, etc. attacks
[Diagram: Apply FW protection; Define Baseline; Throttle Traffic Close to Source]
  
• You?
• Smart phone manufacturer?
• Service provider?
• Anybody else?
And
• Is Mobile protection just that – “mobile” or is it “YOUR Identity”
  
LTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GP

Contenu connexe

Tendances

DASH7 Alliance University Working Group Magazine - May 2012
DASH7 Alliance University Working Group Magazine - May 2012DASH7 Alliance University Working Group Magazine - May 2012
DASH7 Alliance University Working Group Magazine - May 2012Haystack Technologies
 
Car net testresults_may2015_presentation_final
Car net testresults_may2015_presentation_finalCar net testresults_may2015_presentation_final
Car net testresults_may2015_presentation_finalwrpru
 
LoRaWAN101_What is it
LoRaWAN101_What is itLoRaWAN101_What is it
LoRaWAN101_What is itBirdz
 
ARUBA 2014 : 802.11ac Wi-Fi fundamentals v2
ARUBA 2014 : 802.11ac Wi-Fi fundamentals v2ARUBA 2014 : 802.11ac Wi-Fi fundamentals v2
ARUBA 2014 : 802.11ac Wi-Fi fundamentals v2Marcello Marchesini
 
AntTail white paper: Technology scan IoT Datacommunications: LoRa, NB-IoT, GPRS
AntTail white paper: Technology scan IoT Datacommunications: LoRa, NB-IoT, GPRSAntTail white paper: Technology scan IoT Datacommunications: LoRa, NB-IoT, GPRS
AntTail white paper: Technology scan IoT Datacommunications: LoRa, NB-IoT, GPRSMark Roemers
 
Lorawan: What you need to know
Lorawan: What you need to knowLorawan: What you need to know
Lorawan: What you need to knowPaul Coomans
 

Tendances (20)

DASH7 Alliance University Working Group Magazine - May 2012
DASH7 Alliance University Working Group Magazine - May 2012DASH7 Alliance University Working Group Magazine - May 2012
DASH7 Alliance University Working Group Magazine - May 2012
 
Haystack Technology Overview
Haystack Technology OverviewHaystack Technology Overview
Haystack Technology Overview
 
The IoT Hunger Games 2015
The IoT Hunger Games 2015The IoT Hunger Games 2015
The IoT Hunger Games 2015
 
2012 ah vegas rf fundamentals
2012 ah vegas   rf fundamentals2012 ah vegas   rf fundamentals
2012 ah vegas rf fundamentals
 
Gigabit wi fi 802.11ac in depth onno harms
Gigabit wi fi 802.11ac in depth onno harmsGigabit wi fi 802.11ac in depth onno harms
Gigabit wi fi 802.11ac in depth onno harms
 
Very High Density (vhd) 802.11ac Wireless Network Design and Deployment Basics
Very High Density (vhd) 802.11ac Wireless Network Design and Deployment BasicsVery High Density (vhd) 802.11ac Wireless Network Design and Deployment Basics
Very High Density (vhd) 802.11ac Wireless Network Design and Deployment Basics
 
Car net testresults_may2015_presentation_final
Car net testresults_may2015_presentation_finalCar net testresults_may2015_presentation_final
Car net testresults_may2015_presentation_final
 
Gigabit wifi 802.11 ac in depth_peter thornycroft
Gigabit wifi 802.11 ac in depth_peter thornycroftGigabit wifi 802.11 ac in depth_peter thornycroft
Gigabit wifi 802.11 ac in depth_peter thornycroft
 
LoRaWAN101_What is it
LoRaWAN101_What is itLoRaWAN101_What is it
LoRaWAN101_What is it
 
80211ac faq 121311
80211ac faq 12131180211ac faq 121311
80211ac faq 121311
 
Outdoor MIMO Wireless Networks
Outdoor MIMO Wireless NetworksOutdoor MIMO Wireless Networks
Outdoor MIMO Wireless Networks
 
ARUBA 2014 : 802.11ac Wi-Fi fundamentals v2
ARUBA 2014 : 802.11ac Wi-Fi fundamentals v2ARUBA 2014 : 802.11ac Wi-Fi fundamentals v2
ARUBA 2014 : 802.11ac Wi-Fi fundamentals v2
 
VRD-Indoor80211n 2012 05-31
VRD-Indoor80211n 2012 05-31VRD-Indoor80211n 2012 05-31
VRD-Indoor80211n 2012 05-31
 
Best Practices on Migrating to 802.11ac Wi-Fi
Best Practices on Migrating to 802.11ac Wi-FiBest Practices on Migrating to 802.11ac Wi-Fi
Best Practices on Migrating to 802.11ac Wi-Fi
 
AntTail white paper: Technology scan IoT Datacommunications: LoRa, NB-IoT, GPRS
AntTail white paper: Technology scan IoT Datacommunications: LoRa, NB-IoT, GPRSAntTail white paper: Technology scan IoT Datacommunications: LoRa, NB-IoT, GPRS
AntTail white paper: Technology scan IoT Datacommunications: LoRa, NB-IoT, GPRS
 
Wi-fi and Radio Fundamentals, and 802.11ac Technology Deep Dive
Wi-fi and Radio Fundamentals, and 802.11ac Technology Deep DiveWi-fi and Radio Fundamentals, and 802.11ac Technology Deep Dive
Wi-fi and Radio Fundamentals, and 802.11ac Technology Deep Dive
 
802.11ac Migration - Airheads Local
802.11ac Migration - Airheads Local802.11ac Migration - Airheads Local
802.11ac Migration - Airheads Local
 
Lorawan: What you need to know
Lorawan: What you need to knowLorawan: What you need to know
Lorawan: What you need to know
 
Outdoor Point-to-Point Deployments
Outdoor Point-to-Point DeploymentsOutdoor Point-to-Point Deployments
Outdoor Point-to-Point Deployments
 
Introducing the new HayTag 2.0
Introducing the new HayTag 2.0Introducing the new HayTag 2.0
Introducing the new HayTag 2.0
 

Similaire à LTEcloudSecurityIssuesTakeaways-GP

Layer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport SystemsLayer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport SystemsADVA
 
Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environmentChristian Martorella
 
Service Chaining - Cloud Network Services at Scale
Service Chaining - Cloud Network Services at ScaleService Chaining - Cloud Network Services at Scale
Service Chaining - Cloud Network Services at ScaleMarketingArrowECS_CZ
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksJim Geovedi
 
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015Bruno Teixeira
 
Services and applications’ infrastructure for agile optical networks
Services and applications’ infrastructure for agile optical networksServices and applications’ infrastructure for agile optical networks
Services and applications’ infrastructure for agile optical networksTal Lavian Ph.D.
 
Overview of Wireless Sensor Networks
Overview of Wireless Sensor NetworksOverview of Wireless Sensor Networks
Overview of Wireless Sensor NetworksDuncan Purves
 
CSG Huawei.pdf
CSG Huawei.pdfCSG Huawei.pdf
CSG Huawei.pdfchien29091
 
04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamura
04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamura04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamura
04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamuraIndonesia Network Operators Group
 
6TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 20146TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 2014Pascal Thubert
 
Spectrum management best practices in a Gigabit wireless world
Spectrum management best practices in a Gigabit wireless worldSpectrum management best practices in a Gigabit wireless world
Spectrum management best practices in a Gigabit wireless worldCisco Canada
 
Low-Power Wide Area - Overview
Low-Power Wide Area - OverviewLow-Power Wide Area - Overview
Low-Power Wide Area - OverviewM2M Alliance e.V.
 
14.) wireless (hyper dense wi fi)
14.) wireless (hyper dense wi fi)14.) wireless (hyper dense wi fi)
14.) wireless (hyper dense wi fi)Jeff Green
 
Introducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment RoutingIntroducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment RoutingCisco Service Provider
 

Similaire à LTEcloudSecurityIssuesTakeaways-GP (20)

CTIA 2010 Corporate Overview
CTIA 2010 Corporate OverviewCTIA 2010 Corporate Overview
CTIA 2010 Corporate Overview
 
MWC 2010 LTE
MWC 2010 LTEMWC 2010 LTE
MWC 2010 LTE
 
Layer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport SystemsLayer 1 Encryption in WDM Transport Systems
Layer 1 Encryption in WDM Transport Systems
 
Project
ProjectProject
Project
 
Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environment
 
CCNA 1
CCNA 1CCNA 1
CCNA 1
 
Service Chaining - Cloud Network Services at Scale
Service Chaining - Cloud Network Services at ScaleService Chaining - Cloud Network Services at Scale
Service Chaining - Cloud Network Services at Scale
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
 
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
Software Defined Network (SDN) using ASR9000 :: BRKSPG-2722 | San Diego 2015
 
Services and applications’ infrastructure for agile optical networks
Services and applications’ infrastructure for agile optical networksServices and applications’ infrastructure for agile optical networks
Services and applications’ infrastructure for agile optical networks
 
Ofc2014 ddm 100-g
Ofc2014 ddm 100-gOfc2014 ddm 100-g
Ofc2014 ddm 100-g
 
Overview of Wireless Sensor Networks
Overview of Wireless Sensor NetworksOverview of Wireless Sensor Networks
Overview of Wireless Sensor Networks
 
CSG Huawei.pdf
CSG Huawei.pdfCSG Huawei.pdf
CSG Huawei.pdf
 
04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamura
04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamura04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamura
04 (IDNOG01) Handling massive numbers subscribers and attacks by Takeki kumamura
 
6TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 20146TiSCH + RPL @ Telecom Bretagne 2014
6TiSCH + RPL @ Telecom Bretagne 2014
 
Spectrum management best practices in a Gigabit wireless world
Spectrum management best practices in a Gigabit wireless worldSpectrum management best practices in a Gigabit wireless world
Spectrum management best practices in a Gigabit wireless world
 
LTE Workshop
LTE WorkshopLTE Workshop
LTE Workshop
 
Low-Power Wide Area - Overview
Low-Power Wide Area - OverviewLow-Power Wide Area - Overview
Low-Power Wide Area - Overview
 
14.) wireless (hyper dense wi fi)
14.) wireless (hyper dense wi fi)14.) wireless (hyper dense wi fi)
14.) wireless (hyper dense wi fi)
 
Introducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment RoutingIntroducing Application Engineered Routing Powered by Segment Routing
Introducing Application Engineered Routing Powered by Segment Routing
 

LTEcloudSecurityIssuesTakeaways-GP

  • 1. Presented  @  CanSecWest,  2012,  Vancouver   &   ISSA  International  Conference  2012,  Anaheim,  CA   Galina  Pildush,  PhD    
  • 2. !  Is:   !  LTE  introduction   !  LTE  perspectives  and  vulnerabilities   !  Is  not:   !  Everything  else  
  • 3. !  LTE  =  Long-­‐Term  Evolution  of  Evolved  Universal   Terrestrial  Radio  Access  Network   !  Greater  flexibility  of  spectrum  usage   !  Reduced  latency   !  Interworking  with  other  systems,  for  example   CDMA2000   !  LTE-­‐Advanced   !  Worldwide  functionality  and  roaming   !  Service  compatibility   !  Enhanced  peak  data  rates  (100  Mbps  –  1  Gpbs)  
  • 4. UTRAN   RNC  NodeB   GERAN   BSC  BTS   SGSN   HSS   (HLR,  AuC)   MSC   VLR   GGSN   PCRF   GMSC   CS-­‐MGW   CS-­‐MGW   Gi  Gn   Gx   IuPS   Gr  Gs   Gc   C   D   IuCS   Nc   Mc   Nb  IuCS   IuPS   IuCS   IuCS   Gb   Interfaces  supporting  user  traffic   Interfaces  supporting  signalling   This  is  where  it  was  a  few  years  ago  …   AN   CN   Note:     -­‐ This  is  a  display  of  a  basic   GPRS  architecture  blocks  and   interfaces     -­‐ Not  all  network  elements  and   interfaces  shown   A   PSTN   Internet  
  • 5. UTRAN   RNC  NodeB   GERAN   BSC  BTS   SGSN   HSS   (HLR,  AuC)   MSC   VLR   GGSN   PCRF   GMSC   CS-­‐MGW   CS-­‐MGW   Gi  Gn   Gx   IuPS   Gr  Gs   Gc   C   D   IuCS   Nc   Mc   Nb  IuCS   A   IuPS   IuCS   IuCS   Gb   This  is  where  it  is  today  …  and  still  evolving  …   AN   CN   MME   S-­‐GW   PDN-­‐GW   E-­‐UTRAN          eNodeB   S1-­‐U   S12   S5   S4   SGi  S1-­‐MME   S11   S3   S8   S6a   Gxc   Gx   S4   Gxc   S3   PSTN   Internet   Internet   Note:     -­‐ This  is  a  display  of  a  basic   GPRS  and  EPS  architecture   blocks  and  interfaces     -­‐ Not  all  network  elements  and   interfaces  shown  
  • 6. [Diagram: three user-plane protocol reference models.
      - GERAN User Plane: UE – Um – BS – Gb – SGSN – S4 – Serving GW – S5/S8 – PDN GW – SGi
      - UTRAN User Plane: UE – Uu – UTRAN – Iu – Serving GW – S5/S8 – PDN GW – SGi
      - E-UTRAN User Plane: UE – LTE-Uu – eNodeB – S1-U – Serving GW – S5/S8 – PDN GW – SGi
    Stack labels: Appl-n, IP, SNDCP, LLC, PDCP, RLC, MAC, GSM RF, BSSGP, Network Service, L1bis, GTP-U, UDP/IP, Relay, Layer 2, Layer 1.]
  • 7. [Diagram: Control Plane and User Plane. Source: www.3gpp.org]
  • 8. [Diagram: LTE roaming architecture with HPLMN and VPLMN. Elements: E-UTRAN (eNodeB), MME, S-GW, PDN-GW, L-GW, HSS (HLR, AuC), H-PCRF, V-PCRF, OCS, 3rd Party Application Function Domain, IPX Cloud, Internet. Interfaces: S1-MME, S1-U, S10, S11, S5, S8, S6a, S9, Gx, Gy, Rx, SGi. Protocol stacks labelled: S1-AP / SCTP / IP / Lower Layers; DIAMETER / SCTP / IP / Lower Layers; GTPv2 and GTP-U / UDP / IP / Lower Layers; IP / Lower Layers.]
  • 9. [Diagram: simplified connection establishment between MME, HSS (HLR, AuC), S-GW, PDN-GW, H-PCRF, OCS and the Internet.]
      1. Attach Request (initial attach, IMSI, PDP Connection Request)
      2. Update Location, granting the service
      3. Create Session Request
      4. Create Session Request
      5. Create Session Response
      6. Create Session Response
      7. Initial Context Setup Request (attach accept, activate default EPS Bearer Request)
      8. Initial Context Setup Response
      9. Attach Complete, Activate Default Bearer Accept
    Note: connection establishment shown in this diagram is simplified.
  • 10.
      - Traditionally PSTN is a “Walled Garden”
      - Protocols are not widely spread and/or known
      - Complex protocols
      - Closed architectures
      - Controlled access
      - Today LTE access uses IP as a transport
      - Convergence of voice and data
      - Convergence of wireline and wireless
      - Lower operations costs
      - Ahh… Life is good … or IS IT NOT?
  • 11.
      - Love sooo … many Apps - over 10.9 billion (expected to rise to 76.9 billion by 2014!) *
      - The more the merrier
      - Free is better than paid for
      - Voice, video, data – all in one!
      - Enjoy high speed
      - Want my SP to maintain the service I subscribe to
      - Ahh… Life is good… or IS IT NOT?
    *Source: IDC
  • 12.
      - Can connect with staff any time from anywhere
      - Should be able to increase productivity
      - Faster decision making
      - Instant access to teleworkers
      - Instant deal making
      - Etc., etc., etc. …
      - Ahh… Life is good … or IS IT NOT?
  • 13.
      - The more apps, the merrier –
      - It’s a Wild-Wild West (WWW) out there – grab as much as you can
      - No regulations, validations, or restrictions
      - I can masquerade as anyone or anything
      - Phish around, tricking you into entering sensitive information
      - Financial theft
      - Privacy theft
      - Challenge is invigorating
      - This is a wonderland – millions of walking servers with eyes and ears without firewalls
      - Ahh… Life IS good!
  • 14.
      - LTE is IP end-to-end
      - The protocols are open
      - The infrastructures are getting more complex
      - This could introduce new vulnerabilities
      - Complexity does not mean more secure
      - What does it all mean to a security person?
  • 15. The threats are possible on:
      - Network Infrastructure elements – RAN, Core
      - Bandwidth consumption
      - Servers
      - UEs
  • 16.
      - On network elements – paralyzing the network
          - Flood attacks
          - Worm infections and Trojan attacks
          - Spam and virus attacks
          - Man in the middle attacks
      - On UEs
          - Phishing
          - Botnet
          - Viruses
          - Worms
          - Trojan attacks
      - Trusted but infected UEs could become sources of attacks
  • 17.
      - Paralyzed:
      - Network elements and/or entire network infrastructures
      - Fixed servers
      - Mobile servers – UEs
      - Misbehaved servers
      - Mis-billing and/or overbilling
      - Battery drainage on UEs
      - Personal data compromised
      - Financial theft
      - Misconduct
      - Unhappy customers
      - Loss of privacy
      - Loss of customers
      - Bad industry reputation
      - Loss of revenue and business
  • 19.
      - UEs
      - The out-of-control spread of unprotected servers – smart phones EVERYWHERE
      - Operators' core
      - Facing Internet
      - Peering points
      - RAN-Core connection
      - Operators' RAN
  • 20. [Diagram: the HPLMN/VPLMN roaming architecture of slide 8, with the S1-AP / SCTP / IP / Lower Layers and DIAMETER / SCTP / IP / Lower Layers protocol stacks labelled.]
  • 21.
      - SCTP Association hijacking:
      - Address camping or stealing
      - If attacker can take over an IP address they can restart the association
      - Man-in-the-middle
      - Bombing attacks:
      - Get a server to amplify packets to an innocent victim
      - Allows an attacker to use an arbitrary SCTP endpoint to send multiple packets to a victim in response to one packet
      - Allows an attacker to use an SCTP server to send a larger packet to a victim than it sent to the SCTP server
      - Association redirection – http://tools.ietf.org/html/rfc5062
  • 22. [Diagram: the HPLMN/VPLMN roaming architecture of slide 8, with the DIAMETER / SCTP / IP / Lower Layers protocol stacks labelled.]
  • 23.
      - Diameter attacks
      - Negotiation attack – could cause Diameter server to choose a less secure authentication method (CHAP, PAP, for example)
      - Connection hijacking – attacker attempts to inject packets
      - Replay
      - Snooping packets
      - Packet modifications
      - Impersonation – rogue NEs with forged IP addresses
      - Man-in-the-middle attack – attackers gain control of a Diameter agent, modifying packets in transit
  • 24. [Diagram: the HPLMN/VPLMN roaming architecture of slide 8, with the GTPv2 and GTP-U / UDP / IP / Lower Layers protocol stack labelled.]
  • 25.
      - Attacks from a peering side – GTPv2 and GTP-U
      - GTP-in-GTP could be used as an attack – spoofing NEs, recursive GTP packet processing
      - Rogue data from “trusted” partners
      - Remember – although GTP is “GPRS Tunnelling Protocol” there is no built-in encryption
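The GTP-in-GTP case from slide 25 as a perimeter check, added here as an illustration and not part of the original deck: the code parses a GTPv1-U G-PDU and flags a user packet that is itself addressed to a GTP port. All function names and the sample packets are constructed for this example.

```python
import struct
GTP_PORTS = (2152, 2123)   # registered UDP ports: GTP-U, GTP-C
G_PDU = 0xFF               # GTPv1-U message type that carries a user packet

def gtpu_payload(msg: bytes) -> bytes:
    """Return the inner user packet (T-PDU) of a GTPv1-U G-PDU, or raise ValueError."""
    if len(msg) < 8:
        raise ValueError("truncated GTP-U header")
    flags, mtype, length, _teid = struct.unpack("!BBHI", msg[:8])
    if flags >> 5 != 1 or not flags & 0x10 or mtype != G_PDU or length != len(msg) - 8:
        raise ValueError("not a well-formed GTPv1 G-PDU")
    off = 8
    if flags & 0x07:                  # E, S or PN set: 4 optional octets follow
        if len(msg) < 12:
            raise ValueError("truncated optional fields")
        off, nxt = 12, (msg[11] if flags & 0x04 else 0)
        while nxt:                    # walk the extension-header chain
            if off >= len(msg) or msg[off] == 0 or off + msg[off] * 4 > len(msg):
                raise ValueError("malformed extension header")
            off += msg[off] * 4
            nxt = msg[off - 1]
    return msg[off:]

def inner_udp_dport(pkt: bytes):
    """UDP destination port of an inner IPv4/IPv6 packet, else None."""
    if len(pkt) >= 20 and pkt[0] >> 4 == 4 and pkt[9] == 17:
        l4 = (pkt[0] & 0x0F) * 4
        # Bad header length or a non-first fragment: no UDP header to read.
        if l4 < 20 or int.from_bytes(pkt[6:8], "big") & 0x1FFF:
            return None
    elif len(pkt) >= 40 and pkt[0] >> 4 == 6 and pkt[6] == 17:
        l4 = 40                       # IPv6 extension headers are not followed
    else:
        return None
    if len(pkt) < l4 + 8:
        return None
    return struct.unpack("!H", pkt[l4 + 2:l4 + 4])[0]

def is_gtp_in_gtp(msg: bytes) -> bool:
    """True when the user packet inside a G-PDU is itself addressed to a GTP port."""
    return inner_udp_dport(gtpu_payload(msg)) in GTP_PORTS

# Constructed sample packets (not captured traffic); checksums are left at zero.
def sample_ipv4_udp(dport: int, data: bytes = b"") -> bytes:
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + udp

def sample_gpdu(tpdu: bytes, teid: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", 0x30, G_PDU, len(tpdu), teid) + tpdu
```

`is_gtp_in_gtp(sample_gpdu(sample_ipv4_udp(2152, sample_gpdu(sample_ipv4_udp(53)))))` returns `True`, while the same tunnel carrying a packet to UDP port 53 returns `False`; a filter on the peering side would drop the first and log the sending peer.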
  • 26. [Diagram: the HPLMN/VPLMN roaming architecture of slide 8, with the IP / Lower Layers protocol stacks labelled.]
  • 27.
      - Attacks from the Internet – SGi
      - DDoS attacks
      - Botnets
      - Exploit core network elements and turn them into attack vectors
      - Viruses, worms, Trojans, Overbilling
      - Etc… etc… etc
  • 28.
      - SMS Trojans –
      - Polymorphic, mutating with every download
      - Known as server-side polymorphism
      - Existed in the world of desktops
      - More can be found here - http://www.techworld.com.au/article/414311/symantec_warns_android_trojans_mutate_every_download
      - Attacks evolved from SMS-type to application layer, covering ALL handheld devices – iPhones/iPads, Androids, RIM, Notebooks, etc, etc, etc…
      - Spam messages
      - Exploit of unregistered pre-paid SIM cards
      - Exploit of signaling fraud
  • 29.
      - UE
      - Network Infrastructure
      - RANs
      - Against known and unknown attacks
  • 30. [Diagram: the HPLMN/VPLMN roaming architecture of slide 8, with LTE-FW elements added (labelled nine times across the diagram).]
  • 32.
      - While convergence sounds great, should I converge all my networks – wireline, wireless, voice, data, others (?)
      - How do I protect my cloud?
      - Where is my “walled garden”?
      - IP transport + UE apps bring security concerns
      - Protocol vulnerabilities at signaling/control planes
      - Open protocols/applications
      - Lack of app standards
      - What are the possible vulnerabilities?
      - Is it good enough to just do NAT/CGNAT?
      - Are the threats really there?
  • 33.
      - Exponential spread of UEs
      - Is this a déjà vu of wired line 10-15 years ago?
      - How do I detect an infected UE?
      - What do I do with the infected UE?
      - Should I do policy enforcement with an infected UE?
      - Can I be held liable for delivering customer traffic securely?
      - Cost vs. risk
      - Complexity vs. ease of management
      - IPv6
      - Transition to
      - Could IP within IP pose more threat?
  • 34.
      - Protect
      - My phone from viruses, Trojan attacks, worms, etc.
      - Integrity of my data
      - My privacy
      - Ensure
      - Secure access
      - Secure services
      - Proper billing
      - Optimal use of my phone, including its battery life
      - Privacy
  • 35.
      - Takes a long time
      - From standards security perspective
      - Missing holistic view - it is rather piecemeal
      - Optional encryption of EVERYTHING
      - Is it enough?
  • 36.
      - Be careful with new Apps
      - Anything free could bite you back – free WiFi, free app, free …
      - Check for availability of security solutions for your UEs
      - Be proactive in designing your protection
      - Include protection of the protectors – firewalls
      - Deploy FWs
      - Deploy IPSec VPNs
      - Be careful with what is encrypted
      - Ensure you trust the termination elements of IPSec
      - Can you afford to trust them?
  • 37.
      - Understand the “normal” traffic flows
      - Throttle at perimeter, as close to source as feasible
      - Pros – more accurate and controlled
      - Cons – could be difficult to scale
      - Reduces the impact of the unknown
      - Evens the traffic flows
      - Deploy elements of firewall features for DDoS and other attacks
    [Diagram labels: Define Baseline; Throttle Traffic Close to Source; Apply FW protection]
  • 38.
      - You?
      - Smart phone manufacturer?
      - Service provider?
      - Anybody else?
    And
      - Is Mobile protection just that – “mobile” or is it “YOUR Identity”