ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
SeGW Whitepaper from Radisys
SECURING NEXT GENERATION MOBILE NETWORKS
VERSION 1.0 | OCTOBER 2010

ABSTRACT: As IP based telecom networks are deployed, new security threats facing operators are inevitable. This paper reviews the new mobile access paradigms, examines the security challenges, and outlines the technical requirements for a new generation of security gateways.

CONTENTS
EXECUTIVE SUMMARY (2)
GROWING MOBILE DEMAND (2)
EXPANDING MOBILE NETWORK CAPACITY (2)
SECURING MOBILE NETWORK BACKHAUL (3)
NETWORK SECURITY TECHNOLOGY REQUIREMENTS (3)
LTE SECURITY GATEWAY SOLUTION (4)
CONCLUSION (4)
GLOSSARY (5)
REFERENCES (5)
2. RADISYS WHITEPAPER | SECURING NEXT GENERATION MOBILE NETWORKS
EXECUTIVE SUMMARY

Exploding data traffic on mobile networks is creating congestion and putting unprecedented pressure on network operators to meet nearly insatiable data demand. Most major worldwide mobile operators have announced plans to migrate their networks to Long Term Evolution (LTE), an all-IP network that will increase broadband capacity to support up to ten times higher data rates and enable an abundance of new mobile applications. In the near term, many operators are also considering alternative "wireless offload" solutions which route both voice and data traffic over the public Internet to relieve network congestion and improve coverage. In both situations, operators are exposed to inherent security threats and challenges familiar to enterprise IP networks. As cyber crime becomes more sophisticated and profitable, these attacks are occurring more frequently and with more severity and complexity. Mobile networks will have similar security requirements to enterprises, but on a much larger scale. This white paper will examine potential security challenges in both LTE infrastructure and wireless offload deployments, introduce the relevant 3GPP standards, and present solutions based on an LTE security gateway, or LTE SEG.

[Figure 1. Cisco Global Mobile Data Traffic Forecast (Source: Cisco, 2010)[2]: consumer Internet traffic in petabytes per month, 2010 to 2014, by category (Mobile Video, Mobile Web/Data 8%, Mobile P2P 5%, Mobile Gaming 4%, Mobile VoIP)]

GROWING MOBILE DEMAND

The increase in demand for mobile bandwidth is undeniable. Nokia Siemens Networks reported that in 2008, their customers saw an increase in High Speed Packet Access (HSPA) data traffic of 5.7 times the previous year, and eleven customers saw a ten-fold increase. "So we're seeing a significant amount of stress on the network," said Patrick Donegan, Senior Analyst, Heavy Reading.[1] According to Cisco, mobile data traffic will double every year through 2014, increasing approximately 40 times over the next five years (Figure 1). By 2014, seventeen percent of this data will be transmitted over the Internet, much of which will need to be secured. IP has become the de facto transport, not only for user traffic, but also for control within network infrastructure. Security threats resulting from untrusted network endpoints, shared facilities, and disgruntled employees are magnified in an all-IP environment.

EXPANDING MOBILE NETWORK CAPACITY

In recent years, the convergence of telecom and IP networking has driven new standards, technologies and platforms. Persistent growth of bandwidth hungry services and applications has driven the development of LTE, which supplies the bandwidth needed for these applications, while lowering operating costs and simplifying network management. LTE delivers four times more downlink bandwidth and eight times more uplink bandwidth than its predecessor, HSPA. It also provides better cell performance, lower latency and higher Quality of Service (QoS), while supporting more users at a lower cost per byte. LTE will take many years to roll out and become pervasive, however, and existing cellular networks are already becoming tapped out.

With smartphones and other wireless devices becoming increasingly popular, some operators are looking for near term wireless offload and coverage solutions. A new study from ABI Research reports that about sixteen percent of data traffic is diverted from mobile networks today and is expected to increase to forty-eight percent by 2015.[3] Cisco estimates that by 2014, twenty-three percent of U.S. smartphone traffic could be offloaded through the public Internet, using wireless LANs and femtocells. Even higher percentages are forecasted for Western Europe and Russia. Wireless offload relieves pressure on 3G access networks, but introduces the need for security gateways.
WWW.RADISYS.COM | 2
SECURING MOBILE NETWORK BACKHAUL

Both LTE access and 3G wireless offload present new security challenges not encountered in traditional mobile network backhaul, the infrastructure for connecting cell sites to the core network. Historically, backhaul employed dedicated T1 and unshared facilities between macro cell sites and the core network base stations. LTE phases out TDM connected cell sites in favor of Ethernet and IP connections, and for both cost and bandwidth reasons, LTE backhaul may leverage commercial broadband links. LTE networks have more small and distributed cell sites, which are difficult and costly to physically protect against criminal activity. Operators are also increasingly sharing cell sites to get around government limitations and use the best locations. The LTE architecture pushes more mobility function out to the cell sites, enabling hackers to disrupt subscribers and penetrate new data applications. And the flat LTE topology provides a direct route from cell sites to the network core, creating the possibility for Denial-of-Service (DoS) attacks and interception of user communications. All these factors drive new security requirements in LTE.

[Figure 2. Wireless Offload. Elements shown: 3G/4G Handset; UMA-Enabled Dual Mode Handset; Wireless Femtocell Data Offload; WiFi Access Point; Public Internet (Untrusted); SEG; 3G Core Network (Trusted); interfaces Iub (Standard), Wu and Up]

The security exposures in wireless offload applications are more obvious. WiFi access points and femtocells are connected over the public Internet and expose the core network to the full range of Internet attacks, including address spoofing, identity theft, man-in-the-middle, and DoS. In addition to securing the wireless segment of a connection with appropriate wireless security like WPA, mobile devices require end-to-end security to the core network, and network gateways must be appropriately firewalled to protect the core network. The security topology for LTE Access and Wireless Offload networks is shown in Figure 3.

[Figure 3. Securing LTE Access and Wireless Offload Networks (Firewall and Tunneling Technology). Elements shown: 4G LTE eNodeB over S1, through the Backhaul Network and an SEG, to the LTE Serving Gateway (SGW); 3G WiFi Access Point over 3G or the Public Internet (Wu), through an SEG, to the I-WLAN Terminating Gateway (TTG); 2G/3G Femtocell (Voice/Data) over Up, through an SEG, to the Femtocell Gateway; all reaching the Packet Network]

NETWORK SECURITY TECHNOLOGY REQUIREMENTS

A security gateway is required to secure the connections between network elements over an "untrusted" communications link. The link may be untrusted because the elements are owned by different operators and therefore reside in different security domains (Za interface), or because the elements are owned by the same operator in the same security domain but are connected in a way that may lead to security breaches because the interfaces are not protected (e.g. no use of Zb between internal elements). The elements may be part of the LTE backhaul network, like cell sites (eNodeBs), or part of the enhanced packet core, like Serving and Packet Gateways (S-GWY, P-GWY).

[Figure 4. Securing LTE Networks. Security Domain A (NE A-1, NE A-2, SEG A) and Security Domain B (NE B-1, NE B-2, SEG B); Zb interfaces between each NE and its SEG, the Za interface between SEG A and SEG B; legend: IKE "Connection", ESP Security Association]

The requirements for providing a secure connection between LTE network elements are specified in the 3GPP Network Domain Security (NDS) standard. The primary requirement is to use Internet Protocol Security (IPsec), as shown in Figure 4. With IPsec, data is passed between the network elements in secure "tunnels" using a protocol called Encapsulating Security Payload (ESP) which includes subscriber authentication, content integrity and data encryption. These tunnels are set up using a protocol called Internet Key Exchange (IKE), which enables the elements to identify each other in a trusted manner called a Security Association (SA).
The requirements for providing a secure connection between a mobile device or femtocell in a wireless offload application share similarities to the NDS scenario. An IPsec tunnel is established between the mobile device or femtocell using IKE; bidirectional security associations are established; and encrypted ESP data is transmitted (Figure 5).

[Figure 5. Securing Wireless Offload Applications. Elements shown: 3G Data Offload over the Internet (Wu or Up) to the SEG; the SEG connects to AAA (Wm), HSS/HLR, SGSN (Serving GPRS Support Node) and GGSN (Gateway GPRS Support Node) over Gn]

LTE SECURITY GATEWAY SOLUTION

An LTE Security Gateway, or LTE SEG, must meet the technology requirements for both LTE and its wireless offload application predecessors. It should provide very high performance IPsec tunneling and stateful firewall protection and be cost effective for a telecom equipment manufacturer to deploy in an operator network.

An LTE SEG should adhere to the 3GPP P-G standards and provide high performance IPsec capability, with carrier-grade reliability and scalability for telecom networks. This requires supporting key IETF RFCs for ESP, IKE and Certificate Management Protocol (CMP) as required by 3GPP LTE specifications 33.210 and 33.310. Ideally, an LTE SEG will process at least multi-Gbps of encrypted IPsec traffic and scale to much higher IPsec throughput to support massive amounts of IP data from many LTE cell sites. Additionally, in wireless offload applications, a security gateway should secure large numbers of WiFi connected mobile devices and femtocells and support various authentication schemes appropriate for each device, e.g. reuse of the SIM card in mobile devices, support for both femtocell smart-card and certificate based schemes, and back-end RADIUS support. Wireless offload applications such as I-WLAN and Home NodeB femtocells also require associating the user's IPsec tunnel with the GTP connection to the packet core.

Another important LTE SEG feature is a stateful firewall, which can process several million concurrent IP flows, with pre-defined and custom filters, consistency checks and DoS prevention mechanisms. This requires 10G Ethernet ports and firewall services performed at line rate. In addition to network security, an LTE SEG should ideally feature static and dynamic Network Address Translation (NAT), Virtual Routing (VLAN), DHCP services and traffic management.

Because security technology is complex and engineers with relevant experience are scarce and expensive, most telecom equipment manufacturers would prefer to buy a complete LTE SEG solution which they can easily and cost effectively integrate into the LTE network elements in their portfolio. Like other telecom equipment, the LTE SEG should have a fault tolerant configuration option and meet carrier requirements for high availability and serviceability. Many equipment manufacturers have adopted the open, carrier grade Advanced Telecom Computing Architecture (ATCA) and would benefit from a blade solution that could be readily integrated in spare slots of existing network elements, as well as offered as a standalone solution.

CONCLUSION

The explosion of mobile data applications has begun, and worldwide mobile operators are planning to migrate their networks to LTE. The new LTE networks will increase broadband capacity to support higher data rates, simplify network management, and lower transport costs. Whether operators choose to move directly to LTE or enhance their current generation networks with wireless offload applications, they must address the security issues associated with an all-IP network. The financial risk and reputation impact associated with any security breach in the early stages of a network rollout are too big to ignore. The 3GPP standards, including NDS, specify ways to secure user data and protect network elements, but leave many implementation decisions up to the operators. Network security is a major hurdle for LTE equipment vendors because the scope of potential breaches is large, the technology is complex, and engineers with relevant security expertise are scarce and expensive. The best solution is a turnkey security gateway that is flexible and scalable and can be cost effectively integrated to make new network rollouts secure from the outset.
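The stateful firewall requirement set out in the LTE Security Gateway Solution section (millions of concurrent flows, pre-defined filters, consistency checks and DoS prevention) is easiest to see in a small flow-table model. The following is an added example, not code from the whitepaper or from Radisys: it tracks TCP handshake state per flow, drops packets that arrive with no matching flow (a consistency check), applies a pre-defined allow filter, and caps the number of half-open flows per source so that a flood of unanswered connection attempts cannot fill the table. All addresses, ports and limits are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Constructed TCP packet summary: the 5-tuple plus the flags that drive state."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" (SYN), "SA" (SYN/ACK), "A" (ACK), "F" (FIN), "R" (RST)


class StatefulFirewall:
    """Flow table with a pre-defined allow filter, a global flow cap and a
    per-source half-open limit that blunts SYN-flood style DoS attempts."""

    def __init__(self, allowed, max_flows=1_000_000, max_half_open_per_src=100):
        self.allowed = allowed                 # set of (dst_ip, dst_port) reachable from outside
        self.max_flows = max_flows
        self.max_half_open = max_half_open_per_src
        self.flows = {}                        # canonical key -> (state, client_ip)
        self.half_open = defaultdict(int)      # client_ip -> flows not yet ESTABLISHED
        self.stats = defaultdict(int)

    @staticmethod
    def _key(p):
        """Direction-insensitive key so a reply maps onto the same flow entry."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def _close(self, key):
        state, client = self.flows.pop(key)
        if state != "ESTABLISHED":
            self.half_open[client] -= 1

    def _open(self, p, key):
        """Admission checks for a brand-new flow; only a SYN may create state."""
        if p.flags != "S":
            self.stats["drop_no_state"] += 1          # consistency check
            return False
        if (p.dst, p.dport) not in self.allowed:
            self.stats["drop_policy"] += 1            # pre-defined filter
            return False
        if len(self.flows) >= self.max_flows:
            self.stats["drop_table_full"] += 1
            return False
        if self.half_open[p.src] >= self.max_half_open:
            self.stats["drop_half_open_limit"] += 1   # DoS prevention
            return False
        self.flows[key] = ("SYN_SENT", p.src)
        self.half_open[p.src] += 1
        return True

    def process(self, p):
        """Return True if the packet is forwarded, False if it is dropped."""
        key = self._key(p)
        if key not in self.flows:
            ok = self._open(p, key)
        else:
            state, client = self.flows[key]
            from_client = p.src == client
            ok = True
            if p.flags in ("F", "R"):
                self._close(key)
            elif state == "SYN_SENT" and p.flags == "SA" and not from_client:
                self.flows[key] = ("SYN_RECV", client)
            elif state == "SYN_RECV" and p.flags == "A" and from_client:
                self.flows[key] = ("ESTABLISHED", client)
                self.half_open[client] -= 1
            elif state == "ESTABLISHED" and p.flags == "A":
                pass                                   # data in either direction
            elif state == "SYN_SENT" and p.flags == "S" and from_client:
                pass                                   # SYN retransmit
            else:
                self.stats["drop_invalid_transition"] += 1
                ok = False
        if ok:
            self.stats["accept"] += 1
        return ok


def run_sample():
    """Replay a constructed packet mix and return the firewall's counters."""
    fw = StatefulFirewall(allowed={("10.0.0.5", 443)}, max_half_open_per_src=100)
    core, good, stray, flood = "10.0.0.5", "192.0.2.10", "198.51.100.7", "203.0.113.9"
    stream = [
        Pkt(good, core, 40000, 443, "S"),       # legitimate handshake ...
        Pkt(core, good, 443, 40000, "SA"),
        Pkt(good, core, 40000, 443, "A"),
        Pkt(good, core, 40000, 443, "A"),       # ... then data and a clean close
        Pkt(good, core, 40000, 443, "F"),
        Pkt(stray, core, 41000, 443, "A"),      # bare ACK with no flow: out of state
        Pkt(good, core, 40001, 22, "S"),        # port not in the allow filter
    ]
    stream += [Pkt(flood, core, 50000 + i, 443, "S") for i in range(150)]  # never completed
    for p in stream:
        fw.process(p)
    return {"stats": dict(fw.stats), "open_flows": len(fw.flows),
            "half_open_from_flooder": fw.half_open[flood]}


if __name__ == "__main__":
    print(run_sample())
```

The per-source half-open cap is what keeps the flooding address from consuming more than 100 table entries regardless of how many SYNs it sends, while the legitimate client's flow completes, carries data and is removed on FIN. A production gateway would add timers to age out stale half-open entries and would size the table for the several million flows the paper calls for.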