SeGW Whitepaper from Radisys


LTE NDS Security using SeGW from Radisys

SECURING NEXT GENERATION MOBILE NETWORKS
VERSION 1.0 | OCTOBER 2010

ABSTRACT: As IP based telecom networks are deployed, new security threats facing operators are inevitable. This paper reviews the new mobile access paradigms, examines the security challenges, and outlines the technical requirements for a new generation of security gateways.

CONTENTS
EXECUTIVE SUMMARY ........................................ 2
GROWING MOBILE DEMAND .................................... 2
EXPANDING MOBILE NETWORK CAPACITY ........................ 2
SECURING MOBILE NETWORK BACKHAUL ......................... 3
NETWORK SECURITY TECHNOLOGY REQUIREMENTS ................. 3
LTE SECURITY GATEWAY SOLUTION ............................ 4
CONCLUSION ............................................... 4
GLOSSARY ................................................. 5
REFERENCES ............................................... 5
RADISYS WHITEPAPER | SECURING NEXT GENERATION MOBILE NETWORKS

EXECUTIVE SUMMARY

Exploding data traffic on mobile networks is creating congestion and putting unprecedented pressure on network operators to meet nearly insatiable data demand. Most major worldwide mobile operators have announced plans to migrate their networks to Long Term Evolution (LTE), an all-IP network that will increase broadband capacity to support up to ten times higher data rates and enable an abundance of new mobile applications. In the near term, many operators are also considering alternative "wireless offload" solutions which route both voice and data traffic over the public Internet to relieve network congestion and improve coverage. In both situations, operators are exposed to inherent security threats and challenges familiar to enterprise IP networks. As cyber crime becomes more sophisticated and profitable, these attacks are occurring more frequently and with more severity and complexity. Mobile networks will have similar security requirements to enterprises, but on a much larger scale. This white paper will examine potential security challenges in both LTE infrastructure and wireless offload deployments, introduce the relevant 3GPP standards, and present solutions based on an LTE security gateway, or LTE SEG.

[Figure 1. Cisco Global Mobile Data Traffic Forecast (Source: Cisco [2], 2010). Chart of consumer Internet traffic in petabytes per month (0 to 3,500,000) by year, 2010 to 2014, broken down into Mobile Video, Mobile Web/Data, Mobile P2P, Mobile Gaming and Mobile VoIP; the share labels in the chart are 66%, 17%, 8%, 5% and 4%.]

GROWING MOBILE DEMAND

The increase in demand for mobile bandwidth is undeniable. Nokia Siemens Networks reported that in 2008, their customers saw an increase in High Speed Packet Access (HSPA) data traffic of 5.7 times the previous year, and eleven customers saw a ten-fold increase. "So we're seeing a significant amount of stress on the network," said Patrick Donegan, Senior Analyst, Heavy Reading [1]. According to Cisco, mobile data traffic will double every year through 2014, increasing approximately 40 times over the next five years (Figure 1). By 2014, seventeen percent of this data will be transmitted over the Internet, much of which will need to be secured. IP has become the de facto transport, not only for user traffic, but also for control within network infrastructure. Security threats resulting from untrusted network endpoints, shared facilities, and disgruntled employees are magnified in an all-IP environment.

EXPANDING MOBILE NETWORK CAPACITY

In recent years, the convergence of telecom and IP networking has driven new standards, technologies and platforms. Persistent growth of bandwidth hungry services and applications has driven the development of LTE, which supplies the bandwidth needed for these applications, while lowering operating costs and simplifying network management. LTE delivers four times more downlink bandwidth and eight times more uplink bandwidth than its predecessor, HSPA. It also provides better cell performance, lower latency and higher Quality of Service (QoS), while supporting more users at a lower cost per byte. LTE will take many years to roll out and become pervasive, however, and existing cellular networks are already becoming tapped out.

With smartphones and other wireless devices becoming increasingly popular, some operators are looking for near term wireless offload and coverage solutions. A new study from ABI Research reports that about sixteen percent of data traffic is diverted from mobile networks today and is expected to increase to forty-eight percent by 2015 [3]. Cisco estimates that by 2014, twenty-three percent of U.S. smartphone traffic could be offloaded through the public Internet, using wireless LANs and femtocells. Even higher percentages are forecasted for Western Europe and Russia. Wireless offload relieves pressure on 3G access networks, but introduces the need for security gateways.

WWW.RADISYS.COM | 2
SECURING MOBILE NETWORK BACKHAUL

Both LTE access and 3G wireless offload present new security challenges not encountered in traditional mobile network backhaul, the infrastructure for connecting cell sites to the core network. Historically, backhaul employed dedicated T1 and unshared facilities between macro cell sites and the core network base stations. LTE phases out TDM connected cell sites in favor of Ethernet and IP connections, and for both cost and bandwidth reasons, LTE backhaul may leverage commercial broadband links. LTE networks have more small and distributed cell sites, which are difficult and costly to physically protect against criminal activity. Operators are also increasingly sharing cell sites to get around government limitations and use the best locations. The LTE architecture pushes more mobility function out to the cell sites, enabling hackers to disrupt subscribers and penetrate new data applications. And the flat LTE topology provides a direct route from cell sites to the network core, creating the possibility for Denial-of-Service (DoS) attacks and interception of user communications. All these factors drive new security requirements in LTE.

[Figure 2. Wireless Offload: a standard 3G/4G handset reaches the 3G core network over the trusted Iub interface, while a UMA-enabled dual mode handset, a femtocell and a WiFi access point reach an SEG over the untrusted public Internet; the offload interfaces shown are Up and Wu.]

The security exposures in wireless offload applications are more obvious. WiFi access points and femtocells are connected over the public Internet and expose the core network to the full range of Internet attacks, including address spoofing, identity theft, man-in-the-middle, and DoS. In addition to securing the wireless segment of a connection with appropriate wireless security like WPA, mobile devices require end-to-end security to the core network, and network gateways must be appropriately firewalled to protect the core network. The security topology for LTE Access and Wireless Offload networks is shown in Figure 3.

[Figure 3. Securing LTE Access and Wireless Offload Networks: a 4G LTE eNodeB connects over S1 to an SEG in front of the LTE Serving Gateway (SGW); a WiFi access point connects over Wu to an SEG in front of the I-WLAN Tunnel Terminating Gateway (TTG); a 2G/3G femtocell connects over Up to an SEG in front of the Femtocell Gateway. The backhaul network is 3G or the public Internet carrying voice/data; each SEG applies firewall and tunneling technology toward the packet network.]

NETWORK SECURITY TECHNOLOGY REQUIREMENTS

A security gateway is required to secure the connections between network elements over an "untrusted" communications link. The link may be untrusted because the elements are owned by different operators and therefore reside in different security domains (Za interface), or because the elements are owned by the same operator in the same security domain but are connected in a way that may lead to security breaches because the interfaces are not protected (e.g. no use of Zb between internal elements). The elements may be part of the LTE backhaul network, like cell sites (eNodeBs), or part of the enhanced packet core, like Serving and Packet Gateways (S-GWY, P-GWY).

[Figure 4. Securing LTE Networks: Security Domain A (NE A-1, NE A-2, SEG A) and Security Domain B (NE B-1, NE B-2, SEG B); Zb interfaces connect each NE to its own SEG, and the Za interface connects SEG A to SEG B. Legend: IKE "Connection", ESP Security Association.]

The requirements for providing a secure connection between LTE network elements are specified in the 3GPP Network Domain Security (NDS) standard. The primary requirement is to use Internet Protocol Security (IPsec), as shown in Figure 4. With IPsec, data is passed between the network elements in secure "tunnels" using a protocol called Encapsulating Security Payload (ESP) which includes subscriber authentication, content integrity and data encryption. These tunnels are set up using a protocol called Internet Key Exchange (IKE), which enables the elements to identify each other in a trusted manner called a Security Association (SA).
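The paragraph above describes ESP tunnels keyed by IKE-negotiated Security Associations. The following is an added example, not code from the Radisys paper or product, showing two receive-side checks an SEG performs on every inbound ESP packet before decryption: looking up the SA by the Security Parameters Index (SPI) in the ESP header, and rejecting replayed or stale packets with the RFC 4303 sliding anti-replay window. The SPI values, peer names and packets are constructed for the demonstration; the integrity check and decryption that would follow are not implemented.

```python
"""Added example (not Radisys code): SA lookup by SPI and the RFC 4303 anti-replay
window on an IPsec security gateway.  All SPIs, peers and packets are constructed."""
import struct

ESP_HEADER = struct.Struct("!II")   # SPI (32 bits) then Sequence Number (32 bits), network order


class AntiReplayWindow:
    """Sliding window of RFC 4303 section 3.4.3 over 32-bit ESP sequence numbers."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0       # highest sequence number accepted so far (right edge)
        self.bitmap = 0        # bit i set means sequence number (highest - i) was received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and not older than the window.

        A real gateway checks the window, verifies the ESP ICV, and only then
        updates the window; both steps are combined here because no ICV exists."""
        if seq == 0:
            return False                                   # first packet on an SA uses seq 1
        if seq > self.highest:                             # right of the window: slide it
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                                   # left of the window: stale
        if self.bitmap & (1 << offset):
            return False                                   # already received: replay
        self.bitmap |= 1 << offset                         # late but new: accept once
        return True


class SecurityAssociation:
    def __init__(self, spi, peer):
        self.spi = spi
        self.peer = peer                                   # label of the remote NE (constructed)
        self.replay = AntiReplayWindow()


class SecurityGateway:
    def __init__(self):
        self.sa_by_spi = {}                                # inbound SPI -> SA, filled by IKE

    def add_sa(self, spi, peer):
        self.sa_by_spi[spi] = SecurityAssociation(spi, peer)

    def receive(self, packet):
        """Classify one inbound ESP packet; returns (verdict, reason)."""
        if len(packet) < ESP_HEADER.size:
            return ("drop", "truncated ESP header")
        spi, seq = ESP_HEADER.unpack_from(packet)
        sa = self.sa_by_spi.get(spi)
        if sa is None:                                     # no IKE-negotiated SA for this SPI
            return ("drop", f"unknown SPI 0x{spi:08x}")
        if not sa.replay.check_and_update(seq):
            return ("drop", f"replayed or stale seq {seq} on SPI 0x{spi:08x}")
        return ("accept", f"{sa.peer} seq {seq}")


def demo():
    """Constructed traffic on one SA: in-order, reordered, replayed and stale packets,
    then a packet carrying an SPI that was never negotiated."""
    gw = SecurityGateway()
    gw.add_sa(0x0000A001, "eNodeB-A-1 (constructed)")

    def pkt(spi, seq):
        return ESP_HEADER.pack(spi, seq) + b"\x00" * 16    # payload bytes are placeholders

    verdicts = [gw.receive(pkt(0x0000A001, s))[0]
                for s in (1, 2, 5, 3, 3, 200, 100, 136, 137)]
    verdicts.append(gw.receive(pkt(0x0000BEEF, 1))[0])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

With the default 64-entry window, sequence 3 arriving after 5 is accepted once and dropped on its second appearance, and after sequence 200 has moved the window, 100 and 136 are stale while 137 still fits. Keying the SA table on the SPI is what lets a gateway reject traffic from a peer that never completed IKE without doing any cryptography.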
The requirements for providing a secure connection to a mobile device or femtocell in a wireless offload application share similarities with the NDS scenario. An IPsec tunnel is established with the mobile device or femtocell using IKE; bidirectional security associations are established; and encrypted ESP data is transmitted (Figure 5).

[Figure 5. Securing Wireless Offload Applications: the mobile device or femtocell reaches the SEG over the Internet (Wu or Up interface); behind the SEG sit the 3G data offload core with AAA (Wm interface), HSS/HLR, and the SGSN and GGSN (Gn interface). SGSN: Service GPRS Support Node; GGSN: Gateway GPRS Support Node.]

LTE SECURITY GATEWAY SOLUTION

An LTE Security Gateway, or LTE SEG, must meet the technology requirements for both LTE and its wireless offload application predecessors. It should provide very high performance IPsec tunneling and stateful firewall protection and be cost effective for a telecom equipment manufacturer to deploy in an operator network.

An LTE SEG should adhere to the 3GPP P-G standards and provide high performance IPsec capability, with carrier-grade reliability and scalability for telecom networks. This requires supporting key IETF RFCs for ESP, IKE and Certificate Management Protocol (CMP) as required by 3GPP LTE specifications 33.210 and 33.310. Ideally, an LTE SEG will process at least multi-Gbps of encrypted IPsec traffic and scale to much higher IPsec throughput to support massive amounts of IP traffic from many LTE cell sites. Additionally, in wireless offload applications, a security gateway should secure large numbers of WiFi connected mobile devices and femtocells and support various authentication schemes appropriate for each device, e.g. reuse of the SIM card in mobile devices, support for both femtocell smart-card and certificate based schemes, and back-end RADIUS support. Wireless offload applications such as I-WLAN and Home NodeB femtocells also require associating the user's IPsec tunnel with the GTP connection to the packet core.

Another important LTE SEG feature is a stateful firewall, which can process several million concurrent IP flows, with pre-defined and custom filters, consistency checks and DoS prevention mechanisms. This requires 10G Ethernet ports and firewall services performed at line rate. In addition to network security, an LTE SEG should ideally feature static and dynamic Network Address Translation (NAT), Virtual Routing (VLAN), DHCP services and traffic management.

Because security technology is complex and engineers with relevant experience are scarce and expensive, most telecom equipment manufacturers would prefer to buy a complete LTE SEG solution which they can easily and cost effectively integrate into the LTE network elements in their portfolio. Like other telecom equipment, the LTE SEG should have a fault tolerant configuration option and meet carrier requirements for high availability and serviceability. Many equipment manufacturers have adopted the open, carrier grade Advanced Telecom Computing Architecture (ATCA) and would benefit from a blade solution that could be readily integrated in spare slots of existing network elements, as well as offered as a standalone.

CONCLUSION

The explosion of mobile data applications has begun, and worldwide mobile operators are planning to migrate their networks to LTE. The new LTE networks will increase broadband capacity to support higher data rates, simplify network management, and lower transport costs. Whether operators choose to move directly to LTE or enhance their current generation networks with wireless offload applications, they must address the security issues associated with an all-IP network. The financial risk and reputation impact associated with any security breach in the early stages of a network rollout are too big to ignore. The 3GPP standards, including NDS, specify ways to secure user data and protect network elements, but leave many implementation decisions up to the operators. Network security is a major hurdle for LTE equipment vendors because the scope of potential breaches is large, the technology is complex, and engineers with relevant security expertise are scarce and expensive. The best solution is a turnkey security gateway that is flexible and scalable and can be cost effectively integrated to make new network rollouts secure from the outset.
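The LTE Security Gateway Solution section above calls for a stateful firewall with filters, consistency checks and DoS prevention on the gateway's untrusted side. The following is an added example, not Radisys code, of the policy such a firewall enforces in front of an IPsec gateway: only IKE (UDP 500/4500) and ESP addressed to the gateway itself are admitted, flows are tracked as 5-tuples, and each source is limited in how many IKE initiations it may leave unanswered, which bounds the state an unauthenticated peer can consume. All IP addresses come from the RFC 5737 documentation ranges and every packet is a constructed tuple; the per-source cap of 3 is an arbitrary demonstration value.

```python
"""Added example (not Radisys code): stateful admission policy on the untrusted
interface of an IPsec security gateway.  Addresses and packets are constructed."""
from collections import defaultdict

GATEWAY_IP = "198.51.100.10"        # constructed SEG address (RFC 5737 range)
UDP, ESP = 17, 50                   # IP protocol numbers
IKE_PORTS = {500, 4500}             # IKE, and IKE/ESP with NAT traversal
MAX_PENDING_IKE_PER_SRC = 3         # arbitrary cap on unanswered IKE initiations per source


class StatefulFilter:
    def __init__(self):
        self.flows = {}                          # (proto, src, sport, dst, dport) -> "pending" | "established"
        self.pending_ike = defaultdict(int)      # src IP -> number of unanswered IKE initiations
        self.counters = defaultdict(int)         # decision reason -> count, for monitoring

    def _decide(self, reason, allow):
        self.counters[reason] += 1
        return allow

    def inbound(self, proto, src, sport, dst, dport):
        """Packet arriving from the untrusted side; True means it is admitted."""
        if dst != GATEWAY_IP:                    # core elements are never reachable directly
            return self._decide("not-for-gateway", False)
        if proto == ESP:                         # SPI and replay checks belong to the IPsec stack
            return self._decide("esp", True)
        if proto == UDP and dport in IKE_PORTS:
            key = (proto, src, sport, dst, dport)
            if key in self.flows:                # known exchange, pending or established
                return self._decide("ike-known", True)
            if self.pending_ike[src] >= MAX_PENDING_IKE_PER_SRC:
                return self._decide("ike-flood-limited", False)
            self.pending_ike[src] += 1
            self.flows[key] = "pending"
            return self._decide("ike-new", True)
        return self._decide("protocol-not-permitted", False)   # TCP, ICMP, other UDP, ...

    def outbound(self, proto, src, sport, dst, dport):
        """Gateway reply toward the untrusted side; a reply marks that IKE exchange answered."""
        reverse = (proto, dst, dport, src, sport)
        if self.flows.get(reverse) == "pending":
            self.flows[reverse] = "established"
            self.pending_ike[dst] -= 1
        return True


def demo():
    """Constructed traffic: a legitimate eNodeB, then a source spraying IKE initiations."""
    f = StatefulFilter()
    enodeb, other = "192.0.2.21", "203.0.113.7"
    results = [
        f.inbound(6, other, 40000, GATEWAY_IP, 22),         # TCP to the gateway: not permitted
        f.inbound(UDP, other, 1000, "10.0.0.5", 500),       # IKE aimed past the SEG at the core
        f.inbound(UDP, enodeb, 500, GATEWAY_IP, 500),       # eNodeB opens IKE
    ]
    f.outbound(UDP, GATEWAY_IP, 500, enodeb, 500)           # gateway answers: exchange established
    results.append(f.inbound(UDP, enodeb, 500, GATEWAY_IP, 500))
    results.append(f.inbound(ESP, enodeb, 0, GATEWAY_IP, 0))
    # five IKE initiations from one source, none answered: the fourth and fifth are refused
    results.append([f.inbound(UDP, other, 50000 + i, GATEWAY_IP, 500) for i in range(5)])
    return results, dict(f.counters)


if __name__ == "__main__":
    print(demo())
```

The reason counters are what a NOC would export: a rising ike-flood-limited count from one source, or a burst of protocol-not-permitted hits, is the signal that something other than eNodeBs and femtocells is talking to the gateway. A production SEG would additionally age out pending entries, which this toy does not.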
GLOSSARY:

The following Glossary is in the order of the acronyms appearing in the paper.

3GPP: 3rd Generation Partnership Project
ATCA: Advanced Telecom Computing Architecture
CMP: Certificate Management Protocol
DoS: Denial-of-Service
eNodeB: enhanced nodeB, LTE radio at a cellsite
ESP: Encapsulating Security Payload
HSPA: High Speed Packet Access
IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
IP: Internet Protocol
IPsec: Internet Protocol Security
I-WLAN: Interworking-Wireless Local Area Network
LTE: Long Term Evolution (one flavor of 4G)
NAT: Network Address Translation
NDS: Network Domain Security
P-GWY: Packet Gateway
QoS: Quality of Service
S1-U: User-plane (mobile) traffic between LTE eNodeB (cellsites) and Serving-Gateway (S-GWY) packet core elements
SA: Security Association
SEG: Security Gateway
S-GWY: Serving Gateway
T1: Data Circuit Running at 1.544 Mbit/s Line Rate
TDM: Time Division Multiplexed
WPA: Wireless Protected Access

REFERENCES:

1. Source: id=174795.
2. Source: Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2009-2014 from February 9, 2010 found at en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white_paper_c11-520862.html.
3. Source: network-acceleration/articles/95417-wifi-femtocell-others-help-mobile-data-offloading-research.htm.

Corporate Headquarters
5445 NE Dawson Creek Drive
Hillsboro, OR 97124 USA
Phone: 503-615-1100
Fax: 503-615-1121
Toll-Free: 800-950-0044

©2010 RadiSys Corporation. RadiSys is a registered trademark of RadiSys Corporation. Convedia is a registered trademark of RadiSys Corporation. *All other trademarks are the properties of their respective owners. 10-218-00 October 2010