Backhaul Security for Wi-Fi & Small Cells
Senior Analyst, Heavy Reading
on behalf of
HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 2
Network Security & the Small-Cell Era
While mobile operators are right to think positively about the opportunity that Wi-Fi
and small cells represent, they also need to be hard-headed and strategic about
addressing the risk of new security exposures that small cells will inevitably bring to
their network assets and their customers' user experience. 3GPP specifies a Security
Gateway, or SEG, for supporting a growing proportion of the operator's investment
in new small cells as well as macrocells.
The Beginning of the Small-Cell Era
There is no industry-agreed definition on precise cell site types, but Heavy Reading
defines microcells as medium-sized base stations designed for capacity fill-in,
typically deployed in urban areas in conjunction with higher capacity macrocells.
Our definition of a microcell is a base station product that supports between 5
watts and 10 watts of power output per sector; up to four sectors; is portable,
weighing perhaps 20-30 kg; a range of perhaps 500 meters; and capable of
having the baseband and RF elements separated out and deployed several
meters away, allowing greater flexibility regarding where they can be deployed.
Microcells, as Heavy Reading defines them, were launched by all the major 2G
and 3G infrastructure vendors in the late 1990s or early 2000s and came to be the
key product for cellular network planners in the first decade of the 21st century.
As mobile operators went from 20 percent mobile subscriber penetration to 100
percent, as more and more people began using their cell phone as their primary
phone, as the extraordinary boom in text messaging took off, and then as the first
HSPA and EVDO upgrades started to be rolled out in earnest, most mobile operators
deployed substantial volumes of microcells in the network to keep up with the
new capacity demands. They deployed them because they provided a capacity
fill-in solution that was more targeted, more flexible, more environmentally-friendly
and lower cost than conventional high-capacity macrocells that cost a lot more,
consume a lot more power and take up a lot more space.
Small Cells – The Next Generation
In much the same way that new patterns of user demand drove the deployment
of microcells in the mobile network in the first decade of this century, new patterns
of demand in this second decade of the century – specifically the huge consumption
of data via 3G- and 4G-enabled laptops, smartphones, tablets and other
devices – are driving the business case for a new generation of still smaller cells.
Again, in the absence of industry-wide agreement on what the precise definition
is, Heavy Reading chooses to define this new generation simply as small cells.
In Heavy Reading's definition, a small cell is defined in the following way:
· Very small form factors weighing a few kilograms, some no heavier than 1
or 2 kg.
· Typically a single-sector device with omni- or directional antenna.
· Low power output compared with macro- and microcells, some as low as
· A range of no more than 100-150 meters in urban environments, often less.
The value proposition of small cells today is essentially the same as that of the first
microcells ten years ago – by reducing a base station's footprint still further, so that
small cells can be held in the palm of the hand, additional spectrum can be
accessed or existing spectrum used more efficiently; the miniaturized size allows
even greater flexibility of deployment; there is even less environmental impact in
terms of power consumption and obtrusive objects in the public domain.
In sum, new generations of small cells hold out the promise of serving as the next
base station type for keeping up with the demand for mobile data – but doing so
at a lower cost that enables the operator to maintain profitability.
The Three Main Types of Small Cell
From a mobile operator's perspective, small cells can be broken down into three
· 3GPP-compliant 2G, 3G or 4G femtocells for closed user groups in residential
and enterprise markets, managed separately from the macro network;
· 3GPP-compliant public-access small cells for use by all subscribers, integrated
with the macro network; and
· Mobile operator-deployed Wi-Fi access points.
3GPP Femtocells for Closed User Groups
A lot of mobile operators are already deriving benefits from deploying small cells in
volume, of course. 2G and 3G femtocells – small cells for closed user groups in the
residential or enterprise environment – are being widely deployed by mobile
operators throughout the world. According to the Small Cell Forum, there were
more than 2 million femtocells in service as of June 2011.
As of June 2011, femtocells were being actively deployed by 31 operators
throughout the world including AT&T, Verizon Wireless, Vodafone, Telefónica, T-
Mobile, NTT Docomo, KDDI and China Unicom. This was up from 19 in February
2011, leveraging an infrastructure market of 25 femtocell vendors. The majority of
deployments today are residential-only, although some operators are also
deploying femtocells in enterprise environments, as well.
3GPP Small Cells for Public Access
These are still very early days for operators in terms of evaluating the business case
for deploying public-access small cells that are accessible to any of their customers.
But Heavy Reading expects 2012 to be the year when many vendors launch
their first 3GPP public-access small-cell products.
That said, there is already evidence of some initial deployments. For example:
· In November 2011, for example, Vodafone UK announced it is extending
its rollout of Alcatel-Lucent's femtocell products into trialing some of its
wide-area small-cell products, including Alcatel-Lucent's 9364 3G Metro-
cell product, which has dimensions of 24 cm x 24 cm x 5 cm and weighs
just 2 kg. These trials are targeted at rural environments in the U.K., where
small cells in remote communities could deliver mobile broadband speeds
to relatively small numbers of users at a lower cost point than either the
fixed network or conventional macro- and microcell-based approaches.
· South Korea's SK Telecom is deploying a new 16-user public-access small
cell developed by Contela, a Korean company. SK Telecom is currently
rolling out Contela's new 2FA public-access small cells, supporting both
HSPA and Wi-Fi, in major shopping malls and airports around the country.
2012 will see many more vendors announcing new small-cell products. Many of
the 25 femtocell vendors are re-spinning their platforms to deliver products into this
space that support the higher capacity needed and allow integration with the
macro and micro layers. Mainstream 3GPP infrastructure vendors will also be
launching new products in this space in 2012, some of which will be small versions
of their current microcell portfolio, while others will be based on new purpose-built
small cell platforms.
There will be dedicated 2G, 3G and 4G small cells, as well as products that
support two or more of those generations in one device. There will also be small
cells that combine one or more cellular radio interfaces along with Wi-Fi, with the
latter serving either as a subscriber access option or to backhaul the 3GPP traffic.
Wi-Fi Access Points
A Wi-Fi access point meets Heavy Reading's definition of a small-cell product that
is already available to mobile operators. Because it operates in unlicensed
spectrum that is more vulnerable to interference than licensed 3GPP spectrum, Wi-
Fi has traditionally been considered something of a poor relation of licensed
cellular radio standards in mobile operator circles.
Mobile operators do have experience of leveraging Wi-Fi, but it is typically as a
parallel access network to the mobile network. While users can get basic Internet
access from a mobile operator's approved co-branded Wi-Fi access network,
today they typically can't access the mobile operator's unique suite of services
delivered from its core network. This is even true today in most cases where mobile
operators deploy their own Wi-Fi access points.
Figure 1: Connection Types By Device and OS
As they contemplate the future role of small cells in their network, many mobile
operators are also looking again at the role of Wi-Fi in their access networks. As
reflected in the comScore data referring to the U.S. market during 3Q11 (Figure 1),
it is not uncommon for mobile operators to report that their customers' smartphone
usage is now split roughly evenly between Wi-Fi and 3GPP access networks. The
number of connections on AT&T's Wi-Fi networks has increased from just 20 million
in 2008 to 381.2 million in 2010 and stood at 745 million for 2011 by the end of 3Q11.
Leading Wi-Fi vendors are driving the Wi-Fi industry roadmap in the direction of
greater carrier-grade performance and user mobility features. Most notably the
Hotspot 2.0 Task Group was formed in 2010 within the Wi-Fi Alliance to create a
common set of standards for common, seamless Wi-Fi authentication and roaming
that seeks to mirror the user experience with 3G.
Mobile operators all over the world are looking again at how they use
Wi-Fi to handle rising data traffic volumes and complement their service offerings:
· During 2011 Japan's KDDI began rolling out what is probably the world's
largest mobile operator-built Wi-Fi network focused on 3G capacity relief
in urban hotspots. Deployed in a data offload configuration to relieve capacity
on KDDI's CDMA 2000 RAN and mobile packet core capacity, and
backhauled via the operator's preexisting WiMax network at 2.5GHz, this
network is due to reach 100,000 Wi-Fi access points in downtown Tokyo by
1Q12. KDDI's post-paid data customers are offered free access with auto-
authentication to the Wi-Fi network for data applications.
· With the London Olympics upcoming, in January 2012 O2 announced that
it is building out what it says will be Europe's largest Wi-Fi Zone and "integrating
new layers of technology into the existing network to enable a
seamless and sustained customer experience."
· Having been reluctant to use Wi-Fi up until recently, China Mobile is now
intent on deploying up to 1 million Wi-Fi access points throughout China.
Some 3GPP-driven RAN vendors are altering their strategies to make way for
greater leveraging of Wi-Fi networks. Nokia Siemens Networks (NSN) now markets a
"Smart Offload" solution that leverages Wi-Fi, a development that would have
been unthinkable a few years ago.
Unique Security Challenges With Small Cells
So far, only the positive opportunity presented by small cells has been discussed. It
is certainly substantial, but the small-cell era necessarily creates new challenges
from a security perspective as well. The specific issues relating to each of the three
small cell categories identified will be addressed shortly, but they can also be
generally summarized at a high level in the following way:
· Hundreds of thousands of macro- and microcells were deployed when
the mobile operator's initial transport network was built around secure TDM
protocols, and when all manner of IP-based Internet security attacks were
confined to wireline-connected PCs. By contrast, when small cells are
rolled out in volume, it will be into an increasingly IP-oriented mobile network
environment, where the security vulnerabilities are inevitably greater.
· Unlike conventional macrocell sites that have strong physical security –
including heavily locked doors, alarms and strict access control – due to
their form factor small cells are more likely to be deployed in a relatively
openly accessible, public place, such as a shopping mall or a street light
or other utility pole. Here they can much more easily be physically tampered
with and potentially compromised by unauthorized parties.
· As previously stated, because they support fewer subscribers than a macro- or
microcell, in many cases small cells need to leverage preexisting
fixed access networks for backhaul. In cases where that is a DSL connection,
the mobile user's traffic is liable to be exposed to the untrusted open
Internet environment, rather than managed end-to-end across the mobile
operator's dedicated, trusted facilities.
· Many mobile operators will roll out LTE small cells. This is important from a
security perspective because unlike with 2G and 3G, where 3GPP mandates
encryption between the air interface and the BSC or RNC, in LTE the
3GPP-mandated encryption terminates in the eNodeB, with the result that
there is no native or embedded encryption in LTE between the eNodeB
and the core of the network.
· Mirroring the femtocell model, many 3G public-access small cells are also
designed with a subset of radio resource management features built in, so
that they too can bypass the RNC if the operator wants to. Although it is
not mandated in 3GPP's 3G standards in the same way that it is in LTE, the
result of this model is nevertheless the same as in LTE, in that encryption is
terminated in the 3G public-access small cell, so the operator needs to
encrypt it again across the backhaul to secure it effectively.
While these five security issues are generic to small cells – particularly to 3GPP small
cells – the following sections will explore security issues relating to the three specific
small cell types.
Femtocells: A Model for Small Cell Security
The industry already has a well-established model for mitigating small-cell security
risks in the way the 3GPP has redefined security specifically for femtocells. And this
model has the potential to serve as the basis for securing other small cells, as well.
There are three major exposures in the femtocell model as compared with
conventional macro- and microcell security:
· Since it is deployed by the user themselves in the home or enterprise, the
femtocell device itself is obviously vulnerable to physical tampering.
· Femtocells are independent of the mobile operator's macro and micro
layer, in that the traffic they generate is routed directly to the operator's
core network, rather than to a BSC or RNC. With a femtocell, the 3GPP
encryption that would normally terminate at the BSC or RNC terminates in
the femtocell itself. Hence femtocell user traffic is no longer protected by
3GPP encryption, but is clear text that could potentially be intercepted.
· In the femtocell model, particularly in home environments, the access
network providing the backhaul is not the mobile operator's own dedicated
transport service. Rather it is a simple DSL connection, with all the
exposure to the public Internet and security vulnerability that that entails.
As shown in Figure 2, 3GPP provides a unique security architecture for femtocells.
The key feature of 3GPP's femtocell security architecture is that it provides for the
instantiation of an IPsec tunnel within the femtocell or Home eNodeB itself for
encryption and authentication of the traffic as it exits the femtocell and is transported
across the access network. That tunnel is then decrypted by a security
gateway in the operator's core network.
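
A check an operator could run over backhaul flow records to confirm the architecture described above, in which everything leaving a small cell travels inside an IPsec tunnel that terminates on the security gateway. This is an added example, not part of the original paper; the address plan, the flow-record format and the function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed addressing plan (constructed for this example, documentation ranges).
CELL_NET = ipaddress.ip_network("10.20.0.0/16")    # small-cell backhaul addresses
SEG_ADDRS = {ipaddress.ip_address("192.0.2.10")}   # operator security gateway(s)

ESP, UDP = 50, 17          # IP protocol numbers
IKE_PORTS = {500, 4500}    # IKE, and IKE/ESP-in-UDP used behind NAT (e.g. DSL)

# Constructed flow records: src,dst,ip_proto,dst_port (port 0 where unused).
SAMPLE_FLOWS = """\
10.20.1.5,192.0.2.10,17,500
10.20.1.5,192.0.2.10,50,0
10.20.2.9,192.0.2.10,17,4500
10.20.3.7,198.51.100.20,17,2152
10.20.3.7,198.51.100.21,132,36412
10.20.4.4,203.0.113.77,50,0
172.16.0.1,198.51.100.20,17,2152
"""


def classify(src, dst, proto, dport):
    """Classify one flow relative to the small-cell-to-SEG tunnel model."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip not in CELL_NET:
        return "out-of-scope"            # not sourced from a small cell
    tunnelled = proto == ESP or (proto == UDP and dport in IKE_PORTS)
    if tunnelled and dst_ip in SEG_ADDRS:
        return "ipsec-to-seg"            # expected: tunnel ends on the SEG
    if tunnelled:
        return "ipsec-to-unknown-peer"   # tunnel ends somewhere unexpected
    return "cleartext"                   # e.g. GTP-U (UDP 2152), S1-AP (SCTP 36412)


def audit(flow_csv):
    """Return {cell_address: [findings]} for flows that bypass the SEG tunnel."""
    findings = defaultdict(list)
    for row in csv.reader(io.StringIO(flow_csv)):
        if not row:
            continue                     # tolerate blank lines in the export
        src, dst, proto, dport = row[0], row[1], int(row[2]), int(row[3])
        verdict = classify(src, dst, proto, dport)
        if verdict in ("cleartext", "ipsec-to-unknown-peer"):
            findings[src].append((verdict, dst, proto, dport))
    return dict(findings)


if __name__ == "__main__":
    for cell, items in sorted(audit(SAMPLE_FLOWS).items()):
        for verdict, dst, proto, dport in items:
            print(f"{cell} -> {dst} proto={proto} dport={dport}: {verdict}")
```
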
Essentially this security architecture has already been successfully deployed
to support all of the 2 million femtocells in service today, and will serve for
future femtocell and Home eNodeB deployments. The model has been shown to
be highly secure to date.
There have been a couple of scares, notably security vulnerabilities
in some early deployments by Vodafone and SFR. In the Vodafone case,
detected at the start of 2010, hackers demonstrated that an engineering serial
port connection that had been used for debugging in trials of its Sure Signal
femtocells had been left live, together with default passwords, with the result that
the traffic from the femtocell could potentially be intercepted.
A security patch was automatically issued to all Sure Signal devices within a few
weeks of the vulnerability being identified, and no actual damage was done to
any of Vodafone's customers, but the episode served to highlight the potential
exposure across small-cell product types and the nature of the new security
The experience of femtocell deployments thus far is therefore that the security
architecture is performing extremely well, although operators need to remain
permanently vigilant with respect to potential future vulnerabilities.
Figure 2: HeNB Security Femto, Pico and Small Cells
Security for 3GPP Public-Access Small Cells
3GPP-based public-access small cells share many of the same security vulnerabilities
as closed user group femtocells in the home or enterprise. For that reason,
3GPP foresees substantially reusing the femtocell security architecture for securing
public-access small cells.
There are some differences in the risk profile of a public-access small cell as
compared with a femtocell:
· A public-access small cell that has a radio-based backhaul which is a
physically separate unit, rather than being one integrated device, will
have the additional vulnerability of interception of traffic in the wired or
wireless communication path between the two devices.
· In cases where the X2 interface between cells is used in LTE public-access
small cells, an attacker might not just be able to access a single cell, but
could potentially look to leverage the X2 to access several adjacent cells
It's clear that while there will be very little variation in the security architectures that
mobile operators use in the case of femtocells, the greater variety and complexity
associated with deploying and managing public-access small cells will give rise to
a lot more variation in the security model that operators adopt as these are rolled
There is certainly an opportunity to reuse the same security gateway to terminate
both femtocell and public-access small-cell traffic. The benefits of this approach
are obvious from both a capex and opex perspective. The operator can share the
same security architecture across public and private domain small cells as well as
the same physical equipment, providing it is able to scale sufficiently to support
hundreds of thousands or even millions of subscribers.
There are reasons why some operators might want to forgo the benefits of
sharing the same physical security gateway and instead have separate gateways
for femtocells and public-access small cells. For example, integration and coordination
with the macro- and microcell layers as regards handover and provisioning
is going to be very important for public-access small cells. And unlike in the
femtocell environment, many operators are likely to want their public-access small
cells to trigger a security alarm in their NOC if they are tampered with.
It is true that many microwave and other radio-based backhaul solutions do
support their own very robust encryption. The disadvantage for the operator in
relying on this as an alternative to IPsec is that IPsec provides the operator with a
uniform approach not just for encryption, but also for authentication across all of
its insecure cells.
Enhanced Security for Carrier Deployed Wi-Fi
With its origins as a self-deployed home and enterprise access technology,
security didn't feature as a key consideration in the evolution of Wi-Fi, as it did in
the case of cellular standards. The resulting ease with which countless numbers of
users have had sensitive, personal information copied and stolen is well known.
But consistent with the increasing interest of fixed and mobile operators in using Wi-
Fi as a complementary broadband access network in their portfolio, a lot of work is
being done to render Wi-Fi networking more secure in terms of both the user-
facing air interface and the network-facing transport or backhaul service.
Industry efforts to provide integration of Wi-Fi into a mobile operator's access
portfolio date back more than 10 years to Unlicensed Mobile Access (UMA), which
provides for hand-off between wide-area GSM and indoor Wi-Fi usage, and
Interworking Wireless LAN (I-WLAN), which provides for Wi-Fi integration with a
mobile operator's 3G mobile packet core elements. Whereas UMA saw very little
adoption, there is ongoing interest in both I-WLAN for 3G and increasingly for Wi-Fi
integration with the Evolved Packet Core (EPC).
As shown in Figure 3, 3GPP's I-WLAN standard specifies the instantiation of an IPsec
tunnel in the smartphone or other end-user device as a means of securing what it
defines as "untrusted" Wi-Fi traffic coming into the 3G core. The tunnel is terminated
before the traffic hits the mobile packet core by a Packet Data Gateway
(PDG) or Tunnel Termination Gateway (TTG) performing much the same role as the
Femto Gateway in femtocell deployments.
3GPP therefore provides a means by which mobile operators can leverage the
same security architecture based on IPsec for all their small-cell deployments –
whether they be femtocells, 3GPP public-access small cells or carrier deployed Wi-
Fi access points.
Figure 3: The I-WLAN Security Architecture
It should be noted that there have been other parallel developments in the Wi-Fi
security space in the years since the I-WLAN standard was first written. For example,
a combination of Generic Routing Encapsulation (GRE) encryption and the
IEEE's 802.1x authentication is now an alternative approach for mobile operators to
secure Wi-Fi access networks. It has the advantage that there has so far been
faster initial adoption of 802.1x than IPsec among smartphone vendors, although
most smartphone vendors have IPsec in their roadmaps. Nevertheless, this alternative
has the disadvantage that opting for different security environments for
different types of small cells creates challenges from both a capex and opex
perspective. The 802.1x and GRE approach is also not formally approved by 3GPP,
whereas I-WLAN, with its endorsement of IPsec as the encryption mechanism for
securing Wi-Fi traffic, is.
The Additional Need for IPsec at Macro Sites
So far this paper has demonstrated how security issues are different for small cells
as compared with conventional macro- and microcells. It has shown how the
instantiation of IPsec tunnels by 3G and LTE small cells and their termination in a
security gateway is provided for by 3GPP, and how that same security infrastructure
can be reused for carrier-deployed Wi-Fi access points to provide a common
security infrastructure for small cells.
It's also worth adding that in the case of LTE, where encryption is always terminated
in the eNodeB irrespective of whether the eNodeB is a large macrocell or a
public-access small cell, 3GPP also recommends the use of IPsec wherever the
backhaul is deemed to be "untrusted" by the mobile operator. This means that in
addition to being shared across all future small-cell deployments, the IPsec
security infrastructure can also be shared across LTE macro and micro sites.
Several years further out, operators are going to start dispensing with their dedicated
2G and 3G packet cores and begin terminating their 2G and 3G traffic on
the EPC. As and when they look to do that, operators will need to look at how they
secure that in an all-IP environment, and one potential approach could be to
wrap 2G and 3G traffic into IPsec tunnels as well.
Key Requirements in 3GPP Security Gateways
Mobile operators need highly scalable and cost effective security solutions to
protect their networks and subscribers as small cells are rolled out in volume in the
home, the enterprise and the wide-area public-access markets. Carrier-class
solutions are preferable to enterprise products, enabling the operator to support
potentially very large numbers of concurrent, bidirectional IPsec tunnels on a
stateful, high-availability system, at the lowest possible cost per subscriber.
Key factors required from a 3GPP SEG to ensure that the rollout of small cells is
accompanied by robust security are:
· Carrier-grade availability and redundancy
· Full alignment with 3GPP standards
· Ease of integration into the existing network
· High scalability
· Reuse of the security solution not just across multiple types of small cell, but
for LTE and potentially other macrocells
· Operation on a highly secure hardware and software architecture
When purchasing a 3GPP SEG, the operator must recognize the location, the
performance, the capacity and the reuse of the software throughout the network.
Having the SEG collocated or integrated with the primary elements in the mobile
network infrastructure, such as the RNC, GGSN or PDG, is recommended
for deployment.
Though not always the first thing people think about, poor security implementations
have the potential to delay the large-scale rollout of small cells in the
operator's radio access network.
Small cells have unique security requirements that are addressed by 3GPP via the
SEG. The SEG can serve as a common platform for 3G and LTE public-access small
cells; femtocells; Wi-Fi small cells; as well as LTE macrocells. Even though some
mobile operators may not want to support all of these different radio access
products from the same physical SEG node, there are nevertheless significant
advantages to leveraging different instances of the same platform for each.
Enterprise platforms are unsuited to the scalability that many mobile operators are
liable to need as they roll out small cells in volume. High-capacity, high-availability
platforms are likely to be the preferred long-term choice of mobile operators.
Background to This Paper
This Heavy Reading white paper was commissioned by Radisys, but is based on
independent research. The research and opinions expressed in this report are
those of Heavy Reading.
Radisys (Nasdaq: RSYS) is a leading provider of embedded wireless infrastructure
solutions for telecom, aerospace, defense and public safety applications. Radisys'
market-leading ATCA, IP Media Server and COM Express platforms coupled with
world-renowned Trillium software, services and market expertise enable customers
to bring high-value products and services to market faster with lower investment
and risk. Radisys solutions are used in a wide variety of 3G & 4G/LTE mobile
network applications including: Radio Access Networks (RAN) solutions from
femtocells to picocells and macrocells, wireless core network applications, DPI
and policy management; conferencing and media services including voice,
video and data, as well as customized mobile network applications that support
the aerospace, defense and public safety markets.