UNVEILING LTE CLOUD SECURITY
CanSecWest, 2012, Vancouver
Galina Pildush, PhD
galina@juniper.net
WHAT IS THIS TALK ABOUT
Is:
• LTE introduction
• LTE perspectives and vulnerabilities
Is not:
• Everything else
2 Copyright © 2011 Juniper Networks, Inc. www.juniper.net
WHAT IS LTE
• LTE = Long-Term Evolution of Evolved Universal Terrestrial Radio Access Network
• Greater flexibility of spectrum usage
• Reduced latency
• Interworking with other systems, for example CDMA2000
• LTE-Advanced: worldwide functionality and roaming, service compatibility, enhanced peak data rates (100 Mbps – 1 Gbps)
THIS IS WHERE IT WAS A FEW YEARS AGO …
[Figure: basic GPRS architecture. Access networks: GERAN (BTS, BSC) over Gb and UTRAN (NodeB, RNC) over IuPS/IuCS. Core network: SGSN, GGSN (Gn; Gi to the Internet), HSS (HLR, AuC), MSC/VLR, GMSC, CS-MGW (Mc, Nb), PCRF (Gx), PSTN; also the Gr, Gs, Gc, C, D, Nc and A interfaces. Legend: interfaces supporting user traffic; interfaces supporting signalling.]
Note: This is a display of basic GPRS architecture blocks and interfaces. Not all network elements and interfaces shown.
THIS IS WHERE IT IS TODAY … AND STILL EVOLVING …
[Figure: the GPRS architecture above extended with the EPS. E-UTRAN (eNodeB) connects to the MME over S1-MME and to the S-GW over S1-U; the MME connects to the HSS (HLR, AuC) over S6a, to the S-GW over S11 and to the SGSN over S3; the S-GW connects to the PDN-GW over S5/S8, to the SGSN over S4, to UTRAN over S12 and to the PCRF over Gxc; the PDN-GW connects to the Internet over SGi and to the PCRF over Gx. Legend: interfaces supporting user traffic; interfaces supporting signalling.]
Note: This is a display of basic GPRS and EPS architecture blocks and interfaces. Not all network elements and interfaces shown.
PROTOCOL REFERENCE MODEL – USER PLANE
[Figure, three panels of user-plane protocol stacks:
GERAN User Plane: UE (Appl-n, IP, SNDCP, LLC, RLC, MAC, GSM RF) – Um – BSS (RLC, MAC, GSM RF relayed to BSSGP, Network Service, L1bis) – Gb – SGSN (SNDCP, LLC, BSSGP, Network Service, L1bis relayed to GTP-U, UDP/IP, Layer 2, Layer 1) – S4 – Serving GW (GTP-U relay over UDP/IP, Layer 2, Layer 1) – S5/S8 – PDN GW (IP, GTP-U, UDP/IP, Layer 2, Layer 1) – SGi.
UTRAN User Plane: UE (Appl-n, IP, PDCP, RLC, MAC, Layer 1) – Uu – UTRAN (PDCP, RLC, MAC, Layer 1 relayed to GTP-U, UDP/IP, Layer 2, Layer 1) – Iu – Serving GW (GTP-U relay) – S5/S8 – PDN GW (IP, GTP-U, UDP/IP, Layer 2, Layer 1) – SGi.
E-UTRAN User Plane: UE (Appl-n, IP, PDCP, RLC, MAC, Layer 1) – LTE-Uu – eNodeB (PDCP, RLC, MAC, Layer 1 relayed to GTP-U, UDP/IP, Layer 2, Layer 1) – S1-U – Serving GW (GTP-U relay over UDP/IP, Layer 2, Layer 1) – S5/S8 – PDN GW (IP, GTP-U, UDP/IP, Layer 2, Layer 1) – SGi.]
[Figure: LTE protocol reference model, Control Plane and User Plane panels. Source: www.3gpp.org]
LTE GENERIC ARCHITECTURE
[Figure: LTE/EPC reference architecture spanning the VPLMN, the HPLMN, an IPX cloud and a 3rd-party application function domain, with the protocol stack drawn on each interface. E-UTRAN/eNodeB – S1-AP over SCTP/IP/lower layers – MME; MME – S10 – MME; MME – S11 – S-GW; MME – S6a (DIAMETER over SCTP/IP) – HSS (HLR, AuC); S-GW – S8 (GTPv2 and GTP-U over UDP/IP, via the IPX cloud) – PDN-GW; PDN-GW – SGi – Internet and L-GW; PDN-GW – Gx – PCRF; PDN-GW – Gy – OCS; V-PCRF – S9 (DIAMETER over SCTP/IP, via the IPX cloud) – H-PCRF; 3rd-party application function – Rx – PCRF.]
ESTABLISHING THE CONNECTION – NO ROAMING
[Figure: UE, eNodeB, MME, HSS (HLR, AuC), S-GW, PDN-GW, H-PCRF, OCS and the Internet, with the numbered steps below drawn between them.]
1. Attach Request (initial attach, IMSI, PDP Connection Request) – UE to MME via the eNodeB
2. Update Location, granting the service – MME and HSS
3. Create Session Request – MME to S-GW
4. Create Session Request – S-GW to PDN-GW
5. Create Session Response – PDN-GW to S-GW
6. Create Session Response – S-GW to MME
7. Initial Context Setup Request (attach accept, activate default EPS Bearer Request) – MME to eNodeB
8. Initial Context Setup Response – eNodeB to MME
9. Attach Complete, Activate Default Bearer Accept – UE to MME
Note: Connection establishment shown in this diagram is simplified.
LTE FROM OPERATOR’S PERSPECTIVE
Traditionally PSTN is a “Walled Garden”:
• Protocols are not widely spread and/or known
• Complex protocols
• Closed architectures
• Controlled access
Today LTE access uses IP as a transport:
• Convergence of voice and data
• Convergence of wireline and wireless
• Lower operations costs
Ahh… Life is good … or IS IT NOT?
LTE FROM CONSUMER PERSPECTIVE
• Love sooo … many Apps – over 10.9 billion (expected to rise to 76.9 billion by 2014!) *
• The more the merrier
• Free is better than paid for
• Voice, video, data – all in one!
• Enjoy high speed
• Want my SP to maintain the service I subscribe to
Ahh… Life is good… or IS IT NOT?
*Source: IDC
LTE FROM ENTERPRISE PERSPECTIVE
• Can connect with staff any time from anywhere
• Should be able to increase productivity: faster decision making, instant access to teleworkers, instant deal making, etc., etc., etc …
Ahh… Life is good … or IS IT NOT?
LTE FROM HACKER’S PERSPECTIVE
• The more apps, the merrier – it’s a Wild-Wild West (WWW) out there – grab as much as you can
• No regulations, validations, or restrictions
• I can masquerade as anyone or anything
• Phish around, tricking you into entering sensitive information
• Financial theft
• Privacy theft
• Challenge is invigorating
• This is a wonderland – millions of walking servers with eyes and ears without firewalls
Ahh… Life IS good!
WHAT CAN WE CONCLUDE?
• LTE is IP end-to-end
• The protocols are open
• The infrastructures are getting more complex: this could introduce new vulnerabilities; complexity does not mean more secure
What does it all mean to a security person?
LET’S DEFINE A PROBLEM STATEMENT
The threats are possible on:
• Network Infrastructure Elements – RAN, Core
• Bandwidth consumption
• Servers
WHAT ARE THE POSSIBLE THREATS?
On network elements:
• Flood attacks
• Worm infections and Trojan attacks
• Spam and virus attacks
• Man-in-the-middle attacks
On UEs:
• Phishing
• Botnet
• Viruses
• Worms
• Trojan attacks
Trusted but infected UEs could become sources of attacks.
WHAT ARE THE EFFECTS OF THE THREATS?
Paralyzed:
• Network elements and/or entire network infrastructures
• Fixed servers
• Mobile servers – UEs
• Misbehaved servers
• Mis-billing and/or overbilling
• Battery drainage on UEs
• Personal data compromised
• Financial theft
• Misconduct
• Unhappy customers
• Loss of privacy
• Loss of customers
• Bad industry reputation
• Loss of revenue and business
Attacks on LTE – Places of Vulnerabilities
VULNERABILITIES – WHERE?
• UEs: the out-of-control spread of unprotected servers – smart phones
• Operators’ core: facing the Internet, peering points, RAN-Core connection
• Operators’ RAN
EVERYWHERE
LTE SCTP POINTS OF VULNERABILITY
[Figure: the generic LTE architecture above with the SCTP-carried interfaces highlighted: S1-AP between eNodeB and MME (S1-AP over SCTP/IP), and the DIAMETER interfaces (S6a to the HSS, S9 between V-PCRF and H-PCRF across the IPX cloud, Gx, Gy to the OCS, Rx from the 3rd-party application function) with their DIAMETER over SCTP/IP stacks.]
LTE SCTP VULNERABILITY
SCTP Association hijacking:
• Address camping or stealing
• If an attacker can take over an IP address, they can restart the association
• Man-in-the-middle
Bombing attacks:
• Get a server to amplify packets to an innocent victim
• Allows an attacker to use an arbitrary SCTP endpoint to send multiple packets to a victim in response to one packet
• Allows an attacker to use an SCTP server to send a larger packet to a victim than it sent to the SCTP server
Association redirection – http://tools.ietf.org/html/rfc5062
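The two SCTP issues on this slide leave traces that a defender can look for in flow logs from the S1-AP and Diameter listeners: a server that keeps answering a peer which never completes the cookie exchange (the bombing pattern), and a fresh INIT arriving on an association that is already established (what address camping or stealing looks like from the server side). The detector below is an added example written for this page, not code from the talk or from Juniper; the log format and the sample lines are constructed, and the two thresholds are assumed policy values. The port numbers are the IANA assignments for S1-AP (36412) and Diameter (3868).

```python
from collections import defaultdict

# Constructed sample (not from the slides): one SCTP packet per line from a flow log on
# the core side. Fields: seq, source ip:port, destination ip:port, chunk type, bytes.
# 192.0.2.10:36412 plays the MME's S1-AP listener.
SAMPLE_LOG = """\
1 10.0.0.5:40000 192.0.2.10:36412 INIT 120
2 192.0.2.10:36412 10.0.0.5:40000 INIT_ACK 360
3 10.0.0.5:40000 192.0.2.10:36412 COOKIE_ECHO 300
4 192.0.2.10:36412 10.0.0.5:40000 COOKIE_ACK 40
5 203.0.113.7:5000 192.0.2.10:36412 INIT 120
6 192.0.2.10:36412 203.0.113.7:5000 INIT_ACK 360
7 192.0.2.10:36412 203.0.113.7:5000 INIT_ACK 360
8 192.0.2.10:36412 203.0.113.7:5000 INIT_ACK 360
9 10.0.0.5:40000 192.0.2.10:36412 INIT 120
"""

SERVER_PORTS = {36412, 3868}    # S1-AP and Diameter listener ports (IANA)
MAX_REPLIES_BEFORE_COOKIE = 1   # assumed policy: one INIT-ACK per INIT until the cookie is echoed
MAX_AMPLIFICATION = 5.0         # assumed policy: bytes sent / bytes received from an unverified peer


def parse_log(text):
    """Turn the log text into dicts; src/dst keep the ip:port string."""
    records = []
    for line in text.splitlines():
        if line.strip():
            seq, src, dst, chunk, length = line.split()
            records.append({"seq": int(seq), "src": src, "dst": dst,
                            "chunk": chunk, "len": int(length)})
    return records


def port_of(endpoint):
    return int(endpoint.rsplit(":", 1)[1])


def analyze(records):
    """Return (category, client, server) findings, one per association and category."""
    established = set()   # (client, server) pairs that completed the 4-way handshake
    unverified = {}       # (client, server) -> bytes in/out and reply count before COOKIE-ECHO
    findings, flagged = [], set()

    def flag(category, key):
        if (category, key) not in flagged:
            flagged.add((category, key))
            findings.append((category,) + key)

    for r in records:
        if port_of(r["dst"]) in SERVER_PORTS:            # client -> server direction
            key = (r["src"], r["dst"])
            if r["chunk"] == "INIT":
                if key in established:
                    # A new INIT on a live association restarts it: review who now
                    # holds that client address before trusting the new association.
                    flag("association restart", key)
                unverified[key] = {"in": r["len"], "out": 0, "replies": 0}
        elif port_of(r["src"]) in SERVER_PORTS:          # server -> client direction
            key = (r["dst"], r["src"])
            if r["chunk"] == "COOKIE_ACK":
                established.add(key)
                unverified.pop(key, None)
            elif key in unverified:
                state = unverified[key]
                state["out"] += r["len"]
                state["replies"] += 1
                if state["replies"] > MAX_REPLIES_BEFORE_COOKIE:
                    flag("multiple replies to unverified peer", key)
                if state["out"] / state["in"] > MAX_AMPLIFICATION:
                    flag("amplification towards unverified peer", key)
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(*finding)
```

A legitimate INIT-ACK is normally larger than the INIT it answers because it carries the state cookie, so the amplification ratio has to be tuned per deployment rather than set to 1; the reply count is the sharper signal, because a conforming server sends one INIT-ACK per INIT and waits for the cookie to come back. Findings are records for review, not automatic blocks: a restart on an established association is also what a rebooted eNodeB looks like.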
LTE DIAMETER POINTS OF VULNERABILITY
[Figure: the generic LTE architecture above with the DIAMETER interfaces highlighted: S6a (MME–HSS), S9 (V-PCRF–H-PCRF across the IPX cloud), Gx (PDN-GW–PCRF), Gy (PDN-GW–OCS) and Rx (3rd-party application function–PCRF), each carried as DIAMETER over SCTP/IP.]
LTE DIAMETER VULNERABILITY
Diameter attacks:
• Negotiation attack – could cause a Diameter server to choose a less secure authentication method (CHAP, PAP, for example)
• Connection hijacking – attacker attempts to inject packets
• Replay
• Snooping packets
• Packet modifications
• Impersonation – rogue NEs with forged IP addresses
• Man-in-the-middle attack – attackers gain control of a Diameter agent, modifying packets in transit
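Three of the attacks listed (impersonation, replay, injection into an existing connection) can be checked at the receiving node with nothing more than the Diameter header and two base-protocol AVPs. The code below is an added example for this page, not Juniper's or the talk's code: it encodes and strictly parses Diameter messages (RFC 6733 header and AVP layout), then applies per-connection checks: the Origin-Host and Origin-Realm of every request must match the peer identity fixed when the connection was set up, an End-to-End identifier may not repeat within a window, and an answer is only accepted if its Hop-by-Hop identifier matches a request this node actually sent. The S6a application id (16777251) and Update-Location command code (316) are the real 3GPP TS 29.272 values; the host and realm names are constructed placeholders.

```python
import struct
from collections import OrderedDict

DIAMETER_VERSION, FLAG_REQUEST = 1, 0x80                  # 'R' bit of Command Flags (RFC 6733 s.3)
AVP_FLAG_VENDOR, AVP_FLAG_MANDATORY = 0x80, 0x40
AVP_ORIGIN_HOST, AVP_ORIGIN_REALM = 264, 296
S6A_APPLICATION_ID, CMD_UPDATE_LOCATION = 16777251, 316   # 3GPP S6a (TS 29.272), Update-Location


def build_avp(code, data, flags=AVP_FLAG_MANDATORY):
    """AVP = 4-byte code, 1-byte flags, 3-byte length (header+data), data padded to 4 bytes."""
    header = struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)


def build_message(command, app_id, hop_by_hop, end_to_end, avps, flags=FLAG_REQUEST):
    """20-byte Diameter header followed by the AVPs."""
    body = b"".join(avps)
    header = (bytes([DIAMETER_VERSION]) + (20 + len(body)).to_bytes(3, "big")
              + bytes([flags]) + command.to_bytes(3, "big")
              + struct.pack("!III", app_id, hop_by_hop, end_to_end))
    return header + body


def parse_message(data):
    """Strict parse: every length field must agree with the bytes actually received."""
    if len(data) < 20 or data[0] != DIAMETER_VERSION:
        raise ValueError("bad version or truncated header")
    if int.from_bytes(data[1:4], "big") != len(data):
        raise ValueError("header length does not match message size")
    app_id, hbh, e2e = struct.unpack("!III", data[8:20])
    msg = {"flags": data[4], "command": int.from_bytes(data[5:8], "big"),
           "app_id": app_id, "hbh": hbh, "e2e": e2e, "avps": {}}
    offset = 20
    while offset < len(data):
        if offset + 8 > len(data):
            raise ValueError("truncated AVP header")
        code = int.from_bytes(data[offset:offset + 4], "big")
        avp_flags, avp_len = data[offset + 4], int.from_bytes(data[offset + 5:offset + 8], "big")
        hdr_len = 12 if avp_flags & AVP_FLAG_VENDOR else 8
        if avp_len < hdr_len or offset + avp_len > len(data):
            raise ValueError("bad AVP length")
        msg["avps"][code] = data[offset + hdr_len:offset + avp_len]
        offset += avp_len + (-avp_len % 4)                # AVP length excludes the padding
    return msg


class PeerGuard:
    """Checks for one transport connection whose peer identity was fixed at CER/CEA time."""

    def __init__(self, peer_host, peer_realm, replay_window=1024):
        self.peer_host, self.peer_realm = peer_host.encode(), peer_realm.encode()
        self.replay_window = replay_window
        self.seen_e2e = OrderedDict()   # End-to-End ids recently accepted from this peer
        self.pending = {}               # Hop-by-Hop id -> command code of our outstanding requests

    def check_request(self, data):
        try:
            msg = parse_message(data)
        except ValueError as exc:
            return False, "malformed: " + str(exc)
        if not msg["flags"] & FLAG_REQUEST:
            return False, "not a request"
        if msg["avps"].get(AVP_ORIGIN_HOST) != self.peer_host:
            return False, "Origin-Host is not the peer bound to this connection (impersonation)"
        if msg["avps"].get(AVP_ORIGIN_REALM) != self.peer_realm:
            return False, "Origin-Realm is not the peer's realm"
        if msg["e2e"] in self.seen_e2e:
            return False, "repeated End-to-End identifier (replay)"
        self.seen_e2e[msg["e2e"]] = True
        if len(self.seen_e2e) > self.replay_window:
            self.seen_e2e.popitem(last=False)
        return True, "accepted"

    def register_request(self, hop_by_hop, command):
        self.pending[hop_by_hop] = command

    def check_answer(self, data):
        try:
            msg = parse_message(data)
        except ValueError as exc:
            return False, "malformed: " + str(exc)
        if msg["flags"] & FLAG_REQUEST:
            return False, "not an answer"
        if self.pending.get(msg["hbh"]) != msg["command"]:
            return False, "no outstanding request with this Hop-by-Hop id (injection)"
        del self.pending[msg["hbh"]]
        return True, "accepted"


# Constructed identities (not from the slides); real ones follow the 3gppnetwork.org scheme.
MME_HOST, MME_REALM = "mme01.epc.example.invalid", "epc.example.invalid"


def update_location_request(end_to_end, origin_host=MME_HOST):
    return build_message(CMD_UPDATE_LOCATION, S6A_APPLICATION_ID, 0x1001, end_to_end,
                         [build_avp(AVP_ORIGIN_HOST, origin_host.encode()),
                          build_avp(AVP_ORIGIN_REALM, MME_REALM.encode())])


if __name__ == "__main__":
    hss_side = PeerGuard(MME_HOST, MME_REALM)
    ulr = update_location_request(0xA001)
    print(hss_side.check_request(ulr), hss_side.check_request(ulr))   # accepted, then replay
    print(hss_side.check_request(update_location_request(0xA002, "rogue.example.invalid")))
```

The binding of Origin-Host to the transport connection is what turns a forged IP address into a detectable mismatch: an impersonator must then also produce a connection that passed capability exchange as that host, which is where mutual TLS or IPsec on the SCTP association belongs. The replay window is per peer and per connection, so it does not help against a compromised Diameter agent that relays modified messages with fresh identifiers; that case (the last bullet on the slide) needs end-to-end integrity protection, which the base protocol does not provide.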
LTE PEERING VULNERABILITY – GTP
[Figure: the generic LTE architecture above with the peering path highlighted: GTPv2 and GTP-U over UDP/IP on S8 between the VPLMN S-GW and the HPLMN PDN-GW, crossing the IPX cloud.]
LTE PEERING VULNERABILITY
Attacks from a peering side – GTPv2 and GTP-U:
• GTP-in-GTP could be used as an attack – spoofing NEs, recursive GTP packet processing
• Rogue data from “trusted” partners
Remember – although GTP is “GPRS Tunnelling Protocol”, there is no built-in encryption.
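GTP-in-GTP is mechanically simple to detect at the peering edge: every G-PDU arriving over S8 carries one user IP packet as its payload (the T-PDU), and that packet should never itself be a UDP datagram addressed to the GTP-U or GTP-C port. The inspector below is an added example written for this page, not code from the talk or from any firewall product. It parses the GTP-U header as laid out in 3GPP TS 29.281 (including the optional field and extension-header chain), then looks at the inner IPv4 or IPv6 packet's transport header, and also treats any length inconsistency as a reason to drop, since a malformed outer header is itself a sign of rogue data from a partner. Port numbers are the real assignments (2152 for GTP-U, 2123 for GTP-C); the TEIDs, addresses and the two test datagrams are constructed.

```python
import socket
import struct

GTP_U_PORT, GTP_C_PORT = 2152, 2123       # UDP ports for GTP-U and GTP-C (v1 and v2)
GTPU_VERSION_1, GTPU_PT_GTP = 0x20, 0x10  # version field == 1 and PT == 1 (TS 29.281)
GTPU_MSG_GPDU = 255                       # G-PDU: the user IP packet (T-PDU) follows
IPPROTO_UDP = 17


def build_gtpu(teid, payload, msg_type=GTPU_MSG_GPDU):
    """Minimal 8-byte GTP-U header (no S/E/PN optional field) in front of a payload."""
    return struct.pack("!BBHI", GTPU_VERSION_1 | GTPU_PT_GTP, msg_type, len(payload), teid) + payload


def build_ipv4_udp(src, dst, sport, dport, payload):
    """IPv4 + UDP wrapper with zeroed checksums, sufficient for header parsing."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse_gtpu(data):
    """Return (message type, TEID, T-PDU); raise ValueError on any header inconsistency."""
    if len(data) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if (flags & 0xE0) != GTPU_VERSION_1 or not flags & GTPU_PT_GTP:
        raise ValueError("not a GTP-U version 1 header")
    if length != len(data) - 8:
        raise ValueError("length field disagrees with datagram size")
    offset = 8 + (4 if flags & 0x07 else 0)            # S, E or PN set: 4 optional bytes present
    if offset > len(data):
        raise ValueError("truncated optional field")
    if flags & 0x04:                                   # E set: walk the extension header chain
        next_type = data[offset - 1]
        while next_type != 0:
            ext_len = data[offset] * 4 if offset < len(data) else 0
            if ext_len == 0 or offset + ext_len > len(data):
                raise ValueError("bad extension header")
            next_type = data[offset + ext_len - 1]
            offset += ext_len
    return msg_type, teid, data[offset:]


def inner_transport(packet):
    """(protocol, destination port or None) of the IPv4/IPv6 packet carried as T-PDU."""
    if not packet:
        raise ValueError("empty T-PDU")
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl:
            raise ValueError("bad IPv4 header")
        proto, l4 = packet[9], packet[ihl:]
    elif version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        proto, l4 = packet[6], packet[40:]
    else:
        raise ValueError("T-PDU is not an IP packet")
    if proto not in (6, IPPROTO_UDP) or len(l4) < 4:
        return proto, None
    return proto, struct.unpack("!H", l4[2:4])[0]


def inspect_gtpu_datagram(data):
    """Verdict for one UDP/2152 datagram from a peer: 'forward' or 'drop: <reason>'."""
    try:
        msg_type, _teid, tpdu = parse_gtpu(data)
        if msg_type != GTPU_MSG_GPDU:
            return "forward"                           # echo, error indication etc. not inspected here
        proto, dport = inner_transport(tpdu)
    except ValueError as exc:
        return "drop: malformed (%s)" % exc
    if proto == IPPROTO_UDP and dport in (GTP_U_PORT, GTP_C_PORT):
        return "drop: gtp-in-gtp"
    return "forward"


# Constructed datagrams: an ordinary DNS query inside a tunnel, and a tunnel whose
# T-PDU is itself a GTP-U datagram aimed at a core node address.
BENIGN = build_gtpu(0x1234, build_ipv4_udp("10.1.1.1", "198.51.100.20", 40000, 53, b"\x00" * 12))
NESTED = build_gtpu(0x1234, build_ipv4_udp("10.1.1.1", "192.0.2.50", 2152, GTP_U_PORT,
                                          build_gtpu(0x99, b"\x00" * 4)))

if __name__ == "__main__":
    for name, dgram in (("benign", BENIGN), ("nested", NESTED), ("truncated", NESTED[:6])):
        print(name, inspect_gtpu_datagram(dgram))
```

The check belongs on the S8 (and S5, if the S-GW and PDN-GW are in different security zones) path before the T-PDU is decapsulated and routed, which is the only point where the outer tunnel and the inner packet are both visible. It is independent of the encryption question on the slide: IPsec between peering gateways hides the tunnel from third parties but does nothing about a partner that sends nested GTP over the protected link.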
LTE SGI VULNERABILITY
[Figure: the generic LTE architecture above with the SGi interface highlighted: the PDN-GW's IP connection to the Internet and to the L-GW, in both the VPLMN and the HPLMN.]
LTE SGI VULNERABILITY
Attacks from the Internet – SGi:
• DDoS attacks
• Botnets
• Exploit core network elements and turn them into attack vectors
• Viruses, worms, Trojans, overbilling
• Etc… etc… etc…
LTE UE VULNERABILITY
SMS Trojans:
• Polymorphic, mutating with every download
• Known as server-side polymorphism
• Existed in the world of desktops
• More can be found here – http://www.techworld.com.au/article/414311/symantec_warns_android_trojans_mutate_every_download
Attacks evolved from SMS type to application layer, covering ALL handheld devices – iPhones/iPads, Androids, RIM, Notebooks, etc., etc., etc…
• Spam messages
• Exploit of unregistered pre-paid SIM cards
• Exploit of signaling fraud
HENCE, LTE PROTECTION MUST HAPPEN @
• UE
• Network Infrastructure
• RANs
Against known and unknown attacks.
WHERE SHOULD LTE PROTECTION HAPPEN – A CLOSER LOOK …
[Figure: the generic LTE architecture above with LTE-FW (LTE firewall) elements placed at the RAN–core boundary in front of the MME and S-GW, on the SGi Internet edge of the PDN-GW, on the S8 and S9 peering paths towards the IPX cloud, and in front of the 3rd-party application function domain, in both the VPLMN and the HPLMN.]
Current States of Concern
CURRENT STATE OF CONCERN
• From operator’s perspective
• From user’s perspective
• From industry standard’s perspective
CURRENT STATE OF CONCERN – OPERATOR (1 OF 2)
• While convergence sounds great, should I converge all my networks – wireline, wireless, voice, data, others (?)
• How do I protect my cloud?
• Where is my “walled garden”?
• IP transport + UEs (walking servers) + apps bring security concerns
• Protocol vulnerabilities at signaling/control planes
• Open protocols/applications
• Lack of apps standards
• What are the possible vulnerabilities?
• Is it good enough to just do NAT/CGNAT?
• Are the threats really there?
CURRENT STATE OF CONCERN – OPERATOR (2 OF 2)
Exponential spread of UEs:
• Is this a déjà vu of wired line 10–15 years ago?
• How do I detect an infected UE?
• What do I do with an infected UE?
• Should I do policy enforcement with an infected UE?
• Can I be held liable for delivering customer traffic securely?
• Cost vs. risk
• Complexity vs. ease of management
Transition to IPv6:
• Could IP within IP pose more threat?
CURRENT STATE OF CONCERN – USER
Protect:
• My phone from viruses, Trojan attacks, worms, etc.
• Integrity of my data
• My privacy
Ensure:
• Secure access
• Secure services
• Proper billing
• Optimal use of my phone, including its battery life
• Privacy
CURRENT STATE OF CONCERN – STANDARDS
• Takes a long time
From a standards security perspective:
• Missing holistic view – it is rather piecemeal
• Optional encryption of EVERYTHING
Is it enough?
SOME PREVENTATIVE MEASURES
• Be careful with new Apps
• Anything free could bite you back – free WiFi, free app, free …
• Check for availability of security solutions for your UEs
• Be proactive in designing your protection: include protection of the protectors – firewalls; deploy FWs; deploy IPSec VPNs
• Be careful with what is encrypted; ensure you trust the termination elements of IPSec
Can you afford to trust them?
SOME KEY STRATEGY ELEMENTS
• Define Baseline: understand the “normal” traffic flows
• Throttle Traffic Close to Source: throttle at perimeter, as close to source as feasible. Pros – more accurate and controlled. Cons – could be scaling difficulty
• Apply FW protection: reduces the impact of unknown; evens the traffic flows; deploy elements of firewall features for DDoS, etc. attacks
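The "define baseline, then throttle close to the source" strategy on this slide, and the operator's question a few slides earlier about how to detect an infected UE, come down to the same per-subscriber computation. The script below is an added example for this page (not code from the talk or from Juniper): it learns a per-subscriber baseline from a training window of constructed flow summaries, then classifies each later minute as allow, watch or throttle. Volume alone above baseline is only a watch, because a large download looks the same; volume combined with an unusual number of distinct destinations is the scanning or flooding pattern that justifies a rate limit and an infection review. The record format, the sample data and the sigma/floor policy values are all assumptions.

```python
import statistics
from collections import defaultdict

# Constructed per-subscriber traffic summaries (not from the slides), as a PDN-GW or SGi
# probe might export every minute: (minute, subscriber, uplink packets, distinct destinations).
SAMPLE_FLOWS = [
    (0, "UE-A", 40, 3), (1, "UE-A", 50, 4), (2, "UE-A", 60, 5), (3, "UE-A", 45, 3), (4, "UE-A", 55, 4),
    (0, "UE-B", 10, 2), (1, "UE-B", 20, 3), (2, "UE-B", 15, 2), (3, "UE-B", 10, 3), (4, "UE-B", 20, 2),
    (0, "UE-C", 30, 2), (1, "UE-C", 30, 2), (2, "UE-C", 30, 2), (3, "UE-C", 30, 2), (4, "UE-C", 30, 2),
    (5, "UE-A", 52, 4),      # within its normal band
    (5, "UE-B", 900, 120),   # burst to many new destinations: scanning/flooding pattern
    (5, "UE-C", 200, 2),     # burst to its usual destinations: could be a large transfer
    (5, "UE-D", 5, 1),       # subscriber with no learned baseline
]
TRAINING_MINUTES = 5   # minutes 0..4 define "normal"
SIGMA = 3.0            # assumed policy: abnormal above mean + 3 standard deviations
FLOOR = 20             # assumed policy: never throttle below this many packets per minute


def learn_baseline(records, training_minutes=TRAINING_MINUTES):
    """Per subscriber: packet limit (mean + SIGMA * stdev, at least FLOOR) and max fan-out seen."""
    per_ue = defaultdict(list)
    for minute, ue, pkts, dests in records:
        if minute < training_minutes:
            per_ue[ue].append((pkts, dests))
    baseline = {}
    for ue, samples in per_ue.items():
        pkts = [p for p, _ in samples]
        baseline[ue] = {"limit": max(FLOOR, statistics.mean(pkts) + SIGMA * statistics.pstdev(pkts)),
                        "dests_max": max(d for _, d in samples)}
    return baseline


def decide(records, baseline, training_minutes=TRAINING_MINUTES):
    """Map (minute, subscriber) to (action, reason) for every record after the training window."""
    actions = {}
    for minute, ue, pkts, dests in records:
        if minute < training_minutes:
            continue
        b = baseline.get(ue)
        if b is None:
            actions[(minute, ue)] = ("allow", "no baseline yet; keep learning")
        elif pkts > b["limit"] and dests > b["dests_max"]:
            # Volume and fan-out both abnormal: rate-limit this subscriber at the
            # enforcement point nearest the source and queue it for infection review.
            actions[(minute, ue)] = ("throttle", "limit %d pkts/min, review for infection" % int(b["limit"]))
        elif pkts > b["limit"]:
            actions[(minute, ue)] = ("watch", "volume above baseline, destinations normal")
        else:
            actions[(minute, ue)] = ("allow", "within baseline")
    return actions


if __name__ == "__main__":
    for key, action in sorted(decide(SAMPLE_FLOWS, learn_baseline(SAMPLE_FLOWS)).items()):
        print(key, action)
```

Where the throttle is applied is the slide's trade-off: enforcing it per subscriber at the S-GW or PDN-GW (or via the PCRF as a policy rule) is as close to the source as the core can get and keeps the limit accurate, but the state scales with the number of attached UEs; enforcing an aggregate limit at the SGi firewall scales better but punishes well-behaved subscribers along with the infected one. Subscribers with no baseline get "allow" here rather than "throttle" so that a newly attached UE is not penalised for being unknown; a stricter policy would apply the FLOOR to them.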
WHO SHOULD BE RESPONSIBLE FOR YOUR MOBILE PROTECTION?
• You?
• Smart phone manufacturer?
• Service provider?
• Anybody else?
And: is mobile protection just that – “mobile” – or is it “YOUR Identity”?
A THREE-PILLAR VIEW: YOU + OPERATOR + MANUFACTURER
THANK YOU!
QUESTIONS? THOUGHTS?