[1] Heavy Reading, Ethernet Backhaul Tracker, June 2013.
Solution Brief
LTE Backhaul - Security Imperative
Scenario
- Clear text transmission at the mobile access border creates significant security exposure
- IPsec is the industry standard for site-to-site VPN

Stoke Solution
- Strongest industry confidentiality, integrity, authentication and availability
- Highest encrypted throughput: 15 Gbps/RU
- Ultra-low latency: < 20 microseconds

Benefits
- Prevent unauthorized access to EPC resources
- Maintain needed security levels without negatively impacting throughput and latency
- Protect EPC against signaling overload
Is Private Backhaul Now Untrusted?
Private backhaul has long been considered a trusted link for RAN-to-core and inter-data-center communications. Because the 3GPP standards require IPsec encryption only when the backhaul is untrusted, many mobile carriers and large enterprises have previously considered it unnecessary to secure the traffic carried over trusted backhaul. As a result, traffic is transmitted in the clear (unencrypted) across the mobile access border, the S1 interface between the eNodeB and the core.
Figure 1. Unencrypted "clear" traffic at the mobile access border.
Wherever there is clear text transmission, there is significant security exposure. If an attacker can intervene at the cell site, at a backhaul interconnection point, or at any other point on the S1 or X2 interface, he can read the clear text and potentially reach the larger network. This includes access to private subscriber transmissions (user plane) as well as to EPC resources through the control plane.
Carriers are increasingly becoming aware that LTE networks are far less secure than 3G. Heavy Reading has forecast that the percentage of LTE cell sites protected through IPsec will more than double in 2015 and exceed 50% by the end of 2017 [1].
Stoke, Stoke Session Exchange and the Stoke logo are trademarks of Stoke, Inc. Copyright 2013 Stoke, Inc. All rights reserved. Lit# 150-0039-001 2
Interception at the Cell Site
In 3G networks, physical intrusion into or vandalism of a cell site could result in localized service outages or service degradation. Access through the network, or over the air from the device, was not a concern in the proprietary 3G network. In LTE networks, however, by gaining access to an individual eNodeB/HeNodeB or to the backhaul links at a site, physically or through a smartphone, a hacker can potentially gain direct access to the entire packet core.
Malicious Entry
Once the unauthorized device has spoofed eNodeB credentials and gained access into the core, a hacker can initiate a number of different attacks on both the control plane and the user plane that potentially impact a much broader service area or even the entire network:
- Control Plane Denial of Service (DoS/DDoS): Injecting large volumes of signaling traffic (SCTP) or malformed and invalid S1-AP messages can overload the MME, slowing connection times or making MME resources unavailable for other services.
- User Plane Denial of Service (DoS/DDoS): Injecting large volumes of GTP traffic into the user plane can overload the serving gateway (SGW).
- User-plane packet injection: Malware or other malicious software can be added to user plane traffic destined for a number of EPC elements.
- Packet interception (eavesdropping): User data can be intercepted and financial credentials or other private user information stolen.
- Packet modification (man-in-the-middle): Changing user or control plane data can result in unbilled and unauthorized rogue use of the network.
Unintentional eNodeB Corruption
Improper software updates, hardware failures, or other software problems can cause an eNodeB to malfunction, sending malformed or out-of-order packets or large streams of connection requests that overload core resources.
Figure 2. Risks of unauthorized access.
[2] Source: Heavy Reading.
Small Cells Magnify Security Challenges
Small cells, situated in public venues or homes, are more vulnerable to physical tampering and have less physical security than macro cells. With their numbers expected to exceed 700,000 worldwide by the end of 2017 [2], physical security comparable to that of macro cells is cost prohibitive or impractical. Operators have struggled to keep up with the security risks; for example, earlier in 2013 Verizon Wireless had to apply a security fix to its private femtocell product line.
Interception at Backhaul Interconnection Points
Operators run multiple enormous data centers around the world that balance traffic loads and synchronize application and user data. Although connections from the public internet are encrypted via SSL, the traffic is unsecured, or clear, once it passes through the front-end servers and enters the unsecured domain of the private network cloud. That domain includes multiple potential interception points, such as shared data centers, undersea cable landings, internet exchange points and dedicated domestic point-to-point links. A breach at any of these points would allow user data to be intercepted.
Stoke Solution
Stoke Security eXchange is a cost-efficient, carrier-grade gateway solution, commercially proven in public networks to provide the highest level of secure backhaul protection without adding any appreciable latency. This defense-in-depth approach provides multiple layers of protection.
The compact 5 RU chassis provides the IPsec gateway and front-ends the servers connecting each data center, seamlessly originating and terminating IPsec tunnels and maintaining up to 80 Gbps of encrypted throughput per chassis, even for the smallest packet sizes. The energy-efficient solution provides the highest encrypted throughput per rack unit and per megawatt of power. Key features include:
- 2048-bit certificate support: ensures the validity of security associations between two network nodes.
- Ultra-aggressive automatic re-keying: a configurable option that automatically resets the key, limiting the amount of data exposed if a breach occurs.
- Public key infrastructure: eliminates the human error associated with pre-shared keys.
- Perfect forward secrecy (PFS): ensures that old keys will not be re-used.
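The four properties listed above (certificate-based authentication, automatic re-keying, a PKI instead of pre-shared keys, and perfect forward secrecy) are standard IKEv2/IPsec controls, not features unique to any one gateway. As an added illustration, which is not Stoke's configuration and not part of this brief, the fragment below shows how they map onto a strongSwan swanctl.conf for an eNodeB that initiates an IKEv2 tunnel to a security gateway (SEG) in front of the EPC. All addresses, identities, file names and address ranges are assumed placeholders; the private key is expected in strongSwan's /etc/swanctl/private directory and the operator CA in /etc/swanctl/x509ca.

```conf
# Added example: strongSwan swanctl.conf for S1 backhaul protection.
# Every address, identity and file name below is a placeholder.
connections {
    s1-backhaul {
        version = 2                              # IKEv2 only
        local_addrs  = 192.0.2.10                # eNodeB backhaul address (placeholder)
        remote_addrs = 198.51.100.1              # SEG address (placeholder)

        # IKE_SA proposal: AEAD cipher, PRF, and an ECDH group for the IKE exchange
        proposals  = aes256gcm16-prfsha384-ecp384
        rekey_time = 4h                          # periodic IKE_SA re-key
        dpd_delay  = 30s                         # dead peer detection keepalive
        send_cert  = always                      # always present our certificate

        local {
            auth  = pubkey                       # certificate authentication, no PSK
            certs = enb-0001.crt                 # 2048-bit RSA (or ECDSA) end-entity cert
            id    = "CN=enb-0001.ran.example.net"
        }
        remote {
            auth = pubkey
            id   = "CN=seg-01.core.example.net"  # must match the SEG certificate subject
            # the SEG certificate must chain to the operator CA in /etc/swanctl/x509ca
        }

        children {
            s1-mme-and-s1-u {
                mode      = tunnel
                local_ts  = 192.0.2.10/32        # the eNodeB itself
                remote_ts = 10.100.0.0/16        # MME / SGW address range (placeholder)

                # Including a DH group in the ESP proposal gives perfect forward
                # secrecy: each CHILD_SA re-key runs a fresh ECDH exchange, so an
                # IKE key compromised later does not expose earlier traffic.
                esp_proposals = aes256gcm16-ecp384

                # Aggressive re-keying bounds how much traffic any one key protects.
                rekey_time  = 1h                 # re-key after one hour
                rekey_bytes = 2000000000         # or after roughly 2 GB, whichever is first

                start_action = start             # bring the tunnel up at boot
                dpd_action   = restart           # re-establish if the SEG stops answering
            }
        }
    }
}
```

The two controls worth checking on a live gateway are that `auth = pubkey` is set on both sides (a leftover `auth = psk` is the human-error path the brief refers to) and that the `esp_proposals` string contains a DH group; without one, CHILD_SA re-keys derive new keys from the existing IKE_SA and the PFS property is lost even though re-keying still appears to happen.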
By deploying the Stoke Security eXchange solution, low latency forwarding for real
time data center services is ensured, the highest level of security provided and
unauthorized access prevented.