
LTE Backhaul - Security


[1] Heavy Reading, Ethernet Backhaul Tracker, June 2013.

Solution Brief

LTE Backhaul - Security Imperative

Scenario
Clear-text transmission at the mobile access border creates significant security exposure.
IPsec is the industry standard for site-to-site VPN.

Stoke Solution
Strongest industry confidentiality, integrity, authentication and availability.
Highest encrypted throughput: 15 Gbps/RU.
Ultra-low latency: under 20 microseconds.

Benefits
Prevent unauthorized access to EPC resources.
Maintain needed security levels without negatively impacting throughput and latency.
Protect the EPC against signaling overload.

Is Private Backhaul Now "Untrusted"?

Private backhaul has long been considered a "trusted" link for RAN-to-core and inter-data-center communications. Because the 3GPP standards (TS 33.401 for the S1 and X2 interfaces) require IPsec protection only when the backhaul is untrusted, many mobile carriers and large enterprises have previously considered it unnecessary to secure the traffic carried over trusted backhaul. The result is that traffic is transmitted in the clear (unencrypted) across the mobile access border, the S1 interface between the eNodeB and the core. Note that the over-the-air ciphering between the handset and the eNodeB terminates at the eNodeB; it provides no protection on the backhaul side of the cell site.

Figure 1. Unencrypted "clear" traffic at the mobile access border.

Wherever there is clear-text transmission, there is significant security exposure. An attacker who can intervene at the cell site, at a backhaul interconnection point, or at any other point on the S1 or X2 interface can read the clear text and potentially reach the larger network. This includes access to private subscriber transmissions (user plane) as well as to EPC resources through the control plane. Carriers are increasingly aware that LTE networks, with their flat all-IP architecture, are far less secure than 3G in this respect. Heavy Reading has forecast that the percentage of LTE cell sites protected through IPsec will more than double in 2015 and exceed 50% by the end of 2017 [1].

Stoke, Stoke Session Exchange and the Stoke logo are trademarks of Stoke, Inc. Copyright 2013 Stoke, Inc. All rights reserved. Lit# 150-0039-001


Interception at the Cell Site

In 3G networks, physical intrusion or vandalism at a cell site could cause localized service outages or service degradation, but access into the core through the network, or over the air from a device, was not a concern in the proprietary 3G architecture. In LTE networks, by contrast, an attacker who gains access to an individual eNodeB or HeNodeB, or to the backhaul links at a site, whether physically or from a mobile device, can potentially reach the entire packet core directly.

Malicious Entry

Once an unauthorized device has spoofed eNodeB credentials and gained access into the core, an attacker can initiate a number of different attacks on both the control plane and the user plane that potentially impact a much broader service area or even the entire network:

Control plane denial of service (DoS/DDoS): Injecting large volumes of signaling traffic (SCTP, the transport under S1-AP) or malformed and invalid S1-AP messages can overload the MME, slowing connection setup or making MME resources unavailable to other services.

User plane denial of service (DoS/DDoS): Injecting large volumes of GTP-U traffic into the user plane can overload the serving gateway (SGW).

User-plane packet injection: Malware or other malicious content can be inserted into user plane traffic destined for EPC elements.

Packet interception (eavesdropping): User data can be intercepted, and financial credentials or other private user information stolen.

Packet modification (man-in-the-middle): Changing user or control plane data in transit can result in unbilled, unauthorized, rogue use of the network.

Unintentional eNodeB Corruption

Improper software updates, hardware failures, or other software problems can cause an eNodeB to malfunction, sending malformed or out-of-order packets or large streams of connection requests that overload core resources. The core therefore has to withstand the same traffic patterns whether or not an attacker is behind them.

Figure 2. Risks of unauthorized access.
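The user-plane abuses listed under Malicious Entry (GTP-U floods at the SGW, injected packets on tunnels nobody set up) and the malformed traffic of a faulty eNodeB described just above can all be caught at the core edge with a few stateful checks on GTP-U headers. The following is an added example written for this page, not code from Stoke or from the brief: it parses GTPv1-U headers per 3GPP TS 29.281 and flags packets from addresses that are not provisioned eNodeBs, G-PDUs on TEIDs the SGW never allocated, malformed headers, and per-source floods. The eNodeB allow-list, the TEID table, the 50 pps ceiling and every sample packet are constructed for the illustration.

```python
"""Inspect GTP-U (S1-U) traffic arriving at the core for the user-plane abuses
described above: packets from sources that are not provisioned eNodeBs, G-PDUs
on tunnels the SGW never allocated, malformed headers, and volume floods.

Added example, not part of the brief or Stoke's product. Header layout follows
3GPP TS 29.281 (GTPv1-U); the eNodeB allow-list, TEID table, rate ceiling and
sample packets are all constructed for this illustration.
"""
import struct
from collections import defaultdict

GTPU_PORT = 2152
G_PDU = 0xFF          # message type carrying a tunnelled user IP packet
ECHO_REQUEST = 0x01   # path-management keep-alive


def build_gtpu(msg_type, teid, inner=b"", flags=0x30):
    """Build a GTPv1-U packet; flags 0x30 = version 1, PT 1, no optional fields."""
    return struct.pack("!BBHI", flags, msg_type, len(inner), teid) + inner


def parse_gtpu(payload):
    """Parse the mandatory 8-byte header, raising ValueError on anything malformed."""
    if len(payload) < 8:
        raise ValueError("truncated header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1 or not (flags >> 4) & 1:
        raise ValueError(f"not GTPv1-U (flags=0x{flags:02x})")
    if length != len(payload) - 8:   # length counts everything after the first 8 bytes
        raise ValueError(f"length field {length} != {len(payload) - 8} bytes present")
    hdr_len = 12 if flags & 0x07 else 8   # E, S or PN set: 4 optional bytes follow
    if len(payload) < hdr_len:
        raise ValueError("truncated optional header")
    return {"type": msg_type, "teid": teid, "inner": payload[hdr_len:]}


class S1UMonitor:
    """Stateful checks over GTP-U packets seen on the SGW side of the S1-U interface."""

    def __init__(self, enodebs, teids, max_pps):
        self.enodebs = set(enodebs)      # transport addresses of provisioned eNodeBs
        self.teids = set(teids)          # uplink TEIDs the SGW has allocated
        self.max_pps = max_pps           # per-source packets-per-second ceiling
        self.counts = defaultdict(int)   # (source, second) -> packets seen

    def inspect(self, src, dst_port, ts, payload):
        """Return a list of alert strings for one packet (empty if it looks normal)."""
        alerts = []
        if dst_port != GTPU_PORT:
            return alerts
        if src not in self.enodebs:
            alerts.append(f"{src}: GTP-U from unprovisioned source (rogue or spoofed eNodeB)")
        try:
            pkt = parse_gtpu(payload)
        except ValueError as err:
            alerts.append(f"{src}: malformed GTP-U ({err})")
            return alerts
        if pkt["type"] == G_PDU and pkt["teid"] not in self.teids:
            alerts.append(f"{src}: G-PDU on unallocated TEID 0x{pkt['teid']:08x}")
        key = (src, int(ts))
        self.counts[key] += 1
        if self.counts[key] == self.max_pps + 1:   # alert once per source per second
            alerts.append(f"{src}: more than {self.max_pps} pps at t={int(ts)}s (user-plane flood)")
        return alerts


def run_sample():
    """Replay constructed traffic through the monitor and return every alert raised."""
    mon = S1UMonitor(enodebs={"198.51.100.7"}, teids={0xA001, 0xA002}, max_pps=50)
    inner = b"\x45" + b"\x00" * 19          # stand-in for a tunnelled IPv4 packet
    alerts, t = [], 1000.0
    for i in range(5):                      # normal uplink G-PDUs from a provisioned eNodeB
        alerts += mon.inspect("198.51.100.7", GTPU_PORT, t + i / 100, build_gtpu(G_PDU, 0xA001, inner))
    alerts += mon.inspect("198.51.100.7", GTPU_PORT, t + 0.2, build_gtpu(ECHO_REQUEST, 0))
    # rogue cell-site device injecting on a tunnel the SGW never set up
    alerts += mon.inspect("203.0.113.9", GTPU_PORT, t + 0.3, build_gtpu(G_PDU, 0xDEAD0001, inner))
    # malformed header (version bits 0), as a faulty or fuzzing eNodeB might send
    alerts += mon.inspect("198.51.100.7", GTPU_PORT, t + 0.4, b"\x00\xff\x00\x10\x00\x00\xa0\x01")
    for i in range(60):                     # burst of 60 packets inside one second
        alerts += mon.inspect("198.51.100.7", GTPU_PORT, t + 1 + i / 100, build_gtpu(G_PDU, 0xA002))
    return alerts
```

`run_sample()` returns four alerts: two for the rogue source (unprovisioned address and unallocated TEID), one for the malformed header and one for the flood. Checks like these complement IPsec rather than replace it: once S1-U is carried inside authenticated tunnels the unprovisioned-source case cannot arise, but the malformed-traffic and flood cases still can, from a faulty or compromised eNodeB that is legitimately enrolled.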


[2] Source: Heavy Reading.


Small Cells Magnify Security Challenges

Small cells, situated in public venues or homes, are more vulnerable to physical tampering and have less physical security than macro cells. With their numbers expected to exceed 700,000 worldwide by the end of 2017 [2], physical security comparable to that of macro cells is cost-prohibitive or impractical. Operators have struggled to keep up with the security risks; for example, earlier in 2013 Verizon Wireless had to apply a security fix to its femtocell product line.

Interception at Backhaul Interconnection Points

Operators have multiple enormous data centers around the world that balance traffic loads and synchronize application and user data. Although connections from the public internet are encrypted with SSL/TLS, the traffic is unsecured (clear) once it passes through the front-end servers and enters the unsecured domain of the private network cloud. That domain includes multiple potential interception points, such as shared data centers, undersea cable landings, internet exchange points and dedicated domestic point-to-point links. A breach at any of these points would allow user data to be intercepted.

Stoke Solution

Stoke Security eXchange is a cost-efficient, carrier-grade gateway solution, commercially proven in public networks, that provides a high level of secure backhaul protection without adding appreciable latency. This defense-in-depth approach provides multiple layers of protection.

The compact 5 RU chassis provides the IPsec gateway and front-ends the servers connecting each data center, seamlessly originating and terminating IPsec tunnels and maintaining up to 80 Gbps of encrypted throughput per chassis, even for the smallest packet sizes. The energy-efficient solution provides the highest encrypted throughput per rack unit and per megawatt of power. Key features include:

2048-bit certificate support: Certificates with 2048-bit keys authenticate the security associations between two network nodes.

Ultra-aggressive automatic re-keying: A configurable option rotates keys at short intervals, bounding the amount of traffic exposed under any one key if a breach occurs. Short SA lifetimes are also a protocol requirement, not only a policy choice: ESP must establish a new SA before its 32-bit sequence number wraps unless extended sequence numbers are negotiated, and at 15 Gbps of minimum-size packets that wrap arrives within a few minutes.

Public key infrastructure: Certificate-based authentication eliminates the distribution burden and human error of pre-shared keys across many cell sites.

Perfect forward secrecy (PFS): Each re-key performs a fresh Diffie-Hellman exchange, so session keys cannot be derived from earlier keys or from the long-term credential; compromise of one key does not expose traffic protected under another.
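The four features above map directly onto an IKEv2/IPsec policy, and a policy that silently falls short on any of them is a common deployment mistake. As an added example for this page (not Stoke's software or configuration), the script below audits two constructed strongSwan swanctl.conf fragments against them: pre-shared-key versus certificate authentication, the size of the Diffie-Hellman group, whether esp_proposals names a DH group (which is how strongSwan turns on PFS for a child SA), and the child SA rekey_time. Connection names, file names and identities are made up, and the 15-minute re-key ceiling is an assumed threshold, not a value from the brief.

```python
"""Audit an IPsec gateway policy for the hardening points listed above: PKI
(certificate) authentication instead of pre-shared keys, 2048-bit DH strength,
aggressive re-keying, and perfect forward secrecy. Added example, not Stoke's
software: both policies are constructed strongSwan swanctl.conf fragments
(names and identities made up); the 15-minute re-key ceiling is an assumption.
"""
import re

WEAK_CONF = """
connections {
    s1-enb-0001 {
        proposals = aes128-sha1-modp1024    # 1024-bit DH group
        local {
            auth = psk                      # one secret typed at every cell site
        }
        remote {
            auth = psk
        }
        children {
            s1 {
                esp_proposals = aes128-sha1   # no DH group: no PFS on re-key
                rekey_time = 8h
            }
        }
    }
}
"""

HARDENED_CONF = """
connections {
    s1-enb-0001 {
        proposals = aes256gcm16-prfsha384-modp2048
        local {
            auth = pubkey
            certs = segw.pem
        }
        remote {
            auth = pubkey
            id = "CN=enb-0001, O=Example Operator"
        }
        children {
            s1 {
                esp_proposals = aes256gcm16-modp2048   # DH group: fresh keys on re-key
                rekey_time = 10m
            }
        }
    }
}
"""

MAX_CHILD_REKEY_SECONDS = 15 * 60   # assumed ceiling for a child SA lifetime
DH_GROUP = re.compile(r"\b(modp\d+|ecp\d+|x25519|x448|curve25519|curve448)\b")


def parse_conf(text):
    """Parse swanctl.conf's brace-delimited sections into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return stack[0]


def to_seconds(value):
    num, unit = re.fullmatch(r"(\d+)([smhd]?)", value).groups()   # 10m, 4h, 300
    return int(num) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[unit]


def dh_group(proposal):
    """Return the DH group named in a proposal string, or None if there is none."""
    match = DH_GROUP.search(proposal)
    return match.group(1) if match else None


def audit(conf_text):
    """Return the list of findings; an empty list means the policy passes."""
    findings = []
    for name, conn in parse_conf(conf_text).get("connections", {}).items():
        for side in ("local", "remote"):
            if conn.get(side, {}).get("auth", "pubkey") == "psk":
                findings.append(f"{name}: {side} authenticates with a pre-shared key; use certificates")
        group = dh_group(conn.get("proposals", ""))
        if group is None or (group.startswith("modp") and int(group[4:]) < 2048):
            findings.append(f"{name}: IKE DH group below 2048-bit strength ({group})")
        for child_name, child in conn.get("children", {}).items():
            label = f"{name}/{child_name}"
            if dh_group(child.get("esp_proposals", "")) is None:
                findings.append(f"{label}: esp_proposals has no DH group, so no PFS on re-key")
            rekey = child.get("rekey_time", "1h")   # strongSwan default when unset
            if to_seconds(rekey) > MAX_CHILD_REKEY_SECONDS:
                findings.append(f"{label}: rekey_time {rekey} exceeds {MAX_CHILD_REKEY_SECONDS // 60} minutes")
    return findings
```

`audit(WEAK_CONF)` reports five findings (pre-shared keys on both sides, a 1024-bit IKE group, no DH group in esp_proposals, and an 8-hour child SA), while `audit(HARDENED_CONF)` returns an empty list. The parser stops at `#`, so it cannot read a secret containing that character; with certificate authentication there is no shared secret to keep in the file at all.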

By deploying the Stoke Security eXchange solution, low-latency forwarding for real-time data center services is ensured, a high level of security is provided, and unauthorized access is prevented.