PUBLIC SAFETY COMMUNICATIONS, August 2013, www.APCOINTL.Org (pages 40-41)

Mobile Backhaul

An IP/MPLS Backhaul Network Provides Resilience & Enhanced Security Against Cyber Attacks

By David Christophe

[Figure 1: Securing the Communications Flow in Mobile Backhaul. The figure shows LMR base stations and an LMR controller, LTE base stations and the LTE Evolved Packet Core, all carried over an IP/MPLS backhaul, with five facets of security labeled: Access Control, Data Confidentiality, Communication Security, Privacy and Availability.]

Cybersecurity threats and attacks on government systems are increasing in frequency. In these and other emergency situations, it is critical to ensure the availability of mission-critical land mobile radio (LMR) voice communications, with minimal interruptions between first responders and dispatch. As public safety, utility and transportation agencies extend LMR backhaul networks to eliminate coverage gaps, and as they build capacity and an extended footprint for mobile broadband with LTE, they also have an excellent opportunity to further enhance security. Of course, with today's tight budgets, any solution must have a minimal impact on the overall cost.

Globally, agencies are deploying backhaul solutions based on IP/MPLS technology as their LMR network footprint expands, as well as to replace older backhaul equipment that lacks capacity or is no longer supported. This allows them to efficiently support new LMR systems and powerful IP-based applications, such as video surveillance, on a single secure network.

Converging all of this new and existing traffic onto a single backhaul network increases flexibility, simplifies network management, enhances security and reduces costs without jeopardizing reliability. For base stations that lack fiber or copper access, agencies are deploying packet microwave radio for transport, with IP/MPLS riding on top. An IP/MPLS backhaul network also provides the required foundation for mobile broadband with LTE.

Increased Security

Backhaul communications originate, transit and terminate in remote areas, as well as in close proximity to citizens, homes and businesses. This potentially offers cyber criminals entry points for hacking into an agency's communications network. As a result, an increased focus on security is warranted against these increasingly sophisticated threats. Figure 1 identifies several facets of securing the flow of communications in backhaul. The capabilities inherent in IP/MPLS protocols and routers secure this critical information and provide a flexible, powerful platform for further enhancements.

Access Control

Limiting physical equipment access to authorized personnel is a key element in securing backhaul communications. This may include placing equipment in locked enclosures and securing base station site perimeters with fencing. In remote areas, a motion-activated camera is deployed at a base station so that when physical security is compromised, the camera alerts an operations center and provides images of whatever activity is taking place at the site. Agencies can then initiate the appropriate, immediate response.

Limiting access to the IP/MPLS router and supported services is critical, and typically is handled with user IDs and passwords with defined spans of control. For example, a field technician may use an ID and password to access a base station router to initiate troubleshooting, but that person may only have the ability to view, not change, router system parameters. Strong technician/administrator system access security is provided with industry-standard Simple Network Management Protocol (SNMP) v3 confidentiality and integrity features and Secure Shell (SSH) encryption. Note that SNMPv3 delivers both protections only when agents are configured for the authPriv security level; the noAuthNoPriv and authNoPriv levels leave management traffic readable on the wire.

Within the IP/MPLS network, access control lists (ACLs) and filters are used to control access to specific users and host IP addresses. These prevent spoofing, denial-of-service (DoS) attacks and other malicious acts.

[Photo: Kevin Link]

[Figure 3: Inherent IP/MPLS & Incremental Capabilities to Secure Communications]

    Access Control          Password, Span of Control, Secure Shell (SSH), Access Control Lists, Firewall
    Data Confidentiality    Encryption
    Communication Security  VPN, MPLS
    Privacy                 Network Address Translation, Encryption
    Availability            Network Redundancy and Architecture, Intrusion Detection System, Intrusion Protection System

[Figure 2: Network Architecture & Use of MPLS Control & Failure Recovery Mechanisms for High Availability. The diagram shows LMR and LTE base stations and LTE small cells across a city, connected over an IP/MPLS backhaul whose links are protected by MPLS Fast Reroute.]

Network access security can be further enhanced with the inclusion of a firewall that helps stop unexpected and unwanted traffic from entering the network through the router. This includes a set of rules to determine which traffic passes or is dropped or rejected in each direction, based on criteria such as source and destination address or port. To tightly control access, a specific rule set is assigned to a specific port, host group or protocol. Example: traffic entering and exiting the port associated with the LMR base station can only go to, and originate from, the unique address associated with the controller. Other traffic is dropped or rejected.
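As an added illustration of the rule set just described (example code written for this page, not from the article and not any router's configuration language), the following Python model binds one rule set per port and direction, matches on source and destination address, protocol and destination port, lets the first matching rule decide, and drops anything no rule names. The addresses, the port name "lmr-bs" and the choice of where to reject rather than silently drop are assumptions made for the example:

```python
"""Stateless per-port filtering in the style the article describes.

Added example, not the article's or any vendor's configuration syntax: each
router port carries one rule set per direction, rules match on source and
destination address, protocol and destination port, the first match decides,
and anything unmatched is dropped. Addresses and port names are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing for the example.
CONTROLLER = ip_network("10.0.0.10/32")        # the controller's unique address
SITE_NET = ip_network("10.20.0.0/24")          # addresses used at the base station site
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    port: str          # router port the packet is seen on, e.g. "lmr-bs"
    direction: str     # "in" = entering the router from the port, "out" = leaving toward it
    src: str
    dst: str
    proto: str         # "udp", "tcp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit", "drop" (silently) or "reject" (tell the sender)
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Rule sets keyed by (port, direction). First match wins; no match means drop.
RULESETS = {
    # From the base station: must carry a site address (anti-spoofing) and may
    # only be addressed to the controller. A site host talking anywhere else is
    # rejected so the technician sees the failure instead of a silent black hole.
    ("lmr-bs", "in"): [
        Rule("permit", src=SITE_NET, dst=CONTROLLER),
        Rule("reject", src=SITE_NET),
    ],
    # Toward the base station: only the controller is allowed to originate it.
    ("lmr-bs", "out"): [
        Rule("permit", src=CONTROLLER, dst=SITE_NET),
    ],
}


def evaluate(pkt: Packet, rulesets=RULESETS) -> str:
    """Return the action for one packet: permit, reject or drop."""
    for rule in rulesets.get((pkt.port, pkt.direction), []):
        if rule.matches(pkt):
            return rule.action
    return "drop"            # implicit deny, including ports with no rule set at all


def demo():
    """Constructed packets exercising the rule set; returns their verdicts."""
    cases = {
        "bs_to_controller": Packet("lmr-bs", "in", "10.20.0.5", "10.0.0.10", "udp", 5000),
        "bs_to_other_host": Packet("lmr-bs", "in", "10.20.0.5", "10.0.0.99", "tcp", 22),
        "spoofed_src_at_site": Packet("lmr-bs", "in", "192.0.2.1", "10.0.0.10", "udp", 5000),
        "controller_to_bs": Packet("lmr-bs", "out", "10.0.0.10", "10.20.0.5", "udp", 5000),
        "other_host_to_bs": Packet("lmr-bs", "out", "10.0.0.99", "10.20.0.5", "tcp", 22),
        "unconfigured_port": Packet("mgmt", "in", "10.0.0.10", "10.20.0.5", "tcp", 22),
    }
    return {name: evaluate(pkt) for name, pkt in cases.items()}
```

The point worth noticing is the implicit deny at the end of evaluate(): a port that has no rule set at all passes nothing, so adding a new base station port to the router is fail-closed until someone binds a rule set to it. The anti-spoofing rule on the inbound side rejects a packet that claims a controller-side source from the base station port, which is exactly the spoofing the ACL paragraph above refers to.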

Data Confidentiality

Encryption and authentication can further enhance traffic privacy and confidentiality in the backhaul network, inhibiting eavesdropping and tampering with user voice, video and data traffic in transit. Even a cyber criminal who gained network access would not have visibility of the user traffic.

Widely deployed Internet Protocol Security (IPsec) can be used for Layer 3 (IPv4 and IPv6) traffic in a point-to-point encryption solution. With this protocol, each packet in a communications session is authenticated and encrypted. When a session is initiated, the cryptographic keys that will be used during the session are negotiated (via the Internet Key Exchange, IKE).

To inhibit the destabilization of synchronous services, 1588v2 packet authentication is deployed. For example, this might be used when 1588v2 (IEEE 1588-2008 Precision Time Protocol) is providing timing distribution for the backhaul network, to minimize the chance of a cyber criminal destabilizing the synchronization and causing base stations to shut down to avoid radio frequency interference.

Encryption also can be extended to additional types of traffic, such as TDM (not just IP with IPsec), and to router control plane communications. The latter inhibits a cyber criminal from gathering intelligence on the network topology and then, for example, changing routing adjacencies to disrupt or redirect backhaul traffic flows.
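The per-packet authentication that the two paragraphs above call for, whether for timing distribution or for control-plane messages, comes down to the same mechanism: the sender appends a keyed tag computed over the message, and the receiver discards anything whose tag does not verify, and anything it has already seen. The following added example (not from the article, and not the IEEE 1588 wire format; the message layout, the field names and the key are constructed for the example) applies that to a sync message carrying a sequence number, an origin timestamp and a correction field, and shows the receiver rejecting a packet whose correction field has been altered to skew the clock, and a replay of a packet that was valid the first time:

```python
"""Per-packet authentication for timing distribution messages.

Added example: a sync message carrying an HMAC-SHA256 tag and a sequence
number, so a receiver can reject forged, altered and replayed packets before
feeding them to its clock servo. The message layout and the key are
constructed for this example; this is not the IEEE 1588 Annex K wire format.
"""
import hashlib
import hmac
import struct

# Constructed demo key; in practice provisioned per master/slave pair.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Body: sequence number (u32), origin timestamp in ns (u64), correction in ns (s64).
BODY = struct.Struct("!IQq")
TAG_LEN = 32     # HMAC-SHA256 digest appended after the body


def build(seq: int, origin_ns: int, correction_ns: int, key: bytes = KEY) -> bytes:
    """Master side: serialize the fields and append the keyed tag."""
    body = BODY.pack(seq, origin_ns, correction_ns)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Slave side: verifies the tag, enforces a strictly increasing sequence,
    and counts what it rejected and why."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1
        self.rejected = {"bad_tag": 0, "replay": 0, "short": 0}

    def accept(self, msg: bytes):
        """Return (seq, origin_ns, correction_ns) if authentic and fresh, else None."""
        if len(msg) != BODY.size + TAG_LEN:
            self.rejected["short"] += 1
            return None
        body, tag = msg[:BODY.size], msg[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            self.rejected["bad_tag"] += 1
            return None
        seq, origin_ns, correction_ns = BODY.unpack(body)
        if seq <= self.last_seq:                        # replayed or stale sync message
            self.rejected["replay"] += 1
            return None
        self.last_seq = seq
        return seq, origin_ns, correction_ns


def demo():
    """Constructed exchange: one good sync, a tampered copy, a replay, the next good sync."""
    rx = Receiver()
    good = build(1, 1_376_000_000_000_000_000, 0)
    results = [rx.accept(good)]
    # Attacker rewrites the correction field to +1 ms to skew the slave clock.
    tampered = bytearray(good)
    tampered[12:20] = struct.pack("!q", 1_000_000)
    results.append(rx.accept(bytes(tampered)))
    results.append(rx.accept(good))                     # replay of the valid first message
    results.append(rx.accept(build(2, 1_376_000_000_125_000_000, 0)))
    return results, rx.rejected
```

Two details carry over directly to routing protocol authentication: the comparison is constant-time so an attacker cannot learn the tag byte by byte from timing, and the sequence check is what stops an attacker who cannot forge tags from simply recording a valid message and playing it back later.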

Communication Security

Virtual private networks (VPNs) isolate traffic, keeping it private and unaffected by other data streams. For example, one VPN is established for LMR user data traffic from a base station, and another for signaling traffic. Agencies can maintain communications security through the use of VPNs along with MPLS label swapping and its associated tables on routers, which ensure traffic only enters and exits the network at pre-identified points.

Privacy

To help ensure that the identification and use of devices on the network remains private, a network address translation (NAT) capability is added to an IP/MPLS network. This enables the device address on the network to remain hidden from outsiders while permitting access by authorized users. NAT obscures internal addressing but does not by itself filter traffic; it complements, rather than replaces, the ACL and firewall rules described above. Encryption can be deployed in backhaul to further enhance privacy and data confidentiality.

Availability

When economically feasible, backhaul can be architected for high resiliency through a network design that includes multiple paths to base stations and controllers. High network availability is achieved using control and failure recovery mechanisms such as MPLS Fast Reroute, which switches traffic in less than 50 ms to an alternative path upon detection of a failure (Figure 2). The sub-50 ms figure depends on the backup path being established before the failure and on fast failure detection (for example, loss of signal on the link or Bidirectional Forwarding Detection); computing a new path after the fact takes far longer. Mission-critical backhaul traffic can be made resilient to a link failure during congested periods when IP/MPLS is combined with packet microwave radio equipped with intelligent discard, utilizing multiple radio links.
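The label-swapping behaviour described under Communication Security and the Fast Reroute behaviour described here rest on the same forwarding tables, so one added example covers both (constructed topology, labels and router names; this is not the article's or any vendor's code). Packets can only enter the label-switched path at its provisioned ingress, every other router forwards purely by looking up the incoming label, and when the protected link fails, the router next to it pushes a bypass label it already holds instead of waiting for the network to re-converge:

```python
"""Label-switched forwarding with a pre-installed Fast Reroute bypass.

Added example (constructed topology, labels and names; not the article's or
any vendor's code) showing the two properties the article relies on: packets
can only enter an LSP at its provisioned ingress and are forwarded purely by
label swap tables, and when a protected link fails the router next to it
pushes a bypass label it already holds, instead of waiting for routing to
re-converge.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    labels: list = field(default_factory=list)   # label stack, top of stack is labels[-1]
    trace: list = field(default_factory=list)    # what each router did, for the reader


class Backhaul:
    # Primary LSP for the LMR VPN: A (base-station site) -> B -> C -> D (controller site).
    # Labels 100/200/300 are swapped hop by hop; D pops and delivers.
    # Bypass for protected link B-C: B -> E -> C using labels 500/600.
    LFIB = {
        "B": {100: (200, "C")},
        "C": {200: (300, "D"), 600: (None, None)},   # 600: pop bypass label, re-lookup inner
        "D": {300: (None, None)},                    # pop; empty stack = deliver locally
        "E": {500: (600, "C")},
    }
    INGRESS = {("A", "lmr-vpn"): (100, "B")}         # the only place this LSP can be entered
    BYPASS = {("B", "C"): (500, "E")}                # point of local repair -> bypass label

    def __init__(self, failed_links=()):
        self.failed = {frozenset(link) for link in failed_links}

    def link_up(self, a, b):
        return frozenset((a, b)) not in self.failed

    def inject(self, router, vpn, pkt):
        """Ingress: push the LSP label only if (router, vpn) is a provisioned entry."""
        if (router, vpn) not in self.INGRESS:
            pkt.trace.append(f"{router}: no LSP bound to {vpn} here, dropped")
            return "drop", None
        label, nh = self.INGRESS[(router, vpn)]
        if not self.link_up(router, nh):
            pkt.trace.append(f"{router}: link {router}-{nh} down, unprotected, dropped")
            return "drop", None
        pkt.labels.append(label)
        pkt.trace.append(f"{router}: push {label} -> {nh}")
        return "forward", nh

    def switch(self, router, pkt):
        """Transit/egress: swap or pop the top label; repair locally if the link is down."""
        while pkt.labels:
            top = pkt.labels.pop()
            entry = self.LFIB.get(router, {}).get(top)
            if entry is None:                     # label not provisioned here: no valid entry point
                pkt.trace.append(f"{router}: unknown label {top}, dropped")
                return "drop", None
            out_label, nh = entry
            if out_label is None:                 # pop
                pkt.trace.append(f"{router}: pop {top}")
                if pkt.labels:
                    continue                      # inner label exposed, look it up at this router
                pkt.trace.append(f"{router}: delivered to attached site")
                return "deliver", router
            pkt.labels.append(out_label)          # swap
            if self.link_up(router, nh):
                pkt.trace.append(f"{router}: swap {top}->{out_label} -> {nh}")
                return "forward", nh
            if (router, nh) in self.BYPASS:       # Fast Reroute: push the pre-installed bypass label
                b_label, b_nh = self.BYPASS[(router, nh)]
                pkt.labels.append(b_label)
                pkt.trace.append(f"{router}: link {router}-{nh} down, swap {top}->{out_label}, "
                                 f"push bypass {b_label} -> {b_nh}")
                return "forward", b_nh
            pkt.trace.append(f"{router}: link {router}-{nh} down, unprotected, dropped")
            return "drop", None
        pkt.trace.append(f"{router}: unlabeled packet, dropped")
        return "drop", None

    def send(self, vpn="lmr-vpn", ingress="A"):
        """Forward one packet end to end. Returns (egress router or None, hop trace)."""
        pkt = Packet()
        status, where = self.inject(ingress, vpn, pkt)
        while status == "forward":
            status, where = self.switch(where, pkt)
        return (where if status == "deliver" else None), pkt.trace
```

Backhaul().send() walks A, B, C, D; Backhaul([("B", "C")]).send() still reaches D, via E, using only tables that were installed before the failure, which is why the switchover can be local and fast. A packet arriving at any router with a label that router has no entry for is dropped, and only the (A, "lmr-vpn") binding can put a label on a packet at all, which is the "enters and exits only at pre-identified points" property from the Communication Security section. The unprotected C-D link shows the limit: with no bypass installed there, a failure drops traffic until routing recomputes.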

An intrusion detection system (IDS) detects and reports anomalous activities and behaviors recognized as attack patterns. It is combined with intrusion protection system (IPS) capabilities (more commonly called an intrusion prevention system) that automatically contain attacks, further ensuring high availability throughout backhaul.

IDS detects activities that may make the network unavailable for its intended use, for example denial-of-service (DoS)/distributed denial-of-service (DDoS), transmission control protocol reset (TCP RST) and TCP SYN (synchronize) flood attacks. It also detects the TCP/UDP port scan activities of cyber criminals seeking an open port for network access, and provides valuable attacker identification. One caveat: source addresses in SYN floods are frequently spoofed, so identification by address is more reliable for scans, which need a genuine return path to be useful to the attacker, than for floods.

IPS provides automatic mitigation actions in response to a detected intrusion. This can include separately defined actions for a service, port or group. For example, for the port associated with a base station, mission-critical backhaul traffic is placed on a white list to ensure that it gets through, while attacking traffic is blacklisted and excluded. Of course, during an attack the mitigation mechanisms will need to maintain the high throughput of the mission-critical traffic with low latency through the firewall.
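As an added example of the detection and mitigation steps the two paragraphs above describe (not from the article or any product; the thresholds, addresses and log line format are constructed for the example), the following code runs a SYN-flood and port-scan detector over constructed flow records, then applies the whitelist-first, blacklist-second policy so that flagged attackers are excluded while the controller's traffic passes even though its own polling pattern trips the scan detector:

```python
"""Attack-pattern detection and automatic mitigation over flow records.

Added example, not from the article or any product: a SYN-flood and port-scan
detector runs over constructed flow records, then an IPS step blacklists the
flagged sources while a whitelist of mission-critical endpoints is consulted
first so the controller is never blocked. Thresholds, addresses and the log
line format are assumptions made for this example.
"""
from collections import Counter, defaultdict

CONTROLLER = "10.0.0.10"            # LMR controller (constructed address)
WHITELIST = {CONTROLLER}            # mission-critical endpoints the blacklist may not touch
SYN_FLOOD_THRESHOLD = 50            # half-open SYNs from one source within WINDOW_S
PORT_SCAN_THRESHOLD = 10            # distinct destination ports touched by one source
WINDOW_S = 1.0


def parse(line):
    """'t=0.20 src=198.51.100.7 dst=10.0.0.10 dport=445 flags=S' -> dict."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["t"] = float(rec["t"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect(records):
    """IDS step: return {source: reason} for sources matching an attack pattern."""
    alerts = {}
    syn_times = defaultdict(list)   # source -> timestamps of SYNs that carried no ACK
    ports = defaultdict(set)        # source -> distinct destination ports seen
    for r in records:
        src = r["src"]
        if "S" in r["flags"] and "A" not in r["flags"]:
            window = syn_times[src]
            window.append(r["t"])
            while window and r["t"] - window[0] > WINDOW_S:   # slide the window
                window.pop(0)
            if len(window) >= SYN_FLOOD_THRESHOLD:
                alerts.setdefault(src, "syn_flood")
        ports[src].add(r["dport"])
        if len(ports[src]) >= PORT_SCAN_THRESHOLD:
            alerts.setdefault(src, "port_scan")
    return alerts


def mitigate(records, alerts):
    """IPS step: whitelist first, then blacklist, then pass. Returns (blacklist, verdicts)."""
    blacklist = set(alerts) - WHITELIST
    verdicts = Counter()
    for r in records:
        if r["src"] in WHITELIST:
            verdicts[(r["src"], "pass-whitelisted")] += 1
        elif r["src"] in blacklist:
            verdicts[(r["src"], "blocked")] += 1
        else:
            verdicts[(r["src"], "pass")] += 1
    return blacklist, verdicts


def sample_records():
    """Constructed traffic: a port scanner, a SYN flooder, a base station, the controller."""
    lines = []
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
        lines.append(f"t={0.01 * i:.2f} src=198.51.100.7 dst={CONTROLLER} dport={p} flags=S")
    for i in range(60):                       # 60 half-open SYNs in 0.6 s
        lines.append(f"t={0.01 * i:.2f} src=203.0.113.9 dst={CONTROLLER} dport=5060 flags=S")
    lines += [f"t=0.05 src=10.20.0.5 dst={CONTROLLER} dport=5060 flags=S",
              f"t=0.06 src=10.20.0.5 dst={CONTROLLER} dport=5060 flags=A"]
    for i, p in enumerate(range(161, 173)):   # controller polls 12 management ports: legitimate
        lines.append(f"t={0.02 * i:.2f} src={CONTROLLER} dst=10.20.0.5 dport={p} flags=S")
    return [parse(line) for line in lines]


def run():
    """Detect, then mitigate, over the constructed records."""
    records = sample_records()
    alerts = detect(records)
    blacklist, verdicts = mitigate(records, alerts)
    return alerts, blacklist, verdicts
```

The order of checks in mitigate() is the whole point: the controller does trip the port-scan detector here, and if the blacklist were consulted first the IPS would take the mission-critical path down itself. The same ordering is why the whitelist must be kept short and tied to addresses the ACLs already protect from spoofing; otherwise an attacker who can forge a whitelisted source address inherits its exemption.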

Goal: Resilience

The capabilities inherent in IP/MPLS routers are securing backhaul network communications. An opportune time to further enhance security capabilities is when extending a network's reach and adding capacity in preparation for mobile broadband with LTE. IP/MPLS router solutions that provide capabilities such as encryption, firewall, intrusion detection/protection and NAT, along with a resilient network architecture, will make backhaul more resilient to the growing frequency and sophistication of cyber security attacks.


David Christophe is a marketing director at Alcatel-Lucent. Send questions or comments to him at [email protected].

Securely extending Mobile backhaul