As LTE is deployed worldwide, seamless communications among all forms of devices and access methods to the All-IP LTE core are advancing daily. There are now more new services, at higher speeds, and with greater reliability than ever before.
These advances bring new revenue opportunities, but also new and advanced security threats. Historically, carrier-grade telecom networks have had an excellent record for user and network security. However, today’s communications infrastructure is more vulnerable than its predecessors.
The internet is becoming an integral part of all communications. With corporate network security breaches everywhere affecting millions of users, networks must address security at all levels.
Attacks can come in many different shapes and sizes; user malware, fraudulent calls, spam, viruses, data and identity theft, and denial of service, to name just a few examples.
The rise in security threats is partly due to the growing deployment of carrier Wi-Fi access infrastructures and small cells in public areas, offices and homes, and will increase exponentially with M2M and the Internet of Things.
ABI Research predicts that by 2016, half of all small-cell security gateway revenue will come from the enterprise space, reflecting greater exposure to risk and far greater loss potential.
Each enterprise site is an IP access point to the networkthat could potentially be used as an entry point by attackers and hackers. Operators and enterprises need to take steps to ensure their networks are safe, while continuing to respond to the relentless demand for the ubiquitous coverage and faster data speeds both home and enterprise customers expect.
These new security risks are being exposed by the move to the IP-centric LTE architecture. The deployment of LTE is a primary driver behind the security risks as the LTE architecture is much flatter and more IP-centric than 3G, meaning there are fewer steps to access the core network.
With 3G, the radio network controller (RNC) controls all access to the base stations, meaning that potential hackers can’t get close to the core network. In LTE, IP backhaul is mandatory, but the RNC node is eliminated, giving a potential attacker a straighter path to the core network.
Operators recognise that IPsec tunnels will be required at every cell site connected to an insecure network for the purpose of authentication and encryption.
Tiered security solutions
Operators must be prepared to meet every threat. Security gateways and firewalls have been the go-to devices for IP, but not all such devices are configured or priced appropriately to need.
To meet today’s threats, no single device can be the right fit for all circumstances. Operators need to address security as a multi-level problem. IPsec encryption and authentication provides the most basic layer of user and network security.
LTE IP backhaul creates a major risk, potentially exposing both the control and user data plane to attacks. TDM (time-division multiplexing) protocols such as SS7 and end-to-end authentication and encryption in 2G and 3G networks have meant that, historically, wire line and mobile networks have been inherently secure.
However, LTE does not benefit from this mandatory protection. Until recently, the growth of IP in telecoms networks has tended to be in the core network, and therefore was secure, as it was far enough away from the user and edge of the network to be protected by traditional security methods.
This is no longer true. Protection is imperative at the edge of the core; access protection that only a security gateway can provide. To keep the network running smoothly and safely, the less protocol filtering or packet inspection at this point the better.
Core node IPsec and Protocol filtering
Protecting access to the core network is not enough in LTE networks. As shown in Figure 1 above right, there is a direct path from the eNodeB or small cell directly into the network. If secure access to the core is breached, there are innumerable signalling and bearer paths between core network elements to exploit unless protected internally.
Connection protection can be achieved with an embedded IPsec security gateway in each node. This provides encryption of all control and data plane traffic. An advanced security gateway within the core provides checkpoints to ensure that only truly authorised traffic is passing through the network.
DPI (Deep Packet Inspection)
Network security starts with the mobile user and ends up affecting core services. Operators and vendors alike must ensure the highest levels of device security and educate users to protect themselves. Even if encryption is embedded on the device, applications must make use of it, and of course the device itself must be secured by the use of multi-factor authentication.
At the end of the day, even the most secure network cannot protect against bad data packets it may receive from compromised devices. In that case, the network must have protection at the receiving end of the connection.
Security within the network, especially at data centres and service nodes, must be addressed by security applications with DPI capabilities to identify hidden threats in packet streams and prevent attacks on these essential network services.
Once the network is protected, end-to-end, there can be no performance bottlenecks in terms of throughput and latency. Security cannot simply be effective; it must also be highly efficient.
Operators must choose high-throughput, right-featured, flexible security solutions to ensure their competitive advantage. Only then can they continue to build out their networks to reach more users while also protecting them, and enabling them to take advantage of the growth opportunities available in the expanding ultra-broadband mobile market