
LTE transport network security

Jason S. Boswell
Head of Security Sales, NAM
Nokia Siemens Networks

© Nokia Siemens Networks


New evolved Networks - new security needs

Mature networks

Walled Garden Transport & Protocols
- E1 / T1
- ATM
…..
- MTP
- SCCP
- TUP / ISUP…..

Manual network enrollment
- Manual commissioning on site
- Fully pre-planned network configuration
- Pre-planned transport relations
- Pre-planned security peers

“All IP” networks

Open IP based Networks
- Carrier Grade Ethernet
- IP / SIP / …

“SON” networks

Self Organizing Networks
- Plug and Play networks
- Automated network configuration
- Automated network integration
- Automated connection establishment

Public IP threats

Enforcing Ciphering and Integrity Protection
Enforcing Network Element Authentication
© Nokia Siemens Networks Proprietary – NSN Security / May 2012


So why do we need new 3GPP standards?

In the past - Protected by proprietary protocols and a closed environment
[Diagram labels: 3G, RNC, Operator Services, Internet; Non IP transport traffic]

Now - We have IP outside of the operator buildings – large threat footprint in small cell deployments
Radio Access Transport is now IP Based
[Diagram labels: LTE, Operator Services, Internet; Non IP transport traffic, IP transport traffic]

TS 33.210 - Network Domain Security
•IPSec in tunnel mode between Security Gateways
•IPSec profile and configuration

TS 33.401 - Security Architecture
•Defines IPSec for S1-MME & X2 Control plane and S1 & X2 User plane
•IKEv2 certificates based authentication
•Authentication by Public Certificates

TS 33.310 - Authentication Framework
•Specifies rules for Cross Certification between operators



3GPP Standardization Background

Technical Specification

TS 33.210
Network Domain Security
•IPSec in tunnel mode between Security Gateways
•IPSec profile and configuration

TS 33.401
Security Architecture
•Defines IPSec for S1-MME & X2 Control plane and S1 & X2 User plane
•IKEv2 certificates based authentication
•Authentication by Public Certificates

TS 33.310
Authentication Framework
•Specifies rules for Cross Certification between operators



Security threats to Radio Access transport of LTE

Radio Access Transport in LTE
- Eavesdropping of user traffic
- Denial of Service
- eNodeB spoofing
- Unauthorized access of eNodeB and other network equipment



Business impact of materialized threats on Radio Access transport of LTE

Radio Access Transport In LTE
- Loss of Revenue
- Subscribers canceling their Subscription
- Contractual Penalties
- Damage to Image



LTE Transport Security Solution Overview

Base stations have IPSec support. *needs to be native/on-board for compliance
Security Gateway
Firewalled infrastructure w/in Core

[Diagram: Security Solution components. Labels: UE, eNB, Cert, IPSec tunnel, Cert, Core, Internet and Operator Services, PKI Solution, O&M]

Business Benefits
 Risk mitigation of
  - Service unavailability (caused by DoS)
  - Eavesdropping of user traffic
  - Unauthorized access of network elements
  - eNodeB spoofing
 OPEX effective solution that enables strong mutual authentication to establish secure connections between network elements
 Multi-vendor capable Transport Security and PKI solution that can be integrated to existing infrastructure

Malicious end-user activity
Can have many forms …

- Man-in-the-Middle (MITM): Eavesdropping, chosen-ciphertext attack, substitution attack, replay attack
- Spoofing: IP address spoofing, Caller ID spoofing …
- Distributed Denial-of-Service (DDoS): Botnets/Dosnets, peer-to-peer attacks, Distributed Reflected DoS (DRDoS) attacks like ICMP echo request and DNS amplification attacks …
- Denial-of-Service (DoS): SYN flood, LAND attack, Smurf attack, Ping of death, Teardrop attack …



LTE Architecture Overview

[Architecture diagram. Domains: Access / Transport, Evolved Packet Core (EPC), Services. Labels: eNodeB, Integrated SeGW, Certificate, X2, SeGW, MME, HSS, PCRF, SAE GW, OSS, FW, Certificate Server (Identity Management), Operator Services, Internet. Legend: Control plane, User plane, IPSec, TLS / HTTPS.]

PKI is applied to
•Authenticate network elements
•Authorize network access
•Protect integrity and confidentiality on transport path for all planes (control/user/management/sync)



Closing Points

LTE Transport security ensured w/out compromising performance, design, flexibility or manageability of the network

- 3GPP compliant Certificate Authority and IPSec solution (TS 33.210, TS 33.401, TS 33.310)
- Maintain CIA – Confidentiality, Integrity & Availability even in “high risk” environments
- Efficient operation through automated certificate life cycle management and complete integration into O&M systems.
- Highest security across all layers
  - User plane
  - Control plane
  - Management plane
- Cost savings through zero footprint installations w/ inbuilt IPSec + Plug & Play deployment
