YOU ARE AT:Evolved Packet Core (EPC)Reader Forum: Next-generation service provider security – dynamic multi-layered defense

Reader Forum: Next-generation service provider security – dynamic multi-layered defense

Editor’s Note: Welcome to our weekly Reader Forum section. In an attempt to broaden our interaction with our readers we have created this forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: dmeyer@rcrwireless.com.

The concept of service provider security is undergoing a significant shift due to changes in several key areas: business, technology and the profile of the attacker.

Business trends

Historically, the main revenue sources for service providers have been voice and messaging; however, data revenue is growing with a clear trend toward new services such a monetization, mobile commerce, banking and mobile health. Can you imagine a mobile health ecosystem without a clear security mechanism that also addresses the network? Or mobile commerce, which currently runs over SMS, without comprehensive security mechanisms that include the overall networking ecosystem?

Do we trust these ecosystems today?

From an information privacy perspective, LTE networks are inherently less secure than previous generations, and without dedicated security mechanisms, user information is easily accessible to the hackers through, for example, man-in-the-middle attacks.
User awareness of the lack of security is definitely increasing, largely due to the NSA case. Service providers will be held responsible if they are not deploying the right security defense systems.

Technology trends

LTE networks are less secure than 3G because there is not protection between ENodeBs and the trusted evolved packet core. With small cells, picocells, Wi-Fi AP and microcells, security risks are accelerating because hackers potentially will have physical access to these devices, enabling them to initiate attacks toward the EPC, even if additional security measures in the form of IPSec VPNs are deployed. (In the latter case, attacks would propagate inside the IPSec tunnel.)

Lately, we are hearing a lot about signaling storms causing network outages and congestions. We know that signaling traffic is increasing almost three-times faster than data traffic and that until recently, it was not a dedicated hacker’s attack behind the signaling storms. A “Heavy Reading Mobile Network Outages and Service Degradations Survey” from October 2013 states: “Over the last 12 months at least 60% of mobile operators have suffered a network outage or service degradation lasting at least one hour that was caused by a malicious attack and affected a substantial part of the network.” That number may now be higher because it’s not easy to analyze the root cause of all incidents or to detect malicious traffic.

Lastly, network functions virtualization and software-defined network trends will require a new security approach and security architectural innovation.

Profile of the attacker

More and more, we are dealing with “for-profit” illegal cyber attackers. In itself, a DDoS attack is very painful, everyone can see it. The challenge is that more cyber criminals are attacking in the “low and slow” manner, trying to fly under the radar of the current generation security systems. This new type of attack is very difficult to detect and sometimes can go on for years before being detected.

What is needed: Dynamic multi-layered defense

To address the above trends and threats, dynamic multi-layered defense has to be developed, not niche point products that can protect from just one or very few security vulnerabilities.

Multi-layered security is an architectural innovation and approach that addresses all aspects of potential vulnerabilities.
Starting from access and device management, strong identity and federated identity, service providers – from a security perspective – should have the knowledge and ability to control devices and users, and then correlate users’ identities across different systems and devices.

Radio access security, sometimes called security gateway, is the new front of potential attacks based on new vulnerabilities in LTE networks architecture. Wi-Fi security is in the same class of radio access security mechanisms that can be addressed in a similar manner.

In addition to the current focus on DNS security and security at the network/data layer, more should be done on the signaling front. This is where hackers, by sending just a few signaling messages, can remain under the radars of service providers and be undetected for years.

Dynamic security

A vast majority of security policy changes are done manually, without correlation to the policy decision mechanism of service providers.

Service providers should have the ability to change security policies dynamically per user and per application in real time based on policies calculated by policy decision mechanisms. For example, in addition to the traditional S/Gi FW capabilities, service providers should be able to change security policies on the S/Gi interface dynamically in real time using protocols that were designed to convey LTE network policy decisions.

All layers, one goal: Comprehensive protection

In today’s environment of constantly evolving threats, service providers require flexible solutions that can dynamically adapt and react. This adaptation should be in orchestration with the real-time policy decisions mechanism that service providers currently use. By making this dynamic security granular, service providers will be much better equipped to protect against both known and unknown patterns.

If even one of these pieces of a comprehensive, multi-layered security approach is missing, service providers can easily be vulnerable to a potential loss of network integrity, revenue and reputation.

ABOUT AUTHOR