adaptivemobile lte whitepaper a4 1212
7/27/2019 AdaptiveMobile LTE Whitepaper A4 1212
AdaptiveMobile Whitepaper Mobile Network Security: The Challenges & Solutions in an LTE Landscape
In the interim, however, there will be a range of back-end core networks being used to
integrate to LTE. This range is fully supported by LTE, including features such as the
use of Circuit-Switched (CS) fall-back to handle voice and SMS in the absence of
IMS networks.
The result of this flexibility is that any associated solutions, in this case security, have to be
equally flexible. Due to the presence of mixed networks, it is important that any security
solution deployed on LTE networks is able to handle the presence of legacy networks and
not simply assume that all traffic will take one form or one path.
Security Handling in LTE today
Discussions addressing security in LTE networks normally revolve around the
following areas:
• Flatter and more open IP architecture, as the Radio part is terminated in the access
network, leads to potentially greater attack vectors
• Interworking is possible with a variety of legacy and non-telecom networks,
which may inject unwanted traffic
• LTE allows placement of Radio nodes (eNodeBs) in untrusted locations
To address this, most security designs for LTE/4G have focused on low-level
processes, including:
• Extended authentication & key sharing and end-to-end confidentiality
• More complex interworking security
• Additional security in eNodeBs
The above has been delivered within the standards by various mechanisms, such as building
the key exchange and authentication mechanisms into the signalling flows between the LTE
nodes, especially those involving the eNodeBs, and also via firewall mechanisms, such as the
3GPP-defined SEG.
However, while these address potential structural security issues at a low level, discussion
of security concerns at a higher level in the LTE network seems to have been neglected in
the standards sphere. There has been some discussion about reusing the existing Policy
mechanisms in the LTE network to provide application-level security. For example, within
the LTE network, the PCRF node fulfils key roles in the Policy and Charging areas of the
LTE network. While potentially attractive, this suffers from serious flaws, of which the most
pertinent is that the PCRF simply does not have the visibility, or the control, to adequately
handle changing threats. While its functionality can be reused to provide a measure of
security (see later sections for further details), in normal operation it is simply not designed
to adequately address the security threats which will arise. What some of these future threats
will be is unknown; however, past experience demonstrates that the changing nature of telecom
threats requires a platform that is flexible and designed with a core competence in providing
a secure network.
Application-level Security threats in LTE
As discussed, LTE is really an evolution of the existing network technologies, and will also
interwork with a variety of legacy radio and core networks. This means that upper-level
security concerns in these legacy networks could be carried over on to the LTE network.
Other reasons why additional threats could emerge over time include:
• Reduced prices for mobile IP usage and network access mean that the cost to send
spam and generate malicious traffic is reduced
• Higher data rates and proliferation of IP devices (including those from outside the LTE
network) will result in an increase in the number of bad actors and make identifying
maliciously infected devices more difficult
• An increasing number of non-human-attended devices (M2M etc.) will be present
on the same network, with potential for misuse, especially in critical areas
• Additional handset functionality, more capable devices and additional processing power,
combined with greater data usage, increase the ability to run botnets and viruses
• Mobile device-based AV scanning solutions (as per the PC model) will become
increasingly less sustainable due to increasing battery demands and the continuing rise in
the amount of mobile malware the AV solutions have to look for
• Changes in technology and communication uses; for example, messaging sessions in LTE
will no longer be confined only to 2 users and 160 characters; instead, LTE will allow
multi-user conversations with file transfers, making security for spam and malware links
much more difficult to implement
In addition to these emerging threats, existing telecom frauds will continue, such as the
monetization of premium-rate numbers by mobile malware or voice fraud, the exposure of
key personal information via a handset or the network, and the revenue opportunities for
those who continue sending unwanted communications or spam.
So while security concerns at the lower level of LTE have been addressed, upper-level
security threats still need to be tackled and are becoming more urgent.
To provide effective protection it is essential to identify threats as they occur. The key
hindrance in an LTE network is the sheer amount of data, resulting in the need for
sophisticated off-line analysis in order to determine when traffic is unwanted,
malicious or harmful.
In combining these two functionalities, the Analytics system is able to provide a web-based
user interface which allows security analysts the ability to review the current state of the
network, analyse threats and take actions - such as making network adjustments in order to
block, re-route or throttle data traffic.
From Detection to Mitigation
Once the data has been analyzed and any security threats detected, an integrated network
solution is required to mitigate the threat. In many cases, threat intelligence can determine
with absolute confidence that an attack is underway. Traffic destined for known phishing
sites or for botnet command and control hosts is compelling evidence that an immediate
response is required.
However, there are also occasions when a degree of uncertainty is involved. A sudden
increase in messaging traffic could be a legitimate marketing campaign or it could be a
spam attack. A large number of subscribers accessing a web-site can be the result of a
successful viral marketing campaign or it could be a distributed denial of service attack.
This uncertainty is best resolved by application layer inspection of traffic flows, in which
case these flows need to be forwarded to a mitigation solution. Depending on the nature of
the attack, it may also be prudent to throttle this traffic temporarily, thereby reducing the
immediate impact while the situation is analyzed by an inline mitigation device.
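The triage described above, sketched as an added example (not code from the whitepaper or from AdaptiveMobile's products): a threat-intelligence match yields an immediate block, while an unexplained volume spike yields a temporary throttle plus forwarding to application-layer inspection. The action labels, the z-score threshold, the `KNOWN_BAD` set and all sample windows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed threat-intelligence entries (reserved example names/addresses).
KNOWN_BAD = {"phish.example.net", "203.0.113.50"}

@dataclass
class Window:
    key: str           # traffic aggregate, e.g. a sender or a web site
    destination: str   # host the aggregate's traffic is going to
    count: int         # events in the current window
    history: list      # counts from earlier windows (baseline)

def triage(w, z_threshold=3.0, min_history=5):
    """Map one observation window to a list of network Actions."""
    # Certain case: destination is on the threat-intelligence list.
    if w.destination in KNOWN_BAD:
        return ["block"]
    # Too little baseline to call anything a spike.
    if len(w.history) < min_history:
        return []
    mu = mean(w.history)
    # Floor sigma so a flat baseline neither divides by zero nor
    # flags a tiny absolute increase.
    sigma = max(pstdev(w.history), 1.0, 0.1 * mu)
    if (w.count - mu) / sigma >= z_threshold:
        # Uncertain case: campaign or attack? Limit impact and let the
        # inline device inspect the flows at the application layer.
        return ["throttle", "reroute_to_inspection"]
    return []

# Constructed sample windows.
SAMPLES = [
    Window("sender:A", "phish.example.net", 3, [2, 3, 2, 3, 2]),
    Window("site:shop", "shop.example.com", 5000, [400, 420, 390, 410, 405]),
    Window("sender:B", "sms.example.org", 430, [400, 420, 390, 410, 405]),
    Window("sender:new", "new.example.org", 9999, [1, 2]),
]

def run(samples=SAMPLES):
    return {w.key: triage(w) for w in samples}

if __name__ == "__main__":
    for key, actions in run().items():
        print(key, actions or ["allow"])
```

An aggregate with no baseline (`sender:new`) passes through this check untouched, so a deployment would pair it with an absolute rate cap.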
Analytics not only provides the means to detect new threats, but also the intelligence to take
appropriate action to minimize the risk to subscribers and to the network infrastructure.
Security threats are dynamic and constantly evolving; for example, bots may lie dormant on
devices and then spring to action, malware can be inadvertently installed on a device at any
time and phishing attacks can be triggered by receiving an email or other message. Therefore
the LTE architecture for IP-network security must take this dynamic aspect into account.
Action
AdaptiveMobile's Network+ Protection Platform (NPP+) has been designed to provide
a consistent policy-based view of user behavior across all services including SMS, MMS,
Email, Voice and Web, allowing operators to identify new exploits, whether these are mobile
viruses, denial of service attacks, spam or fraudulent phishing attacks, and respond rapidly to
protect their network assets, subscriber privacy and subscriber credit.
Once the NPP+ security platform has detected a new threat, it is critical that a response is
implemented immediately. The NPP+ applies these responses as network Actions. How these
Actions are enforced depends on the network architecture available. The following section
reviews some network architecture options and discusses the advantages and disadvantages
of each.
Responding to security threats by making policy changes within the PCRF infrastructure is
assumed by some network architects to be an appropriate response. The assumption here is
that service control is the responsibility of the PCRF and traffic user plane nodes such as the
GGSN, PDSN or PGW within the Packet Core, with the PCRF acting as the policy decision
point and the nodes within the packet core responsible for subsequent enforcement of
these decisions. However, there are some serious drawbacks to this approach when it comes
to security.
Actions | Via PCRF (to User Plane Node) | Direct to User Plane Node (with integrated DPI function) | Standalone DPI
Bandwidth Throttling  Depends on Vendor
Blacklisting Rules
Static Routing Rules
Per Subscriber Policy
Dynamic Routing Rules  Depends on Vendor
URL Filtering  Depends on Vendor  Depends on Vendor
Traffic Scrubbing
Real-Time Threat Response
Application Layer Filtering  Depends on Vendor
Filtering TCP/IP Flows  Depends on Vendor
AdaptiveMobile therefore recommends, as best practice for security in LTE networks, the
integrated approach to security that is possible with DPI vendors using the architecture
shown in Fig. 4. However, as Traffic User plane vendors add the rich set of capabilities
available on DPI platforms today (as an integrated DPI function), they will then be in a
position to offer a viable alternative to DPI-based approaches, and so allow more upper-level
security facilities to be implemented on these platforms.
About AdaptiveMobile
AdaptiveMobile is the only mobile security company offering solutions designed to protect
all of the services on the network. With our deep expertise and unique focus on network security,
we continue to lead the market, a reason why many of the world's leading security and
telecom equipment vendors have chosen to partner with us.
Our mission is to provide a safe and trusted mobile experience for consumers and
enterprises worldwide.
Head Office: Ferry House, 48-52 Lower Mount Street, Dublin 2. Tel: +353 (1) 5249000
US Office: Adaptive Mobile Security Inc. 2591 Dallas Parkway, Suite 300, Frisco, TX 75034, Tel: +1 972 377 0014
Regional Sales Contact Numbers:
UK Sales: +44 808 120 7638
Middle East Sales: +971 4 312 4423
Africa Sales: +27 837 044 111
Asia Sales: +603 2298 7275
European Sales: +353 (1) 524 9000
www.adaptivemobile.com