adaptivemobile lte whitepaper a4 1212

Upload: rohitsaxena17

Post on 14-Apr-2018


  • 7/27/2019 AdaptiveMobile LTE Whitepaper A4 1212


    AdaptiveMobile Whitepaper Mobile Network Security: The Challenges & Solutions in an LTE Landscape

    In the interim, however, a range of back-end core networks will be used to integrate with LTE. This range is fully supported by LTE, including features such as the use of Circuit-Switched (CS) fall-back to handle voice and SMS in the absence of IMS networks.

    The result of this flexibility is that any associated solutions, in this case security, have to be equally flexible. Due to the presence of mixed networks, it is important that any security solution deployed on LTE networks is able to handle the presence of legacy networks and not simply assume that all traffic will take one form or one path.

    Security Handling in LTE today

    Discussions addressing security in LTE networks normally revolve around the following areas:

    • A flatter and more open IP architecture, with the Radio part terminated in the access network, leads to potentially greater attack vectors

    • Interworking is possible with a variety of legacy and non-telecom networks, which may inject unwanted traffic

    • LTE allows placement of Radio nodes (eNodeBs) in untrusted locations

    To address this, most security designs for LTE/4G have focused on low-level processes, including:

    • Extended authentication & key sharing and end-to-end confidentiality

    • More complex interworking security

    • Additional security in eNodeBs

    The above has been delivered within the standards by various mechanisms, such as building the key exchange and authentication mechanisms into the signalling flows between the LTE nodes, especially those involving the eNodeBs, and also via Firewall mechanisms, such as the 3GPP-defined SEG.

    However, while these address potential structural security issues at a low level, discussion of security concerns at a higher level in the LTE network seems to have been neglected in the standards sphere. There has been some discussion about reusing the existing Policy mechanisms in the LTE network to provide application-level security. For example, within the LTE network, the PCRF node fulfils key roles in the Policy and Charging areas of the LTE network. While potentially attractive, this suffers from serious flaws, of which the most pertinent is that the PCRF simply does not have the visibility, or the control, to adequately handle changing threats. While its functionality can be reused to provide a measure of security (see later sections for further details), in normal operation it is simply not designed to adequately address the security threats which will arise. What some of these future threats will be is unknown; however, past experience demonstrates that the changing nature of telecom threats requires a platform that is flexible and designed with a core competence in providing a secure network.


    Application-level Security threats in LTE

    As discussed, LTE is really an evolution of the existing network technologies, and will also interwork with a variety of legacy radio and core networks. This means that upper-level security concerns in these legacy networks could be carried over on to the LTE network.

    Other reasons why additional threats could emerge over time include:

    • Reduced prices for mobile IP usage and network access mean that the cost to send spam and generate malicious traffic is reduced

    • Higher data rates and the proliferation of IP devices (including those from outside the LTE network) will result in an increase in the number of bad actors and make identifying maliciously infected devices more difficult

    • An increasing number of non-human-attended devices (M2M etc.) will be present on the same network, with potential for misuse, especially in critical areas

    • Additional handset functionality, more capable devices and additional processing power, combined with greater data usage, increase the ability to run botnets and viruses

    • Mobile device-based AV scanning solutions (as per the PC model) will become increasingly less sustainable due to increasing battery demands and the continuing rise in the amount of mobile malware the AV solutions have to look for

    • Changes in technology and communication uses; for example, messaging sessions in LTE will no longer be confined only to 2 users and 160 characters. Instead, LTE will allow multi-user conversations with file transfers, making security for spam and malware links much more difficult to implement

    In addition to these emerging threats, existing telecom frauds will continue, such as the monetization of premium-rate numbers by mobile malware or voice fraud, the exposure of key personal information via a handset or the network, and the revenue opportunities for those who continue sending unwanted communications or spam.

    So while security concerns at the lower level of LTE have been addressed, upper-level security threats still need to be tackled and are becoming more urgent.

    To provide effective protection it is essential to identify threats as they occur. The key hindrance in an LTE network is the sheer amount of data, resulting in the need for sophisticated off-line analysis in order to determine when traffic is unwanted, malicious or harmful.


    In combining these two functionalities, the Analytics system is able to provide a web-based user interface which gives security analysts the ability to review the current state of the network, analyse threats and take actions, such as making network adjustments in order to block, re-route or throttle data traffic.

    From Detection to Mitigation

    Once the data has been analyzed and any security threats detected, an integrated network solution is required to mitigate the threat. In many cases, threat intelligence can determine with absolute confidence that an attack is underway. Traffic destined for known phishing sites or for botnet command and control hosts is compelling evidence that an immediate response is required.

    However, there are also occasions when a degree of uncertainty is involved. A sudden increase in messaging traffic could be a legitimate marketing campaign or it could be a spam attack. A large number of subscribers accessing a web-site can be the result of a successful viral marketing campaign or it could be a distributed denial of service attack. This uncertainty is best resolved by application layer inspection of traffic flows, in which case these flows need to be forwarded to a mitigation solution. Depending on the nature of the attack it may also be prudent to throttle this traffic temporarily, thereby reducing the immediate impact while the situation is analyzed by an inline mitigation device.

    Analytics not only provides the means to detect new threats, but also the intelligence to take appropriate action to minimize the risk to subscribers and to the network infrastructure. Security threats are dynamic and constantly evolving; for example, bots may lie dormant on devices and then spring into action, malware can be inadvertently installed on a device at any time, and phishing attacks can be triggered by receiving an email or other message. Therefore the LTE architecture for IP-network security must take this dynamic aspect into account.
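
    The split described above between certain detections (immediate response) and uncertain ones (forward for application-layer inspection and throttle meanwhile) can be sketched as decision logic. This is an added example, not AdaptiveMobile's code; the record layout, the threat list entries, the z-score threshold and the action names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed threat-intelligence entries (documentation address and example domain).
KNOWN_BAD = {"203.0.113.7": "botnet command and control",
             "login.phish.example": "known phishing site"}

@dataclass
class Window:
    """One observation interval for one subscriber (hypothetical record layout)."""
    subscriber: str
    destinations: list = field(default_factory=list)  # hosts contacted
    msgs_sent: int = 0                                # messages sent this interval
    history: list = field(default_factory=list)       # counts from earlier intervals

def decide(w, z_threshold=3.0, min_history=5):
    """Return the Actions for one window: block, re-route plus throttle, or none."""
    hits = [d for d in w.destinations if d in KNOWN_BAD]
    if hits:
        # Certain case: traffic to a listed destination gets an immediate response.
        return {"confidence": "certain", "actions": ["block"],
                "reason": KNOWN_BAD[hits[0]]}
    if len(w.history) >= min_history:
        mu, sigma = mean(w.history), pstdev(w.history)
        z = (w.msgs_sent - mu) / (sigma or 1.0)  # flat history: use unit scale
        if z >= z_threshold:
            # Uncertain case: campaign or spam? Forward the flow for application-layer
            # inspection and throttle it while the inline device analyses it.
            return {"confidence": "uncertain", "actions": ["re-route", "throttle"],
                    "reason": f"messaging spike, z={z:.1f}"}
    # Too little history or nothing unusual: leave the traffic alone.
    return {"confidence": "none", "actions": [], "reason": "no indicator"}

if __name__ == "__main__":
    # Constructed sample windows.
    samples = [Window("sub-A", ["203.0.113.7"], 3, [2, 3, 4, 3, 2]),
               Window("sub-B", ["news.example"], 400, [10, 12, 9, 11, 10, 8]),
               Window("sub-C", ["news.example"], 11, [10, 12, 9, 11, 10, 8])]
    for s in samples:
        print(s.subscriber, decide(s))
```

    A subscriber with too little history never reaches the spike test, so a new device is not throttled on its first burst of messages.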

    Action

    AdaptiveMobile's Network+ Protection Platform (NPP+) has been designed to provide a consistent policy-based view of user behavior across all services including SMS, MMS, Email, Voice and Web, allowing operators to identify new exploits, whether these are mobile viruses, denial of service attacks, spam or fraudulent phishing attacks, and respond rapidly to protect their network assets, subscriber privacy and subscriber credit.

    Once the NPP+ security platform has detected a new threat, it is critical that a response is implemented immediately. The NPP+ applies these responses as network Actions. How these Actions are enforced depends on the network architecture available. The following section reviews some network architecture options and discusses the advantages and disadvantages of each.

    Responding to security threats by making policy changes within the PCRF infrastructure is assumed by some network architects to be an appropriate response. The assumption here is that service control is the responsibility of the PCRF and traffic user plane nodes such as the GGSN, PDSN or PGW within the Packet Core, with the PCRF acting as the policy decision point and the nodes within the packet core responsible for subsequent enforcement of these decisions. However, there are some serious drawbacks to this approach when it comes to security.


    Actions | Via PCRF (to User Plane Node) | Direct to User Plane Node (with integrated DPI function) | Standalone DPI

    Bandwidth Throttling: Depends on Vendor

    Blacklisting Rules

    Static Routing Rules

    Per Subscriber Policy

    Dynamic Routing Rules: Depends on Vendor

    URL Filtering: Depends on Vendor; Depends on Vendor

    Traffic Scrubbing

    Real-Time Threat Response

    Application Layer Filtering: Depends on Vendor

    Filtering TCP/IP Flows: Depends on Vendor

    AdaptiveMobile therefore recommends, as best practice for security in LTE networks, the integrated approach to security that is possible with DPI vendors using the architecture shown in Fig. 4. However, as Traffic User plane vendors add the rich set of capabilities available on DPI platforms today (as an integrated DPI function), they will then be in a position to offer a viable alternative to DPI-based approaches, and so allow more upper-level security facilities to be implemented on these platforms.

    About AdaptiveMobile

    AdaptiveMobile is the only mobile security company offering solutions designed to protect all of the services on the network. With our deep expertise and unique focus on network security, we continue to lead the market, a reason why many of the world's leading security and telecom equipment vendors have chosen to partner with us.

    Our mission is to provide a safe and trusted mobile experience for consumers and enterprises worldwide.

    Head Office: Ferry House, 48-52 Lower Mount Street, Dublin 2. Tel: +353 (1) 5249000

    US Office: Adaptive Mobile Security Inc. 2591 Dallas Parkway, Suite 300, Frisco, TX 75034, Tel: +1 972 377 0014

    www.adaptivemobile.com

    Regional Sales Contact Numbers:

    UK Sales: +44 808 120 7638

    Middle East Sales: +971 4 312 4423

    Africa Sales: +27 837 044 111

    Asia Sales: +603 2298 7275

    European Sales: +353 (1) 524 9000
