lightreading - secure lte


  • 8/12/2019 LightReading - Secure LTe


    Prepared by

    Patrick Donegan, Senior Analyst, Heavy Reading

    www.heavyreading.com

    on behalf of

    www.juniper.net

    www.nsn.com

    October 2013

    White Paper

    Secure LTE: A Revenue Opportunity for Operators

    A Heavy Reading Executive Overview


    HEAVY READING | OCTOBER 2013 | WHITE PAPER | SECURE LTE: A REVENUE OPPORTUNITY FOR OPERATORS 2

    Executive Summary

    There are significant new security vulnerabilities in the LTE network that didn't exist with 3G. Whereas 3G traffic is encrypted at the end-user device and terminated deep in the network, LTE's encryption terminates at the base station or eNodeB. Whereas manual authentication of base stations was viable for 3G, it's less and less viable from a cost and security perspective in the LTE era. And whereas the Gi interface was the primary point of exposure to security attacks from the Internet in 3G, in the LTE era other network interfaces are now similarly exposed.

    One of the primary fixes for this, the 3GPP-prescribed use of IPsec from the eNodeB back into the network, has not been deployed in many of the early LTE launches, but is starting to be introduced now, especially in Europe. Heavy Reading predicts increased adoption of IPsec with LTE, so that a majority of LTE cell sites will support IPsec by the end of 2017. This white paper explains why many operators will increasingly turn to IPsec and other network security capabilities, not just to protect existing revenues, but as a critical enabler for growing new revenue streams as well.

    New Security Requirements in LTE Networks

    Mobile operators are used to world-class network security being baked into their network infrastructure, and many executives in these companies tend to simply assume it is there. When they initially rolled out 3G, for example, there was one single, seamless instance of 3GPP encryption all the way from the handset to the base station and on, deep in the network, to the RNC. Moreover, the E1 or DS1 pipes between the base station and the RNC were based on TDM, a highly robust, highly secure, telecom-grade networking technology.

    Figure 1: Security in 3G & LTE Networks

    Source: Heavy Reading


    The introduction of mobile data capabilities in the network, beginning with GPRS and CDMA 2000, required operators to do a little more of their own thinking where network security is concerned. With the GGSN exposing the network and subscribers to the wilds of the external Internet via the Gi interface, mobile operators began having to design, procure and deploy firewall and intrusion protection capabilities to block malicious traffic. When GPRS roaming was launched, operators had to give similar consideration to monitoring and securing the Gp interface that supports billing of data roaming services between operators.

    The balance between the kind of security that is already baked in and the kind that must be layered into the network by the operator shifts further toward the do-it-yourself model with LTE. As shown in Figure 1, the 3G model of a single, seamless instance of encryption is transformed in LTE by the elimination of the dedicated RNC node and distribution of its radio resource management functions out to the eNodeB and Evolved Packet Core (EPC), respectively. In the LTE network, encryption terminates at the eNodeB, with the result that the traffic that emerges from eNodeB (the control plane, user plane and management traffic) is all clear text.

    IPsec Enables Encryption of LTE Traffic

    In cases when the operator considers the intermediary transport network between them to be what it terms "Untrusted," the 3GPP prescribes using IPsec encryption on the S1 and X2 interfaces between the eNodeB and the EPC. If there is clear text coming out of the LTE eNodeB, there is a substantial security exposure that requires closing off right there, for the following reasons.

    By intervening in the network at the cell site or at any other point on the S1 or X2 interface and gaining access to the clear text stream, an attacker can potentially gain access to the network. From here, they can potentially trigger an outage or obtain access to the private voice and data transmissions of the operator's customers. And while there aren't many voice calls going over the LTE network yet, VoLTE is sure to change that.

    It's not just that traffic is unencrypted across the backhaul in LTE, whereas it is encrypted in 3G; the distributed architecture of the LTE network means that the number of potentially insecure network elements is substantially larger than in 3G. In 3G, the RNC node serves as a form of security buffer between the core network and the access network; whereas in LTE, gaining access to the S1 interface directly exposes the core network, because there is no RNC. The so-called S1-Flex feature has already been implemented by several LTE operators, allowing different subscribers attached to any one eNodeB to be connected to a diversity of EPC elements to enhance load balancing. And each eNodeB can be associated with as many as 32 X2 interfaces to other eNodeBs.

    PKI Authentication of LTE's IPsec Tunnels

    IPsec is typically associated with encryption, as shown in the previous section. But it also provides eNodeB authentication using Public Key Infrastructure (PKI) based on the Internet Key Exchange Version 2 (IKEv2) and Certificate Management Protocol Version 2 (CMPv2). And this use of IPsec for both encryption and authentication is explicitly recommended for LTE by the 3GPP.

    It's all very well traffic from a base station or eNodeB being encrypted, but if the eNodeB itself isn't a legitimate eNodeB deployed by the operator, but rather a rogue eNodeB used by an attacker in a so-called man-in-the-middle attack, the network and the subscriber are exposed. In other words, an eNodeB needs to be properly authenticated.

    The conventional way of carrying out 2G and 3G base station authentication is the so-called manual, "shared secret," authentication model, whereby a field engineer manually enters a cryptographic key at the cell site during the initial setup process. Once the base station is recognized as legitimate, it will be duly authenticated by the network.

    There are substantial advantages to using PKI for eNodeB authentication as well as traffic encryption:

    • PKI authentication avoids human error, which is a drawback of the shared-secret model. The requirement to manage a program of manual key renewal for security without affecting operational stability is also potentially expensive from an opex perspective.

    • As shown immediately below, the automated PKI authentication model as defined by the 3GPP introduces an additional layer of security into the authentication process as compared with the manual shared-secret model.

    3GPP Model for Certificate Enrollment in a PKI Environment

    Figure 2 shows the basic 3GPP architecture for PKI-based authentication of eNodeBs in LTE. A RAN vendor provides its own root certificate to the mobile operator. That root certificate is then pre-installed in the mobile operator's central Registration Authority (RA) or Certification Authority (CA). That authority then serves as the operator's primary source of trust, enabling multiple certificates to be issued by the CA out to the eNodeBs in the field, according to what is, in essence, a client-server model.

    The two-way authentication is enabled by the vendor's own signed certificate being pre-installed in the eNodeB. Importantly, as mandated by the 3GPP, the authentication is supported by the use of CMPv2, an Internet protocol used to manage the request and distribution of digital certificates within a PKI solution.

    Figure 2: Certificate Enrollment for eNodeBs in LTE

    Source: 3GPP TS 33.310

    Once authenticated, the eNodeB is authorized to instantiate one or more IPsec encryption tunnels and send traffic across the network toward the core with IPsec encryption. Traffic is decrypted at the 3GPP Security Gateway (SEG), in part enabled by the operator's own root certificate being pre-installed.

    Enhancements to Existing PKI Systems Based on Internet Protocols

    The 3GPP's approach to PKI draws entirely from existing Internet protocols. The main way in which the 3GPP's deployment model materially differs from most other PKI implementations is that it is among the first to leverage the CMPv2 protocol, and among the first to leverage one particular advanced feature it supports. This is the capability (one that is rendered mandatory by the 3GPP for LTE) to use two certificates, a Vendor Base Station Certificate and an Operator Base Station Certificate, rather than just one, according to the model used in most PKI systems until now.

    In the LTE environment, the mobile operator has its own certificate, much as any enterprise running its own PKI would. In addition, however, the authentication mechanism prescribed by the 3GPP leverages the advanced features of CMPv2 to require a second certificate. This is the RAN vendor's own certificate, which it assigns to the eNodeB during the manufacturing process. The vendor's certificate is then required to authenticate the initial request for the operator's certificate upon turning up each LTE eNodeB to commercial service for the very first time. This vendor certificate effectively replaces a one-time password, which has to be entered manually in typical enterprise PKIs.

    After the initial authentication of the eNodeB at the time of service turn-up, all subsequent update certificates for that eNodeB are authenticated solely by the operator's certificate according to traditional PKI models. Importantly, however, the requirement for the second certificate to participate in the authentication at the point of service turn-up provides a valuable additional layer of security. This goes above and beyond the security and automation provided by the manual shared-secret model, and above and beyond what is provided by most present-day PKI models in the enterprise environment.
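
    The two-certificate rule described above can be modelled as the acceptance policy of the operator's RA. This is an added example, not code from the white paper or from 3GPP: an HMAC tag stands in for a real X.509 signature so that it runs on the Python standard library alone, and the names `OperatorRA`, `VendorRootCA` and `ENB-0001`, the single-use enrollment rule and the serial-number check are assumptions of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # eNodeB identity (constructed, e.g. "ENB-0001")
    issuer: str    # name of the issuing CA
    serial: int
    tag: bytes     # HMAC stand-in for the CA's signature over the fields above


def _tag(ca_key: bytes, issuer: str, subject: str, serial: int) -> bytes:
    msg = f"{issuer}|{subject}|{serial}".encode()
    return hmac.new(ca_key, msg, hashlib.sha256).digest()


def issue(ca_name: str, ca_key: bytes, subject: str, serial: int) -> Cert:
    """Issue a certificate as the named CA."""
    return Cert(subject, ca_name, serial, _tag(ca_key, ca_name, subject, serial))


def verify(cert: Cert, ca_name: str, ca_key: bytes) -> bool:
    """True only if cert was issued by ca_name under ca_key."""
    expected = _tag(ca_key, ca_name, cert.subject, cert.serial)
    return cert.issuer == ca_name and hmac.compare_digest(cert.tag, expected)


class OperatorRA:
    """Operator RA/CA with the RAN vendor's root pre-installed."""

    def __init__(self, name: str, key: bytes, vendor_roots: dict):
        self.name = name
        self._key = key
        self._vendor_roots = dict(vendor_roots)  # vendor CA name -> key
        self._current = {}                       # enb_id -> serial in force
        self._next_serial = 1

    def _issue(self, enb_id: str) -> Cert:
        cert = issue(self.name, self._key, enb_id, self._next_serial)
        self._current[enb_id] = cert.serial
        self._next_serial += 1
        return cert

    def handle(self, kind: str, enb_id: str, presented: Cert):
        """Return (operator_cert, reason); operator_cert is None on rejection."""
        if presented.subject != enb_id:
            return None, "certificate subject does not match requester"
        if kind == "initial":
            # First turn-up: only the factory-installed vendor certificate,
            # chaining to a pre-installed vendor root, is accepted.
            root_key = self._vendor_roots.get(presented.issuer)
            if root_key is None or not verify(presented, presented.issuer, root_key):
                return None, "vendor certificate not trusted"
            if enb_id in self._current:  # assumption: enrollment is single-use
                return None, "already enrolled"
            return self._issue(enb_id), "enrolled"
        if kind == "update":
            # Later updates: authenticated solely by the operator certificate.
            if not verify(presented, self.name, self._key):
                return None, "operator certificate required"
            if self._current.get(enb_id) != presented.serial:  # assumption
                return None, "superseded operator certificate"
            return self._issue(enb_id), "renewed"
        return None, "unknown request type"


def demo() -> list:
    """Run constructed requests through the RA and return the decisions."""
    vendor_key = b"constructed-vendor-key"
    operator_key = b"constructed-operator-key"
    ra = OperatorRA("OperatorCA", operator_key, {"VendorRootCA": vendor_key})
    factory = issue("VendorRootCA", vendor_key, "ENB-0001", 1)
    # Claims the vendor root as issuer but was not made with the vendor's key.
    forged = issue("VendorRootCA", b"constructed-rogue-key", "ENB-0002", 1)

    decisions = []
    op_cert, why = ra.handle("initial", "ENB-0001", factory)
    decisions.append(why)
    decisions.append(ra.handle("initial", "ENB-0002", forged)[1])
    decisions.append(ra.handle("update", "ENB-0001", factory)[1])
    decisions.append(ra.handle("update", "ENB-0001", op_cert)[1])
    decisions.append(ra.handle("update", "ENB-0001", op_cert)[1])
    return decisions


if __name__ == "__main__":
    for line in demo():
        print(line)
```

    In a real deployment the RA verifies X.509 signature chains and CMPv2 message protection rather than a shared-key tag; the decision order shown here is what carries over.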

    Small Cells Strengthen the Case for Security

    New developments in small-cell security show promise, but small cells still present security challenges. For example, Verizon Wireless has publicly admitted that in March 2013 it had to apply a security fix to its "Network Extender" private femtocell product line. The flaw had rendered these products vulnerable to exposing customer voice and data communications to hackers. Heavy Reading expects 700,000 3GPP public access small cells requiring new backhaul to be in live service worldwide by the end of 2017, with the overwhelming majority of those using LTE.

    Small cells are inherently more vulnerable than macro cells, which tend to have layers of physical security that are either practically unfeasible or cost-prohibitive for small cells. But small cells in the public access domain represent an even greater security risk than in the private femto domain, because they are liable to have communication paths to many more neighboring cells and are much more vulnerable to physical tampering by attackers.


    eNodeB Authentication in the Small-Cell Era

    As shown, automation of eNodeB authentication using PKI offers a number of advantages over the shared-secret model in terms of both network efficiency and security. In that sense, using PKI can be seen as a key component of an evolution toward self-organizing networks (SON), which operators see as promising a lower-cost and higher-revenue operating environment.

    While this is true irrespective of which type of eNodeBs the operator has in the network, the case for using PKI authentication becomes even stronger as the operator begins transitioning to greater and greater volumes of public access small cells. This is because the conventional shared-secret model becomes increasingly difficult to manage from an operational cost perspective the greater the volume of eNodeBs.

    In particular, the intent with public access small cells is that a low-skilled technician should be able to fix a public access small cell in its location, essentially power it up, push a button and be gone in less than an hour. That is inconsistent with the skill level, responsibility and manual alignment with core network parameters associated with implementing and managing the manual shared-secret model.

    Adoption of IPsec With LTE

    In the three years since the first commercial launches, each operator that launched LTE has had to decide whether or not to invest in securing the S1 and X2 interfaces across what can still be thought of as the backhaul domain of the LTE network.

    The diversity of conclusions that different operators have reached is striking.

    Japan's NTT Docomo launched with IPsec, but it was the exception rather than the rule in that first wave of launches. None of the major U.S. carriers have leveraged IPsec so far; nor have operators in South Korea. In Europe, however, an increasing number of operators are using IPsec. For example:

    • Deutsche Telekom operates a policy that any of its affiliates that it controls should deploy IPsec at all of their LTE sites.

    • Orange operates a similar policy, although one with greater flexibility that allows for local market circumstances.

    • Reflecting the positions of its parent companies, Everything Everywhere's LTE sites all have IPsec in service.

    • Telecom Italia is also using IPsec.

    Europe is becoming the global driver of LTE security, not just as regards adoption of IPsec, but for comprehensive LTE security with enhanced threat detection capabilities, as discussed further on. Nevertheless, many new LTE networks over the last 12 months still continue to be launched without it.

    As shown in Figure 3, this trend of greater, but still patchy, adoption has been captured quite closely by Heavy Reading surveys of mobile operators. In two surveys on mobile backhaul and mobile network security (in December 2010 and September 2012, respectively), we asked different samples of qualified respondents in mobile operators worldwide the exact same question about the need for IPsec in LTE: "For the first three years following the launch of LTE, to what extent do you expect that IPsec will be needed between the LTE cell site and the LTE core?"


    In many developing markets, security is a lower priority because people tend to have less personal information in digital format. In other cases, operators believe that since there are few known precedents for attacks on the S1 or X2, the business case for security cannot yet be justified.

    Some operators also think in terms of segmenting their traffic into that which requires high security and that which doesn't. They argue that applications that require high security can be encrypted at the application layer, and that there is no point encrypting huge volumes of subscribers' Facebook updates and YouTube viewings. Unfortunately, the email, text and other messaging applications of these subscribers are typically not going to be encrypted at the application layer, and so will be exposed without IPsec encryption in the network. And in focusing on the user plane, this argument does not take into account the vulnerability of the control and management traffic.

    Many operators understand the risks but believe the cost of implementing IPsec is too high. However, one sometimes misunderstood cost component of the IPsec deployment model is that initial LTE deployments typically consist of a single IPsec tunnel being instantiated at the eNodeB, then kept in service permanently. This is a far lower-cost approach than the model that has characterized many enterprise-based deployments of IPsec, which involve large volumes of tunnels being dynamically set up and torn down again, which can indeed be opex-intensive.

    In some cases, operators are waiting for a network-wide upgrade to IPv6 so they can leverage IPsec once it is natively embedded in the v6 standard. The risk is that the time required for all the operator's vendors to support all the relevant IPv6 security features will leave an extended period of time during which S1 and X2 traffic will continue to remain exposed.

    Other reasons cited for not deploying IPsec are related to network performance. Some operators fear that encrypting traffic between the LTE RAN and the core will jeopardize the operator's end-to-end latency target, typically 20-30 milliseconds.

    Again this is a wholly legitimate consideration, but with the right network engineering rules in place, leading operators have already proved that in partnership with vendors IPsec can be supported in a manner consistent with LTE's latency targets.

    And while some operators have investigated using alternative encapsulation and encryption techniques on the S1, IPsec is still the only standard that is formally 3GPP-approved for S1 and X2 security.

    As they roll out LTE, some operators have in mind securing only their public access small cells and those sites where they leverage leased backhaul that they deem to be "untrusted." In this model, the operator believes that it need not extend the same security to those among its macro-cells where it has built out the backhaul itself and that are therefore "trusted." For some operators this may appear as an optimal compromise between costs and security, but it still leaves many of its sites exposed. It also creates two parallel security environments, which can be challenging from an operational perspective, in that it requires different skillsets and operational procedures depending on the specific cell site.

    The EPC Supports Threat Protection

    As shown in the previous sections, encryption of the S1 and X2 traffic protects the traffic stream from access by an unauthorized third party. And eNodeB authentication ensures that only traffic from bona fide eNodeBs belonging to the operator will be admitted to the core network. But this doesn't protect the operator from the risk of malicious traffic emanating from the LTE RAN. And as shown in Juniper Networks' Mobile Threat Center report [1] of March 2013, there are now more than 500 third-party app stores around the world containing malicious apps.

    In the 2G and early 3G model, the mobile network's only exposure to the open Internet was via the Gi interface when a user wanted to access data services. In that model, user requests are typically triggered by feature phones, transported over TDM and connected to the Internet via the mobile packet core's Gi interface. But with the evolution of 3G and now LTE, the traffic emanating from the RAN is increasingly generated by computing-intensive laptops and smartphones, and then transported over IP backhaul.

    As a result, whereas mobile operators have evolved their networks thinking of the Gi and SGi interfaces as being the unique point of exposure to malicious traffic from the Internet, every point in the LTE network at which an S1 interface terminates in the EPC is now a point from which malicious traffic can be delivered, because eNodeB authentication and traffic encryption using IPsec do nothing to protect the operator against specific rogue traffic types.

    If an eNodeB is compromised in a similar way to the Verizon Wireless example cited previously, IPsec would neither detect nor protect the mobile network from the threat. So in addition to IPsec, stateful firewalling of the mobile protocols can be leveraged to ensure that compromised nodes, or attackers positioned elsewhere in the "untrusted" backhaul network, are prevented from interfering with the mission-critical control messages, for example by sending the right X2 packets to turn eNodeBs on and off at will.

    Hence at every point where S1 interfaces are terminated in the EPC, operators need to consider comprehensive LTE security with much the same suite of firewall, IDS/IPS and enhanced threat detection capabilities that they have always needed on the Gi, in conjunction with the IPsec termination functionality prescribed by the 3GPP SEG.

    Security as a New Revenue Enabler

    The previous sections have shown the steps that operators need to take to secure the revenues from their conventional business model as they evolve from 2G and 3G to LTE. This section will demonstrate how those same security capabilities are also critical enablers for some of the many new revenue models that the performance of LTE in terms of cost, speed and low latency is uniquely capable of unlocking. And it demonstrates how neglecting to implement these security measures risks being a "show-stopper" for operators looking to get the most out of these new market opportunities.

    In May 2012, for example, Randall Stephenson, Chairman, CEO & President of AT&T, told an audience at The Milken Institute that "the long pole in the tent" when it comes to capturing new revenue opportunities in areas such as mCommerce and mHealth "is going to be getting the ecosystem to be robust in protecting data and making sure you control who sees the data, how it's shared and how it's transmitted. Until you get it right, there is going to be inherent apprehension and concern by all of us about this."

    Although user perceptions of security differ greatly by country, by market and by types of user, there is some evidence of the global average perception of mobile users starting to show a greater appreciation of security. In NSN's 2013 Acquisition and Retention Study [2], for example, 38 percent of a global survey sample of more than 9,000 users worldwide identified security services as one of their top three new service preferences, representing a 36 percent increase compared with the equivalent survey held in 2011. In addition, security is the key to mobile operators being able to exploit the new potential for LTE as regards new vertical market opportunities, such as in mHealth or mCommerce, as detailed below.

    [1] http://www.juniper.net/us/en/forms/mobile-threats-report/

    New Opportunities in mHealth

    A brief consideration of the potential of the mHealth market shows clearly the size of the revenue opportunity for the mobile operator and the pivotal role that LTE security plays in determining an operator's prospects in this market.

    A February 2012 PricewaterhouseCoopers study on behalf of the GSM Association concluded that global mobile health revenue will reach about $23 billion across all stakeholders (mobile operators, device vendors, healthcare providers and content/application players) by 2017. As shown in Figure 4, PwC predicted that the mobile operators will take nearly 50 percent share of that market, corresponding to about $11.5 billion.

    Figure 4: Breakup of Expected Worldwide Mobile Health Revenues of Mobile Operators by Service Categories

    Note: Total opportunity size for mobile operators (2017E): ~$11.5 billion

    Source: PricewaterhouseCoopers

    Some of these services can certainly be delivered over 2G and 3G. But operators will increasingly look to LTE, particularly in the case of monitoring and diagnostic services that require high bandwidths and low latency.

    Operators that are security-savvy recognize that allowing clear text to flow at the edge of the LTE network exposes the operator, the healthcare provider and the patient to a man-in-the-middle attack of the kind that distorts packets during a patient's diagnosis, real-time monitoring or treatment session. Those that aren't believe that the risk of such an attack being carried out successfully is so minuscule that investment in IPsec is overkill.

    In support of that argument, the case will often be made that many healthcare providers already provide their own internally secure overlay environment, for example by offering patients their own secure Web portal to ensure privacy of communications between patient and provider. But the case for pursuing the mHealth market and attempting to leverage LTE without IPsec falls down in two significant respects that pertain not so much to the detailed technical merits of this kind of encryption and authentication, but rather to very simple business logic.

    First, it tends to be primarily the largest healthcare providers that have the IT resources to build their own security into the mHealth applications that they push out to their patients. However, in most countries the healthcare ecosystem is made up of a variety of large, medium and small care homes, businesses, clinics and practices that don't have that kind of IT competence. Failing to secure all the patient-sensitive information flowing in and out of these smaller providers risks reducing the size of the market opportunity that the operator can go after.

    Second, since the healthcare providers themselves generate the diagnoses, monitoring and treatment services for their patients, the patient's primary relationship when they use most mHealth applications is with the healthcare provider. That means that it is nearly always the healthcare provider, rather than the mobile operator, that assumes legal liability for the security of any patient data. And this is where the case for investing in LTE security becomes potentially decisive: When considering transmitting highly-sensitive (potentially life-saving) data over the LTE network, the legal department of any healthcare provider will typically look at the liability and determine that the mobile operator needs to provide as many security features as possible, to ensure that the healthcare provider has the best chance of successfully defending against a future lawsuit for loss or misuse of patient data or to minimize the size of any compensation settlement. To that extent, some decisions regarding whether to implement LTE security will cease to be a telecom-oriented debate, and will instead become a far simpler mandate along the lines of "because the lawyers say so." Where this arises, LTE operators that invest in security will clearly be much better positioned to win.

    [2] http://blogs.nsn.com/mobile-networks/2013/05/23/subscribers-look-to-operators-for-telco-security/

    North America May Not Even Be the Biggest mHealth Market

    Reference to a fragmented market in healthcare providers and the risk of lawsuits tends to focus the security requirements of the mHealth opportunity on the U.S. But a fragmented market isn't necessarily better suited to overcoming the challenges of scaling up large mHealth projects than a more centralized model. Moreover, Europe and Japan face significantly greater challenges than the U.S. when it comes to their aging populations and declining birth rates, so the pressure to leverage the mHealth opportunity is at least as great in these markets.

    Indeed, in its 2012 report, PwC predicted that Europe and Asia will each account for 30 percent of the total $23 billion mHealth market across all stakeholders by 2017, with North America predicted to account for 28 percent.

    New Opportunities in mCommerce

    Depending on how it is defined, mCommerce is still a market opportunity that mobile operators have yet to fully monetize. And similar to mHealth, it's a market where the most stringent security is a critical building block for building the industry partnerships needed to succeed.

    Many online banking applications leverage Secure Socket Layer (SSL), which is known to be vulnerable to a variant of man-in-the-middle attacks known as "man in the browser" or "boy in the browser" attacks. These enable attackers to establish an instance of an SSL proxy, intervene in the traffic flow and present the online banking user that is accessing their account data with a rogue website mirroring that of their bank account, in order to steal their access information, distort their instructions to the bank or generate their own malicious instructions. Given that a mobile operator's network elements (particularly their eNodeBs) are the most attractive points of intervention for an attacker, it's clear that providing threat detection as well as traffic encryption and eNodeB authentication leveraging IPsec is an important building block as the operator looks to pursue new mCommerce revenues using LTE.

    New Opportunities in M2M Apps

    The same is true of machine-to-machine (M2M) applications. In August 2013, O2 in

    the U.K. said it had been selected for two out of three lots in the U.K.'s smart metertender to provide the communications services across the U.K.'s central andsouthern regions, in a deal worth 1.5 billion ($2.3 billion) over 15 years, subject to

    contracts being agreed. Until now and for the near future, it's clear that thevolume in M2M business continues to be in low-data-rate applications that are

    perfectly well supported by 2G and 3G.

    But over time, the bandwidth and latency performance as well as the cost curvesof M2M modules supporting LTE will make the technology much better suited to

    some applications than 3G provided operators are able to provide adequatesecurity to their vertical industry partners. Consider the following examples:

    In the summer of 2013, Audi launched the world's first LTE-connected car, the Audi S3 sport with an option for an embedded LTE module. Consider the opportunity for remote, bandwidth-intensive diagnostics to fix performance issues or anticipate them before they arise. The data transmitted wirelessly by F1 Grand Prix cars today, for example, is already used to that end. And consider the impact on that LTE-connected car if that connectivity were to be insecure. It won't be, because much like healthcare providers, car manufacturers won't be open to that kind of business model if it is.

    LTE networks can potentially be positioned to support signaling systems for road traffic control. Perhaps not permanently, but in some countries developing or opening new intersections can often be delayed by the lack of fiber cabling. Thanks to its low latency, LTE can potentially be used to fill that gap.

    Over time, energy metering systems will evolve to LTE as energy companies become more sophisticated in their requirements. This will happen as the cost of LTE M2M modules reaches parity and eventually goes below that of 2G and 3G, and perhaps also as bandwidth requirements increase. One of the capabilities that energy companies are looking to evolve to is the ability to remotely switch off a customer's energy supply. Once again, consider the implications of looking to offer that capability without taking every possible measure to prevent attackers from being able to access and misuse it.

    Adoption of LTE Security Is Set to Accelerate

    Figure 5 shows Heavy Reading's forecast for the adoption of IPsec with LTE over the next four years. As shown in red, we expect the proportion of the world's LTE cell sites that support IPsec will grow from 15 percent at the end of 2013 to 35 percent at the end of 2015 and 53 percent by the end of 2017.


    We expect growth will be driven by several factors, including: the ongoing migration of hacker time and attention from the wireline to the mobile networking environment; competitive pressures arising from one operator in a market deploying IPsec, driving competitors to respond; the probability of threat incidents arising from operators failing to deploy IPsec and becoming publicized; and the growing recognition that lack of bulletproof or near-bulletproof security will be a showstopper when operators look to drive the next generation of revenue opportunities with major vertical industry partners, such as health insurance providers.

    We assume that there will still be a sizeable number of LTE operators that are still allowing clear text to transit across their backhaul networks four years from now. But we also expect that a financial analysis of LTE operators four years hence will show a pretty close correlation between support for end-to-end network security and superior financial performance.

    Figure 5: Forecast for IPsec Adoption in LTE Backhaul

    Source: Heavy Reading's Ethernet Backhaul Tracker, June 2013


    Background to This Paper

    About Juniper Networks

    Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. More information can be found at www.juniper.net/us/en/dm/mobile-lte.

    About NSN

    Nokia Solutions and Networks (www.nsn.com) is the world's specialist in mobile broadband. From the first ever call on GSM, to the first call on LTE, we operate at the forefront of each generation of mobile technology. Our global experts invent the new capabilities our customers need in their networks. We provide the world's most efficient mobile networks, the intelligence to maximize the value of those networks, and the services to make it all work seamlessly. With headquarters in Espoo, Finland, we operate in more than 120 countries and had net sales of approximately 13.4 billion in 2012.
