August, 2013 LTE Security Concepts and Design Considerations
Stoke, Stoke Session Exchange and the Stoke logo are trademarks of Stoke, Inc. Copyright 2013 Stoke, Inc. All rights reserved. Lit# 130-0022-001 2
Table of Contents

Introduction
LTE Security Defined in the Standards
  3GPP High Level Security Architecture
  3GPP Principles of Network Domain Security
  A Practical Technical Specification for Domain Security: H(e)NB Architecture
Operationalizing LTE Network Security
  Primary Security Domains
  Identifying the Risks
  Comparison of Firewall Types: S1 and Internet Firewalls
  Choosing the Right Solution for the Mobile Access Border
  Recommended Solutions
Looking Forward: Demands are Evolving
  VoLTE Increases Capacity Requirements
  Small Cells Increase Tunnel Scale Requirements
Security eXchange - Stoke's LTE Security Gateway Solution
  Purpose-built, Standalone Security Gateway
  VoLTE Ready
  Small Cell Connectivity
  Added Protection for the Mobile Access Border
  Performance without Compromise
Conclusions
  Security Gateway Recommended for Mobile Access Border Protection
  Stoke Security eXchange
References
Introduction

As with any IP-based network, ensuring network security is of paramount importance. This is especially true of today's LTE wireless networks, which are an all-IP, end-to-end architecture. Aside from the obvious risk of interception of wireless traffic to and from user equipment (UE), the security risks traditionally associated with the fixed-line Internet now apply to 4G mobile network operators as well. This is a significant departure for mobile operators: in prior generations of cellular networks, security was baked into standard network functions and integral to the whole system. LTE/SAE requires protection mechanisms at each of the three primary boundaries of the EPC, and adds a component that was not part of traditional planning: a security gateway on the RAN-to-core boundary (S1), also referred to as the mobile access border. In the early days of LTE deployments this component was often considered late in the system design phase, with suboptimal decisions as the result. In her paper "Radio-to-core protection in LTE - The widening role of the security gateway", Monica Paolini, analyst at Senza Fili Consulting, highlights the benefit of considering the requirements of each of the three phases of LTE evolution when selecting the security gateway: "Moreover, IT and Internet security players are jumping at the chance to reposition multi-purpose security appliances designed to protect the SGi (Internet) interface to requirements at the mobile access border (RAN-to-Core / S1 link)."
While there are some overlapping capabilities between the two, the performance characteristics and the lack of focus on requirements specific to the S1 interface can indeed result in a suboptimal decision if a multi-purpose security appliance is chosen rather than a standalone security gateway.

The purpose of this paper is to clarify the standards around LTE network security and the different security borders of the mobile network, and to delve deeper into the requirements of the Mobile Access Border, the border between the RAN and the core (S1). The paper also provides an overview of Security eXchange, Stoke's LTE security gateway, and presents data points to demonstrate the value of this purpose-built solution over multi-purpose security products.

LTE Security Defined in the Standards

3GPP High Level Security Architecture

Security is addressed at many different levels by standards development organizations such as 3GPP, ITU and ETSI, and by the industry group NGMN. Stoke's view of the security requirements for LTE networks is the result of a comprehensive study of these standards and recommendations, coupled with the company's focus on the Mobile Access Border. This section presents the relevant work from 3GPP and NGMN that defines the LTE security requirements forming the foundation for Stoke Security eXchange. Because security is dealt with at many levels by industry working groups and standards committees, casual observers can become confused about which requirements are needed and where they apply. In the EPS/EPC security architecture (3GPP TS 33.401), 3GPP segments security into five functional domains:

1. Network access security: use of the USIM to provide secure access for a user to the EPS, including mutual authentication and privacy features.
2. Network domain security: features that allow secure communication between Evolved Packet System / Evolved Packet Core (EPS/EPC) nodes in order to protect against attacks on the network.
3. User domain security: securing access to the terminal, e.g. a screen-lock password, or the PIN required to enable USIM usage.
4. Application domain security: security features used by applications, e.g. at the HTTP layer.
5. Visibility and configurability of security: features that let a user know whether a security feature is in operation, and user-configured control over whether use of a service depends on enabled security features.

3GPP Principles of Network Domain Security

With the migration from circuit-switched to packet-switched networks (GPRS), and the use of IP transport in general, comes a need for enhanced protection of the traffic running over these networks and their interfaces. 3GPP has therefore developed specifications for how IP-based traffic is to be secured over interfaces in the access/transport network (E-UTRAN), in the core network (EPC), and between two or more core networks. Network Domain Security for IP (NDS/IP), defined in 3GPP TS 33.210, specifies the protection of IP-based control-plane traffic, with emphasis on interfaces in the core network (EPC). The S1-U user-plane interface between E-UTRAN and EPC (and likewise the X2 user plane between eNodeBs) is the exception: although NDS/IP itself targets the control plane, TS 33.401 requires these user-plane interfaces to be protected as well, using the same NDS/IP mechanisms.
NDS/IP introduces a slightly different concept of security domains: networks that are managed by a single administrative authority, for example a single telecom network operator. In practice, an operator's network is typically divided into multiple security domains, each a subset of the network managed by a single administrative authority. This allows for greater network control and manageability, and for the implementation of defense-in-depth network security strategies. Figure 1 below illustrates the separation of security domains as defined in 3GPP TS 33.210:
At the border of a security domain, TS 33.210 specifies the placement of a Security Gateway (SEG), which concentrates and protects all traffic entering or leaving the domain. The NE (Network Entity) represents any network node belonging to the E-UTRAN, EPC and/or IMS domains, such as an eNodeB, MME or CSCF. The NDS/IP framework provides three types of protection:

Data origin authentication: protecting a node from accepting packets injected by an unknown or rogue entity
Data integrity: protecting data in transit from modification (man-in-the-middle)
Data confidentiality: protecting against information theft (eavesdropping)

These protections are implemented with IPsec, specifically ESP in tunnel mode, with IKE (Internet Key Exchange) used to set up the IPsec security associations between SEGs, or between a SEG and an NE. IPsec ESP provides the three levels of protection, each with a wide set of available algorithms:

Authentication: provided initially through secure key exchange and mutual authentication between SEGs, or between SEG and NE, using the IKE protocol; per-packet authenticity is then provided by the ESP integrity check value (ICV) computed over each packet, for example with HMAC-SHA-1. Note that NDS/IP mandates ESP and does not use the separate IPsec Authentication Header (AH) protocol.
Integrity: provided by the same ESP cryptographic hashing mechanism, for example HMAC-SHA-1; later revisions of TS 33.210 add SHA-256-based integrity.
Confidentiality: provided by ESP cryptographic encapsulation, for example AES.

The NDS/IP architecture of Figure 1 is shown from a practical deployment perspective in Figure 2 below:
Figure 2. Practical view of security domains in an LTE mobile network

With this depiction it is easy to see how the conceptual 3GPP NDS/IP architecture maps onto a practical LTE deployment. In summary:

The Za interface aligns with the S8 interface between Home and Visited PLMN, for example between the Home PGW and the Visited SGW.
The Zb interface aligns with S1 and X2 within an individual operator's LTE network. Zb applies between NEs, or between an NE and a SEG, within a single security domain under the control of a single operator. The Zb interface between the SEG and EPC-based NEs is optional, since these nodes are likely collocated in the same data center or on the same private LAN, so IPsec and IKE are not required there.
The NE represents any network node belonging to the E-UTRAN, EPC and/or IMS domains, such as an eNodeB, MME or CSCF.
Security for the EPC-to-Internet connection point (SGi interface) is not within the scope of NDS/IP.

A Practical Technical Specification for Domain Security: H(e)NB Architecture

3GPP TS 33.320 specifies a security framework for the H(e)NB system architecture, implementing the principles outlined in the NDS/IP security domain specification described in the previous section. H(e)NBs (3G or 4G femtocells) are typically located at the customer's premises, i.e. in the end user's home, and their backhaul typically traverses an unsecured fixed-broadband Internet connection. Because of this, the H(e)NB accesses the operator's security domain via the Security Gateway (SEG).

Operationalizing LTE Network Security

In the previous sections we reviewed the network security requirements defined by 3GPP for LTE/SAE networks. In this section we examine the risks across the different LTE network interfaces and drill into the available solutions for securing the S1 interface.

Primary Security Domains

The diagram in Figure 3 depicts a recognizable view of the Home and Visited LTE/EPC network architecture and its key network interfaces. Highlighted are the critical areas where distinct network security requirements demand equally distinct solutions.
Figure 3. Contemporary view of LTE network security domains
Aside from the interface naming, the highlighted areas can be classified into the following categories:

Mobile Access Border (RAN-to-EPC / S1)
Internet Border (EPC-to-Internet / SGi)
Partner Border (EPC-to-EPC / S8)

Identifying the Risks

Industry and standards bodies including 3GPP, ITU-T and NGMN have analyzed the threats and risks of each of the security domains described above and recommended specific mitigation mechanisms for each. This analysis, including the signaling-load risks and mitigations identified by Stoke's primary research with the University of Surrey, is summarized below.

Mobile Access Border (RAN-to-EPC / S1)
  Threats / Risks: physical access point compromise (primarily for small cells); DDoS from a compromised eNB / small cell; user-plane packet injection; packet interception (eavesdropping); packet modification (man-in-the-middle); signaling overload
  Mitigation Strategies: 3GPP SEG with strong authentication and authorization (PKI, IKEv2, IPsec ESP); LTE S1 firewall (GTP, S1-AP)

Internet Border (EPC-to-Internet / SGi)
  Threats / Risks: IP / port scanning; EPC IP address exposure; unauthorized EPC network access; malware / viruses implanted on UEs; DDoS attacks on the EPC via SGi
  Mitigation Strategies: Internet firewall: stateful firewall, NAT, DDoS mitigation, IDS/IPS, malware detection / blocking, anti-virus scanning / blocking, heuristics

Partner Border (EPC-to-EPC / S8)
  Threats / Risks: home EPC IP address exposure; IPX network compromise
  Mitigation Strategies: border gateway / firewall: GTP firewall for control and user plane, NAT

Figure 4. Network security domain risk and mitigation summary

As outlined above, each security domain has its own array of threats, necessitating an equally specific set of solutions and strategies to minimize or eliminate the persistence and impact of those threats. Some overlap in how solutions are characterized does occur, so it is important to understand the differences between them and why specific solutions are targeted at specific security domains.
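As an added illustration of the GTP firewall rows in the table above (not code from the paper or from Stoke), the following Python parses the GTPv1-U header used on S1-U and S8-U (3GPP TS 29.281) and applies the single check that defeats user-plane packet injection: a G-PDU is forwarded only when its source address and TEID match a tunnel learned from legitimate session setup. The session table, peer addresses and sample packets are constructed for the example.

```python
# Added example (not Stoke's code): parse a GTPv1-U header as carried on S1-U/S8-U
# (3GPP TS 29.281) and apply the check a GTP firewall at the mobile access or
# partner border performs against user-plane packet injection: only forward a
# G-PDU whose (peer address, TEID) pair was learned from legitimate session setup.
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MSG_ECHO_REQUEST = 1
MSG_ECHO_RESPONSE = 2
MSG_ERROR_INDICATION = 26
MSG_END_MARKER = 254
MSG_G_PDU = 255  # encapsulated user IP packet


@dataclass
class GtpuHeader:
    msg_type: int
    length: int          # octets following the 8-octet mandatory header
    teid: int
    seq: Optional[int]
    npdu: Optional[int]
    header_len: int      # mandatory + optional fields + extension headers


def parse_gtpu(data: bytes) -> GtpuHeader:
    """Decode a GTPv1-U header, rejecting anything malformed rather than guessing."""
    if len(data) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version, pt = flags >> 5, (flags >> 4) & 1
    if version != 1 or pt != 1:
        raise ValueError(f"not GTPv1 (version={version}, PT={pt})")
    if length != len(data) - 8:
        raise ValueError(f"length field {length} != actual {len(data) - 8}")
    ext_flag, seq_flag, npdu_flag = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    seq = npdu = None
    hdr_len = 8
    if ext_flag or seq_flag or npdu_flag:
        # If any optional flag is set, all three optional fields are present on the wire.
        if len(data) < 12:
            raise ValueError("truncated optional fields")
        seq_raw, npdu_raw, next_ext = struct.unpack("!HBB", data[8:12])
        hdr_len = 12
        seq = seq_raw if seq_flag else None
        npdu = npdu_raw if npdu_flag else None
        # Extension headers: first octet = length in 4-octet units, last octet = next type (0 = none).
        while ext_flag and next_ext != 0:
            if len(data) < hdr_len + 1:
                raise ValueError("truncated extension header")
            ext_len = data[hdr_len] * 4
            if ext_len == 0 or len(data) < hdr_len + ext_len:
                raise ValueError("bad extension header length")
            next_ext = data[hdr_len + ext_len - 1]
            hdr_len += ext_len
    return GtpuHeader(msg_type, length, teid, seq, npdu, hdr_len)


# Session table as a GTP firewall learns it from S1-AP / GTP-C setup:
# (peer IP, uplink TEID) -> subscriber context. Constructed for this example.
SessionTable = Dict[Tuple[str, int], str]


def filter_gtpu(src_ip: str, data: bytes, sessions: SessionTable) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one packet received on UDP port 2152."""
    try:
        hdr = parse_gtpu(data)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    known_peer = any(ip == src_ip for ip, _ in sessions)
    if hdr.msg_type in (MSG_ECHO_REQUEST, MSG_ECHO_RESPONSE, MSG_ERROR_INDICATION, MSG_END_MARKER):
        # Path-management messages are only meaningful from peers we have tunnels with.
        if known_peer:
            return "forward", "path management from known peer"
        return "drop", "path management from unknown peer"
    if hdr.msg_type != MSG_G_PDU:
        return "drop", f"unexpected message type {hdr.msg_type}"
    if (src_ip, hdr.teid) not in sessions:
        # The SGW would decapsulate this into a subscriber's bearer: a spoofed TEID is injection.
        return "drop", f"TEID 0x{hdr.teid:08x} from {src_ip} not in session table"
    return "forward", f"G-PDU for {sessions[(src_ip, hdr.teid)]}"


def build_gpdu(teid: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    """Build a G-PDU (constructed traffic); with seq set, the S flag and optional fields are added."""
    flags = 0x30  # version 1, PT = 1
    optional = b""
    if seq is not None:
        flags |= 0x02
        optional = struct.pack("!HBB", seq, 0, 0)
    body = optional + payload
    return struct.pack("!BBHI", flags, MSG_G_PDU, len(body), teid) + body


if __name__ == "__main__":
    sessions: SessionTable = {("10.1.1.5", 0x0000A001): "subscriber A, bearer 5"}
    inner = b"\x45" + b"\x00" * 39  # stand-in for an inner IP packet
    print(filter_gtpu("10.1.1.5", build_gpdu(0xA001, inner), sessions))        # forward
    print(filter_gtpu("198.51.100.7", build_gpdu(0xA001, inner), sessions))    # drop: unknown peer
    print(filter_gtpu("10.1.1.5", build_gpdu(0xDEAD, inner, seq=7), sessions)) # drop: unknown TEID
```

The important design point is that the session table is populated from the control plane (S1-AP and GTP-C), not inferred from observed user-plane traffic; a firewall that learns TEIDs from the packets it sees would accept the injected packet it is supposed to block.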
Comparison of Firewall Types: S1 and Internet Firewalls

For example, the term "firewall" is used in the solution description for both the RAN-EPC security domain and the EPC-to-Internet security domain. The LTE S1 firewall, such as the feature set provided by Stoke's Mobile Border Agent (described later), is a set of stateful packet filtering, or firewall-like, features specifically required at the RAN-EPC edge. These features target the particular protocols that run on S1 between RAN and EPC, namely SCTP, S1-AP and GTP, and the procedures executed over them, such as SCTP initialization, UE Attach/Detach, Service Request and S1/X2 handover, in order to provide multiple dimensions of protection for the EPC. Conversely, the Internet firewall comprises a set of functions designed to sit at the border between the EPC and external IP networks such as the Internet. It is in the EPC-Internet security domain that features such as a stateful IP firewall, intrusion detection/prevention and Network Address Translation (NAT) are required and can be most effective. NAT in particular, whose purpose is to conceal internal UE and EPC IP addressing from external IP networks like the Internet, is wholly impractical at the RAN-EPC security domain: UE mobility, and the fact that the UE's IP anchor point (the PDN-GW) resides within the EPC, behind the RAN-EPC edge, would negate the NAT function and disrupt normal EPC operation.

Choosing the Right Solution for the Mobile Access Border

As described in earlier sections, 3GPP recommends the use of a Security Gateway with IPsec to mitigate the threats on the interfaces between RAN and EPC.
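As an added example (not the Mobile Border Agent's code, nor anything from the paper), the following Python shows the kind of stateful S1-AP check the firewall comparison above describes, and the reference-model approach the paper attributes to the Mobile Border Agent later on: events from the decapsulated S1-MME are matched against a model of known eNodeBs and their tunnel peers, and the procedures that start work in the MME (Attach and Service Request arrive as InitialUEMessage; NAS follows in UplinkNASTransport) are counted per eNodeB in a sliding window. The event-line format, eNodeB identities, addresses and thresholds are all assumptions made for the example.

```python
# Added example (not the Mobile Border Agent's code): rate-based detection of an S1-AP
# signaling storm against a reference model of known eNodeBs, as an S1 firewall at the
# mobile access border might do after IPsec decapsulation. The event-line format, the
# eNB identities and the thresholds are constructed for this example.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# One line per S1-AP procedure seen on S1-MME, in an assumed log format:
#   <ISO timestamp> enb=<eNB id> src=<tunnel peer address> proc=<S1-AP procedure>
LINE_RE = re.compile(r"^(?P<ts>\S+) enb=(?P<enb>\S+) src=(?P<src>\S+) proc=(?P<proc>\S+)$")

# Procedures that each start work in the MME/HSS; a burst of them is the classic overload vector.
RATE_LIMITED_PROCS = {"InitialUEMessage", "UplinkNASTransport", "HandoverRequired"}

# Reference model: eNB id -> (expected tunnel peer, max rate-limited procedures per window).
REFERENCE_MODEL: Dict[str, Tuple[str, int]] = {
    "eNB-1001": ("10.1.1.5", 50),
    "eNB-1002": ("10.1.1.6", 50),
}


@dataclass
class Alert:
    ts: datetime
    enb: str
    kind: str      # unknown-enb | source-mismatch | signaling-flood
    action: str    # drop | rate-limit


class SignalingMonitor:
    def __init__(self, model: Dict[str, Tuple[str, int]], window: timedelta = timedelta(seconds=1)):
        self.model = model
        self.window = window
        self.recent: Dict[str, Deque[datetime]] = defaultdict(deque)

    def observe(self, line: str) -> Optional[Alert]:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event: {line!r}")
        ts = datetime.fromisoformat(m["ts"])
        enb, src, proc = m["enb"], m["src"], m["proc"]
        expected = self.model.get(enb)
        if expected is None:
            # Not a node we set a tunnel up with: its signaling never reaches the MME.
            return Alert(ts, enb, "unknown-enb", "drop")
        peer, max_rate = expected
        if src != peer:
            # Known identity arriving over the wrong tunnel: credential reuse or a compromised cell.
            return Alert(ts, enb, "source-mismatch", "drop")
        if proc not in RATE_LIMITED_PROCS:
            return None
        q = self.recent[enb]
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) > max_rate:
            return Alert(ts, enb, "signaling-flood", "rate-limit")
        return None


def run(lines: List[str], model: Dict[str, Tuple[str, int]] = REFERENCE_MODEL) -> List[Alert]:
    """Feed every line through one monitor and return the alerts it raised, in order."""
    mon = SignalingMonitor(model)
    return [a for a in (mon.observe(line) for line in lines) if a is not None]


def constructed_log() -> List[str]:
    """Constructed sample: an attach storm from one eNB, then three single events."""
    base = datetime(2013, 8, 1, 10, 0, 0)

    def stamp(dt: datetime) -> str:
        return dt.isoformat(timespec="milliseconds")

    lines = [f"{stamp(base + timedelta(milliseconds=10 * i))} enb=eNB-1001 src=10.1.1.5 proc=InitialUEMessage"
             for i in range(60)]                                                   # 60 attaches in 600 ms
    later = stamp(base + timedelta(seconds=2))
    lines.append(f"{later} enb=eNB-1002 src=10.1.1.6 proc=UEContextReleaseRequest")  # normal traffic
    lines.append(f"{later} enb=eNB-9999 src=198.51.100.7 proc=InitialUEMessage")     # node not in the model
    lines.append(f"{later} enb=eNB-1002 src=198.51.100.8 proc=InitialUEMessage")     # wrong tunnel peer
    return lines


if __name__ == "__main__":
    for a in run(constructed_log()):
        print(f"{a.ts.time()} {a.enb:9s} {a.kind:16s} -> {a.action}")
```

Note that the two identity checks run before any rate accounting: a flood from an unknown or mis-peered node is dropped outright, while a genuine eNodeB that exceeds its threshold is rate-limited rather than cut off, since cutting it off would itself take a cell out of service.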
However, an operator can choose to enable IPsec functionality in a number of different network elements:

An existing EPC node (such as an MME)
A multi-service firewall or multi-service edge router
A standalone security gateway

IPsec adds overhead to every encrypted packet but, more importantly, places a large processing burden on any network node required to encrypt or decrypt those packets. The throughput of most multi-service firewall or routing systems degrades by at least 50% when IPsec is enabled, and the degradation is even greater when the same equipment must process large volumes of small packets (as with VoLTE). Additional hardware can of course be added to boost throughput, but this adds equipment cost (CAPEX) as well as recurring space and power expenses (OPEX). Details of the various solution options follow.

EPC Nodes with SEG

Adding the security function to EPC network nodes (such as the SGW or MME) may appear financially compelling in the short term because it reuses installed equipment, but in the long term it may greatly overload these nodes, reducing performance and available capacity. In particular, relying on the EPC's own security functionality introduces significant processing requirements that can degrade overall EPC performance, and may not provide the highest possible level of protection. More importantly, expensive network core capacity may be better used for growth, or as a hedge against an unexpected surge in traffic demand, than for providing security.

Multi-Service Firewall Solution

Vendors of multi-service equipment with a broad range of firewall and intrusion prevention features often include IPsec as a value-added feature. However, these platforms, designed for flexibility across multiple functions, are not optimized for the significant challenge of IPsec encryption and may sacrifice performance to achieve that flexibility. The majority of the stateful firewall and intrusion prevention features these solutions include provide no benefit when applied at the RAN-EPC edge, because per the 3GPP recommendations these are not functions that are needed there. Essentially, operators would be paying for features they cannot use and sacrificing performance that is critically important.

Multi-Service Router Solution

Similar to multi-service firewalls, many multi-service router vendors provide IPsec as a value-added feature. Typically this is achieved by adding a services blade built from generic processors that are not optimized for the heavy cryptographic work of IPsec. The trade-off operators must make for consolidated functionality is extensive hardware cost to achieve the desired scale and performance, as well as limited growth capability for the IP routing and switching functions the MSER is actually designed for, because service blades occupy valuable slot real estate in the MSER chassis.

Standalone Security Gateway

A standalone gateway, optimized for the processing-intensive IPsec functions, can provide the needed security and aggregation functionality without overloading existing EPC elements or deploying sub-optimal equipment.
From a total cost of ownership (TCO) perspective, the ability to provide scalability, end-to-end encryption, high power efficiency and better control over OPEX increasingly weighs in favor of standalone solutions for IPsec functions.

Recommended Solutions

Considering the information presented above, Stoke's recommended deployment architecture and placement of solution-specific network equipment is shown in the diagram below.
Figure 5. Recommended equipment types for each security domain (diagram labels: HPLMN, Internet, Home Evolved Packet Core, IPX; Standalone SEG; Border GW w/ FW; Stateful Firewall w/ NAT)
The solution-specific recommendation is critical; otherwise operators will constantly be dealing with compromises and trade-offs. The core design principles of a security network element built for one interface will sacrifice performance, capabilities and/or attention to detail on another. For example, an Internet firewall is optimized for maximum flow capacity and high-rate transactions, with perhaps a few VPNs using IPsec as an add-on feature. That is the right design decision for the SGi interface, but not for S8 or S1. Selecting one product that fits two or even all three secure interfaces may be possible, but it offers only false promise: ultimately the compromises will surface, requiring a disproportionate investment in that network element or, worse, a security breach and a wholesale change-out. The summary below lists the security device and functions for which operators should seek best-of-breed performance on each interface requiring security.

Mobile Access Border (RAN-to-EPC / S1)
  Recommended product: purpose-built, standalone Security Gateway
  Functions provided: strong authentication and authorization via IKEv1/v2 and PKI protocols such as CMPv2 and CRL v2; full data confidentiality, integrity and authentication via IPsec ESP and its crypto algorithms; LTE S1 firewall (GTP, S1-AP) for signaling overload protection

Internet Border (EPC-to-Internet / SGi)
  Recommended product: multi-functional security platform
  Functions provided: stateful firewall; Network Address Translation (NAT) to protect internal addressing; IDS/IPS; content filtering

Partner Border (EPC-to-EPC / S8)
  Recommended product: multi-functional Border Gateway
  Functions provided: GTP firewall for control and user plane; NAT

Figure 6. Recommended product and functions summary

Looking Forward: Demands are Evolving

VoLTE Increases Capacity Requirements

Best-of-breed performance in the S1 security gateway becomes especially important as operators add VoLTE to their networks. This is due to the real-time, latency-sensitive nature of voice traffic and the fact that voice is carried in very small packets (on the order of 64 bytes), which taxes the processing capacity of most gateway equipment. Operator and industry data show that average packet sizes are decreasing because of the growth of high-volume, small-packet 4G applications such as VoLTE and M2M. As the average packet size decreases, the number of packets per second at the same traffic volume rises in inverse proportion: halving the packet size doubles the packet rate. This matters for network element dimensioning, because elements designed and optimized for a standard Internet traffic mix (IMIX) will underperform and have a major negative impact on users' Quality of Experience (QoE).

Small Cells Increase Tunnel Scale Requirements

As LTE networks evolve from today's macro deployments of several thousand or tens of thousands of sites to potentially tens or hundreds of thousands more small cells (pico/femto), we must consider the impact on the EPC network architecture and, for this document, on the Security Gateway. The first impact is obvious: tunnel scale. Each and every access point will have an IPsec tunnel established with the SEG to provide RAN-EPC security. Even operators who initially opted not to deploy a SEG for their macro LTE RAN backhaul are planning to deploy one to secure LTE small cells, primarily because small cells will in most cases use unknown backhaul across the Internet or some other untrusted backhaul provider network, which presents the same risks to the operator network as identified earlier in this document.

Security eXchange - Stoke's LTE Security Gateway Solution

Purpose-built, Standalone Security Gateway

Stoke's Security eXchange, delivered on the SSX-3000 system, is designed specifically to fulfill the SEG requirements of the mobile access border. It addresses all the threats identified by 3GPP and NGMN for the mobile access border (EPC-RAN / S1):

Physical attack
User-plane packet injection
Packet modification
Eavesdropping
DDoS attacks from the network or from UEs
Unauthorized access
Compromise of eNodeB credentials
Attacks on user data and user identity privacy
Attacks on radio resources and management

The solution recommended by industry organizations is IPsec, plus strong authentication and authorization mechanisms, namely IKE and PKI.
To support this charter from the standards, Stoke Security eXchange was built with a highly extensible IPsec implementation, in both performance and functionality, delivering IPsec at line rate with high throughput. The solution intentionally excludes features such as stateful firewall, IDS/IPS and NAT, which are not needed at the Mobile Access Border and would otherwise compromise IPsec performance.

VoLTE Ready

Stoke is prepared to meet the additional processing challenges of VoLTE. Figure 7 below compares a representative competitor's performance to the Stoke SSX-3000 at different average packet sizes. With some competitor equipment, performance (capacity) drops from 80% of line rate to slightly above 40%, a loss of almost 50% of capacity, when the average packet size changes from 512 bytes to 384 bytes.
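To make the packet-size effect concrete, here is an added Python example (not from the paper, and not measured data for any product). It computes the on-the-wire size of a packet after the ESP tunnel-mode encapsulation that NDS/IP mandates (RFC 4303 layout; IV, padding and ICV sizes per transform), the packet rate a given link rate implies at each inner packet size, and what a gateway limited to a fixed packet rate can actually deliver. The 10 Gbps link, the 5 Mpps limit and the packet sizes are assumed inputs.

```python
# Added example (not from the paper): IPsec ESP tunnel-mode overhead per RFC 4303 and
# the resulting packets-per-second load on a security gateway. Cipher parameters are the
# standard sizes for each transform; link rates and packet sizes are assumed inputs.
from typing import Dict, List

OUTER_IPV4 = 20   # new outer IP header added by tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# transform: (IV octets, padding alignment, ICV octets)
TRANSFORMS = {
    "aes-cbc + hmac-sha1-96": (16, 16, 12),
    "aes-cbc + hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),    # combined mode (RFC 4106): 8-octet IV, only 4-octet alignment
}


def esp_pad(inner_len: int, align: int) -> int:
    """Padding so that (inner + pad + trailer) is a multiple of the cipher alignment."""
    return (-(inner_len + ESP_TRAILER)) % align


def esp_tunnel_len(inner_len: int, transform: str) -> int:
    """On-the-wire IP length of an inner packet of inner_len octets after ESP tunnel encapsulation."""
    iv, align, icv = TRANSFORMS[transform]
    return OUTER_IPV4 + ESP_HEADER + iv + inner_len + esp_pad(inner_len, align) + ESP_TRAILER + icv


def packets_per_second(rate_bps: float, pkt_len: int) -> float:
    """IP packets per second needed to fill rate_bps with packets of pkt_len octets."""
    return rate_bps / (8 * pkt_len)


def achievable_rate(max_pps: float, line_rate_bps: float, pkt_len: int) -> float:
    """Throughput a box limited to max_pps can actually deliver at a given packet size."""
    return min(line_rate_bps, max_pps * 8 * pkt_len)


def dimension(rate_bps: float, sizes: List[int], transform: str) -> List[Dict[str, float]]:
    """For each inner packet size: wire size, bandwidth expansion, packet rate and encrypted-side bit rate."""
    rows = []
    for n in sizes:
        wire = esp_tunnel_len(n, transform)
        rows.append({
            "inner": n,
            "wire": wire,
            "expansion": wire / n,
            "pps": packets_per_second(rate_bps, n),     # packet rate is set by the inner size
            "esp_bps": rate_bps * wire / n,             # bits the encrypted side must carry
        })
    return rows


if __name__ == "__main__":
    # Assumed: a 10 Gbps S1 link; 64-octet voice packets (the paper's figure), the 384/512 averages
    # from Figure 7, and a large data packet.
    for row in dimension(10e9, [64, 384, 512, 1400], "aes-cbc + hmac-sha1-96"):
        print(f"inner {row['inner']:5d} -> wire {row['wire']:5d} octets ({row['expansion']:.2f}x), "
              f"{row['pps'] / 1e6:6.2f} Mpps, encrypted side {row['esp_bps'] / 1e9:5.2f} Gbps")
    # A gateway rated for an assumed 5 Mpps is line-rate at 512 octets but far from it at 64.
    for n in (512, 64):
        print(f"5 Mpps box at {n} octets: {achievable_rate(5e6, 10e9, n) / 1e9:.2f} Gbps")
```

Two things the numbers make visible: the per-packet cost is fixed, so at 64 octets ESP more than doubles the bytes on the wire, and a device whose limit is packets rather than bits loses capacity in direct proportion to the fall in average packet size.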
Figure 7. Impact of voice on IPsec throughput

Small Cell Connectivity

New hardware and software enhancements will allow the Security eXchange to address the demand for small cell connectivity. The same SSX-3000 plans support for new hardware modules, increasing IPsec tunnel scale to over 5x the current capacity and IPsec throughput to over 2x the current performance.

Added Protection for the Mobile Access Border

IPsec tunnel scale and throughput are certainly not the only concerns. Stoke predicts that such a drastic increase in the number of LTE access points brings a corresponding increase in the risk of compromised small cells, as well as increased network signaling and a greater risk of S1-borne signaling storms. LTE networks must support a higher degree of growth, change and unpredictability in user equipment (UE), applications, latency expectations, speed, and accelerating signaling and traffic load than ever previously anticipated. In response to this trend, Stoke Security eXchange now includes Mobile Border Agent protection. The Mobile Border Agent is a multi-dimensional software entity integrated with the Stoke Security eXchange. While the Security eXchange still performs the discrete task of IPsec tunnel termination, the Mobile Border Agent works toward protection and optimization goals at the dynamic LTE RAN-EPC border on behalf of the operator. Key characteristics of the Mobile Border Agent are:

Multi-Dimensional Awareness: continually monitors S1 packets and correlates user-plane, control-plane, RAN and session volume, state and other data to identify anomalies and support network goals.
Reference Network Model: maintains a reference model of connected eNodeBs and core elements, normal network conditions, and threshold parameters that define reporting and action triggers.
Policy Based Enforcement Action: enacts specific actions to protect service availability and network
assets, interacting with other EPC elements and network management systems to deploy flood prevention and network protection policies.
Data Collection/Reporting: collects data and reports back to network operators, providing a comprehensive perspective of the network.

Deeper integration with EPC network elements will allow the Mobile Border Agent to be further enhanced to respond dynamically to externally triggered events and to implement protective policies. Examples of protective security policies include:

Message flood prevention
Malicious endpoint detection
Enhanced analytics
Malicious subscriber traffic filtering

Performance without Compromise

Stoke Security eXchange consistently surpasses other LTE security gateway providers in all key performance measurements. Stoke's performance has been validated through commercial deployments, multiple tier 1 operator trials and tests, and internal QA analysis. Specifically, the Stoke SSX-3000 has:

Highest throughput: 16 Gbps per RU
Highest packet rate: 20.8 million PPS per RU, i.e. line rate with 96-byte packets
Lowest latency: under 40 microseconds, even at small packet sizes
Lowest power: 15 W per Gbps of throughput
High availability: >99.999% availability, 284-year MTBF

Conclusions

Security Gateway Recommended for Mobile Access Border Protection

LTE/EPC network security covers several distinct domains, each facing a unique set of security risks and requiring corresponding solutions to mitigate or minimize the impact of those risks being exposed or exploited. For each of these domains, several standards bodies and well-known industry groups have converged on specific recommendations to address each part of the network.
For the Mobile Access Border (RAN-EPC) security domain, these industry groups have recommended a purpose-built Security Gateway platform using IPsec as the encryption protocol, combined with strong authentication and authorization. Other network boundaries have been given their own distinct recommendations, such as intrusion prevention, network address translation, malware detection and anti-virus protection for the EPC-to-Internet (SGi) interface. While multi-functional platforms may provide similar feature sets, such as IPsec, their underlying design, built to support a broad spectrum of functionality, forces operators into trade-offs in performance and cost. Poor performance increases equipment costs as well as operational costs for maintenance, space and power. As operator networks continue to evolve with VoLTE and require even higher throughput, the economic impact of the initial decision is magnified over time. In addition, these multi-function platforms may not provide other valuable RAN-EPC functions such as signaling protection and policy-based enforcement.

Stoke Security eXchange

The Stoke Security eXchange, including the Mobile Border Agent software, is an evolved security gateway that extends the 3GPP definition with expanded functionality to optimize and protect LTE core resources against signaling events and attacks that can impair or paralyze service. The solution includes several functions that add a layer of general security at the mobile border and enable enforcement action based on higher-layer (S1-AP) analysis. The Stoke Security eXchange maintains line-rate performance, even when performing encryption/decryption at the packet rates that result when average packet sizes drop to support key applications such as voice. This means the capacity specified for each line card or system does not diminish as the operator's network and services mature and the average packet size changes. This dramatically simplifies operator sizing estimates and reduces the need to add equipment as the network traffic profile changes over time. Next-generation mobile networks will include a much more complex topology of overlapping LTE access types, including macro cells, indoor and outdoor small cells and consumer femtocells, as well as Wi-Fi access points and shared networks.
Stoke Security eXchange with Mobile Border Agent can provide much needed visibility and control in this fast growing, highly dynamic and critical area of the network.
References
NGMN Alliance (2012). Security in LTE Backhauling.
Lescuyer, P. L. (2008). Evolved Packet System (EPS): The LTE and SAE Evolution of 3G UMTS. West Sussex, England: John Wiley & Sons Ltd.
Olsson, M. S. (2013). EPC and 4G Packet Networks: Driving the Mobile Broadband Revolution (2nd ed.). Oxford, England: Elsevier.
Paolini, M. (2013). Radio-to-core protection in LTE: The widening role of the security gateway. Senza Fili Consulting.