WHITE PAPER

LTE Security Concepts and Design Considerations

August, 2013
LTE Security Concepts and Design Considerations


Stoke, Stoke Session Exchange and the Stoke logo are trademarks of Stoke, Inc. Copyright 2013 Stoke, Inc. All rights reserved. Lit# 130-0022-001 2









Table of Contents

Introduction ...................................................................................................... 3
LTE Security Defined in the Standards ............................................................ 3
3GPP High Level Security Architecture .................................................................... 3
3GPP Principles of Network Domain Security ........................................................... 4
A Practical Technical Specification for Domain Security: H(e)NB Architecture ........ 6
Operationalizing LTE Network Security ........................................................... 6
Primary Security Domains ........................................................................................ 6
Identifying the Risks .................................................................................................. 7
Comparison of Firewall types: S1 and Internet Firewalls ........................................... 8
Choosing the Right Solution for the Mobile Access Border ....................................... 8
Recommended Solutions .......................................................................................... 9
Looking Forward: Demands are Evolving ...................................................... 10
VoLTE Increases Capacity Requirements .............................................................. 10
Small Cells Increase Tunnel Scale Requirements .................................................. 11
Security eXchange - Stoke's LTE Security Gateway Solution .................... 11
Purpose-built, Standalone Security Gateway .......................................................... 11
VoLTE Ready ......................................................................................................... 11
Small Cells Connectivity ......................................................................................... 12
Added Protection for the Mobile Access Border ...................................................... 12
Performance without Compromise .......................................................................... 13
Conclusions ................................................................................................... 13
Security Gateway Recommended for Mobile Access Border Protection ................. 13
Stoke Security eXchange ....................................................................................... 14
References .................................................................................................... 15



Introduction
As with any IP-based network, ensuring network security is of paramount importance. This is especially
applicable to today's LTE wireless networks, which are an all-IP, end-to-end network architecture. Aside from the
obvious security risk of intercepted wireless communications transmitted to and from user equipment (UE), there
are security risks traditionally associated with the fixed-line Internet that are now pertinent to 4G mobile network
operators. This is a significant departure for mobile operators because in prior generations of cellular networks,
security was baked into standard network functions and integral to the whole system. LTE/SAE presents new
challenges in this regard, requiring protection mechanisms at each of the three primary boundaries of the EPC.
Additionally, there is a new component in their traditional planning: a security gateway on the RAN-to-Core
boundary (S1), also referred to as the mobile access border.
In the early days of LTE deployments this new security component was often considered late in the system
design phase, and suboptimal decisions were often the result. In her paper "Radio-to-core protection in LTE -
The widening role of the security gateway", Monica Paolini, analyst from Senza Fili Consulting, highlights the
benefits of considering requirements from each of the three phases of LTE evolution when selecting the security
gateway. Moreover, IT and Internet security players are jumping at the chance to reposition multi-purpose
security appliances designed to protect the SGi (Internet) interface to the requirements of the mobile access border
(RAN-to-Core / S1 link). While there are some overlapping capabilities between the two, performance
characteristics and a lack of focus on requirements specific to the S1 interface can indeed result in a suboptimal
decision if a multi-purpose security appliance is chosen rather than a standalone security gateway.
The purpose of this paper is to clarify the standards around LTE network security and the different security borders
of the mobile network, and to delve deeper into the requirements of the Mobile Access Border - the border
between the RAN and the core (S1). This paper also provides an overview of Security eXchange, Stoke's LTE
security gateway, and presents data points to demonstrate the value of this purpose-built LTE security gateway
solution over multi-purpose security solutions.
LTE Security Defined in the Standards
3GPP High Level Security Architecture
Security is addressed on many different levels by standards development organizations like 3GPP, ITU, ETSI, and
even the industry group NGMN. Stoke's view on the security requirements for LTE networks is the result of a
comprehensive study of these standards and recommendations, coupled with our company's focus on the Mobile
Access Border. This section presents the relevant work from 3GPP and NGMN to define the LTE security
requirements which form the foundation for Stoke Security eXchange.
Because security is dealt with on many levels by industry working groups and standards committees, casual
observers can become confused about what requirements are needed and where they apply. In the 3GPP EPS/EPC
Security Architecture (3GPP TS 33.401), 3GPP segments the security architecture into five different functional
domains. 3GPP TS 33.401 defines these domains as the following:
1. Network access security: use of the USIM to provide secure access for a user to the EPS. Includes mutual
authentication and privacy features.
2. Network domain security: features that allow for secure communications between Evolved
Packet System/Evolved Packet Core (EPS/EPC) nodes in order to protect against attacks on the network.
3. User domain security: securing access to the terminal, e.g. a screen lock password, or a PIN to enable
USIM usage.
4. Application domain security: security features used by applications, e.g. HTTP.
5. Visibility and configurability of security: features that allow a user to know whether a security feature
is in operation or not, and user-configured control over whether use of a service depends on enabled
security features.
3GPP Principles of Network Domain Security
With the migration from circuit-switched networks to packet-switched networks (GPRS), as well as the use of IP
transport in general, there is a need to provide enhanced protection to traffic running over these networks
and their associated interfaces. 3GPP has therefore developed specifications for how IP-based traffic is to be secured
over the interfaces in the access/transport networks (E-UTRAN), in the core network (EPC), and/or between two
or more core networks.
Network domain security for IP (NDS/IP), defined in 3GPP TS 33.210, emphasizes interfaces in the core network
(EPC) and outlines the specifications for protecting IP-based control-plane traffic. Special consideration is
given to the S1-U (user-plane) interface between the E-UTRAN and EPC, an exception in that S1-U is a protected
interface in 3GPP networks. NDS/IP introduces a slightly different concept of security domains: networks
that are managed by a single administrative authority, an example being a single telecom network
operator. In practice, an operator's network is typically divided into multiple security domains, each domain
being a subset of the network that is managed by a single administrative authority. This allows for greater
network control and manageability, and for the implementation of defense-in-depth network security strategies.
Figure 1 below illustrates the separation of security domains as defined in 3GPP TS 33.210:

Figure 1. 3GPP TS 33.210 NDS/IP Architecture
At the border of the security domain, TS 33.210 specifies the placement of a Security Gateway (SEG) which
functions to concentrate and protect all traffic entering or leaving the security domain. The NE (Network Entity)
represents any network nodes deployed and belonging to the E-UTRAN, EPC, and/or IMS domains, such as an
eNodeB, MME, CSCF, etc.
The NDS/IP framework provides for three types of protection:
- Data origin authentication: protecting a node from receiving packets injected by an unknown or
rogue entity
- Data integrity: protecting data in transit from being modified (man-in-the-middle)
- Data confidentiality: protecting against information theft (eavesdropping)
The protection mechanisms are implemented via IPsec, specifically IPsec ESP in tunnel mode, with IKE
(Internet Key Exchange) used to set up IPsec security associations between SEGs or between a SEG and an NE.
IPsec provides for three levels of security protection, each with a wide set of available security algorithms:
- Authentication: provided initially via secure key exchange and mutual authentication between SEGs or
between a SEG and an NE using the IKE protocol, and via the Authentication Header (AH) of the IPsec packets to
ensure per-packet authenticity, using SHA-1 for example.
- Integrity: provided via IPsec cryptographic packet hashing mechanisms, for example SHA-1.
- Confidentiality: provided via IPsec cryptographic packet encapsulation, for example AES.
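To make the three NDS/IP protections concrete, the following Python example, added here and not taken from the paper, from 3GPP or from any Stoke product, models the receiver side of an ESP security association. Each packet carries an SPI, a sequence number and an HMAC-SHA1-96 integrity check value (the SHA-1 option named above, RFC 2404), and the receiver rejects packets from a sender that does not hold the SA key (data origin authentication), packets altered in transit (integrity), and replayed or stale packets (the 64-packet anti-replay window of RFC 4303). Encryption, which provides confidentiality, is left out because Python's standard library has no AES; the key, SPI values and payload strings are constructed sample values.

```python
import hmac
import hashlib
import struct

# Added example (not from the paper, 3GPP, or any Stoke product): a model of the
# integrity / data-origin-authentication part of IPsec ESP using HMAC-SHA1-96
# (RFC 2404) and the 64-packet anti-replay window of RFC 4303 Appendix A.
# Encryption is omitted on purpose; keys, SPIs and payloads are constructed.

ICV_LEN = 12     # HMAC-SHA1-96: the 20-byte SHA-1 digest truncated to 96 bits
WINDOW = 64      # anti-replay window size in packets


def esp_wrap(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Build an ESP-like packet: SPI (4) | sequence number (4) | payload | ICV (12).

    The ICV covers the SPI, sequence number and payload, so only a peer holding
    auth_key can produce a packet the receiver will accept.
    """
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Receiver-side security association: the shared key plus anti-replay state."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi = spi
        self.auth_key = auth_key
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means sequence number (top - i) was already accepted

    def _seq_is_fresh(self, seq: int) -> bool:
        if seq == 0:                        # ESP never uses sequence number 0
            return False
        if seq > self.top:                  # advances the window
            return True
        if self.top - seq >= WINDOW:        # fell off the left edge of the window
            return False
        return ((self.bitmap >> (self.top - seq)) & 1) == 0

    def _mark_seen(self, seq: int) -> None:
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def unwrap(self, packet: bytes):
        """Return (verdict, payload); payload is None whenever the packet is dropped."""
        if len(packet) < 8 + ICV_LEN:
            return "drop: truncated", None
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "drop: unknown SPI", None
        # Replay check first: rejecting duplicates before the ICV computation
        # keeps replayed traffic from consuming crypto capacity (RFC 4303 3.4.3).
        if not self._seq_is_fresh(seq):
            return "drop: replayed or stale sequence number", None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "drop: integrity check failed", None
        self._mark_seen(seq)
        return "accept", body[8:]


def demo() -> list:
    """Walk one SA through genuine, replayed, modified, foreign, reordered and mis-addressed packets."""
    key = b"constructed-sample-key-not-for-real-use"     # constructed value
    sa = InboundSA(spi=0x1000, auth_key=key)
    verdicts = []
    first = esp_wrap(0x1000, 1, b"S1-AP InitialUEMessage", key)
    verdicts.append(sa.unwrap(first)[0])                     # genuine packet
    verdicts.append(sa.unwrap(first)[0])                     # the same packet replayed
    altered = bytearray(esp_wrap(0x1000, 2, b"S1-AP PathSwitchRequest", key))
    altered[8] ^= 0x01                                       # one payload bit flipped in transit
    verdicts.append(sa.unwrap(bytes(altered))[0])
    foreign = esp_wrap(0x1000, 3, b"S1-AP InitialUEMessage", b"some-other-key")
    verdicts.append(sa.unwrap(foreign)[0])                   # sender lacks the SA key
    verdicts.append(sa.unwrap(esp_wrap(0x1000, 3, b"S1-AP UEContextRelease", key))[0])
    verdicts.append(sa.unwrap(esp_wrap(0x1000, 2, b"late but genuine", key))[0])  # reordered, in window
    verdicts.append(sa.unwrap(esp_wrap(0x2000, 4, b"wrong SA", key))[0])
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The ordering in `unwrap` matters for a gateway facing many eNodeBs: the SPI lookup and replay window are cheap integer operations, so traffic that is going to be discarded anyway never reaches the HMAC, which is where the per-packet cost lives. The reordered packet with sequence number 2 is still accepted after 3 because it lies inside the window and has not been seen before; a second copy of it would be dropped.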
The NDS/IP architecture in Figure 1 is represented in a practical deployment perspective in Figure 2 below:

Figure 2. Practical view of Security Domains in LTE Mobile Network
With this depiction it is easy to see how the conceptual 3GPP NDS/IP architecture is applied to a practical LTE
deployment. In summary:
- The Za interface aligns to the S8 interface between the Home and Visited PLMN, or between the Home PGW and
Visited SGW, for example.
- The Zb interface aligns with S1 and X2 within the individual operator's LTE network. Zb applies between NEs,
or between an NE and a SEG, in a single security domain that is under the control of a single operator.
- The Zb interface between the SEG and EPC-based NEs is optional, since these nodes are likely collocated in
the same data center or residing on the same private LAN; therefore IPsec and IKE are not
required.
- The NE represents any network node deployed and belonging to the E-UTRAN, EPC, and/or IMS
domains, such as an eNodeB, MME, CSCF, etc.
- Security for the EPC-to-Internet connection point (SGi interface) is not within the scope of NDS/IP.
A Practical Technical Specification for Domain Security: H(e)NB Architecture
3GPP TS 33.320 specifies a security framework for the H(e)NB system architecture while implementing the
principles outlined in the NDS/IP security domain specification featured in the previous section. H(e)NBs (3G or
4G femtocells) are typically located at the customer's premises, i.e. in the end user's home, and the backhaul
typically traverses an unsecured fixed-broadband Internet connection. Because of this, the H(e)NB accesses the
operator's security domain via the Security Gateway (SEG).
Operationalizing LTE Network Security
In the previous sections we reviewed the network security requirements defined by 3GPP for LTE/SAE networks.
In this section we will examine the risks across the different LTE network interfaces and drill into the available
solutions for securing the S1 Interface.
Primary Security Domains
The diagram in Figure 3 depicts a recognizable view of the Home and Visited LTE/EPC network architecture and
their key network interfaces. Highlighted are the critical areas where distinct network security requirements
demand equally distinct solutions.

Figure 3. Contemporary view of LTE network security domains
Aside from the interface naming, the highlighted areas can be further described or classified as the following
categories:
- Mobile Access Border (RAN-to-EPC / S1)
- Internet Border (EPC-to-Internet / SGi)
- Partner Border (EPC-to-EPC / S8)
Identifying the Risks
Industry and standards bodies, including 3GPP, ITU-T and NGMN, have analyzed the threats and risks of each of
the security domains described previously and recommended specific mitigation mechanisms for each domain.
This analysis, including the signaling load risks and mitigations identified by Stoke's primary research with the
University of Surrey, is summarized in the figure below.
Security Domain: Mobile Access Border (RAN-to-EPC / S1)
  Threats / Risks:
  - Physical AP compromise (primarily for small cells)
  - DDoS from compromised eNB / small cell
  - User-plane packet injection
  - Packet interception (eavesdropping)
  - Packet modification (man-in-the-middle)
  - Signaling overload
  Mitigation Strategies: 3GPP SEG
  - Strong authentication, authorization
  - PKI
  - IKEv2
  - IPsec ESP
  - LTE S1 Firewall (GTP, S1-AP)

Security Domain: Internet Border (EPC-to-Internet / SGi)
  Threats / Risks:
  - IP / port scanning
  - EPC IP address exposure
  - Unauthorized EPC network access
  - Malware / virus implanted on UE(s)
  - DDoS attacks on EPC via SGi
  Mitigation Strategies: Internet Firewall
  - Stateful firewall
  - NAT
  - DDoS mitigation
  - IDS/IPS
  - Malware detection / blocking
  - Anti-virus scanning / blocking
  - Heuristics

Security Domain: Partner Border (EPC-to-EPC / S8)
  Threats / Risks:
  - Home EPC IP address exposure
  - IPX network compromise
  Mitigation Strategies: Border GW / Firewall
  - GTP firewall for control- and user-plane
  - NAT

Figure 4. Network security domain risk and mitigation summary
As outlined above, each of the described security domains possesses a unique array of threats or risks,
necessitating an equally unique set of solutions and strategies to minimize or eliminate the persistence and
impact of these threats. Notice that some overlap of solution characterization may occur, so it is important to
understand the differences between them and why specific solutions are targeted at specific security domains.
Comparison of Firewall types: S1 and Internet Firewalls
For example, the term Firewall is used in the solution description for both the EPC-RAN security domain and
the EPC-to-Internet security domain. The LTE S1 Firewall, such as the feature set provided by Stoke's Mobile
Border Agent solution (described later), exemplifies a set of stateful packet filtering, or firewall-like,
features that are specifically required at the RAN-EPC edge. These features are targeted at the unique set of
protocols that reside on the S1 and between RAN and EPC, such as SCTP, S1-AP, and GTP, and at the procedures being
executed, such as SCTP initialization, UE Attach/Detach Requests, Service Requests, S1/X2 Handover, and others,
in order to provide multiple dimensions of protection for the EPC.
Conversely, the Internet Firewall comprises a set of solution functions which are designed to reside at the border
between the EPC and other external IP networks, such as the Internet. It is here, in the EPC-Internet security
domain, where features such as a Stateful IP Firewall, Intrusion Detection/Prevention, and Network Address
Translation (NAT) are required and can be most effective.
For NAT specifically, whose purpose is to conceal internal UE and EPC IP addressing from external IP
networks like the Internet, it is wholly impractical to implement this function at the EPC-RAN security domain:
UE mobility, and the fact that the UE IP anchor point (i.e. the PDN-GW) resides within the EPC and behind the
RAN-EPC edge, would inherently negate the NAT function and disrupt normal EPC functions.
Choosing the Right Solution for the Mobile Access Border
As described in earlier sections, 3GPP recommends the use of a Security Gateway enabled with IPsec to mitigate
the threats faced on the interfaces between RAN and EPC. However, an operator can choose to enable IPsec
functionality in a number of different network elements:
- Existing EPC node (such as an MME)
- Multi-Service Firewall or Multi-Service Edge Router, or
- Standalone security gateway
IPsec adds overhead to every encrypted packet but, more importantly, places a large processing burden on any
network node required to encrypt or decrypt the packets. The throughput of most multi-service firewall or
routing systems will degrade by at least 50% when IPsec is enabled. The performance degradation is even higher
when that same equipment is required to process large volumes of smaller packets (such as with VoLTE).
Additional hardware can, of course, be added to boost throughput, but this adds equipment costs (CAPEX) as
well as increasing recurring space and power (OPEX) expenses. Below are some details of the various solution
options.
EPC Nodes with SEG
Adding the security function to EPC network nodes (such as the SGW or MME) may appear financially
compelling in the short term, as it re-uses embedded equipment, but in the long term it may greatly overload
capacity on these nodes, reducing performance and available capacity. In particular, relying on the
EPC's security functionality introduces significant processing requirements that can degrade overall EPC
performance, and may not provide the highest possible level of protection. More importantly, expensive
network core capacity may be better utilized for growth or as a hedge against an unexpected surge in
traffic demand, rather than to provide security.
Multi-Service Firewall Solution
Vendors that offer multi-service equipment with a broad range of firewall and intrusion prevention
features often include IPsec as a value-added feature. However, these platforms, designed to provide
flexibility for multiple functions, are not optimized for the significant challenges of IPsec encryption and
may sacrifice performance to achieve that flexibility. The majority of the stateful firewall and intrusion
prevention features these solutions include provide no benefit to operators when applied at the RAN-
EPC edge, because these are not functions that are needed there, per 3GPP recommendations. Essentially,
operators will be paying for features they cannot use and sacrificing performance that is critically
important.
Multi-Service Router Solution
Similar to multi-service firewalls, many multi-service router vendors provide IPsec as a value-added
feature in their products. Typically this functionality is achieved through the addition of a services blade,
which is comprised of generic hardware processors not optimized to execute the heavy cryptographic
functions of IPsec. The trade-off operators must make for consolidated functionality is extensive
hardware costs to achieve the desired scale and performance, as well as limited growth capability for the
actual IP routing and switching functions that the MSER is designed for, due to service blades occupying
valuable slot real estate in the MSER chassis.
Standalone Security Gateway
A stand-alone gateway, optimized to handle the processing-intensive IPsec functions, can provide the
needed security and aggregation functionality without overloading existing EPC elements or deploying
sub-optimal equipment. From a total cost of ownership (TCO) perspective, the ability to provide
scalability, end-to-end encryption, high power efficiency and better control over OPEX may increasingly
weigh in favor of standalone solutions to address IPsec functions.
Recommended Solutions
Considering the information presented above, Stoke's recommended deployment architecture and placement of
solution-specific network equipment is shown in the diagram below.

Figure 5. Recommended equipment types for each security domain. (Diagram labels recovered from the figure: HPLMN; Internet; Home Evolved Packet Core; IPX; Standalone SEG; Border GW w/ FW; Stateful Firewall w/ NAT.)
The solution-specific recommendation is critical; otherwise operators will be constantly dealing with compromises
and trade-offs. The core design principles for the security network element on one interface will sacrifice
performance, capabilities, and/or attention to detail on another. For example, an Internet firewall is optimized
for maximum flow capacity and high-rate transactions, with perhaps a few VPNs using IPsec only as an add-on
feature. This is the right design decision for the SGi interface, but not for either S8 or S1. In addition,
selecting one product that is a fit for two or even all three secure interfaces may be possible, but it offers only
false promise. Ultimately the compromises will surface, requiring a disproportionate investment in that network
element or, worse, a potential security breach and a wholesale change-out.
The table below lists the security device and functions for which operators should seek best-of-breed
performance on each interface requiring security.
Security Domain: Mobile Access Border (RAN-to-EPC / S1)
  Recommended Product: Purpose-built, standalone Security Gateway
  Functions Provided:
  - Strong authentication and authorization provided by IKEv1/v2 and PKI protocols such as CMPv2 and CRLv2
  - Full data confidentiality, integrity, and authentication provided by IPsec ESP protocols and crypto algorithms
  - LTE S1 Firewall (GTP, S1-AP firewall) for signaling overload protection

Security Domain: Internet Border (EPC-to-Internet / SGi)
  Recommended Product: Multi-functional security platform
  Functions Provided:
  - Stateful Firewall
  - Network Address Translation (NAT) to protect internal addressing
  - IDS/IPS
  - Content filtering

Security Domain: Partner Border (EPC-to-EPC / S8)
  Recommended Product: Multi-functional Border Gateway
  Functions Provided:
  - GTP firewall for control- and user-plane
  - NAT

Figure 6. Recommended product and functions summary.
Looking Forward: Demands are Evolving
VoLTE Increases Capacity Requirements
Best of breed performance in the S1 security gateway will become especially important as operators add VoLTE
into their networks. This is due to the real-time, latency-sensitive nature of voice traffic and the fact that voice is
transmitted in very small packet sizes (64 bytes), which taxes the processing capacity of most gateway
equipment.
Operator and industry data shows that average packet sizes are decreasing due to the growth of high-volume,
small-packet 4G applications such as VoLTE and M2M apps. As the average packet size decreases, the number
of packets per second at the same volume of traffic increases dramatically. This is important to network element
dimensioning because network elements designed and optimized for a standard Internet traffic mix (IMIX) will
underperform and have a major negative impact on users' Quality of Experience (QoE).
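The ESP overhead noted under "Choosing the Right Solution for the Mobile Access Border" and the packet-size effect described here can be quantified. The Python below is an added example, not data from the paper or from Stoke: it computes the size on the wire of an inner IPv4 packet after ESP tunnel-mode encapsulation for two common cipher suites (framing per RFC 4303, with 4-byte alignment for AES-GCM per RFC 4106), the resulting payload efficiency, and the packet rate a gateway must sustain to fill a given line rate. The 10 Gbps line rate, the packet sizes and the 38-byte Ethernet framing overhead (preamble, header, FCS, inter-frame gap) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Added example, not from the paper or from Stoke: ESP tunnel-mode framing per
# RFC 4303 for two common suites, and the packet rate that follows from a given
# line rate. Sizes, rates and framing overhead below are illustrative assumptions.

OUTER_IPV4 = 20     # new outer IP header added by tunnel mode
ESP_HEADER = 8      # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
ETH_FRAMING = 38    # preamble/SFD 8 + header 14 + FCS 4 + inter-frame gap 12 (assumed)


@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int        # explicit IV carried in the packet
    align: int         # ciphertext alignment (cipher block size, or 4 for AEAD)
    icv_len: int       # integrity check value


AES_CBC_HMAC_SHA1 = EspProfile("AES-128-CBC + HMAC-SHA1-96", iv_len=16, align=16, icv_len=12)
AES_GCM_16 = EspProfile("AES-GCM with 16-byte ICV", iv_len=8, align=4, icv_len=16)


def esp_padding(inner_len: int, profile: EspProfile) -> int:
    """Bytes of padding so that payload + pad + trailer is a multiple of the alignment."""
    return (-(inner_len + ESP_TRAILER)) % profile.align


def esp_tunnel_size(inner_len: int, profile: EspProfile) -> int:
    """IP-layer size of an inner IPv4 packet of inner_len bytes after ESP tunnel encapsulation."""
    return (OUTER_IPV4 + ESP_HEADER + profile.iv_len + inner_len
            + esp_padding(inner_len, profile) + ESP_TRAILER + profile.icv_len)


def packets_per_second(line_rate_bps: float, ip_len: int, framing: int = ETH_FRAMING) -> float:
    """Packet rate at which ip_len-byte IP packets (plus Ethernet framing) fill a link."""
    return line_rate_bps / ((ip_len + framing) * 8)


def dimensioning_table(inner_sizes, profile: EspProfile, line_rate_bps: float = 10e9) -> list:
    """One row per inner packet size: wire size, payload efficiency and required packet rate."""
    rows = []
    for inner in inner_sizes:
        wire = esp_tunnel_size(inner, profile)
        rows.append({
            "inner_bytes": inner,
            "wire_bytes": wire,
            "efficiency": inner / wire,
            "pps": packets_per_second(line_rate_bps, wire),
        })
    return rows


def rate_ratio(small: int, large: int, profile: EspProfile) -> float:
    """How many times more packets per second a link carries at the small size than at the large one."""
    return (packets_per_second(1.0, esp_tunnel_size(small, profile))
            / packets_per_second(1.0, esp_tunnel_size(large, profile)))


if __name__ == "__main__":
    for profile in (AES_CBC_HMAC_SHA1, AES_GCM_16):
        print(profile.name)
        for row in dimensioning_table([64, 384, 512, 1400], profile):
            print("  inner %5d B -> wire %5d B  efficiency %.2f  %.2f Mpps at 10 Gbps"
                  % (row["inner_bytes"], row["wire_bytes"], row["efficiency"], row["pps"] / 1e6))
```

Running the block shows why small packets dominate the dimensioning: with AES-CBC and HMAC-SHA1-96, a 64-byte packet becomes 136 bytes on the wire (payload efficiency 0.47) and at 10 Gbps the gateway must process about 7.2 million packets per second, roughly 8.6 times the rate needed for 1400-byte packets. For comparison, the paper's figure of 20.8 million packets per second at 96-byte packets works out to 16 Gbps when Ethernet framing overhead is not counted (96 bytes x 8 bits x 20.8 million per second is about 16 Gbit/s).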
Small Cells Increase Tunnel Scale Requirements
As we consider the evolution of LTE networks from today's macro deployments of several thousand or tens of
thousands of sites to potentially tens or hundreds of thousands more small cells (pico/femto), we must consider the
impact on the EPC network architecture and, in the case of this document, on the Security Gateway.
The initial impact is obvious: tunnel scale. Each and every access point will have an IPsec tunnel established
with the SEG to provide RAN-EPC security. Even those operators who have initially opted not to deploy a SEG
for their macro LTE RAN backhaul are planning to deploy a SEG to provide security for LTE small cells. The
primary reason is that small cells will in most cases use unknown backhaul across the
Internet or some other unknown/untrusted backhaul provider network, which presents the same risks to the
operator network as identified earlier in the document.
Security eXchange - Stoke's LTE Security Gateway Solution
Purpose-built, Standalone Security Gateway
Stoke's Security eXchange, provided via the SSX-3000 system, is designed specifically to fulfill the SEG
requirements of the mobile access border. Stoke Security eXchange addresses all the threats identified by 3GPP
and NGMN for the mobile access border (EPC-RAN / S1):
- Physical attack
- User-plane packet injection
- Packet modification
- Eavesdropping
- DDoS attacks from the network or UE
- Unauthorized access
- Compromise of eNodeB credentials
- User data and user identity privacy attacks
- Attacks on radio resources and management
The solution recommended by industry organizations is IPsec, plus strong authentication and authorization
mechanisms, namely IKE and PKI. To support this charter from standards, Stoke Security eXchange was built
with a very extensible IPsec solution in both performance and functionality, delivering IPsec functionality at line-
rate performance with high-rate throughput. The Stoke solution intentionally excludes features like stateful
firewall, IDS/IPS, and NAT functions that are unneeded at the Mobile Access Border and would otherwise
compromise IPsec performance.
VoLTE Ready
Stoke is prepared to meet the additional processing challenges of VoLTE. Figure 7 below compares a
representative competitor's performance to the Stoke SSX-3000 at different average packet sizes. With some
competitor equipment, performance (capacity) drops from 80% of line rate down to slightly above 40% - a loss of
almost 50% of capacity - when the average packet size changes from 512 bytes to 384 bytes.

Figure 7. Impact of voice on IPsec throughput
Small Cells Connectivity
New hardware and software enhancements will allow the Security eXchange to address the demand for small cell
connectivity. Planned hardware modules for the same SSX-3000 will increase IPsec tunnel scale to
over 5x current capacity and IPsec throughput to over 2x current performance.
Added Protection for the Mobile Access Border
IPsec tunnel scale and throughput are certainly not the only concerns. Stoke predicts that such a drastic
increase in the number of LTE access points introduces a corresponding increase in the risk of compromised
small cells, as well as increased network signaling and a greater risk of S1-borne signaling storms. LTE networks
must support a higher degree of growth, change and unpredictability in user equipment (UE), applications,
latency expectations, speed, and accelerating signaling and traffic load than ever previously anticipated. In
response to this trend, Stoke Security eXchange now includes Mobile Border Agent protection.
The Mobile Border Agent is a multi-dimensional software-based entity integrated with the Stoke Security
eXchange. While the Security eXchange still performs the discrete tasks of IPsec tunnel termination, the Mobile
Border Agent works toward protection and optimization goals at the dynamic LTE RAN-EPC border, on behalf of
the operator. Key characteristics of the Mobile Border Agent are:
- Multi-Dimensional Awareness: continually monitors S1 packets and correlates user plane, control
plane, RAN and session volume, state, and other data to identify anomalies and support network goals.
- Reference Network Model: maintains a reference model of connected eNodeBs and core elements,
normal network conditions, and threshold parameters that define reporting and action triggers.
- Policy Based Enforcement Action: enacts specific actions to protect service availability and network
assets, interacting with other EPC elements and network management systems to deploy flood
prevention and network protection policies.
- Data Collection/Reporting: collects data and reports back to network operators, providing a
comprehensive perspective of the network.
Deeper integration with EPC network elements will allow the Mobile Border Agent to be further enhanced to
respond dynamically to externally triggered events in order to implement protective policies. Examples of
protective security policies include:
- Message flood prevention
- Malicious endpoint detection
- Enhanced analytics
- Malicious subscriber traffic filtering
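As an added illustration of the reference-model, flood-prevention and endpoint-detection ideas above (example code written for this page, not Stoke's Mobile Border Agent implementation), the Python below keeps a per-eNodeB baseline of expected S1-AP message rates, counts messages per eNodeB per one-second bucket from a constructed control-plane event log, and emits a policy action when a known eNodeB exceeds its threshold or when a node absent from the reference model shows up on S1. The log line format, the eNodeB names, the baselines and the threshold factor are all assumptions; the S1-AP procedure names are standard ones.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Added example (written for this page; not Stoke's Mobile Border Agent code).
# Reference model, log format, eNodeB names and thresholds are constructed assumptions.

# Reference network model: eNodeBs expected on S1 and their normal peak
# S1-AP message rate (messages per second); threshold = baseline * factor.
REFERENCE_MODEL = {
    "ENB-0001": {"baseline_mps": 50, "threshold_factor": 3.0},
    "ENB-0002": {"baseline_mps": 50, "threshold_factor": 3.0},
}


def build_sample_log() -> list:
    """Constructed S1 control-plane event log (one line per S1-AP message)."""
    lines = []

    def emit(second, enb, proc, count):
        lines.extend(f"2013-08-01T10:00:{second:02d}Z enb={enb} proc={proc}" for _ in range(count))

    emit(0, "ENB-0001", "InitialUEMessage", 25)
    emit(0, "ENB-0001", "UEContextReleaseRequest", 15)
    emit(1, "ENB-0001", "InitialUEMessage", 30)
    emit(1, "ENB-0001", "PathSwitchRequest", 15)
    emit(0, "ENB-0002", "InitialUEMessage", 40)
    emit(1, "ENB-0002", "InitialUEMessage", 180)   # burst of attach / service request signaling
    emit(1, "ENB-0002", "UEContextReleaseRequest", 20)
    emit(1, "ENB-9999", "InitialUEMessage", 3)     # node not present in the reference model
    return lines


def parse_line(line: str):
    """Parse 'ISO-timestamp enb=<id> proc=<S1-AP procedure>' into (epoch second, enb, proc)."""
    ts, enb_field, proc_field = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return int(when.timestamp()), enb_field.split("=", 1)[1], proc_field.split("=", 1)[1]


def analyze(log_lines, model=REFERENCE_MODEL) -> list:
    """Count S1-AP messages per eNodeB per second and return policy actions for anomalies."""
    counts = defaultdict(Counter)              # (enb, second) -> Counter of procedures
    for line in log_lines:
        second, enb, proc = parse_line(line)
        counts[(enb, second)][proc] += 1

    alerts = []
    for (enb, second), procs in sorted(counts.items()):
        total = sum(procs.values())
        if enb not in model:
            # Endpoint not in the reference model: treat as unauthorized until provisioned.
            alerts.append({"enb": enb, "second": second, "kind": "unknown_endpoint",
                           "count": total, "action": "do not admit S1 setup; notify NMS"})
            continue
        limit = model[enb]["baseline_mps"] * model[enb]["threshold_factor"]
        if total > limit:
            # Report which procedure dominates the burst so the rate limit can be targeted.
            dominant, dominant_count = procs.most_common(1)[0]
            alerts.append({"enb": enb, "second": second, "kind": "signaling_flood",
                           "count": total, "limit": limit,
                           "dominant_proc": dominant, "dominant_count": dominant_count,
                           "action": f"rate-limit {dominant} from {enb} to {int(limit)} msg/s; notify NMS"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

Against the constructed log, ENB-0001 stays under its 150 msg/s threshold in both seconds and produces nothing, ENB-0002 crosses it in the second bucket (200 messages, 180 of them InitialUEMessage) and gets a targeted rate-limit action, and ENB-9999 is reported as an endpoint the reference model does not know. A production agent would use the same structure with a sliding window and per-procedure baselines; the fixed one-second buckets here keep the logic readable.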
Performance without Compromise
Stoke Security eXchange consistently surpasses other LTE Security Gateway providers in all key performance
measurements. Stoke performance has been validated through actual commercial deployments, multiple tier 1
operator trials and tests, and internal QA analysis. Specifically, Stoke SSX-3000 has:
- Highest throughput: 16 Gbps per RU
- Highest packets per second: 20.8 million PPS per RU, i.e. line rate with 96-byte packets
- Lowest latency: <40 microseconds (even at small packet sizes)
- Lowest power: 15 W per Gbps of throughput
- High availability: >99.999% availability, 284-year MTBF
Conclusions
Security Gateway Recommended for Mobile Access Border Protection
LTE/EPC network security covers several distinct domains, each faced with a unique set of security risks and
corresponding solutions in order to mitigate or minimize the impact of those risks being exposed or exploited.
For each of these distinct domains, several standards bodies and well-known industry groups have converged to
make specific and unique recommendations to address each part of the network.
For the Mobile Access Border (RAN-EPC) network security domain, these industry groups have recommended a
purpose-built Security Gateway platform, using IPsec as the encryption protocol combined with strong
authentication and authorization. Other network boundary areas have also been given distinct
recommendations, such as intrusion prevention, network address translation, malware detection, and anti-virus
protection for the EPC-to-Internet (SGi) interface.
While multi-functional platforms may provide similar feature sets, such as IPsec, their underlying design, built to
support a broad spectrum of functionality, forces operators to face trade-offs in terms of performance and cost.
Poor performance increases equipment costs as well as operational costs for maintenance, space, and power. As
operator networks continue to evolve with VoLTE and require even higher throughput, the economic impact of
the initial decision is magnified over time. In addition, these multi-function platforms may not provide other
valuable RAN-EPC functions such as signaling protection and policy-based enforcement.
Stoke Security eXchange
The Stoke Security eXchange, including the Mobile Border Agent software, is an evolved security gateway that
extends the 3GPP definition to include expanded functionality to optimize and protect LTE core resources against
signaling events and attacks that can impair or paralyze service. The solution includes several functions that add
a layer of general security at the mobile border and enable enforcement action based on higher-layer (S1-AP)
analysis.
The Stoke Security eXchange maintains line-rate performance, even when performing encryption/decryption
at the packet rates experienced when average packet sizes drop while supporting key applications like
voice. This means that the capacity specified for each line card or system does not diminish as the operator
network and services mature and network average packet sizes change. This dramatically simplifies operator
sizing estimates and reduces the requirement to add equipment as the network traffic profile changes over time.
Next generation mobile networks will include a much more complex topology of overlapping LTE access types;
including macro cells, indoor and outdoor small cells, and consumer femto cells, as well as Wi-Fi access points
and shared networks. Stoke Security eXchange with Mobile Border Agent can provide much needed visibility
and control in this fast growing, highly dynamic and critical area of the network.


References

NGMN Alliance. (2012). Security in LTE backhauling.
Lescuyer, P. L. (2008). Evolved Packet System (EPS): The LTE and SAE Evolution of 3G UMTS. West Sussex,
England: John Wiley & Sons Ltd.
Olsson, M. S. (2013). EPC and 4G Packet Networks: Driving the Mobile Broadband Revolution (2nd ed.). Oxford,
England: Elsevier.
Paolini, M. (2013). Radio-to-core protection in LTE: The widening role of the security gateway. Senza Fili.
