Securing The Mobile Network
AVIAT NETWORKS
WHITE PAPER
TABLE OF CONTENTS
Introduction
Impact of an Unsecure Mobile Network
Benefits of Secure Mobile Networks
Importance of Securing the Microwave Network
Definition of Security Enforcement
    ITU-T X.800 Threats Model
    Physical Site and Equipment Security
    Secure Management
    Centralized User Management
    Payload Encryption
2G and 3G Network Security
4G Mobile Network Security
Solutions for LTE Microwave Backhaul Segments
Customer Use Case
    MTN Ghana Use of RADIUS
Summary
INTRODUCTION
In an era of ubiquitous broadband communication at work and at home, the issue of security in mobile backhaul is more important than ever. The new generation of LTE wireless technology enables applications such as mobile commerce, voice over IP (VoIP) and high-definition video delivery to smartphones, but it has also opened gaps in the security foundation that pre-LTE architectures and applications had established. This white paper discusses the growing need for security in mobile backhaul in terms of its benefits to MNOs and to society.

Aside from technology drivers, public concern over personal privacy and government preoccupation with national security are both pushing Mobile Network Operators (MNOs) to protect the confidentiality, integrity and availability of information.
The impact of that event has had far-reaching consequences in the technology industry and in political relations between the United States and China. Dating back to March 2005 is arguably the most infamous criminal mobile network breach of all time, the scandal dubbed "The Athens Affair" by Vassilis Prevelakis and Diomidis Spinellis. In that breach of the Vodafone Greece mobile network, rogue software was illegally implanted in the operator's switching centers, diverting copies of the calls of targeted Vodafone subscribers, including sitting government ministers, to other phones where they could be unlawfully listened to. It was a highly sophisticated compromise of the network that most carriers could not have prevented; however, one reason Vodafone received scathing publicity was that it purportedly mishandled the system log files that would have documented the intrusion, a failure that a more robust security mechanism, such as centrally collected and protected logs, could have prevented. Two years after the incident, Vodafone was fined €76 million.
All the effort a corporation expends to build strong brand value can easily be wiped out by just one security breach.
IMPORTANCE OF SECURING THE MICROWAVE NETWORK
Microwave is usually one part of a larger network of connected elements in a backhaul design, so it is important that security weaknesses do not make it the weak link in the chain. Specific security threats to microwave equipment include misconfiguration of, or tampering with, provisioning information, whether by malicious intruders or disgruntled employees; industry studies have put the share of hacking activity perpetrated by insiders, or by people with physical access to the equipment, at anywhere from 50 to 90 percent. In addition, operators may carry traffic for government and financial institutions and other critical traffic across their microwave equipment, and such traffic has strict security requirements at every point it traverses in the network. Lastly, the migration from TDM to IP as part of the evolution from 2G to 3G and 4G has exposed the microwave segment of the backhaul to security concerns stemming from the distributed nature of IP networks.

Carrying critical management and data traffic over unsecured networks means that some form of encryption may be needed, beyond physical equipment and site security alone. This applies to both microwave and fiber networks.
MNOs can fend off these threats by implementing several types of security mechanism, described below.

PHYSICAL SITE AND EQUIPMENT SECURITY
Whether the site is a macro base station tower or an emerging small cell on a busy urban street lamp, devices such as radios, switches and routers can be tampered with unless some level of equipment protection is provided. Many devices include telemetry that alerts or alarms the network operator if a port card, control unit, backup battery or fan is removed, and specialized card pullers and security screws are typically used to keep the network element protected. Tamper-evident labels can additionally be used to detect intrusions.

SECURE MANAGEMENT
Secure Management is about securing access to and control of the microwave radio. Messages sent from the Network Operations Center (NOC) to the radio are protected so that they cannot be read, altered or spoofed by unauthorized users. Secure Management also protects against accidental or unintentional misconfiguration of the network. It adds several layers of security and should be implemented in a manner that is FIPS 140-2 Level 2 compliant.

CENTRALIZED USER MANAGEMENT
RADIUS is one mechanism that can be used to provide centralized user management for a network. RADIUS provides Authentication, Authorization and Accounting (AAA) for remote user accounts from a central server rather than from per-device account tables, which greatly simplifies and speeds up changes to user accounts, for example revoking the access of a departed employee or contractor in one place rather than on every radio. Because the credentials are held centrally, password expiry and complexity rules can be enforced on the RADIUS server according to company policy.

PAYLOAD ENCRYPTION
There are various forms of payload encryption, one being IPsec (Internet Protocol Security). IPsec requires that the two endpoints authenticate each other and negotiate session keys (typically with IKE) to set up a security association, after which every packet is encrypted and integrity-protected with those keys. IPsec has its challenges in mobile networks, namely the cost and complexity of implementation and its historical association with IPv6 (IPsec support was originally mandatory in IPv6 stacks, although it runs equally over IPv4).
In the microwave radio domain, payload encryption can be achieved by applying AES to both management and data traffic over the link. This prevents eavesdropping on the wireless path: anyone snooping along the transmission path between the two ends of a link, or in the vicinity of a transmitter, receives only ciphertext. At a minimum, radios should support AES with 128- or 256-bit symmetric keys, with the keys generated randomly and negotiated between the two ends of each link using an industry-standard key agreement method such as Diffie-Hellman with a modulus of at least 2048 bits. Note that AES on its own provides confidentiality only; if the payload must also be protected against undetected modification, it has to be authenticated as well, with an authenticated mode of operation or a message authentication code over the ciphertext. Payload Encryption should be implemented in compliance with FIPS 197, which defines AES. AES is widely regarded as one of the leading encryption schemes worldwide and is accepted by the most demanding entities, such as the US Government and US Military.
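The key agreement step described above, worked through as an added example that is not Aviat code and does not come from this paper: the two ends of a link run ephemeral Diffie-Hellman over the 2048-bit MODP group of RFC 3526 (group 14), which is an assumption about which "industry-standard key agreement method" the paper means, and then derive a 128- or 256-bit AES link key from the shared secret with an HKDF-style HMAC-SHA256 step. The nonces, the key-derivation label and the validation routine are choices made here for illustration. The example validates the peer's public value before using it, which is the check a practitioner wants against a degenerate value injected on the wire.

```python
"""Ephemeral Diffie-Hellman key agreement between the two ends of a microwave
link, followed by derivation of an AES link key.  Added illustration, not
Aviat code.  Assumption: the 'industry-standard key agreement method' with a
2048-bit modulus is finite-field DH over RFC 3526 group 14 (generator 2)."""
import hashlib
import hmac
import secrets

# RFC 3526, group 14: 2048-bit safe prime p (q = (p-1)/2 is also prime), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2


def dh_keypair():
    """Fresh private exponent x and public value g^x mod p for one side of the link.
    A 256-bit exponent is ample for a 2048-bit group; it is never reused."""
    x = secrets.randbits(256) | (1 << 255)
    return x, pow(G, x, P)


def validate_public_value(y):
    """Reject peer values that would force a trivial or small-subgroup secret:
    anything outside 1 < y < p-1, and anything not of order q."""
    if not 1 < y < P - 1:
        raise ValueError("peer public value out of range")
    if pow(y, Q, P) != 1:
        raise ValueError("peer public value not in the prime-order subgroup")
    return y


def rejects_degenerate(y):
    """True if validate_public_value() refuses y (used to exercise the check)."""
    try:
        validate_public_value(y)
    except ValueError:
        return True
    return False


def shared_secret(private, peer_public):
    return pow(validate_public_value(peer_public), private, P)


def derive_link_key(secret_int, nonce_a, nonce_b, bits=256):
    """HKDF-style extract-then-expand with HMAC-SHA256: the DH secret is the input
    keying material, both sides' nonces are the salt, and the label is an
    illustrative constant.  Returns bits/8 bytes, i.e. an AES-128 or AES-256 key."""
    ikm = secret_int.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(nonce_a + nonce_b, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < bits // 8:
        block = hmac.new(prk, block + b"microwave-link-aes-key" + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[: bits // 8]


def negotiate_link_key(bits=256):
    """Run both ends of one link.  Each side sends (public value, nonce) to the
    other; each validates what it received and derives the key independently.
    Returns the two derived keys, which must be identical."""
    x_a, y_a = dh_keypair()
    x_b, y_b = dh_keypair()
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    key_a = derive_link_key(shared_secret(x_a, y_b), nonce_a, nonce_b, bits)
    key_b = derive_link_key(shared_secret(x_b, y_a), nonce_a, nonce_b, bits)
    return key_a, key_b


if __name__ == "__main__":
    k_a, k_b = negotiate_link_key(256)
    print("link keys match:", k_a == k_b, "key length bits:", len(k_a) * 8)
```

Python's standard library has no AES implementation, so the block stops at the derived key, which is what the radio's AES engine would be loaded with. Two caveats the paper does not cover: an unauthenticated Diffie-Hellman exchange is open to a man-in-the-middle between the two radios, so the exchange has to be bound to credentials provisioned on both ends (certificates or a pre-shared secret), and the derived key should be used in an authenticated mode, or with a MAC, so that modified ciphertext is detected rather than decrypted into garbage.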
FIPS 140-2 validation is required whenever encryption is specified in any US Federal procurement RFP.
SOLUTIONS FOR LTE MICROWAVE BACKHAUL SEGMENTS
The Strong Security suite from Aviat Networks offers solutions for protecting wireless communications, with options for Secure Management, Payload Encryption and integrated RADIUS capability.
Access control protection helps ensure that employees, and especially new hires, contractors and less-skilled staff, hold only the privileges appropriate to them. For local access this includes:
- Identity-based authentication
- Identity-based privileges
- Security warning banners
- Access control lists
- Automatic session timeout
- Disabling of unused ports, unsecured protocols and backdoors
- Encrypted storage and caching of user accounts

For remote access this includes:
- Secure tunneling (TLS)
- Disabling of unsecured protocols (e.g., Telnet)
- Secure software download (HTTPS)
- Closure of all engineering backdoors
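A small audit of the local-access and remote-access checklist above, as an added example that is not from this paper or from Aviat: it reads a device configuration in a hypothetical "keyword value" syntax (the syntax, the two sample configurations and the rule wording are constructed for this illustration; real radios differ) and reports the weak settings, with a hardened configuration beside the weak one so the corrected form of each setting is visible.

```python
"""Audit of a radio's management configuration against the access-control
checklist: added illustration, not Aviat code.  The 'keyword value' syntax
and both sample configurations are constructed for this example."""
import shlex

# Constructed weak configuration: what an audit should flag.
WEAK_CONFIG = """\
hostname radio-site-12
management telnet enable
management ssh enable
management http enable
management https enable
snmp version 2c community public
session-timeout 0
login-banner none
user admin privilege 15
user nocview privilege 15
"""

# The same device after hardening: every finding below is resolved.
HARDENED_CONFIG = """\
hostname radio-site-12
management telnet disable
management ssh enable
management http disable
management https enable
snmp version 3 user nocmon auth sha priv aes
session-timeout 10
login-banner "Authorized use only. All activity is logged."
user admin privilege 15
user nocview privilege 1
"""


def parse_config(text):
    """One token list per non-empty, non-comment line; quotes keep the banner whole."""
    return [shlex.split(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def audit(text):
    """Return the list of findings (an empty list means the checklist is satisfied)."""
    lines = parse_config(text)
    findings = []

    def present(*prefix):
        return any(t[:len(prefix)] == list(prefix) for t in lines)

    if present("management", "telnet", "enable"):
        findings.append("telnet enabled: clear-text remote login; disable it and use ssh")
    if present("management", "http", "enable"):
        findings.append("http enabled: unencrypted web management and software download; use https only")
    if not present("management", "https", "enable"):
        findings.append("https disabled: no TLS-protected remote management path")
    for t in lines:
        if t[:2] == ["snmp", "version"] and t[2] in ("1", "2c"):
            community = t[4] if len(t) > 4 else "?"
            findings.append(f"snmp v{t[2]} with community '{community}': no authentication "
                            "or encryption; use snmp version 3 with auth and priv")
        elif t[:1] == ["session-timeout"] and int(t[1]) == 0:
            findings.append("session-timeout 0: idle management sessions never expire")
        elif t[:1] == ["login-banner"] and t[1] == "none":
            findings.append("no login warning banner configured")
    full = [t[1] for t in lines
            if t[:1] == ["user"] and t[2:3] == ["privilege"] and int(t[3]) >= 15]
    if len(full) > 1:
        findings.append("more than one account holds full privilege: " + ", ".join(full))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
```

The last rule is the least-privilege check: the paper's "identity-based privileges" only help if read-only operators are not simply given the administrator level, so the audit flags every configuration in which more than one account holds full privilege.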
Finally, in the Network Operations Center (NOC), SNMPv3, NMS access control lists, encrypted remote backup and secured system logging are provided so that these security mechanisms can be enforced from a centralized point of control.
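The centralized user management described under CENTRALIZED USER MANAGEMENT earlier, together with the identity-based authentication and identity-based privileges listed above, shown as an added example of the RADIUS exchange between a radio (the network access server) and a central RADIUS server following RFC 2865. This is illustration code, not Aviat's and not from this paper; the user database, shared secret and account names are made up, and carrying the privilege level in the Service-Type attribute (Administrative-User versus NAS-Prompt-User) is one common way to return authorization, assumed here.

```python
"""RADIUS Access-Request / Access-Accept exchange between a microwave radio
(acting as network access server, NAS) and a central RADIUS server, following
RFC 2865.  Added illustration, not Aviat code; user database, shared secret
and the Service-Type privilege mapping are assumptions made for the example."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6          # attribute types
ADMINISTRATIVE_USER, NAS_PROMPT_USER = 6, 7                # Service-Type values

# Constructed central user database: username -> (password, Service-Type to grant).
USER_DB = {
    b"noc-admin": (b"correct horse battery", ADMINISTRATIVE_USER),  # full configuration rights
    b"field-tech": (b"staple-2013", NAS_PROMPT_USER),              # read-only prompt
}


def attribute(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data):
    """Type-Length-Value attribute list -> {type: value}; rejects malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[data[i]] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password()."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    request_auth = secrets.token_bytes(16)          # Request Authenticator: fresh random bytes
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response, request, secret):
    """NAS-side check: only a server holding the shared secret can produce this value."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def radius_server(request, secret, user_db=USER_DB):
    """Central server: authenticate the user, then authorize via Service-Type."""
    length = struct.unpack("!H", request[2:4])[0]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    entry = user_db.get(attrs.get(USER_NAME, b""))
    if request[0] != ACCESS_REQUEST or entry is None or not hmac.compare_digest(entry[0], password):
        return build_response(ACCESS_REJECT, request, secret)
    return build_response(ACCESS_ACCEPT, request, secret,
                          attribute(SERVICE_TYPE, struct.pack("!I", entry[1])))


def radio_login(username, password, secret, server_secret=None, ident=0x2A):
    """The radio's view of a login attempt.  server_secret lets the example show
    what happens when the server's copy of the shared secret does not match."""
    request = build_access_request(ident, username, password, secret)
    response = radius_server(request, secret if server_secret is None else server_secret)
    if not response_is_authentic(response, request, secret):
        return "discarded"          # RFC 2865: silently discard replies that fail the check
    if response[0] != ACCESS_ACCEPT:
        return "rejected"
    service = struct.unpack("!I", parse_attrs(response[20:]).get(SERVICE_TYPE, b"\0\0\0\0"))[0]
    return "admin" if service == ADMINISTRATIVE_USER else "prompt"


if __name__ == "__main__":
    shared = b"s3cr3t-shared-with-this-radio"
    for user, pw in ((b"noc-admin", b"correct horse battery"), (b"field-tech", b"wrong")):
        print(user.decode(), "->", radio_login(user, pw, shared))
```

The password hiding in RFC 2865 is an MD5-keyed stream and the Response Authenticator is an MD5 hash over the shared secret, so the exchange resists casual spoofing but not an attacker who can capture the traffic and guess a weak shared secret offline. In practice the radio-to-server path therefore belongs on the protected management network, or inside a TLS tunnel (RADIUS over TLS, RFC 6614). The block also shows the check the radio must make before honoring a reply: a response whose authenticator does not verify under the radio's copy of the shared secret is discarded, whatever its code.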
Traditionally, US federal government and military agencies and their contractors have been the primary users of high-level security solutions. Their networks must comply with the Federal Information Processing Standards: FIPS 140-2 for the cryptographic modules that protect management traffic and FIPS 197 for data payload encryption (AES). Because of the extensive validation and testing regimen that vendors must go through for their products, mobile and enterprise operators are increasingly adopting these standards as well.
mitigate unauthorized access to the equipment on site. This has helped MTN Ghana ensure that those who access the equipment are both authorized to do so and qualified to do the work permitted by the specific set of rights assigned to them within the security framework.

Securing the backbone in MTN Ghana: a backbone network of thousands of microwave radio links connects the nation.
SUMMARY
Security is a necessary function for both users and providers of mobile networks. Mobile network security involves several aspects, from physical site security to data encryption to secure management interfaces. The evolution of mobile networks to a flatter LTE architecture has uncovered new challenges in the security domain. Secure management is perhaps the most effective and simplest method to employ, especially in microwave backhaul segments. Aviat Networks provides a full suite of security mechanisms for its microwave product portfolio, a key enabler of reliable backhaul around the world.

Although many mobile operators may not yet appreciate the need for network security today, it will likely be required throughout all portions of the network over time, with microwave transport being a critical segment.
WWW.AVIATNETWORKS.COM
Aviat Networks, Inc. 2013 All Rights Reserved. Subject to change without notice. wp_Securing_MobNtwk_UNIV_17Sep13