NETWORK MANAGEMENT
Security in the LTE Network IP Threats By Robin Kent, Director of Operations, Adax Europe
Robin Kent discusses security and the move to a flatter, more IP-centric LTE architecture.
Security in IP networks continues to be of great concern to end users, network service providers and therefore to network equipment manufacturers and application developers. This concern is growing during the transition to an All-IP network. The list of security threats is well known: spam, viruses, worms, data theft, identity theft, identity spoofing, denial of service, distributed denial of service, eavesdropping, modifying data and replaying data are all concerning. Plus, with the move to a flatter, more IP-centric LTE architecture, new security risks are being exposed all the time.

The current trend towards smaller cell sites will increase in the LTE environment. Not only does that mean there are more network elements to manage, but these small cell sites tend to be located in less physically secure locations. Consequently, a large number of protocols and a large volume of data have to be handled by a processor whose primary job is running the application; the threat cannot be ignored, however, and the data travelling through that processor must be protected.

IPsec has been defined by 3GPP as the security protocol for both Control and User Plane applications in LTE. It is ideally suited to this type of switching and routing application, whereas MACsec is more prevalent in endpoints and SSL/TLS is the security protocol of choice for application servers.

Control plane security relies on complex logic and tends to be software based, whereas the data plane is more focused on the actual packet processing performance and relies heavily on the underlying hardware.

New Elements

The new network elements in the 4G/LTE All-IP world, such as the Mobility Management Entity (MME), Serving Gateway (SGW) and Packet Data Network Gateway (PGW), make up the core elements. DPI will also be required to make sense of the packet blizzard flowing through the network. Without DPI there is no way of knowing what protocols, services and applications are to be allowed, disallowed, billed for and prioritised. Based on both shallow and deep packet inspection, traffic management and priorities will be enforced.

These networks require new protocols, with SCTP and IPsec providing reliable and secure network signalling for the numerous Diameter interfaces and GTP-C, as well as SIP and RADIUS. Bearer services on the S1-U from the MME, and RTP with SRTP, also require these types of lower layer protocols.

The Evolved Packet Core (EPC) is the IP-based core network defined by 3GPP for LTE and other access technologies. The goal of EPC is to provide a simplified all-IP core network architecture that gives efficient access to various services. LTE enables operators to support a wide variety of access types using a common core network.

The Mobility Management Entity (MME) is the termination point in the network for ciphering/integrity protection of NAS signalling and handles the security key management. Lawful interception of signalling is also supported. The MME provides a control plane function for mobility between LTE and 2G/3G access networks, with the S3 interface from the SGSN terminating at the MME.

The Serving Gateway (SGW) is the termination point of the packet data interface towards E-UTRAN. The SGW routes and forwards user data packets, while also acting as the mobility anchor for the user plane during inter-eNodeB handovers and as the anchor for mobility between LTE and other 3GPP technologies.

The PDN Gateway (PGW) is the termination point of the packet data interface towards the Packet Data Network. As an anchor point for sessions towards the external Packet Data Networks, the PGW also supports Policy Enforcement features, packet filtering and evolved charging support. The PGW provides connectivity from the UE to external Packet Data Networks by being the point of exit and entry of traffic for the UE.

The Policy Control and Resource Function (PCRF) server manages the service policy and sends QoS setting information for each user session together with accounting rule information. The PCRF server combines the Policy Decision Function (PDF) and the Charging Rules Function (CRF).
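As an added example (not code from the article or from Adax), the following shows the shallow-inspection step that the DPI paragraph describes, applied to the backhaul protocols the article lists. It reads the IPv4 header, maps the transport protocol and port to an EPC interface (S1-MME/S1AP over SCTP, GTP-C and GTP-U over UDP, Diameter over SCTP) and flags any control- or user-plane packet carried in clear text rather than inside IPsec ESP, which is the 3GPP choice for both planes. The port table, the sample packets and the policy that everything on these interfaces must be ESP-protected are assumptions made for the illustration; the port numbers are the well-known IANA assignments, not values taken from the article.

```python
"""Shallow inspection of LTE backhaul packets: classify by EPC interface and
flag control/user-plane traffic that is not wrapped in IPsec ESP.
Added illustration; packets are constructed inline, and the classification
table and protection policy are assumptions, not data from the article."""
import struct

IPPROTO_ESP, IPPROTO_UDP, IPPROTO_SCTP = 50, 17, 132

# Well-known port assignments for the interfaces the article names (assumed
# here; the IANA registry is the authoritative source).
PORT_TABLE = {
    (IPPROTO_SCTP, 36412): ("S1-MME (S1AP)", "control"),
    (IPPROTO_UDP, 2123): ("GTP-C", "control"),
    (IPPROTO_UDP, 2152): ("GTP-U (S1-U)", "user"),
    (IPPROTO_SCTP, 3868): ("Diameter", "control"),
}


def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Construct a minimal IPv4 packet (IHL=5, no options) as test input."""
    def ip2b(a):
        return bytes(int(x) for x in a.split("."))
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ip2b(src), ip2b(dst))
    return hdr + payload


def transport_header(proto, sport, dport):
    """Construct a bare UDP (8 bytes) or SCTP common (12 bytes) header."""
    if proto == IPPROTO_UDP:
        return struct.pack("!HHHH", sport, dport, 8, 0)
    if proto == IPPROTO_SCTP:
        return struct.pack("!HHII", sport, dport, 0, 0)
    raise ValueError("unsupported transport")


def classify(pkt):
    """Return (label, plane, protected) for one raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if proto == IPPROTO_ESP:
        # ESP hides the inner headers; presence of ESP is all we can see here.
        # A real check would also match the SPI against the expected SA/peer.
        return ("IPsec ESP", "unknown", True)
    body = pkt[ihl:]
    if proto in (IPPROTO_UDP, IPPROTO_SCTP) and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        for port in (dport, sport):   # either side may hold the well-known port
            if (proto, port) in PORT_TABLE:
                label, plane = PORT_TABLE[(proto, port)]
                return (label, plane, False)
    return ("other", "unknown", False)


def audit(packets):
    """Return labels of clear-text packets that the assumed policy requires
    to travel inside ESP (all control- and user-plane interfaces)."""
    findings = []
    for pkt in packets:
        label, plane, protected = classify(pkt)
        if not protected and plane in ("control", "user"):
            findings.append(label)
    return findings


# Constructed sample capture: S1AP, GTP-U, an ESP packet, Diameter
SAMPLE = [
    build_ipv4(IPPROTO_SCTP, transport_header(IPPROTO_SCTP, 36412, 36412)),
    build_ipv4(IPPROTO_UDP, transport_header(IPPROTO_UDP, 2152, 2152) + b"\x30\xff\x00\x00"),
    build_ipv4(IPPROTO_ESP, b"\x00" * 16),
    build_ipv4(IPPROTO_SCTP, transport_header(IPPROTO_SCTP, 40000, 3868)),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify(p))
    print("unprotected:", audit(SAMPLE))
```

The design point is the one the article makes about small, less physically secure cell sites: anything leaving such a site on S1-MME, S1-U or towards Diameter peers should only ever be observable as ESP on the backhaul, so a clear-text S1AP or GTP packet at that point is a finding regardless of its contents. Deep inspection (looking inside GTP-U or Diameter) only becomes possible at the security gateway, after ESP has been terminated.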
NETCOMMS europe, Volume II, Issue 4, 2012, page 36
Policy Decisions

The PDF is the network entity where the policy decisions are made, such as allowing or rejecting the media request, using a new or existing PDP context for an incoming media request, and checking the allocation of new resources against the authorised maximum.
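The article names the MME as the termination point for NAS integrity protection and lists "modifying data" and "replaying data" among the threats. The following added example (mine, not the article's, Adax's or 3GPP's code) models the receiver side of that protection: a message carries a counter and a truncated MAC, and the receiver rejects anything whose MAC does not verify (modification) or whose counter does not advance (replay). HMAC-SHA256 and a plain 32-bit counter are stand-ins for the 3GPP NAS integrity algorithms and the NAS COUNT, and the key and messages are constructed for the illustration.

```python
"""Simplified model of integrity-protected, replay-checked signalling between
a UE and an MME. Added illustration: HMAC-SHA256 and a 32-bit counter stand in
for the 3GPP NAS integrity algorithm and NAS COUNT (assumption, not 3GPP code)."""
import hashlib
import hmac
import struct

MAC_LEN = 4  # NAS carries a 32-bit MAC-I, so the HMAC tag is truncated the same way


def protect(key: bytes, count: int, direction: int, msg: bytes) -> bytes:
    """Return count(4) || direction(1) || msg || MAC-I(4).
    direction 0 = uplink (UE to MME), 1 = downlink (assumed convention)."""
    if not 0 <= count < 2 ** 32:
        raise ValueError("count out of range")
    header = struct.pack("!IB", count, direction)
    mac = hmac.new(key, header + msg, hashlib.sha256).digest()[:MAC_LEN]
    return header + msg + mac


class Receiver:
    """Verifies MAC-I and enforces a strictly increasing count per direction."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_count = {0: -1, 1: -1}  # highest count accepted per direction
        self.rejected = []                 # reasons, in order, for dropped PDUs

    def accept(self, pdu: bytes):
        """Return the message body if the PDU is genuine and fresh, else None."""
        if len(pdu) < 5 + MAC_LEN:
            self.rejected.append("truncated")
            return None
        header, body, mac = pdu[:5], pdu[5:-MAC_LEN], pdu[-MAC_LEN:]
        count, direction = struct.unpack("!IB", header)
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time compare: a modified message or wrong key fails here
        if not hmac.compare_digest(mac, expected):
            self.rejected.append("bad-mac")
            return None
        if direction not in self.last_count:
            self.rejected.append("bad-direction")
            return None
        # Replay check: a count already seen, or an older one, is dropped
        if count <= self.last_count[direction]:
            self.rejected.append("replay")
            return None
        self.last_count[direction] = count
        return body


def demo():
    """Run one genuine, one tampered, one replayed and one fresh PDU through a
    receiver; returns (accepted bodies, rejection reasons)."""
    key = b"\x01" * 16                     # constructed stand-in for the NAS integrity key
    rx = Receiver(key)
    good = protect(key, 1, 0, b"ATTACH REQUEST")
    tampered = bytearray(good)
    tampered[7] ^= 0x01                    # flip one bit inside the message body
    results = [
        rx.accept(good),
        rx.accept(bytes(tampered)),
        rx.accept(good),                   # same PDU again: replay
        rx.accept(protect(key, 2, 0, b"SECURITY MODE COMPLETE")),
    ]
    return results, rx.rejected


if __name__ == "__main__":
    print(demo())
```

Note that the MAC is computed over the count and direction as well as the body; leaving the count out of the MAC would let a captured message be resubmitted with a fresh counter, and leaving the direction out would let an uplink message be reflected as downlink. The real NAS design binds the same inputs, plus a bearer identity, into the MAC-I.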
www.netcommseurope.com