Broadband.
New threats, new opportunities
• Patrick Donegan, senior analyst, Heavy Reading
• Christopher Flynn, head of security sales Europe, Nokia Networks
Recent security attacks Feb. 3, 2014
June 16, 2014
Security In Traditional Closed M2M Models
• Closed
• Reactive
• Security built in
• Restrictive
• Little customization
• Reporting of data
• Security a cost
• Re-use of security
Security In New Open M2M & IoT Models
• Cloud
• Control-oriented
• Third party apps
• Open
• Analytics
Potential threats to mobile networks
• Attacks with physical access to eNodeB
• Attacks with physical access to the transport network
• Insider attacks or human errors
• IP based attacks from external IP networks
• Attacks through mobile devices
• Attacks from other mobile networks
[Diagram labels: Core network, Internet]
Unauthorized access to operator network, base station and mobile core
Eavesdropping on subscriber data
[Diagram label: Protected inside trusted buildings]
Injection of malicious traffic (signaling & user plane)
Denial of service attacks against mobile core and security
Traffic protected by
3G protocol
BTS RNC SGSN / MME
• S1/X2 encryption
• Regional macro trends
• Security differentiator
[Chart: LTE Cell Sites With IPSec vs. LTE Cell Sites Without IPSec, 2012 to 2017]
Gi/SGi Firewall
Protecting the packet core from internet borne threats
SGI FW BGW
corporate PDN
“How often do DDoS attacks on your company's
mobile network originate from the following sources?”
The number of DDoS attacks impacting the mobile network is increasing.
Source: Heavy Reading’s Annual Mobile Network Security Survey October 2013
“How often do DDoS attacks on your company's
mobile network originate from the following sources?”
Today most attacks originate from the Gi/SGi interface.
More attacks should be expected from the RAN.
Source: Heavy Reading’s Annual Mobile Network Security Survey October 2013
Security for the GRX interface
Architecture
Security components:
Next Generation Perimeter Firewall
• Infrastructure & service protection
• IPX interconnect
[Diagram: home network and visited network connected over IPX / GRX and the Internet; elements shown: eNodeB, S-GW, SGSN, DNS, H-PCRF, V-PCRF, HSS; interfaces shown: SGi, S6a, S8]
Non-telco servers (email, Web, file sharing, FTP, Telnet!) are connected on the roaming network
[Diagram: OAM, IMS, VAS, GP, GI and charging/supporting services domains with their firewalls (OSS FW, IMS FW, VAS FW, GP FW, GI FW, CG-SSO FW) and elements (IP PBX, SGSN, GP DNS, GI DNS, DNS64, BGW, DCS, CGW), connected to the GRX network, corporate PDN and other PLMNs]
Threats:
Monitor security threats, e.g. infected subscribers, most active malware, affected devices
Detect: Correlate traffic patterns from telco network with malware patterns from:
• Malware intelligence database
• Self-learned patterns
Mitigate: Minimize impact by applying automated actions, e.g.:
• Inform subscriber (SMS)
• Block value added services
[Diagram labels: Radio, Core; Hypervisor attack, Unprotected virtual NF, DoS attack]
© Nokia Solutions and Networks 2014
Security is a critical factor for mobile broadband networks
The Nokia security strategy
No. 1 10+
Nokia products designed for security & privacy
Systems engineering
• Security & privacy requirements
• Security architecture specification
Development
• Secure coding
• Product hardening
Vulnerability information from public sources
Integration & verification
• Security & privacy compliance testing
NY Times