Thursday, 5 December 2013
New Security Threat Vectors for All IP Mobile LTE Networks
It could be said that mobile operators are a victim of their own success. In developing countries mobile broadband is the primary delivery mechanism whilst, in the developed world, it’s all about scaling to meet the continuing growth in data.
But as mobile operators move to All-IP networks to meet these challenges, the technology opens new vulnerabilities in end-to-end security. In a short video (less than 20 minutes) Paul Gainham (Senior Director of Service Provider Marketing, EMEA) distils the factors driving growth, the new security threat vectors, and how resilience, network reliability, session scale and IP Security can be reconciled.
The link takes you straight to the video. No sign in, no contact details: just click and watch.
View the video here: Mobile Security Solutions
It's Just a LAN That Needs Securing
Imagine, if you would, the following conversation between the Captain and Co-Pilot of a commercial airliner as they prepare the plane for take-off.
Captain: “Fuel”? Co-Pilot: “Check”
Captain: “Flaps set”? Co-Pilot: “Check”
Captain: “Doors secured”? Co-Pilot: “err no”
Clearly no airline crew would progress the check any further; the doors would be secured before the check was run again to ensure the plane was in the right condition to fly.
Now imagine the same style of conversation between the CTO and Head of Networks of a Mobile Network Operator ahead of an LTE network launch.
CTO: “Internet Secured”? Head of Networks: “Check”
CTO: “Roaming Network Secured”? Head of Networks: “Check”
CTO: “LTE Access Network secured”? Head of Networks: “err no”
Why is it then, according to the Heavy Reading white paper “The Security Vulnerabilities of LTE: Opportunities and Risks for Operators”, that, given the above read-out, some 50% of LTE cell sites will remain unsecured by 2016?
Are Mobile Network Operators really still prepared to go ahead and launch their LTE service, in full knowledge that a major part of the network remains unsecured?
No CTO or Head of Networks would dream of launching a network service that delivers Internet access without fully securing the Internet link.
Isn’t it time that the industry woke up to the fact that the LTE access network presents a clear and present security risk and should be treated in the same way an Internet connection would be?
Maybe it’s a confusion of ownership and trust? “I don’t own what’s beyond the link to the Internet or to my roaming partners so I had better place a security barrier between us and treat the other side of that barrier as un-trusted. I DO own the LTE access network out to the cell tower and therefore I trust it”.
Clearly if this is the case, it’s a misguided assumption.
Think of an LTE Network as essentially 4 separate Ethernet LANs connected by an Ethernet switch. You have the Internet LAN (SGi), the Roaming LAN (S8), the Evolved Packet Core LAN (S1) and the LTE Access LAN (S1).
Historically, an Enterprise looking at that kind of configuration would have determined which of the networks were trusted and which were un-trusted and put the un-trusted networks behind a firewall.
Then, they would either prohibit ALL inbound traffic originating from that interface, or open up an Application Level Gateway (ALG) so that only specific originating traffic is allowed through.
The reality today, and it has been the case for some time, is that the trusted network is dead.
Not only would each of the above ports be secured by a fully featured firewall, but devices attaching to the ‘owned’ LANs would typically be protected by techniques such as UAC, so that each device is not only checked for validity but also for security threats such as viruses and Trojans.
The key thing here is NONE of the networks would be left unprotected.
Looking conceptually at the LTE Access (S1) ‘LAN’ for a moment, the primary reason for securing it is maintaining network uptime. The threat vector is predominantly one of rogue denial of service attacks that threatens the gold standard of 99.999% uptime.
It’s a LAN that potentially consists of a large number of ‘bridges’ (eNodeBs) beyond which millions of devices (handsets and tablets) sit. The devices themselves are authenticated via the SIM process, which is fine, but there are two other major threat vectors to be wary of:
1. Rogue devices connecting to the downstream side of an authentic ‘bridge’ and initiating DDoS-type attacks.
2. Rogue, un-authenticated ‘bridges’ connecting to the network, from which DDoS-type attacks could be launched.
With that type of threat vector, the most appropriate solution would be to ensure that all ‘bridge’ ports were secured so no rogue device could access them, and to put in place security to prevent rogue bridges entering the network in the first place.
Given the potential locations these ‘bridges’ may be found in, THE most appropriate way to provide security for both of the above is via a centralised, high capacity, high functionality SecGW firewall device capable of encrypting, rate limiting and firewalling access as necessary for this most crucial of ‘LAN’ ports.
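As an added example (not code from the original post, nor from any Juniper SecGW product), here is a small Python model of the two controls the post asks for on the S1 ‘LAN’: admit traffic only from authenticated ‘bridges’, and rate-limit each admitted bridge so that a flood from rogue devices sitting behind a genuine eNodeB cannot threaten uptime. The eNodeB identities, the thresholds and the sample S1 events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Classic token bucket: 'rate' tokens refill per second up to 'capacity'."""
    rate: float
    capacity: float
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.capacity
        self.last = 0.0

    def allow(self, now, cost=1):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class SecGW:
    """Per-eNodeB admission and rate limiting at the S1 edge (assumed model)."""

    def __init__(self, trusted_enbs, rate_pps, burst):
        self.trusted = set(trusted_enbs)      # bridges that passed authentication
        self.rate_pps, self.burst = rate_pps, burst
        self.buckets = {}                      # one bucket per admitted bridge
        self.stats = defaultdict(lambda: {"accepted": 0, "rate_limited": 0,
                                          "unauthenticated": 0})

    def process(self, enb_id, now, packets=1):
        s = self.stats[enb_id]
        if enb_id not in self.trusted:         # threat vector 2: rogue bridge
            s["unauthenticated"] += packets
            return "drop-unauthenticated"
        bucket = self.buckets.setdefault(enb_id, TokenBucket(self.rate_pps, self.burst))
        if bucket.allow(now, packets):
            s["accepted"] += packets
            return "accept"
        s["rate_limited"] += packets           # threat vector 1: flood behind a real bridge
        return "drop-rate-limited"

    def suspects(self):
        """Bridges that were either never authenticated or tripped the limiter."""
        return sorted(e for e, s in self.stats.items()
                      if s["rate_limited"] or s["unauthenticated"])


# Constructed sample S1 events: (time in seconds, eNodeB id, packet count).
SAMPLE_EVENTS = [
    (0.0, "enb-001", 50),
    (0.5, "enb-002", 100),
    (1.0, "enb-001", 100),
    (1.0, "enb-999", 30),    # never authenticated: a rogue 'bridge'
    (1.1, "enb-001", 300),   # burst far above the per-bridge budget
    (2.0, "enb-002", 150),
    (2.2, "enb-001", 50),
]


def run_sample():
    gw = SecGW(trusted_enbs={"enb-001", "enb-002"}, rate_pps=100, burst=200)
    verdicts = [gw.process(enb, t, n) for t, enb, n in SAMPLE_EVENTS]
    return gw, verdicts
```

A real SecGW would also terminate IPsec from each eNodeB, which is what makes the "trusted" identity meaningful in the first place; the model only shows the policy decision that follows.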
From a Juniper Networks perspective, the SRX5800 provides an ideal and common solution to ALL of the security needs outlined above, covering the SGi, S8 and S1 interface requirements at a level of functionality and scale unmatched in the industry. There is a 20 minute talking-head video here that outlines some of the key points raised in this blog. Please feel free to pass comments back on this blog or the video.
At the end of the day it’s just a LAN that needs securing.
Bo Diddley and the LTE Security Debate – Who Do You Trust?
I recall as a child repeatedly being told I should not accept lifts (rides) from strangers. And the fact that I’m still around to write this blog can, in part, be attributed to that good advice. But I could have chosen to ignore it, which I didn’t, so I guess I can take some credit for still being here too. In today’s world, while this advice still holds good maybe we should also counsel that you shouldn’t trust your data to strangers either.
Now that’s not so easy is it? Sure, there are a couple of people I know that I share some personal information with. But, in the main, I don’t actually know the majority of people that I freely pass personal data to. Like most of us, the greater part of that which I choose to share I do so with organizations.
It would be easy at this point to get seriously side-tracked by talking about organizations that hold information on me that I either don’t know exist or I don’t approve of. But, for now, I’ll leave that side of the debate to the likes of Snowden and Assange and I’ll focus on the stuff I willingly share - well, as willing as I can be when the option is “supply this information or don’t do business with us” (or even maybe face a fine or a jail term by failing to do so).
The reality is though, with the exception of parents and relations, the majority of lifts I accepted as a child were in fact with strangers. I didn’t actually know a single train or bus driver (and I used these services daily as a child) but there was an implied trust through the reputation of the organization that employed them. Hence, despite the majority of journeys I made as a child being willingly made with strangers, I’m still here to talk about it. Therefore, not knowing the majority of people that I share personal data with doesn’t really trouble me either.
But it gets more complicated. It’s not just about me trusting people and organizations I share data with. I also need to trust the organization(s) that transport that data from me to the recipient. In my case I need to trust my mobile operator just as much, for example, as I trust my bank. And you could argue my bank needs to trust my mobile operator too if it wants me to continue to trade online with it.
So, where is all this leading? Simply this; I don’t believe I can trust my mobile operator to care for my data as much as I used to. Now, this seems a crazy thing to say as most people assume advances in technology bring with it advances in assuring information. But that is not necessarily the case. The move to all IP mobile networks – the Long Term Evolution (LTE) mobile network - is a good example of this. Whereas 3G is encrypted from the mobile device to the Radio Network Controller (RNC) deep in the mobile network, LTE (4G) is only encrypted from the mobile device to the base station. This opens up new security vulnerabilities.
I would be more comfortable if I knew all mobile operators were acting uniformly to address this. But in a white paper commissioned by Juniper Networks, and published by Heavy Reading, Patrick Donegan (Senior Analyst at Heavy Reading) shows this is not always so. Patrick names some of the mobile operators he considers to be adopting good LTE Security practice and highlights some of the drivers behind this. He also draws attention to Heavy Reading’s Ethernet backhaul Tracker published in June of 2013 which forecasts that by 2016 less than half of all LTE Cell sites will have IP Security. This concerns me.
Just as Patrick highlighted the drivers behind some operators adopting LTE Security, so he also identifies the reasons why others [choose to] stay exposed. In all there are seven themes that emerge here. One that leaps out at me is “many operators do understand the risk but believe that the cost of implementing IPSec is too high relative to the amount of risk entailed.” This implies operators are prepared to put my information at risk and, at risk also, is my trust in them to handle my personal information.
With a sizeable number of mobile operators allowing clear text to transit across their backhaul networks, Patrick goes on to predict that there will be “a pretty close correlation between end-to-end network security and superior financial performance” in years to come. At a time when mobile operators have the technology to develop exciting new revenue streams it seems the actions of some may directly affect their ability to exploit this.
Just as when I was a child I had a part to play in ensuring my own survival, I also have a part to play in ensuring my sensitive data is shared with organisations I can trust. Patrick Donegan’s white paper will encourage me to be more vigilant. To paraphrase the great Bo Diddley, who do you trust?
You can download the Heavy Reading white paper titled “The Security Vulnerabilities of LTE: Opportunities and Risks for Operators” by clicking on attachment link below. The paper will download straight from the link.
Service Providers not adapting their organizations to embrace SDN won’t succeed
Brian Levy (EMEA SP Sector CTO), myself in SP Solutions Marketing and other colleagues at Juniper have been out meeting Service Providers around Europe, the Middle East and Africa, talking about SDN and NFV, both very hot topics. I recently had a chance to sit with Brian to exchange our experiences, which you can see in the video here.
First, what our customers really want to know is what SDN and NFV really mean… but beyond the hype of those new topics, Service Providers are really interested to know what’s in SDN and NFV for them. And as I wrote in my previous blog, this was the case as well at Broadband World Forum. The second question we usually get is around what Juniper brings to the SDN world, and here we also have some exciting news around Contrail’s support for multiple hypervisors and the new Juniper MetaFabric architecture.
The best way to understand the advantages that SDN and NFV bring is to talk about different use cases that help SPs to generate new revenue. The first one we discuss in the video is around providing more agile services on top of the traditional connectivity, thanks to virtualizing certain network functions, starting with transforming the traditional enterprise CPE into a virtual CPE (or vCPE). The second use case for SDN is to help Service Providers get inserted into the Cloud value chain, highlighting the value of the Network, the service wrap with a single point of contact and, finally, the compliance benefit of having the data in the right place. This last use case is explained in detail in this video blog by Chloe Ma: Building Elastic, Adaptive and Secure Enterprise Private Cloud with Contrail
However, there is a big obstacle to the adoption of SDN and NFV by service providers, and it is not technical. Those disruptive technologies go across organizational boundaries: is it under the CTO or the CIO organization? I remember writing about a similar cross-organizational boundary issue created by the introduction of MPLS directly over optical layers; at that time, Kireeti Kompella named it The Purple Line, do you remember it? Most SPs went through an organizational transformation to be able to embrace it... a kind of déjà vu?
Those Service Providers that don’t react to the SDN technology and don’t create an organization that embraces it are really going to suffer in the next few years. SDN will be the platform that enables both much greater network efficiency and much greater service capabilities, and Service Providers really need them.
Get your organizations ready and let’s embrace SDN!
The Empire Strikes Back ... with “Hyper Dense HetNet”
Continuing on the saga of mobile architecture wars, the first stop on our journey is to take a peek at QCOM’s activities. It is befitting to give them the title of “The Empire” as they spent the good part of the last decade acting as patent bullies collecting royalties from their CDMA arsenal. After the global adoption of LTE as the standard for evolving both 3GPP and 3GPP2 based RAN, the CDMA gravy train has come to a screeching halt, so they have shifted their focus lately to selling real stuff. However, they need to sell a lot more of these tiny processors to continue their growth profile. Recently they have been pitching the “1000x data challenge” in various industry events. Guess who is going to benefit from this vision: of course, “The Empire”.
Embedded in this 1000x data challenge is their vision of “Hyper Dense HetNet”, as the illustration below implies we need to buy whole bunch of QCOM powered small cells to enable this vision.
QCOM visionaries assure us that it is very cost effective to deploy this kind of hyper dense HetNet. The basis of this assertion is that somehow, magically, everyone on this planet will deploy one of these femtos (HeNB) to augment the capacity provided by the macro footprint. Since these suckers will foot the bill for these fancy femtos and also pay for the cost to backhaul the traffic, the bottom line impact to the deep-pocketed operator is dismal compared to investing an equivalent amount of capacity in their macro footprint. Genius, isn’t it!
These visionaries have ignored the fact that almost everyone would deploy a WiFi router at home for the benefit it provides, cutting the bulky cords on most of the gizmos at home. However, if anyone has to deploy a femto just because the coverage or the capacity provided by their operator sucks then it is time to pull a switcheroo on this operator. It is no surprise that femtos are nothing but a straight admission from the operator that “we don’t know how to do a good RF planning” or even better “we are running short on chump change, can you please pay for the coverage of the expensive service we are going to bill you later”.
The QCOM visionaries are admitting that one of the biggest challenges, after convincing everyone on this planet to deploy these femtos, is to open the access to everyone. For WiFi this has been done through the “fon” service; however, the same logic of opening a WiFi AP does not work for a femto (HeNB), as there is no incentive for the sucker who bought the femto to open it up with the promise that he can get the coverage somewhere else. The mobile service comes with the promise that you will get coverage in most places. Then there is the licensed vs. unlicensed spectrum issue, and a bunch of commercial and regulatory issues have to be addressed to make it practical.
The same visionaries also claim that this approach to scaling the RAN is technically more feasible than competing approaches such as Massive MIMO or Cloud-RAN, as sophisticated coordination is required for the competing approaches. Wow, and it will be a piece of cake to manage the interference from billions of these femtos.
Close, but no cigar!
Footnote: the views in this series of blogs are my own personal opinions, no corporate kool-aid involved.
Building a new mobile backhaul network for tomorrow's needs
In the past, every mobile generation wave defined all the elements, from radio, to RAN, backhaul and core of the network. The technology cycles were longer and dictated by the industry.
Nowadays, we find mobile operators in certain countries still awarding their 3G licenses, while in other countries they are deploying LTE, in others testing LTE-A, and in some places discussing 5G. If you are the guy in charge of defining the Mobile Backhaul (MBH) strategy, you had better look at the requirements of the next few technologies so as not to fall short. The different MBH requirements aren't just about capacity, but also about more accurate timing and synchronization, lower latency, more flexibility in defining routes, security...
In the attached video presentation, I explain at a high level what our vision for Mobile Backhaul is and give some recommendations on how to evolve it. Designing a seamless network from the beginning will simplify its evolution towards service abstraction and service enrichment.
Technologies such as seamless-MPLS, SDN and NFV will be key!
Link to presentation
Attendee Feedback of Juniper Networks’ First EMEA Partner Marketing Academy 2013, Berlin
I had the pleasure of taking part in the recent Juniper Networks Partner Marketing Academy in Berlin. The event was buzzing for two days with great speakers and lots of ideas circulating. I met so many of our partners I had worked with online and within the social networks; it was a pleasure to meet up with those I hadn’t met in person before. The following lists some of the feedback I’ve received about this event:
“Attending the Juniper Networks' EMEA Partner Marketing Academy has been very valuable. Both, the speakers, the covered topics and the workshops as well as sharing and discussing experiences with Juniper’s and other channel partners’ marketers that face the same challenges have been informative, significant and very inspiring. Many thanks to Juniper for these two great days and an exciting event!”
Kirsten Schmitz, Xantaro
“The Juniper Partner Marketing Academy was staged at an inspiring location which engaged the senses and provoked ideas from the moment I checked in. I really enjoyed the insightful presentations by passionate speakers that touched on so many key areas of what we do in Marketing. Workshops which saw Partners, Distributors and Vendors alike engage in very open and candid discussions about challenges, opportunities and developments that we all share. The event definitely exceeded all of my expectations and I think everyone left Berlin full of great new ideas that they can't wait to apply.
An extremely successful event by any standards.”
Pieter Arts, Avnet
“Just wanted to say a big thank you to you and your team for a really enjoyable couple of days. And useful too – I especially enjoyed Richard’s presentation, something new in there to pick out. And I’ll be picking up with Bill on some of the TechTarget ideas. The Social Media workshop I participated in was a really dynamic session which allowed the group to challenge standard campaign thinking and come up with some really exciting and thought-provoking ideas for future campaign execution. Great job!”
Andrew Davidson, Fujitsu
“Here I am back in Paris, the trip was really good.
Thanks again for this event, it was very interesting and I hope to have the opportunity to be part also next year!”
Mathieu DUBOIS, Nomios
“We at Network Utilities wanted to say a big thank you to everyone involved in the Juniper Networks EMEA Partner Marketing Academy. It was really well organised and hosted. The presentations were extremely useful. We have come away with much to think about and as a result we will be putting a plan in place to make some all important changes to our marketing approach. A very useful event and we look forward to the next one!”
Vanessa Cardwell, Network Utilities
Ellen Le Beer, SecureLink
“This week’s Juniper marketing academy in Berlin was a great initiative. There were excellent speakers across a number of fields, stimulating many ideas. I think if we can put even a few of these into practice we can improve results and generate both financial and brand benefits over the coming year.”
Neil Rampe, Alternative
Nicky Bennett, Alternative
“I thoroughly enjoyed the first Juniper EMEA Partner Marketing Academy. It was great to meet Juniper Partners from other countries and the programme of external speakers Juniper had put together gave a valuable insight into how the social/digital revolution is changing the buying behaviours in the B2B market place.”
Judith Finch, Telindus
"Different, diverse & delightful!
Yes, I would say this is a certain hit, the venue was bright pink and the speakers were just as colourful. It was very interesting to meet other partners from across Europe especially those from the UK. Met some old and new faces from Juniper, good to pick up with Paul Gainham again and also to spend some time with Dave Silke. Speakers I found particularly interesting were Natalie Horne - Behavioural Economics, Paul Trotter - Customer Engagement Study and Bill Crowley - The Social/Digital Relationship. A big thank you to all the Juniper team that helped to put this together. A final thanks to Alan Butler UKI Marketing Manager for being the perfect host.
Business needs to be... SIMPLE, SMART & OPEN just like Juniper's new MetaFabric!"
Steve Tester, Imtech ICT
"A big thanks to Juniper that put together this event! The agenda and the topics were spot on the current marketing trends! It was very inspiring to meet so many marketing people from across Europe to share experiences and discuss future opportunities. I hope Juniper will follow up the success next year. Highly recommended!"
Marit Lund, IPnett AS
For more information on Juniper Networks’ Partners, finding your local partner, or if you are interested in becoming a Juniper Partner and selling our products, then do get in touch with us. If you’re a current Juniper Partner, then please don’t forget to log into the partner resource centre for all your Juniper information.
Finally, if you attended the Juniper Networks EMEA Partner Marketing Academy 2013 in Berlin, then I would love to hear your thoughts on the event, so please leave a comment below. Thanks!