Labels: needs , Securing

Its Just a LAN That Needs Securing

Imagine if you would the following conversation between the Captain and Co-Pilot of a commercial airliner as they prepare the plane for take off

Captain: “Fuel”?                               Co-Pilot: “Check”

Captain: “Flaps set”?                      Co-Pilot: “Check”

Captain: “Doors secured”?           Co-Pilot: “err no”

Clearly no airline crew would progress the check any further, the doors would be secured before the check was run again to ensure the plane was in the right condition to fly.

Now imagine the same style of conversation between the CTO and Head of Networks of a Mobile Network Operator ahead of an LTE network launch

CTO: “Internet Secured”?                            Head of Networks: “Check”

CTO: “Roaming Network Secured”?         Head of Networks: “Check”

CTO: “LTE Access Network secured”?     Head of Networks: “err no”

Why is it then, according to the (Heavy Reading white paper The security Vulnerabilities of LTE: Opportunity and Risks for Operators) that given the above read out, some 50% of LTE cell sites will remain unsecured by 2016?

Are Mobile Network Operators really still prepared to go ahead and launch their LTE service, in full knowledge that a major part of the network remains unsecured?

No CTO or Head of Networks would dream of launching a network service that delivers Internet access without fully securing the Internet link.

Isn’t it time that the industry woke up to the fact that the LTE access network presents a clear and present security risk and should be treated in the same way an Internet connection would be?

Maybe it’s a confusion of ownership and trust?  “I don’t own what’s beyond the link to the Internet or to my roaming partners so I had better place a security barrier between us and treat the other side of that barrier as un-trusted.  I DO own the LTE access network out to the cell tower and therefore I trust it”. 

Clearly if this is the case, it’s a misguided assumption.

Think of an LTE Network as essentially 4 separate Ethernet LAN’s connected by an Ethernet switch.  You have the Internet LAN (SGi), the Roaming LAN (S8), the Evolved Packet Core LAN (S1) and the LTE Access LAN (S1). 

Historically, an Enterprise looking at that kind of configuration would have determined which of the networks were trusted and which were un-trusted and put the un-trusted networks behind a firewall.

Then, they would either prohibit ALL originating inbound traffic from that interface or open up an Application Level Gateway or ALG for specific originating traffic only to be allowed through.

The reality of today is and has been the case for some time, is that the trusted network is dead. 

Not only would each of the above ports be secured by a fully featured firewall but devices attaching to the ‘owned’ LAN’s would typically be protected by techniques such as UAC so that each device is not only checked for validity but also security threats from viruses / Trojans etc.

The key thing here is NONE of the networks would be left unprotected.

Looking conceptually at the LTE Access (S1) ‘LAN’ for a moment, the primary reason for securing it is maintaining network uptime.  The threat vector is predominantly one of rogue denial of service attacks that threatens the gold standard of 99.999% uptime.

It’s a LAN that potentially consists of a large number of ‘bridges’ (eNodeB’s) beyond which millions of devices (handsets and tablets) sit.  The devices themselves are authenticated via the SIM process which is fine but there are two other major threat vectors to be wary of

Rogue devices connecting to the downstream side of an authentic  ‘bridge’ and initiating DDOS type attacksRogue un-authenticated ‘bridges’ connecting to the network from which DDOS type attacks could be launched.

With that type of threat vector, the most appropriate solution would be to ensure that all ‘bridge’ ports were secured so no rogue device could access them and to put in place security to prevent rogue bridges entering the network in the first place.

Given the potential locations these ‘bridges’ may be found in THE most appropriate way to provide security for both of the above is via a centralised, high capacity, high functionality SecGW firewall device capable of encrypting, rate limiting and firewalling access as necessary for this most crucial of ‘LAN’ ports.

From a Juniper Networks perspective, The SRX5800 provides an ideal and common solution to ALL of the security needs outlined above, covering the SGi, S8 and S1 interface requirements at a level of functionality and scale unmatched in the industry.    There is a 20 minute talking head video here that outlines some of the key points raised in this blog.  Please feel free to pass comments back on this blog or the video.

At the end of the day it’s just a LAN that needs securing.

View the original article here