Showing posts with label Security. Show all posts

Thursday, 5 December 2013

New Security Threat Vectors for All IP Mobile LTE Networks


It could be said that mobile operators are a victim of their own success. In developing countries mobile broadband is the primary delivery mechanism whilst, in the developed world, it’s all about scaling to meet the continuing growth in data.

But as mobile operators move to All-IP networks to meet these challenges, the technology opens new vulnerabilities in end-to-end security. In a short video (less than 20 minutes) Paul Gainham (Senior Director of Service Provider Marketing, EMEA) distils the factors driving growth, the new security threat vectors, and how resilience, network reliability, session scale and IP Security can be reconciled.

The link takes you straight to the video. No sign-in, no contact details; just click and watch.

View the video here: Mobile Security Solutions



Bo Diddley and the LTE Security Debate – Who Do You Trust?


I recall as a child repeatedly being told I should not accept lifts (rides) from strangers. And the fact that I’m still around to write this blog can, in part, be attributed to that good advice. But I could have chosen to ignore it, which I didn’t, so I guess I can take some credit for still being here too. In today’s world, while this advice still holds good maybe we should also counsel that you shouldn’t trust your data to strangers either.

Now that’s not so easy is it? Sure, there are a couple of people I know that I share some personal information with. But, in the main, I don’t actually know the majority of people that I freely pass personal data to. Like most of us, the greater part of that which I choose to share I do so with organizations.

It would be easy at this point to get seriously side-tracked by talking about organizations that hold information on me that I either don’t know exist or I don’t approve of. But, for now, I’ll leave that side of the debate to the likes of Snowden and Assange and I’ll focus on the stuff I willingly share - well, as willing as I can be when the option is “supply this information or don’t do business with us” (or even maybe face a fine or a jail term by failing to do so).

The reality is though, with the exception of parents and relations, the majority of lifts I accepted as a child were in fact with strangers. I didn’t actually know a single train or bus driver (and I used these services daily as a child) but there was an implied trust through the reputation of the organization that employed them. Hence, despite the majority of journeys I made as a child being willingly made with strangers, I’m still here to talk about it. Therefore, not knowing the majority of people that I share personal data with doesn’t really trouble me either.  

But it gets more complicated. It’s not just about me trusting people and organizations I share data with. I also need to trust the organization(s) that transport that data from me to the recipient. In my case I need to trust my mobile operator just as much, for example, as I trust my bank. And you could argue my bank needs to trust my mobile operator too if it wants me to continue to trade online with it.

So, where is all this leading? Simply this: I don’t believe I can trust my mobile operator to care for my data as much as I used to. Now, this seems a crazy thing to say as most people assume advances in technology bring with them advances in assuring information. But that is not necessarily the case. The move to all-IP mobile networks – the Long Term Evolution (LTE) mobile network – is a good example of this. Whereas 3G is encrypted from the mobile device to the Radio Network Controller (RNC) deep in the mobile network, LTE (4G) is only encrypted from the mobile device to the base station. This opens up new security vulnerabilities.

I would be more comfortable if I knew all mobile operators were acting uniformly to address this. But in a white paper commissioned by Juniper Networks, and published by Heavy Reading, Patrick Donegan (Senior Analyst at Heavy Reading) shows this is not always so. Patrick names some of the mobile operators he considers to be adopting good LTE Security practice and highlights some of the drivers behind this. He also draws attention to Heavy Reading’s Ethernet backhaul Tracker published in June of 2013 which forecasts that by 2016 less than half of all LTE Cell sites will have IP Security. This concerns me.

Just as Patrick highlighted the drivers behind some operators adopting LTE Security, so he also identifies the reasons why others [choose to] stay exposed. In all there are seven themes that emerge here. One that leaps out at me is “many operators do understand the risk but believe that the cost of implementing IPSec is too high relative to the amount of risk entailed.” This implies operators are prepared to put my information at risk and, at risk also, is my trust in them to handle my personal information.

With a sizeable number of mobile operators allowing clear text to transit across their backhaul networks, Patrick goes on to predict that there will be “a pretty close correlation between end-to-end network security and superior financial performance” in years to come. At a time when mobile operators have the technology to develop exciting new revenue streams it seems the actions of some may directly affect their ability to exploit this.

Just as when I was a child I had a part to play in ensuring my own survival, I also have a part to play in ensuring my sensitive data is shared with organisations I can trust. Patrick Donegan’s white paper will encourage me to be more vigilant. To paraphrase the great Bo Diddley, who do you trust?

You can download the Heavy Reading white paper titled “The Security Vulnerabilities of LTE: Opportunities and Risks for Operators” by clicking on the attachment link below. The paper will download straight from the link.



LTE Security as Mobile Operators Transition to All-IP Networks

SDN and NFV are certainly grabbing the headlines at the moment. They are hot topics wherever you look: journals, conferences, webinars; you name it, everyone is trying to have their say. But in the mobile world the transition to LTE networks is just as exciting. And, it could be argued, without this transition the full benefit of SDN and NFV cannot be delivered to mobile operators.

In an eighteen minute video (you can view the video directly here), Paul Gainham, Senior Director Service Provider Marketing EMEA, suggests mobile operators have been victims of their own success. In the developed world customers want to use mobile to receive content whilst in emerging markets, such as Africa, mobile is the primary delivery mechanism for broadband services to both the enterprise and consumer markets. Capacity is crucial and the transition to all-IP LTE networks is an obvious progression. However, the move to LTE introduces its own challenges.


In his video, Paul Gainham looks specifically at the topic of security. In an accessible manner he outlines the issues and challenges facing mobile operators before suggesting solutions that can be adopted. For Paul there are three security insertion points: Mobile device security, network infrastructure, and applications. And, for this presentation, Paul focuses on the network infrastructure.

He acknowledges that the Gi/SGi and Gp/S8 interfaces (to the internet and roaming respectively) are understood and mobile operators have a good track record in securing these boundaries. The area of concern for Paul is the LTE Security Gateway. To bring this to life Paul compares and contrasts the 3G and LTE environments highlighting the fact that 3GPP standards do not mandate security for the LTE Access network. The video then takes a quick look at LTE Security solutions and here Paul is keen to challenge the myths surrounding security, resilience and latency.

Why not follow the link below and take a look at the video? At 18 minutes it won’t take long and there is plenty to learn from what Paul has to say.      

View the video: Mobile Network Security Solutions



Security with Access - Don’t ignore the hype: IT trends deliver security with access


This is a guest blog post. Views expressed in this post are original thoughts posted by Malcolm Adedeji Orekoya, Senior Technical Presales Consultant at Network Utilities. These views are his own and in no way do they represent the views of the company he works for.

How do we enhance security but allow users access to the data and resources they need seamlessly and improve enterprise productivity, while still keeping up with the trends in mobility, consumerisation and cloud? The answer is by following those trends.

Look beyond the technology and look at the people that use the technology. This tells us two things: users do not prioritise security, and your enterprise productivity is directly related to the ability of your users to perform their tasks efficiently. So companies cannot adopt a “lock everything down” mentality. It is effectively a denial of service attack against yourself, because you are essentially denying access to the essential services needed by your users. So security, and enforcement of it, is solely the responsibility of the enterprise. It may sound harsh, but it is the reality; employees are accountable for the procedures, guidelines and policies to which they are required to adhere.

The only viable way to build a secure network that moves with consumerisation of IT (CoIT) is to use existing corporate user identity systems (such as Active Directory, LDAP, SQL) to integrate with evolving ideas to automatically provision context-aware applications and resources.

So how to secure data and the network while still allowing seamless access and speedy resource allocation? Don’t ignore the trends in the IT industry. Cloud and hosted applications are continually increasing in adoption because they guarantee a certain level of security of access, ease of access, flexibility, automated provisioning, ease of upgrades, cross platform compatibility and reduced CAPEX, while maintaining compliance and security standards. The providers of these solutions are themselves heavily regulated and required to adhere to high standards of data and network security.

If you prefer to retain in-house control of applications, then virtual desktop infrastructure (VDI) means you benefit from reduced costs over time of purchasing user endpoint machines by moving to thin clients. But also these VDI platforms allow control of what applications employees have access to, and provide much more granular control on what tasks users can perform. Because a lot of the VDI platforms allow “hot-desking”, as user profiles are maintained on centralised servers, they provide access flexibility and remote access, which fit with CoIT needs.

Zero-Day protection is another useful trend: the means by which an enterprise can protect its data and resources from threats and vulnerabilities that are currently unknown, and consequently do not have a fix. Zero-Day application exploits, targeted attacks, advanced information stealing malware and Advanced Persistent Threats (APTs) all pose a serious security threat to enterprises, but as these threats evolve, so does the approach to effective and manageable protection. Active defence, which discourages attacks by focusing on raising costs and risks to attackers, is slowly creeping into enterprise strategy. Proactive protection methods - including advanced Web Application Firewalls (WAF), counterstrike and intrusion deception techniques - have all seen a revival. For example, in 2012 Juniper Networks acquired Mykonos Software’s intrusion deception software (Junos WebApp Secure) to enhance its web application security portfolio. It places deception points along the way. When an attacker trips one of those tripwires, we are alerted to the fact they are there and can watch them.

The reality is that vulnerabilities and threats exist, and come from inside as well as outside the network. The biggest insider threats are the employees, but we can only educate staff on how to handle sensitive corporate data and how to use corporate resources. For outsider threats, innovation brings assistance.

To find out more about Juniper Networks' vision for an Empowered Enterprise and the solutions available to an organisation, please visit this site.



Consumerisation of IT without Risk - There’s no effective risk management without end-to-end security


This is a guest blog post. Views expressed in this post are original thoughts posted by Malcolm Adedeji Orekoya, Senior Technical Presales Consultant at Network Utilities. These views are his own and in no way do they represent the views of the company he works for.

Everything delivered by the IT department nowadays is frequently classified as a service function.  With Consumerisation of IT (CoIT), the consumption of these services is affected by the trends in mobility, bring-your-own-device (BYOD) and cloud, which in turn puts pressure on the scalable infrastructure you need.

The number one risk management concern for IT managers with CoIT is security, but in what context? As workers become more mobile, adopting BYOD and accessing corporate applications and information remotely, an IT manager needs to be able to guarantee the access and authentication from these devices is secure - as well as make sure that if these devices are lost or stolen, the information they hold and can access does not end up in the wrong hands.

One way of achieving this is via profiling based on the user, type of device (managed or unmanaged), resources being accessed, location being accessed from and the role of the user. For example, an employee using a corporate device accessing the network remotely and an employee using a personally owned device, accessing the network via the wireless local area network (WLAN), are two distinct profiles that require different policy enforcement.

To minimise risk, authentication (user and device) needs to work with posture checking of endpoints, secure remote access, mobile device management (MDM) and secure wireless connectivity. An end-to-end security infrastructure is required; one that is easy to deploy and manage, as well as one that can provide the performance, access and integration needed. For example, Juniper Networks provides the single Junos Pulse endpoint client, capable of providing secure mobile remote VPN access and network access control (NAC), with role based access control and 802.1x authentication. In addition, the Junos Pulse Mobile Security Suite MDM is purpose-built for mobile devices and provides anti-virus, anti-spam, anti-malware, endpoint firewall, loss and theft protection and endpoint monitoring.

CoIT is not the same as BYOD; it covers the changing trend in the way technology is used. Therefore, cloud services such as storage (Dropbox, Box, Google Drive) and applications (Office365, Salesforce, GoogleApps) - as well as in house developed proprietary applications - all need to be secured within their virtualised environments.

The underlying infrastructure of the virtualised environment and the networking infrastructure (switches, routers, firewalls) need to provide an end-to-end approach that is secure, scalable and resilient. For example, the single operating system in the Junos OS from Juniper Networks runs across many of its security platforms, allowing administrators to consistently apply policies across the board without having to learn and manage a variety of systems. The innovative technology for securing the virtualisation space is Juniper Networks’ virtual gateway (vGW) product, which focuses on security within the hypervisor and between virtual machines as they communicate in the virtualised platform, as well as outbound. This is a further example of how vendors and manufacturers need to understand the elements that form the foundation of front end resources.

Numerous surveys have shown the impact of the proliferation of personally owned mobile devices onto the enterprise network. One of the impacts of this over the last few years has been the malware threat, and general increase in the amount of cyber threats specifically targeting mobile devices - especially Android devices.  Risk management needs to focus beyond managing mobile devices via MDM platforms, to actually securing the corporate data in transit. This involves sandboxing technologies, such as Secure Virtual Workspaces (SVW), which were the initial and most popular solutions in the early days of mobility, to new smarter devices that encrypt data on the devices and in transit, or provide dual boot functionality with physically or logically separated segments on the device.

CoIT is here to stay; we have been talking about these trends for a few years now. If you are managing risk, the next step is to understand the solutions currently available, which will help manage it from end to end.

To find out more about Juniper Networks' vision for an Empowered Enterprise and the solutions available to an organisation, please visit this site.



LTE Security - Taking Us All Out Of Our Comfort Zone


We all have something or somewhere that makes us feel comfortable. It could be a restaurant, a holiday destination, a favourite chair, or even an old jacket. It’s something we continually return to. Whatever it is they all have one thing in common – they seem oblivious to change. And that’s just how we like it. After all, it’s the familiarity, the lack of surprise, the “knowing what to expect” that makes us feel at ease and safe. But, every now and again, something happens that upsets our sense of order, something changes and we are forced to discard the old and familiar, as painful as it is, and confront the new.

And that’s exactly where mobile operators find themselves today. For years they were comfortable to sell voice and SMS plans and build out networks to support this. With the exception of a foray into data via the dongle nothing much else happened and mobile service providers got comfortable. Revenues grew, stockholders were delighted and customers were undemanding; happy days indeed. The lack of ambition on the part of MSPs was not shared by others though. Enter the smartphone, which appeared to take MSPs by surprise, and they’ve basically been playing catch up with the consequences ever since.

The game changer for MSPs is the development and deployment of LTE networks. Innovative MSPs can realistically look to new services and revenue streams while their customers’ experience is significantly heightened. We are already seeing differentiation between the services offered by MSPs and this is a good thing. But it’s not just the overt services that offer opportunity to differentiate; the implied services are equally fruitful. Security is a great example of this.

The interesting thing is that customers pretty much assume security is standard; that is until something goes wrong. In a new white paper published by Juniper Networks (LTE Security For Mobile Service Provider Networks, link at the foot of this article), the contention is that the adoption of security practices across MSPs is not the same and that this could be a differentiator too. 

The paper looks at security from two perspectives; the first concerns the integrity of customer data. Our mobile usage will become far more transactional based than it currently is. This requires access to, and transmission of, far more sensitive personal information (e.g. banking details). The second is network integrity where continuity of service becomes imperative (for streaming services) yet new vulnerabilities are introduced by the deployment of LTE networks.

There’s a whole bundle of stuff in this paper, and I’m not going to cover it all here, but I will call out a few things. The paper discusses the fundamental architectural differences between 2G/3G and LTE networks and the implications these differences have on security. It also examines the impact of the trend towards small cells and how some of the assumptions around physical security associated with cell sites need to be reappraised. It goes on to consider man-in-the-middle threats and how third party applications and the growth in M2M and MTC services can generate signalling storms.

But it’s not all gloom and doom. The paper concludes with the belief that these issues are manageable providing network planners incorporate an LTE security gateway that not only authenticates eNodeBs and encrypts traffic with IPsec but also provides SCTP functionality to protect the mobile packet core.

So, the new looks good. Time to move on from the old and familiar, but only when I can be sure my MSP has done all it can to adopt the necessary security measures. Whoever gets there first gets my custom and that’s what differentiation is all about.

Follow the link, click on the white papers tab and download LTE Security For Mobile Service Provider Networks.



Sunday, 9 June 2013

The Learning Network Blog: 6 Q's About the News | National Security Agency Maintains Vast Database of Americans' Phone Records

Read the article to answer basic news questions.

7:25 a.m. | Updated

In the article “U.S. Confirms That It Gathers Online Data Overseas,” Charlie Savage, Edward Wyatt and Peter Baker write about the disclosure that the federal government appears to have been secretly obtaining data from the largest Internet companies for nearly six years.

WHO has been compiling a huge database of calling logs of Americans’ domestic communications, as well as information on foreigners overseas from the nation’s largest Internet companies, for at least six years?

WHY has this agency been compiling these records?
WHY have some responded to news of the programs with alarm?

WHEN did this government surveillance program begin?

WHAT is the Prism program?
WHAT information do these programs seem to collect, warehouse and analyze?

WHERE was this news first reported?

HOW, according to James Clapper, the director of national intelligence, can the Prism information not be used?
HOW did the Obama administration and some members of Congress defend the program?
HOW do you feel about this news?
HOW does this raise new questions about the tradeoffs between security and civil liberties?

Related: Our Resources for Teaching the Constitution and a 2001 lesson plan, “For the Sake of Security.”

