Securing the mobile experience: lock it or lose it

Posted by pgainham, 03 July 2009
Tags: Juniper Networks security

Now that the internet is used for critical business applications, amateur hackers are being succeeded by organised criminals. Security breaches are much more serious and costly than they were, and operators need several layers of defence. Reproduced from GLOBAL TELECOMS BUSINESS, Jan/Feb 2009

Imagine the following scenario: a European company provides on-demand sports video streaming and interactive chat services to smartphone users. Our fictitious company uses a special app and a video platform hosted by a major mobile operator. Late in 2008, customers of the video service started to complain that they had received very high bills for services that had not been delivered. Following a police investigation it turned out that a server in the mobile network had been hacked by the criminal community. The sports streaming company immediately changed service provider, and the publicity from the case led to several other major customers defecting — a severe direct revenue loss for the operator, not counting the loss of operational credibility. Is this scenario far-fetched? Well, three years ago it would have been. But with the recent advances in technology and the resulting changes in user behaviour, mobile networks are now being used for applications for which PCs and fixed broadband networks were previously needed.

This shift is having a huge effect on the network. Networks that today are designed for voice — plus some data — will in a few years have to become optimised for data — plus some voice.


We see this already in the LTE standards, 3GPP release 8, where voice is only supported embedded in the IP data traffic. This transition is not something unique to mobile networks. Many fixed wireline networks have been undergoing the same evolution in recent years and the lessons they learned are pertinent for all mobile operators.


So how much should I really care about network security? In the early days of the internet, when traffic was limited to mail and basic web browsing, the stereotypical hacker was usually an amateurish, bored teenager. Now that the internet is used for critical business applications, these early hackers are being replaced by organised criminals.


As a result, security infractions are now much more serious and costly than in the past. In addition to the fictitious scenario described above, we are seeing almost weekly instances of phishing and data loss. The website www.datalossdb.org keeps track of these, and it is a sobering insight into today’s security realities. However, on a global basis many more incidents of illegal network access and service loss are not being reported, and sometimes not even detected.
 

Undesirables

As network operators are at the centre of today’s on-demand economy, the services and infrastructure they operate are uniquely vulnerable to undesirables bent on causing service outages and direct financial loss. Famously, Willie Sutton, a well-known yet serially unsuccessful bank robber of the 1930s, answered the question of why he kept robbing banks: “Because that’s where the money is.” Today, the money is floating around in networks, and the theft is done remotely. The result is a higher probability of success and a lower risk of getting caught.


What steps do I need to take to protect my network?

One thing that the history of network security has taught us is not to rely on just a single line of defence. For instance, you could have the most secure border firewalls, but what if they were compromised by a configuration error, or what if the bad guys find a way around them? Instead, network security needs to be applied in multiple layers, as shown in the drawing.

Access control

The first layer of defence is access control. This discourages opportunistic attacks from outsiders. In GSM/UMTS networks this is achieved with the IMEI and IMSI — unique numbers identifying respectively the handset and the SIM card, often linked to a user. Access control should also be implemented throughout the transport network. For example, routers should be configured to accept user traffic only from known sources, to accept routing updates only when they are authenticated, and to accept management connections only when they are encrypted and come from known stations.

In addition, routers should be configured to separate traffic types strictly using MPLS VPNs.

The third layer of defence is firewalls, deployed at all external borders of the network — for example, to the internet, to peering operators and to customers — but also at important internal boundaries, such as between network and OSS, between RAN and core, in front of the data centre, and so on. Stateful firewalls, when regularly updated with new signatures, look at the packet header and provide excellent protection against denial of service, distributed denial of service and many other types of attacks. Stateful firewall blades can also be used in routers to provide distributed protection for both the router and its traffic.
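As an added illustration of the three router practices described above (this is example configuration written for this page, not from the article or from Juniper's own documentation), the following Junos configuration in "set" form restricts management access to known stations, authenticates routing updates, and accepts user traffic only from known source ranges. The interface names, prefix lists and addresses are constructed from documentation ranges, and the keys are placeholders.

```junos
## Added example, constructed for this article. Interface names, prefixes
## (RFC 5737 / RFC 6598 ranges), ASN and key placeholders are assumptions.

## 1. Management plane: encrypted (SSH) management, only from known stations.
set system services ssh protocol-version v2
set policy-options prefix-list mgmt-stations 203.0.113.10/32
set policy-options prefix-list mgmt-stations 203.0.113.11/32
set policy-options prefix-list bgp-peers 198.51.100.2/32
set firewall family inet filter protect-re term ssh-from-known from source-prefix-list mgmt-stations
set firewall family inet filter protect-re term ssh-from-known from protocol tcp
set firewall family inet filter protect-re term ssh-from-known from destination-port ssh
set firewall family inet filter protect-re term ssh-from-known then accept
## Routing protocol traffic still has to reach the routing engine.
set firewall family inet filter protect-re term ospf from protocol ospf
set firewall family inet filter protect-re term ospf then accept
set firewall family inet filter protect-re term bgp from source-prefix-list bgp-peers
set firewall family inet filter protect-re term bgp from protocol tcp
set firewall family inet filter protect-re term bgp from destination-port bgp
set firewall family inet filter protect-re term bgp then accept
set firewall family inet filter protect-re term icmp from protocol icmp
set firewall family inet filter protect-re term icmp then accept
## Everything else aimed at the router itself is logged and dropped.
set firewall family inet filter protect-re term deny-rest then log
set firewall family inet filter protect-re term deny-rest then discard
set interfaces lo0 unit 0 family inet filter input protect-re

## 2. Routing updates: accepted only when authenticated (OSPF MD5, BGP TCP MD5).
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 authentication md5 1 key "<OSPF-KEY-PLACEHOLDER>"
set protocols bgp group peers type external
set protocols bgp group peers peer-as 64496
set protocols bgp group peers authentication-key "<BGP-KEY-PLACEHOLDER>"
set protocols bgp group peers neighbor 198.51.100.2

## 3. User traffic: accept only from known subscriber address pools, and
##    reject spoofed sources with unicast reverse-path forwarding checks.
set policy-options prefix-list subscriber-pools 100.64.0.0/10
set firewall family inet filter from-known-sources term known from source-prefix-list subscriber-pools
set firewall family inet filter from-known-sources term known then accept
set firewall family inet filter from-known-sources term unknown then count unknown-source
set firewall family inet filter from-known-sources term unknown then discard
set interfaces ge-0/0/0 unit 0 family inet rpf-check
set interfaces ge-0/0/0 unit 0 family inet filter input from-known-sources
```

The lines beginning with ## are explanatory commentary; the set statements themselves are loaded in configuration mode with `load set` and validated with `commit check` before being committed.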

Co-sponsored feature: Juniper Networks. By Gijs van Kersen.

[Figure: A layered approach to protecting the mobile network]

A fourth protective layer is built with intrusion detection and prevention systems at key borders and boundaries.

These provide full content inspection — packet header and payload — and can include antivirus and anti-spam capabilities. Content inspection is the only way to stop the signalling network, application servers and end-user devices from being attacked with viruses, worms, trojans, spyware, keyloggers or adware.

Besides user traffic, voice signalling sessions also need to be protected. This is done using session border controllers, which can be distributed and embedded in the routers. Without SBCs, it is very easy to hijack voice conversations based on SIP signalling — the only type of voice conversation supported in LTE.


A last protective layer is not in the network but in the devices. While firewalls and anti-virus applications are standard on PCs, they are not so evident in mobile handsets.

Lastly, all layers should be connected to a centralised dynamic policy system, monitoring anomalies and adjusting policies in real time. For example, if the system detects a worm in an email from a particular user, that user should be automatically alerted by email or SMS and allowed access only to an internal portal where step-by-step remediation is offered.

A useful analogy is to compare the above layers of security to those seen at airports. Access control can be seen as a parallel to passport control, where you have to prove who you are, have good intentions and match who you say you are in order to be allowed through. Firewalls are the customs guys looking at your bags, and intrusion prevention systems are the scanning devices looking inside them.


Each has its own speciality, and when combined in a layered approach they provide a very effective, scalable combination for overall security.

Security, but at what cost?

Clearly security does not come free of charge. Yet it does not have to be prohibitively costly, especially when compared with the cost of not having enough security.

Modern security appliances can integrate firewall and IDP in the same chassis, by adding appropriate cards. This saves on external interfaces and reduces operating costs — power and maintenance — and in some cases integrates the reporting as well, another prime consideration when looking at the costs of security deployments. The latest appliances also virtualise the security processes on optimised parallel processing hardware, making them extremely scalable and flexible.

Consider the case in which the network traffic grows faster than forecast, and the installed firewalls are becoming a bottleneck. The result of not replacing or upgrading them in time will be that some of the traffic is dropped, or the devices crash completely — both cases resulting in unhappy customers and potentially lost revenue, both long and short term. When we look at the recent growth rate for mobile HSPA data of 400% or more, it is clear that there will be plenty of mobile networks running the risk of firewall blockages. Care should also be taken that firewalls scale not only in raw throughput, but also in the number of sessions supported. Most firewalls in mobile networks today are not designed for full web pages, which can consist of 20 or more images, each using a separate firewall session.

Security as a service
The need for network security can also be considered a revenue opportunity, as enterprise customers will also need a level of security protection and in most cases will not have the skill sets in-house. Mobile security services include the following.

SSL VPNs, which support secure connections for remote workers. SSL clients exist for the iPhone and for smartphones running Symbian or Windows Mobile, allowing these to be used for mission-critical remote access applications.

Clean pipe service: service providers can offer to filter internet and internal traffic for customers and remove viruses, spam and the like. Modern security appliances support many domains, and dedicated hardware per customer is not needed.

Backup WAN connection: currently most branch offices are connected using frame relay or ethernet services, often with ISDN as backup. The 3G mobile network has plenty of capacity to act as an alternative backup and is a lot simpler to install and maintain. All it needs is a data card with a SIM for the WAN router.

The evolution of mobile networks is leading them to become full next generation IP networks — making them very fast, efficient and service rich, but also opening them to potential security issues. We can apply the lessons learned from fixed networks, which have undergone the same evolution already, especially that network security is best when applied in layers. Modern security appliances can combine firewall, IDP and VPN functionality and allow scaling in small increments to match service growth and to control operational cost against revenue opportunity. A greater focus on security becomes an inherent requirement for the convergence of next generation packet technologies. The discussion should not centre on the cost of securing the network and its services, but on the cost of not doing so.


The sports video streaming example in this article — although make-believe in its detail — demonstrates the real business risks of treating security as reactive overhead and not as a proactive business process within a high-performance network infrastructure.
