Posts tagged ‘F5’

Next Generation Service Provider Security: Dynamic Multi-Layered Defense for LTE Networks – Part 1

Leonid Burakovsky Sr. Director, Strategic Solutions for F5 Networks


With Apple’s iCloud coming under the spotlight in recent days for high-profile data thefts, Leonid Burakovsky, Sr. Director, Strategic Solutions for F5 Networks, takes a timely look at security in LTE networks.

The concept of security for service providers is undergoing significant changes. Several key trends are contributing to this change, relating to business, to technology and to who is attacking.

Historically, the main sources of operators’ revenue were voice and SMS. More recently, data revenue is the new star, together with the forays toward new services and service monetization such as mobile commerce, banking, mobile health, and others.

The need for tight security is clear, for example, in the mobile health ecosystem, which would require end-to-end security mechanisms that include the participating operator’s network. Another example is mobile commerce, which currently runs over SMS and obviously can’t function without comprehensive security mechanisms that include the network as part of the overall ecosystem.

But do we truly trust these ecosystems today?


Interview: General manager of the Traffix Division of F5 Networks: “We’ve had great resonance in the market, which increased visibility supporting our work.”

Ben Volkow, general manager of the Traffix Division of F5 Networks


Following the successful LTE Awards 2013, we speak to Ben Volkow, general manager of the Traffix Division of F5 Networks, about the company’s win in the ‘Best LTE Core Network Element’ category.

Tell us more about your entry in the LTE Awards 2013.

F5’s Traffix Diameter Signaling Delivery Controller (SDC) enables operators to control and steer signalling in ways that optimise, monetise and secure an LTE network for maximum revenue generation. You can find the SDC in more field deployments than any other Diameter signalling solution. It is the market’s most mature product as our DRA was the first in the market to be deployed, in 2009. It’s a comprehensive Diameter signalling solution offering a DEA, DRA, IWF, Diameter Gateway all consolidated into one platform powered by an extensive central network management system that not just reports and displays network statistics, but is configured to prevent network problems.


LTE Means Rethinking Security in the All-IP World

This is a guest post by Frank Yue, technical marketing manager for the Service Provider vertical at F5 Networks.


As communications service providers (CSPs) continue to build and deploy 4G LTE networks, they are finding that they need to understand some critical concepts as they move from circuit-switched 2G and 3G networks to all-IP packet-switched networks. Of these, IP security rides high on the list of technologies to master. The Internet has become an open environment susceptible to malicious activity. If your assets are not secured, you are guaranteed to be attacked and compromised by one or more unscrupulous organisations.

They may do it for financial gain, selling the stolen data to other parties; as a paid service for your competitors, to disrupt your business; or even just for personal enjoyment, because they found that they could compromise your infrastructure. While we may not use resources such as the M61 Vulcan shown in the picture, it is important to develop and implement the proper security tools to protect the latest wireless networks.

Growth in the Data Plane

While many CSPs already have solutions in place to protect parts of the packet data network (PDN) infrastructure, they often do not understand how the implementation of a 4G LTE network architecture changes the security requirements. The S/Gi interface, the part of the network connecting the mobile subscribers to the Internet, will see a significant increase in data volumes as more LTE-enabled mobile devices are used. In addition, with the increased speeds available, we expect to see 4G wireless technologies competing with fixed-line data services such as DSL and cable. This will change the type of content seen, and the mobile CSP will need to develop enhanced policies to manage and secure these services.

Another concern is that LTE expects the mobile devices to be IPv6-enabled, while much of the PDN is still expected to be using IPv4 technologies for some time. This requires the ability to translate IPv6 addresses to IPv4 addresses using a carrier-grade NAT (CGNAT) technology, while maintaining a proper security infrastructure. This includes the ability to protect the pool of IPv4 addresses being used in the CGNAT solution and all of the devices’ communications being translated.

Packets in the Control Plane

More significantly, the control plane of the LTE network will change from a circuit-switched network to an IP-based architecture.  Diameter, SIP and DNS are the primary protocols that will be used to manage the control plane as the CSPs start implementing voice over LTE (VoLTE).  Securing and managing this infrastructure will be critical to the services delivered to the subscribers and protecting their privacy.  The Home Subscriber Service (HSS) and Policy Charging and Rules Function (PCRF) depend on Diameter, an open standardised protocol used on IP networks, while the Call Session and Control Function (CSCF) systems and Application Servers (AS) within the IP Multimedia Subsystem (IMS) utilise another public standardised communication technology called Session Initiation Protocol (SIP).


Figure 1. The complexity of the IMS network architecture

It is important to note that third-party applications developed by independent people, in addition to the subscribers and their LTE devices, will have direct access to the IMS network components through the SIP protocol. This means that potentially malicious or poor programming will be able to directly affect and access the control plane of the LTE network, and to disrupt it or obtain unauthorised access to private information such as subscriber profiles, unless proper security measures are put in place.

The CSPs need to understand the implications of migrating to an IP network infrastructure and how the packet-based network must be managed significantly differently from the legacy circuit-switched environment. Proper planning and testing are required to successfully build a robust and secure 4G LTE network. It is important to leverage the existing work done on IP networks over the past 20 years and to utilise the knowledge of your colleagues and vendors. Apply the proper availability and security practices learned from these resources to design the next generation wireless networks.

To speak with F5, look out for them on the exhibition floor at the LTE World Summit, the premier 4G event for the telecoms industry, taking place on the 24th-26th June 2013, at the Amsterdam RAI, Netherlands. Click here to download a brochure for the event.

F5 have been nominated in the Best LTE Core Network Element category at the LTE Awards 2013, taking place on 25 June 2013 at De Duif, Amsterdam, Netherlands.

Why ‘Context Awareness’ is the future of mobility

This is a guest post by Frank Yue, technical marketing manager for the Service Provider vertical at F5 Networks. In this post, Frank looks at how network intelligence will be crucial to the development of mobile networks and how it will affect their success.


I have been reading a lot of articles and analyst reviews looking at the trends in the mobile network environment and trying to predict what the ‘Next Big Thing’ will be. I see some people talking about location-based services or the increase in wireless speeds with the rollout of 4G LTE networks worldwide. Other people are talking about the explosion of hardware platforms and operating systems that are available. Then there are the smart devices being introduced, such as intelligent watches, health and fitness monitors, and tracking devices for pets.

All of these technologies depend on wireless networks but they do not encompass and embrace the true value of being wireless. 4G LTE networks enable subscribers to access content at unprecedented speeds that reach 100Mbps and beyond. This means that mobile data is finally reaching the speeds of fixed-line services such as DSL, cable, and even Ethernet to the premises. It is now possible to build applications that can access big data and deliver the services that mobile data has been envisioning for many years.

All of the mobile future predictions have a central concept in common. The future of mobility resides in the concept of Context Awareness and providing intelligence based on that context. Mobility offers the opportunity to gain awareness of the individual and their interactions with their ever-changing surroundings. This context also includes situational awareness. That means location, biometrics, weather data, data about other individuals, and any other relevant data based on mobile context will be used to deliver a fuller environmental awareness.

There are some interesting examples being developed. Layar is a company that specialises in augmented reality. It has produced an application that overlays a live camera image of one’s surroundings with relevant information. This could be an image of a store front on the street with overlaid information about current sales promotions. You could point your camera at an image in a fashion magazine and the application can suggest an online boutique to buy the outfit being worn. Another example is the company myTaxi. It pairs customers with taxi cabs in various cities based on the relative location of the client to the taxi, time, desired destination, cost and other factors. While location is important, these other factors are leveraged to make an intelligent decision.

Within the communications service provider (CSP) network, the infrastructure needs to start becoming intelligent as well. The elements in the network that have visibility into the subscriber information and their data traffic need to start becoming context aware. The CSP can leverage the contextual awareness provided by this insight to deliver enhanced and premium services. Mobile bandwidth is becoming readily available with the delivery of 4G LTE.

The CSPs are discovering that their networks are becoming commoditised for the delivery of over-the-top (OTT) traffic provided by third-party vendors such as Netflix, YouTube and Facebook. By understanding the context of the subscriber and the OTT traffic, the CSP can add value to their customers’ experience. Video optimisation, parental controls, on-demand bandwidth and QoS controls, and enhanced security through anti-virus/spam are only a few of the services that the CSP is able to offer.

The CSP can obtain the context of the subscriber from the information received through their subscriber management system’s Diameter infrastructure (PCRF, HSS, OCS) and IMS services using SIP architecture. The CSP combines this data with awareness of the subscriber’s data through the use of Traffic Detection Function (TDF) and PCEF components that can inspect the data and identify the subscriber’s sessions and the applications being used.  It is now possible for the CSP to make intelligent decisions using policies that they define to manipulate the subscriber’s sessions using techniques, like QoS and rate limiting, or to steer that traffic to advanced Value Added Services (VAS) that can modify and enhance the content to deliver a richer customer experience.

Ultimately, context awareness for mobile applications in conjunction with context awareness and policy enforcement within the CSP network infrastructure will be key drivers to the growth and development of the mobile internet. These concepts will drive the development and enhancement of technologies such as big data, mobile cloud computing, wearable tech, and mobile commerce. The mobile CSPs that are able to take advantage of the contextual awareness and integrate it into their business model will be the ones that ultimately succeed in this rapidly evolving environment.

Signalling change – The state of the LTE market today


This is the second in a series of guest blogs from significant voices in the industry with something to say about LTE. This time we hear from Ben Volkow, VP Product of Product Development for F5 Traffix.

I know this is becoming my mantra, and may therefore sound a bit repetitive but I’ll say it again. One of the main success factors of LTE roll out and services is dependent on the quality of an operator’s Diameter Signalling Solutions. Allow me to explain.

LTE devices, including smartphones, tablets, dongles, and all of the other connected devices generate an unprecedented volume of signalling, sometimes even more than 100 times the amount of signalling we are used to experiencing in legacy networks. Signalling is the network’s internal communication system, and the language that signalling “speaks” in LTE is an IP-based stream control transmission protocol called Diameter. It plays a connecting and routing function among LTE networks and inside the network between the different network nodes.

Diameter exists everywhere in the network, for example, among enabling elements for policy management and enforcement, billing and charging, authentication, mobility management, and roaming services.

LTE was designed on the drawing board as a Greenfield technology, replacing existing legacy 2G, 2.5G, and 3G networks and building new 4G networks from scratch. Keep in mind however, that in telecoms there tends to be more evolution than revolution. So, in practice, next-generation elements are deployed side-by-side with existing legacy network functionalities. This two-generation hybrid complicates the network by filling it up with a patchwork of technologies, interfaces, and protocols. And this complication—referred to as network fragmentation—is extremely costly if not handled properly. Minimally, it requires connectivity between the LTE interfaces, protocols, and elements, as well as connectivity between the new and legacy components.

In addition, there is the huge task of simplifying this network spaghetti, and only a robust Diameter Signalling router can succeed here.

Now back to the LTE devices. Many are designed with power-saving mechanisms to preserve battery life. However, simply touching the device catalyzes signalling. Many consumers leave several applications open, such as mobile games and social networking sites—and this causes constant, massive signalling.

The “always-on” state of LTE devices means they are constantly pinging the network with signalling, creating a volume of signalling messages greater than any previously experienced by a network.

The high level buzz around LTE speaks about an enhanced multimedia, personalised, and interactive experience. More specifically, LTE is expected to deliver advanced services and charging schemes such as family data plans, tiered data plans, video optimisation, and faster speeds of mobile data. Each one of these improvements involves complicated “back-office” support in the network.

Each LTE service comes with a complex navigation route among network elements like PCRFs (policy charging & rules function) that tell the network what level of data plan has been purchased by the subscriber. OCS (online charging system) elements are needed to serve prepaid customers, and BSS (business support systems) elements are connected to data centres across vast geographic areas and require signalling to deliver the billing charges to the correct data centre.

In short, it is the Diameter Signalling router (more commonly known as DRA) that ensures that the correct information about the right subscriber is transmitted to the designated server in the network.

So, my take on the state of the LTE market is that we have witnessed a great beginning. And from our perspective, there are two types of service providers. The first is the service provider who plans for signalling routing and gateway solutions from the beginning, and the second is the service provider who doesn’t add it to the plan and ultimately experiences pain due to signalling surges and overloads. This second type of service provider quickly realises its mistakes and rushes to deploy Diameter routers and load balancers to ensure network reliability and maximum performance.

In both scenarios, LTE networks experience a bombardment of signalling at unprecedented levels. This signalling must be managed, or it will upset network performance significantly or bring network operations to a halt.

The LTE World Summit is taking place on 23-24 May 2012 at the CCIB, Barcelona, Spain. Click here to register your interest.
