Sochi 2014 is a good example of just how connected we are today: who wasn’t using a mobile app to keep up with Olympic events? Innovations in radio access technologies have indeed brought the network closer to the user, yet those very technologies are now potential access points for attackers and hackers.While a Security Gateway will help protect those networks, they are not all created equal. There are some key features you should consider when choosing the right Security Gateway for your network. Read the Securing Ultra-Broadband Mobile Access Application Note.
Increased Network Threats
The evolution towards LTE is driving a flatter end-to-end IP network. This architecture is vulnerable to the kinds of threats known on fixed networks plus some new ones that are specific to mobile networks, such as signaling storms.
Also there is a massive — and growing — deployment of carrier Wi-Fi access infrastructures and small cells (such as metro, enterprise and residential cells) in metro areas, households and offices. Each of these sites creates an IP access point to the network that could potentially be used as an entry point by attackers/hackers.
Operators need to take steps now to ensure that their networks are safe, but they must do so while continuing to respond to the relentless demand for more ubiquitous and faster bandwidth.
Critical Features in Security Gateway
So what is the optimal approach to ensure the highest levels of security? Here are some key factors to consider:
1. Common Platform A common security model that lets operators interoperate effectively with any radio access sites – whether it’s accessed over a trusted network or third-party and/or untrusted network – will prove most effective. It is more efficient in terms of both OPEX and CAPEX to rely on a single solution to address different requirements compared to implementing multiple single-purpose solutions.
Given the need to secure a range of connections, operators have different models they may choose to implement, depending on the level of trust. For trusted networks, IPSec may or may not be implemented. For untrusted networks, however, they will definitely want to implement a layer of security that can be applied to control plane, data plane, or management (OAM) traffic, or any combination of the three.
2. High Throughput Given the capabilities of the radio access technologies, and the amount of radio access sites being deployed as part of ultra-broadband mobile access networks, this will require hundreds of gigabytes of IPSec throughput on the security gateways. Look for a Security Gateway with advanced application capabilities including:
- ability to terminate IPSec tunnels from the full range of radio access sites, including macro, small cell and carrier Wi-Fi
- flexible architecture to easily scale as traffic volumes increase
- high-touch packet operations for deeper levels of integrated service capabilities
- stateful failover so that all the tunnel states are synchronized between two chassis, helping simplify operational deployment. This will mean that IPSec inter-chassis failover is totally transparent to the IPSec peer and there is no need to renegotiate tunnel
3. Standards Compliance With demand for connectivity coming from many different types of radio access technologies, the ultra-broadband network must interoperate with equipment from many vendors, so reliance on standards is imperative. The 3GPP standards body articulated its concept of a security gateway through the 3GPP 33.210 and 3GPP 33.310 specifications. The 3GPP security gateway relies on IPSec and Certificate Management capabilities to provide access control through authentication, and traffic confidentiality and integrity through encryption. Authentication and encryption may be extended to the user plane, the control plane, and management traffic through multiple backhauling options.
Other complementary standards and protocols exist to aid in the process of securing communications between the radio access sites and the security gateway and your Security Gateway must be able to support them. A Security Gateway that automates the process will be most time and cost-efficient.
There are also deployment scenarios where it is necessary to restrict the range of destinations an IPSec client – such as a small cell – can reach. Typically this traffic type is identified by lists of destination subnet/ranges.
Gateway to Competitive Advantage
Operators who choose a high throughput, full-featured, flexible security gateway that interworks with all radio access types will have a great competitive advantage. They can continue to build out their networks to reach more users while also protecting their networks. And they won’t hinder their ability to take advantage of the growth opportunities available in the expanding ultra-broadband mobile market.
Find out more about the Alcatel-Lucent Security solution. Read the Application Note Securing Ultra-Broadband Mobile Access: Deploying the Alcatel-Lucent Security Gateway to address the challenges of a flatter IP network architecture.
For information on related topics please read:
To contact the author or request additional information, please send an email to firstname.lastname@example.org.