Security Solutions for LTE Networks
Siva Ananmalay, Sr. Security Architect, Service Providers Advanced Technology Group
John Veizades, Product Line Manager – Service Provider Security Business Unit
2 Copyright © 2011 Juniper Networks, Inc. www.juniper.net
LEGAL STATEMENT
This statement of product direction sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this statement.
This presentation contains proprietary roadmap and architecture information and should not be discussed or shared in conjunction with an NDA.
MOBILE NETWORK SECURITY THREAT VECTORS
[Diagram: threat vectors across the Device, the Backhaul Network (eNodeB, MME, S-GW, P-GW), the Mobile Packet Core, the SP Backend (OSS, IMS, VAS, CSS), the Network Interface (Peering Points, Enterprise, Roaming Interface via the Roaming Exchange to other PLMNs) and Service Security for New Services (WapGW, IPTV, music, email, MMSC, Store).]
AGENDA
Juniper Networks provides a comprehensive set of security products to address threats across the range of threat vectors in a mobile network, including:
§ SRX – high availability, high capacity FW
  § Extensively customized and extended for Mobile SP applications
§ Application level security – Mykonos
§ Virtualized datacenter firewall – vGW
§ Handset – Junos Pulse
§ Management, Event Correlation – Junos Space, STRM
This presentation will focus on 2 key areas:
§ S1/S1-MME and X2 security threats and solutions
§ Gp/Gn security threats and solutions
S1/X2 FIREWALL SECURITY
RAN ACCESS NETWORK SECURITY – S1 FW
[Diagram: RAN eNodeBs (linked by X2) connected over S1-MME to the MME and over S1-U to the S-GW/P-GW, with a Gi F/W towards the SP & Internet and OSS/BSS/CSS.]
S1 Security
§ Protect EPC from rogue, compromised, malfunctioning eNodeB
§ Protect eNodeBs from rogue, compromised, malfunctioning EPC
§ Protect mobile from detrimental system issues, e.g. paging storms
§ No protection of user traffic to/from mobile.
§ Reference Interface(s): S1-MME (S1-AP) and S1-U (GTP-U)
Note: This presentation focuses on LTE, largely ignoring the 2/3G security between the core and the RAN. This is in line with the operators’ and standards view; in 2/3G networks the RAN (RNC) was considered trusted, while in LTE the eNodeB is much less so.
RAN ACCESS NETWORK SECURITY – S1 FW
[Diagram: same S1/X2 topology as the previous slide, with the S1 FW placed between the RAN and the EPC.]
Security functions
§ Authentication, integrity protection, encryption: IKEv2, IPsec, PKI
  § Note: While IPsec is optional, SCTP and GTP firewalling offer value regardless of the deployment of IPsec
§ Firewall header inspection and stateful protocol analysis: SCTP, S1-AP, UDP, GTP-U
§ Rate limiting, shaping, DoS attack prevention
§ Statistics, metering, policy enforcement
S1 SECURITY THREAT MATRIX
Device
  Threat: Paging storm from the EPC
  Mitigation: Paging message rate limiting
Mobile RAN
  Threats:
  § DoS attack on eNodeBs from compromised EPC network
  § DoS attack on eNodeBs from compromised EPC components
  § Device/SW probing of eNodeB from compromised EPC
  § GTP-C used as an attack inside GTP-U
  § GTP control path DoS attack, e.g. via Path Echo
  Mitigations:
  § Only allow authenticated traffic
  § Rate limit traffic to eNodeB
  § Filter and analyze protocols inside IPsec tunnels
  § White-list allowed encapsulated destinations
  § Filter and disallow GTP-C inside GTP-U
  § Rate limit and stateful inspection of Path Echo messages
Mobile Core
  Threats:
  § DoS attack on EPC from compromised access network
  § DoS attack on EPC from compromised eNodeB
  § Device/SW probing of EPC from compromised eNodeB
  § GTP-C used as an attack inside GTP-U
  § GTP control path DoS attack, e.g. via Path Echo
  Mitigations:
  § Only allow authenticated traffic
  § Rate limit traffic to EPC
  § Filter and analyze protocols inside IPsec tunnels
  § White-list allowed encapsulated destinations
  § Filter and disallow GTP inside GTP-U
  § Rate limit and stateful inspection of Path Echo messages
RAN ACCESS NETWORK SECURITY – X2 FW
[Diagram: RAN eNodeBs with the X2 interface between them, S1-MME to the MME and S1-U to the S-GW/P-GW, Gi F/W towards the SP & Internet and OSS/BSS/CSS.]
X2 security gateway
§ Protect eNodeBs from a rogue, compromised, malfunctioning eNodeB
§ No protection of user traffic to/from mobile.
§ Reference Interface(s): X2 (X2-AP and GTP-U)
RAN ACCESS NETWORK SECURITY – X2 FW
[Diagram: same X2/S1 topology as the previous slide, with the X2 FW between the eNodeBs.]
Security functions
§ Authentication, integrity protection, encryption: IKEv2, IPsec, PKI
§ Firewall header inspection and stateful protocol analysis: SCTP, X2-AP, UDP, GTP-U
§ Rate limiting, shaping, DoS attack prevention
§ Statistics, metering, policy enforcement
§ Firewalling based on eNodeB topology and X2 adjacency maps
X2 SECURITY THREAT MATRIX
Device
  Threat: -
  Mitigation: -
Mobile RAN
  Threats:
  § DoS attack on eNBs from compromised network
  § DoS attack on eNBs from compromised eNodeB
  § Device/SW probing of eNodeB from compromised eNodeB
  § Modification of eNodeB parameters from compromised eNodeB
  § X2-AP hidden and used as an attack inside GTP-U
  § GTP control path DoS attack, e.g. via Path Echo
  Mitigations:
  § Only allow authenticated traffic
  § Rate limit traffic to eNodeB
  § Filter, analyze protocols inside IPsec tunnels
  § X2 adjacency firewalling
  § Filter and disallow X2-AP inside GTP-U
  § Rate limit and stateful inspection of Path Echo messages
Mobile Core
  Threat: -
  Mitigation: -
DETAILS OF SECGW REQUIREMENTS
Support authorization of RAN infrastructure to EPC
§ IPSec support for site-to-site VPN
Must support complete resiliency
§ Voice and Data services over LTE require the same level of system uptime that was achieved for 2G voice and data, i.e. dial-tone-level uptime
§ Clustered deployments: Active/Passive and Active/Active
§ Capacity upgrades without data loss
§ Software updates without an outage
IPSec Requirements
§ Tunnel scale
§ Integration with PKI
§ Bootstrapping trust
New Requirements
§ SCTP firewalling
§ GTP firewalling
§ X2 firewall and mirroring
§ Control traffic rate limiting
IPSEC ON S1-MME
[Photos: solar powered cell site; cell site in a streetlamp]
Physical security of cell sites is a concern: a compromised eNodeB is a serious threat. Using certificate-based authentication with IPsec ensures that only authentic eNodeBs are able to connect to the network. The certificate infrastructure (PKI) allows the revocation of an eNodeB’s access. Encryption on S1 ensures confidentiality and minimizes the risk of attacks (man-in-the-middle, replay, etc.).
PHYSICAL SECURITY = NETWORK SECURITY
IPSEC FOR X2
§ X2 is the interface allowing peer-to-peer (eNodeB-to-eNodeB) signaling between cell sites for handover
§ X2 avoids the core nodes, and hence reduces latency
§ Both NSN and E/// recommend encrypting the X2 traffic and routing it through a Security GW (i.e. X2-to-X2 traffic becomes a hub-and-spoke X2-SecGW-X2 model)
§ Support mirroring of X2 for handoff troubleshooting
§ Support group based firewalling to limit conversation between elements that are not in the same adjacent area
[Diagram: RAN eNodeBs with X2 routed through the SecGW, and S1-U / S1-MME towards the Core (MME, SAE-GW).]
FIREWALL FUNCTIONS ON LTE SECURITY GW
Stateful firewalling is a basic security feature
§ It needs to support the protocols at the S1-MME/U, X2-C/U interfaces
§ It can be used as first line of defense for the core – particularly as addresses, ports, and protocols are well-known (e.g. SCTP to MME pool, GTP-U to S-GW, some O&M traffic)
§ Juniper is unique in offering these protections in an IPsec concentrator
[Diagram: eUTRAN eNodeBs connecting through an SRX in HA mode to the Evolved Packet Core (MME, S-GW, O&M).]
SCTP FIREWALLING
The Solution to RFC5062 SCTP Threats
§ SRX monitors the INIT exchange to establish source/destination address lists and tags for the SCTP connection (src/dest lists will have >1 IP addresses for a multi-homed eNodeB)
§ The association is stored in the same way as a TCP session would be
§ SCTP sessions can only be opened for an established association if the src/dest addresses are in the association lists and the tag matches
§ Gives stateful security for SCTP in a similar vein to TCP firewalling
Juniper is the only vendor with a stateful SCTP firewall
§ Other vendors’ solutions that are optimized for IPsec/TCP/UDP/ICMP provide unpredictable results with SCTP
§ Facilitates stateful A/A solution for secure, rapid signaling failover for multi-homed eNodeBs
[Diagram: multi-homed SCTP association between an eNodeB (IP A via Path A, IP B via Path B) and an MME (IP X via Path X, IP Y via Path Y), with the SCTP primary path marked.]
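The INIT-based association tracking described above, as an added illustration (not Juniper's or the SRX's code): a toy Python tracker that learns each side's address list and Initiate Tag from INIT and INIT-ACK, then permits only packets whose source and destination are in the learned lists and whose verification tag matches. Packets are modelled as dicts rather than parsed from raw SCTP bytes, one chunk per packet, and the eNodeB and MME addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class SctpAssociation:
    a_addrs: set        # addresses announced by the INIT sender (e.g. a multi-homed eNodeB)
    b_addrs: set        # addresses announced by the INIT-ACK sender (e.g. the MME)
    tag_to_a: int       # Initiate Tag from INIT: vtag expected on packets sent to A
    tag_to_b: int = 0   # Initiate Tag from INIT-ACK; 0 until the handshake completes

class SctpFirewall:
    def __init__(self):
        self.assocs = []  # associations learned from INIT / INIT-ACK exchanges
    def _find(self, src, dst):
        for a in self.assocs:  # match either direction against the learned address lists
            if src in a.a_addrs and dst in a.b_addrs:
                return a, "to_b"
            if src in a.b_addrs and dst in a.a_addrs:
                return a, "to_a"
        return None, None
    def inspect(self, pkt):
        chunk, vtag = pkt["chunk"], pkt["vtag"]
        if chunk == "INIT":  # new association: learn the initiator's address list and Initiate Tag
            self.assocs.append(SctpAssociation({pkt["src"], *pkt.get("addrs", ())}, {pkt["dst"]}, pkt["itag"]))
            return "PERMIT"
        assoc, direction = self._find(pkt["src"], pkt["dst"])
        if assoc is None:
            return "DROP:no association for this src/dst pair"
        if chunk == "INIT-ACK":  # must echo the INIT tag; learn the responder's addresses and tag
            if direction != "to_a" or vtag != assoc.tag_to_a:
                return "DROP:INIT-ACK tag mismatch"
            assoc.b_addrs |= set(pkt.get("addrs", ()))
            assoc.tag_to_b = pkt["itag"]
            return "PERMIT"
        expected = assoc.tag_to_b if direction == "to_b" else assoc.tag_to_a
        if vtag != expected or expected == 0:  # tag_to_b stays 0 until INIT-ACK is seen
            return "DROP:association not established or verification tag mismatch"
        return "PERMIT"

def demo():
    # Constructed S1-MME flow: multi-homed eNodeB (two addresses) towards one MME address
    fw, enb, mme = SctpFirewall(), ("192.0.2.10", "198.51.100.10"), "203.0.113.1"
    flow = [
        dict(src=enb[0], dst=mme, vtag=0, chunk="INIT", itag=0xA1, addrs=enb),
        dict(src=enb[0], dst=mme, vtag=0xB2, chunk="DATA"),        # DATA before INIT-ACK
        dict(src=mme, dst=enb[0], vtag=0xA1, chunk="INIT-ACK", itag=0xB2),
        dict(src=enb[1], dst=mme, vtag=0xB2, chunk="DATA"),        # secondary path, valid tag
        dict(src=enb[1], dst=mme, vtag=0xFF, chunk="DATA"),        # wrong tag
        dict(src="192.0.2.66", dst=mme, vtag=0xB2, chunk="DATA"),  # address not announced in INIT
    ]
    return [fw.inspect(x) for x in flow]
```

The second DATA packet is the multi-homing case the slide makes: it arrives from the eNodeB's secondary address and is accepted because that address was announced in the INIT, while a spoofed source that was never announced is dropped even with the right tag.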
INTEROPERABILITY TESTING FOR LTE
IOT Completed with:
§ eNodeB performance issues resolved in SRX
§ Ongoing IOT with new software versions
§ Working on extending standards to accommodate operational use cases
  § Child-SAs for differing traffic types (DSCP)
HIGH AVAILABILITY/RESILIENCE ON SECURITY GATEWAY
Key components of Juniper SecGW HA solution
• IPsec SAs are synched
• No downtime on failure of SecGW
• Stateless HA solution can lead to minutes of downtime; loss of signalling/calls for all end users
• Support HW upgrade and capacity increase with no downtime
• Inter-box HA
• Intra-box still leaves a single point of failure
• Other SecGW solutions use intra-box
• Inter-box HA allows for Active-Active design scenarios which facilitate multi-homed signalling on disparate paths
• ISSU (In-Service Software Upgrades)
• Upgrade firmware with zero downtime (IPsec support roadmap item)
• User/signalling plane sessions are synched
• Provide stateful SCTP firewalling
• Enhance security for administrative (O&M) sessions
[Diagram: UE, eNodeB (RAN), IPsec VPN to the SecGW pair, then MME and S-GW; the IPsec SA is synched to the backup device.]
FAILOVER EXAMPLE A/P SINGLE TUNNEL
[Diagram: MS, eNodeB (RAN), IPsec VPN to an SRX cluster, then MME and S-GW; steps 1 to 4 are numbered on the diagram and an X marks the failed unit.]
1. In Active/Passive, signalling and user flow go through a single IPsec VPN
2. Failure condition – in this case, SRX loses power
3. Cluster fails over. IPsec VPN moves to new master
4. Signalling and user plane move to secondary unit, SAs and stateful sessions are maintained and traffic continues to flow – failover time ~2-3 seconds
LTE SECGW – FINDINGS AFTER SEVERAL YEARS OF EXPERIENCE
Interoperability Testing (IOT)
§ Absolutely required, but ongoing long term operation still finds issues
Jumbo frames and fragmentation
§ Not all backhaul networks are ready for IPSec
§ Fragmentation is evil
Facilitates evolution from 3G/2G to 4G
§ All IP network
§ Moving 2G and 3G traffic to a converged network
DSCP traffic steering is valuable
§ Basic and premium services
S8 FIREWALL SECURITY
GTP SECURITY – FUNCTIONAL OVERVIEW
[Diagram: Intra- and Inter-PLMN Backbone Networks; SGSNs and GGSNs in PLMN A and PLMN B connected over Gn within a PLMN and over Gp through Border Gateways (BG) across the Inter PLMN Backbone, with Gi towards the Packet Data Network (PDN).]
GTP security functionality on SRX falls into four categories
Policy filtering
§ Define specific APN or APN group matches (wildcards permitted)
§ Define IMSI prefixes (mcc-mnc)
§ GTP message length filtering
Message content checking
§ Validate GTP message conformance to 3GPP standards
§ Implicit (non-configurable) and explicit (configurable) validation options
Rate limiting
§ Limit GTP-C messages globally, per-GSN or per GSN group
§ Prevent flood attacks and protect GSN resources
GTP stateful inspection
§ Ensure GTP-C messages follow expected patterns of state regarding tunnel setup/modification/deletion
§ GSN redirection/handover group awareness
§ Sequence number validation
GTP – POLICY FILTERING
[Diagram: MS, RAN and Mobile Core; SGSNs in VPLMN1 and VPLMN2 reach the HPLMN GGSN over the Roaming Exchange, with the SRX in the path.]
Configurable profiles give granular control over GTP traffic
§ Filter based on APN, selection mode and IMSI prefix (mcc-mnc)
§ GTP profiles can be applied globally, to GSN groups or to individual GSN pairs via security policies
§ SRX logs any GTP traffic which is dropped due to policy violations
SRX applies GTP policy profiles – can be global or highly granular
GTP – MESSAGE CONTENT CHECKING
Explicit (configurable) and implicit (non-configurable) options for message validation
§ Implicit checks validate packet standards – correct TLV format, sequential IEs, presence of mandatory IEs, and more
§ User configurable maximum and minimum message length
§ Ability to define acceptable GTP messages on a per-version basis
§ Explicit checks can be applied to GSN groups or globally
GTP header fields (bits 8 to 1 of each octet):
Octet 1: Version | PT | (*) | E | S | PN
Octet 2: Message Type
Octet 3: Length (1st octet)
Octet 4: Length (2nd octet)
Octet 5: TEID (1st octet)
Octet 6: TEID (2nd octet)
Octet 7: TEID (3rd octet)
Octet 8: TEID (4th octet)
Octet 9: Sequence Number (1st octet)
Octet 10: Sequence Number (2nd octet)
Octet 11: N-PDU Number
Octet 12: Next Extension Header Type
GTP engine checks adherence to 3GPP standards and enforces administrator message policy
GTP – RATE LIMITING
Protect GSN resources from floods/DoS attacks
§ Rate limiting applied to GTP-C messages
§ Applied per profile, allowing variable rate limitations per GSN/GSN group/roaming partner/globally
§ SRX drops and logs packets over the rate limit threshold
§ Preserves GSN resources in case of flood
Element to Element Rate limiting and Alarms: scheduled in 1H2013
[Diagram: SGSN groups (HPLMN/VPLMN) and GGSNs; rate limiting applied per profile, giving flexibility per GSN groups/roaming partners.]
GTP – STATEFUL INSPECTION
Ensures stateful lifetime of GTP contexts
§ Implicit stateful checks ensure the tunnel state lifecycle is maintained – for example, if a tunnel is not present, any message except ‘Create PDP Request’ will be dropped
§ Allows tunnel modification and deletion with knowledge of state
§ Enables GSN handover groups
§ Administrator can add GTP packet sequence number validation per-profile
Message flow through the SRX:
Create PDP Context Request / Create PDP Context Response – SRX creates GTP tunnel entry with GSN IP addresses and TEID
Update PDP Context Request / Update PDP Context Response – SRX modifies GTP tunnel entry; profiles can be used to ring-fence handover groups
Delete PDP Context Request / Delete PDP Context Response – SRX deletes tunnel entry
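The tunnel lifecycle above, as an added example that is not the SRX's implementation: a minimal Python GTPv1-C state tracker that admits only Create PDP Context Request when no tunnel exists, activates the tunnel under the TEID returned in the response, allows an SGSN change on Update only within a configured handover group, and optionally requires responses to echo the outstanding request's sequence number. The message dicts, GSN addresses and handover group are constructed for the example.

```python
class GtpcInspector:
    """Tracks GTPv1-C PDP context state (constructed example; messages are dicts, not raw bytes)."""
    def __init__(self, handover_groups=(), check_seq=False):
        self.pending = {}  # (sgsn, ggsn) -> tunnel awaiting its Create PDP Context Response
        self.active = {}   # control-plane TEID -> established tunnel {"sgsn", "last_seq"}
        self.groups = [frozenset(g) for g in handover_groups]  # SGSNs allowed to hand over to each other
        self.check_seq = check_seq  # per-profile sequence number validation (off by default)

    def inspect(self, msg):
        """Return 'PERMIT' or 'DROP:<reason>' for one GTP-C message."""
        t, src, dst, seq = msg["type"], msg["src"], msg["dst"], msg.get("seq")
        if t == "Create PDP Context Request":  # the only message allowed without tunnel state
            self.pending[(src, dst)] = {"sgsn": src, "last_seq": seq}
            return "PERMIT"
        # Responses flow GGSN -> SGSN, so the pending key is reversed; everything else is looked up by TEID
        tun = self.pending.get((dst, src)) if t == "Create PDP Context Response" else self.active.get(msg.get("teid"))
        if tun is None:
            return "DROP:no tunnel state for this message"
        if t.endswith("Response"):
            if self.check_seq and seq != tun["last_seq"]:
                return "DROP:sequence number does not match the outstanding request"
            if t.startswith("Create"):  # tunnel becomes active under the TEID carried in the response
                self.active[msg["teid"]] = self.pending.pop((dst, src))
            elif t.startswith("Delete"):
                del self.active[msg["teid"]]
            return "PERMIT"
        if t == "Update PDP Context Request" and src != tun["sgsn"]:  # SGSN change = inter-SGSN handover
            if not any(tun["sgsn"] in g and src in g for g in self.groups):
                return "DROP:new SGSN outside the configured handover group"
            tun["sgsn"] = src
        tun["last_seq"] = seq
        return "PERMIT"

def demo():
    fw = GtpcInspector(handover_groups=[{"10.1.1.1", "10.1.1.2"}], check_seq=True)
    S, G = "10.1.1.1", "10.2.2.2"  # constructed SGSN and GGSN addresses
    flow = [
        dict(type="Update PDP Context Request", src=S, dst=G, teid=0x55, seq=1),              # no tunnel yet
        dict(type="Create PDP Context Request", src=S, dst=G, seq=1),
        dict(type="Create PDP Context Response", src=G, dst=S, teid=0x55, seq=1),
        dict(type="Update PDP Context Request", src="10.1.1.2", dst=G, teid=0x55, seq=2),     # in-group handover
        dict(type="Update PDP Context Request", src="10.9.9.9", dst=G, teid=0x55, seq=3),     # SGSN outside group
        dict(type="Delete PDP Context Request", src="10.1.1.2", dst=G, teid=0x55, seq=4),
        dict(type="Delete PDP Context Response", src=G, dst="10.1.1.2", teid=0x55, seq=9),    # stale sequence number
    ]
    return [fw.inspect(m) for m in flow]
```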
GTP-IN-GTP DETECTION
[Diagram: MS, RAN and Mobile Core (HPLMN SGSN/GGSN) with the Roaming Exchange; a packet stack labelled IP, TCP, GTP, GTP, GTP shows multiple embedded GTP headers.]
GTP-in-GTP traffic can be used as an attack vector
§ Simple to generate
§ Can spoof other GSNs or be used to create recursive processing of GTP packets, causing strange behaviour, resource shortage or DoS
§ Multiple embedded GTP headers can be used to exacerbate an attack
§ Common attack – seen in logs by many carriers implementing GTP security
GTP-in-GTP detection scheduled for 1H2012
§ Checks for additional GTP header within outer header; drops packet if detected
§ One of the few possible use cases for GTP firewall on Gn
GTP packet contains multiple embedded GTP headers – may cause GSN to perform recursive processing
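An added Python example (not the SRX's GTP engine) that covers both the header checks from the message content checking slide and the GTP-in-GTP detection described here: it parses the GTPv1 header fields shown in the table, applies the implicit version/PT/Length checks plus a configurable min/max Length policy, and flags a GTP-U T-PDU whose inner IPv4/UDP payload carries another GTP header. The sample datagrams and addresses are constructed, and extension header chains beyond the Next Extension Header Type octet are rejected rather than parsed.

```python
import struct

GTP_PORTS = {2123, 2152}  # UDP ports for GTP-C and GTP-U

def parse_gtpv1_header(data: bytes, min_len: int = 0, max_len: int = 65535) -> dict:
    """Parse octets 1-12 of a GTPv1 header; implicit checks plus an explicit Length policy."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version, pt = flags >> 5, (flags >> 4) & 1
    e, s, pn = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    if version != 1 or pt != 1:
        raise ValueError("not a GTPv1 (PT=1) header")
    hdr_len = 12 if (e or s or pn) else 8  # Sequence Number, N-PDU Number, Next Ext Header Type
    if len(data) < hdr_len or length != len(data) - 8:  # Length counts everything after octet 8
        raise ValueError("Length field does not match the datagram")
    if e and data[11] != 0:
        raise ValueError("extension header chain not handled by this example")
    if not min_len <= length <= max_len:
        raise ValueError("message length outside the configured policy")
    return {"msg_type": msg_type, "length": length, "teid": teid, "header_len": hdr_len}

def gtp_in_gtp(packet: bytes) -> bool:
    """True when a GTP-U T-PDU (type 255) wraps IPv4/UDP to a GTP port carrying another GTPv1 header."""
    outer = parse_gtpv1_header(packet)
    inner = packet[outer["header_len"]:]
    if outer["msg_type"] != 255 or len(inner) < 28 or inner[0] >> 4 != 4:
        return False
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < ihl + 8:  # inner transport must be UDP
        return False
    if struct.unpack("!H", inner[ihl + 2:ihl + 4])[0] not in GTP_PORTS:
        return False
    try:
        parse_gtpv1_header(inner[ihl + 8:])
    except ValueError:
        return False
    return True

# Constructed sample datagrams (not captured traffic): a DNS query carried in GTP-U,
# and a T-PDU whose inner UDP payload is itself a GTP-U header.
def build_gtpu(msg_type: int, teid: int, payload: bytes) -> bytes:
    return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload  # 0x30 = v1, PT=1
def build_ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst) + udp
UE, DNS, GSN = bytes([10, 0, 0, 7]), bytes([192, 0, 2, 53]), bytes([10, 0, 0, 9])
BENIGN = build_gtpu(255, 0x1001, build_ipv4_udp(UE, DNS, 40000, 53, bytes(12)))
NESTED = build_gtpu(255, 0x1001, build_ipv4_udp(UE, GSN, 2152, 2152, build_gtpu(255, 0x2002, bytes(20))))
```

The detection only descends one level; a production engine would loop the same check over the inner header to count the multiple embedded headers the slide mentions.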