Security Solutions for LTE Networks

Siva Ananmalay, Sr. Security Architect, Service Providers Advanced Technology Group
John Veizades, Product Line Manager – Service Provider Security Business Unit

Copyright © 2011 Juniper Networks, Inc. www.juniper.net

LEGAL STATEMENT

This statement of product direction sets forth Juniper Networks’ current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this statement.

This presentation contains proprietary roadmap and architecture information and should not be discussed or shared in conjunction with an NDA.

MOBILE NETWORK SECURITY THREAT VECTORS

[Diagram: threat vectors along the mobile network, from the Device across the eNodeB and Backhaul Network to the Mobile Packet Core (S-GW, MME, P-GW, OSS, IMS, VAS, CSS), the SP Backend services (WapGW, IPTV, music, email, MMSC, Store, New Services), Peering Points, Enterprise and the Roaming Interface / Roaming Exchange toward other PLMNs. Security domains marked: Device, Network Interface, Service Security.]

AGENDA

• Juniper Networks provides a comprehensive set of security products to address threats across the range of threat vectors in a mobile network, including:
  - SRX – high-availability, high-capacity firewall, extensively customized and extended for mobile SP applications
  - Application-level security – Mykonos
  - Virtualized datacenter firewall – vGW
  - Handset – Junos Pulse
  - Management, event correlation – Junos Space, STRM
• This presentation will focus on two key areas:
  - S1/S1-MME and X2 security threats and solutions
  - Gp/Gn security threats and solutions


S1/X2 FIREWALL SECURITY

RAN ACCESS NETWORK SECURITY – S1 FW

[Diagram: eNodeBs in the RAN connect over S1-U to the S-GW/P-GW and over S1-MME to the MME, with X2 between eNodeBs; a Gi firewall fronts the SP & Internet and OSS/BSS/CSS side.]

S1 Security
• Protect EPC from rogue, compromised or malfunctioning eNodeB
• Protect eNodeBs from rogue, compromised or malfunctioning EPC
• Protect mobile from detrimental system issues, e.g. paging storms
• No protection of user traffic to/from mobile
• Reference interface(s): S1-MME (S1-AP) and S1-U (GTP-U)

Note: This presentation focuses on LTE, largely ignoring the 2/3G security between the core and the RAN. This is in line with the operators’ and standards’ view; in 2/3G networks the RAN (RNC) was considered trusted, while in LTE the eNodeB is much less so.

RAN ACCESS NETWORK SECURITY – S1 FW

[Diagram: same S1/X2 topology as the previous slide.]

Security functions
• Authentication, integrity protection, encryption: IKEv2, IPsec, PKI
  - Note: while IPsec is optional, SCTP and GTP firewalling offer value regardless of whether IPsec is deployed
• Firewall header inspection and stateful protocol analysis: SCTP, S1-AP, UDP, GTP-U
• Rate limiting, shaping, DoS attack prevention
• Statistics, metering, policy enforcement

S1 SECURITY THREAT MATRIX

Device
  Threat: Paging storm from the EPC
  Mitigation: Paging message rate limiting

Mobile RAN
  Threats:
  • DoS attack on eNodeBs from compromised EPC network
  • DoS attack on eNodeBs from compromised EPC components
  • Device/SW probing of eNodeB from compromised EPC
  • GTP-C used as an attack inside GTP-U
  • GTP control path DoS attack, e.g. via Path Echo
  Mitigations:
  • Only allow authenticated traffic
  • Rate limit traffic to eNodeB
  • Filter and analyze protocols inside IPsec tunnels
  • White-list allowed encapsulated destinations
  • Filter and disallow GTP-C inside GTP-U
  • Rate limit and stateful inspection of Path Echo messages

Mobile Core
  Threats:
  • DoS attack on EPC from compromised access network
  • DoS attack on EPC from compromised eNodeB
  • Device/SW probing of EPC from compromised eNodeB
  • GTP-C used as an attack inside GTP-U
  • GTP control path DoS attack, e.g. via Path Echo
  Mitigations:
  • Only allow authenticated traffic
  • Rate limit traffic to EPC
  • Filter and analyze protocols inside IPsec tunnels
  • White-list allowed encapsulated destinations
  • Filter and disallow GTP inside GTP-U
  • Rate limit and stateful inspection of Path Echo messages

RAN ACCESS NETWORK SECURITY – X2 FW

[Diagram: same S1/X2 topology, with the X2 interface between eNodeBs highlighted.]

X2 security gateway
• Protect eNodeBs from a rogue, compromised or malfunctioning eNodeB
• No protection of user traffic to/from mobile
• Reference interface(s): X2 (X2-AP and GTP-U)

RAN ACCESS NETWORK SECURITY – X2 FW

[Diagram: same S1/X2 topology as the previous slide.]

Security functions
• Authentication, integrity protection, encryption: IKEv2, IPsec, PKI
• Firewall header inspection and stateful protocol analysis: SCTP, X2-AP, UDP, GTP-U
• Rate limiting, shaping, DoS attack prevention
• Statistics, metering, policy enforcement
• Firewalling based on eNodeB topology and X2 adjacency maps

X2 SECURITY THREAT MATRIX

Device
  Threat: –
  Mitigation: –

Mobile RAN
  Threats:
  • DoS attack on eNBs from compromised network
  • DoS attack on eNBs from compromised eNodeB
  • Device/SW probing of eNodeB from compromised eNodeB
  • Modification of eNodeB parameters from compromised eNodeB
  • X2-AP hidden and used as an attack inside GTP-U
  • GTP control path DoS attack, e.g. via Path Echo
  Mitigations:
  • Only allow authenticated traffic
  • Rate limit traffic to eNodeB
  • Filter, analyze protocols inside IPsec tunnels
  • X2 adjacency firewalling
  • Filter and disallow X2-AP inside GTP-U
  • Rate limit and stateful inspection of Path Echo messages

Mobile Core
  Threat: –
  Mitigation: –

DETAILS OF SECGW REQUIREMENTS

• Support authorization of RAN infrastructure to EPC
  - IPsec support for site-to-site VPN
• Must support complete resiliency
  - Voice and data services over LTE require the same level of system uptime that was achieved for 2G voice and data, i.e. dial-tone level uptime
  - Clustered deployments, Active/Passive and Active/Active
  - Capacity upgrades without data loss
  - Software updates without an outage
• IPsec requirements
  - Tunnel scale
  - Integration with PKI
  - Bootstrapping trust
• New requirements
  - SCTP firewalling
  - GTP firewalling
  - X2 firewall and mirroring
  - Control traffic rate limiting

IPSEC ON S1-MME

[Photos: a solar-powered cell site; a cell site in a streetlamp.]

Physical security of cell sites is a concern, and a compromised eNodeB is a serious threat. Using certificate-based authentication with IPsec ensures that only authentic eNodeBs are able to connect to the network. The certificate infrastructure (PKI) allows the revocation of an eNodeB’s access. Encryption on S1 ensures confidentiality and minimizes the risk of attacks (man-in-the-middle, replay, etc.).


PHYSICAL SECURITY = NETWORK SECURITY

IPSEC FOR X2

• X2 is the interface allowing peer-to-peer (eNodeB-to-eNodeB) signaling between cell sites for handover
• X2 avoids the core nodes and hence reduces latency
• Both NSN and E/// recommend encrypting the X2 traffic and routing it through a Security GW (i.e. X2-to-X2 traffic becomes a hub-and-spoke X2-SecGW-X2 model)
• Support mirroring of X2 for handoff troubleshooting
• Support group-based firewalling to limit conversation between elements that are not in the same adjacent area

[Diagram: Core (MME, SAE-GW) and RAN joined by S1-U and S1-MME; X2 between eNodeBs is routed through the SecGW.]

FIREWALL FUNCTIONS ON LTE SECURITY GW

• Stateful firewalling is a basic security feature
  - It needs to support the protocols at the S1-MME/U and X2-C/U interfaces
  - It can be used as first line of defense for the core, particularly as addresses, ports and protocols are well known (e.g. SCTP to MME pool, GTP-U to S-GW, some O&M traffic)
  - Juniper is unique in offering these protections in an IPsec concentrator

[Diagram: eUTRAN eNodeBs connect through an SRX in HA mode to the Evolved Packet Core (MME, S-GW, O&M).]

SCTP FIREWALLING

• The solution to RFC 5062 SCTP threats
  - SRX monitors the INIT exchange to establish source/destination address lists and tags for the SCTP connection (src/dest lists will have more than one IP address for a multi-homed eNodeB)
  - The association is stored in the same way as a TCP session would be
  - SCTP sessions can only be opened for an established association if the src/dest addresses are in the association lists and the tag matches
  - Gives stateful security for SCTP in a similar vein to TCP firewalling
• Juniper is the only vendor with a stateful SCTP firewall
  - Other vendors’ solutions that are optimized for IPsec/TCP/UDP/ICMP provide unpredictable results with SCTP
  - Facilitates a stateful A/A solution for secure, rapid signaling failover for multi-homed eNodeBs

[Diagram: a multi-homed eNodeB (IP A, IP B) reaches a multi-homed MME (IP X, IP Y) over paths A/B and X/Y; the SCTP primary path is marked.]
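The INIT-exchange tracking described above, as an added illustration rather than SRX code: it learns each side's address list and verification tag from INIT and INIT ACK, then admits later chunks only when source and destination are in the learned lists and the tag matches. The eNodeB/MME addresses, ports and tags are constructed; the model looks at the first chunk of each packet only and does not verify the CRC32c checksum.

```python
import struct
import ipaddress

INIT, INIT_ACK, DATA, PARAM_IPV4 = 1, 2, 0, 5

def parse_sctp(pkt):   # common header + first chunk -> (sport, dport, vtag, chunk type, chunk body)
    sport, dport, vtag, _csum = struct.unpack("!HHII", pkt[:12])
    ctype, _flags, clen = struct.unpack("!BBH", pkt[12:16])
    return sport, dport, vtag, ctype, pkt[16:12 + clen]

def init_tag_and_addrs(body):
    """Initiate Tag plus the IPv4 Address parameters a multi-homed endpoint advertises in INIT/INIT ACK."""
    itag, addrs, off = struct.unpack("!I", body[:4])[0], set(), 16   # 16 fixed octets, then TLV parameters
    while off + 4 <= len(body):
        ptype, plen = struct.unpack("!HH", body[off:off + 4])
        if ptype == PARAM_IPV4 and plen == 8:
            addrs.add(str(ipaddress.IPv4Address(body[off + 4:off + 8])))
        off += (plen + 3) & ~3          # parameters are padded to a 4-octet boundary
    return itag, addrs

class SctpFirewall:
    """Learn address lists and verification tags from the INIT exchange, then enforce them on every chunk."""
    def __init__(self):
        self.pending, self.assocs = {}, []   # (initiator port, peer port) -> half-open; established list

    def process(self, src_ip, dst_ip, pkt):
        sport, dport, vtag, ctype, body = parse_sctp(pkt)
        if ctype == INIT:
            if vtag != 0: return "drop"     # RFC 4960: an INIT must carry verification tag 0
            itag, addrs = init_tag_and_addrs(body)
            self.pending[(sport, dport)] = {"a": addrs | {src_ip}, "b": {dst_ip}, "tag_to_a": itag}
            return "allow"
        if ctype == INIT_ACK:
            a = self.pending.pop((dport, sport), None)
            if a is None or dst_ip not in a["a"] or vtag != a["tag_to_a"]:
                return "drop"               # INIT ACK must answer a seen INIT and carry its Initiate Tag
            itag, addrs = init_tag_and_addrs(body)
            a["b"] |= addrs | {src_ip}
            a["tag_to_b"], a["ports"] = itag, (dport, sport)
            self.assocs.append(a)
            return "allow"
        for a in self.assocs:               # COOKIE ECHO, DATA, SACK, ... must fit an established association
            a_to_b = src_ip in a["a"] and dst_ip in a["b"] and vtag == a["tag_to_b"] and (sport, dport) == a["ports"]
            b_to_a = src_ip in a["b"] and dst_ip in a["a"] and vtag == a["tag_to_a"] and (dport, sport) == a["ports"]
            if a_to_b or b_to_a:
                return "allow"
        return "drop"

def build_packet(sport, dport, vtag, ctype, body):   # constructed test packet; CRC32c left as zero
    return struct.pack("!HHII", sport, dport, vtag, 0) + struct.pack("!BBH", ctype, 0, 4 + len(body)) + body

def build_init_body(itag, extra_addrs):   # fixed INIT fields, then one IPv4 Address parameter per extra address
    return struct.pack("!IIHHI", itag, 65535, 2, 2, 1) + b"".join(
        struct.pack("!HH", PARAM_IPV4, 8) + ipaddress.IPv4Address(a).packed for a in extra_addrs)

def demo():   # constructed S1-MME association: eNodeB on 10.1.1.10 and 10.1.2.10, MME on 10.9.0.1, port 36412
    fw, enb, mme = SctpFirewall(), "10.1.1.10", "10.9.0.1"
    init = build_packet(40000, 36412, 0, INIT, build_init_body(0x1111, ["10.1.2.10"]))
    ack = build_packet(36412, 40000, 0x1111, INIT_ACK, build_init_body(0x2222, []))
    data = build_packet(40000, 36412, 0x2222, DATA, b"\x00" * 16)
    return [fw.process(enb, mme, init),
            fw.process(mme, enb, ack),
            fw.process("10.1.2.10", mme, data),                                    # secondary eNodeB address, right tag
            fw.process(enb, mme, build_packet(40000, 36412, 0x9999, DATA, b"\x00" * 16)),  # wrong tag
            fw.process("10.1.3.10", mme, data)]                                    # address never advertised in INIT
```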

INTEROPERABILITY TESTING FOR LTE

• IOT completed with: [vendor logos]
• eNodeB performance issues resolved in SRX
• Ongoing IOT with new software versions
• Working on extending standards to accommodate operational use cases
  - Child SAs for differing traffic types (DSCP)

HIGH AVAILABILITY/RESILIENCE ON SECURITY GATEWAY

Key components of Juniper SecGW HA solution
• IPsec SAs are synched
  - No downtime on failure of SecGW
  - Stateless HA solution can lead to minutes of downtime; loss of signalling/calls for all end users
  - Support HW upgrade and capacity increase with no downtime
• Inter-box HA
  - Intra-box still leaves a single point of failure
  - Other SecGW solutions use intra-box
  - Inter-box HA allows for Active-Active design scenarios which facilitate multi-homed signalling on disparate paths
• ISSU (In-Service Software Upgrades)
  - Upgrade firmware with zero downtime (IPsec support roadmap item)
• User/signalling plane sessions are synched
  - Provide stateful SCTP firewalling
  - Enhance security for administrative (O&M) sessions

[Diagram: UE – eNodeB (RAN) – IPsec VPN – SecGW pair – MME/S-GW; the IPsec SA is synched to the backup device.]

FAILOVER EXAMPLE A/P SINGLE TUNNEL

[Diagram: MS – eNodeB (RAN) – SRX cluster – S-GW/MME, with steps 1–4 marked and the failed unit crossed out.]

1. In Active/Passive, signalling and user flow go through a single IPsec VPN
2. Failure condition – in this case, the SRX loses power
3. Cluster fails over; IPsec VPN moves to new master
4. Signalling and user plane move to secondary unit; SAs and stateful sessions are maintained and traffic continues to flow – failover time ~2-3 seconds

LTE SECGW – FINDINGS AFTER SEVERAL YEARS OF EXPERIENCE

• Interoperability Testing (IOT)
  - Absolutely required, but ongoing long-term operation still finds issues
• Jumbo frames and fragmentation
  - Not all backhaul networks are ready for IPsec
  - Fragmentation is evil
• Facilitates evolution from 3G/2G to 4G
  - All-IP network
  - Moving 2G and 3G traffic to a converged network
• DSCP traffic steering is valuable
  - Basic and premium services


S8 FIREWALL SECURITY

GTP SECURITY – FUNCTIONAL OVERVIEW

[Diagram: intra- and inter-PLMN backbone networks. PLMN A and PLMN B each contain SGSNs and GGSNs; Gn runs between SGSN and GGSN, Gp crosses the inter-PLMN backbone via border gateways (BG), and Gi leads to the Packet Data Network (PDN).]

GTP security functionality on SRX falls into four categories:
• Policy filtering
  - Define specific APN or APN group matches (wildcards permitted)
  - Define IMSI prefixes (MCC-MNC)
  - GTP message length filtering
• Message content checking
  - Validate GTP message conformance to 3GPP standards
  - Implicit (non-configurable) and explicit (configurable) validation options
• Rate limiting
  - Limit GTP-C messages globally, per GSN or per GSN group
  - Prevent flood attacks and protect GSN resources
• GTP stateful inspection
  - Ensure GTP-C messages follow expected patterns of state regarding tunnel setup/modification/deletion
  - GSN redirection/handover group awareness
  - Sequence number validation

GTP – POLICY FILTERING

[Diagram: MS – RAN – mobile core; the HPLMN holds an SGSN and GGSN, while SGSNs in VPLMN1 and VPLMN2 reach the HPLMN GGSN through the roaming exchange.]

Configurable profiles give granular control over GTP traffic:
• Filter based on APN, selection mode and IMSI prefix (MCC-MNC)
• GTP profiles can be applied globally, to GSN groups or to individual GSN pairs via security policies
• SRX logs any GTP traffic which is dropped due to policy violations

SRX applies GTP policy profiles – can be global or highly granular

GTP – MESSAGE CONTENT CHECKING

Explicit (configurable) and implicit (non-configurable) options for message validation:
• Implicit checks validate packet standards – correct TLV format, sequential IEs, presence of mandatory IEs, and more
• User-configurable maximum and minimum message length
• Ability to define acceptable GTP messages on a per-version basis
• Explicit checks can be applied to GSN groups or globally

GTP header fields (bits 8 to 1 of each octet):

 Octet | Bits 8 7 6 5 4 3 2 1
 ------+---------------------------------------------
   1   | Version (3 bits) | PT | (*) | E | S | PN
   2   | Message Type
   3   | Length (1st octet)
   4   | Length (2nd octet)
   5   | TEID (1st octet)
   6   | TEID (2nd octet)
   7   | TEID (3rd octet)
   8   | TEID (4th octet)
   9   | Sequence Number (1st octet)
  10   | Sequence Number (2nd octet)
  11   | N-PDU Number
  12   | Next Extension Header Type

The GTP engine checks adherence to 3GPP standards and enforces the administrator’s message policy.

GTP – RATE LIMITING

Protect GSN resources from floods/DoS attacks:
• Rate limiting applied to GTP-C messages
• Applied per profile, allowing variable rate limitations per GSN/GSN group/roaming partner/globally
• SRX drops and logs packets over the rate limit threshold
• Preserves GSN resources in case of flood

Element-to-element rate limiting and alarms: scheduled in 1H2013

[Diagram: SGSN groups (HPLMN/VPLMN) and GGSNs; rate limiting applied per profile, giving flexibility per GSN groups/roaming partners.]

GTP – STATEFUL INSPECTION

Ensures stateful lifetime of GTP contexts:
• Implicit stateful checks ensure the tunnel state lifecycle is maintained – for example, if a tunnel is not present, any message except ‘Create PDP Context Request’ will be dropped
• Allows tunnel modification and deletion with knowledge of state
• Enables GSN handover groups
• Administrator can add GTP packet sequence number validation per profile

Message flow through the SRX:
• Create PDP Context Request / Create PDP Context Response – SRX creates GTP tunnel entry with GSN IP addresses and TEID
• Update PDP Context Request / Update PDP Context Response – SRX modifies GTP tunnel entry; profiles can be used to ring-fence handover groups
• Delete PDP Context Request / Delete PDP Context Response – SRX deletes tunnel entry
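A model of the tunnel-state tracking described above, as an added example rather than SRX code: it works on already-decoded GTPv1-C messages (the Msg fields are assumptions standing in for the header TEID, the sequence number and the TEID Control Plane IE), creates a tunnel entry only when a Create PDP Context exchange completes, requires each response to echo its request's sequence number, allows an SGSN change on Update only within a constructed handover group, and removes the entry on Delete. GSN addresses and TEIDs are constructed.

```python
from dataclasses import dataclass

CREATE_REQ, CREATE_RSP, UPDATE_REQ, UPDATE_RSP, DELETE_REQ, DELETE_RSP = 16, 17, 18, 19, 20, 21  # each Response = Request + 1

@dataclass
class Msg:
    mtype: int
    src: str
    dst: str
    teid: int           # header TEID: the receiver's control-plane TEID, 0 for a new Create
    seq: int
    own_teid: int = 0   # TEID Control Plane IE the sender assigned (Create Request/Response)

class Tunnel:
    def __init__(self, sgsn, ggsn, sgsn_teid, ggsn_teid=0):
        self.sgsn, self.ggsn, self.sgsn_teid, self.ggsn_teid = sgsn, ggsn, sgsn_teid, ggsn_teid

class GtpcInspector:
    def __init__(self, handover_groups):
        self.groups = handover_groups   # profile: sgsn -> SGSNs allowed to take over its tunnels
        self.tunnels, self.pending = {}, {}   # (receiver, teid) -> Tunnel; (src, dst, seq) -> (type, Tunnel)

    def process(self, m):
        if m.mtype == CREATE_REQ:
            if m.teid != 0: return "drop: Create with non-zero TEID"
            self.pending[(m.src, m.dst, m.seq)] = (CREATE_REQ, Tunnel(m.src, m.dst, m.own_teid))
            return "allow"
        if m.mtype in (CREATE_RSP, UPDATE_RSP, DELETE_RSP):
            key = (m.dst, m.src, m.seq)          # a response must echo its request's sequence number
            if self.pending.get(key, (None,))[0] != m.mtype - 1:
                return "drop: response without matching request/sequence"
            t = self.pending.pop(key)[1]
            if m.mtype == CREATE_RSP:
                if m.teid != t.sgsn_teid: return "drop: Create Response TEID mismatch"
                t.ggsn_teid = m.own_teid
                self.tunnels[(t.sgsn, t.sgsn_teid)] = self.tunnels[(t.ggsn, t.ggsn_teid)] = t
            elif m.mtype == DELETE_RSP:
                self.tunnels.pop((t.sgsn, t.sgsn_teid), None); self.tunnels.pop((t.ggsn, t.ggsn_teid), None)
            return "allow"
        t = self.tunnels.get((m.dst, m.teid))    # everything else needs an existing tunnel at the receiver
        if t is None:
            return "drop: no tunnel for TEID %#x at %s" % (m.teid, m.dst)
        if m.mtype not in (UPDATE_REQ, DELETE_REQ):
            return "drop: message type %d not expected on an established tunnel" % m.mtype
        if m.src not in (t.sgsn, t.ggsn):        # SGSN change: only a member of the handover group may take over
            if m.mtype != UPDATE_REQ or m.src not in self.groups.get(t.sgsn, set()):
                return "drop: %s is not a party to this tunnel" % m.src
            self.tunnels.pop((t.sgsn, t.sgsn_teid), None)
            t.sgsn, t.sgsn_teid = m.src, m.own_teid
            self.tunnels[(t.sgsn, t.sgsn_teid)] = t
        self.pending[(m.src, m.dst, m.seq)] = (m.mtype, t)
        return "allow"

def demo():
    sgsn, sgsn2, ggsn = "10.1.0.1", "10.1.0.2", "10.2.0.1"     # constructed addresses
    fw = GtpcInspector({sgsn: {sgsn2}})
    return [fw.process(Msg(CREATE_REQ, sgsn, ggsn, 0, 1, own_teid=0x10)),
            fw.process(Msg(CREATE_RSP, ggsn, sgsn, 0x10, 7, own_teid=0x50)),        # wrong sequence number
            fw.process(Msg(CREATE_RSP, ggsn, sgsn, 0x10, 1, own_teid=0x50)),
            fw.process(Msg(UPDATE_REQ, "10.9.9.9", ggsn, 0x50, 2, own_teid=0x11)),  # SGSN outside the group
            fw.process(Msg(UPDATE_REQ, sgsn2, ggsn, 0x50, 2, own_teid=0x11)),       # handover within the group
            fw.process(Msg(UPDATE_RSP, ggsn, sgsn2, 0x11, 2)),
            fw.process(Msg(DELETE_REQ, sgsn2, ggsn, 0x50, 3)),
            fw.process(Msg(DELETE_RSP, ggsn, sgsn2, 0x11, 3)),
            fw.process(Msg(DELETE_REQ, sgsn2, ggsn, 0x50, 4))]                      # tunnel already gone
```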

GTP-IN-GTP DETECTION

[Diagram: MS – RAN – mobile core; HPLMN SGSN and GGSN reached via the roaming exchange.]

GTP-in-GTP traffic can be used as an attack vector:
• Simple to generate
• Can spoof other GSNs or be used to create recursive processing of GTP packets, causing strange behaviour, resource shortage or DoS
• Multiple embedded GTP headers can be used to exacerbate an attack
• Common attack – seen in logs by many carriers implementing GTP security

GTP-in-GTP detection scheduled for 1H2012:
• Checks for an additional GTP header within the outer header; drops the packet if detected
• One of the few possible use cases for a GTP firewall on Gn

[Diagram: IP | TCP | GTP | GTP | GTP – a GTP packet containing multiple embedded GTP headers, which may cause a GSN to perform recursive processing.]
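The header layout from the message content checking slide and the GTP-in-GTP check described here, as one added example rather than the SRX implementation: it decodes the GTPv1 header, applies implicit standards checks plus a constructed explicit policy (assumed length bounds and permitted message types), and for a G-PDU inspects the tunnelled T-PDU for an IPv4/UDP packet to port 2123 or 2152 that carries another GTP header (GTP is carried over UDP, so the check keys on UDP rather than the TCP shown in the slide's stack). Sample packets and addresses are constructed.

```python
import struct
import ipaddress

GTPC_PORT, GTPU_PORT, G_PDU = 2123, 2152, 255
# Constructed explicit policy (assumed values): length bounds and the GTPv1 message types permitted here.
POLICY = {"min_len": 8, "max_len": 1500, "allowed_types": {1, 2, 16, 17, 18, 19, 20, 21, 255}}

def parse_gtpv1(buf):
    """Decode the 12-octet header layout (version/PT/E/S/PN, type, length, TEID, optional fields)."""
    if len(buf) < 8:
        return None
    flags, mtype, length, teid = struct.unpack("!BBHI", buf[:8])
    hdr = {"version": flags >> 5, "pt": (flags >> 4) & 1, "e": (flags >> 2) & 1,
           "s": (flags >> 1) & 1, "pn": flags & 1, "type": mtype, "length": length,
           "teid": teid, "hlen": 8}
    if hdr["e"] or hdr["s"] or hdr["pn"]:        # optional octets 9-12 are present as a block
        if len(buf) < 12:
            return None
        hdr["seq"], hdr["npdu"], hdr["next_ext"] = struct.unpack("!HBB", buf[8:12])
        hdr["hlen"] = 12
    return hdr

def gtp_in_gtp(tpdu):
    """True if the tunnelled IPv4/UDP payload carries another GTPv1 header (GTP-in-GTP)."""
    if len(tpdu) < 20 or tpdu[0] >> 4 != 4:
        return False
    ihl = (tpdu[0] & 0x0F) * 4
    if tpdu[9] != 17 or len(tpdu) < ihl + 8:      # IP protocol 17 = UDP
        return False
    dport = struct.unpack("!H", tpdu[ihl + 2:ihl + 4])[0]
    inner = parse_gtpv1(tpdu[ihl + 8:])
    return dport in (GTPC_PORT, GTPU_PORT) and inner is not None and inner["version"] == 1

def check_message(buf, policy=POLICY):
    """Implicit (standards) and explicit (policy) checks; an empty list means accept."""
    h = parse_gtpv1(buf)
    if h is None:
        return ["truncated header"]
    checks = [
        (h["version"] != 1, "unsupported version %d" % h["version"]),
        (h["pt"] != 1, "PT=0 (GTP') not allowed"),
        (8 + h["length"] != len(buf), "length field %d does not match packet" % h["length"]),  # Length counts octets after the first 8
        (not policy["min_len"] <= len(buf) <= policy["max_len"], "message length outside policy bounds"),
        (h["type"] not in policy["allowed_types"], "message type %d not permitted" % h["type"]),
        (h["type"] == G_PDU and gtp_in_gtp(buf[h["hlen"]:]), "GTP-in-GTP: inner GTP header found in T-PDU"),
    ]
    return [msg for failed, msg in checks if failed]

def build_gtpu(teid, tpdu, seq=None):
    """Constructed G-PDU for testing: version 1, PT=1, S flag set when a sequence number is given."""
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""
    return struct.pack("!BBHI", 0x30 | (0x02 if opt else 0), G_PDU, len(opt) + len(tpdu), teid) + opt + tpdu

def build_ipv4_udp(src, dst, sport, dport, payload):   # constructed IPv4/UDP datagram, checksums left zero
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + udp

def demo():   # a normal T-PDU, a nested GTP-U packet, and a copy with a corrupted length field
    benign = build_gtpu(0x1234, build_ipv4_udp("10.0.0.1", "192.0.2.1", 5000, 53, b"\x00" * 12), seq=1)
    nested = build_gtpu(0x1234, build_ipv4_udp("10.0.0.1", "10.20.0.5", 2152, GTPU_PORT, build_gtpu(0x99, b"\x00" * 20)))
    bad = bytearray(benign)
    bad[2:4] = struct.pack("!H", 9999)            # length field no longer matches the packet
    return check_message(benign), check_message(nested), check_message(bytes(bad))
```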
