© 2014 Stoke
Securing the LTE Core – the Road to NFV
| Proprietary and Confidential
Dilip Pillaipakam
Vice President, Product Management and Marketing
The LTE Security Framework
[Figure: the LTE security framework. Interfaces shown: S1-C, S1-U, S5/S8, S6a, S9, S11, Gx, Gy/Gz and SGi; EPC nodes MME and SGW; IMS core with CSCF, SBC and DRA; Policy/Charging Control; the Internet and other LTE networks. Security domains: RAN-Core Border (SEG), Internet Border, Policy/Charging Control, and Device and Application.]
The border between RAN and Core (S1) requires protection against specific risks to critical infrastructure at that interface.
Control plane functions: IKE, AAA, routing
Data plane functions: forwarding, QoS, ACL, packet inspection
LTE Security at the S1 Link – Emerging Trends
Challenge / Requirements
» Stronger security
  » 2048-bit key length
  » PKI
» Signaling protection (new threat vectors)
  » Protect the core against an exponential increase in transactions
  » S1 protocol and state validation
» VoLTE rollout
  » Low-latency transport
  » Sub-1-second recovery
» Elastic deployment
  » Virtualized security gateway on COTS hardware
  » SDN integration
» Scalable small cell deployments
  » Dense session aggregation
  » Intelligent load balancing
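The "2048 bit key length" and "PKI" requirements above become, at the SEG, a policy gate on the IKE peer's certificate key. The following is an added example written for this page, not Stoke's product code or a 3GPP procedure: it parses an RSA SubjectPublicKeyInfo (DER, as carried in an X.509 certificate) with no external libraries and rejects any peer whose modulus is shorter than 2048 bits. The function names, the threshold constant and the two sample keys (synthetic moduli, not real key pairs) are assumptions made for illustration; EC keys are outside this example and are rejected as non-RSA.

```python
"""Minimum RSA key length check for IKE peer certificates at an S1 security gateway.
Added example, not Stoke's code. The DER encoder exists only to build the
constructed sample inputs; the reader functions are the actual check."""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
MIN_RSA_BITS = 2048                             # policy threshold assumed from the slide


# --- minimal DER encoder (used only to construct sample keys) ----------------
def _der_len(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n):
    """Encode a non-negative INTEGER, padding with 0x00 if the top bit is set."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING(RSAPublicKey) }."""
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))      # rsaEncryption, NULL params
    key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))     # RSAPublicKey
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + key))           # BIT STRING, 0 unused bits


# --- minimal DER reader (the check the SEG would run) ------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; raise on malformed input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def rsa_modulus_bits(spki):
    """Return the modulus bit length of an RSA SubjectPublicKeyInfo, or raise ValueError."""
    tag, seq, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, pos = _read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(seq, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsakey, _ = _read_tlv(bits, 1)
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag, mod, _ = _read_tlv(rsakey, 0)
    if tag != 0x02 or not mod or mod[0] & 0x80:
        raise ValueError("modulus is not a positive INTEGER")
    return int.from_bytes(mod, "big").bit_length()


def peer_key_acceptable(spki, min_bits=MIN_RSA_BITS):
    """Policy gate: True only for a well-formed RSA key of at least min_bits."""
    try:
        return rsa_modulus_bits(spki) >= min_bits
    except (ValueError, IndexError):
        return False


# Constructed sample keys (synthetic moduli of the right size, not real keys).
LEGACY_1024 = rsa_spki((1 << 1023) | 0x10001)
MODERN_2048 = rsa_spki((1 << 2047) | 0x10001)

if __name__ == "__main__":
    for name, spki in (("legacy-1024", LEGACY_1024), ("modern-2048", MODERN_2048)):
        print(name, rsa_modulus_bits(spki), "bits ->", "accept" if peer_key_acceptable(spki) else "reject")
```

A real SEG would apply this to the public key of the end-entity certificate only after validating the chain against the operator PKI and checking revocation; the key-size gate is one policy element, not the whole IKE authentication.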
Use Case: Macro and Small Cell Security
» Unsecured backhaul
» Rapidly increasing throughput
» High tunnel density
» Ultra-low latency
» Directly impacts subscriber QoE
[Figure: macro and small cell deployment (office, home and outdoor metrocells) backhauled over 4G LTE into the EPC (MME, SGW) through millions of tunnels. VoLTE: low latency, small packets, high bandwidth; end-to-end latency budget = 100 ms.]
Use Case: Signaling Overload
» Signaling overload threats
  » Application initiated
  » Compromised eNodeBs
  » Natural disasters
» Prioritized traffic
  » Already connected subscribers
  » Specific eNodeBs
[Figure: millions of service requests from 4G LTE small cells and an application update server arriving at the EPC (MME, SGW); QoE: prioritize.]
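The prioritization described on this slide, as an added example that is not part of the original deck or of Stoke's product: an admission controller in front of the MME that, when one second of S1 signaling exceeds core capacity, serves designated eNodeBs and already-attached subscribers first, caps what any single eNodeB may contribute, and sheds new attaches from eNodeBs flagged as compromised last. The class and function names, the capacities, the eNodeB names and the traffic mix are constructed assumptions; the "attached" flag stands for a lookup in the MME's own EMM context, not a value the eNodeB asserts.

```python
"""S1 signaling overload control in front of the MME (added example, not Stoke's code).
Priority classes, names and numbers are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceRequest:
    enb_id: str      # originating eNodeB on S1
    imsi: str        # subscriber identity
    attached: bool   # True if the MME already holds an EMM context for this UE
    kind: str        # "service_request" or "attach"


class OverloadController:
    """Admission control for one second of S1 signaling.

    capacity      requests/second the core can process
    per_enb_cap   requests/second any single eNodeB may contribute
    protected_enb eNodeBs whose traffic is always served first
    suspect_enb   eNodeBs flagged as compromised; their new attaches are shed first
    """

    def __init__(self, capacity, per_enb_cap, protected_enb=(), suspect_enb=()):
        self.capacity = capacity
        self.per_enb_cap = per_enb_cap
        self.protected = set(protected_enb)
        self.suspect = set(suspect_enb)

    def priority(self, req):
        """Lower value is served first; attached UEs keep priority even on a suspect cell."""
        if req.enb_id in self.protected:
            return 0
        if req.attached:
            return 1
        if req.enb_id in self.suspect:
            return 3
        return 2

    def admit(self, requests):
        """Return (admitted, rejected) for one second of requests."""
        ranked = sorted(requests, key=self.priority)   # stable: arrival order within a class
        per_enb = defaultdict(int)
        admitted, rejected = [], []
        for req in ranked:
            if len(admitted) >= self.capacity or per_enb[req.enb_id] >= self.per_enb_cap:
                rejected.append(req)
                continue
            per_enb[req.enb_id] += 1
            admitted.append(req)
        return admitted, rejected


def build_sample_traffic():
    """Constructed one-second sample, not captured data: a hospital cell, an office cell
    with attached UEs, a mall cell whose idle UEs were woken by an app update, and a
    rogue cell flooding attaches."""
    traffic = []
    traffic += [ServiceRequest("enb-hospital", f"imsi-h{i}", i % 2 == 0, "service_request") for i in range(3)]
    traffic += [ServiceRequest("enb-office", f"imsi-o{i}", True, "service_request") for i in range(10)]
    traffic += [ServiceRequest("enb-mall", f"imsi-m{i}", False, "attach") for i in range(10)]
    traffic += [ServiceRequest("enb-rogue", f"imsi-r{i}", False, "attach") for i in range(20)]
    return traffic


def summarize(requests):
    """Count requests per eNodeB."""
    counts = defaultdict(int)
    for req in requests:
        counts[req.enb_id] += 1
    return dict(counts)


if __name__ == "__main__":
    ctl = OverloadController(capacity=20, per_enb_cap=8,
                             protected_enb={"enb-hospital"}, suspect_enb={"enb-rogue"})
    admitted, rejected = ctl.admit(build_sample_traffic())
    print("admitted per eNodeB:", summarize(admitted))
    print("rejected per eNodeB:", summarize(rejected))
```

With the constructed numbers, 43 requests compete for a capacity of 20: the hospital cell is served in full, the office and mall cells are trimmed to the per-eNodeB cap, and the rogue cell's attach flood gets only the single slot left over. The per-eNodeB cap is what keeps one compromised eNodeB from consuming the whole budget even within a priority class.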
The LTE Security Framework: vSEG Phase 1
[Figure: the LTE security framework diagram from above (S9, S5/S8, S6a, S11, Gx, Gy/Gz, SGi; MME, SGW, DRA, SBC, CSCF, IMS core, Policy/Charging Control, Internet Border, Device and Application; control plane functions IKE, AAA, routing; data plane functions forwarding, QoS, ACL, inspection), with the RAN-Core Border SEG shown as separate v-SEG data-plane (DP) and control-plane (CP) instances.]
» vSEG on COTS hardware on Linux
» Similar deployment and operational model as today
» Benefits:
  » Removes the restriction of a physical chassis
  » Scales to a very large number of line cards
The LTE Security Framework: vSEG Phase 2
[Figure: Phase 2 architecture. The RAN-Core Border becomes a Security Gateway Cloud of v-SEG (DP) nodes (QoS, inspection, ACLs) and v-SEG (CP) nodes (IKE, AAA, routing), coordinated by a SEG Controller and an SDN Controller, terminating S1-C and S1-U in front of a virtualized EPC (V-EPC: MME, SGW, DRA, SBC, CSCF, Policy/Charging Control, Internet Border) with connections to the Internet and other LTE networks.]
» Disaggregate control plane and data plane functions to scale each function independently
» Can be integrated with the operator's SDN infrastructure
» Benefits:
  » Fully elastic on-demand deployment
  » Capacity can be added dynamically by adding more service nodes
  » Some functions can be scaled disproportionately
Conclusions
» Each domain of the LTE Security Framework provides protection against specific threats and therefore has unique functional and performance requirements
» S1 Link has stringent performance and latency requirements
» Purpose-built platforms will remain the mainstay for the next few years
» Virtualization has benefits, but is not the answer for all use cases