Hybrid Networks: Defend and Extend Mobile Revenues

 

Tom Hussey, Director of Business Development, Azaire Networks  

 

Introduction

 

Mobile operators face rising costs to provide adequate in-building voice coverage during the busiest hours of the day while also satisfying multimedia-savvy subscribers who consume media-rich, bandwidth-intensive data applications.

 

Fixed-Mobile Convergence (FMC) solutions such as Unlicensed Mobile Access (UMA), Femtocells and Integrated WLAN (I-WLAN) offer ways to lower these capacity and operating costs by using less expensive radio technologies and residential broadband access to the Internet.  The big challenges that remain are (1) the specific manner in which these multi-access networks are interconnected to the mobile operator core network, and (2) the security methods that safeguard the subscriber and the operator network from Internet-grade security risks.

 

Azaire Networks is focused on the FMC solutions which drive cost out of mobile operator networks by providing 3GPP standard interfaces from multi-access IP networks to operator core networks.  This paper describes the approaches and the Azaire solutions to the challenges of core network integration and operator-caliber security for deployment of an “always best connected” multi-access IP network. 

 

 

The Case for Multi-Access Networks

 

Mobile operators are looking to harness alternate radio access technologies to complement macro-cellular networks and solve the in-building penetration challenge, reducing churn and increasing fixed-mobile substitution.  They are also looking to enhanced voice and multimedia services to deliver growth in the face of declining voice ARPU.  High bandwidth requirements strain the radio capacity needed to cover in-building environments.  Operators have traditionally relied exclusively on licensed spectrum for additional capacity, but that is not the most cost-effective way to meet emerging high-bandwidth demands on spectrum and backhaul when most voice and data usage actually occurs indoors.  WiFi and broadband are ubiquitous, cost-effective solutions for indoor coverage and backhaul cost reduction, but they must be secured end-to-end to provide the same degree of security that operators have come to expect from their macro-cellular networks.

 

 

Internet Security Challenges for Multi-Access Networks

 

Historically the mobile operator has controlled the radio and backhaul networks end to end.  Using residential broadband instead benefits the operator in CAPEX and OPEX terms, but it also raises the risk and cost of intrusions.  Strong subscriber authentication and authorization based on the USIM is necessary but not sufficient: the network must now also authenticate itself to the handset, so that a rogue network element cannot interpose itself and harvest user credentials (a man-in-the-middle attack).  Secondly, malicious traffic can be injected from public networks at rates that disable network nodes and take down revenue-generating service for millions of subscribers.  Such denial-of-service attacks can corrupt and incapacitate network nodes and databases (e.g. the HLR), with restoration taking hours or days, or proving impossible.  Thirdly, and most insidiously, application-specific (e.g. SIP) attacks can masquerade as legitimate traffic to steal service without payment for months before they are detected.  Left unchecked, the cost of these breaches could outweigh any cost advantage of FMC.

 

 

User and Network Security for UMA/2G

 

Some mobile operators have decided to utilize UMA as an FMC strategy to offload traffic at a much lower cost than the 2G RAN.  This approach necessitates a mutual authentication scheme between the UMA handset and a Security Gateway, which front-ends the UMA Network Controller (UNC). 

 

The UMA handset and the Security Gateway (SEGW) act as a trusted pair and create a secure channel that ensures no rogue network element sits in the path and that the handset is authorized to use UMA network services.  The UMA Security Gateway shields the UNC from the unsecured broadband access network and interconnects it with the secure core network interfaces.  This provides the benefit of offloading the 2G RAN, as depicted below:

 

 

  

[Figure: Offload 2G RAN]

 


In the above scenario, security is provided as follows:

 

  • Azaire’s Metro-WSG functions as the Security Gateway (SEGW) and the SCN-RAC functions as the AAA Server/Authentication Engine (AuE) for subscribers. 

  • The Metro-WSG protects the operator core network with IKEv2/IPsec running end-to-end between the dual-mode handset and the Metro-WSG (SEGW) 
    • IKEv2 is used to set up the IPsec tunnel through which all traffic is encrypted
    • Each handset is individually authenticated by the Metro-WSG
    • EAP-AKA, carried inside IKEv2 and relayed by the SEGW to the AAA server, provides mutual authentication: the handset verifies the network through the AUTN in the challenge, and the network verifies the handset through its response.  IKEv2 additionally requires the SEGW to authenticate itself to the handset with a public-key signature before EAP starts, and the handset must validate that certificate.
    • Other methods such as EAP-MD5 (CHAP-style) or EAP-GTC can be supported for username/password.  These authenticate only the user and export no key material, so with them the handset’s validation of the SEGW certificate is the only protection against a man-in-the-middle.
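The difference between a key-generating method such as EAP-AKA and a password method such as EAP-MD5 inside IKEv2 (relevant to this section and to the Femtocell and I-WLAN variants later in this paper that reuse EAP-AKA over IKEv2) is easiest to see in code.  The following Python model is an added example, not Azaire’s code.  HMAC-SHA256 stands in for the IKEv2 prf, a random value for the Diffie-Hellman result, and HMAC over a shared key K for the USIM’s AKA functions; message contents are reduced to what the keying depends on.

```python
"""Why a key-generating EAP method matters inside IKEv2 (RFC 7296 section 2.16).

Added illustration, not Azaire's code. Crypto is deliberately simplified:
HMAC-SHA256 stands in for the IKEv2 prf, a random 32-byte value for the
Diffie-Hellman result, and HMAC over a shared key K for the USIM's AKA
functions. Message layouts are reduced to the parts that matter for keying.

With EAP-AKA the final IKE_AUTH payload is keyed by the EAP MSK, so an
attacker that owns one IKE SA with the handset and another with the SEGW and
merely relays EAP cannot finish its SA with the SEGW. With EAP-MD5 (no key
export) the AUTH payload is keyed only by each SA's own SK_pi, which the relay
attacker knows for its own SA, so the relay completes.
"""
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class IkeSa:
    """One IKE SA between two parties; SK_pi/SK_pr as in RFC 7296 section 2.14."""

    def __init__(self):
        dh_secret = os.urandom(32)                  # stand-in for g^ir
        self.sk_pi = prf(dh_secret, b"SK_pi")
        self.sk_pr = prf(dh_secret, b"SK_pr")
        # stand-in for the InitiatorSignedOctets the initiator's AUTH covers
        self.signed_octets = os.urandom(16) + os.urandom(16)


def auth_keyed_by_msk(msk: bytes, signed_octets: bytes) -> bytes:
    """Shared-key AUTH (RFC 7296 section 2.15) with the EAP MSK as the key."""
    return prf(prf(msk, b"Key Pad for IKEv2"), signed_octets)


def auth_keyed_by_sk_p(sk_p: bytes, signed_octets: bytes) -> bytes:
    """AUTH for a non-key-generating EAP method: keyed by SK_pi/SK_pr only."""
    return prf(sk_p, signed_octets)


# --- EAP-AKA stand-in: K is the USIM key shared with the operator AAA ---
def aka_challenge(k: bytes, rand: bytes) -> bytes:
    return prf(k, b"AUTN" + rand)                   # lets the UE verify the network


def aka_ue_response(k: bytes, rand: bytes, autn: bytes):
    if not hmac.compare_digest(autn, aka_challenge(k, rand)):
        raise ValueError("AUTN check failed: network not authenticated")
    return prf(k, b"RES" + rand), prf(k, b"MSK" + rand)   # (RES, MSK)


def aka_server_msk(k: bytes, rand: bytes) -> bytes:
    return prf(k, b"MSK" + rand)


# --- EAP-MD5 stand-in: client-only proof, no key material exported ---
def md5_response(password: bytes, challenge: bytes) -> bytes:
    return prf(password, challenge)


def relay_attack_succeeds(method: str) -> bool:
    """Attacker holds an IKE SA with the UE (as responder) and sa_att_segw with
    the SEGW (as initiator) and forwards EAP unchanged. Returns True if the SEGW
    accepts the attacker's final IKE_AUTH. Assumes the UE skipped validation of
    the responder's certificate, the failure the MSK binding is meant to survive."""
    k, password = os.urandom(32), b"user-password"
    sa_att_segw = IkeSa()
    rand = os.urandom(16)
    if method == "EAP-AKA":
        autn = aka_challenge(k, rand)                       # SEGW -> attacker -> UE
        res, _msk_ue = aka_ue_response(k, rand, autn)       # UE -> attacker -> SEGW
        expected = auth_keyed_by_msk(aka_server_msk(k, rand), sa_att_segw.signed_octets)
        # The attacker saw RAND, AUTN and RES on the wire; K, and hence the MSK,
        # never crossed it. The best it can do is key AUTH with something it has.
        forged = auth_keyed_by_msk(res, sa_att_segw.signed_octets)
        return hmac.compare_digest(forged, expected)
    if method == "EAP-MD5":
        challenge = os.urandom(16)
        forwarded = md5_response(password, challenge)       # UE -> attacker -> SEGW
        assert forwarded == md5_response(password, challenge)   # SEGW accepts EAP
        expected = auth_keyed_by_sk_p(sa_att_segw.sk_pi, sa_att_segw.signed_octets)
        forged = auth_keyed_by_sk_p(sa_att_segw.sk_pi, sa_att_segw.signed_octets)
        return hmac.compare_digest(forged, expected)        # attacker knows its own SK_pi
    raise ValueError(method)


def honest_session_completes() -> bool:
    """Handset and SEGW share one IKE SA; the EAP-AKA MSK keys AUTH on both sides."""
    k, sa = os.urandom(32), IkeSa()
    rand = os.urandom(16)
    _res, msk_ue = aka_ue_response(k, rand, aka_challenge(k, rand))
    return hmac.compare_digest(
        auth_keyed_by_msk(msk_ue, sa.signed_octets),
        auth_keyed_by_msk(aka_server_msk(k, rand), sa.signed_octets))
```

In relay_attack_succeeds the EAP-AKA attacker holds RAND, AUTN and RES but not K, so it cannot derive the MSK that keys the final AUTH payload and the SEGW rejects its IKE_AUTH; with EAP-MD5 the AUTH payload is keyed by SK_pi of the attacker’s own SA, so the relay completes.  That is why the EAP-MD5/EAP-GTC options depend entirely on the handset validating the gateway’s certificate.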

 

 

User and Network Security for Femtocell /3G

 

Femtocell technology provides an attractive option to extend 3G coverage and to reuse 3G mobile operator applications, services and terminals based on UMTS and HSPA.  These high-speed technologies are seen as the path to revenue growth amid declining voice revenues for the mobile operator.  Femtocells stand to deliver these benefits by using relatively inexpensive 3G base stations and IP networks for backhaul offload.  There are two major models envisioned for Femtocell.

 

 

Femtocell Approach using Tunneled Iub over IP

 

The tunneled Iub approach is most similar to UMA and preserves the traditional signaling on the interface between the Femto RNC and the Femto base station.  This link traverses the Internet and therefore requires protection, most commonly IPsec with a key exchange protocol such as IKEv2. This approach has the following characteristics:

 

  • Traditional backhaul resources are offloaded from the operator RAN to IP networks and Mobility is provided through traditional circuit and packet cores
  • IuCS and IuPS interworking is required for each femtocell, necessitating CAPEX investments in MSC and SGSN as well as OPEX in E1/T1
  • Vendors implement different functional splits between the Femto base station and RNC which requires a single vendor solution (as in most 3G Radio Access)
  • A Security Gateway & Firewall is required, such as Azaire Networks Metro-WSG

 

Derivatives of this approach include the Femto Concentrator (where more of the function is in the Femto base station), as well as the UMA Network Controller which aggregates Femto base stations that support the UMA terminal interface (Upi).  Note this approach does not allow the UMA Femtocell and 3G terminal to also participate in IMS services except for that which flows on the IuPS interface.  Essentially, the 3G Femtocell is running in 2G compatibility mode for WLAN. 

 

Much like UMA, the IP backhaul requires a secure, authenticated connection into the mobile operator core network.  Unlike UMA, individual handsets are not authenticated using IPsec/IKEv2 (standard 3G handsets do not support these methods): the Femtocell, not the handset, is the IKEv2 peer, and the handset continues to be authenticated by the core network through the normal 3G procedures carried over Iub.  All voice and data traffic from the mobile is encrypted through the secure IPsec tunnel between the Femtocell and the SEGW in this scenario:

 

  • Azaire’s Metro-WSG functions as the Security Gateway (SEGW).  The Azaire SCN-RAC functions as the AAA Server/Authentication Engine (AuE). 
  • The Metro-WSG protects the mobile operator core network with IKEv2/IPsec running between the Femtocell at home and the Metro-WSG. 
  • EAP-AKA is used for three-way mutual authentication between the Femtocell, the SEGW and the AAA Server
  • The SEGW sits at the edge of the packet network and protects the 3G data services network by functioning as a firewall.

 

 

Femtocell Approach using SIP/IMS with Packet Data Gateways (PDG)

 

The SIP/PDG Femto approach provides services over an all-IP infrastructure, including voice.  Capacity can be inexpensively added instead of continuing investments in legacy infrastructure.  This approach takes on two deployment options: (1) Where SIP is used as an MSC interworking function or (2) Where IMS (or pre-IMS) is used for call control and mobility is achieved through Voice Call Continuity (VCC) such as the IMS VCC Application Server provided on the Azaire Metro SCN-VCC . 

 

The Azaire SIP/IMS PDG approach is depicted below (figure not reproduced in this copy):

 

 

 

Existing voice services are supported through a SIP interworking function or an IMS-based interface to the circuit-switched network.  In both cases the SIP user agent on the Femtocell must insulate the non-SIP mobile handset from any awareness of where and how mobile voice and data services are delivered.  Azaire Networks believes this approach will be the most viable long-term option and is consistent with the evolution to all-IP converged networks.  The specific security capabilities are:

 

  • Azaire’s Metro-WSG functions as the Security Gateway (SEGW), Packet Data Gateway (PDG) and Tunnel Termination Gateway (TTG, for IPsec-GTP tunnel switching). The SCN-RAC functions as the AAA Server/Authentication Engine (AuE). 
  • The Metro-WSG protects the mobile operator core network with IKEv2/IPsec running between the Femtocell and the Metro-WSG and by functioning as firewall. 
  • EAP-AKA is used for 3-way mutual authentication between the Femtocell and the Metro-WSG and AAA Server
  • The Metro-VCC Application Server provides Voice Call Continuity for the Femto

 

All voice and data traffic from the mobile is secured through the IPsec tunnel between the Femtocell and the SEGW rather than through transport-specific security such as per-application TLS.  This matters because a single encrypted IPsec tunnel secures all traffic and is future-proof for multiple applications and types of IP access. 

 

Note that for existing GGSN data services to be preserved, a 3GPP PDG/TTG hybrid solution is required (as provided by the Azaire Metro-WSG) to provide the Gn’ interface for existing PS domain services (Web browsing, push email, etc) from GPRS to Broadband Femto (PS-PS) as well as CS-PS handover capability for voice. 

 

Additionally, with the SIP Femto approach the mobile operator can more rapidly add richer combinational services (such as presence-based services like push-to-talk and video sharing) without continued investment in legacy infrastructure (MSC, SGSN) and services. These IMS services and fast Internet access can be delivered through the PDG on a dedicated, low-latency breakout interface (Wi) directly to the IMS and GGSN-based services without physically passing through the packet core and GGSN. 

 

This gives the mobile operator all of the service control benefits (charging, security) without carrying the CAPEX and OPEX of the bursty, high-bandwidth data traffic through their infrastructure.  The business case for Femto favors the SIP/PDG approach because of the potential to provide revenue generating services while at the same time completely offload the operator radio, circuit and packet core networks and still enforce the necessary security and service control.   

 

In fact, Gabriel Brown of Unstrung[1] has estimated the core network integration cost of each of the Femtocell approaches as follows:

  • $40/Femto using RAN approach – IuB over IP
  • $25/Femto using UMA/GAN
  • $15-20/Femto using IMS/SIP approach

 

 

Azaire Solution Flexibility: Femtocell and Integrated-WLAN

 

Azaire’s Security Gateway and PDG/TTG can be deployed for mixed UMA, Femtocell and I-WLAN markets simultaneously. This solution provides comprehensive voice and data services with full mobility and handoff and provides the utmost flexibility for mobile operators to position a single network solution to evolve as requirements change.  In other words, Mobile Network Operators have the flexibility to go where the market takes them and the Metro-WSG adapts to ensure their Azaire investments are protected.

 

It is also preferable to combine functions on a single node wherever possible, to avoid the additional latency and jitter introduced by interconnecting disparate nodes.  This favors solutions that co-locate the SEGW, which provides the secure tunnel between the Femto and the core, with the PDG or PDIF, which authenticates and authorizes individual users based on EAP-SIM or EAP-AKA.  

 

The Metro goes further by extending that service set to both Femto and I-WLAN users.  In this scenario, the Femtocell base station is secured using the Femtocell methods described above.  In addition, WiFi traffic from dual-mode handsets can be supported using end-to-end authentication and encryption.  When present, the dual-mode 3G/WLAN mobile in the same residence can connect to the “fastest” WiFi air interface, and free up the Femtocell base station to service additional Femtocell users.

  

The following diagram depicts this dual Femto-WiFi solution (figure not reproduced in this copy):   

  

 

 

 

In fact, when both Femto and I-WLAN are present in the same residence, further optimization is possible. Azaire’s Metro-WSG can be configured to function as the Security Gateway and PDG, securing both the Femtocell and the I-WLAN traffic on a single IPsec tunnel and thereby eliminating the second tunnel and its processing overhead on the handset.  This requires a primary IPsec tunnel from the Home Gateway/Femtocell, inside which a second-level handset authentication (username/password or CHAP) is performed for the user.  Note that in this configuration the handset’s WiFi traffic is protected by IPsec only from the Home Gateway onward, so the WLAN air interface itself still needs its own link-layer security:

 

  • IKEv2 is used to setup the IPsec tunnel and EAP-AKA is used for mutual authentication between the Home Gateway and the Metro-WSG. 
  • All Femtocell and IWLAN traffic from the mobile nodes are securely transported through the IPsec tunnel between the HGW and the Metro-WSG (SEGW/PDG).

 

This optimization highlights one advantage of using IPsec as the security layer for all application traffic, as opposed to per-application encryption with TLS (Transport Layer Security, which runs above the transport layer and protects one connection at a time) which in practice is often tunneled inside IPsec anyway.

 

 

Looking Forward: Enhanced GAN Architecture

 

3GPP is currently defining the standards that will facilitate a mature market for core network convergence of alternate access networks in the “Enhanced Generic Access Network (EGAN)” work.  This defines access interfaces that require no changes to the existing packet and circuit interfaces in order to support new access types such as Femtocell.  The EGAN concentrator (EGANC) is defined to support simultaneous combinations of UMA, Femtocells and I-WLAN across a common infrastructure.  Azaire Networks has contributed to this approach in 3GPP, which is gaining acceptance as the best way to protect mobile operator investments. 

 

 

 

 

Application Level Security

 

The advantages of co-locating network and user privacy/security functions are multiplied when combined with protection against the malicious intent of authenticated users or rogue applications.   The Azaire Metro-WSG protects both IPsec establishment and the SIP border.  IPsec authentication floods, SIP registration floods and media floods are just a few examples of the denial-of-service (DoS) weapons attackers use to steal service or bring down a network.

 

 

Preventing DoS attacks

 

  • IKEv2 protocol DoS protection – The Metro-WSG prevents IKEv2 flooding attacks.
  • IPsec setup rate limiting – The Metro-WSG enforces a configurable limit on the IPsec tunnel setup rate from a given range of IP addresses.
  • Per-subscriber IPsec tunnel limiting – The Metro-WSG caps the number of simultaneous tunnels per user (configurable). 
  • Interface-specific traffic – The Metro-WSG offers subscriber services only on the interface towards the WLAN network.  The management interface ports connect only to the management network, which is protected from other networks.  The interfaces on the switch blades are used for service connections and connect only to those networks; management traffic (specifically SNMP) does not pass through them.
  • Inner IP address spoof check – The Metro-WSG can check the source address of the inner (decapsulated) packet and, if required, drop any traffic whose source lies outside the range assigned to that tunnel.
  • Minimal pre-authentication state – The Metro-WSG stores very little attackable state until IKE_AUTH completes, i.e. until the UE and the Metro-WSG have mutually authenticated.
  • Unwanted services are disabled on the Metro-WSG – Most inetd services that accept network connections are turned off, leaving only essential services such as sftp and ssh enabled, and logins through serial ports are prevented.  The platform also uses stack protection against buffer-overflow attacks and randomizes initial TCP sequence numbers.
  • General system hardening – The CTRL+ALT+DEL shutdown from the console is disabled, access to certain directories and logs is restricted to specific user and group accounts, and all failed logins and their associated information are tracked.
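What the IKEv2 flood protection, setup rate limit, per-subscriber tunnel cap, inner-address spoof check and minimal pre-authentication state above amount to in a responder’s packet-handling path is shown by the following Python model.  It is an added example rather than Azaire’s implementation: the Responder class and its method names are hypothetical, the cookie format follows RFC 7296 section 2.6, and the limits are plain parameters.

```python
"""Responder-side IKEv2 DoS controls, modelled in Python.

Added illustration, not Azaire's code; class and method names are
hypothetical. It implements the stateless cookie of RFC 7296 section 2.6,
  Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>),
which lets a busy responder hold no state until the initiator proves it can
receive at its claimed address, plus a per-prefix tunnel-setup rate limit,
a per-subscriber tunnel cap, and the inner-source check applied after
decapsulation.
"""
import hashlib
import hmac
import ipaddress
import os
import time
from collections import defaultdict, deque


class Responder:
    def __init__(self, half_open_before_cookie=16, setups_per_sec=20,
                 rate_prefix=24, max_tunnels_per_sub=2, clock=time.monotonic):
        self.clock = clock
        self.secret_ver = 0
        self.secrets = {0: os.urandom(32)}       # version -> secret (current + previous)
        self.half_open = 0                       # SAs waiting for IKE_AUTH
        self.half_open_before_cookie = half_open_before_cookie
        self.setups_per_sec = setups_per_sec
        self.rate_prefix = rate_prefix
        self.max_tunnels = max_tunnels_per_sub
        self.recent = defaultdict(deque)         # prefix -> timestamps of setups
        self.tunnels = defaultdict(set)          # subscriber -> SPIs
        self.inner_ip = {}                       # SPI -> inner address given to the UE

    def rotate_secret(self):
        """Called periodically; cookies made with older secrets stop verifying."""
        self.secret_ver += 1
        self.secrets = {self.secret_ver - 1: self.secrets[self.secret_ver - 1],
                        self.secret_ver: os.urandom(32)}

    def _cookie(self, ver, ni, ipi, spii):
        mac = hmac.new(self.secrets[ver], ni + ipi.encode() + spii, hashlib.sha256).digest()
        return bytes([ver % 256]) + mac[:16]

    def _cookie_ok(self, cookie, ni, ipi, spii):
        for ver in self.secrets:                 # only the current and previous secret
            if ver % 256 == cookie[0] and hmac.compare_digest(
                    cookie, self._cookie(ver, ni, ipi, spii)):
                return True
        return False

    def ike_sa_init(self, ipi, spii, ni, cookie=None):
        """Returns ('COOKIE', cookie) with no state kept, ('DROP', why) or ('OK', None)."""
        if cookie is not None and not self._cookie_ok(cookie, ni, ipi, spii):
            return "DROP", "bad or stale cookie"
        if cookie is None and self.half_open >= self.half_open_before_cookie:
            return "COOKIE", self._cookie(self.secret_ver, ni, ipi, spii)
        prefix = ipaddress.ip_network(f"{ipi}/{self.rate_prefix}", strict=False)
        window = self.recent[prefix]
        now = self.clock()
        while window and now - window[0] >= 1.0:   # one-second sliding window
            window.popleft()
        if len(window) >= self.setups_per_sec:
            return "DROP", f"setup rate limit for {prefix}"
        window.append(now)
        self.half_open += 1                      # first state allocated here
        return "OK", None

    def ike_auth(self, spii, subscriber, inner_ip):
        """Called once IKE_AUTH (EAP) mutual authentication has succeeded."""
        self.half_open -= 1
        if len(self.tunnels[subscriber]) >= self.max_tunnels:
            return "DROP", f"tunnel cap reached for {subscriber}"
        self.tunnels[subscriber].add(spii)
        self.inner_ip[spii] = inner_ip
        return "OK", None

    def inner_source_ok(self, spii, inner_src):
        """Spoof check on the decapsulated packet: source must be the assigned address."""
        return self.inner_ip.get(spii) == inner_src
```

The cookie path returns before any per-SA memory is touched, so an IKE_SA_INIT flood from spoofed addresses costs the responder one HMAC per packet and nothing else; the rate limit and tunnel cap then bound what a real address or a real subscriber can consume.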

 

 

Preventing SIP attacks at the Metro-WSG


The Azaire Metro-WSG provides mechanisms for securing SIP/IMS related traffic:

 

  • SIP Policy & DoS – The Metro-WSG can provide DoS protection for SIP control packets by allowing SIP traffic only from authenticated users and limiting these rates.  
  • Pinhole Creation – The Metro-WSG can dynamically create pinholes for SIP control messages that were exchanged between the client and the operator network based on a 5-tuple (source address, destination address, protocol, source port and destination port).  The rules are dynamically pushed to Metro-WSG by nodes like PDF or P-CSCF.
  • Application level firewall – The Metro-WSG operates as a firewall for any application traffic that needs to be blocked or rate-limited based on dynamically pushed rules.
  • SIP message integrity – Because SIP signaling rides inside the IPsec tunnel, a man-in-the-middle cannot tamper with it in transit.  The Metro-WSG itself can also manipulate SIP messages (Call-ID tags, Contact header expiry, SDP codec restrictions) to enforce operator policy.
  • NAT traversal for privacy and topology hiding
  • DiffServ Marking for QoS based on 5-tuple filters after IPSec decapsulation on uplink;  DiffServ code points are copied from original IP header to the outer IPSec header after encapsulation on downlink.

 

The Azaire security architecture is illustrated below (figure not reproduced in this copy):

 

 

 

 

Conclusion

 

UMA, Femtocell and I-WLAN deployments offer the mobile operator both advantages and challenges in inexpensively adding in-building coverage with the data speeds that revenue-generating high-bandwidth applications require.  The economics of these deployments can only be justified if core network integration is cost-advantaged and adequate security measures secure the traffic and prevent theft of service and malicious attacks on the operator network.  Azaire Networks provides a future-proof solution that protects mobile operator investments while these emerging strategies continue to evolve.  The Azaire Metro-WSG supports mixed deployments with a single solution that evolves with the market, avoiding the deployment of multiple network nodes to securely integrate multi-access radio networks and protect the revenue-generating mobile operator core network and service domains.

 

For more information, please visit www.azairenet.com.



[1] Unstrung Insider Vol. 6, No. 1, January 2007