DESCRIPTION
What will it take to make virtualized LTE security a practical option? Stoke examines the drivers, roadblocks and milestones in this presentation, first given in London in May 2014.
© 2014 Stoke
Securing the LTE Core – the Road to NFV
Proprietary and Confidential
Dilip Pillaipakam, Vice President, Product Management and Marketing
The LTE Security Framework
Diagram: the LTE Security Framework. The RAN-Core Border (S1-C, S1-U) is protected by the SEG in front of the EPC (MME, SGW, DRA) and its S11, S5/S8, S6A, S9, Gx and Gz/Gy interfaces toward Policy / Charging Control and Other LTE Network; the Internet Border (SGi) carries the SBC and IMS Core (CSCF); Device and Application form the outermost domain.
The border between RAN and Core (S1) requires protection against specific risks to critical infrastructure at that interface.
Control Plane Functions: IKE, AAA, Routing
Data Plane Functions: Forwarding, QoS, ACL, Packet Inspection
LTE Security at the S1 Link – Emerging Trends
Challenge / Requirements
Stronger Security: • 2048 bit key length • PKI
Signaling Protection (new threat vectors): • Protect the core against an exponential increase in transactions • S1 protocol/state validation
VoLTE Rollout: • Low latency transport • Sub-1 second recovery
Elastic Deployment: • Virtualized security gateway on COTS • SDN integration
Scalable Small Cell Deployments: • Dense session aggregation • Intelligent load balancing
Use Case: Macro and Small Cell Security
» Unsecured backhaul
» Rapidly increasing throughput
» High tunnel density
» Ultra-low latency
» Directly impacts subscriber QoE
Diagram: small cells (Office, Home, Outdoor Metrocell) backhauled over millions of tunnels to the 4G LTE EPC (MME, SGW). VoLTE: low latency, small packets, high bandwidth; E2E latency budget = 100 ms.
Use Case: Signaling Overload
» Signaling Overload Threats
  » Application initiated
  » Compromised eNodeBs
  » Natural disasters
» Prioritized Traffic
  » Already connected subscribers
  » Specific eNodeBs
Diagram: millions of service requests, driven by an Application Update Server, arriving at the MME and SGW in the 4G LTE EPC. QoE: prioritize.
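As an added illustration of the prioritized-traffic policy on this slide (not Stoke's code; the controller class, eNodeB identifiers, IMSIs and thresholds are constructed assumptions), a small Python admission controller that serves already-connected subscribers and selected eNodeBs first and caps each eNodeB's share of the MME's per-tick budget:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceRequest:
    enb_id: str      # eNodeB that forwarded the request over S1-C
    imsi: str        # subscriber identity (constructed sample values below)
    attached: bool   # True if the subscriber already has a context at the MME

class OverloadController:
    """Admission control for one tick of service requests under signaling overload.
    Already-connected subscribers and requests from listed eNodeBs are served
    first; each eNodeB is also held to a per-tick cap so that one compromised or
    misbehaving eNodeB cannot consume the whole budget (illustrative policy)."""

    def __init__(self, capacity_per_tick, priority_enbs, per_enb_cap):
        self.capacity = capacity_per_tick
        self.priority_enbs = set(priority_enbs)
        self.per_enb_cap = per_enb_cap

    def is_priority(self, req):
        return req.attached or req.enb_id in self.priority_enbs

    def admit(self, requests):
        """Return (admitted, rejected); rejected holds (request, reason) pairs."""
        # Stable sort: priority class first, arrival order preserved within a class
        ordered = sorted(requests, key=lambda r: 0 if self.is_priority(r) else 1)
        admitted, rejected, per_enb = [], [], {}
        for req in ordered:
            if per_enb.get(req.enb_id, 0) >= self.per_enb_cap:
                rejected.append((req, "per-eNodeB cap"))
            elif len(admitted) >= self.capacity:
                rejected.append((req, "MME capacity"))
            else:
                admitted.append(req)
                per_enb[req.enb_id] = per_enb.get(req.enb_id, 0) + 1
        return admitted, rejected

# Constructed burst: an application-update storm behind enb-B mixed with other traffic
SAMPLE_BURST = [
    ServiceRequest("enb-B", "imsi-1", False), ServiceRequest("enb-C", "imsi-2", True),
    ServiceRequest("enb-A", "imsi-3", False), ServiceRequest("enb-B", "imsi-4", False),
    ServiceRequest("enb-B", "imsi-5", False), ServiceRequest("enb-A", "imsi-6", True),
    ServiceRequest("enb-C", "imsi-7", False), ServiceRequest("enb-D", "imsi-8", False),
]

def run_sample():
    """Capacity 6 per tick, enb-A on the priority list, at most 2 per eNodeB."""
    ctl = OverloadController(capacity_per_tick=6, priority_enbs={"enb-A"}, per_enb_cap=2)
    admitted, rejected = ctl.admit(SAMPLE_BURST)
    return [r.imsi for r in admitted], [(r.imsi, why) for r, why in rejected]
```

In the sample burst the third request from enb-B is dropped by the per-eNodeB cap while a later request from an unrelated eNodeB is dropped only because the tick's capacity is exhausted, which is the distinction an operator needs when a single eNodeB is the source of the storm.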
The LTE Security Framework vSEG Phase 1
Diagram: the LTE Security Framework with vSEG Phase 1. The same topology as the framework diagram (RAN-Core Border in front of MME, SGW, DRA and the S11, S5/S8, S6A, S9, Gx and Gz/Gy interfaces; Internet Border with SGi, SBC, IMS Core and CSCF; Policy / Charging Control; Other LTE Network; Device and Application), with the SEG replaced by v-SEG (DP) and v-SEG (CP).
Control Plane Functions: IKE, AAA, Routing
Data Plane Functions: Forwarding, QoS, ACL, Inspections
» vSEG on COTS hardware on Linux
» Similar deployment and operational model as today
» Benefits:
  » Removes the restriction of a physical chassis
  » Scales to a very large number of line cards
Diagram labels: SEG, v-SEG (DP), v-SEG (CP)
The LTE Security Framework vSEG Phase 2
Diagram: the LTE Security Framework with vSEG Phase 2. At the RAN-Core Border, v-SEG (DP) and v-SEG (CP) run in a Security Gateway Cloud (data plane: QoS, Inspection, ACLs; control plane: IKE, AAA, Routing) under a SEG Controller and an SDN Controller, terminating S1-C and S1-U in front of a V-EPC (MME, SGW, DRA, SBC, CSCF, Policy / Charging Control); the Internet Border and Other LTE Network are unchanged.
» Disaggregate control plane and data plane functions to scale each function independently
» Can be integrated with the operator's SDN infrastructure
» Benefits:
  » Fully elastic on-demand deployment
  » Capacity can be added dynamically by adding more service nodes
  » Some functions can be scaled disproportionately
Conclusions
» Each domain of the LTE Security Framework provides protection against specific threats and therefore has unique functional and performance requirements
» S1 Link has stringent performance and latency requirements
» Purpose-built platforms will remain the mainstay for the next few years
» Virtualization has benefits, but is not the answer for all use cases