4G Security White Paper

4G Security White Paper for mobile users

1. What is 4G and what is LTE – SAE – EPS – EPC

The need and the hunger for more bandwidth are growing rapidly. Fixed and mobile networks are increasing their speed dramatically. The picture below gives an indication of the growth of speed versus time for mobile and fixed networks.

The figure above shows the bandwidth increase over time.

At the end of the mobile/wireless path you see the terminology LTE. LTE is short for Long Term Evolution. The name comes from the fact that the 3GPP standardization body is defining more and more elements that together build the new networks, concepts and architectures. Even the fixed and wireline world is adapting to these wireless architectures and concepts (e.g. usage of IMS in the TISPAN).

Before we dive into this we must clarify a few things upfront. First of all we must define the different names and acronyms. Otherwise we would end up in confusion while discussing the new technologies. What is LTE, SAE, EPS and EPC, and what is the difference between them?

• LTE stands for Long Term Evolution and is the new Radio Access Technology. It is the evolution of 2G Radio (GSM/GPRS – Global System for Mobile Communication / General Packet Radio Service) and 3G (WCDMA/HSPA – Wide Band CDMA / High Speed Packet Access). It is therefore called the 4G Radio Technology. It provides much faster bandwidth for radio cells, as shown in the figure below.

The figure above shows the mobile up/downstream bandwidth evolution.

• SAE stands for System Architecture Evolution and is the name for the working group within the 3GPP. Its target is to work on the technical study and specifications towards an all-IP network. The work provided by this Architectural Group incorporates the overall 4G concept, incl. Radio and Core Networks. Its target was to simplify the network, make it more flexible, provide interworking with its predecessor and of course to make it much faster.

• EPC stands for Evolved Packet Core, and defines the Core network itself. It is independent of the radio access network – this is not totally true, since some basic assumptions of the different radio networks influence the core. The EPC work also includes non-3GPP radio technology and of course mobility procedures between different 3GPP (like GSM, WCDMA/HSPA and LTE) and non-3GPP (like WLAN) radio-access technologies.

• EPS stands for Evolved Packet System. This includes LTE and EPC. It is the outcome of the SAE working group, describing and specifying the new 4G radio and core network. The documents describe not only 3GPP radio-access technologies (like GSM, WCDMA/HSPA and LTE) but also non-3GPP radio-access technologies (like WLAN, WiMAX, etc).

The figure above shows a 3G and a 4G network.

Now that we know what the acronyms stand for and what they cover, the next questions are: “Why this new technology”, “Who needs 4G” and finally “Commercial implications of 4G”. However, this goes beyond the purpose of this document, but bandwidth is always increasing and 2G/3G is not fast enough for many applications. The world is moving on: more applications for mobile users, higher throughput, faster access, IPv6 capabilities, VoIP, IPTV, etc., just to name a few topics that can be easily covered by LTE/SAE or just the new 4G networks.

The eNodeBs will be meshed to optimize the traffic during handovers, as shown in the figure below. The interface between the eNodeBs is called X2, and the interface between eNodeBs and MME/S-GW is called S1 (S1-MME and S1-SGW).

2. How 4G works

Mobile Radio evolution:

Long Term Evolution (LTE) is meaningful because it will bring up to a 40-times performance boost and much better spectral efficiency to mobile networks. After 3G a race was opened for the successor between WiMAX and LTE. After quite some time it is now clear that LTE is the follow-on of UMTS (and its improvements) and is now called 4G. LTE was built around the preconditions to have a smooth migration from 2G/2.5G and 3G into 4G. It is not completely realized, but due to the constraints it was the best solution found. This was a key requirement and allows seamless handoff and complete connectivity between previous standards and LTE.

LTE is the latest approved generation of the 3GPP standards (Rel 8). Later generations (R9 and R10) describe HNB (HomeNodeB for 3G), HeNB (Home-e-NodeB for 4G) and further enhancements. HNB and H(e)NB are commonly known as Femtocells. The LTE standard specifies an IP-only network supporting data rates up to 160/50 Mbps (downstream/upstream). These high data rates will enable new applications and services such as voice over IP, streaming multimedia, videoconferencing or even a high-speed cellular modem. VoIP is a major step in the LTE development. While in previous standards (GSM and UMTS) VoIP was possible and Circuit-Switched Voice was the standard way for placing calls, this has changed with the advent of LTE/SAE. VoIP is now the proposed standard way for placing calls.

LTE speeds will be equivalent to what today’s user might see at home on a newest DSL modem or fast cable modem. The LTE standard is designed to enable 160 Mbps downlink and 50 Mbps uplink over a wide area. While 160/50 Mbps is LTE’s theoretical top downlink/uplink speed, each user’s bandwidth will depend on how carriers deploy their network and available bandwidth. Supporting high rates and reducing power was a key design challenge.

Here are some highlights of the LTE standard:

• Peak data rate
• Control-plane latency
• Control-plane capacity
  • Minimum 200 concurrent users per cell should be supported in the active state within the spectrum allocations of up to 5 MHz
• User-plane latency
  • Important for the VoIP usage and the overall user experience is the latency of less than 5 ms in unloaded condition for small IP packets
• User throughput
  • Downlink: 160MHz
  • Uplink: 50MHz
• Spectrum efficiency
• Mobility
• Coverage
  • Throughput, spectrum efficiency and mobility targets above should be met for 5 km cells, and with a slight degradation for 30 km cells.
• Spectrum flexibility
• Co-existence and Inter-working with 3GPP Radio Access Technology (RAT)
• Architecture and migration
• Radio Resource Management requirements
  • Enhanced support for end to end QoS
  • Efficient support for transmission of higher layers
  • Support of load sharing and policy management across different Radio Access Technologies

The picture below shows the network evolution and cross-site interworking with 2G/3G, WCDMA, WLAN and LTE. It is obvious that 2G/3G, WCDMA – GERAN and UTRAN – are connected to the Circuit Switched world. In contrast, 4G and non-3GPP (such as WLAN) only have a connection to the IMS network, which in turn can convert VoIP into Circuit Switched. So VoIP is the normal case.

The figure above shows an overview of different wireless technologies and their attachment to the PSTN and the PDN.

The Evolution from 2G, 2.5G and 3G towards 4G

4G is the natural evolution of 2G and 3G. Introducing 2G or GSM quite some time ago was a huge step. It gave the freedom to make calls while moving. It came with lower audio quality than we knew from the PSTN (toll quality speech connection, 64kbps, almost no busy sign once properly dimensioned, etc). With GSM it was different: voice quality was not as good as in the PSTN, but we gained mobility, always reachable! GPRS was the next step, known as 2.5G. It introduced data traffic in a more sophisticated way. Speed was quite high for its time; compared to 3G or even 4G it was as fast as a snail. But we got data onto the 2G network. Radio Technology was not changing, it was just an update on how we can use the timeslots in the radio network more efficiently, therefore only 2.5G (it is named 2.5G because there are no changes in the Radio Access Network technology).

2G networks consist of:

• ME (Mobile Equipment) – the user handset
• BTS (Base Station Transceiver) – the Radio Equipment terminating the Radio Link between the ME and the operator's network
• BSC (Base Station Controller) – the logical unit controlling many BTS – in an operator network thousands of BTS exist, and they need a hierarchy to be centrally controlled
• TCE (Transcoding Equipment) – a device transcoding Mobile Codecs into “the fixed 64kbps Codec G.711” – later on this functionality moved into the MSC
• MSC (Mobile Switching Center) – this device controls the BSC. It acts like a Switch from the PSTN, receives SS7 messages, analyzes them and makes decisions where to route them
• VLR (Visiting Location Register) – basically a database hosting information which user can be reached in this network and where – which radio node is close - it can be reached
• HLR (Home Location Register) – basically a database hosting information where a user belonging to this network can be reached.
• EIR and AuC (Equipment Identification Register and Authentication Center) – these elements identify the user equipment, the user and the user's credentials, i.e. whether the user is allowed to make calls
• GMSC (Gateway Mobile Switching Center) – this device connects the mobile network to the PSTN (the Public Switched Telephone Network)

The figure above shows a 2G network.

Additional elements for the upgrade towards the 2.5G network are the SGSN and the GGSN:

• SGSN (Serving GPRS Support Node) – this element is similar to the MSC in the 2G core network. It plays a key role in the mobility of users with their data applications.
• GGSN (Gateway GPRS Support Node) – this element is similar to the GMSC in the 2G network. It acts as the anchor point for the mobility management of users with their data applications.

The figure above shows a 2G and 2.5G network.

3G is mainly known as UMTS (Universal Mobile Telephony System). It comes with a new reworked radio technology (UTRAN, UMTS Terrestrial Radio Access Network). It still uses the 2G mobile network for voice communication, while updating the radio part. The task was that the core network shall be re-used. It brings much faster speed and higher throughput. The mobile core elements shown in the figure above (the 2G network with the MSC/GMSC, BTS, BSC, VLR, HLR, AuC and EIR, and for the 2.5G network with the SGSN and GGSN) are used again in the 3G mobile core network.

The figure above shows a 2G, 2.5G and 3G network.

The 2G, 2.5G and 3G networks use the same protocols between the nodes. 2.5G and 3G introduced new interfaces and reference points. As indicated in the picture above, 2.5G added two new Core Nodes, the SGSN and the GGSN, while leaving the Radio Access Network (RAN) untouched (called GERAN). 3G left the Core Nodes untouched and changed the Radio Access Network towards the UTRAN. This way the interfaces and reference points within the Core Networks did not change. Only throughput was increased.

The new 4G network changes this stepwise approach: with the step from 2G to 2.5G, Voice is still circuit switched, while the new Data Network is packet switched. From 2.5G to 3G, Voice stays the same (circuit switched), and the new Data Network is again packet switched. Updates are required on the radio interfaces and mobile equipment. The update from 3G towards 4G brings a major step. Voice is now packet switched (with the attached IMS network), and the Data Network is using new core components as shown below.

The figure above shows a 4G network.

In the radio network the 3G NodeB will be replaced at LTE with the eNodeB. The newly introduced MME (Mobility Management Entity), S-GW (Serving Gateway) and PDN GW (Packet Data Network Gateway) replace the SGSN/GGSN architecture of the older 2.5G/3G.

The figure above shows the 3GPP evolution path from R6 to R8.

A fundamental step in 4G networking is the introduction of VoLTE. VoLTE is Voice-over-LTE, a dedicated way of the VoIP technology. Based on IMS networking, the Voice Communication is treated in the IMS Domain. The figure below indicates that over time the Operator adds network after network.

Starting from the 2G network with the GERAN and the Circuit Switched Network (2 networks), he migrates over to 2.5G, still with GERAN, the Circuit Switched Network and a Packet Core Network (3 networks). The next evolution step was the introduction of the 3G network. At this time the Operator moves into 4 (later, after the switch-off of the GERAN network, into 3) networks with UTRAN, the Circuit Switched Network and a Packet Core Network. With the introduction of LTE and the parallel appearance of non-3GPP networks (such as WiFi) the Operator owns 6 Networks (3 RAN networks, the Circuit Switched Network, the Packet Core Network and the IMS). When looking at OPEX it becomes obvious that for commercial reasons the number of networks to operate must be decreased. Further to that, the lifetime of the Circuit Switched Network has reached end-of-life. Hardware components are not available, no development is done, etc.

After some time the new network of the Operator will look like the following figure.

The number of networks decreased to 2 RAN (LTE and WiFi) and 2 Core networks (evolved Packet Core and the IMS). This way OPEX saving can be achieved.However, the introduction of VoLTE is not an easy transition. At day 1 there is no complete coverage of LTE (base for VoLTFallBack). Another possible intermediate step as show below is the SRContinuation Communication).

A substantial effort while working on the new 4G standards was spend for integrating and interworking with the existing 2G, 2,5G and 3G networks. The concept was made such that interworking with non-3GPP radio technologies, such as WLAN and WiMAX, is po

tworks decreased to 2 RAN (LTE and WiFi) and 2 Core networks (evolved Packet Core and the IMS). This way OPEX saving can be achieved. However, the introduction of VoLTE is not an easy transition. At day 1 there is no complete coverage of LTE (base for VoLTE). During this time the fallback solution is CSFB (CircuitFallBack). Another possible intermediate step as show below is the SR-VCC (SingleContinuation Communication). There are all possible migration steps possible as shown below.

A substantial effort while working on the new 4G standards was spend for integrating and interworking with the existing 2G, 2,5G and 3G networks. The concept was made such that

3GPP radio technologies, such as WLAN and WiMAX, is po

tworks decreased to 2 RAN (LTE and WiFi) and 2 Core networks (evolved

However, the introduction of VoLTE is not an easy transition. At day 1 there is no complete E). During this time the fallback solution is CSFB (Circuit-Switch

VCC (Single-Radio Voice There are all possible migration steps possible as shown below.

A substantial effort while working on the new 4G standards was spend for integrating and interworking with the existing 2G, 2,5G and 3G networks. The concept was made such that

3GPP radio technologies, such as WLAN and WiMAX, is possible as well.

The figure above shows a 4G core network, with 2G and 3G RAN.

As can be seen in the picture above, all kinds of RAN (Radio Access Technology) can be connected together. 2G is attached via the BTS/BSC towards the SGSN. 3G is attached either via the SGSN or directly to the S-GW, while 4G is connected straight to the S-GW and MME.

To make things more complex (there is always a trade-off between feature richness and complexity), 4G is designed to work with other technologies, such as WLAN and WiMAX, as indicated in the picture below (so-called non-3GPP Access).

The figure above shows a 4G core network, non-3GPP Access Networks.

More complexity

Another level of complexity is added by the fact that Handover and Roaming must work between different operators, between different Radio Access technologies (3GPP and non-3GPP) and between different Mobile Core technologies (3G and 4G). A typical use case would be crossing the border between France and Spain and switching from LTE with Operator A in Country X to UMTS with Operator B in Country Y. This yields a matrix of options for interworking between the different RAN (Radio Access Network) technologies and different CN (Core Networks). All of this relies on a single user database that must be reachable from all sites.

In the following figures the protocol stack between the UE – User Equipment - and the MME – Mobility Management Entity - (for signaling) and between the UE – User Equipment - and the S-GW – Serving Gateway - (for data traffic) is shown.

The figure above shows the protocol stack for Signaling.

The figure above shows the protocol stack for Data Traffic.

The figure above shows the protocol stack for Control Traffic.

Obviously, between the eNodeB and the MME the S1AP protocol runs on top of SCTP to control the radio and other important functions (call control and session management). Between the eNodeB and the S-GW the application protocol runs directly on top of the enhanced GTP protocol.

3. 4G Security

After many discussions about 4G Security one will see that many interpretations of “what is 4G Security” exist.

In the figure above a few 4G Security domains are shown. The most important one (and most people talk about this) is the Mobile Backhauling. The second most important Security domain is the Evolved Packet Core Security. This deals with the protection of the Core elements (MME, SGW, PGW, HSS, etc). Another Security domain is the SGi interface, providing security from/to the public Internet. Further we have Roaming Security, IMS Security, WiFi Offloading Security and some more.

Whenever Broadband is around, it opens the door for intruders, hackers and other malicious traffic generators. With the advent of Smartphones and Femto/Pico-Cells, hackers can infect or manipulate end-devices in order to attack Carrier Networks at large. A broad usage and benefit of LTE will arise out of the fact that users will plug adaptors into laptops, notebooks and netbooks to get a high-speed connection while traveling. This way, these devices will have a direct connection to the mobile network, and malware on them can be sent via the LTE high-speed link to the mobile core. Users might not be aware of this malfunction, but it looks like a huge mobile botnet. Therefore the Carrier Networks have to be protected in various ways and at various levels (from layer 1 to layer 7) - different levels of security within the “LTE stack”.

Information Security at 4G networks is based on:

• System Security
• Application Security
• Protocol Security
• Platform Security
• Security Primitives (eg Cryptography)

The 3GPP standardization has defined 5 security feature groups. Each of these feature groups meets certain threats and accomplishes certain security objectives:

• Network access security (I): the set of security features that provide users with secure access to services, and which in particular protect against attacks on the (radio) access link.
• Network domain security (II): the set of security features that enable nodes to securely exchange signalling data, user data (between AN and SN and within AN), and protect against attacks on the wireline network.
• User domain security (III): the set of security features that secure access to mobile stations.
• Application domain security (IV): the set of security features that enable applications in the user and in the provider domain to securely exchange messages.
• Visibility and configurability of security (V): the set of features that enables the user to inform himself whether a security feature is in operation or not and whether the use and provision of services should depend on the security feature.

The figure above shows the 3GPP security architecture.

The 3GPP standardization about “Network Domain Security Architecture” is here defining only the usage of IPSec Tunnels between internal and external equipment. Due to its flexibility, IPSec transports all kinds of traffic. All kinds means here TCP, SCTP and UDP, and it means good traffic and bad traffic (any kind of malware), which can travel along the path without being inspected, since the firewall (FW) cannot decrypt this traffic.

The standards define the following:

• Security Gateways (SEGs) are entities on the borders of the IP security domains and will be used for securing native IP based protocols. The SEGs are defined to handle communication over the Za-interface, which is located between SEGs from different IP security domains.
• All NDS/IP traffic shall pass through a SEG before entering or leaving the security domain. Each security domain can have one or more SEGs.
• The security gateways shall be responsible for enforcing security policies for the interworking between networks. The security may include filtering policies and firewall functionality not required in this specification.
• SEGs are responsible for security sensitive operations and shall be physically secured. They shall offer capabilities for secure storage of long-term keys used for IKEv1 and IKEv2 authentication.

The figure above shows a 3GPP network domain security approach.

Protection of IP-based interfaces in EPS is implemented in accordance with recommendations outlined in 33.210 [10], which define the security architecture for Network Domain IP-based (NDS/IP) interfaces. Security protection is provided at the network layer using IPSec security protocols as defined by the IETF in RFC 2401 [IPSec].

Security protocol: Encapsulating security payload ESP (RFC 4303/2406) with support for RFC 4303 as Priority
Security mode: Tunnel (mandatory), Transport (optional)
Encryption algorithms: Null (RFC 2410); 3DES-CBC (RFC 2405/2451) with 3x64-bit key, 64-bit block size; AES-CBC (RFC 3602) with 128-bit key, 128-bit block size
Authentication algorithm: HMAC-SHA-1-96 (RFC 2404) with 160-bit key, 512-bit block size; Null is not to be supported
Security association: Single (mandatory), Bundle (optional)

However, in the 3GPP standards the security relies purely on IPSec between the different nodes.

When thinking about the location of eNodeBs it is obvious that physical security is a must, but it does not remove the need for IPSec as the network connection method between eNodeBs and the Core elements (MME, SGW, HSS, PCRF, PDNGW). A hacker can open the plain IP connection and easily insert a Switch – with a short interruption of the traffic. When connecting a computer to the Switch the hacker could eavesdrop on the complete network traffic (signaling, media and OAM traffic). Another step for the hacker would then be to insert specially crafted packets to bring down the core elements (overloading).


Some eNodeBs are hard to hack … see pictures below

Some eNodeBs are easier to access … see pictures below

Some eNodeBs are easy to hack … see pictures below


For this reason it is recommended to use IPSec between the eNodeB and the Core Network.

Through the use of IPSec you can prevent hackers from eavesdropping, from easily inserting maliciously crafted packets, or from easily generating a DoS attack by inserting millions of SCTP INIT packets, resulting in an overload situation for the MME.

It is further important to define the IPSec setup: how to connect the eNodeB with the SecGW (Security GW). On average every eNodeB is surrounded by 6 eNodeBs for coverage reasons, as indicated in the figure below.
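The SCTP INIT flood toward the MME named above can be spotted on the MME side of the SecGW by counting INIT chunks per source and in total over a sliding window. The following Python code is an added example, not part of the white paper or of any vendor product; the thresholds, the class and function names and the sample packets are assumptions constructed for illustration, while the S1AP port 36412 and the INIT chunk type come from the SCTP and S1AP standards.

```python
import struct
from collections import defaultdict, deque

S1AP_SCTP_PORT = 36412   # IANA-registered SCTP port for S1AP (eNodeB <-> MME)
SCTP_CHUNK_INIT = 1      # chunk type of INIT in RFC 4960


def is_init_to_mme(sctp_packet: bytes, port: int = S1AP_SCTP_PORT) -> bool:
    """True if the first chunk of an SCTP packet is an INIT sent to `port`."""
    if len(sctp_packet) < 16:          # 12-byte common header + 4-byte chunk header
        return False
    _sport, dport, _vtag, _checksum = struct.unpack("!HHII", sctp_packet[:12])
    chunk_type, _flags, _length = struct.unpack("!BBH", sctp_packet[12:16])
    return dport == port and chunk_type == SCTP_CHUNK_INIT


class InitFloodDetector:
    """Sliding-window counter of SCTP INITs, per source and in total.

    An eNodeB sends INIT only when it (re)establishes its S1 association, so a
    sustained INIT rate is abnormal. The total counter catches floods that
    rotate source addresses. Limits are assumed values, to be tuned per network.
    """

    def __init__(self, window_s=1.0, per_source_limit=5, total_limit=50):
        self.window_s = window_s
        self.per_source_limit = per_source_limit
        self.total_limit = total_limit
        self._per_source = defaultdict(deque)
        self._total = deque()

    def _count(self, queue, ts):
        queue.append(ts)
        while ts - queue[0] > self.window_s:   # drop timestamps outside the window
            queue.popleft()
        return len(queue)

    def observe(self, ts, src_ip, sctp_packet):
        """Feed one packet; return (key, count) alerts, where key "*" is the total."""
        if not is_init_to_mme(sctp_packet):
            return []
        alerts = []
        n = self._count(self._per_source[src_ip], ts)
        if n > self.per_source_limit:
            alerts.append((src_ip, n))
        n = self._count(self._total, ts)
        if n > self.total_limit:
            alerts.append(("*", n))
        return alerts


def build_sctp(sport, dport, vtag, chunk_type, body=b""):
    """Build a constructed SCTP packet (checksum left at 0, not verified here)."""
    header = struct.pack("!HHII", sport, dport, vtag, 0)
    return header + struct.pack("!BBH", chunk_type, 0, 4 + len(body)) + body


def run_sample():
    """Replay constructed traffic and return the set of keys that raised alerts."""
    det = InitFloodDetector()
    init = build_sctp(40000, S1AP_SCTP_PORT, 0, SCTP_CHUNK_INIT, b"\x00" * 16)
    data = build_sctp(40000, S1AP_SCTP_PORT, 0x1234, 0, b"\x00" * 12)
    events = [(0.0, "10.0.0.1", init)]                                  # normal setup
    events += [(0.1 * i, "10.0.0.1", data) for i in range(1, 30)]       # normal S1AP data
    events += [(3.0 + 0.01 * i, "10.0.0.66", init) for i in range(20)]  # INIT burst
    flagged = set()
    for ts, src, pkt in events:
        flagged.update(key for key, _ in det.observe(ts, src, pkt))
    return flagged


if __name__ == "__main__":
    print(run_sample())
```

Per-source queues of idle sources are never evicted here, so a long-running deployment of this idea needs an expiry pass over `_per_source`.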

The link of this (blue marked) eNodeB is composed of S1 and X2 traffic. In the simplest case you have one IPSec Tunnel for every eNodeB, resulting in a lower number of IPSec Tunnels.

You can further divide the different traffic types and encapsulate them in different IPSec Tunnels, resulting in a higher number of IPSec Tunnels.

The S1 traffic is forwarded to the Core elements, while the X2 traffic is locally routed back as shown in the figure below.

Additional IPSec tunnels, doubling the number, come from Redundancy – each and every eNodeB is connected with 2 SecGW.

More IPSec tunnels per eNodeB result in greater complexity but give more freedom to the network design and architecture team.

Below is a figure that comes close to real deployments.

Each eNodeB is connected in a redundant way, and we have 3 IPSec tunnels deployed. S1, X2 and OAM traffic are separated.

Hereafter you find a short introduction about the overall setup of security between the handset and the core elements – including IPSec.
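The tunnel layout described above (separate S1, X2 and OAM tunnels, each eNodeB connected to 2 SecGW) and the NDS/IP parameter table can be turned into an inventory check. The following Python code is an added example, not taken from the white paper or from any product; the `Tunnel` record, the algorithm labels and the sample inventory are assumptions constructed for illustration, and the warning on ESP-NULL is this example's own choice, since the table permits Null encryption.

```python
from dataclasses import dataclass, replace

# Profile values taken from the NDS/IP table on this page; the string spellings
# are labels chosen for this example, not identifiers of any product.
ALLOWED_ENCRYPTION = {"null", "3des-cbc", "aes-cbc-128"}
ALLOWED_AUTH = {"hmac-sha1-96"}            # the table excludes Null authentication
REQUIRED_TRAFFIC = ("S1", "X2", "OAM")     # one tunnel per traffic type
REQUIRED_SECGWS = 2                        # each eNodeB connects to 2 SecGW


@dataclass(frozen=True)
class Tunnel:
    enodeb: str
    secgw: str
    traffic: str
    protocol: str = "esp"
    mode: str = "tunnel"
    encryption: str = "aes-cbc-128"
    auth: str = "hmac-sha1-96"


def audit(tunnels):
    """Return a sorted list of (severity, enodeb, message) findings."""
    findings = []
    gateways = {}  # (enodeb, traffic) -> set of SecGWs reached
    for t in tunnels:
        gateways.setdefault((t.enodeb, t.traffic), set()).add(t.secgw)
        where = f"{t.traffic} tunnel to {t.secgw}"
        if t.protocol != "esp":
            findings.append(("error", t.enodeb, f"{where}: {t.protocol} is not ESP"))
        if t.mode != "tunnel":
            # Assumption: eNodeB-to-SecGW links use the mandatory tunnel mode.
            findings.append(("error", t.enodeb, f"{where}: mode {t.mode}, expected tunnel"))
        if t.auth not in ALLOWED_AUTH:
            findings.append(("error", t.enodeb, f"{where}: authentication {t.auth} not in profile"))
        if t.encryption not in ALLOWED_ENCRYPTION:
            findings.append(("error", t.enodeb, f"{where}: encryption {t.encryption} not in profile"))
        elif t.encryption == "null":
            # Allowed by the table, but gives no protection against eavesdropping.
            findings.append(("warning", t.enodeb, f"{where}: ESP-NULL, traffic is readable"))
    for enb in sorted({t.enodeb for t in tunnels}):
        for traffic in REQUIRED_TRAFFIC:
            reached = gateways.get((enb, traffic), set())
            if not reached:
                findings.append(("error", enb, f"{traffic}: no tunnel"))
            elif len(reached) < REQUIRED_SECGWS:
                findings.append(("error", enb, f"{traffic}: only {len(reached)} SecGW, no redundancy"))
    return sorted(findings)


def sample_inventory():
    """Constructed inventory: eNB-1 compliant, eNB-2 and eNB-3 deliberately not."""
    def full(enb):
        return [Tunnel(enb, gw, tr) for gw in ("secgw-a", "secgw-b") for tr in REQUIRED_TRAFFIC]

    enb2 = [Tunnel("eNB-2", "secgw-a", "S1"), Tunnel("eNB-2", "secgw-b", "S1"),
            Tunnel("eNB-2", "secgw-a", "X2", encryption="null")]
    enb3 = [replace(t, auth="null") if (t.traffic, t.secgw) == ("OAM", "secgw-b") else t
            for t in full("eNB-3")]
    return full("eNB-1") + enb2 + enb3


if __name__ == "__main__":
    for severity, enb, message in audit(sample_inventory()):
        print(f"{severity:7} {enb}: {message}")
```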

A new definition of security within 4G requires all aspects covering all different layers.

Security at the different layers is a strong requirement.

At the IP layer IPv4, IPv6, ICMP, IGMP, etc and routing protocols must be protected. Many concepts from the 3G networks shall be used in this case.

At the TCP/UDP layer SCTP and GTP (runs on top of UDP) become mandatory. The support of IPSec is a key point, incl. the IKE variants. The massive amount of traffic makes it essential to support most of the protocols in HW in order to support the performance requirements and keep pace with the throughput.

At the Applications layer packets must be inspected for malicious and harmful traffic. This way all malware must be detected, protecting end users, and the core network protection can be ensured.

Hackers have already proven that 4G networks are not secure:

As a first step the UE connects over the Radio Interface; once connected, the security procedures take place, comparing the credentials stored in the USIM card with the credentials stored in the HSS.

The figure below shows the procedure: an initial NAS message is sent from the UE to the MME, which then sends a Diameter (over SCTP) Request to the HSS. Keys are derived and compared – as indicated in the figure.

However, in order to get this done the UE needs to connect first to the MME (through the eNodeB). This is done as shown in the figure below:

A NAS Attach Request triggers the eNodeB to open an SCTP association with the MME. In case of misuse, the UE can be manipulated to send far too much traffic towards the eNodeB (which forwards the traffic to the MME) and can overload the MME processing power.

Remark: the UE are not smartphones as we think of them today. Hackers use evaluation boards or simple USB Dongles since they are easier to program and configure.

A more complete security architecture is required to solve the Security topics at the different nodes in the network, with the different protocols, and transported on applications (such as Worms, viruses, malware).

The outlook of all involved parties (core network supplier, radio network supplier, content supplier, handset/end-user equipment supplier, etc) must take into account an evolution into IPv6, which will become eminent for mobile networks in the near future.

The ETSI Technical Specification ETSI TS 121 133 (UMTS); 3G security; Security threats and requirements describes several types of attacks.

• Unauthorized access to sensitive data (violation of confidentiality)
  • Eavesdropping
  • Masquerading
  • Traffic analysis
  • Browsing
  • Leakage
  • Inference
• Unauthorized manipulation of sensitive data (Violation of integrity)
  • Manipulation of messages
• Disturbing or misusing network services (leading to denial of service or reduced availability)
  • Intervention
  • Resource exhaustion
  • Misuse of privileges
  • Abuse of services
• Repudiation
• Unauthorized access to services
  • Intruders can access services by masquerading as users or network entities.
  • Users or network entities can get unauthorized access to services by misusing their access rights.

The weakest link in the chain is the user equipment. The trust level, that no malicious Firmware can be installed, is a key point.

Another huge topic in the 4G Security domain is AAA (Authentication, Authorization and Accounting), including key hierarchy, key agreement procedures, user identity confidentiality, device confidentiality, ciphering, and integrity protection. However, this is not covered in this paper.

Based on the fact that the interworking between

• different 3GPP radio technologies (3G and 4G)
• different access technologies (WiMAX/WLAN and 3GPP)
• different providers (roaming)

The figure above shows the interworking between 3G and 4G.

The installed base of 3G network must be connected to the new 4G network. So interworking between the “old 3G” and the “new 4G” is essential.

The figure above shows the interworking between 3GPP and non-3GPP (WLAN, WiMAX, etc).

The carriers move more and more into Carriers non-3GPP networking to offload from 3GPP traffic, freeing radio resources. In this case the installed base of non-3G network must be connected to the new 4G network. So interworking between the “non-3GPP” and “3GPP” must be done.

Page 27: 4G Security White Paper

The figure above shows the roaming case / home-routed traffic

The figure above shows the roaming case / local-breakout traffic

History has taught us that roaming is one of the most important security issues between carriers sharing the radio access and some core network elements. As one can see from the figures above, the two roaming cases are an essential element.

Roaming has been known for years (it was already introduced in 2G/GSM networks). Mobile carriers around the globe use GTP Firewalls and SeGW to secure their connection points towards other carriers, either directly or via the GRX (GPRS Exchange), described by the GSMA (GSM Association).

With the introduction of 4G the GSMA has moved on from GRX towards the IPX (IP Packet Exchange) with enhanced features for 4G interconnect. In the 2 figures above one can clearly see that for the 2 cases you need either GTP & Diameter or just a Diameter interface. GTP FWs have been known for years from 2.5G/3G networks, so the update to GTPv2 is a relatively small step. Diameter is a new interface that comes into play and will add new concerns in

Page 28: 4G Security White Paper

Carrier Security Groups. Even analyzing the usage of Diameter (Database retrieval protocol) adds more concerns. Yet another concern here is that Diameter will come with SCTP as the transport protocol of choice.

However, the Diameter interconnection clearly calls for a Diameter FW. The interconnections towards other carriers (either direct, or via IPX/GRX) do need protection at the border.

However, once making up the whole network diagram (as shown below) one can see some issues that are known as the security topics within the 4G Security Architecture.

The figure above shows a 4G network with possible attack scenarios

1. Threat #1
   o Attacks on an IP Level, DOS, DDOS, etc on the SGi interface
2. Threat #2
   o Overbilling Attacks like in 3G on the SGi interface
3. Threat #3
   o Attacks on open and insecure IP interfaces at the access (eNodeB)
4. Threat #4
   o Attacks based on SCTP/Diameter manipulating Database entries
5. Threat #5
   o Attacks on the NMS level manipulating settings and configurations
6. Threat #6
   o Attacks on the IP helping service level manipulating IP settings and base protocols
7. Threat #7
   o Attacks based on SCTP/GTP from 4G Roaming Partners
8. Threat #8
   o Attacks based on GTP from 3G Roaming Partners

Page 29: 4G Security White Paper

9. Threat #9
   o Attacks based on SCTP for manipulating MME functions
10. Threat #10
   o Attacks based on GTP for manipulating S-GW functions
11. Threat #11
   o Attacks on the IMS level manipulating the VoLTE – IMS – VoIP network
12. Threat #12
   o Attacks on higher layers introducing all kinds of malware

To mitigate these threats, operators must implement security from the very first moment. It is a basic rule in the design: Security is part of the architecture!

The implementation can be done in various steps. According to the priorities of the threats, a possible sequence is given below:

Step 1:

• SGi FW – Protecting from the Internet and Overbilling
• Basic SecGW + FW – Protecting from the Access
• HSS FW – Securing the most important Network Element (APT)
• NMS/OAM Security – Protect the Central Management
• IP Services Security – Protection from misuse (eg DNS Tunneling)

Page 30: 4G Security White Paper

Step 2:

• Roaming Security – Protecting from the Roaming Partners

Step 3:

• Enhanced SecGW + FW + SCTP FW – enhanced Protection from the Access

Page 31: 4G Security White Paper

Step 4:

• Enhanced SecGW + FW + GTP FW – enhanced Protection from the Access

Step 5:

• SIP/RTP FW for VoLTE – Protection from/to the IMS Core Network

Page 32: 4G Security White Paper

The basic assumption for the steps proposed above is that in Step 1 LTE is only offered to domestic users. In Step 2 Roaming (inbound and outbound) is activated. Step 3 is the dedicated protection of the heart of the LTE system: the MME will be protected. Step 4 is the dedicated protection of the User Traffic part of the LTE system: the SGW will be protected. Step 5 is the final step for a protection from/to the IMS Voice domain.

When choosing the security elements it is helpful to decide for a product that can be enabled to perform all the described security functions in a single node. This way no network redesign is needed to activate additional security features.

As IPSec is a good tool to provide a secure transport between network elements it is proposed by the 3GPP to be used between eNodeBs and the Core Elements (MME, SGW).

The figure above shows the SEG (IPSec termination) within the eNodeB and as standalone device in the Packet Core. In the 3GPP Technical Specifications Tunnel Mode with ESP and IKEv2 is proposed. For a real world deployment it is important to understand the influence of where the SEGs are located. There is a Centralized Model vs the Decentralized Model. Centralized SEGs are directly in front of the MME/SGW (same amount of SEG as MME/SGW locations), while in the Decentralized Model there are more SEGs than MME/SGW locations. The figures below show the 2 models:

Decentralized Model for the SEG

Page 33: 4G Security White Paper

Centralized Model for the SEG

All of them must be addressed to overcome the threats, and to ensure proper and secure networking and interworking. All elements are quite critical and must be observed.

The figure above shows a 4G network with possible Firewall locations

Page 34: 4G Security White Paper

As in the figure above it is clear that Security plays a major role in 4G networks. Due to the Virtualization of the Fortinet Firewalls the different functions can be accomplished by one HW FW. The functions are just shared. As an example it is possible to connect to many hundreds of Roaming partners (3G and 4G) and have a dedicated FW (Virtual Domains – VDOMs) per Roaming Partner with individual settings (as highlighted with b and c). Even further Virtualization is possible, so that other functions like the VoIP FW (as highlighted with h), and the Gi FW capabilities – on different layers – can be combined in one physical Hardware (as highlighted with a and e).

HW Acceleration

Further to the rich capabilities the Fortinet 4G Firewall is supporting HW acceleration

• Packet Forwarding
   • Different processing architectures deliver widely differing results
   • FortiGate CPU is not used for the packet forwarding, freeing it for other features
• Power
   • More powerful processors require more power
   • Typically ten times that required by an ASIC
• Thermal
   • With power comes heat, limiting the scalability of any CPU only based device

The figure above shows the advantage of using ASIC technology / compared to common CPU

As an example a Fortinet 3950B FW is able

• to handle more than 120 Gbps. For achieving higher capacity they can be easily clustered and concatenated to achieve higher performance figures.
• to handle more than 20 million concurrent sessions. For achieving more concurrent session capacity they can be easily clustered and concatenated to achieve higher performance figures.
• to handle more than 250k new sessions per second. For achieving more new session per second capacity they can be easily clustered and concatenated to achieve higher performance figures.

Page 35: 4G Security White Paper

• to handle more than 50 Gbps of 3DES/AES (eg. IPSec) throughput. For achieving higher performance they can be easily clustered and concatenated to achieve higher performance figures.
• to handle more than 19,6 Gbps of IPS throughput. For achieving higher performance they can be easily clustered and concatenated to achieve higher performance figures.

Comparing these figures with the requirements one can see that a small number of such Firewalls can secure a complete carrier network.

Virtualization

On top of the features described above the capabilities are further enriched by using virtualization. This functionality is called Virtual Domains

• FW policies configurable per Virtual Domain (VDOM)
• Allows individual configuration per external VoIP network interface
• Overlapping address space within the same hardware platform
• Multiple Public/Private peers
• And much more

The figure above shows the advantage of using Virtualization

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs can provide separate firewall policies and, in NAT/Route mode, completely separate configurations for routing and VPN services for each connected network or organization.

VDOMs let you split your physical FortiGate unit into multiple virtual units. The resulting benefits range from limiting transparent mode ports to simplified administration, and reduced space and power requirements.

Effectively, by using VDOMs you can split your mobile network functions onto several VDOMs on one physical HW device, such as

• VDOM#3 is the SCTP FW,
• VDOM#4 is the GTP FW,
• VDOM#5 is the Diameter FW,
• VDOM#6 is the SIP FW,
• VDOM#7 is the IPSec VPN termination,
• etc

Or to divide your network into regions

• VDOM#3 is the East Region,

Page 36: 4G Security White Paper

• VDOM#4 is the West Region,
• VDOM#5 is the South Region,
• VDOM#6 is the North Region,
• VDOM#7 is the Major Capitol 1,
• etc

or even a combination of the 2 above.

4. 4G Firewall

Functions of the 4G FW

Securing Protocols within 4G networks

LTE is a substantial part of the business of mobile operators and it is important to keep this network up and running. This is true for many reasons

• an outage creates a substantial loss of revenues
• an outage comes along with a loss of credibility (with shareholders and end users)
• it is a national interest that the telecommunication infrastructure is always available

How can we achieve this target? Not only with one single item. It is a combination of many.

The first and most important element is the network architecture: the systems are built, designed and evaluated so that outages are minimal and affect only small regions, not the whole network.

The second element is clearly the policy on how to handle the network. Who has access to which element, and how are patches, updates, changes, etc treated? Another element that comes along with policy is that equipment and new elements (whether HW, SW, updates, etc) are always carefully tested and evaluated.

The third element is network infrastructure and network service protection by means of Firewalls. These Firewalls must be LTE ready and protect the critical elements from attacks on every layer. But what does LTE ready mean? It indicates that the important protocols must be supported and that the performance must not degrade the throughput and weaken the user experience. It is therefore important that the relevant protocols are analyzed and checked against misuse, or just for integrity, to protect core elements.

By looking at the different interfaces within LTE (which are all named Sx) one can see that a number of protocols are used to transport LTE.

One is GTP.
GTP is used in 2,5G and 3G on the Gn and Gp interface between the GGSN and the SGSN (Gn interface if SGSN is within the home network, and Gp interface if SGSN is within the visited network). In LTE GTP is used on the S3, S4, S5, S8, S10, S11 and the S16 interface. The number of interfaces using GTP has increased from 2 to 7.

Another one is SCTP.
SCTP is used on the different S6x, STa, SWx, Gx, Rx, S9 and S13 interfaces between AAA involved nodes and the AAA Server and Policy Server.
On top of that Diameter is used heavily in 3GPP networks (IMS IP Multimedia Subsystem) and 4G networks for Database retrieval. Protecting Diameter means protecting databases and is very important.

Yet another quite important protocol is IPSec with IKE.
It is used on several interfaces to secure the traffic flow. According to the 3GPP TS33.210 standardization, a secure path is required between all elements for proper IPv4 and IPv6 communication.
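The section above says an LTE-ready firewall must analyze the relevant protocols and check them against misuse. As an added example (not from the white paper and not any vendor's implementation), the Python code below applies the kind of header sanity and allowlist checks a GTP-aware firewall could run on GTP-C datagrams arriving from roaming partners. The per-interface policies, the message-type allowlists, the helper names and the sample packets are assumptions constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

class GtpError(ValueError):
    """Raised when a datagram is not a well-formed GTP-C message."""

@dataclass
class GtpHeader:
    version: int
    msg_type: int
    teid: Optional[int]
    seq: Optional[int]

def parse_gtp_c(dgram: bytes) -> GtpHeader:
    """Parse and length-check a GTPv1-C or GTPv2-C header (UDP payload)."""
    if len(dgram) < 8:
        raise GtpError("truncated header")
    flags, msg_type, length = struct.unpack_from("!BBH", dgram, 0)
    version = flags >> 5
    if version == 2:
        has_teid = bool(flags & 0x08)    # T flag: TEID field present
        piggyback = bool(flags & 0x10)   # P flag: a second message follows
        hdr_len = 12 if has_teid else 8
        if len(dgram) < hdr_len:
            raise GtpError("truncated header")
        rest = len(dgram) - 4            # Length excludes the first 4 octets
        if length < hdr_len - 4 or length > rest or (not piggyback and length != rest):
            raise GtpError("length field does not match datagram")
        if msg_type in (1, 2, 3) and has_teid:
            raise GtpError("TEID flag set on echo/version message")
        teid = struct.unpack_from("!I", dgram, 4)[0] if has_teid else None
        seq = int.from_bytes(dgram[hdr_len - 4:hdr_len - 1], "big")
        return GtpHeader(2, msg_type, teid, seq)
    if version == 1:
        if not flags & 0x10:             # PT=0 is GTP' (charging), not GTP
            raise GtpError("protocol type is not GTP")
        opt = 4 if flags & 0x07 else 0   # E, S or PN adds 4 optional octets
        if len(dgram) < 8 + opt or length != len(dgram) - 8:
            raise GtpError("length field does not match datagram")
        teid = struct.unpack_from("!I", dgram, 4)[0]
        seq = struct.unpack_from("!H", dgram, 8)[0] if flags & 0x02 else None
        return GtpHeader(1, msg_type, teid, seq)
    raise GtpError(f"unsupported GTP version {version}")

# Illustrative policies (assumptions, not from the white paper):
# the 4G roaming interface (S8) carries GTPv2-C, the 3G one (Gp) GTPv1-C.
POLICY = {
    "S8": (2, {1, 2, 32, 33, 34, 35, 36, 37}),  # echo, create/modify/delete session
    "Gp": (1, {1, 2, 16, 17, 18, 19, 20, 21}),  # echo, create/update/delete PDP context
}

def inspect(interface: str, dgram: bytes) -> str:
    """Return 'accept' or 'drop: <reason>' for one GTP-C datagram."""
    want_version, allowed = POLICY[interface]
    try:
        hdr = parse_gtp_c(dgram)
    except GtpError as exc:
        return f"drop: {exc}"
    if hdr.version != want_version:
        return f"drop: GTPv{hdr.version} not allowed on {interface}"
    if hdr.msg_type not in allowed:
        return f"drop: message type {hdr.msg_type} not allowed on {interface}"
    return "accept"

def build_v2(msg_type, body=b"", teid=0, seq=1, flags=0x48, length=None):
    """Build a constructed GTPv2-C message for the demo below."""
    tail = (struct.pack("!I", teid) if flags & 0x08 else b"")
    tail += seq.to_bytes(3, "big") + b"\x00" + body
    return struct.pack("!BBH", flags, msg_type,
                       len(tail) if length is None else length) + tail

IMSI_IE = bytes([1, 0, 8, 0]) + bytes(8)   # constructed IE, value zeroed
SAMPLES = {                                 # all packets are constructed
    "create_session": build_v2(32, IMSI_IE),
    "bad_length": build_v2(32, IMSI_IE, length=200),
    "echo_with_teid": build_v2(1),
    "unlisted_type": build_v2(255),
    "gtpv1_on_s8": struct.pack("!BBHIHBB", 0x32, 16, 4, 0, 1, 0, 0),
}

def run_demo():
    """Inspect every sample as if it arrived on the S8 roaming interface."""
    return {name: inspect("S8", pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} {verdict}")
```

The same GTPv1 packet that is dropped on S8 is accepted when inspected against the Gp policy, which is why the policy is keyed by interface.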

Page 37: 4G Security White Paper

Quite important is the performance and scalability of the product. Once VoLTE is introduced, delay plays a substantial role. For the dimensioning, the degradation of performance (throughput) is important.

The figure above shows the degradation of different vendors. Dimensioning a network properly where the throughput depends greatly on the packet size becomes a nightmare. The difference between large packets (1514 byte) and small packets (64 byte) can be up to a factor of 6. For a proper network design you must be able to define upfront the average packet size and the assumed distribution of small packets (eg 132 bytes for VoLTE) and large packets (browsing, email).

5. Outlook

We have seen in recent years that hackers and activists can perform large scale attacks. Beyond this kind of attack we will see more politically motivated attacks. As an example (by far not the only one – but well documented) we will delve into the Mandiant APT1 report. Prior to that we will look at a quite old market study for comparison of “what was predicted” and “what do we see today”.

What was predicted:

The Market Study is the Gartner Study about Cyberwarfare: VoIP and Convergence Increase Vulnerability dated from January 13th 2004.

Herein you find statements like

….The aspects of cyberwarfare have been considered for years. Future cyberattacks could constitute an entire war or an attack type as part of a larger campaign. Cyberwarfare, like any military operation, has two components — offensive and defensive operations…

…The U.S. military complex continues work on Presidential Directive 16, including developing the rules and tools. The United States is not the only government thinking about cyberattacks. In the second quarter of 1995, Major General Wang Pufeng of The Chinese Army published a paper, “The Challenge of Information Warfare.” In this paper, Pufeng writes that the information era will touch off a revolution in military affairs …

Even 18 years ago the Chinese Army started to work on cyberwarfare. What do we see today: the Mandiant APT1 report.

In its report, Mandiant describes the linkage of the Chinese Army and the hacking unit (2nd Bureau Unit 61398).

In this report you may find lots of details of how hacking is done nowadays. But how should this influence operators?

As a baseline, operators should all act very sensitively, understand their network architecture very well, and have security in mind from the first assumption onwards and when designing the network architecture. The most effective way of protecting networks and services is through a dedicated network design, through proper security rules and up-to-date policies, and the usage of proper tools.

When designing a secure network, IPSec always comes up. IPSec is an excellent tool for designing secure communication and data exchange. But IPSec has limitations. It does not ensure that content has not been modified or compromised at computers and workstations. IPSec therefore ensures a safe and secure transport. For the proper content of the IPSec tunnels, a dedicated firewall in front of or after the IPSec tunnel is required. This applies to all traffic on the S1 and X2 interfaces in 4G networks, and it applies to all network management traffic (for all kinds of networks).

Network management is in any case very special, since an opponent can get full control over the network by compromising the network management computers and workstations. As shown above with the APT1 report of Mandiant, operators must be sensitive with network management computers and workstations, and the highest level of security must be applied here. Operations of the mobile network can fall apart completely when a hacker has control of the network through an APT.

Author: Rainer Baeder – [email protected]

Fortinet

Fortinet (NASDAQ: FTNT) is a worldwide provider of network security appliances and a market leader in unified threat management (UTM). Our products and subscription services provide broad, integrated and high-performance protection against dynamic security threats while simplifying the IT security infrastructure. Our customers include enterprises, service providers and government entities worldwide, including the majority of the 2011 Fortune Global 100. Fortinet is headquartered in Sunnyvale, Calif., with offices around the world.

Fortinet's flagship FortiGate security appliances deliver ASIC-accelerated performance and integrate multiple layers of security designed to help protect against application and network threats. Our broad product line of complementary solutions goes beyond UTM to help secure the extended enterprise - from endpoints, to the perimeter and the core, including databases and applications.

To date, Fortinet has shipped more than 1,250,000 appliances to more than 160,000 customers worldwide, including:

• 61 of the Global 100
• 8 of the top 10 Fortune companies in Americas
• 9 of the top 10 Fortune companies in EMEA
• 9 of the top 10 Fortune companies in APAC
• 7 of the top 10 Fortune telecommunications companies
• 9 of the top 10 Fortune banking companies
• 9 of the top 10 Fortune defense/aerospace companies

A key differentiator, Fortinet's custom-built FortiASIC content and network processors enable FortiGate systems to detect and eliminate even complex, blended threats in real time without degrading network performance, while an extensive set of complementary management, analysis, database and endpoint protection solutions increases deployment flexibility, assists in compliance with industry and government regulations, and reduces the operational costs of security management.