www.thalesgroup.com THALES COMMERCIAL CONFIDENTIAL
Future LTE-based PMR networks
Identification and effective reduction of cyberthreats
This document may not be reproduced, modified, adapted, published or translated in any way, in whole or in part, nor disclosed to a third party without the prior written consent of Thales - ©Thales 2015 All rights reserved.
OPEN
Thales: a market-oriented organisation
[Organisation chart: Secure Communications and Information Systems across the Defence-Security Continuum]
•Radiocommunication Products
•Network and Infrastructure Systems
•Protection Systems
•Critical Information Systems and Cybersecurity: Consulting, Risk Analysis, Test & Evaluation, 24/7 Cybersecurity Supervision, Managed Security Services, Rapid Reaction Team, Crisis Management, Critical IT Design, Development, Integration and Deployment, Training, Complex Project Management, Cybersecurity Products, Critical IT Operation, Cloud Computing, Secure IT Outsourcing
Full-service partner: Services, Products, Systems
What is an LTE network? Key Features and Architecture Overview
[Figure: LTE architecture. eUTRAN (eNodeBs) and ePC (MME, Serving Gateway, PDN Gateway, PCRF, HSS) connected over an IP Transport Network, together with the PMR Application function and the Internet]
▌ Higher throughput
•Combination of various techniques such as TDD, FDD, MIMO
•300 Mbps peak downlink and 75 Mbps peak uplink
•High data rates allowing streaming multimedia and videoconferencing
▌ IP-based network (incl. end-user devices)
•Flattened network for better efficiency and simplification
•Seamless connection to other networks and the Internet
•All elements exposed to third-party/external interactions
•Lower OPEX
▌ Better user experience
•Low latency
•Enhanced mobility management
•Better QoS control
Enabled for PMR
Addressing security within LTE - A Layered Approach
▌Operational Security
•CyberSecurity vulnerabilities watch
•CyberSecurity monitoring
•CyberSecurity flaws remediation
•CyberSecurity incident reaction
▌End-to-End secured infrastructure
•Addressing specific applicable regulations
•Security industry best practices
•Anti-DDoS measures
•Protection from non-trusted third-parties
•Node-level hardening
▌Standards-based security mechanisms
•Standards core compliancy (3GPP, …)
•Authentication of users and network
•Protection of RAN and access (flows encryption)
•Node level security features (partial)
[Diagram: the three layers are stacked, with the standards-based mechanisms at the bottom (3GPP standards scope, Security at Node Level) and the layers above forming the End-to-End Secured Infrastructure and Mission Delivery Platform (Operator/Vendor scope)]
Security in LTE by default – main principles as per LTE standards
[Figure: the same LTE architecture: eUTRAN (eNodeBs), ePC (MME, Serving Gateway, PDN Gateway, PCRF, HSS) over an IP Transport Network, PMR Application function, Internet]
▌Key cornerstone = USIM card
•Fundamental principle relies on strong authentication and key agreement at connection setup between ME (USIM) and Network (MME)
▌Specific security hardening requirements for the eNodeB
•Secure environment embedded in eNodeB for keys storage, sensitive functions and configuration data
•(mutual) authentication of O&AM access
•Software integrity and authentication
▌Separate over-the-air security from network security
•Over the air signaling and user traffic protection (integrity and confidentiality) with specific keys between ME and eNodeB
•RRC (signaling) ciphering and integrity (ME <-> eNodeB)
•User plane ciphering (ME <-> eNodeB)
•Mobility management and session management ciphering and integrity (ME <-> MME)
▌Network security
•Relies on use of IPsec to protect protocols … with X.509 certificates (or preshared keys) for nodes authentication and key setup
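The principles above (AKA between USIM and MME, then separate keys for NAS at the MME and for RRC/user plane at the eNodeB) are realised by the EPS key hierarchy. Added example, not part of the Thales deck: the derivation chain of 3GPP TS 33.401 Annex A using the generic HMAC-SHA-256 KDF of TS 33.220, with constructed CK/IK and serving-network inputs; it shows that the eNodeB only ever receives KeNB and derives its own air-interface keys from it.

```python
import hashlib
import hmac

# Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...
def kdf_input(fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each Pi is followed by its 2-byte length Li
    return s

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    return hmac.new(key, kdf_input(fc, *params), hashlib.sha256).digest()

def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    # TS 33.401 A.2 (FC=0x10): KASME from the AKA outputs CK||IK, bound to the serving network id
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)

def derive_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    # TS 33.401 A.3 (FC=0x11): KeNB is what the MME hands to the eNodeB; KASME never leaves the ePC
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))

# TS 33.401 A.7 algorithm type distinguishers
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03, "RRC-int": 0x04, "UP-enc": 0x05}

def derive_alg_key(parent: bytes, alg_type: str, alg_id: int) -> bytes:
    # FC=0x15; a 128-bit algorithm key (e.g. alg_id=2 for 128-EEA2/128-EIA2) keeps the 128 LSBs
    return kdf(parent, 0x15, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))[16:]

def eps_key_hierarchy(ck, ik, sn_id, sqn_xor_ak, ul_nas_count, alg_id=2):
    """Return every key of the EPS hierarchy, annotated with the node that holds it."""
    kasme = derive_kasme(ck, ik, sn_id, sqn_xor_ak)
    kenb = derive_kenb(kasme, ul_nas_count)
    return {
        "KASME": kasme,                                        # ME and MME only
        "KNASenc": derive_alg_key(kasme, "NAS-enc", alg_id),   # NAS between ME and MME
        "KNASint": derive_alg_key(kasme, "NAS-int", alg_id),
        "KeNB": kenb,                                          # handed to the eNodeB over S1
        "KRRCenc": derive_alg_key(kenb, "RRC-enc", alg_id),    # RRC between ME and eNodeB
        "KRRCint": derive_alg_key(kenb, "RRC-int", alg_id),
        "KUPenc": derive_alg_key(kenb, "UP-enc", alg_id),      # user plane between ME and eNodeB
    }

# Constructed sample inputs (not real AKA output): 128-bit CK/IK, 3-byte SN id, 6-byte SQN xor AK
SAMPLE_CK = bytes(range(16))
SAMPLE_IK = bytes(range(16, 32))
SAMPLE_SN_ID = bytes.fromhex("02f801")
SAMPLE_SQN_XOR_AK = bytes.fromhex("000000000001")
```

Re-keying after handover or a new uplink NAS COUNT yields a fresh KeNB and therefore fresh RRC/UP keys without touching KASME.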
Beyond what the standards require by default
▌Standards do not address all aspects of security threats
•SGi interface with the Internet, management plane, operational risks…
•Connection with the Operator's IS
•Concrete network architecture and design
▌Additional, though key, threats not covered by the standards approach
•Protection of UEs against malicious usage (malware…)
•External connectivity is not only the Internet but also MNOs and roaming partners
•Attacks coming via insiders (employees…)
•PMR applications (remote access, malicious applications…)
Beyond what the standards require - Additional cyberthreats for LTE/PMR
[Figure: threat map across the partner's core network infrastructure (IP mobile core: MME, S/PGW, PCRF; 5780 Dynamic Services Controller, 9471 Wireless Mobility Manager; reached via IPX), the base stations and mobile backhaul network, the LTE mobile core (MME, SGW, PGW, HSS, PCRF, NMS), the PMR Application function and the Internet]
Partner's core network infrastructure / roaming
• Use of protocol vulnerabilities (GTP or SCTP) to attempt service disruption or malicious access
• Malicious user attempting access to control core elements from IPX
• Misuse of control elements at roaming partner side can lead to unexpected messages or traffic volume
Base station
• Signaling attack from rogue device or malware on Base Station
• Use of protocol weaknesses (forged GTP messages) to attempt service disruption
Management (NMS)
• Unauthorized access to Management servers can lead to misconfiguration of critical assets
• Malware, inserted via management platforms (PCs, …)
LTE mobile core
• Malicious access to critical core elements (eg: HSS) and data modification (eg: K, charging data)
• Malware modifies the configuration of communication gateway
• Modification of HSS data can lead to stealing service
• Intrusion attempts leveraging protocol vulnerabilities or open services
• Denial of service on gateways
Mobile backhaul network
• Eavesdropping
• Data Tampering
PMR Application function
• Unauthorized access to application servers can lead to misconfiguration of critical assets
• Malware, inserted via applications
LTE Infrastructure Protection - Main Principles
▌Reduce the attack surface
•Goal: Limit exposure to untrusted networks to only the required components
•Means: Topology hiding, reverse proxies, inbound NAT, filtering …
▌Enhanced protection on the most exposed components
•Goal: identify and protect network functions exposed to threat agents
•Means: Multiple security functions with firewall, IDS/IPS, anti-malware, anti-DDoS, …
▌Defense In Depth
•Goal: Increase security through the implementation of several complementary barriers of defense
•Means: Grouping servers with similar sensitivity and/or exposure, Security Tiers definition, DMZ, firewalling, internal segregation
▌Strong segregation across security planes
•Goal: maintain clear separation of OAM, Control and Media traffic
•Means: Traffic isolation through a combination of mechanisms (VLAN, VPRN, VDOM)
▌Assets individual protection
•Goal: cover individual assets and network components against targeted attacks
•Means: antimalware, system hardening
LTE Infrastructure Protection - Main Principles
[Figure: protection map over the same topology as the threat map: partner's core network infrastructure (IP mobile core: MME, S/PGW, PCRF; 5780 Dynamic Services Controller, 9471 Wireless Mobility Manager), mobile backhaul network, LTE mobile core (MME, SGW, PGW, HSS, PCRF, NMS), PMR Application function, Internet]
▌ROAMING INTERFACES PROTECTION
• CTRL Plane: S6a and S9 firewalling to protect homed critical assets
• USER Plane: S8 traffic inspection
• Anti-DDoS protection
▌RAN INTERFACE SECURITY
• ePC management infrastructure protection from the RAN network
• CTRL Plane: SCTP (S1-MME) filtering
• USER Plane: GTP (S1-U) inspection
• Data Confidentiality
• Anti-DDoS protection
▌APPLICATIONS SECURITY
• Anti-malware
• Patching
• Security of Third-Party Remote Access
▌BACKBONE SIDE SECURITY
• Exposure reduction to external networks
• User Plane protection
• Anti-DDoS protection
▌CORE EPC SECURITY
• Control & Management logical planes segmentation (defense-in-depth)
• Data assets protection (users database, charging database)
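The RAN interface bullets call for GTP (S1-U) inspection, and the threat map earlier warns of forged GTP messages from a rogue device or base station. Added example, not from the Thales deck: a minimal GTPv1-U header sanity check of the kind an S1-U inspection function applies before forwarding a UDP/2152 datagram to the SGW, with constructed sample datagrams; the accept list and field layout follow 3GPP TS 29.281, and the tuple-returning interface is this example's own.

```python
import struct

# Message types a GTPv1-U (TS 29.281) peer may legitimately send on S1-U; anything else
# (GTP-C types, unknown values) has no business on the user-plane interface.
S1U_ALLOWED_TYPES = {
    1: "Echo Request", 2: "Echo Response", 26: "Error Indication",
    31: "Supported Extension Headers Notification", 254: "End Marker", 255: "G-PDU",
}

def inspect_gtpu(datagram: bytes) -> tuple:
    """Return ('pass', message name) or ('drop', reason) for one GTP-U datagram."""
    if len(datagram) < 8:
        return "drop", "truncated: mandatory header is 8 octets"
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    version = flags >> 5                      # top 3 bits of the first octet
    if version != 1:
        return "drop", f"GTP version {version} on a GTPv1-U interface"
    if not flags & 0x10:                      # PT bit: 1 = GTP, 0 = GTP' (charging)
        return "drop", "PT=0 (GTP') is not GTP-U"
    if msg_type not in S1U_ALLOWED_TYPES:
        return "drop", f"message type {msg_type} not allowed on S1-U"
    # Length covers everything after the 8 mandatory octets, optional fields included
    if length != len(datagram) - 8:
        return "drop", f"length field {length} vs actual payload {len(datagram) - 8}"
    if msg_type == 255 and teid == 0:
        return "drop", "G-PDU without a tunnel (TEID 0)"
    if msg_type in (1, 2) and teid != 0:      # Echo Request/Response must carry TEID 0
        return "drop", "Echo with non-zero TEID"
    return "pass", S1U_ALLOWED_TYPES[msg_type]

# Constructed sample datagrams (not captured traffic); whitespace is ignored by fromhex
SAMPLES = {
    "g_pdu":        bytes.fromhex("30ff0004 00001234 45000014"),  # G-PDU, TEID 0x1234, 4-byte payload
    "echo_request": bytes.fromhex("32010004 00000000 00010000"),  # S flag set, seq number, TEID 0
    "gtpc_on_s1u":  bytes.fromhex("30100000 00000001"),           # type 16 is GTP-C, not GTP-U
    "bad_length":   bytes.fromhex("30ff0020 00001234 00000000"),  # claims 32 bytes, carries 4
    "gtpv2":        bytes.fromhex("48ff0004 00001234 00000000"),  # version field says 2
}

def inspect_samples() -> dict:
    return {name: inspect_gtpu(pkt)[0] for name, pkt in SAMPLES.items()}
```

Header checks like these only catch malformed or misplaced messages; a full S1-U inspection would also validate the TEID against the sessions the MME/SGW actually established.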
Addressing the continuum by building/using a Cybersecurity Operations Centre
▌ A CSOC is the control tower unifying a wide set of complementary cybersecurity functions
•Risk Management to get a clear view of the level of risk (what is secured vs. what is not secured) and to limit the unknowns
•Vulnerability Management relying on vulnerability scans
•Mission oriented reporting and communication complementing the technical one
•Cyberthreat intelligence enabling better tuning of the countermeasures
•Security Monitoring by collecting logs and events from the infrastructure
Typical questions:
•Do I clearly understand the level of risks and the level of unknowns for my infrastructure?
•Am I certain that no one is penetrating the network and systems? Am I not being hacked through a back door?
•Do I have the right level of patches amongst all the systems? Do I need to patch everything continuously?
•How can I continuously see what happens, just like with CCTVs?
[Figure: CSOC building blocks: Governance, Risk Management, Compliance; Vulnerability Management (vulnerability scanner); Cyber Threat Intelligence; Security Monitoring fed by probes, sandboxes and logs (F/W, servers, etc.) from multiple sources (end devices, networking flows, applications), with logs/events storage and detection through explicit rules, behavioral analysis and dynamic rules; Mission Oriented Communication]
Key takeaways
1. PMR based on LTE opens new possibilities but brings new cybersecurity challenges with it, due to the open nature of LTE
2. Implement a securely designed system. Think holistically
3. Adopt a cybersecurity operations approach to help in prevention, detection and response to cyberthreats
4. Thales is best placed to support you in addressing cyberthreats thanks to its cybersecurity solutions and services covering the full spectrum of needs
Please visit our booth for more information