White Paper Backhaul Security for Wi-Fi & Small Cells

Prepared by Patrick Donegan Senior Analyst, Heavy Reading www.heavyreading.com on behalf of

www.radisys.com March 2012

HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 2

Network Security & the Small-Cell Era While mobile operators are right to think positively about the opportunity that Wi-Fi and small cells represent, they also need to be hard-headed and strategic about addressing the risk of new security exposures that small cells will inevitably bring to their network assets and their customer's user experience. 3GPP specifies a Security Gateway or SEG that serves as a security gateway for supporting a growing proportion of the operator's investment in new small cells as well as macrocells.

The Beginning of the Small-Cell Era There is no industry-agreed definition on precise cell site types, but Heavy Reading defines microcells as medium-sized base stations designed for capacity fill-in, typically deployed in urban areas in conjunction with higher capacity macrocells. Our definition of a microcell is a base station product that supports between 5 watts and 10 watts of power output per sector; up to four sectors; is portable, weighing perhaps 20-30 kg; a range of perhaps 500 meters; and capable of having the baseband and RF elements separated out and deployed several meters away, allowing greater flexibility regarding where they can be deployed. Microcells, as Heavy Reading defines them, were launched by all the major 2G and 3G infrastructure vendors in the late 1990s or early 2000s and came to be the key product for cellular network planners in the first decade of the 21st century. As mobile operators went from 20 percent mobile subscriber penetration to 100 percent, as more and more people began using their cell phone as their primary phone, as the extraordinary boom in text messaging took off, and then as the first HSPA and EVDO upgrades started to be rolled out in earnest, most mobile opera-tors deployed substantial volumes of microcells in the network to keep up with the new capacity demands. They deployed them because they provided a capacity fill-in solution that was more targeted, more flexible, more environmentally-friendly and lower cost than conventional high-capacity macrocells that cost a lot more, consume a lot more power and take up a lot more space.

Small Cells – The Next Generation In much the same way that new patterns of user demand drove the deployment of microcells in the mobile network in the first decade of this century, new patterns of demand in this second decade of the century – specifically the huge consump-tion of data via 3G- and 4G-enabled laptops, smartphones, tablets and other devices – is driving the business case for a new generation of still smaller cells. Again, in the absence of industry-wide agreement on what the precise definition is, Heavy Reading chooses to define this new generation simply as small cells. In Heavy Reading's definition, a small cell is defined in the following way:

· Very small form factors weighing a few kilograms, some no heavier than 1 or 2 kg.

· Typically a single-sector device with omni- or directional antenna.

· Low power output compared with macro- and microcells, some as low as 250 milliwatts.

· A range of no more than 100-150 meters in urban environments, often less.

HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 3

The value proposition of small cells today is essentially the same as that of the first microcells ten years ago – by reducing a base station's footprint still further, so that small cells can be held in the palm of the hand, additional spectrum can be accessed or existing spectrum used more efficiently; the miniaturized size allows even greater flexibility of deployment; there is even less environmental impact in terms of power consumption and obtrusive objects in the public domain. In sum, new generations of small cells hold out the promise of serving as the next base station type for keeping up with the demand for mobile data – but doing so at a lower cost that enables the operator to maintain profitability.

The Three Main Types of Small Cell From a mobile operator's perspective, small cells can be broken down into three primary types:

· 3GPP-compliant 2G, 3G or 4G femtocells for closed user groups in residen-tial and enterprise markets, managed separately from the macro network.

· 3GPP-compliant public-access small cells for use by all subscribers, inte-grated with the macro network; and

· Mobile operator-deployed Wi-Fi access points.

3GPP Femtocells for Closed User Groups A lot of mobile operators are already deriving benefits from deploying small cells in volume, of course. 2G and 3G femtocells – small cells for closed user groups in the residential or enterprise environment – are being widely deployed by mobile operators throughout the world. According to the Small Cell Forum, there were more than 2 million femtocells in service as of June 2011. As of June 2011, femtocells were being actively deployed by 31 operators throughout the world including AT&T, Verizon Wireless, Vodafone, Telefónica, T-Mobile, NTT Docomo, KDDI and China Unicom. This was up from 19 in February 2011, leveraging an infrastructure market of 25 femtocell vendors. The majority of deployments today are residential-only, although some operators are also deploying femtocells in enterprise environments, as well.

3GPP Small Cells for Public Access These are still very early days for operators in terms of evaluating the business case for deploying public-access small cells that are accessible to any of their custom-ers. But Heavy Reading expects 2012 to be the year when many vendors launch their first 3GPP public-access small-cell products. That said, there is already evidence of some initial deployments. For example:

· In November 2011, for example, Vodafone UK announced it is extending its rollout of Alcatel-Lucent's femtocell products into trialing some of its wide-area small-cell products, including Alcatel-Lucent's 9364 3G Metro-cell product, which has dimensions of 24 cm x 24 cm x 5 cm and weighs just 2 kg. These trials are targeted at rural environments in the U.K., where

HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 4

small cells in remote communities could deliver mobile broadband speeds to relatively small numbers of users at a lower cost point than either the fixed network or conventional macro- and microcell-based approaches.

· South Korea's SK Telecom is deploying a new 16-user public-access small cell developed by Contela, a Korean company. SK Telecom is currently rolling out Contela's new 2FA public-access small cells, supporting both HSPA and Wi-Fi, in major shopping malls and airports around the country.

2012 will see many more vendors announcing new small-cell products. Many of the 25 femtocell vendors are re-spinning their platforms to deliver products into this space that support the higher capacity needed and allow integration with the macro and micro layers. Mainstream 3GPP infrastructure vendors will also be launching new products in this space in 2012, some of which will be small versions of their current microcell portfolio, while others will be based on new purpose-built small cell platforms. There will be dedicated 2G, 3G and 4G small cells, as well as products that support two or more of those generations in one device. There will also be small cells that combine one or more cellular radio interfaces along with Wi-Fi, with the latter serving either as a subscriber access option or to backhaul the 3GPP traffic.

Wi-Fi Access Points A Wi-Fi access point meets Heavy Reading's definition of a small-cell product that is already available to mobile operators. Because it operates in unlicensed spectrum that is more vulnerable to interference than licensed 3GPP spectrum, Wi-Fi has traditionally been considered something of a poor relation of licensed cellular radio standards in mobile operator circles. Mobile operators do have experience of leveraging Wi-Fi, but it is typically as a parallel access network to the mobile network. While users can get basic Internet access from a mobile operator's approved co-branded Wi-Fi access network, today they typically can't access the mobile operator's unique suite of services delivered from its core network. This is even true today in most cases where mobile operators deploy their own Wi-Fi access points.

Figure 1: Connection Types By Device and OS

Source: comScore

HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 5

As they contemplate the future role of small cells in their network, many mobile operators are also looking again at the role of Wi-Fi in their access networks. As reflected in the comScore data referring to the U.S. market during 3Q11 (Figure 1), it is not uncommon for mobile operators to report that their customer's smartphone usage is now split roughly evenly between Wi-Fi and 3GPP access networks. The number of connections on AT&T's Wi-Fi networks has increased from just 20 million in 2008 to 381.2 million in 2010 and stood at 745 million for 2011 by the end of 3Q11. Leading Wi-Fi vendors are driving the Wi-Fi industry roadmap in the direction of greater carrier-grade performance and user mobility features. Most notably the Hotspot 2.0 Task Group was formed in 2010 within the Wi-Fi Alliance to create a common set of standards for common, seamless Wi-Fi authentication and roaming that seeks to mirror the user experience with 3G. Examples of mobile operators all over the world are looking again at how they use Wi-Fi to handle rising data traffic volumes and compliment their service offerings:

· During 2011 Japan's KDDI began rolling out what is probably the world's largest mobile operator-built Wi-Fi network focused on 3G capacity relief in urban hotspots. Deployed in a data offload configuration to relieve ca-pacity on KDDI's CDMA 2000 RAN and mobile packet core capacity, and backhauled via the operator's preexisting WiMax network at 2.5GHz, this network is due to reach 100,000 Wi-Fi access points in downtown Tokyo by 1Q12. KDDI's post-paid data customers are offered free access with auto-authentication to the Wi-Fi network for data applications.

· With the London Olympics upcoming, in January 2012 O2 announced that it is building out what it says will be Europe's largest Wi-Fi Zone and "inte-grating new layers of technology into the existing network to enable a seamless and sustained customer experience."

· Having been reluctant to use Wi-Fi up until recently, China Mobile is now intent on deploying up to 1 million Wi-Fi access points throughout China.

Some 3GPP-driven RAN vendors are altering their strategies to make way for greater leveraging of Wi-Fi networks. Nokia Siemens Networks (NSN) now markets a "Smart Offload" solution that leverages Wi-Fi, a development that would have been unthinkable a few years ago.

Unique Security Challenges With Small Cells So far, only the positive opportunity presented by small cells has been discussed. It is certainly substantial, but the small-cell era necessarily creates new challenges from a security perspective as well. The specific issues relating to each of the three small cell categories identified will be addressed shortly, but they can also be generally summarized at a high level in the following way:

· Hundreds of thousands of macro- and microcells were deployed when the mobile operator's initial transport network was built around secure TDM protocols, and when all manner of IP-based Internet security attacks were confined to wireline-connected PCs. By contrast, when small cells are rolled out in volume, it will be into an increasingly IP-oriented mobile net-work environment, where the security vulnerabilities are inevitably greater.

HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 6

· Unlike conventional macrocell sites that have strong physical security – including heavily locked doors, alarms and strict access control – due to their form factor small cells are more likely to be deployed in a relatively openly accessible, public place, such as a shopping mall or a street light or other utility pole. Here they can much more easily be physically tam-pered with and potentially compromised by unauthorized parties.

· Because they support fewer subscribers than a macro- or microcell, as previously stated in many cases small cells need to leverage preexisting fixed access networks for backhaul. In cases where that is a DSL connec-tion, the mobile user's traffic is liable to be exposed to the untrusted open Internet environment, rather than managed end-to-end across the mobile operator's dedicated, trusted facilities.

· Many mobile operators will roll out LTE small cells. This is important from a security perspective because unlike with 2G and 3G, where 3GPP man-dates encryption between the air interface and the BSC or RNC, in LTE the 3GPP-mandated encryption terminates in the eNodeB, with the result that there is no native or embedded encryption in LTE between the eNodeB and the core of the network.

· Mirroring the femtocell model, many 3G public-access small cells are also designed with a subset of radio resource management features built in, so that they too can bypass the RNC if the operator wants to. Although it is not mandated in 3GPP's 3G standards in the same way that it is in LTE, the result of this model is nevertheless the same as in LTE, in that encryption is terminated in the 3G public-access small cell, so the operator needs to encrypt it again across the backhaul to secure it effectively.

While these five security issues are generic to small cells – particularly to 3GPP small cells – the following sections will explore security issues relating to the three specific small cell types.

Femtocells: A Model for Small Cell Security The industry already has a well-established model for mitigating small-cell security risks in the way the 3GPP has redefined security specifically for femtocells. And this model has the potential to serve as the basis for securing other small cells, as well. There are three major exposures in the femtocell model as compared with conventional macro- and microcell security:

· Since it is deployed by the user themselves in the home or enterprise, the femtocell device itself is obviously vulnerable to physical tampering.

· Femtocells are independent of the mobile operator's macro and micro layer, in that the traffic they generate is routed directly to the operator's core network, rather than to a BSC or RNC. With a femtocell, the 3GPP encryption that would normally terminate at the BSC or RNC terminates in the femtocell itself. Hence femtocell user traffic is no longer protected by 3GPP encryption, but is clear text that could potentially be intercepted.

· In the femtocell model, particularly in home environments, the access network providing the backhaul is not the mobile operator's own dedi-cated transport service. Rather it is a simple DSL connection, with all the exposure to the public Internet and security vulnerability that that entails.

HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 7

As shown in Figure 2, 3GPP provides a unique security architecture for femtocells. The key feature of 3GPP's femtocell security architecture is that it provides for the instantiation of an IPsec tunnel within the femtocell or Home eNodeB itself for encryption and authentication of the traffic as it exits the femtocell and is trans-ported across the access network. That tunnel is then unencrypted by a security gateway in the operators' core network.

What is essentially this security architecture has already been successfully dep-loyed to support all of the 2 million femtocells in service today, and will serve for future femtocell and Home eNodeB deployments. The model has been shown to be highly secure to date. There have been a couple of scares, notably relating to security vulnerabilities relating to some early deployments by Vodafone and SFR. In the Vodafone case, detected at the start of 2010, hackers demonstrated that an engineering serial port connection that had been used for debugging in trials of its Sure Signal femtocells had been left live, together with default passwords, with the result that the traffic from the femtocell could potentially be intercepted. A security patch was automatically issued to all Sure Signal devices within a few weeks of the vulnerability being identified, and no actual damage was done to any of Vodafone's customers, but the episode served to highlight the potential exposure across small-cell product types and the nature of the new security challenges. The experience of femtocell deployments thus far is therefore that the security architecture is performing extremely well, although operators need to remain permanently vigilant with respect to potential future vulnerabilities.

Figure 2: HeNB Security Femto, Pico and Small Cells

Source: Radisys

HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 8

Security for 3GPP Public-Access Small Cells 3GPP-based public-access small cells share many of the same security vulnerabili-ties as closed user group femtocells in the home or enterprise. For that reason, 3GPP foresees substantially reusing the femtocell security architecture for securing public-access small cells. There are some differences in the risk profile of a public-access small cell as compared with a femtocell:

· A public-access small cell that has a radio-based backhaul which is a physically separate unit, rather than being one integrated device, will have the additional vulnerability of interception of traffic in the wired or wireless communication path between the two devices.

· In cases where the X2 interface between cells is used in LTE public-access small cells, an attacker might not just be able to access a single cell, but could potentially look to leverage the X2 to access several adjacent cells as well.

It's clear that while there will be very little variation in the security architectures that mobile operators use in the case of femtocells, the greater variety and complexity associated with deploying and managing public-access small cells will give rise to a lot more variation in the security model that operators adopt as these are rolled out. There is certainly an opportunity to reuse the same security gateway to terminate both femtocell and public-access small-cell traffic. The benefits of this approach are obvious from both a capex and opex perspective. The operator can share the same security architecture across public and private domain small cells as well as the same physical equipment, providing it is able to scale sufficiently to support hundreds of thousands or even millions of subscribers. There are reasons why some operators might want to forego the benefits of sharing the same physical security gateway and instead have separate gateways for femtocells and public-access small cells. For example, Integration and coordi-nation with the macro- and microcell layers as regards handover and provisioning is going to be very important for public-access small cells. And unlike in the femtocell environment, many operators are likely to want their public-access small cells to trigger a security alarm in their NOC if they are tampered with. It is true that many microwave and other radio-based backhaul solutions do support their own very robust encryption. The disadvantage for the operator in relying on this as an alternative to IPsec is that IPsec provides the operator with a uniform approach not just for encryption, but also for authentication across all of its insecure cells.

Enhanced Security for Carrier Deployed Wi-Fi With its origins as a self-deployed home and enterprise access technology, security didn't feature as a key consideration in the evolution of Wi-Fi, as it did in the case of cellular standards. The resulting ease with which countless numbers of users have had sensitive, personal information copied and stolen is well known.

HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 9

But consistent with the increasing interest of fixed and mobile operators in using Wi-Fi as a complimentary broadband access network in their portfolio, a lot of work is being done to render Wi-Fi networking more secure in terms of both the user-facing air interface and the network-facing transport or backhaul service. Industry efforts to provide integration of Wi-Fi into a mobile operator's access portfolio date back more than 10 years to Unlicensed Mobile Access (UMA), which provides for hand-off between wide-area GSM and indoor Wi-Fi usage, and Interworking Wireless LAN (I-WLAN), which provides for Wi-Fi integration with a mobile operator's 3G mobile packet core elements. Whereas UMA saw very little adoption, there is ongoing interest in both I-WLAN for 3G and increasingly for Wi-Fi integration with the Evolved Packet Core (EPC). As shown in Figure 3, 3GPP's I-WLAN standard specifies the instantiation of an IPsec tunnel in the smartphone or other end-user device as a means of securing what it defines as "untrusted" Wi-Fi traffic coming into the 3G core. The tunnel is termi-nated before the traffic hits the mobile packet core by a Packet Data Gateway (PDG) or Tunnel Termination Gateway (TTG) performing much the same role as the Femto Gateway in femtocell deployments.

3GPP therefore provides a means by which mobile operators can leverage the same security architecture based on IPsec for all its small-cell deployments – whether they be femtocells, 3GPP public-access small cells or carrier deployed Wi-Fi access points.

Figure 3: The I-WLAN Security Architecture

Source: Radisys

HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 10

It should be noted that there have been other parallel developments in the Wi-Fi security space in the years since the I-WLAN standard was first written. For exam-ple, a combination of Generic Routing Encapsulation (GRE) encryption and the IEEE's 802.1x authentication is now an alternative approach for mobile operators to secure Wi-Fi access networks. It has the advantage that there has so far been faster initial adoption of 802.1x than IPsec among smartphone vendors, although most smartphone vendors have IPsec in their roadmaps. Nevertheless, this alterna-tive has the disadvantage that opting for different security environments for different types of small cells creates challenges from both a capex and opex perspective. The 802.1x and GRE approach is also not formally approved by 3GPP, whereas I-WLAN, with its endorsement of IPsec as the encryption mechanism for securing Wi-Fi traffic, is.

The Additional Need for IPsec at Macro Sites So far this paper has demonstrated how security issues are different for small cells as compared with conventional macro- and microcells. It has shown how the instantiation of IPsec tunnels by 3G and LTE small cells and their termination in a security gateway is provided for by 3GPP, and how that same security infrastruc-ture can be reused for carrier-deployed Wi-Fi access points to provide a common security infrastructure for small cells. It's also worth adding that in the case of LTE, where encryption is always termi-nated in the eNodeB irrespective of whether the eNodeB is a large macrocell or a public-access small cell, 3GPP also recommends the use of IPsec wherever the backhaul is deemed to be "untrusted" by the mobile operator. This means that in addition to being shared across all future small-cell deployments, the IPsec security infrastructure can also be shared across LTE macro and micro sites. Several years further out, operators are going to start dispensing with their dedi-cated 2G and 3G packet cores and begin terminating their 2G and 3G traffic on the EPC. As and when they look to do that, operators will need to look at how they secure that in an all-IP environment, and one potential approach could be to wrap 2G and 3G traffic into IPsec tunnels as well.

Key Requirements in 3GPP Security Gateways Mobile operators need highly scalable and cost effective security solutions to protect their networks and subscribers as small cells are rolled out in volume in the home, the enterprise and the wide-area public-access markets. Carrier-class solutions are preferable to enterprise products, enabling the operator to support potentially very large numbers of concurrent, bidirectional IPSec tunnels on a stateful, high-availability system, at the lowest possible cost per subscriber. Key factors required from a 3GPP SEG to ensure rollout of small cells is accompa-nied by robust security are:

· Carrier-grade availability and redundancy

· Full alignment with 3GPP standards

· Ease of integration into the existing network

HEAVY READING | MARCH 2012 | WHITE PAPER | BACKHAUL SECURITY FOR WI-FI & SMALL CELLS 11

· High scalability

· Reuse of the security solution not just across multiple types of small cell, but for LTE and potentially other macrocells

· Run on a highly secure hardware and software architecture When purchasing a 3GPP SEG, the operator must recognize the location, the performance, the capacity and the reuse of the software throughout the network. Having the SEG collocated or integrated with the primary elements in the mobile network infrastructure such as the RNC, GGSN or PDG, or integrated is recom-mended for deployment.

Conclusion Though not always the first thing people think about, poor security implementa-tions have the potential to delay the large-scale rollout of small cells in the operator's radio access network. Small cells have unique security requirements that are addressed by 3GPP via the SEG. The SEG can serve as a common platform for 3G and LTE public-access small cells; femtocells; Wi-Fi small cells; as well as LTE macrocells. Even though some mobile operators may not want to support all of these different radio access products from the same physical SEG node, there are nevertheless significant advantages to leveraging different instances of the same platform for each. Enterprise platforms are unsuited to the scalability that many mobile operators are liable to need as they roll out small cells in volume. High-capacity, high-availability platforms are likely to be the preferred long-term choice of mobile operators.

Background to This Paper Original Research This Heavy Reading white paper was commissioned by Radisys, but is based on independent research. The research and opinions expressed in this report are those of Heavy Reading.

About Radisys Radisys (Nasdaq: RSYS) is a leading provider of embedded wireless infrastructure solutions for telecom, aerospace, defense and public safety applications. Radisys' market-leading ATCA, IP Media Server and COM Express platforms coupled with world-renowned Trillium software, services and market expertise enable customers to bring high-value products and services to market faster with lower investment and risk. Radisys solutions are used in a wide variety of 3G & 4G/LTE mobile network applications including: Radio Access Networks (RAN) solutions from femtocells to picocells and macrocells, wireless core network applications, DPI and policy management; conferencing and media services including voice, video and data, as well as customized mobile network applications that support the aerospace, defense and public safety markets.