Sec conf london_v07

Posted on 21-Jun-2015


DESCRIPTION

What will it take to make virtualized LTE security a practical option? Stoke examines the drivers, roadblocks and milestones in this presentation, first given in London in May 2014.

Transcript

© 2014 Stoke

Securing the LTE Core – the Road to NFV

| Proprietary and Confidential

Dilip Pillaipakam, Vice President, Product Management and Marketing

The LTE Security Framework

[Slide diagram: the LTE core with its reference points (S1-C, S1-U, S5/S8, S6A, S9, S11, Gx, Gz/Gy, SGi) and network elements (SEG, MME, SGW, DRA, SBC, CSCF, IMS Core, Policy / Charging Control), grouped into the RAN-Core Border, Internet Border, Other LTE Network, and Device and Application domains.]

The border between RAN and Core (S1) requires protection against specific risks to critical infrastructure at that interface.

Control Plane Functions: IKE, AAA, Routing

Data Plane Functions: Forwarding, QoS, ACL, Packet Inspection


LTE Security at the S1 Link – Emerging Trends

Challenge / Requirements

Stronger Security
•  2048 bit key length
•  PKI

Signaling Protection - New Threat Vectors
•  Protect core - exponential transaction increase
•  S1 protocol/state validation

VoLTE Rollout
•  Low latency transport
•  Sub-1 second recovery

Elastic Deployment
•  Virtualized security gateway on COTS
•  SDN integration

Scalable Small Cell Deployments
•  Dense session aggregation
•  Intelligent load balancing


Use Case: Macro and Small Cell Security

»  Unsecured backhaul
»  Rapidly increasing throughput
»  High tunnel density
»  Ultra-low latency
»  Directly impacts subscriber QoE

[Slide diagram: small cells (home, office, outdoor metrocell) backhauled over millions of tunnels into the 4G LTE EPC (MME, SGW); VoLTE is characterised as low latency, small packets and high bandwidth, with an E2E latency budget of 100 ms.]


Use Case: Signaling Overload

»  Signaling Overload Threats
   »  Application initiated
   »  Compromised eNodeBs
   »  Natural disasters

»  Prioritized Traffic
   »  Already connected subscribers
   »  Specific eNodeBs

[Slide diagram: millions of service requests triggered by an application update server arriving at the 4G LTE EPC (MME, SGW); the QoE goal is to prioritize.]
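The prioritisation the slide describes (when service requests spike, keep serving already-connected subscribers and designated eNodeBs, and shed the rest), as an added Python illustration of overload admission control in front of an MME. This is not Stoke's code; the per-window capacity, the priority eNodeB list, the per-eNodeB flood threshold and the sample requests are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceRequest:
    enb_id: str       # originating eNodeB (constructed identifier)
    imsi: str         # subscriber (constructed identifier)
    connected: bool   # subscriber already has an active session in the EPC


# Assumed operator policy: eNodeBs whose traffic is never shed under overload.
PRIORITY_ENBS = {"enb-hospital-1"}


def priority_class(req: ServiceRequest) -> int:
    """Lower value = served first. Designated eNodeBs, then already-connected
    subscribers, then everything else (the class that absorbs the shedding)."""
    if req.enb_id in PRIORITY_ENBS:
        return 0
    if req.connected:
        return 1
    return 2


def admit(requests, capacity):
    """Admission control for one scheduling window: admit requests in priority
    order until the window's signaling budget is used, reject the remainder.
    Ties within a class keep arrival order."""
    ordered = sorted(enumerate(requests), key=lambda p: (priority_class(p[1]), p[0]))
    admitted, rejected = [], []
    for _, req in ordered:
        (admitted if len(admitted) < capacity else rejected).append(req)
    return admitted, rejected


def flooding_enbs(requests, per_enb_limit):
    """Detection side: eNodeBs whose request count in the window exceeds the
    limit, a symptom of an application-triggered storm or a compromised eNodeB."""
    counts = Counter(r.enb_id for r in requests)
    return {enb: n for enb, n in counts.items() if n > per_enb_limit}


# Constructed sample window: 3 requests from a priority eNodeB, 4 from
# already-connected subscribers, and a burst of 20 new requests from one cell.
SAMPLE = (
    [ServiceRequest("enb-hospital-1", f"imsi-h{i}", False) for i in range(3)]
    + [ServiceRequest("enb-city-2", f"imsi-c{i}", True) for i in range(4)]
    + [ServiceRequest("enb-suburb-3", f"imsi-s{i}", False) for i in range(20)]
)
```

With a window budget of 10, all hospital and connected-subscriber requests are admitted and only the burst from the single flooding cell is shed, which `flooding_enbs` also reports for operator alerting.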


The LTE Security Framework – vSEG Phase 1

[Slide diagram: the LTE core diagram from slide 2 (reference points S5/S8, S6A, S9, S11, Gx, Gz/Gy, SGi; elements MME, SGW, DRA, SBC, CSCF, IMS Core, Policy / Charging Control; RAN-Core Border, Internet Border, Other LTE Network and Device and Application domains; control plane functions IKE, AAA, Routing; data plane functions Forwarding, QoS, ACL, Inspections), with the SEG at the RAN-Core Border replaced by v-SEG (DP) and v-SEG (CP).]

»  vSEG on COTS hardware on Linux
»  Similar deployment and operational model as today
»  Benefits:
   »  Removes restriction of physical chassis
   »  Scale to very large number of line cards


The LTE Security Framework – vSEG Phase 2

[Slide diagram: a Security Gateway Cloud at the RAN-Core Border in front of a virtualized EPC (V-EPC); v-SEG (DP) nodes handle QoS, inspection and ACLs, v-SEG (CP) nodes handle IKE, AAA and routing, under an SEG Controller and an SDN Controller; S1-C and S1-U arrive from the RAN, with the Internet Border, Policy / Charging Control, DRA, SBC, CSCF, MME, SGW and Other LTE Network around the core.]

»  Disaggregate control plane and data plane functions to scale each function independently.
»  Can be integrated with Operator's SDN infrastructure
»  Benefits
   »  Fully elastic on-demand deployment
   »  Capacity can be added dynamically by adding more service nodes
   »  Scale some functions disproportionately


Conclusions

»  Each domain of the LTE Security Framework provides protection against specific threats and therefore has unique functional and performance requirements
»  The S1 Link has stringent performance and latency requirements
»  Purpose-built platforms will remain the mainstay for the next few years
»  Virtualization has benefits, but is not the answer for all use cases
