From the Security Experts

February 13, 2012

Security in the LTE Network


Security in IP networks continues to be of great concern to end users, network service providers and therefore to network equipment manufacturers and application developers. This concern is growing during the transition to an all-IP network. The list of security threats is well known; spam, viruses, worms, data theft, identity theft, identity spoofing, denial of service (DoS), distributed denial of service (DDoS), eavesdropping, modifying data and replaying data are all concerning. Plus, with the move to a flatter and more IP-centric LTE architecture, new security risks are being exposed all the time.

Historically, wireline and mobile networks have been inherently secure because of TDM protocols such as SS7, end-to-end authentication and encryption in 2G/3G networks. However, LTE does not benefit from this mandatory protection. The growth of IP in telecom networks has tended, until recently, to be in the core network and was therefore secure because it is far enough away from the user and edge of the network to be protected by traditional security methods.

The current trend towards smaller cell sites (picocells and femtocells) will increase in the LTE environment. In fact, Heavy Reading has predicted that there will be a sharp increase in the number of cell sites from approximately 2.7 million today to 3.8 million in 2015. Not only does that mean there are more network elements to manage, but these small cell sites tend to be located in less physically secure locations.

Consequently, lots of protocols and data have to be handled by a processor that carries the primary objective of running the application, but the threat cannot be ignored and the data travelling through it must be protected. To prevent bottlenecks, it’s essential to make sure not just that security implementation is effective but also that the security processing engine is highly efficient.  

IPsec has been defined by 3GPP as the security protocol for both control and user plane applications in LTE. It is ideally suited to this type of switching and routing application whereas MACsec is more prevalent in endpoints, while SSL/TLS is the security protocol of choice for application servers. Control plane security relies on complex logic and tends to be software based, whereas the data plane is more focused on the actual packet processing performance and relies heavily on the underlying hardware. IPsec-based security appliances are common, but network elements in LTE/IMS need tightly integrated security solutions that combine the benefits of security software with hardware acceleration.

The new network elements in the 4G/LTE All-IP world such as the Mobility Management Entity (MME), Serving Gateway (SGW) and Packet Data Network Gateway (PGW)make up the core elements. The HSS (Home Subscriber Server) maintains the subscriber database and generates security information from user identity keys. The Policy Control Resource Function (PCRF) servers set Quality of Service, Service Level Agreements, and usage restrictions and are key to new billing paradigms based on emerging fee-for-service models.

New packet-based functions are required in each and every one of these new and enhanced network elements.They offer security as both signalling and user plane services will need to be protected in a mobile network that relies on access to the public Internet.

DPI will also be required to make sense of the packet blizzard flowing through the network. Without DPI, there is no way of knowing what protocols, services and applications are to be allowed, disallowed, billed for and prioritized. Based on both shallow and deep packet inspection, traffic management and priorities will be enforced. 

These new networks require new protocols with SCTP and IPsec providing reliable and secure network signalling for the numerous Diameter interfaces, GTP-C, as well as SIP and Radius. Bearer services on the S1-U from the MME and RTP with SRTP also require these types of lower layer protocols.

The Evolved Packet Core (EPC) is the IP-based core network defined by 3GPP for LTE and other access technologies. The goal of EPC is to provide simplified all-IP core network architecture to efficiently give access to various services. LTE enables operators to support a wide variety of access types using a common core network. EPC solutions typically include backhaul, network management, and video, applications that all monetise the LTE investment. At the same time security features such as subscriber identification and authentication are important for the MME, and the support of offline and online charging is a key attribute of any SGW orPGW.

The Mobility Management Entity (MME) is the termination point in the network for ciphering/integrity protection for NAS signalling and handles the security key management. Lawful interception of signalling is also supported. The MME provides a control plane function for mobility between LTE and 2G/3G access networks with the S3 interface terminating at the MME from the SGSN. The MME terminates the S6a interface towards the home HSS for roaming User Equipment (UEs) and is in charge of all the Control plane functions related to subscriber and session management. From that perspective, the MME must support security procedures for end-user authentication as well as initiation and negotiation of ciphering and integrity protection algorithms.

The Serving Gateway (SGW) is the termination point of the packet data interface towards E-UTRAN. The SGW routes and forwards user data packets, while also acting as the mobility anchor for the user plane during inter-eNodeB handovers and as the anchor for mobility between LTE and other 3GPP technologies (terminating S4 interface and relaying the traffic between 2G/3G systems and PGW). It manages and stores UE contexts, e.g. parameters of the IP bearer service and network internal routing information. It also performs replication of the user traffic in cases of lawful interception. Security must be applied to user plane data and IPsec provides the solution.

The PDN Gateway (PGW) is the termination point of the packet data interface towards the Packet Data Network. As an anchor point for sessions towards the external Packet Data Networks, the PGW also supports Policy Enforcement features (which apply operator-defined rules for resource allocation and usage), packet filtering (like deep packet inspection for virus signature detection) and evolved charging support (like per URL charging).

The PGW provides connectivity from the UE to external Packet Data Networks by being the point of exit and entry of traffic for the UE. A UE may have simultaneous connectivity with more than one PGW for accessing multiple PDNs. The PGW performs policy enforcement, packet filtering for each user, charging support, lawful interception and packet screening. Consequently, the key functions of the PGW are: security, signalling, user plane GTP-U, and DPI/packet filtering for Dynamic/Static Policy Enforcement, QoS, Online/Offline Charging and Session/Bearer Management.

The Policy Control and Resource Function (PCRF) server manages the service policy and sends QoS setting information for each user session and accounting rule information. The PCRF Server combines the Policy Decision Function (PDF) and the Charging Rules Function (CRF).

The PDF is the network entity where the policy decisions are made such as allowing or rejecting the media request, using new or existing PDP context for an incoming media request and checking the allocation of new resources against the authorised maximum.

The CRF’s role is to provide operator-defined charging rules applicable to each service data flow. The CRF selects the relevant charging rules based on information provided by the P-CSCF, such as Application Identifier, Type of Stream (audio, video, etc.), Application Data Rate, etc.

These servers must have the processing power to host the policy and charging applications while at the same time meeting their security and signalling requirements. This requires IPsec to be integrated with SCTP functionality underpinning the required Diameter services.

The HSS (Home Subscriber Server) combines the HLR (Home Location Register) and the AuC (Authentication Centre). The HLR part of the HSS is in charge of storing and updating the database containing all the user subscription information. The AuC part of the HSS is responsible for generating security information from user identity keys. This security information is provided to the HLR and further communicated to other entities in the network. Among other things, the security information is mainly used for network-terminal authentication, radio path ciphering and integrity protection (to ensure data and signalling transmitted between the network and the terminal is neither eavesdropped nor altered), user identification and addressing, and user profile information.

Servers must have the processing power to host the combined HLR and AuC functions within the HSS and deliver the security and signalling requirements to specific Diameter interfaces.  This requires IPsec and SCTPfunctionality and again this must be tightly coupled with the Diameter services.

IPsec is mandatory for IPv6 deployments and every node in the LTE network will eventually need it. However, most users don’t want to know about it, they simply want to use it. The products they are looking for must support all the key functions of the MME, SGW and PGW: security, signalling, and DPI/packet filtering for Dynamic/Static Policy Enforcement, QoS, Online/Offline Charging and Session/Bearer Management. The flexible and scalable architecture of these products will allow the developer to tailor their solution according to the particular needs of their application and scale it accordingly.

A user who doesn’t want to know about security, but simply wishes to use it, is not just a function of the network security itself.   At the same time as delivering security and signalling requirements, the system must have the processing power to run the applications and functions of these new network nodes and elements with no impact on the user experience.

Andrew (Drew) Sproul is currently Director of Marketing at Adax, Inc. During his 20+ year career in telecoms Drew has held management positions in Sales and Marketing at Adax, Trillium, and ObjectStream. Drew has a BA in Human Services from Western Washington University in Bellingham WA.

TMCnet publishes expert commentary on various telecommunications, IT, call center, CRM and other technology-related topics. Are you an expert in one of these fields, and interested in having your perspective published on a site that gets several million unique visitors each month?
Get in touch.

Edited by Rich Steeves