Securing the LTE Core – the Road to NFV

Light Reading Mobile Network Security Strategies
London, May 21, 2014
Dilip Pillaipakam, Vice President, Product Management and Marketing
© 2014 Stoke | Proprietary and Confidential

The LTE Security Framework

[Diagram, labels only. Domains: Device and Application, RAN-Core Border, Internet Border, Policy / Charging Control, IMS Core, Other LTE Network. Control Plane Functions: IKE, AAA, Routing. Data Plane Functions: Forwarding, QoS, ACL, Packet Inspection. Elements: SEG, MME, SGW, DRA, SBC, CSCF, Internet. Interfaces: S1-C, S1-U, S6A, S9, S11, S5/S8, Gx, Gz/Gy, SGi.]

The border between RAN and Core (S1) requires protection against specific risks to critical infrastructure at that interface.

LTE Security at the S1 Link – Emerging Trends

Challenge:
Stronger Security
New Threat Vectors
VoLTE Rollout
Scalable Small Cell Deployments
Elastic Deployment

Requirements:
• 2048 bit key length
• PKI Signaling Protection
• S1 protocol/state validation
• Low latency transport
• Protect core - exponential transaction increase
• Sub-1 second recovery
• Dense session aggregation
• Intelligent load balancing
• Virtualized security gateway on COTS
• SDN integration

Use Case: Macro and Small Cell Security

[Diagram, labels only: 4G LTE; Small Cells (Office, Home, Outdoor Metrocell); EPC (MME, SGW).]

» Unsecured backhaul
» Rapidly increasing throughput
» High tunnel density

VoLTE: Low Latency Small Packets
» Ultra-low latency
E2E Latency Budget = 100 ms
» Directly impacts subscriber QoE

Use Case: Signaling Overload

[Diagram, labels only: 4G LTE; Millions of Service Requests; Small Cells (Office, Home, Outdoor Metrocell); EPC (MME, SGW); Application Update Server; QoE: Prioritize.]

Signaling Overload Threats
» Application initiated
» Compromised eNodeBs
» Natural disasters

Prioritized Traffic
» Already connected subscribers
» Specific eNodeBs

The LTE Security Framework: vSEG Phase 1

[Diagram, labels only. Control Plane Functions: IKE, AAA, Routing, on v-SEG (CP). Data Plane Functions: Forwarding, QoS, ACL, Inspections, on v-SEG (DP). Domains: Device and Application, RAN-Core Border, Internet Border, Policy / Charging Control, IMS Core, Other LTE Network. Elements: SEG, MME, SGW, DRA, SBC, CSCF, Internet. Interfaces: S6A, S9, S11, S5/S8, Gx, Gz/Gy, SGi.]

» vSEG on COTS hardware on Linux
» Similar deployment and operational model as today
» Benefits:
    » Removes restriction of physical chassis
    » scale to very large number of line cards

The LTE Security Framework: vSEG Phase 2

[Diagram, labels only: SDN Controller; SEG Controller; Security Gateway Cloud; v-SEG (CP): IKE, AAA, Routing; v-SEG (DP): QoS, ACLs, Inspection; RAN-Core Border; Internet Border; Policy / Charging Control; Other LTE Network; V-EPC; MME; SGW; DRA; SBC; CSCF; Internet; S1-C; S1-U.]

» Disaggregate control plane and data plane functions to scale each function independently.
» Can be integrated with Operator's SDN infrastructure
» Benefits
    » Fully elastic on-demand deployment
    » Capacity can be added dynamically by adding more service nodes
    » Scale some functions disproportionately

Conclusions

» Each domain of the LTE Security Framework provides protection against specific threats and therefore has unique functional and performance requirements
» S1 Link has stringent performance and latency requirements
» Purpose built platforms will remain the mainstay for next few years
» Virtualization has benefits, but is not the answer for all use cases