AdaptiveMobile LTE Whitepaper A4 1212

March 18, 2018 | Author: rohitsaxena17 | Category: Ip Multimedia Subsystem, Lte (Telecommunication), Computer Network, 4 G, Computer Security



Whitepaper
Mobile Network Security: The Challenges & Solutions in an LTE Landscape

Introduction

As the rollout of LTE networks rapidly progresses in many countries, and with LTE Advanced hot on its heels, the exponential growth in data traffic volumes on mobile networks is expected to continue for the foreseeable future. The LTE system architecture has been defined to provide the increased traffic speeds and functionality that consumers want, and has also been defined to integrate seamlessly as either an overlay or a complete re-design of an operator's existing telecom network. Routing, switching and firewall capabilities are co-evolving with this traffic growth – however security, and application level security in particular, is the one area within the LTE system that remains undefined and unanswered. Proposed solutions include the use of non-security specific nodes, which are not designed to meet the need, do not have security as their core competency and do not address the complete security requirements for consumers or reliability for operators. As a result, the implementation of Application layer security to perform advanced threat detection in LTE networks requires a fresh approach.

So what is the threat that LTE networks face now and in the future? Monetizing attacks or infecting mobile devices is still possible, and therefore likely, on an LTE network. Add to this the growth in the number and type of devices, plus the increased functionality they will have, and the number of potential targets is both wider and deeper.

However, the task of analyzing traffic is further complicated by the vast amount of application layer communications LTE generates: URLs, IP-based messaging (email, MMS, IMS-based messaging, OTT messaging), VoIP calls, social networking interactions, mobile app-generated traffic, M2M interactions and other protocols both now and in the future. Therefore, providing a reliable security solution that doesn’t impact network performance requires the use of offline analytics capabilities that are focused on detecting and responding to security threats. These analytics capabilities need to be able to function with both off-line and real-time data, in order to be able to detect and handle immediate threats while correlating events across multiple traffic streams.

Another challenge for LTE is the lack of standardization around application layer security. Once a threat is detected, there are no standards-based mechanisms in place to inform other network nodes what actions they should take to mitigate the threat.

In the absence of a clear architectural framework for responding to threats, and given the severity of threats likely to be encountered, AdaptiveMobile has put forward a set of recommendations for mobile operators both for deploying green-field LTE networks and for overlaying a security framework within existing deployments.

LTE Overview

LTE (Long Term Evolution) is primarily used by HSPA networks that have downlink peak rates of 300Mbit/s, uplink peak rates of 75Mbit/s and QoS provisions permitting round-trip times of less than 10ms [1]. LTE has major enhancements on both the Radio side, and on the Core side to enable these higher data rates. The enhancements on the Core side were captured by 3GPP’s SAE (System Architecture Evolution) standardization project, which delivered the EPC – Evolved Packet Core model.

The purpose of the EPC is to:
• Support the higher data rates delivered by the advanced LTE radio network
• Deliver a flat, ‘simple’, all-IP architecture
• Handle interoperability between the air interfaces of different 3GPP networks (e.g. LTE/LTE-Advanced/EDGE/GPRS), and between 3GPP and non-3GPP networks (WiMax and CDMA)

To supply this required functionality in LTE, a number of additional telecom elements are required:

[Fig. 1: LTE Overview. Elements shown: eUTRAN (eNodeB), Evolved Packet Core (MME, HSS, PCRF, S-GW, P-GW), IMS, PDN, ‘Old’ Core Network (BTS, MSC/GGSN), PSTN & Other Networks]

The combined function of these nodes is to handle the accelerated radio network and IP traffic, before the data is handled by any IMS or other core network IP handling technology. This provides one of the LTE network’s greatest strengths as what exists beyond it is variable, providing the operator with a range of deployment options.

[1] Strictly speaking these data rates do not match 4G, as defined by the ITU. While LTE Advanced is a true 4G technology, ‘ordinary’ LTE is referred to by the public and increasingly by operators as 4G.

LTE Deployment

The result is that LTE is being rolled out and implemented in different ways throughout the world. For example, some involve interworking with older 3GPP and non-3GPP access networks, described as mixed legacy and LTE networks, while others are adopting ‘pure’ LTE & IMS networks. Due to the presence of mixed networks, there will be a range of back-end core networks being used to integrate to LTE, including features such as the use of Circuit-Switched (CS) fall-back to handle voice and SMS in the absence of IMS networks. This range is fully supported by the LTE. The result of this flexibility is that any associated solutions, in this case security, have to be equally flexible.

IMS

IMS (IP Multimedia Subsystem) is the updated packet core for handling data, voice and SMS within advanced GSM networks. Although an IMS packet core isn’t required when running data service over LTE, if the operator wishes to include voice and SMS services in LTE then an IMS core is recommended. This requirement has led to an increased adoption of IMS, especially in the Americas, where operators are retiring legacy CDMA voice networks and moving all services (voice, messaging and data) to LTE. In the interim however, it is important that any security solution deployed on LTE networks is able to handle the presence of legacy networks and not simply assume that all traffic will take one form or one path.

Security Handling in LTE today

Discussions addressing security in LTE networks normally revolve around the following areas:
• A flatter and more open IP architecture, as the Radio part is terminated in the access network, leads to potentially greater attack vectors
• Interworking is possible with a variety of legacy and non-telecom networks, which may inject unwanted traffic
• LTE allows placement of Radio nodes (eNodeBs) in untrusted locations

To address this, most security designs for LTE/4G have focused on low-level processes, including:
• Extended authentication & key sharing and end to end confidentiality
• More complex interworking security
• Additional security in eNodeBs

The above has been delivered within the standards by various mechanisms such as building the key exchange and authentication mechanisms into the signalling flows between the LTE nodes – especially those involving the eNodeBs, and also via Firewall mechanisms, such as the 3GPP defined SEG. However, while these address potential structural security issues at a low level, discussion of security concerns at a higher level in the LTE network seems to have been neglected in the standards sphere.

There has been some discussion about reusing the existing Policy mechanisms in the LTE network to provide application-level security. While potentially attractive, this suffers from serious flaws, of which the most pertinent is that the PCRF simply does not have the visibility, or the control, to adequately handle changing threats. Within the LTE network, the PCRF node fulfils key roles in the Policy and Charging areas of the LTE network. While its functionality can be reused to provide a measure of security (see later sections for further details), in normal operation it is simply not designed to adequately address the security threats which will arise. What some of these future threats will be is unknown, however past experience demonstrates that the changing nature of telecom threats requires a platform that is flexible and designed with a core competence in providing a secure network.

So while security concerns at the lower level of LTE have been addressed, upper-level security threats still need to be tackled and are becoming more urgent.

Application-level Security threats in LTE

As discussed, LTE is really an evolution of the existing network technologies, and will also interwork with a variety of legacy radio and core networks. This means that upper-level security concerns in these legacy networks could be carried over on to the LTE network. Other reasons why additional threats could emerge over time include:
• Reduced prices for mobile IP usage and network access mean that the cost to send spam and generate malicious traffic is reduced
• Higher data rates and proliferation of IP devices (including those from outside the LTE network) will result in an increase in the number of bad actors and make identifying maliciously infected devices more difficult
• An increasing number of non-human attended devices (M2M etc) will be present on the same network, with potential for misuse, especially in critical areas
• Additional handset functionality, more capable devices and additional processing power, combined with greater data usage, increase the ability to run botnets and viruses
• Mobile device-based AV scanning solutions (as per the PC model) will become increasingly less sustainable due to increasing battery demands and the continuing rise in the amount of mobile malware the AV solutions have to look for
• Changes in technology and communication uses: for example, messaging sessions in LTE will no longer be confined only to 2 users and 160 characters; instead LTE will allow multi-user conversations with file transfers, making security for spam and malware links much more difficult to implement

In addition to these emerging threats, existing telecom frauds will continue, such as the monetization of premium-rate numbers by mobile malware or voice fraud, the exposure of key personal information via a handset or the network and the revenue opportunities for those who continue sending unwanted communications or spam.

To provide effective protection it is essential to identify threats as they occur. The key hindrance in an LTE network is the sheer amount of data, resulting in the need for sophisticated off-line analysis in order to determine when traffic is unwanted, malicious or harmful.

The Adaptive Approach

Analytics

In order to handle the dynamic nature of changing security threats, there is a definite need for advanced offline analytical capabilities, focused on detecting and responding to security threats. To handle these, the analytical capabilities need to be designed to address two major technological challenges:
1. Offline distributed processing of events to detect new threats, correlating events across all services (voice, messaging, web, NetFlow/IPFIX, application traffic etc) and building up a deep understanding of subscriber behaviour and reputation profile (from a security perspective) for each individual/device active on the network
2. Real-time event handling – providing immediate threat response to the most severe threats, combined with immediate instructions to the network to mitigate threats

To best handle this, two separate components are required:

1. A method to tap and collect traffic from the network, while not adversely affecting the traffic flow, and extract all relevant Layer 7 data from traffic flows. This Layer 7 or upper layer information can include:
• URLs
• User agent information
• IP Messaging content (Email, MMS, SIP-based, OTT)
• VoIP call setup requests
• Social networking messages
• Mobile app data

[Figure 2: Passive Probe (Gi/SGi)]

2. In order to analyze the large amount of data being tapped from the network, a ‘big data’ scale, distributed server cluster needs to be deployed. The distributed server will perform advanced threat detection using intelligent algorithms, to achieve the following functions:
• Network behaviour analysis – detecting DoS, zero-day attacks, spambots, port scanning etc
• Anomaly detection
• Event correlation across services (SMS, Web, Email) in order to detect ‘Compound Threats’ (attacks that utilise multiple network services to extract financial gain or act as a launch point for other attacks)
• SMS Spam detection and Fingerprint generation
• Phishing attacks
• Spyware detection

In combining these two functionalities, the Analytics system is able to provide a web-based user interface which allows security analysts to review the current state of the network, analyse threats and take actions, such as making network adjustments in order to block, re-route or throttle data traffic.

Security threats are dynamic and constantly evolving: for example, bots may lie dormant on devices and then spring to action, malware can be inadvertently installed on a device at any time and phishing attacks can be triggered by receiving email or other message. Therefore the LTE architecture for IP-network security must take this dynamic aspect into account. Analytics not only provides the means to detect new threats, but also the intelligence to take appropriate action to minimize the risk to subscribers and to the network infrastructure, allowing operators to identify new exploits, and respond rapidly to protect their network assets, subscriber privacy and subscriber credit.

Action

AdaptiveMobile’s Network+ Protection Platform (NPP+) has been designed to provide a consistent policy-based view of user behavior across all services including SMS, MMS, Email, Voice and Web. Once the NPP+ security platform has detected a new threat, whether these are mobile viruses, denial of service attacks, spam or fraudulent phishing attacks, it is critical that a response is implemented immediately. The NPP+ applies these responses as network Actions. How these Actions are enforced depends on the network architecture available.

From Detection to Mitigation

Once the data has been analyzed and any security threats detected, an integrated network solution is required to mitigate the threat. In many cases, threat intelligence can determine with absolute confidence that an attack is underway. Traffic destined for known phishing sites or to botnet command and control hosts is compelling evidence that an immediate response is required. However, there are also occasions when a degree of uncertainty is involved. A sudden increase in messaging traffic could be a legitimate marketing campaign or it could be a spam attack. A large number of subscribers accessing a web-site can be the result of a successful viral marketing campaign or it could be a distributed denial of service attack. This uncertainty is best resolved by application layer inspection of traffic flows, in which case these flows need to be forwarded to a mitigation solution. Depending on the nature of the attack it may also be prudent to throttle this traffic temporarily, therefore reducing the immediate impact while the situation is analyzed by an inline mitigation device.

The following section reviews some network architecture options and discusses the advantages and disadvantages of each.

Responding to security threats by making policy changes within the PCRF infrastructure is assumed by some network architects to be an appropriate response. The assumption here is that service control is the responsibility of the PCRF and traffic user plane nodes such as the GGSN, PDSN or PGW within the Packet Core, with the PCRF acting as the policy decision point and the nodes within the packet core responsible for subsequent enforcement of these decisions. However there are some serious drawbacks to this approach when it comes to security.

[Fig. 3: PCRF Option: A Limited Approach To Network Security]

The service control aspects of the Packet Core/PCRF interactions tend to focus on two areas – charging and Quality of Service (QoS). The PCRF authorizes service usage based on bandwidth, QoS and the service plan associated with the subscriber. Security issues, for the most part, fall outside this limited view of service control. Attacks, including spam, spyware, denial of service, phishing etc., do not fit into the PCRF service control model as there are no Application Layer controls in place. While it is possible to push blacklisting rules or throttling rules via the PCRF, these are crude or ineffective mechanisms to deal with security threats. In addition, there is often no way to dynamically change network routing rules to selectively forward traffic to a mitigation or traffic “scrubbing” mechanism (such as an inline security gateway).

Often what is required is a direct interface to the Packet Core to push security response instructions. Some of the more mature user plane platforms have a rich set of capabilities. However, these remain very much dependent on vendor implementations and often key features are only available in future releases.

A third approach (shown in Fig. 4) is to work with dedicated Deep Packet Inspection (DPI) platforms, whose singular focus on service control over a number of years has allowed them to build technology platforms that have all the capabilities required to work well in conjunction with the NPP+ advanced network security. These features include a subscriber-centric view of the network, with rich and granular subscriber policy, Layer 7 application awareness, dynamic response capabilities, flexible packet routing capabilities etc.

[Fig. 4: An Integrated Security Approach: Offline Analytics, Security Mitigation working with DPI]

Table: Actions supported by each enforcement option
Columns: Via PCRF (to User Plane Node) | Direct to User Plane Node (with integrated DPI function) | Standalone DPI
Rows: Bandwidth Throttling; Blacklisting Rules; Static Routing Rules; Per Subscriber Policy; Dynamic Routing Rules; URL Filtering; Traffic Scrubbing; Real-Time Threat Response; Application Layer Filtering; Filtering TCP/IP Flows
Cell values in extraction order: ✔ ✔ ✔ ✔ ✖ Depends on Vendor Depends on Vendor ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Depends on Vendor Depends on Vendor ✖ ✖ ✖ ✖ ✖ ✖ Depends on Vendor Depends on Vendor

AdaptiveMobile therefore recommends, as best practice for security in LTE networks, the integrated approach to security that is possible with DPI vendors using the architecture shown in Fig. 4. However, as Traffic User plane vendors add the rich set of capabilities available on DPI platforms today (as an integrated DPI “function”) they will then be in a position to offer a viable alternative to DPI-based approaches, and so allow more upper-level security facilities to be implemented on these platforms.

About AdaptiveMobile

AdaptiveMobile is the only mobile security company offering solutions designed to protect all of the services on the network. With our deep expertise and unique focus on network security, we continue to lead the market, a reason why many of the world’s leading security and telecom equipment vendors have chosen to partner with us. Our mission is to provide a safe and trusted mobile experience for consumers and enterprises worldwide.

Head Office: Ferry House, 48-52 Lower Mount Street, Dublin 2. Tel: +353 (1) 5249000
US Office: Adaptive Mobile Security Inc., 2591 Dallas Parkway, Suite 300, Frisco, TX 75034. Tel: +1 972 377 0014
Regional Sales Contact Numbers: UK Sales: +44 808 120 7638; Middle East Sales: +971 4 312 4423; Africa Sales: +27 837 044 111; Asia Sales: +603 2298 7275; European Sales: +353 (1) 524 9000
www.adaptivemobile.com