Why security is the key to wireless profitability
Wireless IP services are beginning to take off. Consumers are excited about the promise of new voice and data services they can receive on their mobile devices including streaming video, interactive gaming, and IPTV. Adoption of these services is the key to the future success of wireless carriers.
But behind the door to profitability lurks a significant and growing threat. Already, more than 100 viruses have targeted PDAs and other mobile devices. That number is expected to grow as hackers turn their attention from the wireline to the wireless infrastructure. IBM’s Global Security Business Index predicts that copycats could use worms, which are so prevalent in today’s wireline infrastructure, to trigger a virus outbreak among mobile devices. New technologies like Bluetooth that make it easier to swap files over a short-range wireless connection also make it possible for contaminated handsets to spread viruses simply by coming within range of another Bluetooth-enabled device. These security concerns have prompted some companies to forbid their employees from using new wireless technologies at all—making it that much harder for carriers to sell new mobile services.
Profitability requires both availability and security
Sustaining and growing revenues has always required a stable and secure network. A core that was once used only for best-effort data is now where today’s successful operators converge multiple access networks onto a single IP infrastructure. That pushes the need for intelligence further into the core, because the backbone must support, prioritize, and appropriately handle IP-enabled services including telephony, video, and the new mobile services. Each day, major carriers thwart millions of attacks on their IP backbone. Internet traffic is cluttered with malicious activity, including network worms and distributed denial-of-service (DDoS) attacks that send floods of traffic from rogue PCs. With the migration to a converged network in process, the mobile packet core is being exposed to the public Internet for the first time, making it vulnerable to attack and more attractive to hackers. To profit from these IP-based services, carriers need intelligent infrastructure solutions that can provide the performance—and security—these services demand and subscribers expect.
Security measures for mobile operator networks
Until recently, security was largely viewed as an enterprise function. To protect wireline assets, most companies set up firewalls as a first line of defense. Others added intrusion detection/prevention and other security features to further protect their local assets. Given the proliferation of wireless endpoints and infrastructure and the growth of IP-enabled services, enterprise measures alone are insufficient to combat the worsening threat environment. Network operators agree that to prevent threats from reaching the enterprise and, more importantly, to ensure the availability and security of their core IP infrastructure, they must implement in-network threat mitigation techniques.
In addition, standards organizations such as the Third Generation Partnership Project (3GPP), which are defining the specifications for new technologies such as IP Multimedia Subsystem (IMS) and Unlicensed Mobile Access (UMA) to enable network convergence, have included significant security requirements in their latest specifications.
IMS and UMA are exciting new technologies that facilitate new ways for carriers to expand service capabilities. UMA enables users equipped with a dual-mode cellular/Wireless LAN (WLAN) handset to roam between cellular networks and public and private unlicensed WiFi and Bluetooth networks. Consumers will benefit from improved residential coverage by leveraging their in-home broadband wireless network. When an end user places a voice call, UMA encapsulates the call and signaling data in secure encrypted IP tunnels using IPsec to ensure the call’s privacy as it travels over the public Internet.
UMA is a precursor to IMS. IMS enables multiple IP-centric services—allowing operators to offer a rich set of blended services through multiple access infrastructures. With IMS, security remains a top priority, with data encryption, firewalling, NAT traversal and DoS protection being used to protect the media and application servers resident in the core infrastructure.
Developing a defense in depth security strategy
To ensure data integrity and confidentiality for their wireless services, mobile operators must protect and secure the wireless transmissions to their network and, more importantly, insulate and secure the core network infrastructure from potential security threats. As previously mentioned, 3GPP has documented a security infrastructure for mobile operators to consider in the security requirements for UMA and IMS. However, adequately securing these networks and services requires additional security implementations not explicitly identified in the 3GPP specifications.
Both the UMA and IMS specifications address the challenge of securing a rapidly growing number of VoIP and other IP-centric media endpoints. One approach to addressing this challenge is embodied in a highly scalable security gateway. Deployed at the edge of the core network, the security gateway is specifically designed to ensure secure interconnections between subscribers and core wireless infrastructure associated with those subscribers.
The security gateway is key to safeguarding both the subscriber connections and the mobile packet core against service-disrupting attacks in a wireless network. Mobile operators can use the security gateway to set up three complementary zones of defense in their wireless network:
- Zone One is subscriber-facing, between the subscriber and the security gateway. Here the gateway secures traffic using authentication, encryption, integrity checking, QoS and other transmission security techniques to ensure a secure, predictable and highly available subscriber experience.
- Zone Two is network-facing, between the security gateway and the core. The gateway uses session limiting, DoS protection, firewall pinholing and other firewalling techniques to ensure only valid traffic is passed into the core infrastructure. QoS mechanisms may also be applied so that the core network infrastructure sees predictable traffic volumes and delivers a predictable user experience. Finally, intrusion detection and prevention techniques may be applied so that decrypted traffic is evaluated and handled appropriately, and so that traffic arriving in an encrypted tunnel from a compromised handset does not impact overall network operations.
- Zone Three protects the gateway itself. The gateway uses the same pinholing, session limiting, DoS protection and other firewalling techniques to drop corrupt or malicious traffic before it impacts gateway operations and, in turn, valid subscriber access and egress through the system.
| Zone | Multiservice Security Requirements |
| --- | --- |
| One: Subscriber | Authentication, Encryption, Integrity checking, QoS |
| Two: Network | Pinholing, Session limiting, DoS protection, Firewalling, QoS, Intrusion detection/prevention |
| Three: Gateway | Pinholing, Session limiting, DoS protection, Firewalling |

Figure 1: Mobile operators can use the security gateway to set up three complementary zones of defense in their wireless network.
Securing Zone One, the transmission between the subscriber and wireless network
The 3GPP’s UMA and IMS specifications place a high priority on subscriber-facing security. They require the security gateway to provide:
- Authentication and integrity checking
- IPsec encryption to ensure privacy for IP media traffic
To address the full breadth of architectures, both transport-mode and tunnel-mode IPsec are required. Additionally, since a great deal of encrypted IP traffic is likely to undergo network address translation before reaching the public Internet, the security gateway’s support for NAT Traversal (NAT-T) is critical.
To provide the predictable, and potentially contractually obligated, user experience, the security gateway should also implement sophisticated QoS enforcement mechanisms and application- and destination-classification techniques capable of policing subscriber traffic destined for the critical core infrastructure. The gateway should also be capable of prioritizing and marking traffic so that forwarded traffic receives service appropriately and predictably.
Securing Zone Two to facilitate a highly available, predictable and secure network core
The security solution must implement a stateful firewall that can control the network connections that travel across it and prevent malformed, malicious, and/or suspicious packets from impacting core wireless infrastructure. Single station session limiting is another important feature for protecting against DoS attacks that use session flooding to drain available server resources and block legitimate end users from accessing services.
The wide array of firewalling capabilities required in a security gateway is perhaps best exemplified by the requirements for securing network-facing servers in an IMS deployment. IMS requires the security gateway to provide Network Address and Protocol Translation (NAPT) provisioning and firewall traversal for signaling, policing of signaling, topology hiding, and conversions between IPv4 and IPv6. The security gateway must also control media exchanges across the operator boundary and provide media pinhole establishment control via a Session Initiation Protocol (SIP) application layer gateway (ALG), QoS policing, and dynamic NAPT and firewall traversal. Finally, it must be able to mitigate DoS attacks away from the SIP servers so that user communications are not interrupted.
QoS is also a valuable tool in this zone. As noted above, classifying, handling and marking traffic destined for the core ensures it is handled according to its application and destination. Traffic shaping should also be applied so that traffic destined for the core makes the most efficient use of finite core bandwidth.
Finally, although the IPsec tunnel’s authentication and integrity checking process ensures that the source of the traffic is known, the content of that traffic, once decrypted, may still be harmful to the network. As mobile phone operating systems become more sophisticated and more widely deployed, they will become ever-more attractive targets for hackers intent on disrupting mobile services. Mobile operators may consider implementing intrusion detection and prevention systems to ensure the integrity of decrypted mobile device traffic.
Using robust firewalling to create a third zone of defense
As detailed above, firewalls are a key consideration of the wireless security infrastructure. The opportunity for mobile devices to negatively impact core network resources increases exponentially as their sophistication increases. A number of security solutions are available for addressing these security issues. However, it is critical that the security solution itself is similarly protected. To ensure this, administrators should implement firewall policies that allow only specific types of traffic to reach, and thus consume, security system resources. For example, the security gateway in a UMA architecture may be configured to accept only TCP traffic on specific ports to its own system resources; all other traffic is dropped before it enters the system, so that only valid traffic consumes system resources. Session limiting applies the same principle of conserving valuable and finite system resources.
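As an added illustration of the Zone Two media pinholing and the Zone Three session limiting described above (example code written for this article, not Reef Point's product nor a 3GPP reference implementation), the following Python sketch of a SIP application layer gateway opens an RTP pinhole only for media negotiated in a subscriber's INVITE, refuses SDP that names an address other than the signaling source, caps concurrent sessions per station, and closes the pinhole on BYE. The SIP message, addresses, port and limits are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample SIP INVITE carrying an SDP body; the addresses, port and
# Call-ID are made up for illustration.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Call-ID: call-1@10.0.0.5\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

class MediaPinholeGateway:
    """Simplified zone-two policy: open an RTP pinhole only for media the
    subscriber negotiated in signaling, and cap concurrent sessions per
    station so a session flood from one handset cannot exhaust resources."""

    def __init__(self, max_sessions_per_station=3):
        self.max_sessions = max_sessions_per_station
        self.pinholes = {}                # Call-ID -> (ip, port) allowed inbound
        self.sessions = defaultdict(set)  # subscriber ip -> active Call-IDs

    def on_invite(self, src_ip, message):
        """Inspect an INVITE from src_ip and decide whether to open a pinhole."""
        call_id = re.search(r"^Call-ID:\s*(\S+)", message, re.M)
        conn = re.search(r"^c=IN IP4 (\S+)", message, re.M)
        media = re.search(r"^m=audio (\d+) RTP/AVP", message, re.M)
        if not (call_id and conn and media):
            return "reject: no media negotiated"
        # The SDP address must match the signaling source, so a subscriber
        # cannot open a pinhole toward a third party's address.
        if conn.group(1) != src_ip:
            return "reject: SDP address mismatch"
        if len(self.sessions[src_ip]) >= self.max_sessions:
            return "reject: session limit reached"  # single-station limiting
        self.sessions[src_ip].add(call_id.group(1))
        self.pinholes[call_id.group(1)] = (src_ip, int(media.group(1)))
        return "pinhole opened"

    def on_bye(self, src_ip, call_id):
        """Close the pinhole when the call ends so it cannot be reused later."""
        if self.pinholes.pop(call_id, None) is not None:
            self.sessions[src_ip].discard(call_id)

    def allow_media(self, src_ip, src_port):
        """Would an RTP packet from this source be forwarded into the core?"""
        return (src_ip, src_port) in self.pinholes.values()
```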
Figure 2: Carriers should implement the Defense In Depth Strategy to ensure the availability and security of fixed mobile convergence services.
Multi-layered defense strategy
Better security in the network won’t eliminate the need for firewalls and antivirus software on personal computers, but it can alleviate the security responsibility that now rests on enterprises and consumers. End users themselves are the biggest risk: many consumers find security mechanisms too inconvenient, and companies may not be able to keep up with all of the new security threats. To profit from new mobile services, carriers must incorporate network-based security to reduce security threats and expedite service adoption rates. Security must become a fundamental part of carrier networks—their future profitability depends on it.
Cam Cullen is VP of Product Management for Reef Point Systems.
© 2008 Penton Media Inc.