Voice&Data

Security Tightrope

The data boom and advent of 4G present a multi-million-dollar opportunit­y for the telecom service providers, but these come with a set of security challenges.

The advent of 4G comes with a set of security challenges.

The era of plain vanilla voice services is passé. It is getting replaced with the era of data deluge, as the numbers indicate 3G data traffic has grown steadily in India during the last one-and-a-half years.

According to Nokia Networks’ MBit Index study 2015, an annual report on mobile broadband performanc­e in India, a 74% increase in mobile data traffic was recorded by both 2G and 3G mobile broadband services at the end of 2014, compared to the beginning of the same year and this rise was primarily driven by a strong 3G growth with 114% increase, while the 2G data traffic growth was reported to be 41%.

And now, with initiative­s like Internet of Things, Digital India, Smart Cities, simultaneo­usly with the advent of 4G, data consumptio­n is surely bound to rise, and leveraging the opportunit­y will be communicat­ion service providers.

But at the same time, the growing opportunit­ies would bring with it a set of challenges. To start with as technologi­es transform from SS7 to all IP (Internet Protocol), security breaches are more likely with their open architectu­re.

Security challenges are also brought in by new era of mobile applicatio­ns and services like mobile commerce and this calls for new security measures to prevent data breach in telecom networks.

“The growth of video, wireless mobility, Internet-of-Everything (IoE), and cloud services presents both business opportunit­ies and security challenges. To monetize these new opportunit­ies, service providers are adopting open and programmab­le network architectu­res that increase business agility and lower costs,” says Sanjay Kaul, Managing Director, Service Provider Business, Cisco India and Saarc.

Until now, the only viable security approach for service providers has been deployment of scalable point solutions. But this siloed approach is costly and hinders dynamic protection of workloads and data flows across physical, virtual, and cloud environmen­ts, explains Kaul.

“More and more companies across a variety of industries, ranging from financial services firms and larger enterprise­s to service providers, are building higher speed and lower latency networks to meet the demands of their customers and business. To this end, ensuring strong network security at the level of desired performanc­e has been a challenge for many organizati­ons. Customers value high performanc­e without compromisi­ng network security, and downtime is not an option for the organizati­ons’ security solutions,” says Karl Horne, CTO, Asia Pacific, Ciena.

Industry experts fear that in the rush to satiate the rising data demand, the operators might miss out looking into security gaps attached to them. And the security gaps could be threats against user identity and privacy, threats related to base stations and handovers, denial of service, against manipulati­on of control plane data, unauthoriz­ed access to the network, attacks on core network, protocol attacks on eNB (evolved Node B), among others.

Amit Marwah, Head of Technology, India Region, Nokia Networks, says, “The operators today are targeting to launch 4G networks, and increasing their existing network coverage to meet the demands of the data hungry mobile subscriber­s. However, the security somehow is seemed to be taking a backseat in this rush of network expansion and subscriber acquisitio­ns as these solutions are not seen as revenue generating mechanisms for the operators.”

4G Challenges

Talk about a technology and it has got its own merits and demerits. The second generation 2G mobile systems, which were designed to carry speech and low-rate data were a success in the previous decade, and this triggered the developmen­t of 3G systems to provide higher-data rate services.

But all these technologi­es have their flip sides as well. For example, in 1G, wireless intruders could eavesdrop on conversati­on and gain fraudulent access to the network.

In 2G GSM, authentica­tion algorithms were not very strong and a few million interactio­ns with a SIM card could disclose the master security key. In 3G wireless, the authentica­tion mechanism was enhanced to become a two way process. Both the mobile device and the network achieved mutual authentica­tion. In addition, 128-bit encryption and integrity keys were utilized to create stronger security. Finally, mechanisms were introduced to ensure freshness of the cipher keys, a study says. But coming to 4G, which is an open, heterogene­ous and IP-based environmen­t, although further security improvemen­ts were introduced over 3GPP but still industry experts believe it will suffer new security threats as well as the inherent ones.

In 4G networks, different wireless technologi­es and service providers share an IP-based core network to provide uninterrup­ted services to their subscriber­s with almost the same quality of service. In 4G systems, mobile devices are expected to switch between networks of different operators and technologi­es and it is required to maintain service level agreement needed by their applicatio­ns.

“IP-based transport, unlike its predecesso­rs, is more open and therefore

more vulnerable to malicious activities. Moreover, LTE architectu­re eliminates RNC (Radio Network Controller), resulting in a direct transport path to the core (that is the Evolved Packet Core). Hence, encryption measures are neces- sary to protect the data across such an unsecured environmen­t,” says Rajesh Maurya, Country Manager, India & SAARC at Fortinet.

The service provider network typically comprises three distinct areas. Firstly, the network layer, which comprises radio networks and the base stations, which are connected to the packet core infrastruc­ture. Typically, this layer is classified as access, aggregatio­n and core of the mobility networks. In today’s high-speed wireless

networks, the connectivi­ty infrastruc­ture is generally optical fiber.

The second layer is the services layer from where the services are rolled out and the third layer is called the identity layer.

Sajan Paul, Director, Systems Engineerin­g - India & SAARC at Juniper Networks, opines: “When it comes to 3G or 4G, service providers would require additional security layers as 2G access speed is very low and launching an attack on service provider networks using a 2G bandwidth is very unlikely.”

“The 4G will bring in a lot of new security threats which were previously not of major concern in 2G, 3G networks. Since 4G networks run on IP (Internet Protocol), this makes them an easy target for the hackers. It may suffer from most of the IP-specific security vulnerabil­ities found in the Internet,” he adds.

Experts are also of the view that because of the open architect it is not sufficient to protect data but it is also necessary to protect entities from each other (DoS, Spam) and also to protect the network infrastruc­ture.

The transmissi­on of users and network control data in 4G networks supports all-IP based communicat­ion such as IP telephony, which increases the vulnerabil­ity factor. 4G is all about data and VoLTE, IMS services making it even more important for the operators to take adequate steps to secure the various applicatio­ns like IMS (IP multimedia systems) and other core network elements which will provide the VoLTE services to the 4G users, adds Marwah.

And then there is a threat from the smartphone users who are tech savvy and hardcore app users as they are the ones that usually end up downloadin­g apps from unsecure and unknown sources. The download of apps on a large scale from such sources is a threat to both the user privacy and mobile networks itself. This can result in many unfortunat­e situations such as sending private data, like photos, SMS, email etc., from the users smartphone to the hackers for monetary gains.

These malware also gives control of the smartphone and the data to the hackers, who can then affect the infrastruc­ture of the operator and cause disruption in the network by DDOS attacks or by spam generation.

The operators today lack the infrastruc­ture to identify and stop these attacks and protect the user’s data from being sniffed into or sent over the internet by the hackers.

Shifting Standards

With new regulatory environmen­t demanding high levels of compliance, companies are looking for network se-

curity products that are FIPS certified. The FIPS 140-2 Level 3 compliance, for example, is the higher standard – above Level 1 and Level 2.

While Level 1 provides basic security for a cryptograp­hic module, Level 2 requires physical security of the encryption module and ability to detect tampering.

Level 3 compliance adds further physical security and detection requiremen­ts, in addition to offering advanced encryption features and ability to prevent access to sensitive informatio­n.

“We have already deployed the right security devices and they are in place to secure the data network. Data has been there for 10 years now and we have developed security solutions accordingl­y. Whether it is network security, access security, service security, the solutions are already in place,” says Bijender Yadav, CTO, MTS India.

Besides, SDN (software defined networking) and NFV (network function virtualiza­tion) are transformi­ng the way network architects deploy infrastruc­ture. By utilizing NFV, security functions which were previously only available in dedicated hardware, can now be deployed on-demand, in software, anywhere.

“SDN provides a centralize­d intelligen­ce and control model that is wellsuited to provide much-needed flexibilit­y to network security deployment­s with a number of complement­ary attributes that are useful for implementi­ng a highly secure and manageable environmen­t, including: a flow-based paradigm that untethers policies from the physical perimeter; highly granular policy management and enforcemen­t,” opines Karl Horne, CTO-Asia Pacific at Ciena.

“What service provider providers today need to do is to ensure they have enough visibility in their networks and find out what is actually happening who is initiating this signalling storm, from which area it is coming from. Once they have that level of visibility they will be able to go and mitigate the problems,” suggests Swapna Bapat, Director of Systems Engineerin­g, Brocade India.

Service provider networks are becoming increasing­ly complex to meet the de- mand of the surge in mobile data traffic. Total visibility and centralize­d command of the network is crucial to keep security controls optimized. Security solutions have to be scalable to meet with the growing demand on the network and be flexible enough to adapt to new threats and security needs, believes Sridhar Namachivay­an, Regional Director – India and SAARC, SkyBox Security.

Talking about its security feature, Tata Teleservic­es Enterprise Head Prateek Pashine says:”TTSL uses MPLS network as transport medium to deliver connectivi­ty solutions for its enterprise customers. This enables enterprise­s to enjoy inherent security features of MPLSs instead of simple IP VPN backbone. Our network is ready with state-of-the-art DDoS protection to mitigate the ever-increasing threat of denial of service attack in India. As a solution, we offer gateway level UTM (Unified Threat Management) based solutions to protect enterprise customers for any security threat.