Securing the LTE Core: the Road to NFV
Page 1: Securing the LTE Core:  the Road to NFV

© 2014 Stoke

Securing the LTE Core – the Road to NFV

| Proprietary and Confidential

Dilip Pillaipakam

Vice President, Product Management and Marketing

Page 2: Securing the LTE Core:  the Road to NFV


The LTE Security Framework

[Figure: LTE security framework diagram. Labels: RAN-Core Border, Internet Border, Policy / Charging Control, Device and Application, Other LTE Network, Internet, SEG, MME, SGW, DRA, SBC, IMS Core, CSCF. Interfaces: S1-C, S1-U, S5/S8, S6A, S9, S11, Gx, Gz/Gy, SGi.]

The border between RAN and Core (S1) requires protection against specific risks to critical infrastructure at that interface.

Control Plane Functions: IKE, AAA, Routing

Data Plane Functions: Forwarding, QoS, ACL, Packet Inspection

Page 3: Securing the LTE Core:  the Road to NFV


LTE Security at the S1 Link – Emerging Trends

Challenge / Requirements

Stronger Security
• 2048 bit key length
• PKI

Signaling Protection - New Threat Vectors
• Protect core - exponential transaction increase
• S1 protocol/state validation

VoLTE Rollout
• Low latency transport
• Sub-1 second recovery

Elastic Deployment
• Virtualized security gateway on COTS
• SDN integration

Scalable Small Cell Deployments
• Dense session aggregation
• Intelligent load balancing

Page 4: Securing the LTE Core:  the Road to NFV


Use Case: Macro and Small Cell Security

» Unsecured backhaul

» Rapidly increasing throughput

» High tunnel density

» Ultra-low latency

» Directly impacts subscriber QoE

[Figure: macro and small cell security. Labels: Small Cells (Office, Home, Outdoor Metrocell), 4G LTE, Millions of Tunnels, EPC (MME, SGW). Callouts: E2E Latency Budget = 100 ms; VoLTE: Low Latency; Small Packets; High Bandwidth.]

Page 5: Securing the LTE Core:  the Road to NFV


Use Case: Signaling Overload

» Signaling Overload Threats
  » Application initiated
  » Compromised eNodeBs
  » Natural disasters

» Prioritized Traffic
  » Already connected subscribers
  » Specific eNodeBs

[Figure: signaling overload. Labels: Small Cells (Office, Home, Outdoor Metrocell), 4G LTE, Application Update Server, Millions of Service Requests, EPC (MME, SGW), QoE: Prioritize.]

Page 6: Securing the LTE Core:  the Road to NFV


The LTE Security Framework: vSEG Phase 1

[Figure: LTE security framework diagram with the SEG shown as v-SEG (DP) and v-SEG (CP). Labels: RAN-Core Border, Internet Border, Policy / Charging Control, Device and Application, Other LTE Network, Internet, SEG, v-SEG (DP), v-SEG (CP), MME, SGW, DRA, SBC, IMS Core, CSCF. Interfaces: S5/S8, S6A, S9, S11, Gx, Gz/Gy, SGi.]

Control Plane Functions: IKE, AAA, Routing

Data Plane Functions: Forwarding, QoS, ACL, Inspections

» vSEG on COTS hardware on Linux

» Similar deployment and operational model as today

» Benefits:
  » Removes restriction of physical chassis
  » Scale to very large number of line cards

Page 7: Securing the LTE Core:  the Road to NFV


The LTE Security Framework: vSEG Phase 2

[Figure: LTE security framework diagram with a Security Gateway Cloud. Labels: RAN-Core Border, Internet Border, Policy / Charging Control, Other LTE Network, Internet, V-EPC, SGW, MME, DRA, SBC, CSCF, Security Gateway Cloud, v-SEG (DP), v-SEG (CP), SEG Controller, SDN Controller. Function labels: QoS, Inspection, ACLs; IKE, AAA, Routing. Interfaces: S1-C, S1-U.]

» Disaggregate control plane and data plane functions to scale each function independently.

» Can be integrated with Operator's SDN infrastructure

» Benefits
  » Fully elastic on-demand deployment
  » Capacity can be added dynamically by adding more service nodes
  » Scale some functions disproportionately

Page 8: Securing the LTE Core:  the Road to NFV


Conclusions

» Each domain of the LTE Security Framework provides protection against specific threats and therefore has unique functional and performance requirements

» S1 Link has stringent performance and latency requirements

» Purpose-built platforms will remain the mainstay for the next few years

» Virtualization has benefits, but is not the answer for all use cases
