Securing emerging wireless networks and services
4th ETSI security workshop, 13-14 January 2009 - ETSI, Sophia Antipolis, France
Ganesh Sundaram, Distinguished Member of Technical Staff
Wireless Advanced Technology Labs, Alcatel-Lucent
10k feet view of this talk
�Capturing the thought process: Multiple dimensions to mobile security
� Networks have evolved
1G → 2G → 3G → 4G
� Applications have evolved
Cellular Voice → Email, VPN → WAP + music + video → Mobile Internet
� Users have evolved
All Rights Reserved © Alcatel-Lucent 2006, #####2 | Presentation Title | Month 2006
    – Convenient to have a cell phone (early 90's). Can I afford it?
    – Need to have a 'mobile device' to download all those 'free apps'
    – How do we use our mobile devices?
• Securing the enigma of mobile broadband?
  • Secure each dimension based on needs and capabilities
Discussion on changing needs of mobile security and pointers to solutions. Not a tutorial!
Mobile networking evolution
• Early: Mobile access to the telephony network
• Growth: A public land mobile network
• Now: PLMN plus mobile access to the "Internet"
[Figure: PSTN and MSCs; then a PLMN of interconnected MSCs; then the PLMN attached to the Internet through V-GW and H-GW]
Early networks: Securing access, and networks
What is 4G?
• 4G = streamlining mobile packet switched services
• 4G = fatter pipes = higher bandwidth
• 4G = Flat IP
• 4G = Mobile OFDM!
• 4G = I "see" $$
• 4G = Mobilizing the Internet
• 4G = multiple deployment options
Next Generation = The entire elephant. Security challenges across multiple layers.
Evolution of applications
Applications: Cellular voice, SMS → VPN → WAP, "Music, Video" → Mobilize the Internet
Business model: Operator controlled services → Operator enterprise partnerships → Walled garden → The "iPhone" generation
Mobile Applications: Securing this "colorful" evolution; Who is responsible for what?
Evolution of mobile subscriber
• Early days: Convenient! Hmm. Pay for it?
• Today, around the clock (morning, during the day, evening): infotainment, productivity, entertainment
Mobile subscriber needs increasing, but is security improving?
Changing business models
Market drivers:
• Multiple deployment options. Who owns the user?
• Browser enabled phones. Who controls the application?
• Free bandwidth. Who owns the network?
New business models driving the market. What is the impact on security?
Next generation security conundrum
• Multiple security requirements
  • Authentication, user privacy
  • Securing the service layer
  • Securing applications
  • Securing the network
  • Securing devices
• Devices are challenged
  • power, computing
  • cost, form-factor
• Business models are changing
  • Deployment models
  • Ownership of bandwidth, application
[Figure: three orthogonal axes: Security requirements, Device limitations, New business models]
Changing landscape: Multiple orthogonal dimensions
Flat IP
• What is Flat IP, and why?
  • Consolidation of wireless functions at the edge
  • Evolution from existing systems
  • Capacity improvements (cross-layer optimization)
  • IP aware base stations
  • Reduce complexity, ease of management and upgrades
• What about security? Securing the cell-site!
  • Cryptographic security, not physical security
  • Means to satisfy cell-site security
    • Tamper resistant, secure computing environment
    • Secure interfaces
    • Protection against intrusion, eavesdropping, DoS, etc.
Flat IP: Security not an after-thought
Flat IP security architecture: Securing access
Cell-site vault (secure, tamper resistant computing environment) provides:
1. Physical security for all session keys maintained by the cell site
2. Ciphering and integrity protection for the user and signaling plane
3. Secure tunnels to the home agent and AuC/AAA
[Figure: user equipment (SIM, RR + signaling, protocol stack) ↔ bearer path ↔ flat system's cell site, whose cell-site vault holds the session keys ik + ck alongside SLP + RLP, "FA" and the protocol stack; IPsec secure tunnels over the public/private IP network to the IPsec gateway, the IP gateway, the AAA (shared secret key, ck + ik) and inter-cell site]
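The ciphering and integrity protection the cell-site vault performs (item 2 above), worked through as an added example; this is not Alcatel-Lucent's code and not any 3GPP algorithm. The keys CK and IK are constructed constants standing in for the ck/ik a vault receives from the AuC/AAA after authentication, and an HMAC-SHA256 counter-mode keystream stands in for the air-interface cipher. What it demonstrates is the structure a vault has to get right regardless of primitive: separate keys for confidentiality and integrity, the sequence number bound into the MAC, the MAC checked in constant time before anything else, and replays rejected only after the MAC passes.

```python
"""Ciphering and integrity protection of a PDU with separate session keys ck and ik.

Added example, not Alcatel-Lucent code. CK/IK are constructed constants (a real
vault gets them from the AKA run with the AuC/AAA) and the HMAC-SHA256
counter-mode keystream is a stand-in for the real ciphering algorithm.
"""
import hashlib
import hmac
import struct

# Constructed example keys: 128-bit cipher key and integrity key.
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")

SEQ_LEN = 8   # 64-bit sequence number carried in clear in front of the ciphertext
MAC_LEN = 8   # truncated MAC-I appended to each PDU


def keystream(ck: bytes, seq: int, length: int) -> bytes:
    """Derive `length` keystream bytes from ck, the PDU sequence number and a
    block counter. (ck, seq) must never repeat: XOR of two reused PDUs leaks."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(ck, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def protect(ck: bytes, ik: bytes, seq: int, plaintext: bytes) -> bytes:
    """Cipher with ck, then MAC with ik over seq || ciphertext (encrypt-then-MAC)."""
    header = struct.pack(">Q", seq)
    ks = keystream(ck, seq, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    mac = hmac.new(ik, header + ciphertext, hashlib.sha256).digest()[:MAC_LEN]
    return header + ciphertext + mac


class VaultReceiver:
    """Receiving side: verify MAC-I, reject replays, then decipher."""

    def __init__(self, ck: bytes, ik: bytes):
        self.ck, self.ik = ck, ik
        self.last_seq = -1

    def unprotect(self, pdu: bytes) -> bytes:
        if len(pdu) < SEQ_LEN + MAC_LEN:
            raise ValueError("truncated PDU")
        header, ciphertext, mac = pdu[:SEQ_LEN], pdu[SEQ_LEN:-MAC_LEN], pdu[-MAC_LEN:]
        expected = hmac.new(self.ik, header + ciphertext, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            raise ValueError("integrity check failed")
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:                      # seq is MAC-protected, so trusted here
            raise ValueError("replayed or reordered PDU")
        self.last_seq = seq
        ks = keystream(self.ck, seq, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def rejects(receiver: VaultReceiver, pdu: bytes) -> bool:
    """True if the receiver drops the PDU; used to exercise the failure paths."""
    try:
        receiver.unprotect(pdu)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    rx = VaultReceiver(CK, IK)
    pdu = protect(CK, IK, 1, b"RRC connection request")
    print(rx.unprotect(pdu))
    print("replay dropped:", rejects(rx, pdu))
    flipped = pdu[:12] + bytes([pdu[12] ^ 0x01]) + pdu[13:]
    print("tampered dropped:", rejects(rx, flipped))
```

Run directly, it shows one PDU accepted, its replay dropped and a PDU with one flipped ciphertext byte dropped. The replay counter and the keys sit in the same object on purpose: that is the state a vault must keep out of reach of the rest of the cell site, because a reset of last_seq or a reuse of (ck, seq) breaks both properties at once.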
Network layer security
• Network layer security: From CMIP to Simple IP with PMIP
  • Security assumptions
    – Mobility agent is in a secure environment: node specific keys
    – Mobility agent is in an insecure environment: user specific keys
  • Key bootstrapping problems
    – Multiple solutions being proposed in standards, based on network assisted "single-sign-on"
• Local breakout
  • What? - How do we keep "local traffic local"?
  • How? - Multiple solutions under discussion
    – Example: supported through 'route optimization' in Mobile IPv6
    – Is there a network based solution that is secure and 'universal'?
IP layer mobility – Evolving towards secure network based solutions
Securing applications?
• Brave new world of mobile applications – are they secure?
• What is security at the application layer?
  • Privacy – e2e privacy, especially for mobile-to-mobile applications
    New paradigm: secure identity based authenticated key agreement
    – Applies even if the users are in two different networks
    – Can provide e2e security without the risks and responsibilities of key escrow
  • Trust – Example: guarantee that the application is not a virus
    Mobile handsets are thin clients with very diverse operating systems
    – Challenges: easier to attack, computationally deprived environment
    New paradigm: network based methods to 'filter' applications
    – Challenges: how to make this computationally efficient and cost effective?
Mobilizing Internet applications: Emerging paradigms and new trends
Other next generation considerations
• Multiple deployment options – security architecture "evolving"
  • Macro cellular: high mobility and outdoor environments
  • Micro cellular: hot spots and coverage holes (low mobility)
  • Pico cellular: enterprise environments with licensed spectrum
  • Femto cellular: home environments with licensed spectrum
• Threat models and security requirements differ
  • May span across "providers"
New deployment options require a fresh look
IP services over mobile wireless: New paradigms to launch attacks!
[Figure: radio network controller and packet core, with signaling exhaustion and bandwidth exhaustion marked]
Signaling exhaustion
• Email delivery devices on average cause 10x the signaling load of phones or aircards used for web browsing
• Infected / malfunctioning devices consume disproportionate amounts of signaling resources
Bandwidth exhaustion
• VPN users consume on average 10x the airtime of typical users
• P2P users download tens of GB per day, consuming 30% of bandwidth
Mobile DoS: Need new tools!
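One of the "new tools" the slide asks for, as an added example rather than anything from the talk or from Alcatel-Lucent: a per-device signaling-load outlier check over a constructed log window. The line format (`<timestamp> dev=<id> event=<name>`), the event names and the device names are assumptions. The threshold is both an absolute floor and a multiple of the median device, so that a push-email device at roughly 10x a browsing phone's signaling, which the slide treats as normal behaviour, is not flagged, while a device churning PDP contexts is.

```python
"""Flag devices that consume a disproportionate share of signaling resources.

Added example, not a tool from the talk. Runs over a constructed signaling log;
the line format, event names and device names are assumptions.
"""
import re
import statistics
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) dev=(?P<dev>\S+) event=(?P<ev>\S+)")
# Events that cost RNC / packet-core signaling capacity; bearer traffic is ignored.
SIGNALING_EVENTS = {"rrc_setup", "attach", "pdp_activate", "pdp_deactivate", "paging_resp"}


def parse_signaling(lines):
    """Yield (device, event) for each well-formed signaling line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("ev") in SIGNALING_EVENTS:
            yield m.group("dev"), m.group("ev")


def signaling_outliers(lines, ratio=10.0, floor=20):
    """Return {device: {"total": n, "by_event": {...}}} for devices above threshold.

    threshold = max(floor, ratio * median device total). The floor stops a nearly
    empty cell from flagging everyone; the median keeps one runaway device from
    lifting the bar for the others.
    """
    by_event = defaultdict(Counter)
    for dev, ev in parse_signaling(lines):
        by_event[dev][ev] += 1
    if not by_event:
        return {}
    totals = {dev: sum(c.values()) for dev, c in by_event.items()}
    threshold = max(floor, ratio * statistics.median(totals.values()))
    return {
        dev: {"total": n, "by_event": dict(by_event[dev])}
        for dev, n in totals.items()
        if n > threshold
    }


def constructed_log():
    """Constructed sample window: five browsing phones, one push-email device at
    roughly 10x a phone's signaling (legitimate), and one malfunctioning device
    that activates and tears down its PDP context in a loop. Timestamps are synthetic."""
    lines = []

    def emit(dev, ev, n):
        for i in range(n):
            lines.append(f"2009-01-13T09:{i // 60:02d}:{i % 60:02d} dev={dev} event={ev}")

    for k in range(5):
        emit(f"phone{k}", "rrc_setup", 2)
        emit(f"phone{k}", "pdp_activate", 1)
    emit("email-dev", "rrc_setup", 12)
    for _ in range(30):
        emit("infected", "pdp_activate", 1)
        emit("infected", "pdp_deactivate", 1)
    lines.append("2009-01-13T09:00:00 dev=phone0 event=http_get bytes=4096")  # bearer, not counted
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for dev, info in signaling_outliers(constructed_log()).items():
        print(f"{dev}: {info['total']} signaling events, breakdown {info['by_event']}")
```

The per-event breakdown is what makes the alert actionable: a device whose total is dominated by pdp_activate/pdp_deactivate pairs is churning contexts (malfunction or malware), whereas a high rrc_setup count alone points at a keepalive-heavy but legitimate client.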
Nextgen devices: A purist's nightmare vs the ELEGANT engineer's solution
The purist's nightmare:
• Not enough battery power
• Not enough processing power
• 16 OS's, and they are too thin
• Free 4G BW with worms on the side
• Free applications & viruses to go!
The elegant engineer's solution:
• 2 words: Mini Browser!
• I have a SOLUTION
Food for thought!
Thank You!
Ganesh Sundaram
973-739-4489