Securing emerging wireless networks and services

4th ETSI security workshop, 13-14 January 2009 - ETSI, Sophia Antipolis, France

Ganesh Sundaram, Distinguished Member of Technical Staff, Wireless Advanced Technology Labs, Alcatel-Lucent
[email protected]


10k feet view of this talk

• Capturing the thought process: Multiple dimensions to mobile security
  – Networks have evolved: 1G → 2G → 3G → 4G
  – Applications have evolved: Cellular Voice → Email, VPN → WAP + music + video → Mobile Internet
  – Users have evolved: Convenient to have a cell phone (early 90’s). Can I afford it? → Need to have a ‘mobile device’ to download all those ‘free apps’ → How do we use our mobile devices?
• Securing the enigma of mobile broadband?
  – Secure each dimension based on needs and capabilities

Discussion on changing needs of mobile security and pointers to solutions. Not a Tutorial!!

Mobile networking evolution

• Early: Mobile access to the telephony network
• Growth: A public land mobile network
• Now: PLMN plus mobile access to the “Internet”

[Figure: three network diagrams, labelled PSTN with MSC; PLMN with MSCs and MSGs; INTERNET with V-GW and H-GW]

Early networks: Securing access, and networks

What is 4G?

• 4G = streamlining mobile packet switched services
• 4G = fatter pipes = higher bandwidth
• 4G = Flat IP
• 4G = Mobile OFDM!
• 4G = I “see” $$
• 4G = Mobilizing the Internet
• 4G = multiple deployment options

Next Generation = The entire elephant. Security challenges across multiple layers.

Evolution of applications

[Figure: timeline of applications: Cellular Voice, SMS → Email, VPN → WAP, “Music, Video” → Mobilize the Internet; matching business models: Operator controlled services → Operator enterprise partnerships → Walled garden → The “iPhone” generation]

Mobile Applications: Securing this “colorful” evolution; Who is responsible for what?

Evolution of mobile subscriber

• Early days: Convenient! Hmm. Pay for it?
• Today: Morning – Infotainment; During the day – Productivity; Evening – Entertainment

Mobile subscriber needs increasing, but is security improving?

Changing business models

MARKET DRIVERS:
• Multiple Deployment Options. Who owns the user?
• Browser enabled phones. Who controls the application?
• Free Bandwidth. Who owns the network?

New business models driving the market. What is the impact on security?

Next generation security conundrum

• Multiple security requirements
  – Authentication, User Privacy
  – Securing service layer
  – Securing Applications
  – Securing the network
  – Securing Devices
• Devices are challenged
  – power, computing
  – cost, form-factor
• Business models are changing
  – Deployment models
  – Ownership of bandwidth, application

[Figure: three axes labelled Security Requirements, Device Limitations, New business models]

Changing landscape: Multiple orthogonal dimensions

Flat IP

• What is Flat IP, and Why?
  – Consolidation of “wireless functions” at the edge
  – Evolution from existing systems
  – Capacity improvements (cross-layer optimization)
  – IP aware base stations
  – Reduce complexity, ease of management and upgrades
• What about security? Securing the cell-site!
  – Cryptographic security not physical security
  – Means to satisfy cell-site security:
    • Tamper resistant, secure computing environment
    • Secure interfaces
    • Protection against intrusion, eavesdropping, DoS, etc

Flat IP: Security not an after-thought

Flat IP security architecture: Securing access

Cell-site vault provides:
1. Physical security for all session keys maintained by cell site
2. Performs ciphering and integrity protection for user and signaling plane
3. Secure tunnels to home agent and AuC/AAA

[Figure: User equipment (SIM, protocol stack) ↔ Flat system’s cell site ↔ Public/private IP network (IP Gateway, IPSec Gateway, AAA). The cell site contains the cell-site vault, a secure tamper resistant computing environment holding the session keys (ik + ck), the SLP+RLP “FA” and the protocol stack. Labels: shared secret key between SIM and AAA; AAA delivers ck + ik session keys to the vault; rr + signaling and the bearer path are protected with ik + ck; IPsec secure tunnels from the cell site to the gateway and inter-cell site]

Network layer security

• Network layer security: From CMIP to Simple IP with PMIP
  – Security assumptions
    • Mobility Agent is in secure environment: Node specific keys
    • Mobility Agent is in insecure environment: User specific keys
  – Key bootstrapping problems
    • Multiple solutions being proposed in standards based on network assisted “single-sign-on”
• Local breakout
  – What? - How do we keep “local traffic local”?
  – How? - Multiple solutions under discussion
    • Example: supported through ‘route optimization’ in mobile IPv6
    • Is there a network based solution that is secure and ‘universal’?

IP layer mobility – Evolving towards secure network based solutions

Securing applications?

• Brave new world of mobile applications – are they secure?
• What is security at the application layer?
  – Privacy – e2e privacy especially for mobile-to-mobile applications
    • New paradigm: Secure identity based authenticated key agreement
      – Applies even if users are in two different networks
      – Can provide e2e security without risks and responsibilities of key escrow
  – Trust – Example: guarantee application is not a virus
    • Mobile handsets are thin clients, very diverse operating systems
      – Challenges: Easier to attack, computationally deprived environment
    • New paradigm: Network based methods to ‘filter’ applications
      – Challenges: How to make this computationally efficient and cost effective?

Mobilizing Internet Applications: Emerging paradigms and new trends

Other next generation considerations

• Multiple deployment options – Security architecture “evolving”
  – Macro cellular: High mobility and outdoor environments
  – Micro cellular: Hot spots and coverage holes (low mobility)
  – Pico cellular: Enterprise environments with licensed spectrum
  – Femto cellular: Home environments with licensed spectrum
• Threat models and security requirements differ
  – May span across “providers”

New deployment options require fresh look

IP services over mobile wireless: New paradigms to launch attacks!

[Figure: Radio Network Controller and Packet Core, with Signaling Exhaustion hitting the controller and Bandwidth Exhaustion hitting the packet core]

• VPN Users can Consume on Average, 10x the Airtime as Typical Users
• P2P Users Download 10’s of GB per day, Consuming 30% of Bandwidth
• Email Delivery Devices on Average, cause 10X the Signaling Load as Phones or Aircards Used for Web-browsing
• Infected / Malfunctioning Devices Consume Disproportionate Amounts of Signaling Resources

Mobile DoS: Need new tools!
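The signaling- and bandwidth-exhaustion patterns listed above suggest a simple per-device baseline check that a packet-core operator could run over its own event feed. The following is an added example, not code from the talk or from Alcatel-Lucent; the log format, device names and the 10x / 30% default thresholds (taken from the slide's figures) are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample log (not from the talk): "timestamp device event bytes".
# Device ids are placeholders; a real feed would carry IMSI/IMEI and RNC/SGSN fields.
# dev-D is a constructed "chatty" device that re-registers 40 times in a minute.
SAMPLE_LOG = """\
09:00:01 dev-A ATTACH 0
09:00:02 dev-A PDP_ACTIVATE 0
09:00:05 dev-A DATA 1500
09:00:06 dev-B ATTACH 0
09:00:07 dev-B DATA 900000
09:00:10 dev-C ATTACH 0
09:00:11 dev-C PDP_ACTIVATE 0
""" + "".join(f"09:01:{i:02d} dev-D RAU 0\n" for i in range(40)) + "09:02:00 dev-D DATA 200\n"

# Control-plane event names are assumed; DATA is the only user-plane record.
SIGNALING_EVENTS = {"ATTACH", "DETACH", "PDP_ACTIVATE", "PDP_DEACTIVATE", "RAU", "PAGING"}

def parse_log(text):
    """Yield (device, event, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])

def signaling_outliers(text, factor=10.0):
    """Devices whose signaling-event count is >= factor x the median across devices."""
    counts = defaultdict(int)
    for dev, event, _ in parse_log(text):
        if event in SIGNALING_EVENTS:
            counts[dev] += 1
    if not counts:
        return {}
    median = max(statistics.median(counts.values()), 1)  # guard an all-zero baseline
    return {d: n for d, n in counts.items() if n >= factor * median}

def bandwidth_hogs(text, share=0.30):
    """Devices carrying at least `share` of all user-plane bytes in the window."""
    volume = defaultdict(int)
    for dev, event, nbytes in parse_log(text):
        if event == "DATA":
            volume[dev] += nbytes
    total = sum(volume.values())
    if total == 0:
        return {}
    return {d: round(v / total, 3) for d, v in volume.items() if v / total >= share}
```

Both checks return the offending device ids with their measured count or share, so the output can feed a rate-limit or quarantine decision rather than only a report.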

Nextgen devices: A purist’s nightmare vs the ELEGANT engineer’s solution

The purist’s nightmare:
• Not enough battery power
• Not enough processing power
• 16 OS’s and are too thin
• Free 4G BW with worms on the side
• Free applications & viruses to go!

The ELEGANT engineer’s solution:
• 2 words: Mini Browser!
• I have a SOLUTION

Food for thought!

Thank You!

Ganesh Sundaram
[email protected]
973-739-4489