Safeguarding mobile devices and wireless network infrastructure in a broadband mobile world

by Frédéric Bastien, John Garrison, Don Keeler, Emily Nichols, and Paul Tse

Nortel Technical Journal, Issue 3, pages 46–51

For nearly two billion GSM, UMTS, and CDMA wireless subscribers around the world, the advent of mobile broadband applications such as wireless streaming video and real-time collaborative videoconferencing is increasing productivity and bringing a rich world of information whenever and wherever it is needed. Wireless operators, however, face significant challenges: they must protect mobile devices from hackers, virus writers, and others with malicious intent, and they must also secure their own network infrastructures against attacks launched from those same mobile devices. Nortel is combining its industry-leading experience across all the major wireless technologies, its broad range of security products, and its standards leadership and understanding of end-to-end security requirements to design and deliver the security solutions that wireless operators will need to meet these challenges.

Mobile broadband is emerging as the new access reality for next-generation communications. Until now, mobile devices were mostly based on proprietary operating systems, had fairly limited processing capabilities, and lacked high-speed access to Internet applications. However, in much the same way that high-speed DSL and cable Internet access have supercharged wireline operators' businesses, Universal Mobile Telecommunications System (UMTS), High Speed Downlink Packet Access (HSDPA), and CDMA 1xEV-DO (evolution data optimized) technologies are giving wireless operators the bandwidth boost needed to do the same. New mobile devices now enjoy megabit-per-second access to the Internet, can store gigabytes of information on memory cards or embedded memory, have much stronger processing capabilities, and run industry open-standard operating systems such as Windows Mobile, PalmOS, and Symbian.

These new capabilities, however, are bringing mobile devices and communications increasingly into the sights of hackers, spammers, and virus writers. Today, wireless broadband service providers have become increasingly aware that they must protect not only their subscribers from such traditional Internet threats as viruses, spam, worms, and trojans, but also their own infrastructures from offending mobile device behavior that could compromise subscriber data, corrupt billing records, or even congest network resources – denying not only data service but also voice service to subscribers, with a consequent hit to the wireless operator's revenue line.

Nortel is uniquely positioned to help wireless service providers protect their network infrastructures and mobile devices. Nortel offers network infrastructure products and professional security services for all of the major wireless technologies, providing the opportunity to integrate security detection, mitigation, and preventative measures where they are most effective in the network. Nortel, for example, already provides mobility applications for more than 300 customer networks – with more than 240,000 wireless base stations deployed worldwide. Nortel was also the industry's first supplier with wireless networks operating in all advanced radio technologies (GSM/GPRS, CDMA2000 1X, UMTS, and WLAN) and is the only end-to-end provider of all next-generation wireless solutions, including HSDPA and 1xEV-DO.

Nortel also pioneered the Wireless Mesh Network solution, which incorporates several security features, such as an implementation of the Robust Security Network (RSN) defined in the IEEE 802.11i security standard. This solution extends wireless LAN (WLAN) coverage across a much larger area than such traditional hotspots as airports and Internet cafes, and beyond the conference rooms and kiosks of enterprise campuses. (For more on Nortel's Wireless Mesh Network and its security architecture, see Issue 2 of the Nortel Technical Journal, page 20, at www.nor- … pdf.)

In addition, Nortel offers a broad range of layered defense security solutions – including firewalls, intrusion detection and intrusion prevention systems, and secure VPN gateways and routers – that provide multiple levels of protection across the network (see the articles on page 28 and page 37). As well, Nortel's experience in security forensics and its protocol expertise enable effective solutions to be architected and designed to protect a wireless operator's evolving network. Finally, Nortel's Global Services organization helps wireless operators protect themselves from the host of aforementioned threats by designing and integrating security seamlessly into their wireless infrastructures.

Wireless security challenges

Although many of the underlying security risks are the same as in wireline broadband networks, the security threats associated with mobile data devices and with the wireless network infrastructure elements are more numerous, varied, and often unique, and they must be addressed with tailored solutions.

When a mobile device connects only through a particular service provider's wireless network, it – and by extension, the operator's network infrastructure – can be protected by firewalls, anti-virus, and other in-line security mechanisms deployed in that infrastructure. However, to increase their usefulness, mobile devices often have multiple ways of staying "connected," allowing a single device to be accessible across different environments, including cellular packet data networks (CDMA 1xEV-DO, GPRS, EDGE, UMTS), Bluetooth, WiFi, and mobile-to-mobile connections. Ease of mobility between network environments and the ability to roam into visited networks mean that the operator's network has to deal with devices that it neither knows nor manages – across many different types of mobile phones and several different operating systems (unlike the wireline world, where the Microsoft OS dominates). For a wireless service provider, the additional threats resulting from connectivity outside of its control make it more difficult to protect its subscribers' mobile devices, which in turn presents challenges when introducing secure value-added and revenue-generating applications and services to these subscribers.

   Figure 1. Nortel's wireless gateway hosted security suite

   [Diagram: GSM/UMTS access through the GGSN and CDMA access through the Home Agent (HA) both connect to the Internet/intranet; the wireless gateway hosted security suite on those nodes comprises FW, UF, VPN, IPS, AV, and EPC.]

   Nortel's hosted security suite is being integrated on Nortel wireless gateway nodes that provide the interconnection between wireless networks and the Internet/intranet – the Gateway GPRS Support Node (GGSN) in GSM/UMTS wireless networks, and the Home Agent (HA) in CDMA wireless networks. Because these wireless gateways see all the data traffic going between the mobile devices, in addition to the traffic between the mobile devices and the Internet, they are an ideal location for hosting the security suite.

   The hosted security suite includes a stateful firewall (FW), URL filtering (UF), and virtual private network (VPN). An intrusion prevention system (IPS) and anti-virus (AV) protection are being developed. Endpoint compliance (EPC) is a future capability that will allow the network to query the mobile terminal to determine what security software it has in place (such as firewalls, up-to-date signatures, etc.) and then make a decision on whether to grant the mobile device access to the network.

   One function of the GGSN and HA is to assign the IP address that will be used by the mobile device. When mobile devices are anchored off the same GGSN node or the same HA node, traffic between mobiles (for music sharing, for example) can pass directly through that node in peer-to-peer fashion without having to go through the Internet/intranet. The GGSN or HA can enable direct mobile-to-mobile connection because it knows, or "owns," the IP addresses of both mobiles, and can therefore bypass having to route the traffic between them through the Internet/intranet.

   Unlike security solutions that rely on external nodes to provide such functions as anti-virus protection or intrusion protection to secure this mobile-to-mobile traffic – which requires the traffic to be routed out into the wireless operator's network and back again – Nortel's solution of centralizing an integrated suite of security services on the gateways protects this traffic more effectively and efficiently, while making it easier to upgrade or add new security capabilities.

What's more, in an environment of "always on" high-speed mobile data, undesirable and unsolicited packet traffic, such as common port scans, that is of no great concern in wireline networks can consume valuable radio resources and create denial of service (DoS) conditions on the access network – affecting not only wireless packet data services but also the wireless provider's voice services that share the same scarce radio resources. (On a cellular network a single unsolicited packet addressed to an idle handset forces the network to page it and re-establish its radio bearer, so even traffic the handset will simply discard consumes air-interface capacity.) Such DoS attacks are especially worrisome for wireless operators since voice services still generate the overwhelming majority of their revenue.

For example, a mobile device that connects over WiFi, Bluetooth, or other non-secured means can become infected with a virus or worm, and that infection may try to propagate when the mobile device reconnects to the wireless service provider's network. Indeed, Cabir, the first worm written for mobile phones, was identified in mid-2004 and spread from handset to handset as an installation file pushed over Bluetooth connections. An attacker needs only to find a device with a discoverable, open Bluetooth interface to push a virus or other form of malware at it, although the recipient normally still has to accept the incoming file before it can run.

To a large extent, mobile-to-mobile traffic within wireless networks is not addressable by existing security mechanisms. Traditional firewalls and threat

  Nortel joins forces with Websense to protect mobile users from the dangers of the Internet

  Nortel has teamed up with Websense, Inc. to deliver an innovative URL filtering and security solution that helps protect GSM/UMTS mobile handsets and devices (including computers using GPRS/UMTS PCMCIA data cards) from unwanted or even malicious content from spammers, hackers, and overly aggressive marketers who are increasingly targeting wireless subscribers. Nortel's initial deployment is targeted for GSM/UMTS-enabled devices, although Websense's solution will work with any device and is independent of the access technology (CDMA, UMTS, LAN, or WLAN).

  Delivering a new level of protection for mobile devices, this solution combines Websense's web security and filtering expertise with Nortel's leadership in end-to-end packet networking technology to put more intelligence into the network and position wireless operators to deliver secure, reliable next-generation services and applications to end users globally.

  Specifically, Websense's URL filtering technology is being combined with Nortel's Gateway GPRS Support Node (GGSN) platform, which provides the interconnection between GSM/UMTS wireless data networks and external data packet networks. The GGSN wireless packet core solution integrates wireless and IP value-added services and enables personalized IP packet inspection and filtering for a given user's data session. This capability enables different filters to be applied to different accounts according to the preferences of the user (i.e., allowing certain content for some users, but blocking it for others).

  Websense provides the URL database that is queried by the GGSN. The database returns an allowed/disallowed indication to the GGSN, which then redirects disallowed requests to a web page indicating that access has been blocked. To ensure that the URL database is kept up to date, it receives automated updates.

  A market leader

  Websense's best-of-breed web filtering and web security solutions have been deployed with more than 24,000 organizations worldwide. The company was recently named the market share leader in the web filtering software segment of the secure content management (SCM) market for the third consecutive year (IDC, October 2004).

  The innovative Nortel/Websense URL filtering and security solution not only protects mobile handsets and devices from content that could interfere with voice and data services, but also blocks the download of malicious code. It allows GSM/UMTS wireless operators to set mobile handset and device Internet access policies for subscribers across three URL filtering categories – security threats, adult material, and undesirable content. Each category contains content in a variety of subcategories to allow for flexible and carefully defined policy settings.

  To block threats and unwanted content found on high-risk websites, subscribers can request that the operator automatically restrict or block access, which, for example, could be used by parents to prevent their children from viewing inappropriate or dangerous material, such as adult content.

  The Websense web filtering and web security software fully and seamlessly supports the Wireless Application Protocol (WAP) and Wireless Markup Language (WML) for wireless browsers, along with their wireline browser counterparts HTTP and HTML, providing mobile handset users accessing the Internet the same level of protection that traditional browser-based users already receive from Websense software.

  This alliance with Websense is yet another step toward building a complete integrated security service that Nortel can deliver to wireless operators. As Nortel continues to enhance the security service's suite of capabilities, Nortel will be able to provide operators with market-leading security solutions their subscribers need and want.

protection systems, for example, can't currently be effectively deployed in the mobile-to-mobile subscriber services path, because the wireless radio links themselves have special characteristics that do not lend themselves to these typical IP security solutions (for example, the traffic is tunneled differently). Based on its broad networking expertise, Nortel is currently exploring with customers a number of innovative solutions that will address this challenge.

In addition, malware can infect a mobile device through the sharing of removable media, such as Secure Digital or CompactFlash memory cards, or through the synchronization of email, calendars, files, and other applications with desktop PCs. With malware able to propagate in either direction between the mobile devices and PCs, cross-contamination can result – with wireless devices infecting PCs in the network, and vice versa.

Malware is also becoming increasingly problematic as mobile devices acquire multimedia web browsing capabilities beyond just text and static images. Increasingly, malware can be attached to short message service (SMS), images, video, instant messages, and other forms of media, making them more susceptible to attacks in much the same way as PC web browsers with multimedia

Such threats complicate the ability of the wireless service provider to secure not only its wireless infrastructure but also its ability to offer effective hosted security to its subscribers, because, at least for now, traditional protection mechanisms exist only while connected to the wireless service provider's own network. Without this level of protection, wireless operators will find it difficult to expand on the range of IP-based services that consumers will trust and accept.

   Figure 2. Carrier endpoint compliance – solution elements

   [Diagram: access requester, policy enforcement point (edge switch), and policy decision point (AAA server backed by a security policy server); a remediation server is attached to the enforcement point.]

   Endpoints are a major risk area both to users (individual subscribers or businesses) and to carriers. Mobile endpoints have diverse operating systems, are packed with the latest multimedia capabilities, and have multiple intrusion paths aside from the carrier's IP access – all of which contribute to increased security risks that aren't addressable from conventional network-based defenses.

   Effective endpoint compliance ensures that devices – such as smartphones, PDAs, laptops, and BlackBerry devices – do not pose a security threat to either the network or the user. Typically, the carrier will enforce broad endpoint compliance policies to protect the network, and apply additional policies through security policy controls on individual subscribers and/or subscriber groups based on their needs. For example, devices can be inspected to ensure that they have various security features mandated by a corporate security policy, such as anti-virus programs, firewalls, intrusion detection and intrusion prevention systems, passwords, encryption, or the patch level that closes a known attack. Based on this information, the edge switch can either deny or grant access to the network based on the device's compliance with the policy controls. To enable this control, endpoint compliance client software must be installed on the device, either through download or at point of sale. Because that posture report is produced by software on the very device being checked, a compromised device can misreport its state; the check raises the bar for an infected endpoint but is not proof of a clean one.

   As shown in the diagram, access to the network is granted or denied by an edge switch, such as Nortel's Packet Data Serving Node (PDSN) or Gateway GPRS Support Node (GGSN), which is also responsible for assigning IP addresses and routing packets. The information on which to make the decision is obtained from an authentication, authorization, and accounting (AAA) server, which consults a security policy server to determine whether the subscriber meets the security policy control and subscription requirements; that is, to confirm that the endpoint device has the proper security configuration and the subscriber has the right to access the requested information. If it is determined that the subscriber or device does not adhere to network security policies, the edge switch can also interface with a remediation server to help the denied devices achieve compliance.

Nortel's hosted security suite

Nortel is at the forefront of building a comprehensive hosted security suite that will enable operators to offer their
customers an integrated set of security features (including URL filtering and intrusion protection services) to prevent, detect, and combat attacks on their wireless devices.

Expected to be offered by operators as part of a bundled services package, hosted security services differ from managed security services in that they are centralized in the operator's network, rather than being distributed at customers' sites. Centralizing these services simplifies the operator's task of managing security software updates and other such tasks across the wide variety of mobile devices and wireless operating systems that currently populate the wireless space.

Nortel's hosted security suite (Figure 1) is being designed to incorporate a broad spectrum of security features, including:
• customer-visible security measures, such as anti-virus, anti-spam, URL filtering, and other protection mechanisms;
• background security measures, which look for specific signatures in the headers and run without the knowledge of the user. These measures include DoS and distributed DoS (DDoS) prevention, per-user firewall protection, and intrusion prevention/detection systems;
• "one-time" security services requested by the user – for example, remote automatic backup/restore of information such as directory lists and programs on the mobile device, or handset data reset to restore the device to an earlier backed-up state if it becomes infected with a virus.

This "peace of mind" hosted security suite sits on Nortel's industry-leading wireless gateways – the Gateway GPRS Support Node (GGSN) in GSM/UMTS packet networks and the Home Agent (HA) in CDMA networks. The GGSN and HA are ideal places to apply such advanced security services since, unlike standalone security appliances that would be positioned at peering points, they are aware of the subscriber's identity and policies, are responsible for generating billing information, and are able to act on both Internet-to-mobile and mobile-to-mobile communications.

Locating the security suite on the Nortel GGSN and HA products also takes advantage of their existing security mechanisms, including integrated state-aware subscriber firewalls, DoS/DDoS prevention, and anti-spoofing protection.

A state-aware subscriber firewall limits a subscriber's access based on local policies applied on a per-subscriber basis through IP packet filtering mechanisms. Stateful firewalls use a traffic inspection algorithm to keep track of the status of each connection and regulate traffic flows accordingly (typically, forward traffic, drop traffic, or drop and log traffic). Stateful firewall traffic inspection rules are based on a combination of such attributes as source IP address, destination IP address, and TCP/UDP port number.

DoS/DDoS attack prevention uses signature detection (verifying that there is a properly formed header in the message) to recognize an attack. The goal of DoS/DDoS attacks is not to gain unauthorized access to machines or data, but rather to prevent the legitimate users of a service from using it. A DoS/DDoS attack can come in many forms. Attackers may "flood" a network with large volumes of data or deliberately consume a scarce or limited resource, such as process control blocks or pending network connections. Attackers may also disrupt physical components of the network or manipulate data in transit, including encrypted data. A DoS attack is launched from a single node (mobile or otherwise), for example by continually sending requests to a server until it is tied up and cannot handle other tasks; a DDoS attack is launched simultaneously from many nodes, typically compromised machines ("zombies") under the attacker's control.

Anti-spoofing protection prevents an unauthorized person from impersonating an authorized user to gain access to the network. The anti-spoofing policy ensures that packets sent by a terminal carry the source IP address originally assigned to that terminal by the gateway. It also ensures that a packet received from the Internet does not have a source address that falls within the set of addresses known to be located on the access side, since such a packet would normally be expected to come from a mobile device and not from the Internet.

URL and web content filtering controls access to websites based on the access privileges of the subscribers, and enables an operator to block website access based on configurable categories selected by the subscriber. The URL database in Nortel's solution is provided by Websense, a leading URL and web content filtering solutions provider (see sidebar on page 48). The major filtering categories are:
• security threats – sites that enable phishing, keyloggers, malicious code, spyware, and hacking;
• adult material – sites that are deemed pornographic in nature and suitable for viewing only by adults; and
• undesirable content – sites that promote violence, drug use, gambling, or illegal activity, as examples.

Intrusion prevention systems (IPS) use techniques such as signature detection and, more importantly, anomaly detection to prevent security breaches in the network arising from hacker activity, trojans, protocol exploits, scan attacks, and worms. Sophisticated anomaly detection algorithms help prevent not only the onset of attacks where signatures are known but also new threats, without having to wait for signatures to be developed, by correlating such events as network scanning activity that can precede an attack. An IPS based in the network provides more effective protection than intrusion protection only at the user device because there is more information available to detect the anomalous behavior – while an individual user device can see only what's hitting it, a network device can see that same event hitting many users in sequence. Moreover, network-based security solutions allow the signature and anomaly databases that characterize the latest security threats to be kept current, ensuring that once a new threat is identified, preventative measures can be taken immediately and applied across the subscriber population. Nortel is partnering with third parties to provide these IPS capabilities.

In addition to these security measures, the Nortel GGSN and HA gateways support IPsec VPNs that provide triple DES (3DES) or AES (Advanced Encryption Standard) encryption. IPsec VPNs enable operators to offer cryptographically protected delivery of data traffic from users' mobile devices to the enterprise's network, allowing medium and small businesses to benefit from network-based VPN services with management of the VPN and authentication of subscribers outsourced to the network operator. (In this network-based model the IPsec tunnel terminates on the gateway, so the radio leg between the handset and the gateway is protected by the air-interface ciphering rather than by IPsec.) With the GGSN and HA, each VPN has its own routing domain, which ensures that data is not passed between VPNs and allows the VPNs to manage overlapping address spaces.

Advanced security capabilities

In addition to developing the operator-hosted security suite to protect mobile devices, Nortel is also moving forward on a number of innovative technology solutions to protect wireless network infrastructure elements from attacks launched from the mobile devices.

As an overall strategy, Nortel advo-

  Mobile IPsec: Secure wireless mobility made simple

  by Ron Pon

  Combining the proven security features of an IP Security (IPsec) VPN with full mobility, Nortel's ground-breaking Mobile IPsec technology offers a new way to keep IP sessions both secure and uninterrupted as users roam or change networks – a critical component of any online service where private or confidential information is exchanged.

  Currently delivered on Nortel's VPN Router portfolio (formerly Contivity), Mobile IPsec is unique in the industry in that it requires no additional deployment of network infrastructure or client software, and almost no configuration on the part of the administrator. Other solutions involve extremely complex deployments of Mobile IP, or overlay solutions that require mobility servers and additional client-side software, resulting in higher operating costs, additional administration, and lower network performance. For its innovative application of

  one of the most trusted protocols for secure communications.]

  Mobile IPsec is an ideal complement to mobile applications. As users roam from network to network, their VPN connection remains intact, providing uninterrupted access to applications and data. Because the VPN session is persistent, users do not have to log on again to restart their VPN tunnel. Connectivity for any application is maintained, enabling multimedia, voice, video, email, and file transfer sessions to remain intact.

  Mobile IPsec, in effect, mobilizes applications that may not otherwise work for the roaming user. In a wireless LAN (WLAN) environment, for example, users can roam between floors or buildings, docking and undocking their notebooks as they switch between wired and wireless networks, while still keeping their VPN connection alive. The persistent IPsec connection ensures that a user keeps the same virtual IP

  Should the VPN tunnel fail, Mobile IPsec includes the capability to transfer the session to an alternate switch without requiring the user to log on and authenticate again. This capability could be used, for example, where an enterprise uses different internal and external software requirement sets (SRSs) – rules that define security policy requirements on the network – to secure its WLAN access and remote access, respectively. It would enable a user session to be transferred from the internal SRS to the external SRS when roaming from the WLAN network to the WWAN network, as well as allow the user to roam between WLANs connected to different internal SRSs across a large campus.

  Through its innovative application of technology in Mobile IPsec, Nortel is providing new capabilities that work toward making our increasingly mobile world safe and easy.
  IPsec technology in a mobile setting, the    address even as the physical IP address
  Mobile IPsec development team won a          changes on the notebook.                        Ron Pon is Senior Network Security
  Nortel Technology Award of Excellence,           In a wireless WAN (WWAN) environ-           Architect in the CTO Office, and the
  which recognizes innovations that deliv-     ment, Mobile IPsec enables users to             original inventor of this technology. Ron
  er clear customer value and contribute       maintain the same VPN session as they           also leads Nortel’s participation in the
  to Nortel’s overall industry leadership.     roam between GPRS/EDGE, CDMA,                   Trusted Computing Group, an organiza-
  [IPsec is a set of protocols developed       GSM/UMTS, and other wireless/wireline           tion driving what could well be the next
  by the Internet Engineering Task Force       networks. What’s more, users can main-          revolution in secure computing.
  (IETF) to support the secure exchange        tain their VPN session even when moving
  of packets at the IP layer. It has become    between WLAN and WWAN environments.

                                                                                                           Nortel Technical Journal, Issue 3   51
cates a layered defense approach that is      the ability to overcome unique security      IPsec implementations can be added.
designed to provide multiple levels of        and regulatory complications as voice        For example, a firewall policy that al-
protection as traffic traverses different      and data services converge. For example,     lows mobile-initiated services to access
network layers and domains. (In this          as mobile Voice over IP (VoIP) imple-        the wireless network could be com-
context, “network layers” do not refer        mentations expand, the need to protect       bined with a threat protection system
to the ISO protocol stack layers.) While      the network infrastructure from data-        that is allowed to close the associated
Internet-sourced attacks on mobile            enabled threats increases. Protection        ports on command – providing the
devices, the carrier infrastructure, and      deployments, however, must also take         operator with services flexibility, low
on the Internet/carrier data network          into account the requirements of such        administrative overhead for services
boundary must also be considered in           voice services as emergency 911 calls,       provisioning, and dynamic protection
designing a secure network, they are          where service cannot be denied under         against known (signatured) and zero-
well covered by familiar security solu-       any circumstances, irrespective of associ-   day (anomalous) attacks.
tions deployed at network perimeters          ated threat vectors.                            The third layer of defense is at the
(see article on page 28) and are not dis-        The second layer of defense is at the     application point of presence. Because
cussed in this article, which focuses on      services edge which, because of its posi-    this layer processes only application-
the issues specific to mobility networks.      tion adjacent to the Internet and carrier    specific traffic, security measures are
   The first layer of defense is at the ac-    application layers, is the main threat-      tailored to specific threats. Specific
cess edge layer, where the goal is to pro-    blocking point in the network architec-      authentication and authorization rules,
tect the wireless operator’s network as-      ture for IP-based traffic.                    combined with traffic protection at
sets from offending mobile devices and           Effective protection at the services      the services edge, provide a compre-
software by enforcing security policies       edge requires stateful awareness of all      hensive threat capture and prevention
before network connections are allowed.       subscriber sessions and traffic in order      mechanism. As voice and multimedia
Threat protection at this layer must ef-      to control traffic into and out of the        services converge onto packet-based
fectively contend with high-speed, low-       Internet domain. However, the benefits        networks, they are treated like other
latency, rapid-transaction connections,       that operators receive from the deploy-      data applications, such as email and
as well as with the hundreds of different     ment of public network access in terms       HTTP web browsing. These converged
mobile device types ubiquitously ac-          of lower capital outlays and reduced         services require strict authentication,
cessing the network – each potentially        operating expenses must be balanced          authorization, and traffic protection
having slightly different application-us-     against the increased security exposures     measures (protocol correctness, buffer
age and threat-vector profiles. At the         associated with forgoing the use of          overflow prevention, and distinction
device level, effective threat protection     trusted networks for interfacing to an       between control and content). These
uses Nortel’s endpoint compliance ar-         Internet point of presence. Fortunately,     requirements become more challenging
chitecture paired with various endpoint       not all traffic from the access edge          in a mobile environment where there is
protection capabilities (such as Nortel       crosses the services edge, and also there    movement between network domains
services edge routers’ firewalls, anti-virus   are fewer mobile device types with con-      and between IP addresses, and where
protection, automated OS and applica-         nections crossing the services edge. As      accessibility through roaming networks
tion patching, and device passwords).         a result, carriers have the opportunity      must be maintained.
   Since all traffic in the network passes     to tailor protection profiles to a limited       The fourth layer of defense is a re-
through the access edge, Nortel provides      number of specific services edge device       stricted defense center zone – a private
additional protection within the carrier’s    types, allowing them to focus their secu-    network maintained by the wireless
network by deploying a Nortel firewall         rity defense architecture.                   operator’s security operations center
at the services edge, and by introducing         At this level, deploying a combina-       – where mission-critical services [such
intrusion detection/prevention along          tion of dynamic stateful firewalls and        as home location registers, home sub-
the subscriber services path via Nortel’s     intrusion prevention and intrusion de-       scriber services (HSS), domain name
Threat Protection System (see page 35).       tection systems, such as Nortel’s Threat     system (DNS), and authorization,
Nortel can further enhance access edge        Protection System, along the subscriber      authentication, and accounting (AAA)]
security by engineering network ad-           services path (for anomaly detection)        as well as private and sensitive data are
dress translation (NAT) and endpoint          will protect the carrier’s network against   protected by maintaining separation
compliance strategies into the overall        port scans, worms, trojan horses, virus-     between application and bearer traffic.
network design.                               es, and DoS attacks. To provide a fuller     Host-based intrusion protection at the
   Here, the combination of Nortel’s          defense, NAT, Layer 2 traffic manage-         server level, combined with tight cou-
security expertise and awareness of the       ment services, anti-virus scanning, con-     pling to endpoint compliance strate-
network infrastructure gives operators        tent filtering, anti-spam blocking, and       gies, provide the most effective security

protection at this level.

Using integrated network designs and implementations, Nortel’s security solutions for wireless networks can identify security threats and take appropriate actions to counter the threat. By leveraging Nortel’s awareness of the network, offending devices can be selectively and effectively quarantined. The combination of Nortel’s wireless services edge routing products, standard authorization products, and Nortel’s Threat Protection System enables threats along the subscriber services path to be detected, notifications sent to the authentication servers, and offending data sessions redirected and suspended while remedial action is taken by the operator.

Infrastructure security: management plane

Securing the management plane is also a critical part of an end-to-end security solution. Network management nodes contain management policies and databases that are critical to the operation of the network.

To protect this part of the network, Nortel is working to ensure that its wireless products comply with Nortel’s company-wide set of baseline security requirements (see article on page 20). These baseline security requirements – covering everything from platform and OS hardening (turning off unused services, closing unused ports, etc.), to strong authentication and encryption capabilities, and support for a security audit trail – apply to all types of network-connected devices, including mobile devices, network infrastructure elements, and application servers. For example, platform hardening on a smartphone may include staying up to date with security patches and running a mobile Internet security solution that includes a firewall, anti-virus, and intrusion prevention technologies. Implementing these Nortel baseline measures significantly reduces the risk of a security breach for wireless customers, and demonstrates Nortel’s commitment to providing secure network solutions.

With the growth of wireless broadband services, mobile network operators are facing similar security challenges as their wireline counterparts. However, the wireless security threat vectors are broader and require specific solutions that cannot be delivered without in-depth knowledge of wireless network architectures and operations.

Nortel is leveraging both its security expertise coming from the enterprise and wireline businesses and its extensive field experience in designing, building, and optimizing mobile networks. The combination of these strengths provides a portfolio of security solutions and services tailored for mobile operators, encompassing a suite of GGSN- and PDSN/HA-hosted security services to protect wireless end users, a wireless-specific layered defense strategy to protect the network infrastructure itself, and baseline security measures to protect the management plane of the wireless network from both internal and external attacks.

Frédéric Bastien is Product Line Manager Leader for GSM/UMTS Systems.
John Garrison is Product Line Manager for CDMA Packet Data Solutions.
Don Keeler is Product Line Manager for GSM/UMTS Core Network Evolution.
Emily Nichols is Product Line Manager for GSM/UMTS System Security.
Paul Tse is a Practice Advisor in Security Professional Services.
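The session continuity described in the Mobile IPsec sidebar above (the user keeps the same virtual IP address while the physical address changes, and the session can move to an alternate switch without a fresh log-on) rests on a property standard IPsec already has: a security association is selected by its SPI and proven by the session key, not by the packet's source address. The Python model below is an added example written for this page, not Nortel's Mobile IPsec implementation. The gateway class, the HMAC tag standing in for ESP integrity protection, the replicated SA table used for failover, and all keys, SPIs and addresses are constructed assumptions.

```python
"""Added example, not Nortel's Mobile IPsec: a toy model of why an IPsec-style
session survives a change of physical address. The gateway selects the
security association (SA) by SPI and authenticates each packet with the
session key, so the outer source address is only a transport detail that can
be updated in place; an alternate gateway holding a replicated copy of the SA
table accepts the same session after failover. All values are constructed."""
import copy
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    key: bytes           # session key agreed at the one initial authentication
    virtual_ip: str      # inner address the applications see; stable across roams
    outer_addr: str      # physical address packets currently arrive from
    last_seq: int = 0    # anti-replay: highest sequence number accepted so far


def auth_tag(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC over SPI, sequence number and payload (stands in for ESP integrity)."""
    msg = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_packet(key: bytes, spi: int, seq: int, src: str, payload: bytes) -> dict:
    """Client side: build an authenticated packet sent from outer address `src`."""
    return {"spi": spi, "seq": seq, "src": src, "payload": payload,
            "tag": auth_tag(key, spi, seq, payload)}


class Gateway:
    def __init__(self, name: str, sa_table: dict):
        self.name = name
        self.sa_table = sa_table        # spi -> SecurityAssociation
        self.roam_events = []           # (virtual_ip, old_outer, new_outer)

    def receive(self, pkt: dict):
        """Return (virtual_ip, payload) for an accepted packet, else None."""
        sa = self.sa_table.get(pkt["spi"])      # lookup by SPI, not by source address
        if sa is None:
            return None
        expected = auth_tag(sa.key, pkt["spi"], pkt["seq"], pkt["payload"])
        if not hmac.compare_digest(expected, pkt["tag"]):
            return None                         # wrong key: not this session
        if pkt["seq"] <= sa.last_seq:
            return None                         # replayed packet
        sa.last_seq = pkt["seq"]
        if pkt["src"] != sa.outer_addr:         # user roamed: update, no re-authentication
            self.roam_events.append((sa.virtual_ip, sa.outer_addr, pkt["src"]))
            sa.outer_addr = pkt["src"]
        return sa.virtual_ip, pkt["payload"]


def demo() -> dict:
    """Roam from a WLAN address to a WWAN address, then fail over to a standby gateway."""
    key = hashlib.sha256(b"constructed-demo-key").digest()   # constructed session key
    spi = 0x1001
    primary = Gateway("vpn-router-1",
                      {spi: SecurityAssociation(key, "10.8.0.5", "192.0.2.10")})
    wlan = primary.receive(make_packet(key, spi, 1, "192.0.2.10", b"from WLAN"))
    wwan = primary.receive(make_packet(key, spi, 2, "198.51.100.7", b"from WWAN"))
    replay = primary.receive(make_packet(key, spi, 2, "198.51.100.7", b"from WWAN"))
    forged = primary.receive(make_packet(b"\x00" * 32, spi, 3, "198.51.100.7", b"bogus"))
    # Failover: the alternate switch holds a replicated copy of the SA state,
    # so the client continues with its existing key and sequence numbers.
    standby = Gateway("vpn-router-2", copy.deepcopy(primary.sa_table))
    after = standby.receive(make_packet(key, spi, 3, "198.51.100.7", b"after failover"))
    return {"wlan": wlan, "wwan": wwan, "replay": replay, "forged": forged,
            "after_failover": after, "roams": primary.roam_events}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows a packet accepted from the WLAN address, the same session continuing from a WWAN address with the roam recorded, a replayed packet and a packet under the wrong key rejected, and the standby gateway accepting the next packet because it holds the same SA state. In IKEv2 the equivalent address update is standardized as MOBIKE (RFC 4555).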
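The services-edge combination the article describes (a stateful firewall policy, an anomaly-based threat protection system that can close ports on command, notification of the authentication servers, and redirection and suspension of the offending data session, with emergency voice service never denied) can be sketched as one control loop. The Python below is an added example, not Nortel's Threat Protection System or its policy: the port-scan threshold and window, the UDP port 5060 placeholder standing in for emergency-call signalling, the subscriber identifiers and the flow records are all constructed for illustration.

```python
"""Added example, not Nortel's Threat Protection System: a model of the
services-edge control loop. A detector on the subscriber services path flags
a port scan; the policy engine suspends the offending data session, records
a notification for the AAA server and redirects later traffic to remediation,
while emergency voice traffic is always carried. All values are constructed."""
from collections import defaultdict, deque

SCAN_DISTINCT_PORTS = 20        # assumption: this many distinct destination ports...
SCAN_WINDOW_SECONDS = 10.0      # ...within this window counts as a port scan
# Assumption: emergency-call signalling that must be carried regardless of threat state.
EMERGENCY_SERVICES = {("udp", 5060)}


class ScanDetector:
    """Per-subscriber sliding window of destination ports (anomaly detection)."""

    def __init__(self, distinct_ports=SCAN_DISTINCT_PORTS, window=SCAN_WINDOW_SECONDS):
        self.distinct_ports = distinct_ports
        self.window = window
        self._seen = defaultdict(deque)     # subscriber -> deque of (ts, dst_port)

    def observe(self, flow: dict) -> bool:
        """Record the flow; return True once the subscriber crosses the scan threshold."""
        q = self._seen[flow["subscriber"]]
        q.append((flow["ts"], flow["dst_port"]))
        while q and flow["ts"] - q[0][0] > self.window:
            q.popleft()                      # forget events outside the window
        return len({port for _, port in q}) >= self.distinct_ports


class ServicesEdgePolicy:
    """Stateful decision per flow: allow, drop (first detection) or redirect (quarantined)."""

    def __init__(self):
        self.detector = ScanDetector()
        self.quarantined = set()
        self.aaa_notifications = []          # what would be sent to the AAA server

    def decide(self, flow: dict) -> str:
        if (flow["proto"], flow["dst_port"]) in EMERGENCY_SERVICES:
            return "allow"                   # emergency service is never denied
        sub = flow["subscriber"]
        if sub in self.quarantined:
            return "redirect"                # session suspended; send to remediation
        if self.detector.observe(flow):
            self.quarantined.add(sub)
            self.aaa_notifications.append((sub, "port-scan"))
            return "drop"
        return "allow"


def flow(subscriber: str, proto: str, dst_port: int, ts: float) -> dict:
    """Constructed flow record as a services-edge device might export it."""
    return {"subscriber": subscriber, "proto": proto, "dst_port": dst_port, "ts": ts}


def run_sample():
    """Constructed traffic: one subscriber sweeps 25 ports, then places an emergency call."""
    policy = ServicesEdgePolicy()
    flows = [flow("IMSI-A", "tcp", 1000 + i, i / 10) for i in range(25)]
    flows.append(flow("IMSI-A", "udp", 5060, 2.6))     # emergency signalling while quarantined
    flows.append(flow("IMSI-B", "tcp", 80, 2.7))       # unrelated subscriber browsing
    decisions = [policy.decide(f) for f in flows]
    return decisions, policy.aaa_notifications


if __name__ == "__main__":
    decisions, notes = run_sample()
    print(decisions)
    print(notes)
```

The first 19 flows from the scanning subscriber are allowed, the 20th distinct port trips the detector and is dropped with a notification queued for the AAA server, the remaining scan traffic is redirected, and the emergency signalling from the same subscriber is still carried; the other subscriber is unaffected.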
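The baseline requirements in the management plane section above (turn off unused services, close unused ports, strong authentication and encryption, a security audit trail, current patches, endpoint protection running) apply to every kind of network-connected device, and the access-edge endpoint compliance check decides admission from the same kind of posture data. The evaluator below is an added example, not Nortel's endpoint compliance architecture or its baseline requirements document: the two profiles, the list of weak management protocols, the patch-age limits and the sample posture reports are constructed assumptions.

```python
"""Added example, not Nortel's endpoint compliance architecture: a policy
evaluator that applies baseline hardening requirements to two kinds of
network-connected device and returns an admission decision with findings.
Profiles, limits and posture reports are constructed sample data."""
from datetime import date

# Assumption: per-kind profile of what a device may expose and must run.
PROFILES = {
    "smartphone": {
        "allowed_services": set(),                       # a handset should listen on nothing
        "max_patch_age_days": 30,
        "required_protection": {"firewall", "antivirus", "ips"},
    },
    "infrastructure": {
        "allowed_services": {"ssh", "snmpv3", "https"},  # authenticated, encrypted management only
        "max_patch_age_days": 90,
        "required_protection": {"host_ips"},
    },
}
# Cleartext or weakly authenticated management protocols that hardening turns off.
WEAK_MANAGEMENT = {"telnet", "snmpv1", "snmpv2c", "http", "ftp"}


def evaluate(posture: dict, today: date) -> dict:
    """Return {'decision': 'admit' | 'quarantine', 'findings': [...]}.

    A device with any finding is quarantined: it is kept off the production
    network (or held to remediation) until the finding is cleared."""
    profile = PROFILES[posture["kind"]]
    findings = []
    exposed = set(posture["listening_services"])
    for svc in sorted(exposed & WEAK_MANAGEMENT):
        findings.append(f"weak or cleartext management protocol enabled: {svc}")
    for svc in sorted(exposed - WEAK_MANAGEMENT - profile["allowed_services"]):
        findings.append(f"unneeded service listening: {svc}")
    if not posture["strong_auth"]:
        findings.append("strong authentication not enforced")
    if not posture["audit_trail"]:
        findings.append("security audit trail disabled")
    patch_age = (today - posture["last_patch"]).days
    if patch_age > profile["max_patch_age_days"]:
        findings.append(f"patches {patch_age} days old (limit {profile['max_patch_age_days']})")
    for missing in sorted(profile["required_protection"] - set(posture["protection_running"])):
        findings.append(f"required protection not running: {missing}")
    return {"decision": "admit" if not findings else "quarantine", "findings": findings}


def run_sample() -> dict:
    """Evaluate one compliant handset and one infrastructure node with gaps."""
    today = date(2006, 6, 1)   # constructed reference date
    phone = {"kind": "smartphone", "listening_services": [], "strong_auth": True,
             "audit_trail": True, "last_patch": date(2006, 5, 20),
             "protection_running": ["firewall", "antivirus", "ips"]}
    node = {"kind": "infrastructure",
            "listening_services": ["ssh", "telnet", "snmpv2c", "https"],
            "strong_auth": True, "audit_trail": False, "last_patch": date(2006, 1, 15),
            "protection_running": ["host_ips"]}
    return {"phone": evaluate(phone, today), "node": evaluate(node, today)}


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(name, result["decision"], result["findings"])
```

The handset passes and is admitted; the infrastructure node is held back for telnet and SNMPv2c left enabled, a disabled audit trail, and patches older than the profile allows, which is the order in which the findings are reported.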
