4G Security - Fortinet
4G Security
Rainer Baeder Manager Solution Consultant - Fortinet
Agenda
• LTE / 4G Security
• Mobile Backhauling
• GTP FW
• SGi FW
• CGN FW
• SCTP FW
• Diameter FW
• VoLTE / IMS Security
• Roaming / Peering
• Femtocell Security
• Mobile Threats
• Cloud Based Mobile Malware Detection
• Charging / Billing
• Network Management
4G Security Overview
Figure: 4G EPC security overview, showing the RAN, WiFi and femto cells, mobile backhaul, SGi/Internet, roaming (IPX, OLO), VoLTE/IMS access (e.g. fixed), WiFi offload (VoIP-SIP RTP, VoIP/TISPAN) and EPCore security.
NDS/IP Security at 3GPP
Figure: NDS/IP architecture per TS 33.210 / TS 33.310, with network elements NE-1a..NE-3a in Security Domain A and NE-1b..NE-3b in Security Domain B, Zb interfaces inside each domain and the Za interface between the domains across the insecure network.
Layered Security
Figure: layered security model: IP infrastructure (Layer 1 to 3), session control and management (Layer 4 to 7), content and application (Layer 6 to 7).
A pure IPSec device does not fit for all attacks.
Protocol Stacks – Control Plane
Figure: control-plane protocol stacks across UE, eNodeB, MME, SGW and PGW (interfaces LTE-Uu, S1-MME, S11, S5).
• UE – eNodeB (LTE-Uu): PHY / MAC / RLC / PDCP / RRC, with NAS on top at the UE
• eNodeB – MME (S1-MME): L1 / L2 / IP/IPSec / SCTP / S1-AP, with NAS terminating at the MME
• MME – SGW (S11) and SGW – PGW (S5): L1 / L2 / IP/IPSec / UDP / GTPc
Protocol Stacks – User Plane
Figure: user-plane protocol stacks across UE, eNodeB, SGW and PGW (interfaces LTE-Uu, S1-U, S5).
• UE – eNodeB (LTE-Uu): PHY / MAC / RLC / PDCP, with the user IP and L4..L7 layers end-to-end from the UE
• eNodeB – SGW (S1-U) and SGW – PGW (S5): L1 / L2 / IP/IPSec / UDP / GTPu
• PGW towards the external network: L1 / L2 / IP, carrying the user IP/UDP traffic
Hacking GTP – seems not too difficult
Hacking HSS – seems impacting a lot
SCTP Scan & Feedback
EPC Threats for LTE
Figure: LTE carrier EPC with risk locations: Risk #1 and #2 on the SGi interface towards external IP/MPLS networks, Risk #3 at the eNodeB access, Risk #4 on HSS (SCTP/Diameter), Risk #5 on the NMS, Risk #6 on the IP helper servers (NTP, DNS, DHCP, other servers), Risk #7 from external LTE roaming partners (eNodeB/MME/S-GW), Risk #8 from internal/external UMTS roaming partners (SGSN/NodeB/GGSN), Risk #9 on the MME, Risk #10 on the S-GW/PDN GW, Risk #11 on the IMS network.
EPC Threats for LTE
• Threat #1: Attacks on the IP level (DoS, DDoS, etc.) on the SGi interface
• Threat #2: Overbilling attacks, as in 3G, on the SGi interface
• Threat #3: Attacks on open and insecure IP interfaces at the access (eNodeB)
• Threat #4: Attacks based on SCTP/Diameter manipulating database entries
• Threat #5: Attacks on the NMS level manipulating settings and configurations
• Threat #6: Attacks on the IP helper service level manipulating IP settings and base protocols
• Threat #7: Attacks based on SCTP/GTP from 4G roaming partners
• Threat #8: Attacks based on GTP from 3G roaming partners
• Threat #9: Attacks based on SCTP for manipulating MME functions
• Threat #10: Attacks based on GTP for manipulating S-GW functions
• Threat #11: Attacks on the IMS level manipulating the VoLTE / IMS / VoIP network
• Threat #12: Attacks on higher layers introducing all kinds of malware
Predictable Performance for all packet size
§ Fortinet’s Fortigate 800C was the only device to demonstrate anything close to line rate capacity with packet sizes from 1514 bytes all the way down to 64 bytes. In addition, it was the only device to consistently demonstrate latency of less than 10 microseconds
§ The competitors cannot compete with our predictable performance
Figure: bar chart of latency in µs for 64-byte packets across the tested devices.
The Fortinet LTE Firewall covers all threats
• GTP FW
• SCTP FW
• Diameter FW
• SIP FW
• SecGW
• IPS
• Malware Detection
• IPv6
• Lowest Delay
• Highest Performance
• Carrier Grade
• Virtualization
Malware on Mobile Phones
How does malware get on mobile phones? The vector:
• Bluetooth
• Applications
• USB
• SW Updates
• WLAN
• Email
• Internet
• LTE USB Sticks
• Femtocells
• MMS
• Memory cards
Mobile Malware Detection
• As of April 2014, number of mobile signatures, with the April 2013, 2012 and 2011 counts in parentheses and the year-over-year growth (2014 vs 2013, 2013 vs 2012, 2012 vs 2011):
• All mobile signatures: 185957 (17987 – 8483 – 1315), +933% – 112% – 545%
• Signatures for Java: 1823 (429 – 268 – 127), est. +324% – 60% – 23%
• Signatures for iPhone: 22 (18 – 17 – 17), +22% – 6% – 0
• Signatures for Android: 182435 (15352 – 3984 – 47), +1088% – 285% – 8376%
• Signatures for BlackBerry: 16 (10 – 5 – 4), +60% – 100% – 25%
Cloud Based Mobile Malware Detection
• Battery Drain
• Security Up-2-Date
• Better Tracking and Statistics
• Faster Response Time
• While Roaming or Traveling
• Can be offered as Service (Paid by User/Usage)
• Incl. Reporting and Logging
Fortinet Solution Strategy
Access
§ VPN
§ Authentication
§ FW and Protocol Inspection
Core Infrastructure & Backbone
§ Core Services Protection and protocol Inspection: GTP/SCTP/SIP/Diameter
§ CP and UP, IP Blacklisting
§ CGN
DataCenter & Services Platforms
§ Edge/Core/Application Filtering
§ Intrusion Protection and APT
§ Services Availability: DDOS, ADC, WAF, Mail
Figure: solution strategy diagram covering the Access Network, Core Network & Backbone and Datacenter & Services, with a Global Management Platform (SDN/NSX Virtualization Orchestration; Logging, Analytics & Reporting; Multi Platform Policy Object Manager; Operations APIs).
Securing CSP Networks
Figure: end-to-end CSP network diagram: Mobile Network (LTE/xCell Secure GW in front of eNodeBs with accelerated IPSec and SCTP; Internet PoP with Carrier Grade NAT, IPv6 <-> IPv4, IP blacklisting and botnet identification on Gi/SGi; Roaming Partners over VPMN/HPMN with GTP v1/v2, Diameter and SIP), Fixed Line Network and Other SP IMS; Datacenter (IP Backbone, DC Core with DDoS, ADC, WAF, Virtualization and Mail; Services Platform Network with WiFi, DHCP, DNS, Voice, Gaming, Video, Messaging, Mail; Multimedia Services with SIP ALG, X-CSCF, IMS VoLTE; DC Edge with Edge Firewall and DDoS); B2B Network (B2B / MSSP, Cloud Cleanpipe, Partners, HQ, Campus, Branch, WiFi, CPE); IS Infrastructure (Shops, HQ, Website); Backbone for Mobile, Fix and Others.
Protocol Stack for VoLTE
Figure: VoLTE protocol stack across eNodeB, SecGW, SGW, PDN GW and P-CSCF: IPSec between eNodeB and SecGW, GTP over IP/UDP between SecGW, SGW and PDN GW, and SIP protected by IPSec between the UE side and the P-CSCF.
Questions