4G Security - Fortinet


Presented by Rainer Baeder, Manager Solution Consultant - Fortinet, at LTE World Summit 2014

Transcript of 4G Security - Fortinet

Page 1: 4G Security - Fortinet

4G Security

Rainer Baeder Manager Solution Consultant - Fortinet

Page 2: 4G Security - Fortinet

Agenda

• LTE / 4G Security
• Mobile Backhauling
• GTP FW
• SGi FW
• CGN FW
• SCTP FW
• Diameter FW
• VoLTE / IMS Security
• Roaming / Peering
• Femtocell Security
• Mobile Threats
• Cloud Based Mobile Malware Detection
• Charging / Billing
• Network Management

Page 3: 4G Security - Fortinet

4G Security Overview

[Diagram labels. Networks and nodes: INET, OLO, IPX, 4G EPC, RAN, IMS Access (e.g. fixed), WiFi, Femto Cells. Security areas: Mobile Backhaul, SGi Internet, Roaming, VoLTE/IMS, WiFi Offload, VoIP-SIP RTP, EPCore Security, VoIP/TISPAN.]

Page 4: 4G Security - Fortinet

NDS/IP Security at 3GPP

[Diagram labels: Security Domain A, Security Domain B, network elements NE-1a, NE-2a, NE-3a, NE-1b, NE-2b, NE-3b, Insecure Network, interfaces Zb (six) and Za. Reference: TS33.210 / TS33.310.]

Page 5: 4G Security - Fortinet

Layered Security

[Diagram labels. Layers: IP Infrastructure; Session Call Management; Content and Application. Ranges: Layer 1 to 3; Layer 4 to 7; Layer 6 to 7.]

A pure IPSec device does not fit for all attacks

Page 6: 4G Security - Fortinet

Protocol Stacks – Control Plane

Nodes: UE, eNodeB, MME, SGW, PGW. Stacks per interface, top to bottom:

• LTE-Uu (UE to eNodeB): NAS (UE only) / RRC / PDCP / RLC / MAC / PHY
• S1-MME (eNodeB to MME): NAS (MME only) / S1-AP / SCTP / IP/IPSec / L2 / L1
• S11 (MME to SGW): GTPc / UDP / IP/IPSec / L2 / L1
• S5 (SGW to PGW): GTPc / UDP / IP/IPSec / L2 / L1

Page 7: 4G Security - Fortinet

Protocol Stacks – User Plane

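Nodes: UE, eNodeB, SGW, PGW. Stacks per interface, top to bottom:

• LTE-Uu (UE to eNodeB): L4..L7 / IP (UE only) / PDCP / RLC / MAC / PHY
• S1-U (eNodeB to SGW): GTPu / UDP / IP/IPSec / L2 / L1
• S5 (SGW to PGW): GTPu / UDP / IP/IPSec / L2 / L1
• A plain IP / L2 / L1 stack, without GTPu, is shown in addition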

Page 8: 4G Security - Fortinet

Hacking GTP – seems not too difficult

Page 9: 4G Security - Fortinet

Hacking HSS – seems impacting a lot

Page 10: 4G Security - Fortinet

SCTP Scan & Feedback

Page 11: 4G Security - Fortinet

EPC Threats for LTE

[Diagram labels: LTE Carrier; eNodeB (LTE and external LTE); MME; S-GW; PDN GW; HSS; IMS network; NMS; IP services (NTP, DNS, DHCP, other Server); SGSN, GGSN and NodeB (internal/external UMTS); Roaming Partner (two); external IP/MPLS networks. Annotations: Risk #1 and #2, Risk #3, Risk #4, Risk #5, Risk #6, Risk #7 (twice), Risk #8, Risk #9, Risk #10, Risk #11.]

Page 12: 4G Security - Fortinet

EPC Threats for LTE

• Threat #1: Attacks on an IP level (DoS, DDoS, etc.) on the SGi interface
• Threat #2: Overbilling attacks, like in 3G, on the SGi interface
• Threat #3: Attacks on open and insecure IP interfaces at the access (eNodeB)
• Threat #4: Attacks based on SCTP/Diameter manipulating database entries
• Threat #5: Attacks on the NMS level manipulating settings and configurations
• Threat #6: Attacks on the IP helping service level manipulating IP settings and base protocols
• Threat #7: Attacks based on SCTP/GTP from 4G roaming partners
• Threat #8: Attacks based on GTP from 3G roaming partners
• Threat #9: Attacks based on SCTP for manipulating MME functions
• Threat #10: Attacks based on GTP for manipulating S-GW functions
• Threat #11: Attacks on the IMS level manipulating the VoLTE - IMS - VoIP network
• Threat #12: Attacks on higher layers introducing all kinds of malware

Page 13: 4G Security - Fortinet

ORANGE

Page 14: 4G Security - Fortinet

Predictable Performance for all packet sizes

• Fortinet’s FortiGate 800C was the only device to demonstrate anything close to line rate capacity with packet sizes from 1514 bytes all the way down to 64 bytes. In addition, it was the only device to consistently demonstrate latency of less than 10 microseconds.

• The competitors cannot compete with our predictable performance

Page 15: 4G Security - Fortinet

Latency µs (64 byte packets)

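[Bar chart: latency in µs for 64 byte packets. Values shown: 5, 12, 15, 25, 36, 50, 60, 75, 125, 136, 278, 1.185. Device labels are not recoverable.]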

Page 16: 4G Security - Fortinet

The Fortinet LTE Firewall .. covers all threats

• GTP FW
• SCTP FW
• Diameter FW
• SIP FW
• SecGW
• IPS
• Malware Detection
• IPv6
• Lowest Delay
• Highest Performance
• Carrier Grade Virtualization

Page 17: 4G Security - Fortinet

Malware on Mobile Phones

How does Malware get on Mobile Phones? *the Vector*

• Bluetooth
• Applications
• USB
• SW Updates
• WLAN
• email
• Internet
• LTE USB Sticks
• Femtocells
• MMS
• Memory cards

Page 18: 4G Security - Fortinet

Mobile Malware Detection

As of April 2014, we have (April 2013 – 2012 – 2011):

• Number of mobile signatures: 185957 (17987 – 8483 – 1315) +933% – 112% – 545%
• Signatures for Java: 1823 (429 – 268 – 127) est. +324% – 60% – 23%
• Signatures for iPhone: 22 (18 – 17 – 17) +22% – 6% – 0
• Signatures for Android: 182435 (15352 – 3984 – 47) +1088% – 285% – 8376%
• Signatures for BlackBerry: 16 (10 – 5 – 4) +60% – 100% – 25%

Page 19: 4G Security - Fortinet

Cloud Based - Mobile Malware Detection

• Battery Drain
• Security Up-2-Date
• Better Tracking and Statistics
• Faster Response Time
• While Roaming or Traveling
• Can be offered as Service (Paid by User/Usage)
• Incl Reporting and Logging

Page 20: 4G Security - Fortinet

Fortinet Solution Strategy

Access

• VPN
• Authentication
• FW and Protocol Inspection

Core Infrastructure & Backbone

• Core Services Protection and Protocol Inspection: GTP/SCTP/SIP/Diameter
• CP and UP, IP Blacklisting
• CGN

DataCenter & Services Platforms

• Edge/Core/Application Filtering
• Intrusion Protection and APT
• Services Availability: DDOS, ADC, WAF, Mail

[Diagram labels: Access Network; Core Network & Backbone; Datacenter & Services; Global Management Platform; SDN/NSX Virtualization Orchestration; Logging, Analytics & Reporting; Multi Platform Policy Object Manager Operations APIs.]

Page 21: 4G Security - Fortinet

Securing CSP Networks

Diagram labels, grouped as they appear on the slide:

• Networks: Mobile Network, Fixed Line Network, Other SP, IMS, IP Backbone, B2B Network
• LTE/xCell Secure GW, eNodeBs: Accelerated IPSec, SCTP
• Internet PoP: Carrier Grade NAT, IPv6 <-> IPv4, IP Blacklisting, Botnet identification, Gi/SGi
• Roaming Partners: VPMN, HPMN, GTP V1/V2, DIAMETER, SIP
• Datacenter, DC Core: DDOS, ADC, WAF, Virtualization, Mail
• Services Platform Network (WiFi, DHCP, DNS…): Voice, Gaming, Video, Messaging, Mail
• Multimedia Services: SIP ALG, X-CSCF, IMS, VoLTE
• DC Edge: Edge Firewall, DDOS
• Backbone: Mobile, Fix, Others
• B2B / MSSP: Cloud Cleanpipe, CPE; Partners, HQ, Campus, Branch…; WiFi
• IS Infrastructure: Shops, HQ, Website

Page 22: 4G Security - Fortinet

Protocol Stack for VoLTE

[Diagram labels. Nodes: eNodeB, SecGW, SGW, PDN GW, p-CSCF. Protocols: IPSec (four segments), GTP, SIP, UDP, IP.]

Page 23: 4G Security - Fortinet


Questions