Enterprise Small Cell Security – Opportunity or Threat?

Security threats such as cryptolocker, denial of service attacks and interception are increasing concerns to end users, IT managers and network operators alike. We take a look at security threats specific to Enterprise small cells and how vendors are designing their systems with inherent, built-in protection.

What threats are we trying to protect against?

Fundamentally, there are two major goals:

  1. Mobile operators need to meet their regulatory mandate of “privacy and security” for their subscribers’ information as it transits through the mobile network.
  2. Enterprises need to be confident that any installed small cell platform is unlikely to pose a threat to their own internal networks. They will expect to see a high level of due diligence that mitigates security threats.

First, let’s consider the scope and look at the areas that small cells in the enterprise can (and can’t) deal with:

  1. Intercepting user traffic is where the user data (or voice call) is seen and recorded by others. End-to-end encryption from the smartphone to the core network or destination website protects against this.
  2. Redirecting user traffic. You may think you’ve got a direct connection to a real bank website or call centre, but what if that’s fake and you are passing your confidential log-on details to a criminal?
  3. Modifying or discarding communications results mostly in a perceived poor quality service, and can be insidious if you don’t know it’s happening.
  4. Service interruption can shut down entire businesses if workers inside a building are disconnected for any significant period of time. Again, this is worse if you don’t realise it’s happening.

| Target of attack | Intercepting user traffic | Redirecting user traffic | Modifying or discarding communications | Interrupting service, preventing network access |
|---|---|---|---|---|
| End User | Unknown surveillance (wire tapping) to record end user voice and data sessions | Hijacking, sending users to spoof sites and/or phone numbers (e.g. spoof banking call centre) | Poor service quality when in-building | Unable to conduct business; worse if they don’t realise incoming calls aren’t working |
| Enterprise | Monitoring traffic on IT network; could include non-cellular data | | Poor and unreliable service quality when in-building | Shut down operations in entire office building |
| Network Operator | | Impacts reputation for service | Impacts reputation for service continuity | Hacking which affects other parts of the network |

Different technology topologies

Small cell architectures range from locating all of the intelligence at the access point through to a completely centralised model. For comparison, we’ve included Wi-Fi and DAS in the table below.

| | Wi-Fi | Standalone Small Cell | Enterprise RAN | Digital DAS, Distributed Radio Systems | Passive DAS |
|---|---|---|---|---|---|
| Data path | Unencrypted IP with user data | Encrypted IP to Small Cell Gateway | Encrypted IP to local controller, plus separate IPsec to Small Cell Gateway | Proprietary but unencrypted data streams to remote nodes | RF using coax to remote radio antenna |
| Threats and protection | Wi-Fi access point may use IPsec to encrypt traffic to a central gateway, otherwise relies on end-user encryption | Potential threats by spoofing a radio access node (protected by certificates) or intercepting the IP backhaul (encrypted with IPsec) | Potential threats by spoofing a radio access node (protected by certificates), intercepting IP between central controller and small cells (encrypted with IPsec) | Same data as broadcast over the air but in a different format and more difficult to decode. Baseband centrally located in a secure machine room would be a single point of vulnerability | Same data as broadcast over the air but more difficult to intercept. Base stations located centrally in a secure machine room would be a single point of vulnerability |

Case Study: How Spidercloud secure their Enterprise RAN small cells

Art King of Spidercloud shared some thoughts on how they’ve designed in security from the ground up.

First, a set of hardware defences, adopting techniques found elsewhere for protecting sensitive electronic devices:

  • Hardware internal fuses are blown and diagnostic interfaces disabled to prevent modification or readback.
  • Security certificates are stored in a TPM (Trusted Platform Module) vault, a specially designed hardware chip found in hundreds of millions of laptops, PCs and servers. This prevents attackers compromising IPsec.
  • Tamper-resistant screws requiring a special screwdriver can be fitted to remote units. Although these are not effective against the most determined criminals, they stop casual interference.
  • Fronthaul between the Radio Nodes and the Services Node can be separated physically, using dedicated cabling, or logically, using a VLAN. This avoids any interaction or leakage between the small cell and Enterprise data networks.

Secondly, the software operating system builds on these to add a further protection layer.

  • Code images are signed and must first pass validation before running, preventing malicious code being uploaded to hijack a unit.
  • All static data within the central Services Node is encrypted, preventing attackers decoding data from the hard drive.
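To illustrate the signed-image check described above, here is an added example (not Spidercloud’s code) of the boot-time gate in Go: the vendor signs a SHA-256 digest of the image with an Ed25519 key, and the unit refuses to run any payload whose signature does not verify against the pinned public key. The image format, key handling and function names are assumptions for illustration; in the design described on the page the verification key would live in hardware-protected storage such as the TPM vault.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is a hypothetical firmware package: the payload plus the vendor's
// detached Ed25519 signature over the payload's SHA-256 digest.
type Image struct {
	Payload   []byte
	Signature []byte
}

// signImage is the build-system side; the private key never leaves the vendor.
func signImage(priv ed25519.PrivateKey, payload []byte) Image {
	digest := sha256.Sum256(payload)
	return Image{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// verifyImage is the boot-time gate: only a payload whose signature validates
// against the pinned public key is allowed to run. Any tampering with the
// payload (or a truncated/garbage signature) is rejected before execution.
func verifyImage(pub ed25519.PublicKey, img Image) error {
	if len(img.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature: image rejected")
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(pub, digest[:], img.Signature) {
		return errors.New("signature check failed: image rejected")
	}
	return nil
}

func main() {
	// Constructed demo key pair and payload; a real unit would pin a vendor key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := signImage(priv, []byte("constructed radio-node firmware v1"))
	fmt.Println("genuine image:", verifyImage(pub, img))
	tampered := img
	tampered.Payload = []byte("constructed radio-node firmware v1 + implant")
	fmt.Println("tampered image:", verifyImage(pub, tampered))
}
```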

The 3GPP standards incorporate many features to protect the data path and increase resilience and service continuity:

  • IPsec is used throughout, even where running over private Enterprise IP networks, preserving the privacy of the end user’s payload.
  • Multiple Small Cell and Security Gateways can be installed in the core network for fault tolerance and redundancy, using the 3G Iu-Flex and LTE S1-Flex interfaces. This protects against cable cuts and power outages affecting the data centres.
  • QoS policy controls and DSCP packet marking ensure prioritisation of critical signalling traffic in case of backhaul congestion.
  • Interoperability testing with other vendors validates that standard interfaces are securely implemented.

A final step for every installation is a thorough security audit by a specialist third-party security expert to confirm that best practice has been delivered. Thereafter, regular security and system checks ensure the security defences remain at a high threshold.

Summary

Security is an important aspect for every Enterprise IT system, including any in-building wireless solution.

Each of the different in-building architectures has its own set of potential weaknesses and risks to address.

Our case study demonstrates how one vendor has designed in security from the outset, ensuring a high level of protection.


Our thanks to Art King, Spidercloud, for assistance in preparing this article
