Recent security scares have put the spotlight on whether small cells are robust enough to be used in commercial enterprise office environments. Data privacy, network integrity and wiretapping are all major concerns in this context for both Enterprise CIOs and Operator CTOs.
We spoke with Art King, Director of Enterprise Services & Technologies at Spidercloud, who shared insights into the kind of system engineering used to mitigate and minimize these security risks.
The three main Enterprise Small Cell deployment architectures
First, let's define the three major Enterprise small cell deployment scenarios:
- Completely Standalone: In some businesses, the Enterprise security teams take a very strong position and insist that the small cell backhaul can never share their existing LAN switches. Completely separate wiring has to be installed, typically with the mobile operator providing their own electricians pulling through new CAT5 Ethernet and installing separate standalone Ethernet switches.
- Shared VLAN: Today's Enterprise class commercial Ethernet switches support multiple VLANs (Virtual Local Area Networks) which are logically partitioned while sharing the same Ethernet cables. The Enterprise customer owns and configures their Ethernet switches, assigning a dedicated private VLAN for the small cell system. Network operators have developed their own application FAQs to guide customers on the desired configuration of the VLAN. The Small Cell VLAN is completely empty of IP "plumbing" services, so the network operator needs to provide basic IP LAN capabilities such as DNS and DHCP, and define their own local IP addressing scheme.
- Inband on Enterprise LAN: This is a very open model, where each small cell/radio node shares the same IP addressing scheme as other enterprise equipment (printers, servers, desktops etc.), connecting back to the network through IPsec tunnels. Typically the Enterprise will have a DMZ (De-Militarised Zone) protected by firewalls where a Services Node/Cluster controller is located. The firewall opens 2-3 ports for the IPsec traffic to connect through from the radio nodes. A separate set of ports is opened to allow the services node to connect externally through to the network operator's core, again encrypted using IPsec. Enterprise Wi-Fi is frequently configured this way today, using 802.1X authentication and operating as a closed system.
It's a big bad world out there
One of the more humorous comments about the recent PRISM security scandal was that "you were right to be paranoid". Security professionals are paid to have that mindset every day, and both operator and enterprise security teams act as if they operate in a hostile environment where everyone is trying to break in and disrupt normal service. They want management tools which can detect and handle any compromises, and architectures which are designed to minimize security loopholes.
Spidercloud have designed their system with this paranoid security mindset, and this has been further tightened up after strict 3rd party security audits in Vodafone labs.
"They [Vodafone] really raised the bar from a security perspective to achieve production grade certification for their networks. It was an extremely long journey to exit the Vodafone labs into a production environment - but we valued working with a major operator who really believes in it, and then insisted on taking these new products into production responsibly. The last thing anyone wants to be is on the front page of the Wall Street Journal in a bad way!"
Simple is the new smart approach
SpiderCloud's radio nodes are simple, based on a small cell SoC (System on a Chip), and don't retain an operating system when they are removed from service. This prevents a missing radio node from being hacked into and compromised. The security certificate (a big long prime number) isn't stored in easily accessible RAM or other readable memory. Instead a TPM (Trusted Platform Module) vault is used, as found in corporate laptops and servers: a special cryptoprocessor chip holds the certificate and will respond only to verification requests.
The software load is signed code which is validated before booting up, and only a very few IP services are enabled. All communications with the external controller are encrypted using IPsec, using the certificates issued to the system. This strategy limits the IPsec tunnels to other devices with the correct certificates provisioned in them.
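The two checks just described, as an added illustration that is not SpiderCloud's code: a vault object whose private key has no accessor and only answers challenges, and a boot-time gate that accepts a software load only if its digest carries a valid release signature. Ed25519 is a stand-in signature scheme chosen for this example (the page does not say which algorithm the product uses), and the key names and image bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Vault stands in for the TPM-style cryptoprocessor on a radio node: the
// private key is unexported with no accessor, so the only operation a caller
// has is to ask the vault to answer a verification challenge.
type Vault struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // public half, provisioned to the controller
}

func NewVault() (*Vault, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vault{priv: priv, Pub: pub}, nil
}

// Respond signs a controller-issued nonce; the key itself never leaves the vault.
func (v *Vault) Respond(nonce []byte) []byte { return ed25519.Sign(v.priv, nonce) }

// ControllerChecksNode is the controller side: fresh nonce, then verify the
// answer with the key provisioned for that node; a unit holding a different key fails.
func ControllerChecksNode(provisioned ed25519.PublicKey, v *Vault) (bool, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	return ed25519.Verify(provisioned, nonce, v.Respond(nonce)), nil
}

// SignImage models the operator's release-signing step (hypothetical key).
func SignImage(releaseKey ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(releaseKey, digest[:])
}

// VerifyImage is the boot-time gate: the software load is accepted only if its
// digest carries a valid signature from the operator's release public key.
func VerifyImage(releaseKey ed25519.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(releaseKey, digest[:], sig) {
		return errors.New("image signature invalid: refusing to boot")
	}
	return nil
}
```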
The architecture includes a Services Node which is located onsite, co-ordinating the radio nodes within a building and also providing a range of Enterprise services. Again, this box uses a TPM vault with signed code and connects over IPsec through a few tightly specified ports. It's remotely configured by the network operator, deliberately a separate task so that the installers never hold the "Keys to the Kingdom" and can't bypass security access.
Spidercloud also did a lot of work to ensure that a rogue employee couldn't "launder" the connections into the Services Node. Many common IP services are disabled, and you can't Telnet or SSH into it – it's not designed for real-time online configuration. Instead, parameters are uploaded/downloaded from the central management system, with only minimal command line functions for simple configuration and factory reset operations.
Local Service Delivery
Art believes that no enterprise is going to take a service natively from a mobile operator directly on to their LAN. It must be delivered either from within the DMZ or from another arbitrated control point. This means the Small Cell can't deliver service itself.
"We've put a lot of thought into what types of services would be appropriate for enterprise and how they would run. We hope that people are thinking this through and taking a conservative approach that also works from both financial and business perspective."
Read more on all aspects of Enterprise Small Cells at SpiderCloud's Enterprise Insider