RECOMMENDED PRACTICES

Securing the Gi/SGi Interface in Mobile Networks

Advanced mobile networks are increasingly vulnerable to attacks via the SGi interface, but operators can combat them with a comprehensive set of F5 security tools.

Ryan Davis, Senior Product Management Engineer


Contents

Introduction
The Attack Landscape and How to Respond
UE reconnaissance (sweeps)
UE compromise (bot net attacks)
UE DDoS (billing attacks)
Network element reconnaissance (scans)
NE compromise (malware)
NE DDoS (control storms)
Conclusion


Introduction

The Gi/SGi interface is rapidly becoming one of the most critical points in the mobile network for operators to secure. Voice, message, and gateway services were previously considered the more important points to secure, but these elements were more conveniently located on an interior portion of the network or on a circuit-switched network. With mobile data growing and over-the-top (OTT) services expanding, the security of the customer Internet edge is now increasingly important—especially considering how network resources are exposed to greater vulnerabilities by facing the general Internet. An effective Internet edge security posture is required, and that posture needs to be continually monitored and adjusted as security threats evolve to target consumer devices and service provider network elements.

Legacy ISP-type service providers have traditionally offered minimal subscriber security. Mobile networks, on the other hand, have traditionally applied a firm security posture but have lagged in evolving their security systems with their transport systems. This is true for a few reasons. First, in an effort to maintain efficient, low cost, and high performing service delivery, decision-makers have often dismissed the addition of security mechanisms as too costly. Second, past mobile devices were not as advanced as the smart devices in today’s marketplace, and thus they posed a minimal threat as an attack tool. Third, although offering security as a value-added service for consumer devices appeals to service providers seeking to increase revenue, not many have had success in selling these services. Security professionals attribute this to a disconnect between a typical customer’s understanding of the risks posed by existing threats and the ability of service providers and the industry to inform customers about those threats.

Service providers are finding that customer device security is actually becoming more and more of a concern. Security attacks on customer devices and compromises on data traffic may sometimes be considered small nuisances, but in the hyper-scale terms of mobile networks, these nuisances can become severe and costly problems. Even greater concerns for service providers are maintaining security throughout their networks and ensuring service reliability through security. Large distributed denial-of-service (DDoS) attacks that originate from the exterior and the interior of a mobile network have been responsible for taking down the services of almost all providers. However, many in the mobile community may be unaware of these attacks due to a reluctance to disclose them.

As these security issues become serious threats and the network infrastructure attack surface expands with a convergence of data transfer into packet-switched networks, Gi/SGi security is now an absolute requirement for business continuity in all service provider networks. The F5 suite of security software solutions, which is delivered on top of the high performance and highly programmable F5® BIG-IP® platforms, includes BIG-IP® Advanced Firewall Manager™ (AFM), BIG-IP® Carrier-Grade NAT (CGNAT), BIG-IP® Policy Enforcement Manager™ (PEM), and BIG-IP® DNS. These security modules, combined with the extensive set of BIG-IP system capabilities within the platforms, create a flexible and feature-rich, carrier-class network firewall. This firewall mitigates threats and protects the Gi/SGi interface in advanced and rapidly evolving mobile networks.

The Attack Landscape and How to Respond

The dominant attacks on the Gi/SGi interface today fall into two groups: those that target user equipment (UE or devices) and those that target the mobile network infrastructure itself across the Internet edge. This does not mean that an attack on one will not affect the other. In fact, often the attack on one is discovered via the collateral damage to the other. Fortunately, the appropriate security solutions and configurations can be combined to protect the mobile network and its customers.

Attacks on or via user equipment

Traditionally, some legacy Internet service providers (ISPs) have mistakenly left the responsibility of protecting UE to device manufacturers and users. In modern networks, and especially in mobile networks, this has become a severe problem. Many service providers now find themselves helpless and suffering serious business damage when their customers fail to protect themselves.

UE reconnaissance (sweeps)

Any advanced attack begins with reconnaissance. In cyber-security, this is known as footprinting a network—understanding how it is constructed, much like creating a map of it. Reconnaissance gives an attacker much more insight into the least costly, fastest, and quietest way to compromise the network.

User equipment (UE) reconnaissance has traditionally been considered a nuisance, but its threat has become more serious over the years. Attackers traditionally perform reconnaissance on a network to find targets and subsequently narrow down the search to a particular target vulnerability. While many of these attempts are thwarted by stateful devices without granular security controls, the same attack may achieve a secondary compromise, exhausting session tables for other stateful devices within the network.


The level of concern has especially risen in the context of machine-to-machine and Internet of Things security discussions. In this new paradigm, the threats are even more pronounced in that lightweight IP devices are now available on the network, in large quantities, with low ability to respond to security incidents themselves. These devices may make reconnaissance easier for an attacker as well as potentially increase the danger of a self-inflicted denial-of-service (DoS). Many service providers have realized that blocking these low-level reconnaissance scans increases available capacity in the network due to resources saved from spurious traffic.

Figure 1: UE reconnaissance can be used to target UE or attack network equipment. (Diagram labels: Attacker, Devices, eNodeB, MME, SGW, PGW, EPC, S/Gi Network, Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization.)

Solution

One potential solution for this type of attack is to deploy a carrier-class network firewall with specific features such as the Device DoS Protection feature in BIG-IP AFM. This feature limits the number of connections to and from a single source and destination, or to and from multiple sources or destinations. It also imposes overall session table limits for itself and, subsequently, other stateful devices within the mobile network.

Another alternative is to apply geolocation whitelists and blacklists to shrink the Gi/SGi interface attack surface. With the geolocation feature in BIG-IP AFM, large sections of the Internet that map to geographic regions or countries can be blocked from initiating any traffic whatsoever into the network.
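The two controls just described, connection limits with an overall session-table cap and a geolocation deny list, can be modelled in a few dozen lines. The following Python is an added example written for this page, not F5 code or BIG-IP AFM configuration; the prefix-to-region table, the address ranges and the thresholds are constructed stand-ins for a GeoIP database and an operator's policy. It shows why the per-source cap matters: a sweep from one Internet address is refused after a handful of sessions, long before the firewall's own table, or the tables of stateful devices behind it, fill up.

```python
"""Connection-admission model for a Gi/SGi edge firewall (added example, not F5 code).

Models per-source and per-destination connection caps, an overall session-table
cap, and a geolocation-style deny list. Geolocation is approximated with a
constructed prefix-to-region table; a deployment would use a GeoIP database.
"""
import ipaddress
from collections import Counter

# Constructed stand-in for a GeoIP lookup; region codes are hypothetical.
REGION_OF_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "ZZ",   # region the operator chose to block
    ipaddress.ip_network("198.51.100.0/24"): "AA",
    ipaddress.ip_network("192.0.2.0/24"): "BB",
}


def region_of(ip: str) -> str:
    """Longest-match is unnecessary here because the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, region in REGION_OF_PREFIX.items():
        if addr in net:
            return region
    return "UNKNOWN"


class EdgeAdmission:
    """Decides whether a new flow from the Internet side may be admitted and tracks live sessions."""

    def __init__(self, blocked_regions, per_source, per_destination, table_max):
        self.blocked_regions = set(blocked_regions)
        self.per_source = per_source            # max concurrent sessions from one source address
        self.per_destination = per_destination  # max concurrent sessions toward one UE address
        self.table_max = table_max              # cap on this firewall's own session table
        self.by_src = Counter()
        self.by_dst = Counter()
        self.sessions = set()

    def admit(self, src, dst, sport, dport, proto="tcp"):
        """Return (allowed, reason). Cheapest checks run first so rejected traffic costs little."""
        if region_of(src) in self.blocked_regions:
            return False, "geo-deny"
        key = (proto, src, sport, dst, dport)
        if key in self.sessions:
            return True, "existing"
        if len(self.sessions) >= self.table_max:
            return False, "session-table-full"
        if self.by_src[src] >= self.per_source:
            return False, "per-source-limit"
        if self.by_dst[dst] >= self.per_destination:
            return False, "per-destination-limit"
        self.sessions.add(key)
        self.by_src[src] += 1
        self.by_dst[dst] += 1
        return True, "new"

    def close(self, src, dst, sport, dport, proto="tcp"):
        """Release a session so its per-source and per-destination slots can be reused."""
        key = (proto, src, sport, dst, dport)
        if key in self.sessions:
            self.sessions.remove(key)
            self.by_src[src] -= 1
            self.by_dst[dst] -= 1


def simulate_sweep():
    """Constructed scenario: one Internet source tries 40 UE addresses in turn, then a
    source in a blocked region tries once. Returns (verdict counts, live sessions)."""
    fw = EdgeAdmission(blocked_regions={"ZZ"}, per_source=5, per_destination=50, table_max=1000)
    outcomes = Counter()
    for i in range(1, 41):
        _, reason = fw.admit("198.51.100.7", f"10.0.0.{i}", 40000 + i, 80)
        outcomes[reason] += 1
    _, reason = fw.admit("203.0.113.9", "10.0.0.1", 5000, 80)
    outcomes[reason] += 1
    return dict(outcomes), len(fw.sessions)


if __name__ == "__main__":
    print(simulate_sweep())
```

The geo check runs before any state is touched, which is the point of the geolocation deny list: traffic from a blocked region never consumes a session slot. The per-destination cap protects a single UE from having its NAT or firewall state exhausted, and the global cap protects the firewall itself.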


Figure 2: UE reconnaissance can be prevented by BIG-IP AFM. (Diagram labels: Attacker, Devices, eNodeB, MME, SGW, PGW, EPC, S/Gi Network, Carrier-Class Network Firewall, Third-Party Server, F5 VIPRION Platform.)

UE compromise (bot net attacks)

The most common type of attack on UE from the SGi interface is malware propagation. In this attack, various vulnerabilities that are inherent in UE software are used to install malicious software onto a device. The attacker’s goal may be to eavesdrop on the device to extract financial or other sensitive information, or to co-opt the device to initiate attacks on other targets.

Some less progressive mobile providers have previously relied on their Internet edge NAT44 device to prevent some of these attacks. However, all providers are now moving toward implementing converged NAT and firewall devices, since NAT44 offers no protection for IPv6 hosts and very little protection for IPv4 hosts against modern attacks. In fact, most attacks assume the existence of a network address translation (NAT) device in their path.

Figure 3: UE compromises, like many attacks, can be used to enlist devices in a bot net. (Diagram labels: Attacker, Botnet, Devices, eNodeB, MME, SGW, PGW, EPC, S/Gi Network, Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization.)


Solution

F5’s solutions deployed as a carrier-class network firewall will perform stateful L3 and L4 security inspections and provide much more advanced security against UE compromise than solutions that rely on stateless L3 and L4 access control lists (ACLs), which leave devices vulnerable to basic attacks. Features within BIG-IP AFM, along with F5 IP Intelligence Services, deliver these inspections to serve as a stateful carrier-class firewall.

Although UE may still become compromised through user actions that cannot be prevented, additional capabilities of the combination of BIG-IP AFM and IP Intelligence Services can prevent or limit harm to the network and further harm to the device. Using these advanced security features, operators can identify a blacklist of IP addresses associated with attack command-and-control (C&C) networks to prevent that malicious traffic from communicating with a device via those C&C networks.
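The difference between a stateless ACL and stateful inspection, and the C&C deny list layered on top, is easier to see on a concrete packet trace. The Python below is an added example for this page, not BIG-IP AFM or IP Intelligence Services code; the UE address pool, the listed C&C address and the packets are all constructed (the addresses are documentation ranges, not real indicators). It compares the two verdicts packet by packet on the same trace.

```python
"""Stateful L3/L4 inspection versus a stateless ACL, plus a C&C deny list.

Added example in plain Python; not BIG-IP AFM or IP Intelligence Services code.
A stateless ACL judges each inbound packet on its own header, so anything that
looks like a reply is let through. A stateful inspector admits an inbound
packet only when it matches a flow the UE opened itself, and it refuses and
records outbound flows toward known command-and-control addresses. The C&C
list, UE prefix and packets are constructed for the example (not real IoCs).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP SYN without ACK: a new connection attempt
    ack: bool = False   # ACK set: looks like part of an existing connection


CNC_ADDRS = {"198.51.100.66"}   # constructed stand-in for a threat-intelligence feed
UE_PREFIX = "10.0."             # constructed UE address pool


def is_ue(ip: str) -> bool:
    return ip.startswith(UE_PREFIX)


def stateless_acl(pkt: Packet) -> str:
    """Typical edge ACL: outbound is open; inbound is allowed if it looks established
    or is a DNS reply. It has no memory, so a forged ACK passes."""
    if is_ue(pkt.src):
        return "allow"
    if pkt.proto == "tcp" and pkt.ack:
        return "allow"
    if pkt.proto == "udp" and pkt.sport == 53:
        return "allow"
    return "deny"


class StatefulInspector:
    def __init__(self):
        self.flows = set()   # (proto, ue_ip, ue_port, remote_ip, remote_port)
        self.alerts = []     # (kind, ue_ip, remote_ip) for the SOC

    def inspect(self, pkt: Packet) -> str:
        if is_ue(pkt.src):
            if pkt.dst in CNC_ADDRS:
                # The device is probably compromised: block the beacon, keep the evidence.
                self.alerts.append(("cnc-contact", pkt.src, pkt.dst))
                return "deny"
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound from the Internet side: only reply traffic of a UE-initiated flow.
        flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if flow in self.flows else "deny"


def compare():
    """Constructed trace: a UE HTTPS session and its reply, a forged ACK probe at the
    same UE port, an unsolicited SYN, and an outbound beacon to a listed C&C address.
    Returns ([(acl_verdict, stateful_verdict), ...], alerts)."""
    fw = StatefulInspector()
    trace = [
        Packet("10.0.0.5", 51000, "192.0.2.10", 443, syn=True),
        Packet("192.0.2.10", 443, "10.0.0.5", 51000, ack=True),
        Packet("198.51.100.20", 443, "10.0.0.5", 51000, ack=True),
        Packet("198.51.100.20", 4444, "10.0.0.5", 5555, syn=True),
        Packet("10.0.0.5", 51001, "198.51.100.66", 8080, syn=True),
    ]
    return [(stateless_acl(p), fw.inspect(p)) for p in trace], fw.alerts


if __name__ == "__main__":
    for verdicts in compare():
        print(verdicts)
```

The third packet is the instructive one: the ACL admits it because the ACK bit is set, while the inspector rejects it because no UE opened a flow to that remote address. The last packet shows the C&C list working in the outbound direction, where the alert record is what lets the operator find the compromised device rather than only silently dropping its beacons.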

Figure 4: BIG-IP AFM can protect devices from UE compromise attacks. (Diagram labels: Attacker, Devices, eNodeB, MME, SGW, PGW, EPC, S/Gi Network, Carrier-Class Network Firewall, Third-Party Server, F5 VIPRION Platform.)

UE DDoS (billing attacks)

Volumetric attacks have traditionally been used to execute DoS and DDoS attacks against the UE or provider network. This type of attack includes ICMP, UDP, TCP, or other floods and is usually focused on reducing service to a device or a series of devices. Some service providers have put solutions in place that limit the network infrastructure exposure to DoS attacks, but few have yet focused on also protecting their customers from these attacks. As networks become larger, however, it is becoming more cost-effective to deploy additional protections to ensure the quality of user experience.

While flood protection might cover device availability, DDoS attacks are continuing to evolve and are being repurposed to cause additional harm to service providers’ businesses. Past attacks were relatively crude, but as service providers added general network security functionality plus additional bandwidth capacity, many attackers were unable to truly accomplish their goals. Unsuccessful attacks were simply added to the category of general Internet noise.

Unfortunately, many of these attacks are no longer seen as noise; they are being used to surreptitiously amplify customer bills. In jest, this may be seen as a benefit to the service provider, but in reality, the consequences can be very damaging to customer relationships and revenue. A large series of such attacks or even a single enterprise customer attack can escalate customer service costs, lead to revenue write-offs when the customer cannot pay, and destroy brand equity due to guilt by association.

Figure 5: UE billing attacks can be costly and irreparably damage customer relationships. (Diagram labels: Attacker, Devices, eNodeB, MME, SGW, PGW, EPC, S/Gi Network, Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization.)

Solution

To defend against this attack, a service provider can deploy specific firewall capabilities that limit volume based on traffic protocol, port, or application characteristics. Some solutions can also send alerts when traffic breaches configurable thresholds. Normal traffic speeds and profiles can be allowed while the solution prevents traffic above a preset threshold, which reduces the probability of collateral damage when valid traffic is dropped along with malicious traffic.

The granular Device DoS Protection feature within BIG-IP AFM can be configured to send alerts or limit traffic reaching the set thresholds. When combined with the Dynamic IP Blacklisting feature that is also part of BIG-IP AFM, this capability also further reduces traffic that was blocked but is continually reinitiated by the attacker.
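The behaviour described in the last two paragraphs, an alert threshold below a drop threshold per protocol and port, and a dynamic blacklist for sources that keep reinitiating blocked traffic, is shown below as an added Python example. It is not BIG-IP AFM code or configuration; the window, thresholds, ban duration and the packet trace are constructed for the example.

```python
"""Two-tier volumetric thresholds with dynamic source blacklisting.

Added example in plain Python, not BIG-IP AFM code. Per (protocol, destination
port) the limiter raises an alert when traffic crosses one rate and drops
packets above a higher one, so normal profiles pass while floods are capped.
A source that keeps re-sending after being dropped is placed on a timed
blacklist and costs no further counting work. Thresholds and the packet
trace are constructed for the example.
"""
from collections import defaultdict, deque


class VolumetricLimiter:
    def __init__(self, window_s, alert_rate, drop_rate, repeat_limit, ban_s):
        self.window_s = window_s
        self.alert_rate = alert_rate        # packets per window at which an alert fires
        self.drop_rate = drop_rate          # packets per window above which packets are dropped
        self.repeat_limit = repeat_limit    # drops charged to one source before it is blacklisted
        self.ban_s = ban_s                  # blacklist lifetime in seconds
        self.hits = defaultdict(deque)      # (proto, dport) -> timestamps inside the window
        self.drops_by_src = defaultdict(int)
        self.blacklist = {}                 # src -> expiry time
        self.alerts = []

    def _window(self, key, now):
        """Discard timestamps that have fallen out of the sliding window."""
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return q

    def process(self, now, src, proto, dport):
        """Return 'pass', 'alert', 'drop' or 'blacklisted' for one packet."""
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if now < expiry:
                return "blacklisted"
            del self.blacklist[src]
        q = self._window((proto, dport), now)
        if len(q) >= self.drop_rate:
            self.drops_by_src[src] += 1
            if self.drops_by_src[src] >= self.repeat_limit:
                self.blacklist[src] = now + self.ban_s
                self.alerts.append((now, "blacklist", src))
            return "drop"
        q.append(now)
        if len(q) == self.alert_rate:       # fires once, as the alert line is crossed
            self.alerts.append((now, "alert", (proto, dport)))
            return "alert"
        return "pass"


def simulate_flood():
    """Constructed trace: one source sends 100 UDP/53 packets per second for two seconds;
    afterwards a normal source sends one query. Returns (verdict counts, normal verdict,
    attacker blacklisted?)."""
    lim = VolumetricLimiter(window_s=1.0, alert_rate=20, drop_rate=50, repeat_limit=30, ban_s=60)
    verdicts = defaultdict(int)
    for i in range(200):
        verdicts[lim.process(i / 100.0, "198.51.100.200", "udp", 53)] += 1
    normal = lim.process(2.5, "192.0.2.77", "udp", 53)
    return dict(verdicts), normal, "198.51.100.200" in lim.blacklist


if __name__ == "__main__":
    print(simulate_flood())
```

Because the counter is keyed only by protocol and port, as the text describes, a legitimate source sharing that port during the flood would also see drops; that is the collateral damage the paragraph above mentions. Adding the source address to the key, or keeping a second per-source counter, confines the drops to the offender at the cost of more state, and the blacklist step is what keeps a persistent sender from consuming even that state.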


Figure 6: UE billing attacks can be thwarted by BIG-IP AFM security features. (Diagram labels: Attacker, Devices, eNodeB, MME, SGW, PGW, EPC, S/Gi Network, Carrier-Class Network Firewall, Third-Party Server, F5 VIPRION Platform.)

Infrastructure attacks

Infrastructure attacks are becoming more common in mobile networks. This can be attributed to a convergence of data services into packet switching, as well as the growth in public and private espionage led by organized crime and sovereign governments. The modern mobile network has created a lucrative target for these interests, who attack the network elements while the service provider incurs the cost. The resulting attacks have grown so considerably that they have been given the rather on-the-nose name of advanced persistent threats (APTs). The modern mobile network has created a nexus of all these interests that do battle while the service provider incurs the cost.

Network element reconnaissance (scans)

As with UE reconnaissance, network element (NE) reconnaissance is executed to gain information for initiating an attack on the network. Limiting or preventing access to network information will make it more difficult for attackers to achieve their objectives.

So how does an attacker accomplish reconnaissance? There are several attack options, many of which fall into the categories of sweeps or scans. Attackers sweep large sections of a network to capture information about all the hosts connected to it.

Once an individual host is located, they use scans to footprint it and determine the particular hosts to target for further exploitation. Many of these attacks can be executed in stealth mode, which allows them to be conducted without the knowledge of hosts and networks with inadequate security measures in place.

When the attacker knows what network elements are available for further attack, he will initiate a scan on individual UEs or NEs to deduce the operating system and software versions that are running. This scan gives the attacker the information needed to understand what software is most vulnerable and appropriate to target for further attack. With explicit knowledge of a service provider network topology that includes routers, switches, gateways, and so forth, the attacker can now choose a path to compromise any desired element.

Figure 7: NE reconnaissance gives attackers insight for future assaults. (Diagram labels: Attacker, Switch, Router, Devices, eNodeB, MME, SGW, PGW, EPC, S/Gi Network, Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization.)

Solution

Firewall solutions with the ability to block specific connections and geolocations can increase security against NE reconnaissance. An effective firewall can recognize that one source is attempting to access too many resources within the network at once. (It should be noted, however, that while some interfaces of network equipment might not be routable from the Internet, other interfaces may be.)

The Dynamic IP Blacklisting feature set within BIG-IP AFM and F5 IP Intelligence Services can be combined to prevent attackers from sending spurious traffic into the network. Mobile service providers have found that by simply enabling these features, they have been able to significantly reduce resource consumption on several elements that were previously processing sweeps and scans. This solution ultimately prevents a “death by a thousand cuts” scenario in which very costly mobile capacity is increased merely to account for malicious traffic.
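The recognition rule above, one source accessing too many resources at once, separates cleanly into the two reconnaissance shapes the section describes: a sweep (many hosts) and a scan (many ports on one host). The Python below is an added example for this page, not an F5 feature; it runs that heuristic over a constructed flow log restricted to a constructed NE management range. The log format, the range and every log line are constructed.

```python
"""Sweep and scan detection over constructed flow records.

Added example in plain Python, not an F5 feature. It applies the heuristic
described above (one source reaching too many resources at once) to connection
attempts aimed at network-element addresses: a 'sweep' is one source touching
many distinct NE hosts within a window, a 'scan' is one source touching many
distinct ports on a single NE host. The flow-log format, the NE address range
and the log lines are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Constructed: the routable management range of the network elements.
NE_RANGE = ipaddress.ip_network("203.0.113.0/24")


def parse_line(line):
    """Constructed format: '<epoch> <src> <dst> <dport> <proto> <tcp-flags>'."""
    ts, src, dst, dport, proto, flags = line.split()
    return int(ts), src, dst, int(dport), proto, flags


def detect(lines, window_s=60, sweep_hosts=8, scan_ports=8):
    """Return {src: [(kind, count), ...]} for sources whose distinct NE targets within
    any window_s-second span reach the thresholds."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto, flags in events:
        # Only new-connection attempts toward NE addresses count as reconnaissance.
        if proto == "tcp" and flags == "S" and ipaddress.ip_address(dst) in NE_RANGE:
            by_src[src].append((ts, dst, dport))
    findings = {}
    for src, attempts in by_src.items():
        max_hosts = max_ports = 0
        for i, (t0, _, _) in enumerate(attempts):
            window = [a for a in attempts[i:] if a[0] - t0 < window_s]
            max_hosts = max(max_hosts, len({d for _, d, _ in window}))
            ports_by_host = defaultdict(set)
            for _, d, p in window:
                ports_by_host[d].add(p)
            max_ports = max(max_ports, max(len(s) for s in ports_by_host.values()))
        kinds = []
        if max_hosts >= sweep_hosts:
            kinds.append(("sweep", max_hosts))
        if max_ports >= scan_ports:
            kinds.append(("scan", max_ports))
        if kinds:
            findings[src] = kinds
    return findings


def constructed_log():
    """Constructed flow log: ordinary traffic, a fast sweep, a port scan, and slow probing
    that stays under the window threshold."""
    lines = [
        "1700000000 192.0.2.40 203.0.113.10 443 tcp S",   # ordinary: one host, one port
        "1700000005 192.0.2.40 203.0.113.10 443 tcp S",
        "1700000007 192.0.2.41 10.20.0.5 80 tcp S",       # not an NE address: ignored
    ]
    lines += [f"{1700000010 + i} 198.51.100.9 203.0.113.{20 + i} 22 tcp S" for i in range(12)]
    ports = [21, 22, 23, 25, 53, 80, 111, 443, 8080, 8443]
    lines += [f"{1700000100 + i} 198.51.100.77 203.0.113.50 {p} tcp S" for i, p in enumerate(ports)]
    lines += [f"{1700000300 + 120 * i} 198.51.100.88 203.0.113.{60 + i} 22 tcp S" for i in range(5)]
    return lines


if __name__ == "__main__":
    print(detect(constructed_log()))
```

The slow prober in the constructed log is the case the thresholds miss: spacing attempts wider than the window keeps each window at a single host, so a longer second window or a cumulative per-source count is needed to catch it. The parenthetical caveat in the text also applies here: NE_RANGE must cover every prefix that is actually reachable from the Internet, not only the ones the operator believes are exposed.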


Figure 8: NE reconnaissance attacks can be prevented by an F5 carrier-class network firewall with BIG-IP AFM. (Diagram labels: Attacker, Switch, Router, Devices, eNodeB, MME, SGW, PGW, EPC, S/Gi Network, Carrier-Class Network Firewall, Third-Party Server, F5 VIPRION Platform.)

NE compromise (malware)

A network element compromise, while less common, can be the most severe compromise a mobile network can suffer. The attacker attempts to take over critical network elements to hold the “keys to the kingdom” and use that control to inflict damage. Many network elements now use the same operating system or core software across different vendors, platforms, and versions, making it much easier to target a large number of elements when a software vulnerability is discovered.

While this type of attack can cover a large spectrum—from operating system to application-specific attacks—almost all have the same objective, which is to maintain control of specific network elements to facilitate extortion or espionage and to further expand control if possible. Security professionals may not be fully aware of the actual number of occurrences of extortion or espionage resulting from these network attacks due to the embarrassment that would result from the disclosures, but we do know that it happens. While attacks against service providers may not be as prolific as those against some enterprise networks, the fallout can be much more severe for a service provider. Low-profile attacks might be targeted at collecting consumer financial or other sensitive information, but the most critical consequences will result from espionage on government or corporate information systems that run on the same mobile network.


Figure 9: NE compromise attacks can place an entire mobile network at risk. (Diagram labels: Attacker, Switch, Router, Devices, eNodeB, MME, SGW, PGW, EPC, S/Gi Network, Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization.)

Solution

The solution to this type of attack is a network firewall that can perform stateful L3 and L4 inspections and use that information to deny dubious traffic from the packet gateway. Even better is L7 inspection on traffic to any routable interface so that attempts to compromise that element can be prevented.

The combination of the F5 VIPRION® system and BIG-IP AFM will specifically enable the carrier-class network firewall to use stateful L3 and L4 inspection to deny traffic from inappropriate sources and to inappropriate destinations. The F5 solution also enables L7 inspection on traffic to a routable interface that is attempting to compromise the application software on that element.

Figure 10: Critical network infrastructure can be protected from NE compromise attacks by the F5 carrier-class network firewall. (Diagram labels: Attacker, Switch, Router, Devices, eNodeB, MME, SGW, PGW, EPC, S/Gi Network, Carrier-Class Network Firewall, Third-Party Server, F5 VIPRION Platform.)


NE DDoS (control storms)

DDoS attacks are now the most commonly experienced attack, although these attacks may not always be noticed or reported. A DDoS is a modification of the classic DoS attack, distributed across many different, unwitting hosts that are controlled by the attacker to carry out the attack. Thus these attacks contain numerous attack objects that increase state entries in network devices and aggregate traffic payloads for the highest bandwidth impact. DDoS attacks can disable extremely large throughput devices, resulting in a large damage radius.

Figure 11: NE DDoS attacks controlled from the Internet but initiated from UE can jeopardize mobile services. (Diagram labels: Attacker, Switch, Router, Devices, eNodeB, MME, SGW, PGW, SGW/PGW, EPC, S/Gi Network, Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization.)

Solution

Service provider strategies for countering DDoS attacks differ. Some mobile service providers with access to large swaths of inexpensive bandwidth may start by increasing their Internet edge provisioning to raise the DoS threshold. However, most service providers are not so fortunate. Other service providers filter for a specific attack farther upstream from the Internet edge or point of congestion, but this approach can result in very long remediation times, while the service provider continues to suffer revenue loss due to the attack.

Given the nature of today’s threat landscape, all mobile service providers should deploy a Gi/SGi firewall device at the Internet edge to ensure the availability of their mobile networks. When combined with feature-rich F5 security software modules, the extensive capabilities within the F5 BIG-IP platforms deliver a carrier-class network firewall that can be deployed as a Gi/SGi firewall. In this critical network footprint, the F5 solution can selectively deny command-and-control traffic that can harm network resources, while F5 geolocation and IP Intelligence Services can prevent user equipment from being controlled by an attacker to become attack hosts.


©2015 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 0216 GUIDE-SEC-SP-55503900-tech-dc-sgi

Figure 12: NE DDoS attacks can no longer be initiated from the Internet when BIG-IP AFM is in place. (Diagram labels: Attacker, Switch, Router, Devices, eNodeB, MME, SGW, PGW, SGW/PGW, EPC, S/Gi Network, Carrier-Class Network Firewall, Third-Party Server, F5 VIPRION Platform.)

Conclusion

While in the past, some service providers may have mistakenly categorized attacks on mobile devices as outside the realm of the service provider’s responsibility, most now fully understand the impact of those attacks on their businesses and realize that they must have tools to prevent them. Attacks targeting user equipment are now firmly within the scope of concern. At the same time, service providers’ primary security concern continues to be protecting all critical network elements.

Compounding the challenge of ensuring end-to-end security for all service delivery is the blurring line between user equipment attacks and network element attacks. As a result of this evolution, service providers need to implement a scalable, advanced, and comprehensive security framework that protects both their networks and customers while providing tools and capabilities to address new, ever-more-sophisticated threats as they emerge. Implementing a strong security posture at the SGi interface is now more critical and challenging than ever, and mobile service providers require extensive, programmable, and highly scalable security functions to accommodate their rapidly evolving 4G/5G networks in this network footprint.

The extensive capabilities of the BIG-IP platform combine with the breadth of F5 security software modules and features to enable service providers to deploy an industry-leading carrier-class network firewall that ensures a strong and comprehensive security posture in the Gi-LAN network footprint.

Find more information about carrier-grade F5 security solutions at f5.com/solutions/service-provider.

