www.thalesgroup.com
CYBER-SECURED 4G/LTE PMR NETWORKS
Guaranteeing mission success with an always available and operational network
EXECUTIVE SUMMARY

The evolution of legacy voice-centric PMR networks to 4G/LTE PMR networks is set to deliver safety and operational efficiency improvements to mission-critical organisations. This evolution also opens the way for new deployment models using dedicated networks, commercial networks or a combination of both. However, open standards and IP technologies, together with interconnection with other networks, expose 4G/LTE PMR networks to cyber-security threats that can lead to network service outages or compromised data. A mission-critical network must always be available; it is therefore fundamental to apply a “security by design” approach when deploying a 4G/LTE PMR network. This white paper examines the cyber-security threats to the LTE core network and the corresponding mitigation techniques. The LTE core network transports all LTE PMR services and is therefore the most critical component of a 4G/LTE system.

The white paper goes on to outline guidelines for designing a cyber-secured LTE core network and provides examples of security architectures and solutions:
• Common practices for segregating the flows of the different logical planes should be enhanced with a multi-tier approach in which security is enforced orthogonally to the logical planes, in isolated and dedicated tiers;
• Secure interconnection practices with external networks, such as the Internet or the LTE networks of roaming partners, should be enhanced with LTE-specific security practices that protect the home network against both malicious and non-malicious attacks;
• Anti-DDoS best practices mitigate one of the major cyber-security threats;
• The system is kept cyber-secured 24/7 by deploying a Threat Management Centre that monitors and prevents threats in real time and ensures the latest security measures are implemented quickly, for maximum 4G/LTE PMR service availability.
Thales is a leader in cyber security and has been a key actor in the PMR industry for more than 15 years. Thales is uniquely positioned to support mission-critical organisations in securing their 4G/LTE PMR system to guarantee mission-critical broadband services.
TABLE OF CONTENTS
EXECUTIVE SUMMARY 2
1 4G/LTE PMR NETWORKS: A NEW SECURITY PARADIGM 4
2 4G/LTE PMR NETWORK: SECURITY BY DESIGN 6
2.1 Security Enforcement Points 6
2.2 Securing LTE Hosting Platforms 7
2.3 Securing Interfaces To Backbone Networks 8
2.4 Securing Peering With Roaming Partners 8
2.5 Thales Security Design Implementation 9
3 PROTECTING AGAINST DDOS ATTACKS 11
3.1 DDoS Attack Trends 11
3.2 A Hybrid DDoS Protection Architecture 12
4 KEEPING PACE WITH CYBER THREATS 13
4.1 Cyber Security Operations 13
4.2 Anti-DDoS Operations 14
5 CONCLUSION 15
GLOSSARY 16
1. 4G/LTE PMR NETWORKS: A NEW SECURITY PARADIGM

Mission-critical users (Public Safety agencies, Defence Forces, transportation operators, energy suppliers and critical industries) today need 21st-century communications capabilities to confront 21st-century threats and missions. It is now a fact that legacy voice-centric PMR (Private Mobile Radio) networks will evolve to 4G/LTE (Long Term Evolution) multimedia-centric networks. With 4G/LTE, mission-critical users can access real-time voice, high-speed data, instant location and video services. 4G/LTE also makes it possible to quickly integrate new IP-based applications and sensors tailored to users’ missions. This trend has already started in a number of countries and will continue to grow around the world and within mission-critical organisations in the near future.
4G/LTE PMR systems are based on the commercial 3GPP standard, which uses an all-IP architecture. This lets users benefit more quickly from new capabilities and services. 4G/LTE offers multiple deployment models, including dedicated networks, Secured MVNO (Mobile Virtual Network Operator) or a federation of both. Unlike legacy PMR systems, which remain “siloed”, 4G/LTE networks are naturally interoperable: as terminals, networks and group communication services are all standardized, 4G/LTE can interconnect the networks of different organisations, enabling transparent roaming of mission-critical users between partners’ networks and interoperable communications between users of different organisations.
[Figure 1 - 4G/LTE PMR deployment models. Three models are shown: DEDICATED (own LTE RAN and own EPC), S-MVNO (own EPC over the LTE RAN and EPC of partner MNOs A to N) and FEDERATED (own LTE RAN and EPC interconnected with MNOs A to N); control rooms and PMR application servers attach to the organisation’s own EPC in each case.]

However, an all-IP architecture also brings new challenges, as it dramatically changes the cyber-security threat profile of PMR service delivery. The use of open standards and technologies, together with the availability of full-featured mobile equipment, exposes the 4G/LTE PMR infrastructure to new cyber threats with potentially disruptive consequences: service disruption that may endanger lives or cause outages in critical operations, data theft or compromised data. These threats can be non-malicious (for example a signalling storm) or malicious (for example intrusion attempts from a computer equipped with specific tools, or DDoS attacks). Mission-critical organisations also have to consider the numerous borders with external networks that may be a source of attacks, namely mobile equipment, the radio access network, the Internet, application networks and roaming partner networks (commercial operators and/or other mission-critical organisations).
In this context, mission-critical operators must firstly protect the services provided to their end users by improving the robustness of their infrastructure and protecting core data assets (the subscriber database), and secondly ensure privacy by protecting the communications.
Security is not an option for mission-critical networks. It is a fundamental element of the 4G/LTE PMR infrastructure design.
[Figure 2 - 4G/LTE PMR network main cyber threats. The figure maps the threats onto the LTE mobile core (MME, SGW, PGW, HSS, PCRF, NMS), the mobile backhaul, the RAN, the partner’s core network infrastructure and the Internet/PMR application side:
• Management (NMS): unauthorized access to management servers can lead to misconfiguration of critical assets.
• Roaming partner / IPX side: use of protocol vulnerabilities (GTP or SCTP) to attempt service disruption or malicious access; a malicious user attempting to access core control elements from the IPX; misuse of control elements on the roaming partner side leading to unexpected messages or traffic volumes (non-malicious threat).
• Core elements: malicious access to critical core elements (e.g. HSS) and data modification (e.g. the subscriber key K, charging data); malware modifying the configuration of a communication gateway; modification of HSS data leading to theft of service.
• Internet / application side (PGW): intrusion attempts leveraging protocol vulnerabilities or open services; application-layer and volumetric denial of service on the gateways.
• RAN and backhaul: signalling attacks from a rogue device or from malware on a base station; eavesdropping and data tampering on the backhaul; use of protocol weaknesses (forged GTP messages) to attempt service disruption.]
This white paper explores cyber-security practices to mitigate threats to the LTE core network (also known as the Evolved Packet Core, or EPC) infrastructure.
2. 4G/LTE PMR NETWORK: SECURITY BY DESIGN

Security by design starts with identifying the 4G/LTE PMR network’s security enforcement points. Once these points and the related threats are known, specific actions can be taken.
2.1 Security Enforcement Points

Five security enforcement points have been identified to achieve the level of security expected for the 4G/LTE PMR infrastructure.

[Figure 3 - LTE Security Enforcement Points. The figure places the five points on the network: CORE EPC SECURITY (control and management logical plane segmentation, i.e. defence-in-depth; protection of data assets such as the subscriber database and the charging database), RAN INTERFACE SECURITY (protection of the EPC management infrastructure from the RAN; control plane SCTP (S1-MME) filtering; user plane GTP (S1-U) inspection; data confidentiality), BACKBONE SIDE SECURITY (exposure reduction to external networks; user plane protection), ROAMING INTERFACES PROTECTION (control plane S6a and S9 firewalling to protect home critical assets; user plane S8 traffic inspection) and SECURITY MEDIATION (log collection from security assets; optional interworking with a Security Operations Centre).]

1. Secured hosting platform leveraging the “defence-in-depth” concept to enhance protection of the LTE core network assets. The essential targets are the protection of the Management plane and the Control plane. Depending on the context of use and throughput requirements, the User plane may also be considered, to protect User plane assets and user devices.
2. and 3. Secured interfaces to external networks for the EPC, providing an architectural framework that limits the exposure of the LTE infrastructure to external threat agents (i.e. mobile terminals behind the RAN, and packet data networks such as the Internet).
4. Secured interfaces to roaming partners, protecting the IP peering interactions with the relevant peering partners in the various roaming scenarios. Up to a point, peering partners must themselves be considered external threat agents.
5. Security Mediation (log management and monitoring), providing an OSS-level capability to monitor security-relevant activity on the LTE platform through log collection and aggregation from the LTE network elements and the security building blocks.
The following sub-sections detail the cybersecurity measures to mitigate the risks on these enforcement points.
2.2 Securing LTE Hosting Platforms

The LTE hosting platform contains the core elements that handle the LTE service. These elements are involved in the different logical planes defined by 3GPP: the Management, Control and Data/User planes. To guarantee the appropriate level of security for the hosting platform, the security solution must achieve the following objectives:
• Significantly reduce the attack surface by minimizing the points of exposure to external networks;
• Implement the “defence-in-depth” principle as per best practice, with a multi-tier domain implementation;
• Protect sensitive information: the EPC infrastructure hosts information whose disclosure may compromise the organisation and users’ privacy;
• Clearly segregate the planes by using dedicated network interfaces (physical or logical), so that different networks are used for management, signalling and data connectivity.

The purpose of the security design is to protect the critical assets by preventing unfiltered access from an element belonging to the same logical plane. Therefore, in addition to logical plane segregation relying on VPNs (for example VPRN, Virtual Private Routed Network), a secured EPC infrastructure must be organised in “security tiers” orthogonal to the 3GPP logical planes. Each tier responds to specific security requirements, and identifying the tiers helps segregate the network equipment according to its function and the information it handles:
• The Presentation tier covers the security requirements at the perimeter of the EPC, exposed to external or untrusted networks;
• The Core tier covers the core network components inside the border (e.g. a PGW);
• The Data tier covers access, privacy and confidentiality requirements for sensitive data (e.g. the HSS);
• The Mediation tier covers the security requirements towards trusted networks.

Traffic segregation ensures that communications only occur between network components that need them, and conversely denies communications between components that have no such need. Stateful firewalls must be used to ensure the required level of segregation between networks while permitting the required level of connectivity. In addition to the filtering function, an Intrusion Detection and Prevention function (IDS/IPS) should be enabled on the OAM logical plane as a detective and corrective defence mechanism against both network- and application-targeted attacks. These systems inspect network traffic and keep systems protected from attacks against vulnerable services, data manipulation attacks on applications, privilege escalation on hosts, repeated failed unauthorized logins, and even access to sensitive data. This is extremely important where an attack can lead to anything from a service outage to the actual loss of sensitive data.
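As an added worked example (not part of the Thales white paper), the following Python script models the tier-and-plane traffic matrix described above: each EPC element is assigned to one security tier and to the logical planes it has interfaces on, the per-plane firewall passes only the session-opening flows listed in the matrix, everything else is denied and logged, and a validation step rejects any matrix that would let the Presentation tier reach the Data tier directly. The asset placement, rules and sample flows are assumptions chosen for illustration; the port numbers are the standard ones for the 3GPP interfaces named in the comments.

```python
"""Traffic-matrix evaluator for an EPC organised in security tiers orthogonal
to the 3GPP logical planes. Illustrative example, not Thales code; asset
placement, rules and flows are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# (plane, src asset, dst asset, proto, dport), in the direction the session is opened
Flow = Tuple[str, str, str, str, int]
# (plane, src tier, dst tier, proto, dport)
Rule = Tuple[str, str, str, str, int]


@dataclass(frozen=True)
class Asset:
    tier: str            # presentation | core | data | mediation
    planes: frozenset    # logical planes the asset has an interface on


# Assumed placement of EPC elements in tiers and planes.
ASSETS: Dict[str, Asset] = {
    "SecGW": Asset("presentation", frozenset({"user", "control", "management"})),
    "MME":   Asset("core", frozenset({"control", "management"})),
    "SGW":   Asset("core", frozenset({"user", "control", "management"})),
    "PGW":   Asset("core", frozenset({"user", "control", "management"})),
    "HSS":   Asset("data", frozenset({"control", "management"})),
    "PCRF":  Asset("data", frozenset({"control", "management"})),
    "OFCS":  Asset("mediation", frozenset({"control", "management"})),
    "NMS":   Asset("mediation", frozenset({"management"})),
}

# Traffic matrix. Only the session-opening direction is listed; replies are
# admitted by the stateful firewall's connection table, not by a rule.
MATRIX: Set[Rule] = {
    ("control", "presentation", "core", "sctp", 36412),      # S1-MME: SecGW -> MME
    ("user", "presentation", "core", "udp", 2152),           # S1-U GTP-U: SecGW -> SGW
    ("user", "core", "core", "udp", 2152),                   # S5 GTP-U: SGW <-> PGW
    ("control", "core", "data", "sctp", 3868),               # S6a Diameter: MME -> HSS
    ("control", "core", "data", "tcp", 3868),                # Gx Diameter: PGW -> PCRF
    ("control", "core", "mediation", "udp", 3386),           # Gz GTP': PGW -> OFCS
    ("management", "mediation", "presentation", "tcp", 22),  # NMS -> SSH on each tier
    ("management", "mediation", "core", "tcp", 22),
    ("management", "mediation", "data", "tcp", 22),
}


def validate_matrix(matrix: Iterable[Rule]) -> None:
    """Defence-in-depth invariant: no rule may join the externally exposed
    Presentation tier directly to the Data tier on any plane."""
    for plane, src, dst, proto, port in matrix:
        if {src, dst} == {"presentation", "data"}:
            raise ValueError(f"{plane}: {src}->{dst} {proto}/{port} bypasses the Core tier")


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Verdict of the per-plane firewall instance for one new session."""
    plane, src, dst, proto, dport = flow
    a, b = ASSETS[src], ASSETS[dst]
    if plane not in a.planes or plane not in b.planes:
        return False, f"no {plane}-plane interface on {src if plane not in a.planes else dst}"
    if (plane, a.tier, b.tier, proto, dport) in MATRIX:
        return True, f"{a.tier}->{b.tier} {proto}/{dport} in matrix"
    return False, f"{a.tier}->{b.tier} {proto}/{dport} not in matrix (default deny)"


def denied_log(flows: Iterable[Flow]) -> List[str]:
    """Denied-rule log lines, the material the security log collectors aggregate."""
    validate_matrix(MATRIX)
    out = []
    for flow in flows:
        ok, why = evaluate(flow)
        if not ok:
            plane, src, dst, proto, dport = flow
            out.append(f"DENY plane={plane} src={src} dst={dst} {proto}/{dport} {why}")
    return out


# Constructed sample flows, legitimate and not.
SAMPLE_FLOWS: List[Flow] = [
    ("control", "SecGW", "MME", "sctp", 36412),   # S1-MME from the RAN side: allowed
    ("user", "SecGW", "SGW", "udp", 2152),        # S1-U: allowed
    ("control", "MME", "HSS", "sctp", 3868),      # S6a: allowed
    ("control", "PGW", "OFCS", "udp", 3386),      # Gz: allowed
    ("management", "NMS", "HSS", "tcp", 22),      # OAM: allowed
    ("control", "SecGW", "HSS", "sctp", 3868),    # Presentation straight to Data: denied
    ("management", "SecGW", "HSS", "tcp", 22),    # same attempt on the mgmt plane: denied
    ("user", "MME", "SGW", "udp", 2152),          # MME has no user-plane interface: denied
    ("control", "HSS", "MME", "sctp", 3868),      # HSS opening sessions outward: denied
]

if __name__ == "__main__":
    for line in denied_log(SAMPLE_FLOWS):
        print(line)
```

Return traffic is deliberately absent from the matrix: a stateful firewall admits it from its connection table, which is why the HSS opening a session towards the MME is denied while the MME’s S6a request and the HSS’s answer to it both pass.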
[Figure 4 - Traffic segregation and defence in depth principles. The figure crosses the three logical planes (management, control, user) with the four security tiers: Presentation tier (SecGW facing the eNodeB), Core tier (MME, SGW, PGW, DRA), Data tier (HSS, PCRF) and Mediation tier (Charging); each tier carries a criticality label (major, high or medium). Management traffic (OAM), control traffic (signalling) and end-to-end user traffic are shown as separate flows, with one firewall instance per logical plane to filter traffic and generate security logs.]
2.3 Securing Interfaces to Backbone Networks

In the PMR context specifically, the protection of the interfaces to external public networks must be considered. To this end, the Thales cyber-secured PMR network solution includes dedicated security functions that protect the LTE infrastructure by:
• Mitigating threat impact by reducing the exposure to external networks;
• Providing stateful filtering for session control and ensuring traffic is not malicious;
• Filtering traffic to block incoming connection attempts.
These security functions are handled by a carrier-grade UTM (Unified Threat Management) appliance providing traffic firewalling as well as intrusion detection. Beyond the pure security features, the data plane functions of the UTM also log network activity, providing the information relevant to an investigation.

2.4 Securing Peering with Roaming Partners

4G/LTE PMR networks will most probably be interconnected with other 4G/LTE networks, either with commercial operators for improved coverage and capacity and/or with the dedicated 4G/LTE PMR networks of other PMR organisations. 3GPP defines dedicated interfaces to manage roaming between networks; these interfaces are based on Diameter over SCTP for the control plane (LTE interfaces S6a/S9) and GTP for the user plane (LTE interface S8). These interfaces are potential open doors to external networks. The role of the security infrastructure is to guarantee that they cannot degrade the security level of the home LTE infrastructure. The secure-by-design 4G/LTE PMR architecture complements the Diameter control functions handled at DEA/DRA level by inspecting the SCTP streams, which gives protection from the network level up to the application level. The user plane must also be covered to complete the security of the PMR core infrastructure: GTP was not designed with security in mind, so the security solution must support specific functions that protect the PMR core network from malformed or forged GTP traffic. That includes checking consistency with the 3GPP standards as well as inspecting GTP packets before they are processed by the gateways.
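As an added example (not the Thales solution’s code), the following Python inspector implements the kind of GTP-U consistency checks the paragraph above calls for on a user-plane border (S1-U from the RAN, S8 from a roaming partner): it validates the GTPv1 header against 3GPP TS 29.281 (version and protocol-type bits, message types permitted on GTP-U, length field, TEID rules for Echo and G-PDU, extension-header chain) and, for G-PDUs, checks that the inner IPv4 source (uplink) or destination (downlink) belongs to the home UE address pool, so that a partner network or a rogue device cannot inject packets on behalf of another subscriber. The UE pool and the sample datagrams are constructed for the example, and the inner-packet check assumes an IPv4-only pool.

```python
"""GTPv1-U inspection for a user-plane border (S1-U or S8). Added example,
not Thales code; the UE pool and sample datagrams are constructed."""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# Message types a GTP-U endpoint may legitimately receive (3GPP TS 29.281).
ALLOWED_GTPU_TYPES = {
    1: "Echo Request", 2: "Echo Response", 26: "Error Indication",
    31: "Supported Extension Headers Notification", 254: "End Marker", 255: "G-PDU",
}
# Assumed home UE address pool; any other address inside an uplink G-PDU is spoofed.
UE_POOLS = [ipaddress.ip_network("10.10.0.0/16")]


def _payload_offset(pkt: bytes, flags: int) -> Optional[int]:
    """Offset of the GTP payload after the optional fields and extension
    headers, or None when the chain does not fit inside the datagram."""
    if not flags & 0x07:                 # neither E, S nor PN: 8-byte header only
        return 8
    if len(pkt) < 12:
        return None
    if not flags & 0x04:                 # S/PN only: 4 optional octets, no extensions
        return 12
    off, next_type = 12, pkt[11]
    while next_type != 0:
        if off >= len(pkt):
            return None
        ext_len = pkt[off] * 4           # length octet counts 4-octet units, itself included
        if ext_len == 0 or off + ext_len > len(pkt):
            return None
        next_type = pkt[off + ext_len - 1]
        off += ext_len
    return off


def inspect_gtpu(pkt: bytes, uplink: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for one datagram received on UDP/2152."""
    if len(pkt) < 8:
        return False, "truncated GTP header"
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        return False, f"GTP version {flags >> 5} not allowed on the user plane"
    if not flags & 0x10:
        return False, "PT=0 (GTP') on a GTP-U port"
    if msg_type not in ALLOWED_GTPU_TYPES:
        return False, f"message type {msg_type} not permitted on GTP-U"
    if length != len(pkt) - 8:
        return False, "length field inconsistent with datagram size"
    payload_off = _payload_offset(pkt, flags)
    if payload_off is None:
        return False, "malformed optional/extension header chain"
    if msg_type in (1, 2) and teid != 0:
        return False, "Echo with non-zero TEID"
    if msg_type != 255:
        return True, ALLOWED_GTPU_TYPES[msg_type]
    if teid == 0:
        return False, "G-PDU with TEID 0"
    inner = pkt[payload_off:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return False, "inner packet is not IPv4"
    if struct.unpack("!H", inner[2:4])[0] != len(inner):
        return False, "inner IP total length inconsistent"
    src = ipaddress.ip_address(inner[12:16])
    dst = ipaddress.ip_address(inner[16:20])
    ue_side = src if uplink else dst     # the UE is the sender uplink, the receiver downlink
    if not any(ue_side in pool for pool in UE_POOLS):
        return False, f"inner {'source' if uplink else 'destination'} {ue_side} outside UE pool"
    return True, f"G-PDU {src} -> {dst}"


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left at zero) for constructed traffic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_gtpu(msg_type: int, teid: int, payload: bytes = b"", seq: Optional[int] = None,
               flags: int = 0x30, length: Optional[int] = None) -> bytes:
    """GTPv1-U datagram; 'length' lets a sample carry a forged length field."""
    opt = b""
    if seq is not None:
        flags |= 0x02                    # S flag: sequence, N-PDU and next-ext-type octets present
        opt = struct.pack("!HBB", seq, 0, 0)
    body = opt + payload
    hdr = struct.pack("!BBHI", flags, msg_type, len(body) if length is None else length, teid)
    return hdr + body


# Constructed samples: a legitimate uplink G-PDU, an Echo, a spoofed inner source,
# a GTP-C message type arriving on the user plane, a forged length, a GTPv2 header.
SAMPLES: Dict[str, bytes] = {
    "uplink ok": build_gtpu(255, 0x1A2B3C4D, build_ipv4("10.10.4.7", "192.0.2.10", b"x" * 8), seq=7),
    "echo": build_gtpu(1, 0, seq=1),
    "spoofed": build_gtpu(255, 0x1A2B3C4D, build_ipv4("203.0.113.9", "192.0.2.10", b"x" * 8)),
    "gtp-c on u": build_gtpu(16, 0, b"\x00" * 4),
    "bad length": build_gtpu(255, 5, build_ipv4("10.10.4.7", "192.0.2.10", b""), length=99),
    "gtpv2": build_gtpu(255, 5, flags=0x48),
}


def run_samples() -> Dict[str, bool]:
    return {name: inspect_gtpu(pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} {inspect_gtpu(pkt)}")
```

In a real deployment the pool check is applied per TEID (the session’s allocated UE address, learnt from GTP-C), not against the whole pool; the pool-wide check shown here is the weaker, stateless form that still stops a partner from sourcing traffic from arbitrary addresses.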
2.5 Thales Security Design Implementation

To provide “defence-in-depth” protection, firewalls are positioned at the heart of the infrastructure to validate the flows between security tiers as per the traffic matrix, and to ensure that packet contents do not carry malicious application-level data that would have unexpected effects on the core elements. For this purpose, the Thales security solution leverages the virtualisation capabilities of the UTM (Unified Threat Management) appliance: dedicated virtual firewalling instances filter traffic per security tier (Presentation, Core, Data, Mediation) in each logical plane, in order to guarantee strong segregation between core elements. As depicted in the diagram below, five firewalling instances are deployed.
[Figure 5 - Security Solution Architecture. The security tiers (Presentation, Core, Data, Mediation) are drawn across the management, control and user planes, with five firewall instances: a management plane firewall instance with IPS (NMS towards the Core, Data and Mediation tiers), a control plane firewall instance (MME, PCRF, HSS, Charging, DRA/DEA), a firewall instance on the SGi interface towards the Internet and the PMR application function, a roaming control plane firewall instance with IPsec termination (S6a/S9 towards the roaming partner infrastructure), and a roaming user plane firewall instance with IPsec termination (S8 towards the partner P/SGW). The SecGW terminates the backhaul from the eNB. Assumption stated on the figure: the SecGW supports GTP inspection and SCTP firewalling.]
Management Plane Firewall instance
• Zoning of the OAM plane to prevent unauthorized traffic between assets belonging to different tiers
• Network activity log (denied rules) for reporting
• Intrusion Prevention System to block attacks using management protocols

CTRL Plane Firewall instance
• Zoning of the Control plane to prevent unauthorized traffic between assets belonging to different tiers, in order to protect critical assets (HSS, PCRF, OCS/OFCS)
• SCTP traffic firewalling
• Network activity log (denied rules) for reporting

USER Plane Firewall instance
• Exposure reduction to external networks (Internet, application networks) through restriction of network services: only internally initiated connection requests are allowed, which protects the UE, and incoming connection requests are blocked, which protects the Evolved Packet Core from attack attempts from the backbone
• Network activity log (denied rules) for reporting

ROAMING CTRL Plane Firewall instance
• SCTP traffic firewalling
• Roaming peer authentication (using IPsec)
• Network activity log (denied rules) for reporting
• Encryption of control traffic exchanged with roaming partners (S6a and S9 traffic)

ROAMING USER Plane Firewall instance
• Exposure reduction to the roaming partner infrastructure through restriction of network services
• GTP inspection (S8 traffic)
• Peer authentication (using IPsec)
• Encryption of user traffic exchanged with roaming partners (S8 traffic)
• Network activity log (denied rules) for reporting

Log Collectors
• Dedicated log collector servers that aggregate the security log information generated by the security appliances, providing an efficient central point in case of investigation.

These virtual instances are hosted in one or more clusters of carrier-grade firewall appliances, or on virtual machines, as dimensioning requires; this simplifies network design and deployment and ensures carrier-grade availability.
3. PROTECTING AGAINST DDOS ATTACKS

Since the early 2010s, Distributed Denial of Service (DDoS) attacks have increased exponentially and have become the most costly cyber-security threat for the on-line industry [1], with the public sector constantly among the top three targets along with Finance and Telecommunications Service Providers. Providing dedicated detection and mitigation techniques against DDoS is therefore critical to guarantee the availability of 4G/LTE PMR networks against these types of attack.

Mobile operators, on the other hand, are still considered medium-risk targets. Yet in 2015, 68% of mobile operators declared they had observed DDoS attacks targeting their mobile users or infrastructure, compared to only 36% in 2014 [3]. The expansion of LTE network technology and smartphone usage is responsible for this escalation. 4G/LTE PMR networks should therefore anticipate similar risks and trends.

3.1 DDoS Attack Trends

DDoS attacks can be:
• Volumetric attacks, which attempt to consume the available network bandwidth;
• Protocol attacks, which go after the connection state tables of network and security equipment such as routers, switches, load balancers, firewalls or IPS/IDS;
• Application-layer attacks, which target implementation aspects of an application or service at Layer 7.

Volumetric attacks regularly hit the headlines, with volumes now reaching several hundred Gbps. Yet this increase in volume hides another, less visible trend: an increase in sophistication, the majority of attacks now being multi-vector, combining volumetric, protocol and application-layer attacks in a single, coordinated campaign. As illustrated in the figure below [2], governments are, and have always been, among the highest-risk targets for DDoS attacks. In 2015, government services were targeted and threatened through various campaigns by both “hacktivists” and terror groups responding to the political climate. Attacks on government sites are not, however, always politically motivated; many are launched so that the attackers can improve their “reputation” and/or publicly shame government sites for lacking “adequate security”.
[Figure 6 - Radware DDoS ring of fire (source [2]): the figure ranks target sectors by DDoS risk, with government among the highest-risk sectors.]

[1] Source: Ponemon Institute, Cost of Cyber Crime Studies, 2012 to 2015
[2] Source: Radware Global Application & Network Security Report 2015-2016
[3] Source: Arbor Worldwide Infrastructure Security Report 2015
3.2 A hybrid DDoS protection architecture

An anti-DDoS solution must protect critical networks and service infrastructures from a multi-faceted DDoS threat. This can be achieved by applying “defence-in-depth” principles, combining two layers of protection in a hybrid approach:
• On-premise protection provides always-on protection of applications, services and the core network infrastructure against protocol and application-layer attacks;
• Cloud protection provides on-demand protection against volumetric attacks that may saturate the Internet pipe.
The Thales cyber-security solution implements this hybrid approach based on Radware DDoS protection technology, which provides unique capabilities to detect and mitigate attacks within seconds, including zero-day attacks for which no signature is available.
[Figure 7 - Hybrid anti-DDoS solution architecture. Over the same tiered architecture as Figure 5 (security tiers and defence-in-depth across the management, control and user planes), anti-DDoS protection is placed on the roaming interfaces (towards the roaming partner infrastructure), on the RAN interfaces (SecGW, backhaul, eNB), on the interfaces to public and external networks (Internet) and in front of the applications network (PMR application function), under 24x7 DDoS attack monitoring and mitigation.]
DDoS protection is primarily deployed at Internet peering sites, as well as towards peering partners, protecting both the core network infrastructure and critical services (e.g. DNS) from Internet-generated attacks, which today represent the majority of attacks. Additional protection may be considered at the interconnection points with the backhaul network, in order to detect and mitigate potential attacks originating both from backhaul networks operated by third parties and from end-user terminals behind the RAN.

For this latter risk, the protection strategy will depend heavily on the policy for the supply and management of end-user devices (e.g. consumer smartphones vs. purpose-built terminals) and their operating system (e.g. Android OS with a security stack vs. a closed OS with dedicated applications).
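The following Python script is an added illustration (not Thales or Radware code) of the escalation logic behind the hybrid architecture described in this section: one-second traffic summaries from the Internet peering point are compared with a baseline learned from clean windows, each window is tagged with the vectors present (volumetric, protocol, application-layer, or several at once for a multi-vector attack), protocol and application-layer vectors stay with the on-premise mitigation, and a volumetric vector approaching the pipe capacity triggers diversion to cloud scrubbing, with hysteresis so that traffic is only brought back on-premise after several calm windows. The pipe capacity, thresholds and traffic series are assumptions.

```python
"""Window classifier and on-premise/cloud escalation for a hybrid anti-DDoS
deployment. Added example; capacity, thresholds and the series are assumed."""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

PIPE_CAPACITY_GBPS = 10.0   # assumed Internet peering pipe
DIVERT_AT = 0.8             # divert to cloud scrubbing above 80% of the pipe
RETURN_BELOW = 0.4          # return on-premise after CALM_WINDOWS windows under 40%
CALM_WINDOWS = 3


@dataclass(frozen=True)
class Window:
    t: int
    gbps: float        # ingress volume
    syn: int           # TCP SYNs seen
    established: int   # handshakes completed
    http_rps: int      # requests per second reaching the application front-ends


def baseline(windows: List[Window]) -> Window:
    """Per-metric median over windows assumed to be attack-free."""
    return Window(0, median(w.gbps for w in windows), int(median(w.syn for w in windows)),
                  int(median(w.established for w in windows)),
                  int(median(w.http_rps for w in windows)))


def classify(w: Window, base: Window) -> List[str]:
    """Vectors present in one window (several at once for a multi-vector attack)."""
    vectors = []
    if w.gbps >= DIVERT_AT * PIPE_CAPACITY_GBPS or w.gbps > 5 * base.gbps:
        vectors.append("volumetric")
    # SYN flood signature: SYN rate far above baseline while few handshakes complete
    if w.syn > 10 * base.syn and w.established < 0.2 * w.syn:
        vectors.append("protocol")
    if w.http_rps > 10 * base.http_rps:
        vectors.append("application")
    return vectors


def plan(windows: List[Window], baseline_windows: int = 5) -> List[Dict]:
    """Walk the series and decide, window by window, where each vector is mitigated."""
    base = baseline(windows[:baseline_windows])
    diverted, calm, out = False, 0, []
    for w in windows:
        vectors = classify(w, base)
        actions = [f"on-premise mitigation: {v}" for v in vectors if v != "volumetric"]
        if "volumetric" in vectors:
            if not diverted:
                actions.append("divert to cloud scrubbing (BGP announcement)")
            diverted, calm = True, 0
        elif diverted:
            # hysteresis: only withdraw the diversion after sustained calm
            calm = calm + 1 if w.gbps < RETURN_BELOW * PIPE_CAPACITY_GBPS else 0
            if calm >= CALM_WINDOWS:
                diverted = False
                actions.append("withdraw diversion, traffic back on-premise")
        out.append({"t": w.t, "vectors": vectors, "diverted": diverted, "actions": actions})
    return out


# Constructed one-second summaries: 5 clean windows, a SYN flood, then a
# volumetric + HTTP flood, then the attack stops.
SERIES = [
    Window(0, 1.1, 180, 170, 480), Window(1, 1.2, 200, 190, 500), Window(2, 1.3, 220, 210, 520),
    Window(3, 1.2, 200, 190, 500), Window(4, 1.2, 210, 200, 510),
    Window(5, 1.5, 50_000, 300, 520), Window(6, 1.6, 80_000, 280, 510),
    Window(7, 9.5, 500, 450, 20_000), Window(8, 9.8, 480, 440, 25_000),
    Window(9, 0.9, 200, 190, 500), Window(10, 1.0, 190, 180, 490), Window(11, 1.1, 200, 190, 500),
]

if __name__ == "__main__":
    for row in plan(SERIES):
        print(row)
```

The SYN-flood windows never leave the premises even though the SYN count explodes: the pipe is nowhere near saturation, and diverting a state-exhaustion attack to a scrubbing centre adds latency for no gain. The diversion is withdrawn only after three consecutive calm windows, which avoids flapping the BGP announcement when an attacker pulses the volumetric component.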
4. KEEPING PACE WITH CYBER THREATS

4.1 Cyber Security Operations

To ensure that the security mechanisms described above are effective and efficient (and consequently that 4G/LTE PMR services are always available to mission-critical users), it is recommended to deploy a centralized capability that monitors threats on a 24x7 basis and measures compliance with the security policy over time.

A CSOC (Cyber Security Operations Centre) solution provides a centralized approach to controlling the security posture of the core infrastructure in real time. It detects, alerts and reports on threats, vulnerabilities and potential attacks or misbehaviour across the entire information system. Two options can be considered: fully outsourced Managed Security Services, or a CSOC hosted in the customer’s environment.
[Figure 8 - Thales Managed Security Services (MSS) complete portfolio. The portfolio is organised as Anticipate (threat intelligence, vulnerability management, security operations including anti-DDoS and sandboxing), Detect & Respond (detect and analyse: real-time incident detection and management support; investigate: log analysis, forensics and malware analysis, on-site investigation; manage crisis: crisis management, rapid response team) and Comply (security policy deviation control, log management, risk management).]
Proactive Threat Management
The proactive threat management function assesses vulnerabilities on the assets in order to detect impacted systems and zero-day threats. It provides tools to automatically schedule and control the active or passive scans that feed the asset database. Dashboards and reports provide KPIs, detailed results and remediation information to support the customer’s action plan.
Real Time Attack Detection and Security Policy Deviation Monitoring
Whatever the infrastructure size and the geographical constraints, the solution collects, aggregates and correlates security events and flows to detect any suspicious or non-compliant activity within a massive amount of security information. This includes:
• Support for on-going compliance and security policy deviation control through network flow and log analysis; specific rules are built to trigger the right level of events;
• Detection of unauthorized user behaviour and configuration issues, with immediate reporting through generic or user-built dashboards and reports.
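As an added example of the flow-and-log correlation this section describes (not Thales CSOC code), the following Python script runs three rules over a constructed batch of security logs: denied-rule events from the per-plane firewall instances and SSH authentication events from a management server, in an assumed syslog-like format. The rules flag a source that hits many distinct ports within a short window, an asset that keeps retrying a flow the traffic matrix denies (a policy deviation, typically a misconfigured element or malware), and a run of failed logins followed by a success on a management host.

```python
"""Correlation rules over firewall denied-rule logs and management-server
authentication logs. Added example; log format, hosts and thresholds are assumed."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed log sample, already in time order (epoch seconds first).
LOG = """\
1462000010 fw-ctrl DENY plane=control src=10.30.0.5 dst=10.40.0.10 proto=tcp dport=22
1462000011 fw-ctrl DENY plane=control src=10.30.0.5 dst=10.40.0.10 proto=tcp dport=23
1462000012 fw-ctrl DENY plane=control src=10.30.0.5 dst=10.40.0.10 proto=tcp dport=80
1462000013 fw-ctrl DENY plane=control src=10.30.0.5 dst=10.40.0.10 proto=tcp dport=443
1462000014 fw-ctrl DENY plane=control src=10.30.0.5 dst=10.40.0.10 proto=sctp dport=3868
1462000015 fw-ctrl DENY plane=control src=10.30.0.5 dst=10.40.0.10 proto=sctp dport=36412
1462000016 fw-ctrl DENY plane=control src=10.30.0.5 dst=10.40.0.10 proto=udp dport=2152
1462000017 fw-ctrl DENY plane=control src=10.30.0.5 dst=10.40.0.10 proto=tcp dport=8080
1462000018 fw-ctrl DENY plane=control src=10.30.0.5 dst=10.40.0.10 proto=udp dport=161
1462000019 fw-ctrl DENY plane=control src=10.30.0.5 dst=10.40.0.10 proto=tcp dport=179
1462000030 fw-user DENY plane=user src=10.10.4.7 dst=198.51.100.4 proto=tcp dport=25
1462000050 nms01 sshd FAILED user=admin src=10.30.0.5
1462000060 nms01 sshd FAILED user=admin src=10.30.0.5
1462000070 nms01 sshd FAILED user=root src=10.30.0.5
1462000080 nms01 sshd FAILED user=admin src=10.30.0.5
1462000090 nms01 sshd FAILED user=admin src=10.30.0.5
1462000095 nms01 sshd ACCEPTED user=admin src=10.30.0.5
1462000100 fw-ctrl DENY plane=control src=10.20.0.7 dst=10.50.0.3 proto=udp dport=3386
1462000700 fw-ctrl DENY plane=control src=10.20.0.7 dst=10.50.0.3 proto=udp dport=3386
1462001300 fw-ctrl DENY plane=control src=10.20.0.7 dst=10.50.0.3 proto=udp dport=3386
1462001900 fw-ctrl DENY plane=control src=10.20.0.7 dst=10.50.0.3 proto=udp dport=3386
1462002500 fw-ctrl DENY plane=control src=10.20.0.7 dst=10.50.0.3 proto=udp dport=3386
"""

FW_RE = re.compile(r"^(\d+) (\S+) DENY plane=(\w+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\d+) (\S+) sshd (FAILED|ACCEPTED) user=(\S+) src=(\S+)$")


def _trim(q: Deque, now: int, window: int) -> None:
    """Drop entries older than the sliding window (entry[0] is the timestamp)."""
    while q and now - q[0][0] > window:
        q.popleft()


def correlate(lines: List[str], scan_ports: int = 10, scan_window: int = 60,
              repeat_count: int = 5, repeat_window: int = 3600,
              failed_logins: int = 5, login_window: int = 300) -> List[str]:
    """Stream the log once and return the alerts the three rules raise, in order."""
    alerts: List[str] = []
    by_src: Dict[str, Deque] = defaultdict(deque)      # src -> (ts, dport)
    by_flow: Dict[Tuple, Deque] = defaultdict(deque)   # (src, dst, proto, dport) -> (ts,)
    failures: Dict[Tuple, Deque] = defaultdict(deque)  # (host, src) -> (ts,)
    fired = set()                                      # one alert per (rule, key)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            ts, _fw, plane, src, dst, proto, dport = m.groups()
            ts = int(ts)
            q = by_src[src]
            q.append((ts, dport))
            _trim(q, ts, scan_window)
            ports = {p for _, p in q}
            if len(ports) >= scan_ports and ("scan", src) not in fired:
                fired.add(("scan", src))
                alerts.append(f"SCAN src={src} hit {len(ports)} ports on {dst} within {scan_window}s")
            key = (src, dst, proto, dport)
            f = by_flow[key]
            f.append((ts,))
            _trim(f, ts, repeat_window)
            if len(f) >= repeat_count and ("repeat", key) not in fired:
                fired.add(("repeat", key))
                alerts.append(f"POLICY-DEVIATION {src} keeps opening {proto}/{dport} to {dst} "
                              f"on the {plane} plane ({len(f)} denies in {repeat_window}s)")
            continue
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            ts = int(ts)
            f = failures[(host, src)]
            _trim(f, ts, login_window)
            if result == "FAILED":
                f.append((ts,))
            else:
                if len(f) >= failed_logins:
                    alerts.append(f"BRUTE-FORCE-SUCCESS {src} logged in to {host} as {user} "
                                  f"after {len(f)} failures")
                f.clear()
    return alerts


def run_sample() -> List[str]:
    return correlate(LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second rule is the one that matters most in a tiered EPC: a single denied flow is noise, but the same element retrying the same denied flow every ten minutes for an hour is either a configuration error (an asset pointed at the wrong tier) or something on that host trying to reach data it should never see, and both deserve a ticket.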
Regulatory Compliance and Forensic Support
The regulatory compliance and forensic support functions store massive amounts of security-related information in usable, lawfully compliant formats and support legal and technical in-depth security investigations through forensic tools.
Threat prevention
Visibility and anticipation: intelligence on cyber threats. Backed by the services of CERT-IST (which Thales operates as a member of FIRST) and the findings of its CSOC, Thales delivers qualified threat intelligence services customized to each customer’s context: e-reputation, indicators of compromise (IOC), and the evolution of threats and vulnerabilities. Risk mitigation: the management of vulnerabilities. By integrating cyber-threat intelligence data into its CSOC monitoring process, Thales helps qualify incidents more accurately according to the level of exposure.
Ensure compliance
Thales services are designed to respond to the most stringent requirements, including those for Critical Infrastructure Providers. The aim is to bring the right information at the right time to take the most relevant and appropriate decisions.

In managed security services, Thales monitors the security of information systems, delivers contextualized information on new threats, and provides customers with the expertise required to solve their incidents quickly. Moreover, Thales delivers the right degree of visibility on risks, security status and business impact.
4.2 Anti-DDoS operations

The Thales CSOC ensures 24x7x365 operation of the anti-DDoS solution with the following services:
• DDoS threat intelligence, to maintain an up-to-date view of the DDoS threats relevant to the mission-critical organisation;
• DDoS attack monitoring, to ensure 24x7 monitoring and first-level analysis and qualification of DDoS alerts in interaction with the mission-critical organisation;
• DDoS attack mitigation, to launch and follow up mitigation in cooperation with the mission-critical organisation’s security team, including real-time analysis and adaptation of countermeasures to changing attack vectors;
• DDoS attack reporting, to provide monthly reporting on traffic and DDoS attack trends and individual reports on past attacks, including post-mortem analysis and recommendations to improve DDoS protection;
• DDoS protection change management, to manage on-going changes through a structured change management process and ensure continuous adaptation to the ever-changing customer network and threat landscape.
5. CONCLUSION

The evolution from legacy PMR networks to 4G/LTE networks leads to new paradigms in terms of cyber security. Open standards and IP-based approaches expose 4G/LTE PMR networks to cyber-attacks that can lead to service outages, data theft and compromised data for mission-critical organisations. Taking strict measures to cyber-protect 4G/LTE PMR networks is critical. To this end, Thales has defined a cyber-security approach that protects the services offered by the 4G/LTE PMR infrastructure and the critical data hosted in it, including both control information and the users’ database. The Thales cyber-security solution is:
• Modular: the security design is adapted to a specific context as per the customer’s environment and requirements;
• Scalable: a security design based on distributed firewall instances can scale up as throughput requirements grow.

In addition to a security architecture based on best-of-breed firewalling and anti-DDoS devices, Thales’s LTE cyber-security solution proposes advanced managed security services for security monitoring. Thales is the only company on the market proposing a global security approach based on network infrastructure protection at the build phase as well as risk prevention, threat detection, mitigation management and compliance reporting via 24x7 real-time security monitoring. Managed security services are complemented with crisis management and remediation services. The Managed Security Services offered by Thales leverage CERT-IST (Computer Emergency Response Team – Industry, Services and Tertiary), which provides operators and mission-critical organisations with a knowledge base, alerts and incident response, from a single network vulnerability to major computer attacks. In conclusion, customers benefit from Thales’s cyber-security expertise to:
• Dramatically reduce the risk of impact in case of cyber-attack;
• Anticipate and pre-empt cyber-security risks with the visibility needed to detect weaknesses;
• Meet stringent regulatory requirements for protection against cyber-attacks;
• Deliver secure mission-critical service continuity, with a greater level of end-user confidence in the 4G/LTE PMR network;
• Preserve a trusted reputation by delivering a more secure service.

Thales leverages fully field-tested methodologies and techniques based on 20 years of experience in the deployment and operation of cyber-security services.
GLOSSARY
3GPP: Third Generation Partnership Project
CERT-IST: Computer Emergency Response Team - Industry, Services and Tertiary
CSOC: Cyber Security Operations Centre
DDoS: Distributed Denial of Service
DNS: Domain Name System
EPC: Evolved Packet Core
FIRST: Forum of Incident Response and Security Teams
GTP: GPRS Tunnelling Protocol
HSS: Home Subscriber Server
IDS: Intrusion Detection System
IP: Internet Protocol
IPS: Intrusion Prevention System
LTE: Long Term Evolution
MME: Mobility Management Entity
MVNO: Mobile Virtual Network Operator
NTP: Network Time Protocol
OCS: Online Charging System
OFCS: Offline Charging System
PCRF: Policy and Charging Rules Function
PGW: Packet Data Network Gateway
PMR: Private Mobile Radio
SCTP: Stream Control Transmission Protocol
SGW: Serving Gateway
S-MVNO: Secured MVNO
VPN: Virtual Private Network
VPRN: Virtual Private Routed Network
twitter.com/thalesgroup linkedin.com/company/thales youtube.com/thethalesgroup facebook.com/thalesgroup
Thales Communications & Security SAS - 4 avenue des Louvresses - 92230 Gennevilliers - France - Tel: +33 (0)1 41 30 30 00
Thales Optronique SAS - 2 avenue Gay-Lussac - CS 90502 - 78995 Élancourt Cedex - France - Tel: +33 (0)1 30 96 70 00
www.thalesgroup.com
06/2016 - Credits: Thales, Shutterstock - © Thales 2016
11/2015 - © Thales 2015