Cisco Systems Helps Give Mobile Operators Greater Security in an Increasingly Uncertain World

May 26, 2006

By Jason Deign, News@Cisco

Cisco Systems® is aiming to help mobile operators secure their networks and protect their subscribers from an expanding array of network-borne threats.

Less than a decade ago, threats like distributed denial of service (DDoS) attacks and worm and virus outbreaks, many varieties of which now target mobility, were not a concern for mobile users and operators.

This was because mobile operator networks were isolated, connected to tightly controlled infrastructures like the public switched telephone network (PSTN) and the Signaling System 7 (SS7) network that linked operators and enabled delivery of a single product - mobile voice.

Since then, however, mobile networks have been undergoing a number of transformations.

Traditional voice backbones based on Time Division Multiplexing (TDM) and ATM are being replaced with IP networks that are faster, more flexible and more efficient. Mobile operators can deliver voice as well as hundreds of IP-based services to their subscribers.

As a result, PSTN and SS7 networks are no longer the only ways in and out of a mobile network.

Direct connections to the Internet, roaming exchanges, corporate customers, information services and application providers have proliferated, making mobile networks some of the most accessible and interconnected in the world.

Mobile devices, once limited to simple voice services, have evolved to an astonishing level of sophistication, able to deliver multimedia messaging, Web browsing, network-based games, office applications and virtual private networking to subscribers.

These transformations are just a few of the many that have occurred as mobile operators deploy third-generation (3G) networks, which add the rich content and services of the Internet to mobility and extend corporate networks to users roaming the far corners of the globe.

3G networks and services enrich the lives of subscribers and open new markets and revenue to mobile operators. However, they also expose subscribers and operators to new risks.

For example, the proliferating connections to the Internet, roaming exchanges, customers and partners that are critical for the delivery of rich new services also provide a vector through which malicious parties can hack into systems, launch DDoS attacks and propagate malware.

Increasingly powerful and sophisticated 3G mobile devices create a unique concern for mobile operators, for they can serve as both a target and source of many exploits.

Many 3G devices are essentially small form-factor PCs. With the advent of 3G PC cards, millions of laptop computers are now using 3G networks for wide-area broadband services.

Protecting 3G mobile devices from attack, and protecting mobile networks and subscribers from compromised or malicious devices, is a daunting task, especially given that mobile operators can no longer exert complete control over device capabilities or configuration.

A further area of concern is the availability of peer-to-peer applications allowing 3G mobile devices to become a source for potentially huge volumes of data that can overwhelm limited network resources or disrupt the user experience of revenue-generating subscribers.

Addressing these and other risks is critical if mobile operators are to minimize disruptions and meet subscriber expectations for service reliability, data security and privacy.

The key to overcoming them, says Brian Daugherty, security business development manager within the Cisco Systems Global Mobile Vertical team, is to "Manage, monitor and mitigate."

This involves:

  • Proactively enforcing policies to manage network access and utilization, while hardening the network and services infrastructure against attack.
  • Actively monitoring network and subscriber behavior to assure policy compliance and detect events that may affect the delivery of mobile services.
  • Reacting quickly to mitigate attacks using a dynamic, appropriate mix of security devices, tools or strategies.

To help operators, Cisco offers a wide suite of security systems that can be applied to mobile network infrastructures based on Global System for Mobile Communications, Code Division Multiple Access, Wi-Fi or Dual-Mode architectures.

Mobile operators can apply elements of this security suite to harden their IP infrastructure, protect their borders, ensure that subscribers are complying with established policies and prevent worms and viruses from propagating over their networks or disrupting their critical servers and services.

The Cisco suite includes:

  • Network Foundation Protection, which integrates security tools and features like Control Plane Policing and Management Plane Protection into Cisco IOS® software to harden the routers and switches that form an operator's IP network.
  • Cisco DDoS mitigation, which uses Anomaly Detectors to form baseline profiles for traffic. When there are departures from these baselines, data is re-routed to Anomaly Guards, which extract attack code and forward legitimate traffic to its destination.
  • Cisco Secure Packet Gateways, which protect the Radio Access Network border by authenticating subscribers and controlling their access to data services, monitoring behavior on a per-subscriber basis and controlling the flow of traffic across network boundaries.
  • Cisco Subscriber-Aware Firewalls, which provide protection for the borders with the Internet and corporate networks by matching all traffic arriving from these external networks to a specific mobile subscriber identity.
  • Cisco Service Control Engines, which provide operators with visibility and control capabilities in one platform, using deep packet inspection and analysis to generate detailed reports describing subscriber, service and application behavior.
  • Cisco Incident Control System (ICS), a collaborative system with Trend Micro that protects against worms and viruses. ICS allows an operator to deploy protective access control lists and attack signatures to multiple mitigation devices within minutes of an outbreak alert.

Few elements of the Cisco mobile security suite are dedicated to a single role. For example, Cisco DDoS Mitigation System is dedicated primarily to mitigation but also features monitoring capabilities.

"Not every element of this security suite is necessary for every operator, nor is it necessary to implement the full suite to deliver a significantly more resilient network and service infrastructure," Daugherty says.

"Rather, each operator can deploy a mix of these solutions based on their individual requirements and deploy them using a phased approach."

Jason Deign is a freelance journalist located in Barcelona, Spain.
