This is the second article in our spotlight on the evolution of the SGi/Gi-LAN, a core element in today’s mobile networks.
Faced with an explosion of mobile devices and a shift in traffic patterns from walled-garden networks – where users consume carrier-provided internal applications and services – to networks dominated by Internet-based applications and services, the SGi/Gi-LAN's role as the gateway becomes all the more critical. As we discussed in our first article in this series on virtualizing mobile networks, the move to modernize the SGi/Gi-LAN through virtualization and network functions virtualization (NFV) initiatives offers many opportunities for mobile network operators to consolidate functions for maximum network efficiency.
In this article, we want to shine the spotlight on another challenge within the SGi/Gi-LAN today: maintaining security in the face of the increasing diversity of devices and applications running on mobile networks, coupled with an explosion in traffic-carrying capacity.
Security in the Mobile Network
A mobile operator wants a way to secure the applications and the network at the same time, which means it is looking at a multifaceted security infrastructure. This has become a big challenge.
As the image below demonstrates, the mobile network has many attack surfaces that need to be protected. Mobile devices and laptops connect to both the mobile network and the Internet, but all of these connections lead back to connectivity in the mobile core. Operators therefore need to build dynamic security services that protect both the Internet-facing traffic and the mobile gateways themselves. The diagram below demonstrates the scale of the challenge.
As we have written about in detail here on SDxCentral.com, the types and scale of threats are ever increasing: distributed denial-of-service (DDoS) attacks, malware, advanced persistent threats (APTs), and DNS-level attacks are just a few of the threats one might encounter. Many of these can occur on a high-speed mobile network, which requires a multifaceted level of protection. At the same time, service providers need to help protect the devices that are using the network.
The trend toward a converged SGi/Gi-LAN platform can help in this battle for multidomain security, because many of the IP functions can be consolidated in one area. This is also the area where it is natural to develop new services that require IP packet manipulation, including analytics and policy management that can be applied to improve network security. It also happens to be where subscriber information is managed. Therefore, the SGi/Gi-LAN is a natural place to implement security functions, because subscriber management, policy, and IP packet inspection already live there.
Evolving Security in the S/Gi-LAN
In the past, security functions within the SGi/Gi-LAN tended to be oriented toward policy and subscriber-plan enforcement (think Policy and Charging Rules Function [PCRF]) rather than Internet-grade, next-generation firewalling or malware detection. Likewise, most of the packet manipulation involved header insertion for subscriber awareness and tracking, or carrier-grade NAT (CGNAT) for address-space management.
Today, with the vast majority of traffic being Internet-focused, security capabilities in the SGi/Gi-LAN need to be upgraded to be Internet-grade. This includes application-aware firewalls, continued subscriber-aware policy enforcement, URL filtering, DDoS protection, and CGNAT. Beyond this, service providers are looking for malware detection, DNS protection, and APT prevention, and mobile subscribers are looking to their carriers to protect their mobile devices (and soon IoT devices) from external attacks.
We are seeing carriers migrate from traditional CGNAT and L4 firewalls to more sophisticated platforms (hardware appliances and virtual appliances within NFV platforms) that were originally developed for large Internet data centers or enterprises and have since been adapted to mobile networks – gaining more subscriber awareness and tweaks to handle mobile and multimedia traffic. These platforms tend to provide Internet-scale performance, given their large data center heritage.
In one case study presented by F5 Networks with an unnamed Tier 1 mobile operator, the operator says it was able to increase scale and improve throughput by 20 percent and reduce power consumption by 80 percent by consolidating security firewalls in a data center in the SGi/Gi-LAN.
This example shows that there are many opportunities for maximizing resources and delivering efficiency by consolidating security services in a data center where Layer 4-7 services are delivered. The SGi/Gi-LAN is likely to gather momentum as the place where these services are deployed, as mobile operators leverage the scale and efficiency of running more services out of centralized data centers.