www.thalesgroup.com

CYBER-SECURED 4G/LTE PMR NETWORKS

Guaranteeing mission success with always available and operational network


2 _ Cyber-secured 4G/LTE PMR networks

EXECUTIVE SUMMARY

The evolution of legacy voice-centric PMR networks to 4G/LTE PMR networks is set to deliver safety and operational efficiency improvements to mission-critical organisations. This evolution also opens up the way for new deployment models using dedicated networks, commercial networks or a combination of both. However, open standards and IP technologies, together with the interconnection with other networks, expose 4G/LTE PMR networks to potential cybersecurity threats that can lead to network service outages or compromised data. A mission-critical network must always be available; as a result it is fundamental to apply a “security by design” approach when deploying a 4G/LTE PMR network.

This white paper examines the cybersecurity threats to the LTE core network and the corresponding mitigation techniques. The LTE core network transports all LTE PMR services and is, as a result, considered the most critical component of a 4G/LTE system.

The white paper goes on to outline guidelines for designing a cyber-secured LTE core network and provides examples of security architectures and solutions:

• Common practices to segregate flows of different logical planes should be enhanced with a multi-tier approach where security is enforced orthogonally to the logical planes in isolated and dedicated tiers,

• Secured interconnection practices with external networks such as the Internet or the LTE networks of roaming partners should be enhanced with specific LTE-based security practices to protect the home network against malicious and non-malicious attacks,

• Anti-DDoS best practices to mitigate one of the major cybersecurity threats,

• Guaranteeing the system is cyber-secured 24/7 by deploying a Threat Management Centre that monitors and prevents threats in real time and ensures the latest cyber-security measures are quickly implemented for maximum 4G/LTE PMR services availability.

Thales is a leader in cybersecurity and has been a key actor in the PMR industry for more than 15 years. Thales is uniquely positioned to support mission-critical organisations in securing their 4G/LTE PMR system to guarantee mission-critical broadband services.


TABLE OF CONTENTS

EXECUTIVE SUMMARY 2

1 4G/LTE PMR NETWORKS: A NEW SECURITY PARADIGM 4

2 4G/LTE PMR NETWORK: SECURITY BY DESIGN 6

2.1 Security Enforcement Points 6

2.2 Securing LTE Hosting Platforms 7

2.3 Securing Interfaces To Backbone Networks 8

2.4 Securing Peering With Roaming Partners 8

2.5 Thales Security Design Implementation 9

3 PROTECTING AGAINST DDOS ATTACKS 11

3.1 DDoS Attack Trends 11

3.2 A Hybrid DDoS Protection Architecture 12

4 KEEPING PACE WITH CYBER THREATS 13

4.1 Cyber Security Operations 13

4.2 Anti-DDoS Operations 14

5 CONCLUSION 15

GLOSSARY 16

Cyber-secured 4G/LTE PMR networks _ 3


1. 4G/LTE PMR NETWORKS: A NEW SECURITY PARADIGM

Mission-critical users (namely Public Safety agencies, Defence Forces, Transportation operators, Energy suppliers and Critical Industries) today need 21st century communications capabilities to confront 21st century threats and missions. It is now a fact that legacy voice-centric PMR (Private Mobile Radio) networks will evolve to 4G/LTE (Long Term Evolution) multimedia-centric networks. With 4G/LTE, mission-critical users can access real-time voice, high-speed data, instant location and video services. 4G/LTE also makes it possible to quickly integrate new IP-based applications and sensors tailored to users’ missions. This trend has already started in a number of countries and will continue to grow around the world and within mission-critical organisations in the near future.

4G/LTE PMR systems are based on the commercial 3GPP standard, which uses an all-IP architecture. This enables users to benefit more quickly from new capabilities and services. 4G/LTE offers multiple deployment models including dedicated networks, Secured MVNO (Mobile Virtual Network Operator) or a federation of both. Unlike legacy PMR systems, which remain “siloed”, 4G/LTE networks are naturally interoperable: as terminals, networks and group communication services are all standardised, 4G/LTE can interconnect the networks of different organisations to enable transparent roaming of mission-critical users between partners’ networks and interoperable communications between users of different organisations.

However, an all-IP architecture also triggers new challenges, as it dramatically changes the cybersecurity threat profile of PMR service delivery. The use of open standards and technologies, together with the availability of full-featured mobile equipment, exposes 4G/LTE PMR infrastructure to new cyber threats with potentially disruptive consequences: service disruption that may endanger lives or service outages in critical operations, data theft or compromised data. These cyber threats can be non-malicious, for example a signalling storm, or malicious, for example intrusion attempts from a computer installed with specific tools, or DDoS attacks. Mission-critical organisations also have to consider the numerous borders with external networks that may be a source of attacks, namely mobile equipment, the radio access network, the Internet, application networks and roaming partner networks (commercial operators and/or other mission-critical organisations).

Figure 1 - 4G/LTE PMR deployment models (diagram comparing the Dedicated, S-MVNO and Federated models; elements shown: Control Rooms, PMR App Servers, Own EPC, Own LTE RAN, Partner LTE RAN, Partner EPC, MNO A … MNO N)


In this context, mission-critical operators must firstly protect the services provided to their end-users by improving the robustness of their infrastructure and protecting core data assets (subscribers database), and secondly, ensure privacy by protecting the communications.

Security is not an option for mission-critical networks. It is a fundamental element of the 4G/LTE PMR infrastructure design.

This white paper explores cybersecurity practices to mitigate threats to the LTE core network (aka Evolved Packet Core or EPC) infrastructure.

Figure 2: 4G/LTE PMR network main cyber threats (diagram of the LTE mobile core: HSS, NMS, MME, S/PGW (SGW, PGW), PCRF, PMR application function, mobile backhaul network, Internet and the partner’s core network infrastructure, annotated with the threats below)

• Use of protocol vulnerabilities (GTP or SCTP) to attempt service disruption or malicious access
• Malicious user attempting to access control core elements from the IPX
• Misuse of control elements on the roaming partner side can lead to unexpected messages or traffic volume (non-malicious threat)
• Unauthorized access to management servers can lead to misconfiguration of critical assets
• Intrusion attempts leveraging protocol vulnerabilities or open services
• Applicative and volumetric denial of service on gateways
• Malicious access to critical core elements (e.g. HSS) and data modification (e.g. K, charging data)
• Malware modifies the configuration of a communication gateway
• Modification of HSS data can lead to theft of service
• Signalling attack from a rogue device or malware on a base station
• Eavesdropping
• Data tampering
• Use of protocol weaknesses (forged GTP messages) to attempt service disruption


2. 4G/LTE PMR NETWORK: SECURITY BY DESIGN

Security by design starts with the identification of the 4G/LTE PMR network’s security enforcement points. Once these points and the related threats are known, specific actions can be taken.

2.1 SECURITY ENFORCEMENT POINTS

Five security enforcement points have been identified to achieve the level of security expected for the 4G/LTE PMR infrastructure.

1. Secured hosting platform leveraging the “defence-in-depth” concept to enhance protection of the LTE core network assets. The essential targets are the protection of the Management plane as well as the Control plane. Depending on the context of use and throughput requirements, the User plane may also be considered in order to protect the User plane assets and user devices.

2 and 3. Secured interfaces to external networks for the EPC, providing an architectural framework to limit the exposure of the LTE infrastructure to external threat agents (i.e. mobile terminals and packet data networks such as the Internet).

4. Secured interfaces to roaming partners to protect IP peering interactions with the relevant peering partners (in the various roaming scenarios). Up to a certain extent, peering partners may be considered as external threat agents.

5. Security Mediation (log management and monitoring) that provides an OSS-level capability supporting the need to monitor security-relevant activity on the LTE platform through log collection and aggregation from the various LTE network elements and security building blocks.

Figure 3 - LTE Security Enforcement Points (the LTE mobile core diagram of figure 2, with the five enforcement points of section 2.1 annotated as follows)

1 CORE EPC SECURITY
• Control & Management logical planes segmentation (defence-in-depth)
• Data assets protection (subscriber database, charging database)

2/3 RAN INTERFACE SECURITY
• EPC management infrastructure protection from the RAN network
• CTRL plane: SCTP (S1-MME) filtering
• USER plane: GTP (S1-U) inspection
• Data confidentiality

2/3 BACKBONE SIDE SECURITY
• Exposure reduction to external networks
• User plane protection

4 ROAMING INTERFACES PROTECTION
• CTRL plane: S6a and S9 firewalling to protect home critical assets
• USER plane: S8 traffic inspection

5 SECURITY MEDIATION
• Log collection from security assets
• Optional: interworking with a Security Operations Centre


The following sub-sections detail the cybersecurity measures to mitigate the risks on these enforcement points.

2.2 SECURING LTE HOSTING PLATFORMS

The LTE hosting platform contains the core elements that handle the LTE service. These elements are involved in the different logical planes defined by 3GPP: the Management, Control and Data/User logical planes. To guarantee the appropriate level of security for the hosting platform, the security solution must achieve the following objectives:

• Significantly reduce the attack surface by minimising the points of exposure to external networks,

• Implement the “defence-in-depth” principle as per best practice in terms of multi-tier domain implementation,

• Protect sensitive information: the EPC infrastructure hosts information whose disclosure may compromise organisations’ and users’ privacy,

• Clearly segregate security planes by using dedicated network interfaces (physical or logical) to ensure that different network planes are used for management, signalling and data connectivity.

The purpose of the security design is to protect the critical assets by preventing unfiltered access from an element belonging to the same logical plane. Therefore, in addition to logical plane segregation relying on VPNs (for example using VPRN, Virtual Private Routing Network), a secured EPC infrastructure must be organised in “security tiers” orthogonal to the 3GPP logical planes. Each tier responds to specific security requirements. Identifying the tiers helps segregate the network equipment according to its function and the information it handles:

• The Presentation tier applies the security requirements at the perimeter of the EPC, exposed to external or untrusted networks.

• The Core tier provides the security requirements for the core network components inside the border (e.g. a PGW).

• The Data tier provides the security requirements concerning the access, privacy and confidentiality of sensitive data (e.g. the HSS).

• The Mediation tier provides the security requirements for exchanges with trusted networks.

Traffic segregation ensures that communications only occur between network components that need them and, conversely, denies communications between components that have no such need. Stateful firewalls must be used to ensure the required level of segregation between networks while permitting the required level of connectivity. In addition to the filtering function, an Intrusion Detection and Prevention function (IDS/IPS) should be enabled on the OAM logical plane as a detective and corrective defence mechanism against both network- and application-targeted attacks. Those systems work at the network layer by inspecting network traffic, and keep systems protected from attacks against vulnerable services, data manipulation attacks on applications, privilege escalation on hosts, multiple failed unauthorised logins, and even access to sensitive data. This is extremely important in locations where an attack can lead to anything from a service outage to the actual loss of sensitive data.


2.3 SECURING INTERFACES TO BACKBONE NETWORKS

Specifically in the PMR context, the protection of the interfaces to external public networks shall be considered. To this end, the Thales cyber-secured PMR network solution includes dedicated security functions to protect the LTE infrastructure by:

• Mitigating threat impacts by reducing the exposure to external networks,

• Providing stateful filtering for session control and guaranteeing traffic is not malicious,

• Filtering traffic to prevent incoming connection attempts.

These security functions are handled by a specific carrier-grade UTM (Unified Threat Management) appliance providing traffic firewalling as well as intrusion detection functions. In addition to the pure security features, the UTM’s data plane security functions provide logging that supplies relevant network activity information in case of investigation.

2.4 SECURING PEERING WITH ROAMING PARTNERS

4G/LTE PMR networks will most probably be interconnected with other 4G/LTE networks, either with commercial operators for improved coverage and capacity and/or with other dedicated 4G/LTE PMR networks of other PMR organisations. 3GPP defines dedicated interfaces to manage roaming between several networks; these interfaces are based on Diameter over SCTP for the Control plane (LTE interfaces S6a/S9) and GTP for the User plane (LTE interface S8). These interfaces are potential open doors to the external networks. The role of the security infrastructure is to guarantee that these interfaces cannot degrade the security level of the home LTE infrastructure.

The secured-by-design 4G/LTE PMR architecture complements the specific Diameter control functions handled at DEA/DRA level by inspecting the SCTP streams. This approach guarantees protection from the network level up to the application level. The User plane must also be considered to complete the security of the PMR core infrastructure: the GTP protocol was not designed with security functions in mind. For this purpose the security solution shall support specific functions to protect the PMR core network from malformed or forged GTP traffic. That includes checking consistency with the 3GPP standards as well as inspecting the GTP packets prior to processing by the gateways.
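The GTP inspection this section calls for, shown as an added example that is not Thales code: it parses the GTPv1-U header carried on S8 and S1-U (3GPP TS 29.281) and rejects datagrams whose version, flags, message type, length field, extension-header chain or TEID are inconsistent with the standard, before a gateway would process them. The sample datagrams and the rejection labels are constructed for this illustration; the field layout, message types and the rule that signalling messages carry TEID 0 are the standard's.

```python
"""GTPv1-U header consistency check for S8/S1-U user-plane traffic.

Added example, not Thales code: parses the GTPv1-U header (3GPP TS 29.281) and
rejects datagrams that are malformed or inconsistent with the standard before a
gateway would process them. Sample datagrams and rejection labels are constructed.
"""
import struct
from typing import Dict, Optional, Tuple

# GTPv1-U message types defined for the user plane (TS 29.281, table 6.1-1)
GTPU_MESSAGE_TYPES: Dict[int, str] = {
    1: "Echo Request", 2: "Echo Response", 26: "Error Indication",
    31: "Supported Extension Headers Notification", 254: "End Marker", 255: "G-PDU",
}
SIGNALLING_TYPES = {1, 2, 26, 31}   # these always carry TEID 0
MANDATORY_HEADER_LEN = 8            # flags, message type, length, TEID


def inspect_gtpu(datagram: bytes) -> Tuple[bool, str, Optional[Dict[str, int]]]:
    """Validate one GTPv1-U datagram; returns (accepted, reason, parsed header)."""
    if len(datagram) < MANDATORY_HEADER_LEN:
        return False, "truncated-header", None
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:MANDATORY_HEADER_LEN])
    version = flags >> 5
    if version != 1:                       # only GTPv1 is valid on the user plane
        return False, f"unsupported-version:{version}", None
    if not flags & 0x10:                   # PT=0 would be GTP' (charging), never on S8/S1-U
        return False, "protocol-type-not-gtp", None
    if flags & 0x08:                       # reserved bit shall be zero
        return False, "reserved-bit-set", None
    if msg_type not in GTPU_MESSAGE_TYPES:
        return False, f"unknown-message-type:{msg_type}", None
    # Length counts every octet after the mandatory 8-octet header, optional fields
    # included; a forged value is what makes a gateway over- or under-read the payload
    actual = len(datagram) - MANDATORY_HEADER_LEN
    if length != actual:
        return False, f"length-mismatch:field={length},actual={actual}", None
    # If any of the E, S or PN flags is set, all three optional fields (4 octets) are present
    offset = MANDATORY_HEADER_LEN + (4 if flags & 0x07 else 0)
    if len(datagram) < offset:
        return False, "truncated-optional-fields", None
    if flags & 0x04:                       # E flag: walk the extension-header chain to its end
        next_type = datagram[MANDATORY_HEADER_LEN + 3]
        while next_type != 0:
            if offset >= len(datagram):
                return False, "truncated-extension-header", None
            ext_len = datagram[offset] * 4  # first octet = header length in 4-octet units
            if ext_len == 0 or offset + ext_len > len(datagram):
                return False, "bad-extension-header-length", None
            next_type = datagram[offset + ext_len - 1]
            offset += ext_len
    # Signalling messages carry TEID 0; a G-PDU must address a real tunnel
    if msg_type in SIGNALLING_TYPES and teid != 0:
        return False, "nonzero-teid-on-signalling", None
    if msg_type == 255 and teid == 0:
        return False, "gpdu-with-zero-teid", None
    parsed = {"version": version, "message_type": msg_type, "teid": teid,
              "payload_len": len(datagram) - offset}
    return True, GTPU_MESSAGE_TYPES[msg_type], parsed


def build_gtpu(flags: int, msg_type: int, teid: int,
               payload: bytes = b"", optional: bytes = b"") -> bytes:
    """Assemble a GTPv1-U datagram with a correct Length field (test-data helper)."""
    header = struct.pack("!BBHI", flags, msg_type, len(optional) + len(payload), teid)
    return header + optional + payload


# Constructed sample traffic, as it might arrive on S8 from a roaming partner
SAMPLES: Dict[str, bytes] = {
    "gpdu-ok": build_gtpu(0x30, 255, 0x1234, payload=bytes(20)),
    # E flag set: seq/N-PDU/next-type, then one 4-octet extension header ending the chain
    "gpdu-with-ext": build_gtpu(0x34, 255, 0x1234, payload=bytes(20),
                                optional=b"\x00\x00\x00\xc0" + b"\x01\x00\x07\x00"),
    "echo-ok": build_gtpu(0x32, 1, 0, optional=b"\x00\x01\x00\x00"),
    "echo-forged-teid": build_gtpu(0x32, 1, 0xDEAD, optional=b"\x00\x01\x00\x00"),
    # Length field claims 100 octets of payload while only 20 follow the header
    "length-forged": bytes([0x30, 255, 0x00, 0x64]) + struct.pack("!I", 0x1234) + bytes(20),
    "gtpv2-on-user-plane": build_gtpu(0x48, 32, 0, payload=bytes(8)),
    "unknown-type": build_gtpu(0x30, 99, 0x1234, payload=bytes(4)),
}


def inspect_samples() -> Dict[str, str]:
    """Run every constructed sample through the check; returns name -> verdict reason."""
    return {name: inspect_gtpu(pkt)[1] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in inspect_samples().items():
        print(f"{name:22s} -> {reason}")
```

The check deliberately stops at header consistency: it does not look into the encapsulated IP packet, and it does not decide whether a TEID belongs to an established tunnel, which is the stateful part a SecGW or GTP firewall adds on top of this.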

Figure 4 - Traffic segregation and defence in depth principles (diagram: the Presentation, Core, Data and Mediation security tiers drawn across the User plane, Control plane and Management plane; elements shown are eNodeB, SecGW, SGW, PGW, MME, DRA, PCRF, HSS and Charging; traffic types shown are end-to-end user traffic (data), control traffic (SIG), mediation traffic (SIG) and management traffic (OAM), with a dedicated management segment per tier (Pres Mgmt, Core Mgmt, Data Mgmt, Med Mgmt); each tier carries a criticality rating of MEDIUM, MAJOR or HIGH; one firewall instance per logical plane filters traffic and generates security logs)


2.5 THALES SECURITY DESIGN IMPLEMENTATION

In order to provide “defence-in-depth” protection, firewalls are positioned at the heart of the infrastructure to validate the flows between security tiers as per the traffic matrix and to ensure the content of the packets does not embed malicious applicative information that would cause unexpected effects on the core elements. For this purpose, the Thales security solution leverages the virtualisation capabilities offered by the UTM (Unified Threat Management) appliance, where dedicated virtual firewalling instances filter traffic per security tier (Presentation, Core, Data, Mediation) in each logical plane, in order to guarantee strong segregation between core elements. As depicted in the diagram below, five firewalling instances are deployed.

Figure 5 - Security Solution Architecture (diagram: the security tiers of figure 4, with the eNB/backhaul, the Internet, the PMR application function and the roaming partner infrastructure (MME, P/SGW, PCRF) around the core (SecGW, MME, DRA/DEA, SGW, PGW, PCRF, HSS, Charging, NMS); the five firewall instances are placed as follows)

• ROAMING CTRL plane firewall instance + IPsec termination (S6a/S9)
• ROAMING USER plane firewall instance + IPsec termination (S8)
• MGMT plane firewall instance + IPS
• CTRL plane firewall instance
• Firewall instance on the SGi interface

Assumption stated in the figure: the SecGW supports GTP inspection and SCTP firewalling.


Management plane firewall instance

• Zoning of the OAM plane to prevent unauthorised traffic between assets belonging to different tiers

• Network activity log (denied rules) for reporting

• Intrusion Prevention System to prevent attacks using management protocols

CTRL plane firewall instance

• Zoning of the Control plane to prevent unauthorised traffic between assets belonging to different tiers, in order to protect critical assets (HSS, PCRF, OCS/OFCS)

• SCTP traffic firewalling

• Network activity log (denied rules) for reporting

USER plane firewall instance

• Exposure reduction to external networks with restriction of network services (Internet, application networks):
— to ensure only internally initiated connection requests, protecting the UE,
— to prevent incoming connection requests, thereby protecting the Evolved Packet Core from backbone attack attempts

• Network activity log (denied rules) for reporting

ROAMING CTRL plane firewall instance

• SCTP traffic firewalling

• Roaming peer authentication (using IPsec)

• Network activity log (denied rules) for reporting

• Encryption of Control traffic exchanged with roaming partners (S6a and S9 traffic)

ROAMING USER plane firewall instance

• Exposure reduction to the roaming partner infrastructure with restriction of network services

• GTP inspection (S8 traffic)

• Peer authentication (using IPsec)

• Encryption of User traffic exchanged with roaming partners (S8 traffic)

• Network activity log (denied rules) for reporting

Log collectors

• Dedicated log collector servers that aggregate the security log information generated by the security appliances, providing an efficient central point in case of investigation.

These virtual instances are hosted in one or more clusters of carrier-grade firewall appliances, or on virtual machines as per dimensioning requirements, simplifying network design and deployment and ensuring a carrier-grade level of availability.
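The zoning logic of sections 2.2 and 2.5, as an added example that is not Thales code: one firewall instance per 3GPP logical plane evaluates every flow against an explicit traffic matrix keyed on the source and destination security tiers, denies anything not in the matrix (including flows between elements of the same plane), and records each denied flow as the "network activity log (denied rules)" the paper has every instance produce. The element-to-tier assignments and the matrix are assumptions chosen for the illustration; the port numbers are the standard ones for S1-MME, Diameter, GTP-C, GTP-U, SSH and syslog.

```python
"""Per-plane firewall zoning between EPC security tiers.

Added example, not Thales code. Elements are assigned to a security tier
(Presentation, Core, Data, Mediation); a firewall instance per logical plane
(MGMT, CTRL, USER) allows only flows listed in the traffic matrix, denies by
default and logs every denied flow. Tier assignments and the matrix are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Element -> security tier (assumed assignment, in the spirit of figure 4)
TIER: Dict[str, str] = {
    "SecGW": "Presentation", "DRA": "Presentation", "PGW": "Presentation",
    "SGW": "Core", "MME": "Core", "PCRF": "Core",
    "HSS": "Data", "Charging": "Data",
    "NMS": "Mediation", "LogCollector": "Mediation",
}

# Traffic matrix: (plane, src_tier, dst_tier, proto, dst_port) -> rule name.
# Anything not listed is denied by the plane's firewall instance.
TRAFFIC_MATRIX: Dict[Tuple[str, str, str, str, int], str] = {
    ("CTRL", "Presentation", "Core", "sctp", 36412): "s1-mme-sctp",   # SecGW -> MME
    ("CTRL", "Core", "Data", "sctp", 3868): "s6a-diameter",            # MME -> HSS
    ("CTRL", "Core", "Core", "udp", 2123): "s11-gtpc",                  # MME -> SGW
    ("USER", "Presentation", "Core", "udp", 2152): "s1u-gtpu",          # SecGW -> SGW
    ("USER", "Core", "Presentation", "udp", 2152): "s5-gtpu",           # SGW -> PGW
    ("MGMT", "Mediation", "Presentation", "tcp", 22): "oam-ssh",        # NMS -> elements
    ("MGMT", "Mediation", "Core", "tcp", 22): "oam-ssh",
    ("MGMT", "Mediation", "Data", "tcp", 22): "oam-ssh",
    ("MGMT", "Core", "Mediation", "udp", 514): "syslog-to-collector",
}


@dataclass
class Flow:
    plane: str      # "MGMT", "CTRL" or "USER"
    src: str
    dst: str
    proto: str
    dst_port: int


@dataclass
class PlaneFirewall:
    """One virtual firewall instance; it only ever sees flows of its own plane."""
    plane: str
    denied_log: List[str] = field(default_factory=list)

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        if flow.plane != self.plane:
            raise ValueError(f"{self.plane} instance received a {flow.plane} plane flow")
        try:
            src_tier, dst_tier = TIER[flow.src], TIER[flow.dst]
        except KeyError as missing:
            # An element with no tier can never match the matrix: deny and log it
            self._log(flow, f"unknown-element:{missing.args[0]}")
            return "DENY", "unknown-element"
        rule = TRAFFIC_MATRIX.get((flow.plane, src_tier, dst_tier, flow.proto, flow.dst_port))
        if rule is None:
            self._log(flow, "default-deny")
            return "DENY", "default-deny"
        return "ALLOW", rule

    def _log(self, flow: Flow, rule: str) -> None:
        self.denied_log.append(
            f"fw={self.plane} action=deny rule={rule} src={flow.src} dst={flow.dst} "
            f"proto={flow.proto} dport={flow.dst_port}")


FIREWALLS: Dict[str, PlaneFirewall] = {p: PlaneFirewall(p) for p in ("MGMT", "CTRL", "USER")}


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Dispatch a flow to the firewall instance of its plane."""
    if flow.plane not in FIREWALLS:
        raise ValueError(f"no firewall instance for plane {flow.plane}")
    return FIREWALLS[flow.plane].evaluate(flow)


def denied_report() -> List[str]:
    """Aggregate the denied-rule logs of all instances, as a log collector would."""
    return [line for fw in FIREWALLS.values() for line in fw.denied_log]


if __name__ == "__main__":
    # Constructed flows: two legitimate ones, then a Presentation-tier element
    # reaching for the HSS directly on the control plane, which the matrix never allows
    for f in (Flow("CTRL", "MME", "HSS", "sctp", 3868),
              Flow("USER", "SecGW", "SGW", "udp", 2152),
              Flow("CTRL", "SecGW", "HSS", "sctp", 3868)):
        print(f.src, "->", f.dst, evaluate(f))
    print("\n".join(denied_report()))
```

Every flow that is not an explicit matrix entry is denied, so reaching the Data tier from the perimeter on any plane needs a deliberate rule, and the denied log is what section 4.1's policy-deviation monitoring would correlate.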


3. PROTECTING AGAINST DDOS ATTACKS

Since the early 2010s, Distributed Denial of Service (DDoS) attacks have increased exponentially and have become the #1 most costly cybersecurity threat for the online industry [1], with the public sector constantly being one of the top three targets along with Finance and Telecommunications Service Providers. Providing dedicated detection and mitigation techniques against DDoS is therefore critical to guarantee the availability of 4G/LTE PMR networks against these types of attacks.

3.1 DDOS ATTACK TRENDS

DDoS attacks can be:

• Volumetric attacks, which attempt to consume the available network bandwidth,

• Protocol attacks, which go after the connection state tables of network and security equipment such as routers, switches, load balancers, firewalls or IPS/IDS,

• Application-layer attacks, which target implementation aspects of an application or service at Layer 7.

Volumetric attacks regularly hit the headlines, with volumes now reaching several hundreds of Gbps. Yet this volume increase also hides another, less visible trend, which is an increase in sophistication, with the majority of attacks now being multi-vector, combining volumetric, protocol and application-layer attacks in a single, coordinated campaign. As illustrated in the figure below [2], governments are - and have always been - amongst the highest-risk targets when it comes to DDoS attacks. In 2015, government services were targeted and threatened through various campaigns of both “hacktivists” and terror groups responding to the political climate. Attacks on government sites are not, however, always politically motivated; many attacks are launched so that attackers improve their “reputation” and/or publicly shame government sites for lacking “adequate security.”
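An added example (not Radware's or Thales's detection logic) of how the three attack classes listed above can be told apart in monitoring data, and how a multi-vector campaign shows up as several labels on the same window: flow records are aggregated per second, a baseline is learned from an attack-free period, and each later window is labelled volumetric (bit rate far above baseline), protocol (SYNs that never complete a handshake) and/or application-layer (Layer 7 request rate far above baseline). The records, field names, thresholds and addresses are constructed for the illustration.

```python
"""Multi-vector DDoS classification over constructed flow records.

Added example, not vendor detection logic. Aggregates flow records into
one-second windows, learns a baseline from an attack-free period, then labels
each later window with the attack vectors it exhibits. Records, thresholds and
field names are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FlowRecord:
    ts: int                 # epoch second the record falls in
    src: str
    proto: str              # "tcp" or "udp"
    tcp_flags: str          # "S" = bare SYN, "SA"/"A" = handshake progressed, "" for udp
    bytes: int
    http_requests: int = 0  # Layer 7 requests seen in this flow (0 if not HTTP)


METRICS = ("bits", "syns", "established", "http")


def aggregate(records: List[FlowRecord]) -> Dict[int, Dict[str, int]]:
    """Per-second totals: bits on the wire, bare SYNs, progressed handshakes, L7 requests."""
    windows: Dict[int, Dict[str, int]] = defaultdict(lambda: {m: 0 for m in METRICS})
    for r in records:
        w = windows[r.ts]
        w["bits"] += r.bytes * 8
        if r.proto == "tcp":
            if r.tcp_flags == "S":
                w["syns"] += 1
            elif "A" in r.tcp_flags:
                w["established"] += 1
        w["http"] += r.http_requests
    return dict(windows)


def learn_baseline(windows: Dict[int, Dict[str, int]], training_windows: int) -> Dict[str, int]:
    """Peak of each metric over the first training_windows seconds (assumed attack-free)."""
    training = sorted(windows)[:training_windows]
    return {m: max(windows[t][m] for t in training) for m in METRICS}


def classify(window: Dict[str, int], baseline: Dict[str, int], factor: int = 10) -> List[str]:
    """Label one window with every attack vector it exhibits (empty list = normal)."""
    vectors = []
    if window["bits"] > factor * baseline["bits"]:
        vectors.append("volumetric")
    # Protocol attack: SYN rate far above baseline and few of them ever progress
    if (window["syns"] > factor * max(baseline["syns"], 1)
            and window["syns"] > 5 * (window["established"] + 1)):
        vectors.append("protocol")
    if window["http"] > factor * max(baseline["http"], 1):
        vectors.append("application-layer")
    return vectors


def is_multi_vector(vectors: List[str]) -> bool:
    return len(vectors) >= 2


def detect(records: List[FlowRecord], training_windows: int = 5) -> Dict[int, List[str]]:
    """Learn the baseline from the first windows, classify every window after them."""
    windows = aggregate(records)
    baseline = learn_baseline(windows, training_windows)
    return {t: classify(windows[t], baseline) for t in sorted(windows)[training_windows:]}


def constructed_records() -> List[FlowRecord]:
    """Constructed traffic: 5 s of normal browsing, then three attack windows, then normal."""
    recs: List[FlowRecord] = []
    for ts in (0, 1, 2, 3, 4, 8):                       # normal: three users, two requests each
        recs += [FlowRecord(ts, f"10.0.0.{i}", "tcp", "SA", 1500, http_requests=2) for i in (1, 2, 3)]
    flood = lambda ts: [FlowRecord(ts, f"198.51.100.{i}", "udp", "", 2_000_000) for i in (1, 2, 3, 4)]
    syn_flood = lambda ts: [FlowRecord(ts, f"203.0.113.{i % 250}", "tcp", "S", 60) for i in range(500)]
    l7_flood = lambda ts: [FlowRecord(ts, f"192.0.2.{i}", "tcp", "SA", 400, http_requests=20) for i in range(1, 51)]
    recs += flood(5)                                    # ts=5: volumetric only
    recs += syn_flood(6)                                # ts=6: protocol only (240 kbit/s, no handshakes)
    recs += flood(7) + syn_flood(7) + l7_flood(7)       # ts=7: all three vectors at once
    return recs


if __name__ == "__main__":
    for ts, vectors in detect(constructed_records()).items():
        tag = " (multi-vector)" if is_multi_vector(vectors) else ""
        print(f"t={ts}: {vectors or 'normal'}{tag}")
```

The point of the separate labels is operational: the volumetric label is what the paper's cloud layer is for, while the protocol and application-layer labels are the on-premise layer's job, so a window carrying both is exactly the case the hybrid architecture in the next section is built around.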

Mobile operators, on the other hand, are still considered medium-risk targets. Yet, in 2015, 68% of mobile operators declared they had observed DDoS attacks targeting their mobile users or infrastructure, compared to only 36% in 2014 [3]. The expansion of LTE network technology and smartphone usage is responsible for this escalation of attacks. 4G/LTE PMR networks should therefore anticipate similar risks and trends.

Figure 6 - Radware DDoS ring of fire (diagram of DDoS risk levels by sector, from the Radware report cited below)

[1] Source: Ponemon Institute, Cost of Cyber Crime Studies, 2012 to 2015
[2] Source: Radware Global Application & Network Security Report 2015-2016
[3] Source: Arbor Worldwide Infrastructure Security Report 2015


3.2 A HYBRID DDOS PROTECTION ARCHITECTURE

An anti-DDoS solution must protect critical networks and service infrastructures from a multi-faceted DDoS threat. This can be achieved thanks to “defence-in-depth” principles combining two layers of protection via a hybrid approach:

• On-premise protection provides always-on protection of applications, services and core network infrastructure against protocol and application-layer attacks,

• Cloud protection provides on-demand protection against volumetric attacks that may saturate the Internet pipe.

The Thales cybersecurity solution implements this hybrid approach based on Radware DDoS protection technology, which provides unique capabilities to detect and mitigate attacks within seconds, including zero-day attacks for which no signature is available.

DDoS protection is primarily deployed at Internet peering sites, as well as with peering partners, hence protecting both the core network infrastructure and critical services (e.g. DNS) from Internet-generated attacks, which today represent the majority of attacks. Additional protection may be considered on the interconnection points with the backhaul network, in order to detect and mitigate potential attacks originating both from backhaul networks operated by third parties and from end-user terminals behind the RAN.

Regarding this latter risk, the protection strategy will be highly dependent on the policy related to the supply and management of end-user devices (e.g. consumer smartphones vs. purpose-built terminals) and operating system (e.g. Android OS with a security stack vs. a closed OS with dedicated applications).

Figure 7 - hybrid anti-DDoS solution architecture (diagram: the security-tier architecture of figure 5 with 24x7 DDoS attack monitoring and mitigation, and anti-DDoS protection placed on the interfaces to public and external networks, the roaming interfaces, the RAN interfaces and the applications network)


4. KEEPING PACE WITH CYBER THREATS

4.1 CyBER SECURITy OPERATIONS

In order to ensure that the security mechanisms described above are effective and efficient (and consequently that the 4G/LTE PMR services are always available to mission-critical users), it is recommended to deploy a centralised capability to monitor threats on a 24x7 basis and measure compliance with the security policy over time.

A CSOC (Cybersecurity Operations Centre) solution provides a centralised approach to controlling in real time the security posture of the core infrastructure. It detects, alerts and reports on threats, vulnerabilities and potential attacks or misbehaviours across the entire information system. Two options can be considered: as Managed Security Services, fully outsourced, or hosted in the customer’s environment.

Figure 8 - Thales Managed Security Services (MSS) complete portfolio (diagram; the portfolio is presented under the headings Anticipate, Detect & Respond and Comply and lists: Threat Intelligence; Security Policy Deviation Control; Vulnerability Management; Log Management; Security Operations incl. anti-DDoS, sandboxing, etc.; Risk Management; Detect and Analyse: real-time incident detection and management support; Investigate: log analysis, forensics and malware analysis, on-site investigation; Manage Crisis: crisis management, rapid response team)


Proactive Threat Management

The proactive threat management function proactively assesses vulnerabilities on the assets in order to detect impacted systems and zero-day threats. This provides tools to automatically schedule and control the active or passive scans feeding the asset database. Dashboards and reports provide KPIs, detailed results and remediation information to support our customers action plan.

Real Time Attack Detection and Security Policy Deviation Monitoring

Whatever the infrastructure size and the geographical constraints, the solution collects, aggregates and correlates security events and flows to detect any suspicious or non-compliant activity in a massive amount of security information. This includes:

• Support for ongoing compliance and security policy deviation control through network flow and log analysis. Specific rules are built to trigger the right level of events,

• Detection of unauthorised user behaviours and configuration issues, with immediate reporting through generic or user-built dashboards and reports.

Regulatory Compliance and Forensic Support

Regulatory compliance and forensic support functions store massive amounts of security-related information in usable, lawfully compliant formats and support legal and technical in-depth security investigations through forensics tools.

Threat prevention

Visibility and anticipation: the intelligence on cyber-threats

Backed by the services of the CERT-IST – which Thales operates as a member of FIRST – and the findings of its CSOC, Thales delivers qualified threat intelligence services that are customised to each customer’s context: e-reputation, indicators of compromise (IOC), threat and vulnerability evolutions.

Risk mitigation: the management of vulnerabilities

By integrating cyber-threat intelligence data into its CSOC monitoring process, Thales helps better qualify incidents according to the level of exposure.

Ensure compliance

Thales services are designed to respond to the strongest requirements, including for Critical Infrastructure Providers. The aim is to be able to bring the right information at the right time to take the most relevant and appropriate decisions.

In managed security services, Thales monitors the security of information systems, delivers contextualized information on new threats, and provides our customers the expertise required to quickly solve their incidents. Moreover, Thales delivers the right degree of visibility on risks, security status and business impacts.

4.2 ANTI-DDOS OPERATIONS

The Thales CSOC ensures 24x7x365 operation of the anti-DDoS solution with the following services:

• DDoS threat intelligence to maintain an up-to-date view of the DDoS threats relevant to the mission-critical organisation,

• DDoS attack monitoring to ensure 24x7 monitoring and first-level analysis and qualification of DDoS alerts in interaction with the mission-critical organisation,

• DDoS attack mitigation to launch and follow up mitigation in cooperation with the mission-critical organisation’s security team, including real-time analysis and adaptation of countermeasures to changing attack vectors,

• DDoS attack reporting to provide monthly reporting on traffic and DDoS attack trends and individual reporting on past attacks, including post-mortem analysis and recommendations to improve DDoS protection,

• DDoS protection change management to manage ongoing changes through a structured change management process, and ensure continuous adaptation to the ever-changing customer network and threat landscape.


5. CONCLUSION

The evolution from legacy PMR networks to 4G/LTE networks leads to new paradigms in terms of cybersecurity. Open standards and IP-based approaches expose 4G/LTE PMR networks to potential cyber-attacks that can lead to service outages, data theft and compromised data for mission-critical organisations. Taking strict measures to cyber-protect 4G/LTE PMR networks is critical.

To this end, Thales has defined a cybersecurity approach that protects the services offered by the 4G/LTE PMR infrastructure and the critical data hosted in the infrastructure, including both control information and the users’ database. The Thales cybersecurity solution is:

Modular: the security design is adapted to a specific context as per our customer’s environment and requirements,

Scalable: a security design based on distributed firewall instances can scale up as per throughput requirements.

In addition to a security architecture based on best-of-breed firewalling and anti-DDoS devices, Thales’s LTE cybersecurity solution proposes advanced managed security services for security monitoring. Thales is the only company on the market proposing a global security approach based on network infrastructure protection at the build phase as well as risk prevention, threat detection, mitigation management and compliance reporting via 24x7 real-time security monitoring. Managed security services are complemented with crisis management and remediation services.

The Managed Security Services offered by Thales leverage the Computer Emergency Response Team – Industry, Services and Tertiary (CERT-IST), providing operators and mission-critical organisations with a knowledge base, alerts and incident response, from a simple vulnerability in a network to major computer attacks.

In conclusion, our customers benefit from Thales’s cybersecurity expertise to:

Dramatically reduce the risk of impact in case of cyber-attacks,

Anticipate and pre-empt cybersecurity risks with an acute visibility to detect weaknesses,

Meet stringent regulatory requirements to protect against cyber-attacks,

Deliver secure mission-critical services continuity with a greater level of end-user confidence in the 4G/LTE PMR network,

Conserve a trusted reputation by delivering a more secure service.

Thales leverages its fully field-tested methodologies and techniques based on 20 years of experience in the deployment and operation of cybersecurity services.


GLOSSARY

3GPP Third Generation Partnership Program
CERT-IST Computer Emergency Response Team - Industry, Services and Tertiary
CSOC Cyber Security Operations Centres
DDoS Distributed Denial of Service
DNS Domain Name Server
EPC Evolved Packet Core
FIRST Forum of Incident Response and Security Teams
GTP GPRS Tunnelling Protocol
HSS Home Subscriber Server
IDS Intrusion Detection System
IP Internet Protocol
IPS Intrusion Prevention System
LTE Long Term Evolution
MME Mobility Management Entity
MVNO Mobile Virtual Network Operator
NTP Network Timing Protocol
OCS Online Charging System
OFCS Offline Charging System
PCRF Policy Control and Rating Function
PGW Packet Data Network Gateway
PMR Private Mobile Radio
SCTP Stream Control Transmission Protocol
SGW Serving Gateway
S-MVNO Secured-MVNO
VPN Virtual Private Network
VPRN Virtual Private Routing Network


11/2015 - © Thales 2015 - Credits: Thales, Shutterstock

Thales Optronique SAS, 2 Avenue Gay-Lussac - CS 90502 - 78995 Élancourt Cedex, France. Tel: +33 (0)1 30 96 70 00. www.thalesgroup.com


06/2016

Thales Communications & Security, 4 avenue des Louvresses - 92230 Gennevilliers, France. Tel: +33 (0)1 41 30 30 00. www.thalesgroup.com