‘small cells’ and the city
DESCRIPTION
My presentation from the Small Cells Global Congress #smallcellsgc, 31st Oct. 2012.TRANSCRIPT
‘Small Cells’ and the City Form factors, deployment and Security aspects
Zahid Ghadialy
Managing Director, eXplanoTech
3g4g.blogspot.com 31/10/2012
Briefly about eXplanoTech
Non-Confidential © eXplanoTech Ltd.
2
Technical Consulting • Requirement Analysis • Project Management • Architecture and Specification • Design, Implementation, Integration &
Deployment • Testing Services (inc. IOT, CAT, Conformance, Field) • Maintenance
Trainings • Technology trainings • Product trainings • Process trainings • Executive trainings • Trainings on integrating cultural aspects in work
Resourcing and Recruitment • Talent acquisition • Executive head hunt • Resourcing of projects • Managed Services • Technology and Business Intelligence domains
The ‘Promised land’
Informa Telecoms & Media expects the small market to experience significant growth over the next few years, reaching 91.9 million small cells by 2016 - Small Cell Market Status, June 2012 via Small Cell Forum
Non-Confidential © eXplanoTech Ltd.
3
Non-Confidential © eXplanoTech Ltd.
4
Picture Source: Small Cells, Femtocells and the LTE Business Model - P. Jarich, Service Director, Current Analysis
I think we should have 3 categories to differentiate the cells: Closed Residential Femtocells, Small Cells and Macro cells
Non-Confidential © eXplanoTech Ltd.
5
Source: Small Cells, Femtocells and the LTE Business Model - P. Jarich, Service Director, Current Analysis
Small Cell Form factors and Deployment
Non-Confidential © eXplanoTech Ltd.
6
Case Study of Telefonica UK (O2), WiFi deployment in London, in time for Olympics, July 2012
6 months to deploy the small cells (WiFi AP’s) – to finish by July 2012
Exhibition road deployment (shown later) – 9 metrocells providing 1Gbps/sq km
400 different planning applications had to be submitted for deploying these small cells on the lamp posts
Backhaul is fibre for one AP and 5GHz WiFi as a backhaul for other AP’s
The Access Points (AP’s) had to be coloured black in some cases to get council approval
3G Metrocells will be deployed by end of 2012 on the same sites as WiFi AP’s.
Non-Confidential © eXplanoTech Ltd.
7
Non-Confidential © eXplanoTech Ltd.
8 Source: Telefonica UK's LTE & Small Cell Trials - Robert Joyce, Chief Radio Engineer, TFUK
Non-Confidential © eXplanoTech Ltd.
9
Source: Telefonica UK's LTE & Small Cell Trials - Robert Joyce, Chief Radio Engineer, TFUK
Non-Confidential © eXplanoTech Ltd.
10
Source: Delivery of Wi-Fi / 3G small cells network into London - Steve Brown, New Technology Trials Manager, TFUK
Non-Confidential © eXplanoTech Ltd.
11 Source: Delivery of Wi-Fi / 3G small cells network into London - Steve Brown, New Technology Trials Manager, TFUK
Non-Confidential © eXplanoTech Ltd.
12
Alcatel-Lucent lightRadio Metro Cell
Source: Alcatel-Lucent
Non-Confidential © eXplanoTech Ltd.
13
Source: Delivery of Wi-Fi / 3G small cells network into London - Steve Brown, New Technology Trials Manager, TFUK
‘Small cells’ deployment challenges
Site Acquisition Location, Planning permission, Rent, Bullet proof, Environment
(wind, ice)
Power Power source should be available 24/7. Deployment on light poles
can have a problem if power switched off centrally
Performance
Backhaul
Health concerns
Visual appearance
Opex.
Based on the discussion in ‘Operator Mindshare session’ on 29/10/2012
Non-Confidential © eXplanoTech Ltd.
14
Non-Confidential © eXplanoTech Ltd.
15 Source: Delivery of Wi-Fi / 3G small cells network into London - Steve Brown, New Technology Trials Manager, TFUK
Small Cell site security
Non-Confidential © eXplanoTech Ltd.
16
Small Cells Threat Analysis - 1
1) Compromise of H(e)NB authentication token by a brute force attack via a weak authentication algorithm.
2) Compromise of H(e)NB authentication token by local physical intrusion.
3) Inserting valid authentication token into a manipulated H(e)NB.
4) User cloning the H(e)NB authentication Token.
5) Man-in-the-middle attacks on H(e)NB first network access.
6) Booting H(e)NB with fraudulent software (“re-flashing”).
7) Fraudulent software update / configuration changes.
8) Physical tampering with H(e)NB.
9) Eavesdropping of the other user’s UTRAN or E-UTRAN user data.
10) Masquerade as other users.
11) Changing of the H(e)NB location without reporting.
12) Software simulation of H(e)NB.
13) Traffic tunnelling between H(e)NBs.
14) Misconfiguration of the firewall in the modem/router.
15) Denial of service attacks against H(e)NB.
16) Denial of service attacks against core network.
17) Compromise of an H(e)NB by exploiting weaknesses of active network services
18) User’s network ID revealed to H(e)NodeB owner
19) Mis-configuration of H(e)NB
20) Mis-configuration of access control list (ACL) or compromise of the access control list
21) Radio resource management tampering
22) Masquerade as a valid H(e)NB
23) Provide radio access service over a CSG
24) H(e)NB announcing incorrect location to the network
25) Manipulation of external time source
26) Environmental/side channel attacks against H(e)NB
27) Attack on OAM and its traffic
28) Threat of H(e)NB connectivity to network access
29) Handover to CSG H(e)NB.
Non-Confidential © eXplanoTech Ltd.
17
Source: 3GPP TR 33.820: Technical Specification Group Service and System Aspects; Security of H(e)NB
Small Cells Threat Analysis - 2
The above threat maybe grouped together as the following:
Compromise of H(e)NB Credentials
1, 2, 4
Physical attacks on a H(e)NB 3, 6, 8, 26
Configuration attacks on a H(e)NB 7, 19, 20
Protocol attacks on a H(e)NB 5, 15, 17, 25, 27, 28
Attacks on the core network, including H(e)NB location-based attacks 11, 12, 13, 14, 16, 24
User Data and identity privacy attacks 9, 10, 18, 22, 23
Attacks on Radio resources and management 21
Non-Confidential © eXplanoTech Ltd.
18
Small Cells Basic Security Issues
Non-Confidential © eXplanoTech Ltd.
19 Source: Securing Femtocell Networks - Natasha Tamaskar, VP, Product Marketing, GENBAND
Small Cells Basic Security Issues IPsec and Security Gateway
Non-Confidential © eXplanoTech Ltd.
20
Source: Securing Femtocell Networks - Natasha Tamaskar, VP, Product Marketing, GENBAND
HSPA HNB and LTE HeNB Architecture
Non-Confidential © eXplanoTech Ltd.
21
Core Networks
Gat
eway
Iu IP Data Uu
(No Encryption) (IPSEC) (Integrity and Ciphering)
RNC + NodeB
Network Architecture with Home NodeB
Core Networks
Gat
eway
S1 IP Data LTE Uu
(Integrity and Ciphering) (IPSEC) (Integrity and Ciphering)
eNodeB
Network Architecture with Home eNodeB
Small Cells Threat Analysis - 2
The above threat maybe grouped together as the following:
Compromise of H(e)NB Credentials
1, 2, 4
Physical attacks on a H(e)NB 3, 6, 8, 26
Configuration attacks on a H(e)NB 7, 19, 20
Protocol attacks on a H(e)NB 5, 15, 17, 25, 27, 28
Attacks on the core network, including H(e)NB location-based attacks 11, 12, 13, 14, 16, 24
User Data and identity privacy attacks 9, 10, 18, 22, 23
Attacks on Radio resources and management 21
Non-Confidential © eXplanoTech Ltd.
22
Physical Threats Vandalism and Natural Disasters
Non-Confidential © eXplanoTech Ltd.
23
Backhaul Security
Non-Confidential © eXplanoTech Ltd.
24
Backhaul Security ACL, Filtering & Verification of source and destination
Non-Confidential © eXplanoTech Ltd.
25
ACL = Access Control Lists
Non-Confidential © eXplanoTech Ltd.
26
Source: Delivery of Wi-Fi / 3G small cells network into London - Steve Brown, New Technology Trials Manager, TFUK
Any Questions?
Source: http://dilbert.com/strips/comic/2000-12-16/
Non-Confidential © eXplanoTech Ltd.
27
Non-Confidential
© eXplanoTech Ltd. 28