The Internet is a radical departure from the controlled and secure radio spectrum that mobile operators use to deliver their voice and data services. Femtocells, however, rely on the Internet for service delivery, which introduces a unique set of security challenges to protect network resources from attack and ensure the privacy of subscribers’ communications.
The openness of the Internet enables new forms of communications, but also unlocks the door for criminals and casual hackers to compromise IP-based communications and service provider networks. No matter what the femtocell architecture is, there are significant risks to network availability and service integrity that mobile operators need to plan for and employ defenses against to prevent or mitigate these threats.
ARCHITECTURES
Femtocells present mobile operators with an opportunity to reduce the total cost of ownership of their voice and data services while improving customer loyalty and unlocking new revenue opportunities. The cost benefits include reducing macro RAN expansion needs for voice and 3G data capacity and lowering backhaul costs by using the subscriber broadband connection. At the same time, mobile operators will improve indoor radio coverage at the subscriber home or business and could enhance their average revenue per user (ARPU) and profitability with new tariffs, pricing plans or femtozone services.
Applicable to CDMA, GSM/UMTS, LTE and WiMAX, femtocells can leverage existing mobile switching centers or Session Initiation Protocol (SIP) core networks, including IP Multimedia Subsystem (IMS) networks. All femtocell architectures use IPsec tunnels to deliver voice, messaging and packet data services to 2G, 3G or 4G handsets connected via a fixed broadband access connection to the Internet or a managed IP network.
At the highest level, there are two architectural models for femtocell access to the service infrastructure:
- Legacy MSC: the femtocell access point tunnels legacy signaling between CDMA/EV-DO or GSM/UMTS/HSPA handsets and the mobile operator’s service network for voice services using circuit-switched mobile switching centers (MSCs)
- SIP-enabled core: uses SIP signaling from femtocell access points supporting 2G or 3G handsets to an operator’s VoIP or IMS core network; this architecture employs convergence servers for voice call continuity (VCC) for roaming between the macro network and the femtocell RAN
Regardless of the architecture, the main components of a femtocell deployment include:
- Femtocell access points (FAPs): customer-premises equipment that connects a mobile device over licensed spectrum wireless air interface to a mobile operator’s network using IP backhaul, typically the Internet
- Multiservice security gateway (MSG): located at the border between the voice services network and the Internet, this network element authenticates FAPs, establishes a Security Association (SA) between FAPs and core network elements and provides encrypted transport of voice and data over the Internet
- Femtocell gateway controller: network equipment that aggregates and controls the decrypted signaling from an MSG to the core legacy network and serves as a proxy to the network and the femtocell (e.g., for GSM/UMTS, a Generic Access Network Controller could fulfill this role); for SIP femtocells, session border controllers (SBCs) or convergence servers would replace this function
- Voice services network: MSC or IMS CSCF equipment that provides voice services, routing and access to interactive applications
Access to walled garden services is the same in both architectural models—the data and control plane traffic is encapsulated in the IPsec tunnel and sent to the mobile data core equipment (e.g., SGSN/GGSN or PDSN). For Internet access there are two models available: one involves using traditional connections at the operator core via the GGSN while the second allows direct access via a local breakout using the subscriber’s broadband connection.
Figure 1. Femtocell architectures.
SECURITY RISKS
In protecting the mobile operator’s network, there are three chief concerns for femtocells: ensuring network and service availability, preventing fraud and service theft and providing subscriber privacy and confidentiality. In assessing these security risks, mobile operators need to look at both the IP layer (for femtocells using legacy signaling or SIP) and the session layer (for SIP-based femtocells only).
Network and service availability attacks: A key concern for operators is to ensure the uptime and availability of their service networks. As the mobile operator is connecting its service network to an IP access network—most likely the public Internet—there are risks of denial of service (DoS) attack and non-malicious overload events.
At layer 3, attacks can be mounted against the IKEv2 signaling—the tunnel establishment control plane that is used for initial establishment of the IPsec tunnel between the FAP and the MSG. These types of attacks can include IKE_SA_INIT flood and IKE_AUTH attacks, which could overload the processing capacity of the MSG and prevent legitimate subscribers from connecting to the network. Also, signaling for voice or data services could be sent from FAPs to upstream core elements (e.g., femtocell gateway controller or SGSN) at a rate that exceeds that element’s processing ability, which could degrade or disrupt service.
At layer 5, there are a variety of attacks that can be mounted that take advantage of the transaction, dialog and session-stateful nature of the SIP protocol used in IMS networks. These attacks can negatively impact the ability of the FAP, CSCF and northbound IMS core elements by overloading processing capability and rendering them incapable of delivering legitimate service. These types of attacks include SIP malformed packets, SIP Invite spoofs and RTP flooding attacks.
There are also non-malicious traffic overload scenarios that could bring about similar results as a DoS attack. The network could be impacted by a high volume of legitimate SIP signaling or IKEv2 tunnel setup traffic from events such as FAPs rebooting after a power outage, misconfigured network devices or mass-calling events due to televoting or emergency situations. Exhaustion of authentication resources or directed attacks against those resources can also cause service failures.
Fraud and service theft: In general, the public Internet will serve as the access network between the mobile operator’s core and the FAPs. Given this, mobile operators need to be concerned about unauthorized access to their services, which consumes resources, detracts from revenue and could impact capital expenditures associated with capacity planning needs. Unauthorized access is possible for both legacy and SIP signaling through a weak AAA implementation or registration flood attacks. An attacker may be able to assume the identity of the FAP by spoofing at multiple layers. However, this is less likely, as the FAP will carry a variety of identification information, including a Universal Subscriber Identity Module (USIM) or International Mobile Subscriber Identity (IMSI) and X.509v3 certificates, which are much harder to forge.
Service theft can take the form of obtaining more services than authorized or paid for (i.e., piggybacking on existing session signaling messages with additional media sessions), exploiting early media so sessions are not accounted for and billed and utilizing higher bandwidth codecs than negotiated during the session establishment.
Privacy and confidentiality violations: Mobile operators should also be concerned with subscriber security as the conversations travel over the Internet. Savvy hackers could intercept the signaling or media and use that for malicious means such as identity theft and password phishing. This could result in customer defections, lost revenue, tarnished brands and lawsuits.
Figure 2. Femtocell security risks.
NETWORK SECURITY
Fighting these security risks should be addressed at layer 3 as well as layer 5. The multiservice security gateway, which is the first point of contact for the FAP and is the border element that connects the service network to the Internet, should be hardened to protect itself and the core network against layer 3 attacks. Likewise, the P-CSCF or session border controller that is the first signaling hop for SIP femtocells should have the necessary tools to combat layer 5 attacks.
Ensuring uptime and preventing DoS attacks: The first step to prevent attacks that can impact the availability of the network is to hide the IP (layer 3) and signaling (layer 5) topologies, making them more difficult to attack from the Internet. For SIP, a back-to-back user agent—which terminates and reinitiates signaling—can perform this topology hiding.
Hardware-based packet filtering and access control of incoming signaling—be it IKEv2 or SIP—can prevent denial of service (DoS) attacks on the MSG, SBC and the upstream core network. This filtering must be dynamic and react to endpoint behavior, especially as it may change over time (e.g., after a successful registration or tunnel establishment). This dynamic filtering should automatically isolate attackers and give preference to trusted devices over unknown ones.
Further, rate limiting of SIP signaling messages and code gapping can prevent the overload of upstream elements—femtocell gateway controllers, media gateways, softswitches, application servers and other signaling elements—that could result from mass calling or registration events. Likewise, media bandwidth policing on a per-session basis for SIP can prevent media-based DoS attacks.
Protecting the AAA servers and HLR is a key responsibility of the MSG, which should rate limit RADIUS/DIAMETER requests to the AAA infrastructure. To help assure availability, the MSG should also provide load balancing across multiple AAA servers, using basic primary/secondary or round-robin methods.
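The dynamic, behavior-aware filtering and rate limiting described in this section (and the IKE_SA_INIT flood and mass-registration scenarios in the risk section above) can be illustrated with a per-source token bucket. The following Python program is an added example, not code from the article or from any Acme Packet product: each source gets a bucket whose depth and refill rate depend on its trust level, a source is promoted after the AAA infrastructure confirms its authentication, and a source that keeps overrunning its bucket is isolated for a penalty period. The event-line format, the addresses, the thresholds and the sample log are all constructed for the example.

```python
"""Dynamic per-source admission control for IKEv2 and SIP signaling (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy: a token bucket per source, sized by trust level. Sources that
# have completed IKE_AUTH / SIP registration get a larger bucket than unknown ones,
# and a source that keeps overrunning its bucket is isolated for a penalty period.
POLICY = {
    "unknown": {"rate": 2.0, "burst": 4.0},     # tokens per second, bucket depth
    "trusted": {"rate": 20.0, "burst": 40.0},
}
ISOLATE_AFTER_DROPS = 5
ISOLATE_SECONDS = 60.0


@dataclass
class SourceState:
    tokens: float
    last_seen: float
    trust: str = "unknown"
    drops: int = 0
    isolated_until: float = 0.0


class SignalingLimiter:
    def __init__(self):
        self.sources = {}

    def _state(self, src, now):
        if src not in self.sources:
            self.sources[src] = SourceState(tokens=POLICY["unknown"]["burst"], last_seen=now)
        return self.sources[src]

    def mark_trusted(self, src, now):
        """Promote a source after a successful IKE_AUTH or SIP registration."""
        st = self._state(src, now)
        st.trust = "trusted"
        st.tokens = POLICY["trusted"]["burst"]
        st.drops = 0

    def admit(self, src, now):
        """Decide for one signaling message: 'accept', 'drop' or 'isolated'."""
        st = self._state(src, now)
        if now < st.isolated_until:
            return "isolated"
        p = POLICY[st.trust]
        # Refill the bucket for the time elapsed since this source's last message
        st.tokens = min(p["burst"], st.tokens + (now - st.last_seen) * p["rate"])
        st.last_seen = now
        if st.tokens >= 1.0:
            st.tokens -= 1.0
            return "accept"
        st.drops += 1
        if st.drops >= ISOLATE_AFTER_DROPS:
            st.isolated_until = now + ISOLATE_SECONDS
            return "isolated"
        return "drop"


def process_log(lines):
    """Replay constructed MSG/SBC event lines of the form
    't=<sec> src=<ip> msg=<IKE_SA_INIT|IKE_AUTH|SIP_REGISTER|AUTH_OK>'
    and return per-source decision counts plus the limiter state."""
    limiter = SignalingLimiter()
    summary = defaultdict(lambda: {"accept": 0, "drop": 0, "isolated": 0})
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        now, src, msg = float(fields["t"]), fields["src"], fields["msg"]
        if msg == "AUTH_OK":                 # AAA said yes: promote the source
            limiter.mark_trusted(src, now)
            continue
        summary[src][limiter.admit(src, now)] += 1
    return dict(summary), limiter


# Constructed sample: one source floods IKE_SA_INIT at 8 msg/s, while a legitimate
# FAP sets up its tunnel, authenticates and then registers several SIP users.
FLOOD_SRC, FAP_SRC = "203.0.113.10", "198.51.100.7"
SAMPLE_LOG = [f"t={i * 0.125:.3f} src={FLOOD_SRC} msg=IKE_SA_INIT" for i in range(20)] + [
    f"t=0.500 src={FAP_SRC} msg=IKE_SA_INIT",
    f"t=0.625 src={FAP_SRC} msg=IKE_AUTH",
    f"t=0.750 src={FAP_SRC} msg=AUTH_OK",
] + [f"t={2.0 + i * 0.125:.3f} src={FAP_SRC} msg=SIP_REGISTER" for i in range(5)]

if __name__ == "__main__":
    counts, _ = process_log(SAMPLE_LOG)
    for src, c in counts.items():
        print(src, c)
```

With the sample log the flooding source gets six messages through before its bucket empties, is dropped four times and is then isolated for the remainder, while the authenticated FAP has every message accepted. The replay check is deliberately done on the untrusted bucket until AUTH_OK arrives, which is what gives trusted devices preference over unknown ones without disadvantaging a FAP that is still setting up its tunnel.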
Protecting vs. service theft: The MSG participates in authentication of FAPs to prevent unauthorized access and service theft. IKEv2 employs a 2-factor authentication scheme—to authenticate the endpoint as well as the user’s subscription. Pre-shared secret and X.509v3 certificates can be used for the first factor of authentication, of which the latter is stronger as the shared secret could be compromised. The second authentication factor utilizes EAP (Extensible Authentication Protocol), where the MSG bridges EAP messages from the FAP into RADIUS/DIAMETER messages towards the AAA server.
Other techniques that can mitigate service theft and unauthorized access include employing static access control lists that restrict the destination IP addresses or address ranges that are allowed from FAPs and IMSI whitelisting of FAPs.
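The static destination ACL and IMSI whitelist mentioned above can be expressed as a small policy check. The following Python code is an added example, not code from the article or from any product it describes: the permitted destination ranges, the whitelisted IMSIs and the sample requests are constructed values, and a real MSG would load them from its configuration and the operator's FAP provisioning database.

```python
"""Static destination ACL plus IMSI whitelist for FAP traffic (added example)."""
import ipaddress
from collections import Counter

# Constructed policy values; a real deployment would load these from the MSG
# configuration and the operator's FAP provisioning database.
ALLOWED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.20.0.0/16",   # femtocell gateway controller / SGSN pool behind the MSG
    "10.30.5.0/24",   # IMS P-CSCF pool
)]
IMSI_WHITELIST = {"001010123456789", "001010123456790"}


def imsi_is_well_formed(imsi):
    """IMSI = MCC (3 digits) + MNC (2-3 digits) + MSIN, 15 digits at most (3GPP TS 23.003)."""
    return imsi.isdigit() and 6 <= len(imsi) <= 15


def authorize(imsi, dst_ip):
    """Return (allowed, reason) for a packet leaving a FAP's IPsec tunnel."""
    if not imsi_is_well_formed(imsi):
        return False, "malformed IMSI"
    if imsi not in IMSI_WHITELIST:
        return False, "IMSI not whitelisted"
    try:
        dst = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False, "invalid destination address"
    if not any(dst in net for net in ALLOWED_DESTINATIONS):
        return False, "destination denied by ACL"
    return True, "permit"


def evaluate(requests):
    """Tally decisions for a batch of (imsi, dst_ip) pairs, e.g. from an audit log."""
    return Counter(authorize(imsi, dst)[1] for imsi, dst in requests)


# Constructed sample: two whitelisted FAPs reaching permitted ranges, an unknown
# IMSI, a malformed IMSI, and a whitelisted FAP aiming outside the permitted ranges.
SAMPLE_REQUESTS = [
    ("001010123456789", "10.20.4.9"),
    ("001010123456790", "10.30.5.21"),
    ("001010999999999", "10.20.4.9"),
    ("12ab", "10.20.4.9"),
    ("001010123456789", "192.0.2.5"),
]

if __name__ == "__main__":
    for reason, n in evaluate(SAMPLE_REQUESTS).items():
        print(f"{n} x {reason}")
```

Checking the IMSI before the destination keeps a malformed or unknown identity from even reaching the ACL, and the deny reasons are distinct so that the audit trail discussed later in the article can separate provisioning mistakes from attempts to reach addresses the FAP should never see.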
For SIP femtocells, bandwidth policing based on session information at the IMS border protects against bandwidth theft and ensures that only authorized sessions receive correct QoS and resource allocation. SBCs can generate call detail records (CDRs) to ensure fair use of resources and accounting. Likewise, session timers can be used to terminate inactive sessions to free up network and system resources, preventing fraudulent and stranded calls.
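The per-session media policing and session timers described here, together with the codec-upgrade form of service theft from the risk section, can be shown end to end: derive a bandwidth ceiling from the negotiated SDP, compare it with the measured RTP rate, and tear down sessions that persistently exceed it or go idle. The following Python code is an added example, not code from the article or from any session border controller; the codec table, tolerance, idle limit, sample SDP and measured rates are constructed for the example.

```python
"""Per-session media bandwidth policing and idle-session timers (added example)."""
import re
from dataclasses import dataclass

# Constructed codec table: payload bit rate in kbit/s for a few RFC 3551 static
# payload types. Real policers carry a much larger table and dynamic types too.
CODEC_KBPS = {"PCMU": 64, "PCMA": 64, "G722": 64, "G729": 8}
STATIC_PT = {"0": "PCMU", "8": "PCMA", "9": "G722", "18": "G729"}
IP_UDP_RTP_OVERHEAD_BYTES = 40   # IPv4 (20) + UDP (8) + RTP (12) per packet
POLICE_TOLERANCE = 1.10          # tolerate 10 % above the negotiated ceiling
VIOLATIONS_BEFORE_TEARDOWN = 3
SESSION_IDLE_LIMIT_S = 1800      # tear down after 30 min without media or SIP refresh


@dataclass
class MediaSession:
    call_id: str
    codec: str
    ceiling_kbps: float
    last_activity: float
    violations: int = 0


def negotiated_ceiling_kbps(sdp):
    """Return (codec, ceiling_kbps) from an SDP answer.

    A b=AS line already includes IP/UDP/RTP overhead (RFC 3556), so it is used
    as-is; otherwise the ceiling is the codec payload rate plus per-packet
    overhead at the negotiated packetisation time (default 20 ms).
    """
    m = re.search(r"^m=audio \d+ RTP/AVP (\d+)", sdp, re.M)
    if not m:
        raise ValueError("no audio m= line")
    pt = m.group(1)                                  # first (preferred) payload type
    rtpmap = dict(re.findall(r"^a=rtpmap:(\d+) ([A-Za-z0-9]+)/", sdp, re.M))
    codec = rtpmap.get(pt, STATIC_PT.get(pt))
    if codec not in CODEC_KBPS:
        raise ValueError(f"unsupported codec for payload type {pt}")
    bas = re.search(r"^b=AS:(\d+)", sdp, re.M)
    if bas:
        return codec, float(bas.group(1))
    pt_match = re.search(r"^a=ptime:(\d+)", sdp, re.M)
    ptime_ms = int(pt_match.group(1)) if pt_match else 20
    packets_per_s = 1000 / ptime_ms
    overhead_kbps = packets_per_s * IP_UDP_RTP_OVERHEAD_BYTES * 8 / 1000
    return codec, CODEC_KBPS[codec] + overhead_kbps


def open_session(call_id, sdp, now):
    codec, ceiling = negotiated_ceiling_kbps(sdp)
    return MediaSession(call_id, codec, ceiling, now)


def police_sample(session, observed_kbps, now):
    """Apply one measured RTP rate (kbit/s over the last interval) to the session."""
    session.last_activity = now
    if observed_kbps <= session.ceiling_kbps * POLICE_TOLERANCE:
        return "forward"
    session.violations += 1
    if session.violations >= VIOLATIONS_BEFORE_TEARDOWN:
        return "teardown"            # persistent overuse: release the session
    return "drop"                    # police the excess, keep the session for now


def expire_idle(sessions, now):
    """Session timer: return call_ids whose media/refresh activity has lapsed."""
    return [s.call_id for s in sessions if now - s.last_activity > SESSION_IDLE_LIMIT_S]


# Constructed SDP answers: a G.729 session without b=AS, and a PCMU session with b=AS.
SDP_G729 = (
    "v=0\r\no=- 1 1 IN IP4 198.51.100.7\r\ns=-\r\nc=IN IP4 198.51.100.7\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 18\r\na=rtpmap:18 G729/8000\r\na=ptime:20\r\n"
)
SDP_PCMU_AS = (
    "v=0\r\no=- 2 1 IN IP4 198.51.100.7\r\ns=-\r\nc=IN IP4 198.51.100.7\r\nb=AS:80\r\n"
    "t=0 0\r\nm=audio 49172 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    s = open_session("call-1", SDP_G729, 0.0)
    # Constructed measurements: the endpoint negotiated G.729 but switches to a
    # 64 kbit/s codec mid-call, the "higher bandwidth codec" theft described above.
    for t, kbps in enumerate([22, 23, 80, 81, 82], start=1):
        print(t, kbps, police_sample(s, kbps, t))
```

The G.729 session derives a 24 kbit/s ceiling (8 kbit/s payload plus 16 kbit/s of headers at 50 packets per second), so the jump to roughly 80 kbit/s is caught on the first sample; the session is released only after the third consecutive violation, which avoids tearing down calls over a single jitter-induced spike.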
Protection of privacy and confidentiality: The various femtocell architectures have settled on IPsec as the tunnel protocol to bridge the untrusted Internet access network. IPsec is a suite of protocols that has both encryption and authentication mechanisms to ensure subscriber communication confidentiality and integrity. Encrypting the voice and packet data—using algorithms such as AES, DES and 3DES—prior to Internet transport (at the FAP or MSG) hides the actual content from eavesdroppers. IPsec also uses algorithms that ensure integrity of the payload and prevents tampering and replay attacks.
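The integrity and anti-replay mechanisms that IPsec ESP provides can be made concrete with a receiver-side model of one inbound security association. The following Python code is an added example, not code from the article or from any IPsec implementation: it computes an HMAC-based integrity check value over the sequence number and payload, applies the RFC 4303 sliding-window replay check before the integrity check, and only advances the window once the packet has been verified, so a forged packet cannot push genuine ones out of the window. Encryption is omitted; the key, window size and packets are constructed for the example.

```python
"""ESP-style integrity check with an anti-replay window (added example)."""
import hashlib
import hmac
import struct

ICV_LEN = 16            # 128-bit truncated HMAC-SHA-256, as in RFC 4868's HMAC-SHA-256-128
WINDOW_SIZE = 64        # RFC 4303 requires a window of at least 32; 64 is a common choice


def compute_icv(key, seq, payload):
    """Integrity check value over the sequence number and the payload."""
    return hmac.new(key, struct.pack(">I", seq) + payload, hashlib.sha256).digest()[:ICV_LEN]


def protect(key, seq, payload):
    """Sender side: sequence number || payload || ICV (no encryption in this model)."""
    return struct.pack(">I", seq) + payload + compute_icv(key, seq, payload)


class InboundSA:
    """Receiver state for one inbound SA: the highest accepted sequence number
    plus a bitmap of the last WINDOW_SIZE numbers (bit 0 = highest)."""

    def __init__(self, key, window=WINDOW_SIZE):
        self.key = key
        self.window = window
        self.highest = 0
        self.bitmap = 0

    def receive(self, packet):
        if len(packet) < 4 + ICV_LEN:
            return "reject: truncated"
        seq = struct.unpack(">I", packet[:4])[0]
        payload, icv = packet[4:-ICV_LEN], packet[-ICV_LEN:]
        if seq == 0:
            return "reject: zero sequence number"
        # Replay check first (cheap), integrity check second (RFC 4303 section 3.4.3)
        if seq <= self.highest:
            diff = self.highest - seq
            if diff >= self.window:
                return "reject: too old"
            if (self.bitmap >> diff) & 1:
                return "reject: replay"
        if not hmac.compare_digest(icv, compute_icv(self.key, seq, payload)):
            return "reject: bad ICV"      # window untouched: forgeries cannot advance it
        # Integrity verified: now record the sequence number in the window
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.window:
                self.bitmap = 1           # everything previously seen falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accept"


if __name__ == "__main__":
    key = b"constructed-demo-auth-key"     # constructed; a real SA key comes from IKEv2
    sa = InboundSA(key)
    p2, p3 = protect(key, 2, b"two"), protect(key, 3, b"three")
    for label, pkt in [("seq 1", protect(key, 1, b"one")), ("seq 3", p3),
                       ("seq 2 (late)", p2), ("seq 2 again", p2)]:
        print(label, "->", sa.receive(pkt))
```

Running the demonstration shows a late-but-in-window packet being accepted while its duplicate is rejected as a replay, and a packet whose payload was altered in transit being rejected on the integrity check without touching the window.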
Monitoring and reporting: A security solution is incomplete if it lacks information. A comprehensive solution must provide alarms for attacks and overloads, and audit trails to help with attack response and fraud investigation. Likewise, the elements involved must provide secure monitoring and management access to protect against tampering or use by unauthorized personnel.
Femtocells represent a compelling business case for operators, but like all services using IP networks or the Internet, there are elevated risks of security attacks and breaches that an operator must defend against to ensure revenue and customer satisfaction. Even in the case of circuit-switched voice signaling, there are possibilities for layer 3 attacks, and the multiservice security gateway is the first line of defense. As service providers adopt or migrate to a SIP infrastructure for femtocells, the usual array of VoIP security risks exist, and the features that session border controllers employ are designed to mitigate those threats. While the risks are real, there are tools available to enable secure femtocell services and network infrastructures.
Mitchell is director of Wireless Solutions Marketing for Acme Packet and can be reached at kmitchell@acmepacket.com.