The Evolved IP Network (EIN) features comprehensive, integrated and verified IP transport solutions for network operators. Each solution reduces complexity, accelerates time to market, and provides forward-looking assurances for operators with 5G, IoT, Cloud, virtual networks and programmability in their plans. Regular solution releases mean that network operators are always kept up to date with the latest functionality. Support from Ericsson Global Services speeds up integration and deployment, and keeps networks running smoothly.
All EIN solutions are standards based to facilitate interoperability, especially with existing operator equipment. They are tested and verified, and compatible with Ericsson RAN, Core and Network Management systems.
The MBH solution delivers end-to-end IP connectivity for the Ericsson Radio System - including Baseband, Fronthaul, MINI-LINK and Router 6000 product families. It provides comprehensive, reliable and forward-looking IP infrastructure for all mobile broadband needs, including macro base station and small cell access - and is managed with the Ericsson Network Manager.
The MPBN solution is fully compatible with Ericsson’s native and virtualized Evolved Packet Core, IP Multimedia Subsystem and User Data Management network products and systems. It provides IP infrastructure and security for core network nodes and systems connectivity within and between sites, including the Cloud and Data Centers, and external/peer networks.
RAN Security solution
The RAN Security solution provides protection through authentication and encryption for the Ericsson Radio System and the broader network infrastructure, using a Security Gateway platform. The solution protects customer traffic and network infrastructure in an environment of increasingly open access and revenue-threatening security attacks.
The primary EIN solution objectives are to optimize users' experiences and network operators' cost efficiencies. A comprehensive, reliable and future-proof solution will not limit operators' new service offerings, and superior network performance will help to attract and retain new users. EIN meets network operators' current challenges, including managing network complexity, growing capacity requirements and sustaining high performance.
The EIN solution satisfies every IP transport infrastructure requirement from fixed and mobile broadband access networks, through metro/aggregation to core, and connection to external networks. EIN is compatible with Ericsson mobile products and solution offerings from RAN to Core, IMS, charging systems and policy control.
Products used in the solution include the transport components from Ericsson Radio System: MINI-LINK microwave, Router 6000 and Fronthaul 6000 families, complemented with a full suite of network and policy management products. Additionally, the Ericsson Smart Services Router family’s multi-application capabilities, in both native and virtual forms, help to reduce network operator costs through the use of a common platform. The capabilities include network functions such as Evolved Packet Gateway, Broadband Network Gateway, IPsec Gateway, Wi-Fi Gateway and IP/MPLS Site Router. The Ericsson IP Operating System further reduces operational costs and complexity and is used throughout the router portfolio including Virtual Routers.
EIN enables and sustains revenue generation.
EIN provides scalable capacity to manage escalating broadband demands.
EIN reduces network complexity and associated network costs.
The most important factors when tailoring the best end-to-end solution for each operator are business strategy, legacy infrastructure and future capacity requirements. Talk to Ericsson and see how we can transform your current network to deliver exceptional services to your customers.
The Evolved IP Network solution has been developed with the security needs of Ericsson Radio System, the Core IP Network, and network services as key priorities.
Ericsson Radio Access Network nodes such as radio nodes and radio controllers offer inbuilt security mechanisms to reduce the risk of a security attack toward the mobile network.
The solution includes security mechanisms like node security (node hardening); encryption and authentication of the Operation & Maintenance (O&M) connectivity including authorization hierarchy; logging of events in real-time; and IPsec on the transport interface from the radio nodes. Certificate-based authentication is used between the Radio System nodes and Network Management System (OSS-RC or ENM) when Transport Layer Security (TLS) is used for the O&M communication. Certificate-based authentication is also used between the Radio nodes and the security gateways when IPsec is enabled.
The Radio Access Network Security solution is one component of the Evolved IP Network which integrates a network operator’s end-to-end security needs. This ensures that the radio nodes and security gateways interwork optimally. For certificate management on both Radio System nodes, security gateways and OSS-RC/ENM nodes, the Evolved IP Network solution integrates with and validates the Public Key Infrastructure systems. OSS-RC/ENM has an inbuilt PKI solution that is normally used. Ericsson multi-vendor PKI, ECAS (Ericsson Certificate Administration Server) can be used optionally.
The placement of a radio node dictates the level of node security required. A node should preferably be hardened to inhibit unauthorized access if it is placed in a public area - for example a small cell, or a radio node considered to be located in an untrusted location. Ericsson’s small cells (pico and micro) and new baseband are all delivered hardened from the factory. This means that the operator doesn’t have to close all unused ports or services, but only open those intended to be used. In addition, these radio nodes are protected against malicious software, and only Ericsson’s own signed software can be loaded on them. The architectural design of these nodes follows Ericsson best practice and provides root of trust and trusted anchors. For small cells, often located in public areas, additional considerations have been made in the hardware design to make it difficult and time consuming to physically break into the node.
In addition, the in-built transport functionality in the radio node provides basic packet filtering: IP packets are accepted or dropped according to the 5-tuple of source IP address, source port number, destination IP address, destination port number and protocol.
A security policy for access control can avoid many security incidents. Authentication is required to ensure that only authorized personnel can access the Radio System nodes through management interfaces. Ericsson offers both certificate-based authentication and user account-based (log-in) authentication. Certificate-based authentication is preferred over user account-based authentication and considered more secure. In addition, authentication and encryption of the O&M traffic are recommended and come as standard with Ericsson’s new Baseband.
The combination of node security and O&M security will significantly reduce the risk of unauthorized node access and tampering with radio nodes. The Evolved IP Network solution has validated Ericsson Radio Systems with the Ericsson PKI implementation and other relevant functions such as the Lightweight Directory Access Protocol (LDAP), to provide seamless operation, reducing operational costs.
IPsec is recommended when a cell site is deployed in an untrusted environment or when the transport network is not fully under the network operator's control. IPsec is also recommended as a means of authenticating the Radio System node to the network. This is important for small cell nodes placed in public locations: these can be accessed and tampered with, and are therefore considered untrusted despite being connected to a trusted network.
Macro radio nodes on trusted backhaul networks are also facing increased demands for security due to demands from corporate policies, regulatory authorities and the increased criticality of mobile networks.
The use of IPsec dramatically reduces the risk of interception and unwanted injection of data between the radio node and the Security Gateway; for LTE, direct IPsec tunnels between eNodeBs are also supported on the X2 interface. IPsec uses authentication, integrity and encryption mechanisms to protect all traffic (user plane, control plane and O&M), and it 'hides' the IP infrastructure of the network operator's Core and OSS networks from the transport network. Ericsson offers IPsec as an inbuilt function in Ericsson Radio System cell site nodes, and it is supported for all radio technologies (GSM, WCDMA and LTE). In-built hardware accelerators maintain network performance when IPsec is enabled.
The Evolved IP Network solution has validated Ericsson Radio System with Ericsson IPsec security gateways and security gateways from partners, to provide our customers the most cost-effective solution and products to protect their Radio Access and Core networks.
Security gateways are devices that terminate IPsec tunnels from radio nodes, thus securing traffic that traverses an untrusted transport network or originates from radio nodes located in an untrusted environment. They can be dedicated IPsec termination devices performing bulk termination of IPsec tunnels, or they can be part of a broader security appliance such as a firewall.
Ericsson Certificate Administration Server (ECAS) is a new product managing the creation, management, revocation and enrollment of secure certificates generated by the Public Key Infrastructure (PKI). ECAS can be used in a multi-vendor environment and is an alternative solution to the OSS-RC/ENM inbuilt PKI that supports Ericsson Radio System nodes exclusively.
Ericsson Radio System nodes are equipped with real-time security event logging features to keep up to date with the network’s status. With this functionality enabled, identification and detection of unauthorized access will be presented to the operator in real-time, providing the operator an early warning of a potential or on-going attack.
Core IP network security threats and attacks have continuously evolved over recent years in the telecom sector. The transformation of core network applications to IP-based networks increased the security challenges for telecom operators who are required to protect their key network assets: their customers, their services, and the integrity of data in transit.
The Evolved IP Network solution has been developed with the security needs of core network applications and services as key priorities. These needs have driven the solution design regarding perimeter protection using Internet Gateways or firewalls, traffic domain separation in form of VLAN & VPN structure, access control and node hardening recommendations.
The threat landscape has evolved since the migration of mobile core networks to all-IP. Basic node protection with node hardening and packet filtering, and traditional firewall protection with stateful and deep packet inspection are no longer sufficient. New security attacks against services and applications need higher-layer protection using Intrusion Detection and Prevention, Antivirus/Malware and content filtering.
In the absence of an industry standard definition for the terms ‘hardening’ or ‘node hardening’, Ericsson has mandated that all applicable products provide a guideline for hardening performed as part of product integration.
In addition, the IP network elements such as switches, routers and servers used in the Evolved IP Network solution provide basic packet filtering: IP packets are accepted or dropped according to the 5-tuple of source IP address, source port number, destination IP address, destination port number and protocol.
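The 5-tuple filtering described for radio nodes and for the switches, routers and servers above is, in both cases, a stateless access list evaluated first-match with an implicit deny. The following Python is an added example written for this page, not Ericsson product code: it implements such a filter and applies it to a constructed policy for a radio node's transport interface that admits only IKE, ESP and TLS-protected O&M. The node, security gateway and OSS addresses, and the use of TCP port 443 for O&M, are assumptions for the example.

```python
"""Five-tuple stateless packet filter with first-match, default-deny semantics.
Added example (not Ericsson product code); addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TCP, UDP, ICMP, ESP = 6, 17, 1, 50
PortRange = Tuple[int, int]            # inclusive


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None        # None for protocols without ports (ICMP, ESP)
    dport: Optional[int] = None


def _in_range(r: Optional[PortRange], port: Optional[int]) -> bool:
    if r is None:
        return True                    # rule does not constrain this port
    return port is not None and r[0] <= port <= r[1]


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: str                           # CIDR prefix
    dst: str
    proto: Optional[int] = None        # None matches any protocol
    sport: Optional[PortRange] = None  # None matches any port
    dport: Optional[PortRange] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        return _in_range(self.sport, p.sport) and _in_range(self.dport, p.dport)


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet matching no rule is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed policy for a radio node's transport interface. Assumed addressing:
# node 10.20.0.5, security gateway 10.1.0.1, OSS/ENM subnet 10.99.0.0/24.
NODE, SECGW, OSS = "10.20.0.5/32", "10.1.0.1/32", "10.99.0.0/24"
POLICY = [
    Rule("permit", NODE, SECGW, UDP, dport=(500, 500)),     # IKE
    Rule("permit", NODE, SECGW, UDP, dport=(4500, 4500)),   # IKE/ESP over UDP (NAT-T)
    Rule("permit", SECGW, NODE, UDP, sport=(500, 500)),
    Rule("permit", SECGW, NODE, UDP, sport=(4500, 4500)),
    Rule("permit", NODE, SECGW, ESP),                       # ESP has no ports
    Rule("permit", SECGW, NODE, ESP),
    Rule("permit", OSS, NODE, TCP, dport=(443, 443)),       # TLS-protected O&M (port assumed)
    Rule("permit", NODE, OSS, TCP, sport=(443, 443)),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),                 # explicit catch-all
]
```

A port-less protocol such as ESP only matches rules that leave both port fields unconstrained, so a rule with a port range can never accidentally admit it; and because `evaluate` returns "deny" when nothing matches, dropping the explicit catch-all does not open the node.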
A mobile core network includes systems providing different services to end users, and in some cases these systems may be under the control of different operational teams. Each of these systems and services can be considered as separate domains that need to be secured from each other. In some cases, the same system can also provide several services that require traffic separation. For example, the packet core system that provides an internet access service and a VoLTE service.
The Evolved IP Network solution provides guidelines and recommendations to deploy a common secured IP infrastructure for all these different systems and applications. A secured infrastructure based on VPNs ensures network availability and service quality. The number of VPNs in the Evolved IP Network solution represents a reasonable balance between security and ease of use.
Some traffic types also need confidentiality and integrity as well as traffic separation. For such traffic, the Evolved IP Network solution uses IPsec for encryption and end point authentication, as well as VPNs.
The Evolved IP Network solution uses firewalls to ensure stateful packet inspection and traffic filtering. Firewalls are purpose built security appliances that help to protect the perimeter of an operator’s network from outside attacks. In many cases, firewalls are also used by operators to separate different domains within their networks, to protect different systems from unauthorized access or internal attacks.
In addition to stateful packet filtering, firewalls also provide Deep Packet Inspection (DPI) capabilities to protect against the most common application-level attacks. Another use of such DPI capabilities is to inspect GTP or SS7 traffic from roaming partners, to protect against malicious sources.
Carrier Grade NAT (CGNAT) is the capability to translate the private IPv4 (or IPv6) addresses of millions of subscribers to a comparatively small pool of public IPv4 addresses, sharing each public address among many subscribers at very high throughput. Although CGNAT is not technically a security function, it hides the internal IP addresses from the external public Internet.
One property of CGNAT, Endpoint-Independent Filtering (EIF), forwards an inbound packet only if a mapping already exists for the public address and port it is addressed to; the IP address and port of the remote server or peer are not consulted, so unsolicited inbound traffic is dropped while any peer can reach an address and port that a subscriber has opened. Another property is a limit on the number of concurrent sessions per subscriber, which keeps a single compromised or misbehaving subscriber from exhausting the shared port pool or the NAT session table and bounds how much that subscriber can contribute to a flooding attack; it is a mitigation, not a complete DDoS defence.
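The two CGNAT properties above are easiest to see in a small mapping table. The following Python is an added example written for this page, not Ericsson code: an endpoint-independent NAT in which inbound packets are admitted purely on whether the destination public endpoint has a mapping, and new mappings are refused once a subscriber holds its quota. The public address, subscriber addresses (from the RFC 6598 shared range) and peer addresses are constructed; sessions are counted per mapping, a simplification of a real NAT's per-flow session table.

```python
"""Carrier-grade NAT with endpoint-independent filtering (EIF) and a per-subscriber
session limit. Added example (not Ericsson code); all addresses are constructed from
the RFC 6598 shared range (100.64.0.0/10) and RFC 5737 documentation ranges."""
from collections import defaultdict
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class Cgnat:
    def __init__(self, public_ip: str, max_sessions: int, first_port: int = 1024):
        self.public_ip = public_ip
        self.max_sessions = max_sessions              # cap per subscriber (private IP)
        self._next_port = first_port
        self.out_map: Dict[Endpoint, Endpoint] = {}   # private endpoint -> public endpoint
        self.in_map: Dict[Endpoint, Endpoint] = {}    # public endpoint -> private endpoint
        self.sessions: Dict[str, int] = defaultdict(int)
        self.drops: Dict[str, int] = defaultdict(int)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Translate a subscriber packet; returns (translated src, dst) or None if dropped."""
        mapping = self.out_map.get(src)
        if mapping is None:
            # New session: enforce the per-subscriber cap before allocating a public port,
            # so one subscriber cannot exhaust the pool shared by everyone behind this IP.
            if self.sessions[src[0]] >= self.max_sessions:
                self.drops["session-limit"] += 1
                return None
            mapping = (self.public_ip, self._next_port)
            self._next_port += 1
            self.out_map[src] = mapping
            self.in_map[mapping] = src
            self.sessions[src[0]] += 1
        return mapping, dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """EIF: forward only if some subscriber holds a mapping for the destination public
        endpoint. The sender is not consulted, so any peer may reach an open mapping,
        but traffic to a public port nobody has opened is dropped."""
        internal = self.in_map.get(dst)
        if internal is None:
            self.drops["no-mapping"] += 1
            return None
        return src, internal


def demo() -> Dict[str, object]:
    """Constructed traffic exercising both properties."""
    nat = Cgnat("198.51.100.1", max_sessions=3)
    sub = "100.64.0.5"
    server = ("203.0.113.10", 443)
    first = nat.outbound((sub, 40000), server)                       # gets public port 1024
    reply = nat.inbound(server, ("198.51.100.1", 1024))              # solicited: forwarded
    other = nat.inbound(("192.0.2.200", 9), ("198.51.100.1", 1024))  # different peer, same mapping: forwarded (EIF)
    unsolicited = nat.inbound(("192.0.2.200", 9), ("198.51.100.1", 5000))  # no mapping: dropped
    for port in (40001, 40002, 40003):                               # the 4th mapping exceeds the cap of 3
        nat.outbound((sub, port), server)
    return {"first": first, "reply": reply, "other": other, "unsolicited": unsolicited,
            "drops": dict(nat.drops), "sessions": nat.sessions[sub]}
```

The point the page makes is visible in `other`: EIF lets a host the subscriber never contacted reach the open mapping, so it is weaker than address-dependent filtering, but it is what keeps peer-to-peer and VoIP flows working, which is why it is the usual CGNAT setting.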
Network security appliances distinguish themselves as either specialized security appliances designed for a special purpose, or Unified Threat Management (UTM) appliances which combine multiple security features on one platform. UTM appliances aim to achieve security for the entire network from one central point in the network.
UTM systems include multiple security features like virus protection, intrusion detection & prevention system, content screening/filtering and spam protection. In many security appliances, these security features can be added on top of specialized security appliances like firewalls by adding additional licenses and signature databases. However, proper planning is required to look into capacity and performance needs from different security functions, and also the trust relationship between different security functions co-located on the same physical device.
The security appliances validated in the Evolved IP Network solution are also capable of being used as unified threat management systems.
‘DoS attack protection’ generally means mitigation of flooding-type DoS and DDoS attacks. Sometimes it also covers some known OS-specific exploit-type DoS attacks (deep packet inspection takes care of other exploit-type attacks and privilege escalation attacks).
DoS attack protection/mitigation techniques can be grouped as either rate limiters (session limiters), which mitigate node- or network-flooding attacks, or packet anomaly checks, which block known exploit-type DoS attacks by dropping packet shapes that no legitimate stack sends.
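Both groups can be shown in one small filter. The following Python is an added example for this page, not Ericsson code: stateless anomaly checks for classic exploit-type packets (land, TCP null, SYN/FIN, xmas) run first and block regardless of volume, then a per-source token bucket limits connection attempts (TCP SYNs) to mitigate flooding. The rate, burst size and the constructed traffic mix are assumptions chosen to make the numbers easy to verify.

```python
"""Two-tier DoS protection: packet anomaly checks, then per-source rate limiting.
Added example (not Ericsson code); traffic, rate and burst values are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    flags: int = 0        # TCP flag bits; 0 for other protocols


def packet_anomaly(p: Packet) -> Optional[str]:
    """Stateless checks for packet shapes no legitimate stack emits: the signatures of
    classic exploit-type DoS packets, dropped regardless of rate."""
    if p.src == p.dst:
        return "land"
    if p.proto == "tcp":
        if p.flags == 0:
            return "tcp-null"
        if p.flags & SYN and p.flags & FIN:
            return "tcp-syn-fin"
        if p.flags & FIN and p.flags & PSH and p.flags & URG:
            return "tcp-xmas"
    return None


class TokenBucket:
    """Per-key token bucket: `rate` tokens per second, at most `burst` stored."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens: Dict[str, float] = {}
        self.last: Dict[str, float] = {}

    def allow(self, key: str, now: float) -> bool:
        tokens = self.tokens.get(key, float(self.burst))
        elapsed = now - self.last.get(key, now)
        tokens = min(float(self.burst), tokens + elapsed * self.rate)
        self.last[key] = now
        if tokens >= 1.0:
            self.tokens[key] = tokens - 1.0
            return True
        self.tokens[key] = tokens
        return False


class DosGuard:
    def __init__(self, syn_rate: float, syn_burst: int):
        self.syn_limiter = TokenBucket(syn_rate, syn_burst)
        self.verdicts: Counter = Counter()

    def inspect(self, p: Packet, now: float) -> str:
        reason = packet_anomaly(p)
        if reason is not None:
            verdict = "drop:" + reason
        else:
            # Flooding-type attacks: rate-limit new connection attempts per source.
            is_syn = p.proto == "tcp" and bool(p.flags & SYN) and not (p.flags & ACK)
            if is_syn and not self.syn_limiter.allow(p.src, now):
                verdict = "drop:syn-rate"
            else:
                verdict = "pass"
        self.verdicts[verdict] += 1
        return verdict


def simulate() -> Dict[str, int]:
    """Constructed traffic: a 100-SYN burst from one attacker, five SYNs spread over
    half a second from a normal client, and two malformed packets."""
    guard = DosGuard(syn_rate=10, syn_burst=20)
    target = "203.0.113.10"
    for _ in range(100):
        guard.inspect(Packet("198.51.100.99", target, "tcp", SYN), now=0.0)
    for i in range(5):
        guard.inspect(Packet("192.0.2.7", target, "tcp", SYN), now=0.1 * i)
    guard.inspect(Packet("198.51.100.99", target, "tcp", SYN | FIN), now=0.0)
    guard.inspect(Packet(target, target, "tcp", SYN), now=0.0)
    return dict(guard.verdicts)
```

With a burst of 20 the attacker gets exactly 20 SYNs through and loses the other 80, while the normal client, keyed separately, is untouched; the anomaly path never consumes tokens, so malformed packets cannot be used to starve a source of its legitimate budget. Keying the bucket on source address is the simple form; a real appliance also limits per destination and per session, since a spoofed-source flood defeats a per-source key alone.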
EIN Test Report: March 2014
EIN Test Report: February 2015
EANTC Test Report on Ericsson Evolved IP Network Solution
EANTC Test Report (2015) on Ericsson Evolved IP Network Solution
Network Synchronization - Technology paper
Mobile Network Security - Technology paper