Securing LTE: It's Worth the Capex
Patrick Donegan, Founder and Principal Analyst, HardenStance
It's good to see the needle finally starting to shift as regards the implementation of security in LTE networks. LTE traffic in the US and Korea today has 3GPP encryption from the end-user device all the way to the eNode B. But from the eNode B back across the IP backhaul into the IP core that traffic unencrypted. The user plane, control plane, management plane: all of it is unencrypted.
3rd Generation Partnership Project (3GPP) identified this as a security flaw many years ago and prescribed IPsec as the fix where operators consider their backhaul networks to be "untrusted" -- or vulnerable to unauthorized intervention -- for LTE.
But whereas operators in the US and South Korea don't yet think of this as a vulnerability that's worth closing off, many of the big European operators are taking a different view and are taking the lead in adopting IPsec as LTE is rolled out.
Deutsche Telekom AG (NYSE: DT) deserves credit for being the world leader in this regard. DT introduced IPsec with its own LTE launch in Germany at 700 MHz, and is now extending the same policy across all its European affiliates. Look under the hood of Everything Everywhere Ltd.'s (EE) LTE network in the UK and you'll find IPsec delivered to all its LTE cell sites. Orange affiliates will do the same (albeit not necessarily to all LTE sites), and other large European operator groups including Telecom Italia (TIM) are headed down that same path.
There's certainly an initial capex hit when deploying IPsec. But many of the fears of a negative impact on network performance and high opex are being allayed by this second wave of European deployments. These typically consist of a single IPsec tunnel being instantiated at the eNode B, and then kept in service permanently, rather than huge volumes of tunnels being dynamically set up and torn down again. They are also showing a minimal impact on latency, allowing operators to keep well within the 20-30 millisecond targets that are key to LTE's core value proposition.
Heavy Reading's forecast is that the proportion of the world's LTE cell sites that support IPsec will grow from 15 percent at the end of 2013 to 35 percent at the end of 2015, and to 53 percent by the end of 2017. We expect growth will be driven by several factors, including:
- the ongoing migration of hacker time and attention from the wireline to the mobile networking environment;
- competitive pressures arising from one operator in a market deploying IPsec, driving competitors to respond;
- the probability of threat incidents arising from operators failing to deploy IPsec and becoming publicized; and
- the growing recognition that lacking near-bulletproof security will be a show-stopper when operators look to drive the next generation of LTE revenue opportunities with major vertical industry partners, such as health insurance providers.
We assume there will still be a sizeable number of LTE operators that are still allowing clear text to transit across their backhaul networks four years from now. But we also expect that a financial analysis of LTE operators four years hence will show a pretty close correlation between support for end-to-end network security and superior financial performance.
This and many other issues will be debated at Light Reading's second annual conference on Mobile Network Security in New York on December 5.
— Patrick Donegan, Senior Analyst, Heavy Reading