From Closed to Open Mobile Networks
Part of the answer could lie with a new category of convergence gateway equipment designed to secure access to operator resources, manage mobility, and enforce user policies across network domains, finds the new Unstrung Insider report Mobile Network Security: The Threat of Convergence & IMS.
The report analyzes the mechanisms used to integrate alternative IP-based access into the mobile packet core and tracks the evolution of today's security-focused gateway products into next-generation "service anchor nodes" capable of extending an operator's services footprint beyond the reach and capability of 2G and 3G cellular networks.
The starting points for this vision of converged networks include the Unlicensed Mobile Access (UMA) TS 43.318 specifications defined in the 3rd Generation Partnership Project (3GPP) , and the wireless local-area network (WLAN) interworking architectures defined in 3GPP specification TS 23.324 and in the pending X.P0028-200 specification in the 3rd Generation Partnership Project 2 (3GPP2) standards organization.
All three specifications have similar high-level architectures and many product requirements in common. This includes per-user IPsec tunnel-terminating gateways; authentication, authorization, and accounting (AAA) infrastructure; and enhanced security services such as firewalls, denial-of-service protection, and intrusion detection systems.
Other mobility-related features, such as fast tunnel setup, the ability to support large numbers of secure tunnels switching rapidly between active and inactive states, and support for terminals "fading" between network types, are also critical requirements driving the need for a new generation of equipment.
Equipment providers targeting this convergence gateway market are doing so from a wide variety of perspectives, backgrounds, and entry points. Some are security specialists, some have a background in routers or the mobile packet core, and some have a session border controller heritage, while others are new startups focused on this opportunity.
UMA, which essentially ports IP-based access into the mobile core using a generic access network controller, is seen as one of the primary entry points. Vendors here include Cisco Systems Inc. (Nasdaq: CSCO), Clavister AB , Netrake Corp. , and Reef Point Systems Inc. , all of which have announced UMA-compatible security gateways – a key component of the generic access network controller.
Others are focused on early WLAN interworking implementations, acting as tunnel terminating gateways and/or AAA server plays. Both Azaire Networks Inc. and Tatara Systems Inc. have had early success here and have won deals with a host of Tier 1 carriers across the globe.
Further down the line, as operators ramp deployment of multi-access services, vendors are targeting full-fledged, IP Multimedia Subsystem (IMS)-capable packet data gateways (PDGs) and packet data interworking function (PDIF) devices. These products, typically scheduled to ship sometime in 2007, are expected to include enhanced mobility management and policy enforcement features. In some cases, security offload from the IMS control layer is also planned, with PDGs/PDIFs taking on encryption and session initiation protocol firewall functions. Vendors here include most of the companies mentioned above, plus new entrants Airvana Inc. , Starent Networks Corp. (Nasdaq: STAR), and possibly Stoke Inc.
Developers of PDGs/PDIFs and UMA security gateways will also have to map to the network-wide security architectures being developed by mobile operators as they move from relatively closed, controlled, and secure voice-centric networks to more open IP-based networks designed for the delivery of data services. Here, core network specifications such as 3G Network Domain Security also come into play (see TS 33.210).
A further requirement is the need to align with mobile network firewall and services-layer security products from providers such as Check Point Software Technologies Ltd. (Nasdaq: CHKP), Fortinet Inc. , Juniper Networks Inc. (NYSE: JNPR), and others.
In the more distant future, convergence gateway providers will compete for a role in the next-generation mobile core network currently under development in the 3GPP's System Architecture Evolution (SAE) group (see TR 23.882). In addition to providing a low-latency packet core for the next generation of mobile radio access systems, SAE identifies support for multi-access network services using a variety of access selection techniques and device types, including multi-radio terminals, as a key objective.
This move to the next-gen packet core puts security/convergence gateway players shoulder-to-shoulder with the mobile infrastructure industry's big guns – Alcatel (NYSE: ALA; Paris: CGEP:PA), Ericsson AB (Nasdaq: ERIC), Huawei Technologies Co. Ltd. , Lucent Technologies Inc. (NYSE: LU), Motorola Inc. (NYSE: MOT), Nokia Corp. (NYSE: NOK), Nortel Networks Ltd. , Siemens AG (NYSE: SI; Frankfurt: SIE), ZTE Corp. (Shenzhen: 000063; Hong Kong: 0763), et al. – which so far have tended to eschew substantial investments in this nascent product segment in favor of partnership strategies.
— Gabriel Brown, Chief Analyst, Unstrung Insider
The report, Mobile Network Security: The Threat of Convergence & IMS, is available as part of an annual subscription (12 monthly issues) to Unstrung Insider, priced at $1,350. Individual reports are available for $900. To subscribe, please visit: www.unstrung.com/insider.