NSN and Juniper today reminded the wireless carrier community that they're bosom buddies by announcing a set of jointly developed propositions for 4G LTE deployments related to key areas such as packet backhaul and mobile network security.
The partners, which have been working together for years, have focused on several critical areas, pulling together multiple Nokia Networks and Juniper Networks Inc. (NYSE: JNPR) products and services to rival the offerings that key competitors such as Alcatel-Lucent (NYSE: ALU), Ericsson AB (Nasdaq: ERIC), and Huawei Technologies Co. Ltd., which all have IP and mobile infrastructure platforms within their product portfolios, can offer.
So, what exactly are NSN and Juniper putting on the table? We asked for details and we got them. Here's a breakdown of the joint technology packages (in italics), as provided to Light Reading by NSN and Juniper following a request for further details.
- NSN and Juniper Networks developed a new mobile backhaul end-to-end Reference Framework to guarantee certified Interworking between Juniper Networks routers [and] NSN Base Stations and Packet Core. Juniper Networks mobile backhaul platforms are integrated into NSN's OSS for fault and performance management. The development includes the integration of NSN NetAct and Juniper Networks JunosSpace for end-to-end radio and backhaul management... and integrated LTE backhaul security. NSN offers professional services that analyze and assess the existing mobile backhaul infrastructure and consult and plan the migration to LTE (and LTE-Advanced ready) mobile backhaul networks with Juniper routers.
Next generation mobile backhaul networks transport traffic from base stations that use common Ethernet/IP uplinks. In this context, control traffic from and to base stations can be misused (DOS attacks), if not scrambled or secured. Hence the mobile backhaul solution has been designed accordingly and assures interworking and performance of IPSec in NSN base stations and Juniper routers. LTE and LTE-Advanced require very accurate synchronization at base stations (for radio resource management, handovers and several new features). The Juniper boundary clock functions in the routers have been developed and certified in order to support NSN clocking clients in base stations. We are developing unique applications for mobile backhaul leveraging a software development kit for Juniper routing platforms to make routers more 'intelligent' and let them to adopt its routing decisions, improving end user experience and link utilizations.
- For radio access security, operators would deploy NSN base stations with built-in IPSec functionality and a Juniper Networks Security Gateway for encryption and firewall functionality. A Certificate Authority Server from NSN is required for base station authentication.
- The NSN Mobile Site Connectivity Solution (MSCS) is a set of recommended Juniper Networks MX and EX [router] products and NSN design guidelines on how to interconnect NSN mobile equipment (radio network controllers, voice core elements, mobile packet core elements) within the same physical site internally using IP/Ethernet technology, as well as externally using IP/MPLS transport networks… The design guidelines include detailed configurations to optimize failover cases and to minimize service impacts. They also help to reduce installation times and accelerate deployment on customer sites.
- The joint solution is build around the Juniper Networks MX Series and solves the issue of both the shortage of public IPv4 addresses using NAT44 as well as the evolution towards IPv6 using both Dual Stack and NAT64.
In its joint proposition, the partners also claimed that their "Radio Access Security solution is the market-leading 3GPP compliant solution." How so, we asked? Here's the response in full (including the claims to being unique in the market, etc.):
- 3GPP release 10 (frozen in 2011, coming to commercial network elements now), requires IPSec encryption between an LTE eNodeB and the core network when the operator considers the transport network between them to be 'untrusted.' (See 3GPP specifications TS 33.210, TS 33.310 and TS 33.401.)
Authentication using Public Key Infrastructure (PKI) should be used when implementing IPSec, based on Internet Key Exchange Version 2 (IKEv2). PKI-based authentication of eNodeBs should be via a vendor CA certificate that is pre-installed into the operator's central Registration Authority/Certificate Authority (RA/CA). Two-way authentication is completed by using Certificate Management Protocol Version 2 (CMPv2) to manage a replacement of the original vendor certificate of a trusted eNodeB with a new operator certificate.
The NSN radio access security solution is fully compliant with these 3GPP release 10 requirements. The solution provides full IPSec protection of control plane, user and management plane leveraging the NSN Flexi Multiradio BTS with inbuilt IPSec client and Juniper Networks SRX terminating IPSec tunnels at core. Although this is mainly related to LTE networks, we see more and more operators leveraging the same solution to protect 2G and 3G networks as well.
In addition the solution has the following beyond-3GPP security capabilities:
- NSN CA functionality is specifically developed to be scalable for mobile telecommunications and is not based on an over-stretched enterprise solution.
- The solution is load and stress tested in a carrier-grade environment to validate real-world traffic sizing and planning.
- NSN eNodeBs get the vendor base station certificates installed during the production process, not manually during installation.
- Our procedure for LTE security is fully automated, saving 25 percent of implementation costs and enabling 25 percent faster roll out/ time to market than a manual process. Operator certificates and eNodeB configuration parameters can be automatically downloaded at initial power-on and first attach to the network supporting truly self organizing networks. We are the only vendor offering an end-to-end IPSec and CA solution that can meet this 3GPP requirement. - Leveraging both IPSec and the firewall capabilities of the Juniper Networks SRX Series allows protection of both the mobile core and customer data.
- New Geo-redundant Certificate Authority (PKI) system increases the availability of the security solution to a carrier grade 99.999 percent.
- NSN Certificate Authority is fully integrated into NSN NetAct supporting SNMPv2c and SNMPv3 profile/messages for generic integration for security and certificate lifecycle management.
- Security configuration via NetAct uniquely means IPSec and VPN tunnels can be easily configured from one point with all domains supported – Radio, Core, Transport, including Juniper Networks Security Gateways.
- Flexi Zone Micro and Flexi Zone Pico fully support the same IPSec authentication and encryption. - NSN is the only vendor that has an end-to-end security solution developed and tested for interoperability in a secure multivendor environment, as proven by commercial references.
Although IPSec is mandatory to ensure security and privacy between eNodeB and core network, it is not sufficient to secure the mobile network. The risk of malicious traffic emanating from the LTE RAN is increasing rapidly. The Juniper Networks' Mobile Threat Center report of March 2013 shows that there are now more than 500 third-party app stores around the world containing malicious apps. So in addition to IPsec, stateful firewalling of the mobile protocols is required to ensure that compromised nodes, or attackers positioned elsewhere, are prevented from interfering with the mission-critical control messages. Hence, at every point where S1 interfaces are terminated in the core network, operators need to consider comprehensive end-to-end security with much the same suite of firewall, IDS/IPS and enhanced threat detection capabilities that they have always needed on the Gi.
Well, we did ask.
So, how does this position the NSN and Juniper combination in the market? Heavy Reading senior analyst Patrick Donegan, a specialist in mobile network security, noted: "Still today, there aren’t any vendors out there that are true leaders in both cellular and IP networking, so there’s no doubt that, on paper, the partnership of NSN and Juniper with their respective core competencies is compelling."
But... "everything rests on the execution. NSN and Juniper's relationship has gone through multiple iterations over many years in the quest for the optimal balance between collaboration and competition. They appear to have carved out some distinctive areas where they should be able to go to market successfully now, and without butting up against one another. In the case of mobile network security they are particularly well positioned to lead the market. But let's see how they go."
Let's see indeed!
— Ray Le Maistre, Editor-in-Chief, Light Reading