Andy Huckridge

Protecting the Mobile Security Gateway (MSG)

For quite some time, the security market has not been the hottest – outside of Enterprise that is. Now though, there are certainly murmurs in the industry that things are changing and a new, Mobile Security Market is beginning to take off and will be worth $14.4B by 2017. Traditional security messages are mostly non-relevant for the Mobile security market and very often it’s not about securing the traffic – but more about securing the transport and the interfaces. Security in Mobile seems to be a different beast than Enterprise – right? Well not quite so fast…

With the newer open source operating systems like Android and several others on the horizon such as MeeGo, it’s much easier to create Malware and have dormant functionality inside the vast amounts of freely available apps – and the existing security company’s seem to have the beginnings of a grip on this area. But what about the new security threat of attacking the actual networks themselves? We saw the recent investment in Stoke by Samsung Venture’s mirror the Cisco acquisition of Starent in 2009 for $2.9 billion. Things are beginning to move in the right direction to protect the underlying networks themselves – to protect the UNI/NNI interfaces and to protect typically what are hundreds or thousands of backhaul links.

There’s even a new Mobile security conference

Mobile Network Security Strategies: New Threats, New Opportunities. Wednesday, November 28, 2012 | The Marriott Marquis | New York City, NY:

• Operator attitudes toward different types of security threat and threat mitigation solutions
• AT&T’s strategy for protecting the mobile network and AT&T’s mobile customers
• Threat detection and mitigation in the mobile network
• Analysis of next-gen mobile security gateways options
• Securing the cloud for mobile operators
• The role of the cloud in mobile network security
• Threat Detection & Mitigation in the Mobile Network
• Securing the Cloud for Mobile Operators
• View on Next Gen Mobile Security Gateways
• CTIA’s Cybersecurity Working Group (CSWG) – Protecting The Mobile Network

A new market is born

It’s very likely that a new market is forming here, or at least there will be an opportunity to sell existing solutions in to the new space, based on pre-existing functionality and benefits from products that already exist today. Let’s take a look at one such applicable product from VSS Monitoring – the Protector series and what it does to assist a MSG installation:

The Protector series of Inline Tool Load Balancers are intelligent, hardware-based traffic redirection devices designed to actively tap inline networks for forwarding to inline monitoring or security tools. Active Load Balancers are fundamental tools necessary for delivering complete total, network-wide visibility for inline network security and monitoring tools. Using these devices as part of a Network Packet Broker layer offers users a centralized view of the network. They provide intelligent traffic processing including packet and flow level control of what each monitor tool receives.

Protector provides a never before seen level of security, availability, and redundancy when deploying inline monitoring tools, as well as the flexibility of aggregation, speed conversion, load balancing, grooming, and powered-down state (using PowerSafe™). The active inline tool load balancers allow for 10M to 10 GigE network traffic redirection, traffic capture, active inline monitoring, and passive monitoring. When used for active inline monitoring, tool Bypass is also available. These hybrid devices offer maximum deployment flexibility.

Who provides the MSG and what does it do?

According to a Heavy Reading report entitled “Next-Generation Mobile Security Gateways for 3G & 4G Networks“, Huawei, Juniper and Cisco all have comprehensive solutions, but there are other innovative players out there such as Stoke (mentioned above). Cisco provides a few products, the 7600 WSG and the ASR 5000 Security Gateway based on the prior Starent product line. Stoke provides the SSX-3000 Session Exchange. Radisys are also getting in on the act with their LTE Security Gateway, which secures next generation mobile networks.

Conclusions

The mobile security market is growing in leaps-and-bounds. The existing vendors are becoming aware of shortcomings in how their products work – or don’t work. They need to be accepting of being placed in line with other security tools and to be able to work at line speeds as user data traffic expands to fit pipe throughput. Adding an in-line tool balancer in front of your Mobile network security tool makes sense for many good reasons:

• Not least of which is that you now have an independent High-availability / High resiliency security solution – operators like that. Add in a way to extend the life of older, reduced speed security tools – and you get a pay off from day one
• Second you have a way to overcome the issues with not being able to process traffic at line rate – just load balance and add another tool. Security tools rarely, if ever process at line-rates
• Third, it makes maintenance, accessibility and the future need to add more and different security tools in series with the traffic much easier – you don’t need to take your network down anymore to add in a new functional element – just include it in series as your needs progress and the threat landscape develops. Create a new type of mobile security architecture – something VSS calls “Defence in layers“.
• Fourth, for NEMs – speed up your operator PoC cycles by allowing the operator to benefit from the right environment whereby they can perform trials and acceptance tests on live traffic with a minimum of disruption to live service