Network Transformation Increases Risks
Advancements such as the all-IP evolved packet core have opened mobile networks, devices, and customers to a host of sophisticated threats. Now, innovations including small cells, VoLTE, and VoWiFi, combined with the business imperative to deliver services rapidly, necessitate securing critical network-edge interfaces such as:
● Gi/SGi: LTE interface to the Packet Data Network (PDN), from threats from subscribers and the public Internet
● S1: LTE base station and core network interface, from the LTE backhaul traffic and access network
● SWu: serving gateway to user equipment, from VoWiFi traffic to the evolved packet data gateway (ePDG)
● S8: interface to other mobile service provider networks
New IP-based elements of your mobile network are exposed to all manner of IP-based attacks. Cyberattackers are well funded and motivated to compromise mobile networks.
Until now, a best-in-class approach to security services has been the industry standard for protecting mobile infrastructure. These manual methods, however, have proven to be unintegrated and inefficient. Ultimately, network performance, user experience, and time to market are all impeded.
A new approach to security is required to protect against IP-based threats, one that helps protect data flows and workloads with a consistent security policy for physical and virtualized infrastructures. It should include not only Cisco carrier-class threat defense services, but also tightly integrated additional services, such as DDoS mitigation.
Cisco threat-centric security for mobile service providers is available both as a physical appliance and for virtual deployments.
Our vision for mobile service providers is a next-generation Gi/SGi Firewall solution. The Cisco Firepower 9300 and Cisco Firepower 4100 Series security appliances are threat-centric solutions purpose-built for demanding mobile operator deployments. They support superior threat defense, tight integration, end-to-end automation, and enhanced agility.
These appliances come with industry-leading next-generation firewall application control and next-generation IPS (NGIPS) capabilities validated by independent third-party testing. They consolidate multiple security services on a single platform for improved threat visibility and security service orchestration.
Figure 1. Highly Sophisticated and Well-Funded Threats from the Internet Are Putting Pressure at the Gi/SGi Interface. If They Corrupt a Single Data Flow, They Can Access and Take Down Your Entire EPC
With Cisco’s approach, service providers protect both themselves and their customers with scalable, intelligent, and adaptive threat-centric security.
Adaptable Security for Any Scenario
The Cisco Firepower NGFWs are built to evolve with your network. They are software-defined networking (SDN) ready for orchestrating security services in next-generation networks.
Gi/SGi Firewall capabilities include:
● NEBS compliant options
● Stateful firewall:
◦ Comprehensive Layer 3 and 4 infrastructure protection
◦ Carrier-grade NAT
◦ General Packet Radio Service (GPRS) Tunneling Protocol version 2 (GTPv2) inspection
◦ Stream Control Transmission Protocol (SCTP) inspection
◦ Diameter application inspection
● Ability to cluster up to 5 Cisco Firepower 9300 chassis or up to 16 Cisco Firepower 4100 Series chassis to scale performance to more than 1 Tbps
The carrier-grade platforms offer 10, 40, and 100 Gigabit Ethernet interfaces*. Third-party DDoS applications are available.
Figure 2. Through the Strategic Placement of the Cisco Firepower, You Can Inspect Each Critical Data Flow and Secure all Physical or IP-Based Elements of Your EPC
● Integrate best-in-class security services on a single platform
● Close gaps and improve efficiency with end-to-end automation
● Enhance agility with high scalability and performance across physical and virtual infrastructures
Partnership for 3 Italia
Ericsson and Cisco will deliver their state-of-the-art router technology with a highly scalable, consolidated platform that enables personalized services for both fixed and mobile users. The proposed architecture for 3 Italia also includes Cisco Firepower 9300, a security appliance that protects the mobile packet core to improve both performance and service stability.
Contact your Cisco sales representative for more information. Find out more at http://www.cisco.com/c/en/us/solutions/service-provider/service-provider-security-solutions/index.html.