Monday, September 3, 2012

telecom study notes


Adaptive Modulation and Coding (AMC): the modulation scheme and code rate are changed adaptively according to channel conditions (typically based on the SNR reported by UEs).
  • Automatic Repeat reQuest (ARQ): errors are detected and a request for retransmission of the erroneous data is sent.
  • Forward Error Correction (FEC): data are encoded with an error-correcting code (ECC) before transmission. The receiver uses the redundancy added by the code to recover the original data, at the cost of a lower useful data rate (code rates such as 1/2, 2/3 or 5/6).
  • Hybrid Automatic Repeat reQuest (HARQ): ARQ and FEC combined; packets whose errors can only be detected but not corrected are retransmitted, otherwise error correction alone is applied.
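As an added example (not part of these notes), the following Python models the three mechanisms together: a Hamming(8,4) SECDED code plays the FEC (rate 1/2, corrects one flipped bit, detects two), and a HARQ loop retransmits only when the decoder reports an uncorrectable error. The channel, the bit flips and the nibble being sent are all constructed for the demo.

```python
# Added example (not from the original notes): a Hamming(8,4) SECDED code as
# the FEC, wrapped in a HARQ loop.  All inputs are constructed for the demo.

def hamming_encode(data):
    """Encode 4 data bits [d1, d2, d3, d4] into 8 code bits (rate 1/2)."""
    d1, d2, d3, d4 = data
    p1 = d1 ^ d2 ^ d4            # covers codeword positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4            # covers positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4            # covers positions 4,5,6,7
    codeword = [p1, p2, d1, p3, d2, d3, d4]   # positions 1..7 of Hamming(7,4)
    overall = sum(codeword) % 2                # extra parity bit -> SECDED
    return codeword + [overall]


def hamming_decode(received):
    """Return (data_bits, status); status is 'ok', 'corrected' or 'detected'."""
    cw, overall = received[:7], received[7]
    s1 = cw[0] ^ cw[2] ^ cw[4] ^ cw[6]
    s2 = cw[1] ^ cw[2] ^ cw[5] ^ cw[6]
    s3 = cw[3] ^ cw[4] ^ cw[5] ^ cw[6]
    syndrome = s1 + 2 * s2 + 4 * s3           # 1-based position of a single error
    parity_ok = (sum(cw) % 2) == overall
    if syndrome == 0 and parity_ok:
        status = "ok"
    elif syndrome == 0:
        status = "corrected"                   # only the overall parity bit was hit
    elif not parity_ok:
        cw[syndrome - 1] ^= 1                  # single error: flip it back
        status = "corrected"
    else:
        status = "detected"                    # two errors: detectable, not correctable
    data = [cw[2], cw[4], cw[5], cw[6]]
    return data, status


def harq_send(data, flips_per_attempt):
    """Send one nibble through a constructed channel.

    flips_per_attempt[i] lists the bit indices (0..7) the channel corrupts on
    attempt i.  FEC repairs single-bit errors; an uncorrectable (detected)
    error triggers a NACK and a retransmission (the ARQ half of HARQ).
    Returns (data, status, attempts_used).
    """
    codeword = hamming_encode(data)
    attempt = 0
    for flips in flips_per_attempt:
        attempt += 1
        rx = codeword[:]
        for i in flips:
            rx[i] ^= 1
        decoded, status = hamming_decode(rx)
        if status != "detected":
            return decoded, status, attempt
        # receiver sends NACK; the loop retransmits the same codeword
    return None, "failed", attempt


if __name__ == "__main__":
    print(harq_send([1, 0, 1, 1], [[2, 5], [2]]))   # double error, then single error
    print(harq_send([1, 0, 1, 1], [[0, 1], [3, 4]]))  # two uncorrectable attempts
```

The first call shows the HARQ point: the double-bit error on attempt 1 is detected, not silently mis-corrected, so the receiver asks for a retransmission, and the single-bit error on attempt 2 is repaired by the FEC without any further round trip.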

MIMO:
Beamforming (BF) is used at low SNR.
Spatial multiplexing is used at high SNR.

Open-loop MIMO: no feedback from the receiver; suits fast-moving mobile devices.
Closed-loop MIMO: feedback from the receiver, so the transmission can be tailored to a specific UE; robust for slow-moving mobile devices.

Fading:
  • Slow fading (shadowing): caused by major obstructions in the propagation environment (the channel's coherence time is larger than its delay).
  • Fast fading (multipath; small-scale): caused by small movements of the mobile or of obstacles and by changes in the medium (the coherence time is smaller than the delay).


Duplexing (FDD and TDD) separates the uplink from the downlink.


Multiple access schemes share the channel among multiple users (CSMA also handles collision detection).


Compared with FDM, OFDM saves bandwidth (the subcarriers overlap but remain orthogonal).
Cyclic prefix: the tail of each OFDM symbol is repeated in front of it, so that multipath delay spread does not cause inter-symbol interference.





for LTE: 


UE (User Equipment): the Mobile Terminal (MT, with the SIM card) plus the Terminal Equipment (TE).
  • MT: handles the radio interface, wireless network access and data transmission in general. It therefore supports the following functions:
    1. Transmission and reception of data and signalling over the radio interface.
    2. Authentication and registration to the UMTS network.
    3. Management (including creation, de-activation and modification) of PDP (Packet Data Protocol) contexts on request from a TE.
    4. Session control.
    5. Support of radio mobility functions, such as the handover.



  • TE: the part the end user has access to; it supports all functions related to user applications and interfaces. It contains the following features:
    1. Control of application-related hardware functions, such as speaker, microphones, video cameras, displays, etc.
    2. Support of user applications and services, such as email client, Web-browsing client, instant-messaging client, etc.
    3. Support of application-related protocol and session-management functions (for IMS-based applications, this includes protocol stacks like SIP, SDP and RTP).


Sunday, September 2, 2012

types of messaging

1. email
sender -> sender's SMTP server (forwards) -> receiver's SMTP server -> POP3 server (stores) -> receiver retrieves

2. paging

Paging typically involves a caller dialing a telephone number associated with the intended recipient of the page. Once connected to the paging terminal, the person sending the page can enter a message that will be sent to the pager. When the message is complete, the paging terminal converts the message into a pager code and sends it to a series of transmitters to which it is connected. These transmitters then send out the message as a radio signal throughout the entire coverage area. Every pager within this area on the particular frequency will receive the message, but only the pager with the proper code (the intended recipient) will be alerted. In essence, the pager works much like an FM receiver.

3. SMS
4. EMS
Enhanced Messaging Service: an extension of SMS that can carry sounds, animations and pictures.

5. MMS (Multimedia Messaging Service)

6. instant messaging

7. HDML Notifications
HDML notifications (alerts) use two channels: the push channel and the pull channel. On packet-switched networks all data transmissions are treated the same, allowing push delivery of information regardless of its size. Circuit-switched networks, on the other hand, use SMS to deliver asynchronous messages, which prevents the HDML gateway from delivering messages that exceed the SMS size limit. In all cases the push channel is meant for time-sensitive material, using only alert or cache operations. The pull channel is better suited to data that is not critical and to preloading content into the microbrowser.
Once an alert is sent to the HDML gateway, it is queued for delivery. The length of time it spends in the gateway's queue depends on the following information:
  • For all push notifications and for pull notifications on packet-switched networks, the gateway will attempt to deliver the message immediately. If the destination phone is unavailable, the gateway will keep the message in its queue and reattempt to deliver it periodically. If the message TTL is exceeded, it will be removed from the queue.
  • For pull notifications on circuit-switched networks, the message will remain in the queue until the destination phone opens up a circuit. At this time, the message will be sent to the user for viewing. If the message TTL is exceeded, it will be removed from the queue.
HDML notifications provide a powerful way to push content to wireless users. In North America, where HDML is still widely used, these notifications are often the only option available for push services. However, because HDML notifications are a proprietary messaging technology developed by Openwave, they are only supported in Openwave microbrowsers. As HDML gateways are replaced by WAP gateways, and HDML handsets are replaced by WAP handsets, HDML notifications will gradually give way to WAP Push for push messaging capabilities.

8. WAP push

  • Push Initiator (PI). The PI is an application that pushes the content and delivery instructions to the Push Proxy Gateway (PPG). It typically runs on a standard Web server and communicates with the PPG using the Push Access Protocol (PAP).
  • Push Proxy Gateway (PPG). The PPG does most of the work in the push framework. Its main responsibility is delivering push content to the WAP client. In doing so, it may have to translate the client address into a format understood by the wireless carrier. The PPG is also the location where messages are stored when they cannot be immediately delivered to the client. It also maintains the status of each message, allowing the PI to cancel, replace, and request the current status of a message. The PPG uses the Push Over-the-Air (OTA) Protocol to deliver push content over a wireless network.
    To send a WAP Push message, the PI must have two sets of information about the destination: the domain of the PPG and the client address. An arbitrary text string, such as an email address, can be used to identify the client. The PPG is then responsible for translating the string into a format that is understood by the mobile network.
  • WAP client. The WAP client is typically a wireless device that contains a WAP microbrowser capable of receiving WAP Push content. This is where the user is able to view the content that was pushed from the PPG using the Push OTA Protocol.
9. application to application messaging
This client application communicates directly back to the messaging server, without going through a gateway from the wireless carrier. This eliminates the requirement of having to communicate with SMSC or MMSC servers. Instead, the client application communicates directly to the messaging server—hence the name application-to-application messaging.
The vendor can choose the communication protocols to use, along with the compression techniques and security features. It is recommended that you select a solution that addresses all of these issues and is well suited to wireless communication networks: a suitable transport protocol, such as the User Datagram Protocol (UDP), with built-in message compression and integrated security, including data encryption and user authentication.
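Because UDP itself provides no compression, authentication or replay protection, an application-to-application messaging layer has to supply them. The following Python is an added example (not from the text or any vendor's product) of a minimal datagram format doing that with the standard library: zlib compression, an HMAC-SHA256 tag, a sequence number that the receiver refuses to accept twice, and a cap on the decompressed size. The frame layout, the MAGIC value and the key are constructed for the demo; encryption is left out here and would be added with an AEAD cipher in a real design.

```python
import hashlib
import hmac
import struct
import zlib

# Added example, not from the original text: a minimal authenticated,
# compressed datagram format for application-to-application messaging over
# UDP.  The frame layout, MAGIC value and key are constructed for the demo;
# encryption is omitted (a real design would add an AEAD cipher here).

MAGIC = b"A2A1"          # constructed frame identifier
TAG_LEN = 32             # HMAC-SHA256 tag length


def pack(key, seq, payload):
    """Build one datagram: MAGIC | 64-bit sequence | zlib(payload) | HMAC tag."""
    body = MAGIC + struct.pack(">Q", seq) + zlib.compress(payload)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Verifies, de-duplicates and decompresses datagrams from one peer."""

    def __init__(self, key, max_plain=64 * 1024):
        self.key = key
        self.last_seq = -1           # highest sequence number accepted so far
        self.max_plain = max_plain   # cap on decompressed size

    def unpack(self, datagram):
        if len(datagram) < len(MAGIC) + 8 + TAG_LEN:
            raise ValueError("short datagram")
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        # Authenticate before doing anything else with the bytes, so that an
        # unauthenticated sender cannot make us decompress or parse its data.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC")
        if body[:4] != MAGIC:
            raise ValueError("bad magic")
        seq = struct.unpack(">Q", body[4:12])[0]
        if seq <= self.last_seq:
            raise ValueError("replayed or stale sequence number %d" % seq)
        # Bound the decompressed size: a tiny compressed blob can expand
        # enormously, so ask zlib for at most max_plain + 1 bytes and reject
        # anything that reaches the extra byte.
        d = zlib.decompressobj()
        plain = d.decompress(body[12:], self.max_plain + 1)
        if len(plain) > self.max_plain:
            raise ValueError("decompressed size exceeds %d bytes" % self.max_plain)
        self.last_seq = seq
        return seq, plain


if __name__ == "__main__":
    import socket
    key = b"constructed-demo-key-32-bytes!!!"   # demo key only
    rx = Receiver(key)
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.sendto(pack(key, 1, b"status:ok " * 50), srv.getsockname())
    print(rx.unpack(srv.recv(65535)))
```

The strictly increasing sequence number means a datagram that arrives out of order is dropped rather than accepted late; a production design would use a sliding replay window instead, but the ordering of the checks (MAC first, then framing, then replay, then bounded decompression) is the part worth copying.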



Saturday, September 1, 2012

Interesting: sniffing packets

Adding a hub (rather than a switch) lets a capture host see the packets of the entire segment, because a hub repeats every frame to every port.

SMS


The SMSC (Short Message Service Center) is the entity that does the job of storing and forwarding messages to and from the mobile station. The SME (Short Message Entity), which can be located in the fixed network or in a mobile station, receives and sends short messages.
The SMS-GMSC (SMS gateway MSC) is a gateway MSC that can also receive short messages. The gateway MSC is a mobile network's point of contact with other networks. On receiving the short message from the short message center, the GMSC uses the SS7 network to interrogate the current position of the mobile station from the HLR, the home location register.
The HLR is the main database in a mobile network. It holds the subscription profile of the mobile and also the routing information for the subscriber, i.e. the area (covered by an MSC) where the mobile is currently situated. The GMSC is thus able to pass the message on to the correct MSC.
The MSC (Mobile Switching Center) is the entity in a GSM network that does the job of switching connections between mobile stations or between mobile stations and the fixed network.
A VLR (Visitor Location Register) corresponds to each MSC and contains temporary information about the mobile, such as the mobile identification and the cell (or group of cells) where the mobile is currently situated. Using information from the VLR, the MSC is able to switch the information (the short message) to the corresponding BSS (Base Station System, BSC + BTSs), which transmits the short message to the mobile. The BSS consists of transceivers, which send and receive information over the air interface to and from the mobile station. This information is passed over the signaling channels, so the mobile can receive messages even while a voice or data call is in progress.

Wednesday, August 15, 2012

Next Generation Firewall



• Identify applications, not ports. Identify the application, irrespective of protocol, encryption, or evasive tactic and use the identity as the basis for all security policies.
• Identify users, not IP addresses. Employ user and group information from enterprise directories for visibility, policy creation, reporting, and forensic investigation—no matter where the user is located.
• Block threats in real time. Protect against the entire lifecycle of an attack, including dangerous applications, vulnerabilities, malware, high-risk URLs, and a wide array of malicious files and content.
• Simplify policy management. Safely and securely enable applications with easy-to-use graphical tools and a unified policy editor.
• Enable a logical perimeter. Secure all users, including traveling or telecommuting users, with consistent security that extends from the physical to the logical perimeter.
• Deliver multi-gigabit throughput. Purpose-built hardware and software combine to deliver low-latency, multi-gigabit performance with all services enabled.

App-ID: Classifying All Applications, All Ports, All the Time
Accurate traffic classification is the heart of any firewall, and its result becomes the basis of the security policy. Traditional firewalls classify traffic by port and protocol, which at one point was a satisfactory mechanism for securing the network. Today, applications can easily bypass a port-based firewall: hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. App-ID addresses the traffic classification visibility limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream, as soon as the firewall sees it, to determine the exact identity of the applications traversing the network.
Unlike add-on offerings that rely solely on IPS-style signatures, implemented after port-based classification, every App-ID automatically uses up to four different traffic classification mechanisms to identify the application. App-ID continually monitors the application state, re-classifying the traffic and identifying the different functions that are being used. The security policy determines how to treat the application: block, allow, or securely enable (scan for, and block embedded threats, inspect for unauthorized file transfer and data patterns, or shape using QoS).

User-ID: Enabling Applications by Users and Groups
Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and computing means that IP addresses alone have become ineffective as a mechanism for monitoring and controlling user activity. User-ID allows organizations to extend user- or group-based application enablement policies across Microsoft Windows, Apple Mac OS X, Apple iOS, and Linux users.
User information can be harvested from enterprise directories (Microsoft Active Directory, eDirectory, and Open LDAP) and terminal services offerings (Citrix and Microsoft Terminal Services) while integration with Microsoft Exchange, a Captive Portal, and an XML API enable organizations to extend policy to Apple Mac OS X, Apple iOS, and UNIX users that typically reside outside of the domain.
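The App-ID and User-ID ideas above fit together in one policy decision: identify the application from the flow's content rather than its port, resolve the source IP to a user from logon events, and then match a rule table keyed on (group, application). The Python below is an added example illustrating that decision, not the vendor's code; the payload signatures, the logon log format, the users, groups, IP addresses and rules are all constructed for the demo.

```python
import re
from datetime import datetime, timedelta

# Added example, not taken from the page or from any vendor's product: a
# miniature "App-ID + User-ID" policy decision.  Application identity comes
# from payload inspection, user identity from logon events, and the rule
# table is keyed on (group, application) instead of (IP, port).  Users,
# groups, IPs, log format and rules are all constructed for the demo.

PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl"}
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS"}


def classify_by_port(dst_port):
    """The traditional firewall view: port number == application."""
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_content(payload):
    """Look at the first bytes of the flow instead of the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"                                       # SSH identification string
    if (len(payload) >= 6 and payload[0] == 0x16             # TLS record: handshake
            and payload[1] == 0x03 and payload[5] == 0x01):  # handshake type: ClientHello
        return "ssl"
    request_line = payload.split(b"\r\n", 1)[0].split(b" ")
    if (len(request_line) == 3 and request_line[0] in HTTP_METHODS
            and request_line[2].startswith(b"HTTP/")):
        return "web-browsing"
    return "unknown"


LOGON_RE = re.compile(r"^(?P<ts>\S+) logon user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def build_ip_user_map(logon_lines, now, max_age=timedelta(hours=8)):
    """IP -> user from chronologically ordered logon events; stale ones expire."""
    mapping = {}
    for line in logon_lines:
        m = LOGON_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if now - ts > max_age:
            continue                                 # mapping too old to trust
        mapping[m["ip"]] = m["user"]                 # latest logon for the IP wins
    return mapping


GROUPS = {"alice": "engineering", "bob": "contractors"}   # constructed directory
RULES = [                                                 # first match wins, default deny
    ("engineering", "ssh", "allow"),
    ("engineering", "web-browsing", "allow"),
    ("contractors", "web-browsing", "allow"),
]


def decide(src_ip, payload, ip_user):
    """Return (user, application, action) for one new session."""
    app = classify_by_content(payload)
    user = ip_user.get(src_ip, "unknown-user")
    group = GROUPS.get(user, "unknown-group")
    for rule_group, rule_app, action in RULES:
        if rule_group == group and rule_app == app:
            return user, app, action
    return user, app, "deny"


LOGONS = [   # constructed agent/directory events, oldest first
    "2012-09-02T20:00:00Z logon user=carol ip=10.1.2.5",
    "2012-09-03T08:00:00Z logon user=alice ip=10.1.2.3",
    "2012-09-03T08:05:00Z logon user=bob ip=10.1.2.4",
]
NOW = datetime.fromisoformat("2012-09-03T09:00:00+00:00")

if __name__ == "__main__":
    ip_user = build_ip_user_map(LOGONS, NOW)
    http_on_8080 = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
    ssh_on_443 = b"SSH-2.0-OpenSSH_5.9\r\n"
    for src, port, payload in [("10.1.2.3", 8080, http_on_8080),
                               ("10.1.2.4", 443, ssh_on_443),
                               ("10.1.2.3", 443, ssh_on_443),
                               ("10.1.2.5", 80, http_on_8080)]:
        print(src, port, "port says", classify_by_port(port),
              "| decision", decide(src, payload, ip_user))
```

Two of the sample flows show why port-based classification fails: HTTP on port 8080 is "unknown" by port but web browsing by content, and an SSH session on port 443 is "ssl" by port but SSH by content, which is what lets the contractor's SSH attempt be denied. Carol's mapping has aged out, so traffic from her old address falls back to the default deny instead of inheriting a stale identity.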

Content-ID: Protecting Allowed Traffic
Many of today’s applications provide significant benefit, but are also being used as a delivery tool for modern malware and threats. Content-ID, in conjunction with App-ID, provides administrators with a two-pronged solution to protecting the network. After App-ID is used to identify and block unwanted applications, administrators can then securely enable allowed applications by blocking vulnerability exploits, modern malware, viruses, botnets, and other malware from propagating across the network, all regardless of port, protocol, or method of evasion. Rounding out the control elements that Content-ID offers is a comprehensive URL database to control web surfing and data-filtering features.

Monday, August 13, 2012

The Ultra-Secure Network Architecture


The diagram below represents the base-level ultra-secure network architecture, which meets all regulatory requirements and limits the likelihood of information being obtained as long as all of the architectural components are properly managed, maintained and monitored. Although it employs a number of layers of security implemented through a variety of security measures, no system can provide absolute protection of your information. Only through constant vigilance can the system be properly secured.
Multiplication and Management are Key
Ultra-secure architecture relies on multiple network and application firewalls. This reduces the threat from application-based attacks such as injections, buffer overflows and other application-focused attacks that traditional network firewalls often neither detect nor handle.
Also, the architecture uses two DMZs: one is available to the Internet (public) and the other is private. The servers in the public DMZ contain only application user-interface logic without any application processing logic. The servers in the private DMZ contain the actual application processing logic and links to internal systems for additional processing capabilities. Also, notice that the servers in the public DMZ are isolated from the systems with the application logic in the private DMZ. This allows the organization to make more defined rules for accessing the application logic so that application-based attacks do not work.
The ultra-secure architecture also uses two internal LANs: the internal LAN containing the employee-accessible servers and systems that do not store sensitive information and a secure LAN containing servers with encrypted information that could be used for identity theft or other frauds (credit card numbers, checking account numbers, check images, etc.). Finally, default ports for HTTP and HTTPS (tcp/80 and tcp/443) are used in the public DMZ and non-standard tcp and udp ports are used for all other connections to necessary services. This reduces the possibility of outside attackers accidentally identifying information assets through standard port injection attacks.
All components are maintained via a complete management and monitoring system implemented in a protected management LAN. This consists of intrusion detection/prevention system(s), Domain Name Services, Kerberos servers, time server(s) and system log (syslog) server(s). All of these servers are also firewalled from the DMZs and the secure LAN to allow for better control and protection. Users of your Web applications can process through the private DMZ or process through the public DMZ, depending on the applications.
Ultra-Secure Architecture Security Configuration
The following are the foundational architecture components for protecting the various systems, but the configuration, interaction and management of these components are what secure and monitor the architecture.
Intrusion-Detection System(s)
Ultra-secure architecture implements both network-based and host-based intrusion-detection system(s), and the key is implementing and properly managing and monitoring them. At a minimum, a network-based intrusion-detection system (NIDS) monitors all critical subnets in the DMZs and secure LAN. This will allow for the detection of any network-based attacks or unexpected network traffic anomalies. Additional NIDSs can be placed on other network segments, but this may result in significant amounts of tuning to minimize false positive alerts and other issues, since this network is not strictly controlled.
In addition to the NIDS, a host-based intrusion-detection system (HIDS) is implemented on all servers in the DMZs, all servers in the secure LAN and any servers that process sensitive information in the internal LAN. These HIDSs will detect file changes, brute force attacks or other attacks focused on a specific server. All of the NIDSs and HIDSs send information back to an intrusion-detection console system in the management LAN for tracking and monitoring.
Time Server
An often overlooked but important server is a time server that ensures the proper functioning and analysis of information stored in the syslog server(s). Determining what time standard to use on your network is vital. For large, international organizations, all network infrastructure devices such as routers, switches, firewalls, servers, etc., usually use Coordinated Universal Time (UTC), which is the same as Greenwich Mean Time. A single, consistent time zone and time-keeping method for all devices becomes critical when diagnosing or identifying an attack that may be occurring against multiple devices in different parts of the network. Using UTC allows all events to be shown in the same timeframe without having to perform time zone conversions.
System Log Server(s)
These often overlooked servers capture system log (syslog) information from all infrastructure devices such as firewalls, routers, switches, servers and other critical operation systems.
Syslog servers can be implemented in pairs; however, because these devices collect a large volume of information, coordinating that volume between two servers can create a problem. Therefore, organizations typically have only a 1U server attached to a large Network-Attached Storage (NAS) through a storage area network (SAN) device so that a large amount of storage is available. All critical devices must be transmitting their syslog information to the server for recording and further analysis. These critical systems should be logging as many successful and failed events as possible. Only then can a complete picture of events be maintained for analysis and diagnostic purposes.
Firewalls
The configuration of the network and application firewalls is critical. Rules must be configured to restrict and control both inbound and outbound communications. For example, the network firewall in the public DMZ would be configured for only inbound and outbound tcp 80 and 443 traffic to the respective IP addresses of the HTTP or HTTPS servers. All other ports and protocols would be closed, as they are not needed. Between the public DMZ and the private DMZ, in the example only port 62134 should be open to restrict communication to the IP addresses of the servers involved. Between the private DMZ and the internal LAN, only ports required to communicate to the various servers should be open and restricted to the specific IP addresses of those servers. Likewise, only the port necessary to gain access to the SQL server should be open and restricted to only that IP address for the firewall between the internal LAN and the secure LAN.
The application firewalls must be configured to correspond to the various Web-based applications being executed. Unlike their network firewall brethren, specific rule recommendations are difficult, if not impossible, to make for these devices because of the wide variety of application protocols and implementations. However, in general terms, all attacks that involve misuse of the various application protocols should be blocked.
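The network-firewall rules described above (Internet to public DMZ on tcp/80 and tcp/443 only, public to private DMZ on tcp/62134 only, and so on down to the SQL server in the secure LAN) can be written down as data and checked. The Python below is an added example of such a default-deny evaluator, not the article's own material; the subnets follow the addressing scheme the article suggests later (10.x internal, 192.168.x management, 172.16-31.x DMZs), while the host addresses and the 8443 and 1433 ports are assumed for the demo.

```python
import ipaddress

# Added example (not from the article): the zone-to-zone rule set described
# above, expressed as data and checked by a small default-deny evaluator.
# Subnets and host addresses are constructed; tcp/80, tcp/443 and tcp/62134
# are the values given in the text, 8443 and 1433 are assumed.

ZONES = {   # non-overlapping, so lookup order does not matter
    "public-dmz":   ipaddress.ip_network("172.16.1.0/24"),
    "private-dmz":  ipaddress.ip_network("172.16.2.0/24"),
    "internal-lan": ipaddress.ip_network("10.1.0.0/16"),
    "secure-lan":   ipaddress.ip_network("10.99.0.0/16"),
    "management":   ipaddress.ip_network("192.168.100.0/24"),
}

WEB_SERVERS = {"172.16.1.10", "172.16.1.11"}   # public DMZ: UI logic only
APP_SERVERS = {"172.16.2.10"}                  # private DMZ: processing logic
INTERNAL_SERVERS = {"10.1.0.20"}
SQL_SERVERS = {"10.99.0.5"}                    # secure LAN: encrypted data

# (source zone, destination zone, protocol, destination port, allowed hosts)
RULES = [
    ("internet",     "public-dmz",   "tcp", 80,    WEB_SERVERS),
    ("internet",     "public-dmz",   "tcp", 443,   WEB_SERVERS),
    ("public-dmz",   "private-dmz",  "tcp", 62134, APP_SERVERS),
    ("private-dmz",  "internal-lan", "tcp", 8443,  INTERNAL_SERVERS),   # assumed port
    ("internal-lan", "secure-lan",   "tcp", 1433,  SQL_SERVERS),        # assumed SQL port
]


def zone_of(ip):
    """Map an address to its zone; anything outside the known subnets is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def permitted(src_ip, dst_ip, proto, dst_port):
    """True only if an explicit rule allows this new connection (default deny)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_proto, rule_port, hosts in RULES:
        if ((rule_src, rule_dst, rule_proto, rule_port)
                == (src_zone, dst_zone, proto, dst_port) and dst_ip in hosts):
            return True
    return False


def reachable_zones(src_zone):
    """Zones a given zone can open connections into (a quick audit view)."""
    return sorted({dst for src, dst, *_ in RULES if src == src_zone})


if __name__ == "__main__":
    checks = [
        ("203.0.113.7", "172.16.1.10", "tcp", 443),     # Internet -> web server HTTPS
        ("203.0.113.7", "172.16.1.10", "tcp", 22),      # Internet -> web server SSH
        ("203.0.113.7", "172.16.2.10", "tcp", 62134),   # Internet -> app server directly
        ("172.16.1.10", "172.16.2.10", "tcp", 62134),   # web -> app on the agreed port
        ("172.16.1.10", "10.99.0.5",   "tcp", 1433),    # public DMZ -> secure LAN
        ("10.1.0.20",   "10.99.0.5",   "tcp", 1433),    # internal -> SQL server
    ]
    for c in checks:
        print(c, "ALLOW" if permitted(*c) else "DENY")
    print("internet can reach:", reachable_zones("internet"))
```

The evaluator only models new connections; a real stateful firewall also admits the return packets of an allowed session. The audit helper makes the layering visible: the Internet can reach only the public DMZ, and the public DMZ only the private DMZ, so a compromised web server has a single port to the next tier and no path at all to the secure LAN.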
Domain Name Service (DNS) Servers
These servers are purely for internal use only. Any external requests for DNS should be forwarded to your Internet service provider’s (ISP) DNS servers for resolution or further forwarding.
Because of the threats to DNS servers, it is always preferable to use your ISP’s DNS servers for your public DNS. While this can create timing issues with DNS changes, once an eCommerce system has been implemented and placed into production, DNS changes are typically rare.
Secure LAN Server(s) 
Servers located in the secure LAN provide their own level of security by storing only encrypted information. But this is just part of the story. The key to securing servers in the secure LAN is employing the “roach motel” concept: Information flows in, is encrypted and stored, but it does not flow out without an act of God.
In addition, an extremely limited number of system and network administration and application processes have access to these servers and the secure LAN. Application processes with access to these servers are restricted and monitored to ensure that only appropriate information flows are processed.
When approved, information is decrypted for processing needs. Those outflows are severely restricted, documented in detail, restricted by firewalls, and monitored and approved by management.
Kerberos Servers
These servers are the final key in creating an ultra-secure architecture. If you are not familiar with Kerberos, you should learn about it as soon as possible, as it will likely become vital to the overall security of your network. To work properly, Kerberos servers must be implemented in pairs for redundancy. According to the Massachusetts Institute of Technology (MIT) Kerberos Web site, Kerberos "uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business."
All servers used in the application process should use Kerberos to authenticate to one another. In addition, if possible, every individual application transaction session should generate its own Kerberos keys so that sessions are individually secured and encrypted.
Using Kerberos servers minimizes the possibility of man-in-the-middle attacks, packet sniffing and session hijacking, and it provides that extra level of security by encrypting all communications between systems. So, even if an attacker finds some way into the internal network, all communication is secured and encrypted.
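To make the mechanism concrete, here is an added toy model of the Kerberos ticket and authenticator exchange in Python. It is not MIT Kerberos and does not interoperate with any real implementation: the "cipher" is a SHA-256 keystream with an HMAC tag standing in for the real encryption types, and all principals and keys are constructed for the demo. What it does show is the property the article relies on: a service can accept a ticket it never issued because only the KDC and the service share the service key, the client proves it holds the session key with a fresh timestamped authenticator, the service proves it could read the ticket by answering with timestamp + 1, and a replayed or stale authenticator is rejected.

```python
import hashlib
import hmac
import json
import os
import time

# Added example, not from the article and not MIT Kerberos: a toy version of
# the Kerberos ticket / authenticator exchange.  The "cipher" (SHA-256
# keystream + HMAC) and all keys are constructed for the demo.

SKEW = 300   # tolerated clock skew in seconds (real Kerberos defaults to 5 minutes)


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption of a JSON-able dict (encrypt-then-MAC)."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def unseal(key, blob):
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


class KDC:
    """Holds every principal's long-term key and mints session keys."""

    def __init__(self, keys):
        self.keys = keys

    def issue(self, client, service, now, lifetime=8 * 3600):
        session = os.urandom(32).hex()
        expires = now + lifetime
        # Ticket: readable only by the service.  Reply: readable only by the client.
        ticket = seal(self.keys[service], {"client": client, "session": session, "expires": expires})
        reply = seal(self.keys[client], {"service": service, "session": session, "expires": expires})
        return reply, ticket


class Service:
    def __init__(self, key):
        self.key = key
        self.seen = set()   # replay cache of (client, timestamp) pairs

    def accept(self, ticket, authenticator, now):
        """Verify a client; return the mutual-auth reply and the session key."""
        t = unseal(self.key, ticket)                 # proves the KDC issued it
        if now > t["expires"]:
            raise ValueError("ticket expired")
        session = bytes.fromhex(t["session"])
        a = unseal(session, authenticator)           # proves the client holds the session key
        if a["client"] != t["client"]:
            raise ValueError("authenticator name does not match ticket")
        if abs(now - a["ts"]) > SKEW:
            raise ValueError("authenticator outside allowed clock skew")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return seal(session, {"ts": a["ts"] + 1}), session


def client_login(kdc, client, client_key, service, now):
    """Client side: obtain a ticket, then build a fresh authenticator."""
    reply, ticket = kdc.issue(client, service, now)
    session = bytes.fromhex(unseal(client_key, reply)["session"])
    authenticator = seal(session, {"client": client, "ts": now})
    return ticket, authenticator, session


def run_exchange(now=None):
    """Full round trip; returns (mutual_auth_ok, service, ticket, authenticator)."""
    now = int(time.time()) if now is None else now
    keys = {"alice": os.urandom(32), "app-server": os.urandom(32)}   # constructed
    kdc, svc = KDC(keys), Service(keys["app-server"])
    ticket, auth, session = client_login(kdc, "alice", keys["alice"], "app-server", now)
    ap_rep, _ = svc.accept(ticket, auth, now)
    ok = unseal(session, ap_rep)["ts"] == now + 1   # server proved it could read the ticket
    return ok, svc, ticket, auth


if __name__ == "__main__":
    print("mutual authentication:", run_exchange()[0])
```

The clock-skew check is where the time server from the earlier section matters: if the client and service clocks drift apart by more than SKEW seconds, every authenticator is rejected as stale, which is a common operational failure in real Kerberos deployments.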
Enhancements to the Ultra-Secure Architecture
A number of enhancements would increase the level of security given by the base-level ultra-secure application architecture. These enhancements, which add even more security layers to the basic ultra-secure architecture, could be implemented by companies with a greater concern for security.
Use of Multiple Subnets
The use of multiple IP subnets with the management LAN has already been referred to. However, multiple IP subnets could be used in each of the other four discrete networks as well. Each of the DMZs could have its own IP subnets that do not reflect any other internally used subnets (i.e., if the 10.x.x.x subnet is used internally and the 192.168.x.x subnet is used for the management LAN, the DMZs should use IP addresses in the 172.16-31.x.x subnet). The secure LAN should also have its own IP subnet that does not reflect any other internally used subnet.
While the use of multiple IP subnets will increase the amount of routing and the complexity of your network architecture, it also significantly reduces the likelihood that an attacker can readily gain access to systems and allows you to better implement and fine-tune your network monitoring activities.
The use of multiple IP subnets in conjunction with some of the other enhancements mentioned here will strengthen your security posture even further.
Use of Virtual Local Area Networks (VLAN)
VLANs logically segregate network traffic and can be used as part of your security program to segregate traffic based on the risk presented.
In the ultra-secure architecture, VLANs can be created for operational control and for monitoring and segregating Internet-originated traffic and transactions from internal traffic. VLAN1, the default VLAN for most switches, is recommended for the operational control and monitoring function. Only network, system and security administration personnel should have access to this VLAN. VLAN1 should use only static IP addressing, which should not reflect the IP addressing scheme used by any other network. Since most servers come with dual network interface cards (NICs), one of these NICs can be configured to use only VLAN1. This allows the server to be monitored and controlled over a secure network to which only network and system administration personnel have access.
Other VLANs can be established for Voice over IP (VoIP), ultra-secure architecture network traffic, internal LAN traffic, and secure wireless and unsecured wireless, among other things. The key to good VLAN implementations is to rigorously plan your VLANs based on security, risk, network traffic, quality of service (QoS) and other considerations. A good VLAN plan leads to a flexible, reliable and secure networking environment.
VLANs have received a lot of press regarding the ways they can be circumvented through various attacks. All of these attacks are based on misconfigurations of the VLAN. Properly configured with the appropriate access control lists (ACL), VLANs can be a secure part of a network’s security posture.
Use of Virtual Machine (VM) Technology
This is a relatively new approach to improving your security posture, and it can provide some interesting possibilities.
The most widely known commercial VM software solution is VMware from EMC, but Microsoft also offers a solution through Virtual PC. Other virtualization solutions are available for Linux platforms from SourceForge and other open-source projects.
Briefly, VM introduces the ability to run multiple, logical, discrete operating systems (OS) on a single physical computer system or a cluster of computer systems. VMware can run on Windows or Linux hosts (GSX), or it can provide its own host environment for its Enterprise solution (ESX). Interestingly, some VMware users running in the Linux environment report that Windows VMs actually run faster than their native counterparts do on similar systems.
To enhance the ultra-secure architecture, VM would allow the HIDS to drop and reboot a server at will. If an HIDS indicates that a server has become corrupted or tampered with, the HIDS can be configured to automatically reboot the server. At the same time, a second hot-swappable image can be running on the same physical system and take over for the corrupted system. The rebooted system restarts from a known uncorrupted image and is then placed back in service. As a result, should an attacker corrupt the server, any rootkits or other unauthorized software are automatically wiped out because the server always reboots from a clean, known image.
Syslog/IDS/IPS Correlation Engine
The final potential enhancement to the ultra-secure architecture is the implementation of a syslog/IDS/IPS correlation engine application. As the name implies, these systems look for patterns in all syslog information and alert information (from IDS/IPS and SNMP) that could indicate an attack or a network anomaly that should be investigated. Because of the complexity involved in setting appropriate rules for such correlation engines, this is not a task for the faint of heart; it requires a significant amount of planning and monitoring of information to develop feasible rules. However, once implemented, these systems can significantly reduce the number of alerts and other "chaff," so that network and security administration personnel can focus on the more likely threats and anomalies rather than on all the possible alerts and anomalies that occur in a normal network.
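As an added illustration of what such a correlation engine does (not from the article, and far smaller than a real product), the Python below runs three rules over constructed syslog lines: repeated failed logons from one source address, a successful logon from that source right after the failures, and a HIDS file-change alert on a host shortly after a NIDS alert against that host's address. It first converts every timestamp to UTC, which is exactly why the time-server section above insists on one time base: the first three sample lines carry three different UTC offsets and are only 39 seconds apart once normalised. Host names, addresses, message formats, windows and thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not from the article: a small correlation engine run over
# constructed syslog lines.  Timestamps are normalised to UTC first, then
# three rules are applied.  Hosts, addresses, formats and thresholds are
# constructed for the demo.

HOST_IPS = {"web1": "172.16.1.10", "web2": "172.16.1.11", "app1": "172.16.2.10"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
NIDS_RE = re.compile(r"nids: .* (?P<src>\S+) -> (?P<dst>\S+)$")
HIDS_RE = re.compile(r"hids: file changed (?P<path>\S+)")

SAMPLE_LOGS = [   # constructed; note the mixed UTC offsets on the first three lines
    "2012-08-13T09:00:01+00:00 web1 sshd[2201]: Failed password for admin from 203.0.113.9 port 40001 ssh2",
    "2012-08-13T11:00:20+02:00 web2 sshd[3310]: Failed password for admin from 203.0.113.9 port 40002 ssh2",
    "2012-08-13T02:00:40-07:00 app1 sshd[1190]: Failed password for admin from 203.0.113.9 port 40003 ssh2",
    "2012-08-13T09:00:50+00:00 app1 sshd[1190]: Accepted password for admin from 203.0.113.9 port 40004 ssh2",
    "2012-08-13T09:05:10+00:00 nids1 nids: [1:2001] suspicious payload 203.0.113.9 -> 172.16.2.10",
    "2012-08-13T09:08:30+00:00 app1 hids: file changed /etc/passwd",
    "2012-08-13T09:30:00+00:00 web1 sshd[2300]: Failed password for bob from 198.51.100.4 port 50000 ssh2",
]


def parse(line):
    """Split one line and convert its timestamp to UTC (one time base for all hosts)."""
    m = LINE_RE.match(line)
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "host": m["host"], "msg": m["msg"]}


def correlate(lines, fail_threshold=3, fail_window=timedelta(seconds=60),
              hids_window=timedelta(minutes=10)):
    """Return a list of (utc_iso_timestamp, rule, detail) alerts."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    alerts, failures, nids_hits = [], defaultdict(list), defaultdict(list)
    for e in events:
        ts, msg = e["ts"], e["msg"]
        m = FAILED_RE.search(msg)
        if m:
            recent = [t for t in failures[m["src"]] if ts - t <= fail_window] + [ts]
            failures[m["src"]] = recent
            if len(recent) == fail_threshold:            # fire once per burst
                alerts.append((ts.isoformat(), "brute-force",
                               "%d failures from %s within %ds"
                               % (len(recent), m["src"], fail_window.seconds)))
            continue
        m = ACCEPTED_RE.search(msg)
        if m and any(ts - t <= fail_window for t in failures[m["src"]]):
            alerts.append((ts.isoformat(), "success-after-failures",
                           "%s logged in as %s after repeated failures" % (m["src"], m["user"])))
            continue
        m = NIDS_RE.search(msg)
        if m:
            nids_hits[m["dst"]].append(ts)
            continue
        m = HIDS_RE.search(msg)
        if m:
            ip = HOST_IPS.get(e["host"])                  # NIDS talks IPs, HIDS talks hostnames
            if any(timedelta(0) <= ts - t <= hids_window for t in nids_hits[ip]):
                alerts.append((ts.isoformat(), "possible-compromise",
                               "%s changed on %s shortly after a NIDS alert" % (m["path"], e["host"])))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(*alert)
```

On the sample data the engine reduces seven raw lines to three alerts and ignores the lone failure from 198.51.100.4; the third alert only exists because the host-to-address table lets it join a NIDS event (keyed by IP) with a HIDS event (keyed by hostname), which is the kind of cross-source rule the article has in mind.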
Ultra-secure network architecture is unavoidably complex, as its complexity creates security. McGladrey’s technology risk management team has extensive experience in assessing, developing and maintaining sound internal controls for clients in a variety of industries, and can help your organization comply with ever-changing information security and privacy regulations.

the future of network