Enhancing frontline security with DPI for radio access networks (RAN)

Christine Lorenz portrait

By Christine Lorenz
Published on: 15.08.2022

A mobile network enables wireless communications through radio waves transmitted via macro and small cells. From their earliest commercial deployment in the 1990s to the rapidly proliferating modern 5G networks, mobile networks have revolutionized remote and wireless communications by delivering ubiquitous connectivity with unprecedented speeds and latencies.

Radio access networks (RAN) are at the forefront of the advancements seen in the mobile connectivity space. While backhaul and backbone technologies play an essential role in passing bulk traffic from cell sites to the core network, it is the RAN that ensures seamless and reliable connectivity to roaming devices at up to 35 kilometers or more. It is also the RAN, made up of antennas, remote radio units, and baseband units, that are in charge of managing traffic at the last mile, deciding access, routing, and security implementations for every incoming voice call and data packet.

An easy target for cyberattacks

Radio access networks are as susceptible to network threats as any other part of a mobile network, and arguably more so. As the least obscure part of the network, RAN make an easy target for cybercriminals and saboteurs. They are an easy point of attack for physical tampering – from stealing batteries and radio equipment to launching frequency jamming attacks and misusing signaling messaging. As more cell sites dot towns and cities, perpetrators find themselves in close proximity of their targets, making these attack attempts virtually effortless. The deployment of small cells for network densification in recent years has also rapidly increased the physical attack surface of RAN. Femtocells and picocells, for example, are connected over third-party ADSL or FTTH connections that themselves may be poorly secured or controlled by parties not acting in the best interest of the operator.

As with any other network, securing Radio Access Networks requires network visibility and network intelligence. Advanced DPI engines such as R&S®PACE 2 and R&S®vPACE by ipoque, provide real-time deep insights into packet flows on IP networks. DPI software equips mobile operators and network security vendors with traffic visibility that helps them to monitor and secure a RAN. This allows operators to stay ahead of a range of security threats afflicting RAN.

Danger on the tower

Man-in-the-middle attacks, for example, take place when an attacker intercepts and alters messages between a sender and a receiver, while both parties think they are authentically communicating with each other. Rogue cell nodes are often used to initiate these attacks. Another form of attack is the distributed denial-of-service (DDoS) attack. In this type of attack, a server, an application, or a network function is flooded with traffic in a way that renders it dysfunctional. To do this, a number of devices called botnets simultaneously hit network infrastructure to overload it. DDoS attacks can hit RAN by flooding the antenna with decoy messages, overloading the radio unit with meaningless radio signals or by sending the BBU nonsensical digital signals.

Both man-in-the-middle and DDoS attacks reveal themselves through sudden volume and frequency changes in traffic patterns, covering traffic flows in both the user and control plane. Such cues, provided in real time by R&S®PACE 2 and R&S®vPACE, enable network operators to take the necessary steps to fight back and secure the network immediately.

Injection of malware into a mobile network with the aim of corrupting its servers, stealing data and using network resources is another security threat that is carried out via RAN. User devices infected by such malware in the form of viruses, bots and trojans can be used to infect operator servers or launch unauthorized actions such as sending premium-rated SMSs, to the detriment of the user device and also network capacity. Equipped with a vast library that contains weekly updated signatures of malicious and suspicious traffic patterns, both R&S®PACE 2 and R&S®vPACE can help RAN firewalls to identify and block such malware, even for encrypted traffic flows, before they penetrate deeper into the network.

New architectures, new threats

Virtualized RAN (vRAN) and the configuration of virtualized network functions (VNFs) introduce threats commonly associated with infrastructure sharing and lateral movement of traffic between virtual machines and containers. Open firewall ports or infected VM images for example, can result in attacks such as VM Sprawl, malware and ransomware. Such vulnerabilities are exacerbated in Cloud RAN (C‑RAN) deployments where security loopholes in the data center, the cloud, containers or open source applications can lead to major impairment in network performance, potential data breaches and loss of valuable data. Examples of such attacks are worms in malicious container images, rootkits and application code errors. In these scenarios, our VPP DPI engine R&S®vPACE, which is optimized for cloud computing environments, can be used to identify traffic irregularities including disparities in speed, latency, jitter, and packet loss across unlimited packet flows at very high speeds for continuous and highly reliable tracking of malicious activity.

The implementation of Open RAN (O-RAN), which introduces vulnerabilities inherent in multi-vendor architectures such as poorly configured or unsecured APIs and differentiated, sometimes conflicting access and user rights, compounds threats from vRAN and C-RAN. By flagging suspicious hosts, addresses and applications based on traffic abnormalities and real-time identification of risk traffic sources, DPI software can be used to implement stricter authentication rules for O-RAN, including zero-trust policies which limit the perimeter within which threats can play out. This includes protection against adversarial machine learning (ML) attacks which aim to trick ML systems by providing deceptive inputs. While the best defenses against such attacks involve using ML itself to make systems resistant to adversarial attacks ex-ante, DPI can help to spot anomalies in traffic patterns and data packet payloads that may be indicative of such deceptive input.

Granular network monitoring

As networks grow, so do their security complexities. 5G for instance, despite containing user traffic in isolated network slices, may still experience highly contagious attacks due to shared VNFs. Such flaws can lead to the evolution of newer and more elusive attacks on networks. Granular and highly accurate network insights by DPI are, therefore, needed to form the fundamental intelligence layer capable of monitoring, reporting and securing every packet traversing RAN, delivering the best defense for every cell site out there.

Christine Lorenz portrait

Christine Lorenz

Contact me on LinkedIn

Christine is DPI marketing expert at ipoque, joining the company in 2013. With her background in marketing communications, she is passionate about making people aware of the capabilities of traffic analytics and DPI use cases. Christine is a lover of Vietnamese food and spends most of her spare time running and cycling, exploring nature and the outdoors.

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for the ipoque newsletter

Stay informed about the latest advances and trends in
deep packet inspection and network traffic visibility