Security cannot be an afterthought. Years before we commercially deployed the first scalable small cell system, we addressed any security concerns with mobile operators AND enterprise IT teams.
Security must be an integrated part of the design process. Just “adding security on later” can be impossible where a software technique has a dependency on hardware subsystems that were not designed into the system.
SpiderCloud’s small cell system consists of Radio Node (RN) small cells and a Services Node (SN). The SN provides central configuration and is able to control over 100 self-organizing and multi-access 3G/4G and 4G/4G RNs. The Radio Nodes securely connect over the enterprise Ethernet Local Area Network (LAN) and/or a Virtual LAN (VLAN) to the SN. The SN then originates a single secure connection to Security Gateway infrastructure at the edge of the mobile operator’s core network over high-speed IP transport.
Think of the SN as a “black box” that implements 3GPP standard encryption between the UEs and its RNs, and IP/IPSec between its SN and the Security Gateway(s) at the perimeter of the mobile operator’s core network. Besides the 3GPP-defined Kasumi and SNOW 3G air-link encryption algorithms used between UEs and the E-RAN, we have also implemented the IETF-defined family of IPSec protocols used to connect the E-RAN to the mobile core.
The fundamental security design assumption made early on was the scalable small cell system could operate in an untrusted environment with non-telecom employees having physical access to it. Therefore, the system should not be vulnerable to physical or local/remote digital attacks.
Working from the ground up, the system hardware incorporates both tamper resistance and secure repositories that anchor secure software elements:
- The normal fuse blowing to disable manufacturing and diagnostic interfaces (such as JTAG) is done on many of the critical semiconductors. This prevents development and manufacturing test equipment from being abused to exploit them.
- All hardware can make use of tamper-resistant screws, so that only the special screwdriver the operator possesses can open the SN. Tamper detection, with the operator choosing the resulting action, is available.
- A TPM vault on all hardware stores PKI certificates. TPM vaults are used extensively to protect PKI private keys from export from the hardware. This is critical to maintain trust that attackers cannot quietly develop eavesdropping capabilities by compromising IPSec security.
- IPSec hardware acceleration is performed by dedicated hardware in the SN and not by its general-purpose processor.
- Encryption of all data at rest in SN storage prevents any attacker from recovering data from the SSD drive.
- The craft interface on the SN is scope-limited to be a bootstrap mechanism that is remotely disabled after commissioning a SpiderCloud system.
Building upon these hardware features, the system OS leverages them to protect itself and the privacy and integrity of the traffic flows between the UEs and the mobile core.
- SpiderCloud’s hardware will only load signed code images that must successfully validate against the PKI key resident in the RN or SN TPM vault.
- All PKI certificate public/private keys are secured from export via storage in TPM.
- Support is available to use default factory provisioned certs or operator certificates.
- OCSP or CRL methods are available to determine the revocation status of the certificates in the hardware.
The small cell system Radio Node (RN) is a very sophisticated part of the overall system and has a broad range of protections built into it.
- An RN has no resident operating system and fetches it, at power up, from the SN. Stolen RNs don’t have an operating system, thus they cannot do anything.
- The SN and RN mutually authenticate each other as part of building their IPSec connection. This is a protective measure that prevents a man-in-the-middle attack. The RN’s operating system is signed and must validate against the hardware during the boot process or it will not load.
- There is no craft interface on an RN. It only has an Ethernet port on it that expects to be connected to a PoE+ port on an enterprise LAN/VLAN.
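The two signed-image checks described above (code images validating against the key resident in the TPM vault, and the RN refusing to boot an image that does not validate) come down to one verification step at load time. The following Go program is an added illustration, not SpiderCloud’s code: the image layout, the "SCIM" magic and the Ed25519 key pair are constructed for the example, and the in-memory public key stands in for the TPM-resident key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not SpiderCloud's real format):
//   "SCIM" | version u32 BE | payload length u32 BE | payload | Ed25519 signature
// The signature covers SHA-256(header || payload), so the header is authenticated too.
const magic = "SCIM"

func header(version uint32, n int) []byte {
	h := make([]byte, 12)
	copy(h, magic)
	binary.BigEndian.PutUint32(h[4:], version)
	binary.BigEndian.PutUint32(h[8:], uint32(n))
	return h
}

func digest(hdr, payload []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, hdr...), payload...))
	return sum[:]
}

// BuildImage is the SN side: sign the OS image the RN will fetch at power-up.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := header(version, len(payload))
	return bytes.Join([][]byte{hdr, payload, ed25519.Sign(priv, digest(hdr, payload))}, nil)
}

// VerifyImage is the RN side: parse, then check the signature against the trusted key
// (the role the TPM-resident key plays). Nothing in the payload is interpreted before that.
func VerifyImage(trusted ed25519.PublicKey, raw []byte) (uint32, []byte, error) {
	if len(raw) < 12+ed25519.SignatureSize || string(raw[:4]) != magic {
		return 0, nil, errors.New("image: truncated or bad magic")
	}
	n := int(binary.BigEndian.Uint32(raw[8:12]))
	if n != len(raw)-12-ed25519.SignatureSize {
		return 0, nil, errors.New("image: length field does not match body")
	}
	hdr, payload, sig := raw[:12], raw[12:12+n], raw[12+n:]
	if !ed25519.Verify(trusted, digest(hdr, payload), sig) {
		return 0, nil, errors.New("image: signature does not verify against trusted key")
	}
	return binary.BigEndian.Uint32(raw[4:8]), payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the factory-provisioned pair
	img := BuildImage(priv, 7, []byte("constructed RN OS payload"))
	img[20] ^= 0xff // flip one payload byte after signing, as a tampering attempt
	_, _, err := VerifyImage(pub, img)
	fmt.Println("tampered image:", err)
}
```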
In SpiderCloud’s system, IPSec and 3GPP features for path protection and integrity are key to ensuring service availability and subscriber data privacy.
- IPSec is utilized between SN and its RNs, and between SN and Security Gateway (SeGW). Even when private transport is being utilized by an operator, IPSec is used to preserve privacy of subscriber payload.
- An SN can connect to multiple SeGW for fault tolerance – UMTS Iu-Flex & LTE S1-Flex. These SeGW can also be geo-redundant to protect from cable cuts and power problems that can affect data centers.
- Extensive QoS policy controls over all backhaul access inside the IPSec path and DSCP marking for MPLS CoS handling enable the SN to protect critical traffic when the backhaul experiences congestion.
Security auditing is the final step in ensuring that the system delivers both confidentiality and integrity for subscriber traffic traversing the system.
- The system has been, and continues to be, audited and penetration tested routinely by a third-party specialist security vendor as part of QA processes. Any issues found are remediated.
- The system is routinely audited and explored by our mobile operators’ technology security teams as part of due diligence.
- SpiderCloud’s OEM partners have conducted further audits to make sure they can safely promote SpiderCloud as part of their solutions portfolio.
- System hardware and RAN protocols use standards to connect both to UEs over the air link and to the mobile core via the Security Gateway. This means SpiderCloud has done a significant amount of interoperability testing (IOT) with UEs (of many varieties), SeGW, Iuh, and EPC vendors.
“Bolt-on” security is an afterthought. Security can NEVER be an afterthought. SpiderCloud’s scalable small cell system makes use of a “built-in security” approach in its system design, from the get-go. Without the underlying investment in system hardware features, the software security would have no foundation to build upon.
- Art King, SpiderCloud Wireless, Director of Enterprise Services & Technologies
Almost 20 months ago the world’s largest RAN company proclaimed the arrival of the Ericsson small cell, except that it was, and is, a DAS (distributed antenna system). Since then, many of the world’s largest DAS vendors have followed suit and have started to position existing distributed antenna systems or Wi-Fi as “small cells.” Why is that, you may ask?
Very simply, this is “marketing 101”, so to speak. If you’re late to market, or if you do not have a competitive product, you mirror the momentum marketing messages and re-position existing product lines to gain or retain the interest of your customers, Wall Street and media.
Last week I got a ‘chuckle’ when I read an industry blog written by a DAS infrastructure vendor’s marketing strategist, positioning DAS as “the original small cell” and today’s small cells as only a capacity supplement, while describing “four viable small cell paths for wireless operators…”. Except, of the four deployment options, the “right” answer for three of the scenarios was DAS. Seriously?
Yes, seriously. And furthermore, the author proclaimed to know the definition of a small cell by defining it so that an antenna could be a small cell. Coverage does not constitute access to needed capacity.
The Small Cell Forum defines a small cell as “an umbrella term for operator-controlled, low-powered radio access nodes” and “small cells can be based on ‘femtocell technology’ – i.e. the collection of standards, software, open interfaces, chips and know-how that have powered the growth of femtocells.” Thus, small cells are nothing like “spatially separated antenna nodes connected to a common source via a transport medium that provides wireless service within a geographic area or structure.” (…gotta love Wikipedia).
Why the urgency to position DAS as a small cell, or to de-position small cells against DAS? Very simply, DAS as we knew it is D.E.A.D.
D is for DAS (or Duck)
“If it looks like a duck and smells like a duck, it’s a duck.” A Distributed Antenna System is just that: an antenna connected to coax, fiber or other special cabling that requires cable pulls through the risers, and racks and racks of equipment in the basement or the telco closet. See our DAS review blog for details, and if you have time, read a 100-page DAS installation manual or the 10-page-long price list of the equipment necessary to power the “small cell” antenna.
E is for End of Life
Yes, the DAS market will continue to grow as predicted by leading analyst firms. No right-minded person would dispute that. However, DAS as we knew it last year or the year before is done and over with. Why are hundreds of system integrators working hard to get up to speed on small cells and how to install them? Mobile operators, enterprise, venue or building owner customers do not care if it’s DAS, Wi-Fi and/or small cells that are fixing their problem with in-building coverage and capacity. They just want the problem fixed, and for the business case (payback) to work. Long gone are the days of 7-10 year payback periods, or securing rights to a location only to charge back Opex fees to mobile operators, even after they have deployed their own $150k baseband. Easy-to-install single- or multi-operator small cells and small cell systems over Ethernet, with payback periods measured in weeks or months, made the old DAS obsolete. Yes, there, I said it. Obsolete. But there’s reason to celebrate.
A is for Acknowledgement
Because of the rising tide for small cell vendors, DAS and RAN vendors alike went back to the drawing board to simplify single-operator and multi-operator DAS systems, making them easier and cheaper to deploy. Is this enough? Time will tell, but for now the in-building coverage and capacity market is smoking hot, and the DAS vendors do not want to be pushed outside into the cold. Big venues and buildings need any and all spectrum and capacity. The pragmatic solution, where DAS already exists, is to supplement it with Wi-Fi and small cells. After all, adding LTE DAS is just like adding an entirely new DAS system installation at $4-6 a square foot.
D is for Demarcation
New DAS systems find their place where old DAS was once deployed, but in competition with scalable small cell systems that add capacity wherever a small cell is mounted. Whereas DAS systems for big venues and buildings would deploy capacity for 40 sectors with hundreds of special antenna pulls, a small cell system could easily add 200 sectors of 3G/4G capacity for 25% of the cost of DAS (not counting yearly Opex, where the difference is closer to 50-100x). The DAS business case makes good sense for 1M-10M square feet. Below a million, the business case now favors small cell systems.
At PCIA’s Wireless Infrastructure conference, Alan Tantillo, national director for development and siting policy at T-Mobile USA, pointed out on a panel that “It is not cost-effective to put in a neutral host DAS system.” See RCR Wireless’s article and video from the panel.
It’s a brave new world out there, and the winners are the end-customers. Mobile operators, enterprise, building and venue customers are the beneficiaries of free-market competition where the best solution deployed in the shortest amount of time, for best price – wins!
Let’s not confuse the customers. If they want a duck, they’ll buy one.
Following a successful launch in June 2014, Telcel and América Móvil were kind enough to let us share the news at Informa’s LTE LatAm event taking place in Rio de Janeiro, Brazil this week -- where SpiderCloud’s own Amit Jain is speaking.
This is a significant announcement for SpiderCloud and our business partners. And, unlike Ericsson’s, it is not a “pilot” in a single building (“Ericsson Radio Dot installed at commercial building…”).
Small cell systems have already been deployed and “turned on” for dozens of enterprise customers, with hundreds more planned. Gerardo Aguirre, director of network engineering with Telcel, places the importance of this commercial rollout into context:
“Our largest customers in Mexico demand and expect a superior mobile network experience at all times. With SpiderCloud as our go-to in-building network solution, Mexico’s business, education and government customers are experiencing the leading edge of in-building mobility as part of our continued commitment to deliver a superior mobile experience.”
Together with our business partners in the region (Cisco, NEC and one more major player), we will work with Telcel and América Móvil to bring in-building services to major metropolitan areas in South America.
SpiderCloud is fast becoming the recognized leader for scalable small cell systems. According to Infonetics (March 2015), “SpiderCloud leads the enterprise small cell market as a result of an early focus on the medium-to-large enterprise segment, followed by Alcatel-Lucent.”
SpiderCloud’s system has been deployed by leading operators such as: América Móvil, Verizon, Vodafone (UK, Netherlands), EE in the United Kingdom (Cisco), Telcel in Mexico, Avea in Turkey (NEC), Warid Telecom in Pakistan, and several more undisclosed operators.
Why SpiderCloud? We continue to innovate, and the dual-band 3G/LTE and LTE/LTE system with 200 sectors is the industry’s most flexible and scalable small cell system. Last month we announced the additions of Beacons, Carrier Aggregation using flexible spectrum bandwidth, and support for Multiple Operators – all part of the same easy-to-deploy over Cat5/6 Ethernet system (see news). The innovations will help drive down the carrier’s total cost of ownership for large, scalable, indoor small cell deployments.
Another significant move, announced in Barcelona at MWC’15, was Cisco’s news that the #1 enterprise systems provider will resell SpiderCloud’s portfolio (USC 8000 Series). We also developed a radio “snap on” attachment for Cisco’s existing Aironet 3600/3700 Wi-Fi access points (the most popular enterprise Wi-Fi in the world), thus integrating radio access with existing Wi-Fi infrastructure – giving Cisco the ability to target all of its existing Wi-Fi deployments with a simple 3G/4G radio upgrade, thus driving more customer adoption for mobile operators worldwide.
SpiderCloud’s technology is the only small cell system that’s successfully competing, innovating and winning against Ericsson and Huawei for large-scale in-building coverage and capacity solutions -- sold to mobile operators. With our partners, it’s now pedal to the metal. Catch up if you can, or give us a call to partner.
At Mobile World Congress (#MWC15), Cisco today announced commercial availability of its new Universal Small Cell (USC) 8000 Series designed for large enterprises and venues. This solution is the result of collaboration between Cisco and SpiderCloud Wireless, and will be offered to Cisco’s enterprise customers and channel partners. The global agreement includes Cisco reselling SpiderCloud’s entire small cell portfolio under the USC 8000 Series brand. In addition, SpiderCloud will develop custom small cell technology for Cisco to include 3G and 4G radio modules into the Aironet 3600/3700 Wi-Fi access points.
This is indeed big news! Scott Morrison, VP/GM for Cisco's Small Cell Technology Group summarized it nicely:
“Partnering with SpiderCloud, Cisco now has an unsurpassed and complete end-to-end small cell and Wi-Fi solution for mobile operators and their enterprise customers. Working with Vodafone enables us to give enterprise customers a complete, high-quality mobile experience in every building, helping them transform the role of mobility in their business.”
So, look out Ericsson and Huawei, as products in the new small cell portfolio are available immediately, including Cisco's USC 8088 Controller which provides real-time coordination and distributed SON capability for up to 100-sector LTE/3G radios, enough to effectively cover the largest of enterprise customers and buildings. Vodafone is the first service provider to have its enterprise customers benefit from the global agreement.
“Working with Cisco and SpiderCloud, we will be able to offer our enterprise customers a highly flexible small cell system that can be deployed rapidly and cost-effectively to enhance the quality of the mobile and Wi-Fi coverage our customers rely on to run their businesses."
- Matt Beal, Director of Innovation and Architecture, Vodafone Group.
As our CEO (Mike Gallagher) puts it, this is a "market changer! Our partnership with Cisco will speed up small cell deployments to benefit large enterprise customers worldwide."
The beneficiaries of this global agreement are mobile operators who are serious about providing mobile in-building coverage, capacity and managed services to enterprise customers and venue owners. With Cisco’s existing enterprise customers and channel partners, mobile operators now have access to a complete end-to-end small cell and Wi-Fi solution, and access to a new enterprise customer base.
At #MWC15, we are showcasing how enterprise customers benefit from a scalable small cell system.
- Improved Performance for Coverage and Capacity
- Carrier Aggregation: New dual-band radio nodes, designed to offer simultaneous 3G/LTE service or dual-carrier LTE service, are software upgradeable to support Carrier Aggregation with peak rates up to 300 Mbps.
- Pre and Post Installation Capabilities
- Radio Nodes with an integrated Bluetooth Low Energy (BLE) beacon improve an already easy installation process, improve inventory management, and ease post-installation system maintenance, driving down the carrier’s total cost of ownership for large, scalable indoor small cell deployments. Radio Nodes with integrated Bluetooth beacons work in conjunction with SpiderCloud’s award-winning E-RAN iOS and Android app.
- New Managed Services Opportunities
- Virtualized functions and hosted services on the Services Node. SpiderCloud will demonstrate enterprise-specific content filtering and group/individual policy examples with Intel Security. These policies make it possible for enterprise IT to deploy a high-capacity LTE system without compromising its acceptable use policies.
- New Radio Node with Low Energy Bluetooth beacons opens the door for localization and context services within large enterprise offices, malls and venues.
- Multi-Operator Support
- New dual-band LTE Radio Nodes can be shared by two operators via a software upgrade. Dual-band LTE radios support 5, 10, 15 and 20 MHz channels, with peak rates of 150 Mbps per band, and VoLTE. Operators will have the option to share their dual-band SpiderCloud LTE system with partner operators (multi-operator RAN), while maintaining strict separation of traffic and services, through a software upgrade.
See and read more about fast innovations and small cell installations on our newly refreshed website, www.spidercloud.com.
Today, SpiderCloud's partner NEC also announced that Avea in Turkey is rolling out a scalable small cell system with solutions from NEC and SpiderCloud. And most recently, SpiderCloud, with Emtel, announced that Warid Telecom in Pakistan is bringing 4G to its customers.
With our partners, we will continue to innovate and bring scalable small cell systems, with access to cloud-enabled services, to our customers. We are indeed at the "Edge of Innovation" - this year's theme at Mobile World Congress in Barcelona.