Madhusanka Liyanage

SDN and NFV integration in generalized mobile network architecture

The main drivers for the mobile core network evolution is to serve the future challenges and set the way to 5G networks with need for high capacity and low latency. Different technologies such as Network Functions Virtualization (NFV) and Software Defined Networking (SDN) are being considered to address the future needs of 5G networks. However, future applications such as Internet of Things (IoT), video services and others still unveiled will have different requirements, which emphasize the need for the dynamic scalability of the network functionality. The means for efficient network resource operability seems to be even more important than the future network element costs. This paper provides the analysis of different technologies such as SDN and NFV that offer different architectural options to address the needs of 5G networks. The options under consideration in this paper may differ mainly in the extent of what SDN principles are applied to mobile specific functions or to transport network functions only.

Securing the control channel of software-defined mobile networks

Software-Defined Mobile Networks (SDMNs) are becoming popular as the next generation of telecommunication networks due to the enhanced performance, flexibility and scalability. In this paper, we study the new security challenges of the control channel of SDMNs and propose a novel secure control channel architecture based on Host Identity Protocol (HIP). IPsec tunneling and security gateways are widely used in todays mobile networks. The proposed architecture utilized these technologies to protect the control channel of SDMNs. We implement the proposed architecture in a testbed and analyze the security features. Moreover, we measure the performance penalty of security of proposed architecture and analyze its ability to protect the control channel from various IP (Internet Protocol) based attacks.

Secured VPN Models for LTE Backhaul Networks

The Long Term Evolution (LTE) architecture proposes a flat all-IP backhaul network. 3rd Generation Partnership Project (3GPP) specified new security and traffic transport requirements of new LTE backhaul network. However, existing LTE backhaul traffic architectures are incapable of achieving these security requirements. In this paper, we propose two secured Virtual Private Network (VPN) architectures for LTE backhaul. Both architectures are layer 3 Internet Protocol security (IPsec) VPNs which are built using Internet Key exchange version 2 (IKEv2) and Host Identity Protocol (HIP). They are capable of fulfilling 3GPP security requirements such as user authentication, user authorization, payload encryption, privacy protection and IP based attack prevention. We study various IP based attacks on LTE backhaul and our proposed architectures can protect the backhaul network from them.

Software Defined Mobile Networks - SDMN: Beyond LTE Network Architecture

This book describes the concept of a Software Defined Mobile Network (SDMN), which will impact the network architecture of current LTE (3GPP) networks. SDN will also open up new opportunities for traffic, resource and mobility management, as well as impose new challenges on network security. Therefore, the book addresses the main affected areas such as traffic, resource and mobility management, virtualized traffics transportation, network management, network security and techno economic concepts. Moreover, a complete introduction to SDN and SDMN concepts. Furthermore, the reader will be introduced to cutting-edge knowledge in areas such as network virtualization, as well as SDN concepts relevant to next generation mobile networks. Finally, by the end of the book the reader will be familiar with the feasibility and opportunities of SDMN concepts, and will be able to evaluate the limits of performance and scalability of these new technologies while applying them to mobile broadb and networks.

Security for Future Software Defined Mobile Networks

5G constitutes the next revolution in mobile communications. It is expected to deliver ultra-fast, ultra-reliable network access supporting a massive increase of data traffic and connected nodes. Different technologies are emerging to address the requirements of future mobile networks, such as Software Defined Networking (SDN), Network Function Virtualization (NFV) and cloud computing concepts. In this paper, we introduce the security challenges these new technologies are facing, inherent to the new telecommunication paradigm. We also present a multitier approach to secure Software Defined Mobile Network (SDMN) by tackling security at different levels to protect the network itself and its users. First, we secure the communication channels between network elements by leveraging Host Identity Protocol (HIP) and IPSec tunnelling. Then, we restrict the unwanted access to the mobile backhaul network with policy based communications. It also protects the backhaul devices from source address spoofing and Denial of Service (DoS) attacks. Finally, we leverage Software Defined Monitoring (SDM) and data collection to detect, prevent and react to security threats.

Securing virtual private LAN service by efficient key management

Virtual private local area network service VPLS is a layer 2 service provider-provisioned virtual private network service. Security is one of the key system requirements of a VPLS because it delivers the frames via an untrusted network. Several VPLS architectures are proposed during the recent years. However, many of them do not provide a sufficient level of security. On the other hand, the existing secure VPLS architectures are also suffering from the scalability issues, and they are infeasible to implement in large scale networks.

Opportunities and Challenges of Software-Defined Mobile Networks in Network Security

Software-defined mobile network (SDMN) architecture integrates software-defined networks, network functions virtualization, and cloud computing principles in mobile networking environments to transform rigid and disparate legacy mobile networks into scalable and dynamic ecosystems. However, because SDMN architecture separates the control and data planes, it will significantly change the way security is managed and applied for mobile networks. In this article, the authors discuss the security challenges, vulnerabilities, and opportunities that need to be investigated and addressed for future SDMNs. It also highlights how common security threats in IP networks such as the Internet are now applicable in new open and IP-based SDMNs.

A scalable and secure VPLS architecture for provider provisioned networks

Virtual Private LAN Service (VPLS) is a Layer 2 Virtual Private Network (VPN) service. Internet Engineering Task Force (IETF) defined the essential system requirements of a VPLS network. Among them, Security is a key requirement as a VPLS delivers the customer data frames via untrusted public networks. However, the existing secure VPLS architectures are suffering from scalability issues and they are infeasible to implement in large scale networks. In this paper, we propose a novel VPLS architecture based on Host Identity Protocol (HIP). It includes a new session key based security mechanism which provides the scalability both in forwarding and security planes. Initial simulations verify that the proposed architecture reduces the key storage in a VPLS node, the total key storage in the network and the number of encryption per broadcast frame than other secure VPLS architectures. Additionally, our proposal provides an efficient broadcast mechanism and comparably higher degree of security features than other existing VPLS proposals.

Secure Virtual Private LAN Services: An overview with performance evaluation

Virtual Private LAN Services (VPLS) is a widely utilized Layer 2 (L2) Virtual Private Network (VPN) architecture in industrial networks. In the last few years, VPLS networks gained an immense popularity as an ideal network architecture to interconnect industrial legacy SCADA (Supervisory Control and Data Acquisition) and process control devices over a shared network. However, legacy VPLS architectures are highly vulnerable to security threats which are initiated at the insecure shared network segment. Thus, secure VPLS architectures are becoming popular among industrial enterprises. In this article, we provide an overview of existing secure VPLS architectures with a performance evaluation. We evaluate the performance penalty of security on throughput, latency and jitter in a real world testbed. From these experiments, we seek to highlight the drawbacks of existing secure VPLS architectures after implementing them in a real networking environment. Moreover, we try to underscore future research questions that will help to improve the performance of secure VPLS networks.

Secure hierarchical Virtual Private LAN Services for provider provisioned networks

Virtual Private LAN Service (VPLS) is a widely used Layer 2 (L2) Virtual Private Network (VPN) service. Initially, VPLS architectures were proposed as flat architectures. They were used only for small and medium scale networks due to the lack of scalability. Hierarchical VPLS architectures are proposed to overcome these scalability issues. On the other hand, the security is an indispensable factor of a VPLS since it delivers the private user frames via an untrusted public network. However, the existing hierarchical architectures unable to provide a sufficient level of security for a VPLS network. In this paper, we propose a novel hierarchical VPLS architecture based on Host Identity Protocol (HIP). It provides a secure VPLS network by delivering vital security features such as authentication, confidentiality, integrity, availability, secure control protocol and robustness to the known attacks. The simulations verify that our proposal provides the control, forwarding and security plane scalability by reducing the number of tunnels in the network as well as the number of keys stored at a node and the network. Finally, the simulation results confirm that the control protocol of the proposed architecture is protected from IP based attacks.