3G, the third generation of mobile communication technology, refers to cellular mobile communication technology that supports high-speed data transmission. There are currently four 3G standards: CDMA2000, WCDMA, TD-SCDMA and WiMAX. The three major domestic (Chinese) operators support them as follows:
China Telecom: CDMA2000, up to 3.1 Mbps;
China Mobile: TD-SCDMA, 2.8 Mbps;
China Unicom: WCDMA, up to 7.2 Mbps.
Enterprise users such as banks find that traditional wired access cannot meet the need to deploy off-premises ATMs and mobile outlets flexibly: these sites have no long-term fixed location, geography and wired-network coverage limit where they can be placed, their business volume is small, and leasing a dedicated line for each of them costs too much. At the same time they need high-speed wireless access, so 3G wireless deployment is currently the best solution.
With the spread of 3G network services, operators have launched 3G VPDN (Virtual Private Dial-up Network) services in response to enterprise demand for a "3G mobile private network": a virtual private dial-up network built on 3G wireless access. It uses the L2TP tunneling protocol to build, on the existing dial-up network, a virtual dedicated channel isolated from outside traffic, so that enterprise intranet resources can be reached in much the same way as over a wired private network.
Data communication equipment manufacturers have also launched 3G routers to serve this trend among industrial users, and enterprise networks have entered the era of 3G networking.
Financial and government organizations with many outlets, and industrial users with large numbers of off-premises ATMs, remote township sites and mobile sites, are likewise turning to 3G access and running their enterprise data communication over 3G networks. For these industries, which demand high data security, security has become the biggest obstacle to large-scale adoption of 3G networks.
3G Network Data Communication Application Overview
3G-based data communication applications have the following networking modes:
1. Internet access
Figure 1 Internet access
The 3G router is fitted with a 3G module and uses the public APN name, user name and password to reach the Internet through the operator's wireless base station; NAT address translation is configured on the router. This mode serves e-mail, instant messaging, downloads and other public Internet resources.
2. Internet + VPN tunnel
Figure 2 Internet + VPN tunnel
The 3G router is fitted with a 3G module and uses the public APN name, user name and password to reach the Internet through the operator's wireless base station. Traffic bound for public network resources goes straight to the Internet after NAT. Traffic bound for the headquarters' private-network resources (for example the company VoIP telephony, the video conferencing system or the internal OA system) goes through an IPsec VPN encrypted tunnel established between the 3G router and the headquarters router.
3. 3G VPDN private network
Figure 3 3G VPDN private network
As shown in the figure above, to meet the business security requirements of major enterprise customers' 3G access networks, the operator can provide a dedicated-line APN (Access Point Name) service: the enterprise gets its own access point name together with multi-factor access authentication based on user name, password and IMSI. On the operator side, an LNS connects the equipment at the customer's headquarters (routers, VPN devices) to the operator's network over a dedicated line. The 3G routers at the branch outlets are fitted with 3G modules and use the dedicated APN name, user name and password the enterprise applied for to attach to the 3G network. Once the operator has identified the user as an enterprise private-network user, from the APN name or from the user name and password, the LAC device triggers L2TP negotiation with the customer-side LNS device, and finally the LNS assigns a private IP address to the branch's 3G router. The branch network can then communicate with the headquarters private network over the dedicated line.
Since the 3G VPDN private network is the main model operators promote for industry users, this article focuses on the security deployment of 3G VPDN private network applications.
Introduction to 3G Wireless Security
Wireless communication is by nature easy for legitimate users to access and equally easy for potential illegitimate users to eavesdrop on, so security issues have always accompanied mobile communication networks.
In view of the security problems of wireless communication, the 3G system adds the following improvements:
1. Mutual authentication: the network authenticates the mobile station (MS) and the MS authenticates the network, which effectively prevents false base station attacks.
2. Integrity protection of access link signaling data.
3. The key length is increased to 128 bits and the algorithms are improved.
4. 3GPP access link encryption is extended back to the Radio Network Controller (RNC).
5. The 3G security mechanism is extensible, providing protection for new services introduced in the future.
6. 3G gives users security visibility: users can check their current security mode and security level at any time.
7. In key length, choice of encryption algorithm, authentication mechanism and data integrity checking, 3G security is far superior to 2G.
However, these 3G security mechanisms cover only the wireless segment. For a wireless enterprise network built on 3G access, securing the wireless segment alone is far from enough: data must be protected over the entire transmission path, that is, end-to-end security is required.
Discussion on Security Deployment of 3G Router Access
With the development of 3G data communication applications, professional data communication manufacturers have launched 3G security routers, which address secure data transmission over 3G networks well. The following analysis takes the application of 3G security routers to off-premises financial ATMs as an example.
Figure 4 3G access
As shown in the figure above, an off-premises financial ATM site uses a 3G router to attach wirelessly to the 3G network and, through the operator's 3G base station and IP core network, connects to the aggregation router of the bank's primary or secondary network, from which it accesses primary- or secondary-network business systems.
Given this application mode, 3G access security deployment is based on the following considerations:
Access authentication security
When logging in to the 3G network, the solution must provide multi-identity authentication that binds user name, password and IMSI (International Mobile Subscriber Identity), so that each access user is unique and unauthorized users cannot reach the customer's private network through the 3G network.
End-to-end privacy
To keep user services private, the solution must provide a dedicated end-to-end private channel from the outlet's 3G router to the primary- or secondary-network aggregation router of the financial or government customer, so that business traffic stays private while it traverses the operator's network.
End-to-end secure encryption
To further protect business data while it crosses the operator's 3G wireless network and IP core network, and to prevent attackers from intercepting sensitive financial or government data by other illegitimate means, the solution must provide end-to-end encryption from the outlet's 3G router to the primary- or secondary-network aggregation router of the financial, government or other industry customer. In information-sensitive industries such as finance and government, this encryption must in addition support the commercial cryptographic algorithms approved by the State Cryptography Administration, to ensure the high confidentiality required for national information security.
Figure 5 3G access security deployment
3G router security access solution
Figure 6 3G secure access solution
As shown in the figure above, the secure 3G access solution for outlets uses three techniques: a dedicated APN with bound access authentication, an L2TP private tunnel, and IPsec encryption. They provide, respectively, access authentication, end-to-end privacy and end-to-end encryption for the 3G deployment. The security principles are as follows:
Dedicated APN + bound access authentication
When deploying 3G wireless access for an outlet, the first step is to apply to the operator for a dedicated private-network APN (Access Point Name). The APN works like an industry-specific 3G wireless LAN: once an outlet attaches to the 3G network through it, the outlet can reach only the industry's own network and cannot communicate with other networks. The outlet attaches through a 3G router; the operator pre-configures on its authentication server the terminal user's IMSI (the 15-digit number that uniquely identifies a mobile subscriber in the operator's network, stored on the SIM card) together with the user's account and password. When the branch 3G router initiates a wireless connection, only users whose bound information is valid and who pass AAA authentication of user name and password are admitted to the 3G private network, which stops an unauthorized SIM card from dialing into the customer's 3G private network.
In addition, the SIM card's PIN protection can be enabled through the 3G router, so that 3G dial-up can be triggered only by someone who knows the SIM PIN. This prevents an attacker who obtains the SIM card from misusing it and protects the SIM card itself. (For unattended dial-up the router must hold the PIN in its configuration, so the router configuration needs to be protected as well.)
L2TP + IPsec VPN private tunnel
To keep the data services of 3G access outlets private while they cross the operator's IP core network, the customer applies to the operator for the enterprise-group 3G VPDN service. This virtual private dial-up network service, based on 3G wireless access, uses the L2TP tunneling protocol to build, on the existing dial-up network, a virtual private channel isolated from outside traffic, through which the enterprise intranet resources are accessed.
For the 3G VPDN service of industry users, the operator provides the L2TP LAC-side router and the supporting AAA server. In the primary-network or secondary-network aggregation layer of the financial or government customer, a router acts as the L2TP LNS and an AAA server is deployed. The LAC router is responsible for access authentication of 3G users and establishes an L2TP tunnel with the private LNS of the enterprise the user belongs to. The AAA server at the customer's primary- or secondary-network aggregation layer mainly stores the user names and passwords the branch routers need to establish connections. The user name has the form user@domain: the part before @ is chosen by the customer, and the part after @ is the domain name, which the operator's AAA server uses to determine the user's access rights (that is, which enterprise LNS the user is tunneled to). The user name and password on the operator's AAA server and on the enterprise AAA server must be identical.
The L2TP private tunnel is established as follows:
1. After the outlet router has passed APN authentication on the 3G network, it initiates PPP dial-up and sends an authentication request to the LAC.
2. The LAC forwards the authentication request to the operator's AAA server.
3. The AAA server returns the authentication result together with the address of the LNS the user belongs to, the VPDN tunnel attributes and other information.
4. The LAC sends an L2TP tunnel establishment request to the returned LNS address and the tunnel is set up (tunnel authentication during establishment is optional).
5. The LNS re-authenticates the outlet router's user name and password (this re-authentication by the LNS is optional).
6. L2TP tunnel establishment is complete: the corresponding dial-up interface on the outlet router comes up and normal private-tunnel communication is available.
7. If the outlet generates traffic that matches the IPsec VPN trigger, IPsec VPN tunnel establishment starts: the outlet router and the LNS initiate an IPsec VPN connection.
Figure 7 Encrypted tunnel establishment process
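The set-up sequence above, steps 1 to 6, as an added runnable model (example code written for this page, not code from the original article or from any router vendor). The branch router, the operator's LAC and AAA, and the enterprise LNS and AAA are plain Python objects; message framing is simplified, and only the two digests, PPP CHAP (RFC 1994) and L2TP tunnel authentication (RFC 2661 section 5.1.1), are computed as the protocols specify. All user names, domains, addresses and secrets are constructed sample data, and the domain-to-LNS table stands in for the RADIUS tunnel attributes the operator AAA would return.

```python
"""Added example: a model of the L2TP VPDN set-up (PPP dial-up, operator AAA,
tunnel authentication, LNS re-authentication, address assignment)."""
import hashlib
import secrets
from typing import Optional

# Constructed sample records (assumptions). The article requires the same user
# name and password on both AAA servers, so both user tables hold the same secret.
OPERATOR_AAA = {
    "domains": {"bank.example": {"lns": "10.0.0.1", "tunnel_secret": b"lac-lns-shared"}},
    "users": {
        "atm0001@bank.example": b"s3cret-atm",
        "atm0002@bank.example": b"s3cret-atm2",   # known to the operator only
        "rtr01@other.example": b"pw-other",       # domain with no VPDN profile
    },
}
ENTERPRISE_AAA = {"users": {"atm0001@bank.example": b"s3cret-atm"}}
LNS_POOL = ["10.200.0.2", "10.200.0.3"]  # private addresses the LNS hands out


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """PPP CHAP, RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(user_db: dict, username: str, ident: int,
                challenge: bytes, response: bytes) -> bool:
    """Look the user up and recompute the CHAP digest; unknown users fail."""
    secret = user_db.get(username)
    return secret is not None and chap_response(ident, secret, challenge) == response


def tunnel_auth_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """L2TP tunnel authentication, RFC 2661 section 5.1.1:
    MD5(msg_type || shared secret || challenge); msg_type is 2 for a response
    carried in SCCRP and 3 for one carried in SCCCN."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def vpdn_dial(username: str, password: bytes,
              lac_tunnel_secret: Optional[bytes] = None) -> dict:
    """Walk the VPDN set-up; returns {"ok": bool, "reason" or "address": ..., "trace": [...]}.
    lac_tunnel_secret overrides the secret the LAC uses, to show tunnel auth failing."""
    trace = []

    # Step 1: the branch router dials PPP; the LAC sends a CHAP challenge and the
    # router answers with its user name (user@domain) and the CHAP response.
    ident, chap_chal = 1, secrets.token_bytes(16)
    response = chap_response(ident, password, chap_chal)

    # Steps 2-3: the LAC forwards the request to the operator AAA, which checks the
    # credential and uses the part after '@' to pick the LNS and tunnel attributes
    # (carried as RADIUS Tunnel-Server-Endpoint / Tunnel-Password in real deployments).
    if not chap_verify(OPERATOR_AAA["users"], username, ident, chap_chal, response):
        return {"ok": False, "reason": "operator AAA rejected user", "trace": trace}
    domain = username.rsplit("@", 1)[-1]
    profile = OPERATOR_AAA["domains"].get(domain)
    if profile is None:
        return {"ok": False, "reason": "no VPDN profile for domain " + domain, "trace": trace}
    trace.append("AAA: %s -> LNS %s" % (domain, profile["lns"]))

    # Step 4: LAC <-> LNS control connection (SCCRQ, SCCRP, SCCCN) with tunnel
    # authentication: each side answers the other's Challenge AVP with the shared secret.
    lac_secret = profile["tunnel_secret"] if lac_tunnel_secret is None else lac_tunnel_secret
    lns_secret = profile["tunnel_secret"]
    lac_chal, lns_chal = secrets.token_bytes(16), secrets.token_bytes(16)
    sccrp = tunnel_auth_response(2, lns_secret, lac_chal)       # LNS answers in SCCRP
    if sccrp != tunnel_auth_response(2, lac_secret, lac_chal):  # LAC verifies it
        return {"ok": False, "reason": "LNS failed tunnel authentication", "trace": trace}
    scccn = tunnel_auth_response(3, lac_secret, lns_chal)       # LAC answers in SCCCN
    if scccn != tunnel_auth_response(3, lns_secret, lns_chal):  # LNS verifies it
        return {"ok": False, "reason": "LAC failed tunnel authentication", "trace": trace}
    trace.append("L2TP: tunnel up, session created (ICRQ/ICRP/ICCN)")

    # Step 5: the LNS re-authenticates the router. The LAC relays the original CHAP
    # challenge and response (Proxy Authen AVPs in ICCN) and the LNS recomputes them
    # against the enterprise AAA, so a user the enterprise never provisioned is refused
    # even though the operator accepted the dial-up.
    if not chap_verify(ENTERPRISE_AAA["users"], username, ident, chap_chal, response):
        return {"ok": False, "reason": "enterprise AAA rejected user", "trace": trace}

    # Step 6: the LNS assigns a private address and the router's dial interface comes up.
    address = LNS_POOL[0]
    trace.append("LNS: assigned %s, dialer interface up" % address)
    return {"ok": True, "lns": profile["lns"], "address": address, "trace": trace}


if __name__ == "__main__":
    for name, pw, sec in [("atm0001@bank.example", b"s3cret-atm", None),
                          ("atm0001@bank.example", b"wrong", None),
                          ("atm0002@bank.example", b"s3cret-atm2", None),
                          ("rtr01@other.example", b"pw-other", None),
                          ("atm0001@bank.example", b"s3cret-atm", b"bad-tunnel-secret")]:
        print(name, vpdn_dial(name, pw, sec))
```

The five dial attempts at the bottom exercise the failure points in order: a bad password is refused by the operator AAA, a user the enterprise never provisioned passes the operator but is refused by the LNS re-authentication (step 5), a domain without a VPDN profile has no LNS to tunnel to, and a mismatched tunnel secret fails the optional tunnel authentication before any session is created.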
IPsec secure encryption
Figure 8 IPsec security encryption
On the end-to-end encryption principle: as noted above, 3G has its own encryption and authentication, but it covers only the wireless segment. In the IP core network the L2TP tunnel from LAC to LNS is not encrypted, so data travels in clear text, and the path from the LAC to the outlet may also cross the operator's IP network. To obtain end-to-end encrypted transmission, IPsec is used between the branch router and the headquarters router, as shown in Figure 8:
IPsec provides secure data transmission through the AH and ESP protocols:
Confidentiality: sensitive user data is transmitted in encrypted form
Integrity: the receiver verifies the received data to detect tampering
Authenticity: the receiver verifies the data origin and confirms it came from the genuine sender
Anti-replay: prevents an attacker from re-sending captured packets; old or duplicate packets are rejected by the receiver
(AH provides only the last three; confidentiality requires ESP.)
The encryption algorithms required by IPsec VPN specifications mainly include DES, 3DES, AES-128, AES-192 and AES-256, and the required hash algorithms are MD5 and SHA-1; DES and MD5 are now considered weak and should not be chosen for new deployments. In addition, equipment manufacturers holding commercial cryptographic product qualifications issued by the State Cryptography Administration can, beyond the common algorithms, offer routers for financial and government 3G access that support the State Cryptography Administration's commercial cryptographic algorithms and are designed to the national commercial cryptography IPsec VPN technical specification, further safeguarding national information security.
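The receiver-side checks behind the integrity, authenticity and anti-replay properties above, as an added example (written for this page, not code from the original article or from any IPsec implementation). The ICV is HMAC-SHA1-96 over SPI, sequence number and payload, as RFC 2404 specifies for ESP and AH, and the anti-replay logic is the 64-packet sliding window of RFC 4303 Appendix A. The packets are constructed byte strings in a simplified header-payload-ICV layout, not real ESP datagrams, and no encryption is performed, so this covers only the authentication half of ESP (which is all that AH offers); the key, SPI and payloads are sample values.

```python
"""Added example: ESP/AH-style ICV verification and anti-replay window (RFC 4303)."""
import hashlib
import hmac
import struct

WINDOW = 64          # RFC 4303 requires at least 32; 64 is a common choice
ICV_LEN = 12         # HMAC-SHA1-96: the SHA-1 HMAC truncated to 96 bits


def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Authentication tag over the SPI, sequence number and payload."""
    mac = hmac.new(key, struct.pack("!II", spi, seq) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: header (SPI, seq), payload, ICV, in the simplified layout used here."""
    return struct.pack("!II", spi, seq) + payload + compute_icv(key, spi, seq, payload)


class InboundSA:
    """One inbound security association: key, SPI and anti-replay state."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.last_seq = 0   # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set => sequence number last_seq - i was received

    def receive(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "reject: short packet"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "reject: unknown SPI"
        if seq == 0:
            return "reject: sequence number 0"   # the first packet on an SA is 1
        # Order per RFC 4303 3.4.3: replay-window check, then ICV, then window update,
        # so a forged packet with a fresh sequence number cannot advance the window.
        if seq <= self.last_seq:
            diff = self.last_seq - seq
            if diff >= WINDOW:
                return "reject: too old"
            if (self.bitmap >> diff) & 1:
                return "reject: replay"
        payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv, compute_icv(self.key, spi, seq, payload)):
            return "reject: bad ICV"
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)
        return "accept"


def demo() -> list:
    """Feed a constructed packet sequence to one SA and return the verdicts."""
    key, spi = b"constructed-sample-key", 0x1000
    pkt = {s: build_packet(key, spi, s, b"payload %d" % s) for s in (1, 2, 3, 5, 7, 70, 71)}
    tampered = bytearray(pkt[71])
    tampered[9] ^= 0x01                 # flip one payload bit; the ICV no longer matches
    sa = InboundSA(spi, key)
    return [
        sa.receive(pkt[1]),             # accept: first packet on the SA
        sa.receive(pkt[3]),             # accept: in order, right edge moves to 3
        sa.receive(pkt[2]),             # accept: late but inside the window
        sa.receive(pkt[2]),             # reject: replay of an already accepted packet
        sa.receive(pkt[70]),            # accept: jump forward, window slides to 70
        sa.receive(pkt[5]),             # reject: 65 behind the edge, outside the window
        sa.receive(pkt[7]),             # accept: 63 behind, still inside 64 packets
        sa.receive(bytes(tampered)),    # reject: ICV mismatch, window stays at 70
        sa.receive(pkt[71]),            # accept: the genuine packet is still fresh
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the ordering inside receive() is that a captured packet replayed later, or a forged packet with a large sequence number, is dropped without touching the window state, so an attacker on the core network cannot use either to push the window past packets the legitimate peer has yet to deliver.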
3G technology has brought the enterprise network into the era of wireless networking, and more complete network security is what will allow wireless enterprise networks based on 3G access to be applied at real scale. Now that information security has become a national strategy, how to keep the security mechanism commensurate with, and in control of, continually developing communication technology will remain a topic of ongoing discussion. With the promotion of the government and domestic enterprises, and the determination of the Chinese to build their own secure networks and keep the initiative in the information security competition, 3G networks will flourish in enterprise data communication applications.