SDN-driven telco networks call for pervasive network visibility

As threats increase and become more sophisticated, and as network architectures change with SDN and virtualization, the need for visibility increases - particularly in large carrier networks.

GTP Tunneling

GPRS Tunneling Protocol (GTP) is often used to carry mobile data across networks, and it includes both control plane and user data plane traffic. Currently, many analytic and security tool vendors build into their tools a feature that correlates the GTP user plane with the control plane inside GPRS tunnels. But in the process, each analytic tool hides its insight from the other analytic tools, and it is precisely this subscriber- and service-layer insight that is needed. As a result, the service provider's operational efficiency decreases: every tool spends its own processing capacity on correlation, which reduces tool throughput and raises cost, and that in turn reduces the effectiveness of the security tools.

Visibility into subscriber activity requires the ability to understand the stateful nature of GTP traffic and correlate subscriber-specific sessions in order to gain an accurate view of the subscriber’s activities. Once this is achieved, the traffic can be intelligently sorted to optimize flows based on what the tools need to see, so the applications used to secure, monitor, and analyze the infrastructure see only what is relevant to them.

From there, tools designed specifically to identify suspicious activity can do their job—without having to sift through petabytes of irrelevant data—so that they can quickly stop criminals in their tracks. 


Another tactic for ensuring network security involves the creation of a whitelist. Mobile carriers can create custom whitelists of specific subscribers using their IMSI (International Mobile Subscriber Identity). 

For example, a service provider that needs to identify security threats from an individual subscriber or device must be able to focus its tools on just those subscribers or devices, and to remove their malicious traffic from the network or deny it access altogether. Since security tools rarely run at line-rate speeds, any capability that reduces the volume of traffic flowing through them allows a smaller and more cost-effective security deployment, giving the operator the ability to do more with less.

Whitelists can be created to identify security threats to (or from) a specific subscriber. This is a clear operational advantage: it reduces operational costs and frees up network capacity, while subscriber devices and their associated malicious traffic can be blocked from the network altogether.

Whitelisting and GTP correlation can also be used to treat devices, applications or subscriber groups with a perceived higher security threat profile differently, for example a specific vendor whose devices and apps may lack built-in security screening capabilities. Traffic can then be grouped so that low-threat traffic is handled differently from high-threat traffic. This preserves the processing throughput of security tools and lowers the cost per unit of processed traffic, which yields a competitive advantage over other competing carriers within a region.
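The stateful correlation and IMSI whitelisting described above, as an added example that is not part of the original article or of any vendor's product: a self-contained Python model in which simplified GTPv2-C Create/Delete Session Requests teach a correlator the TEID-to-IMSI mapping, which it then uses to classify GTPv1-U packets (which carry only a TEID) as whitelisted, other, or unknown. The IMSIs, TEIDs, IP addresses and the one-entry whitelist are constructed for the example, and the wire layouts are reduced to the fields the correlator needs (a real Create Session Request nests the user-plane F-TEID inside a Bearer Context IE, and a real teardown references the TEID allocated in the Create Session Response).

```python
"""Stateful GTP correlation with an IMSI whitelist (constructed example).

GTPv2-C (3GPP TS 29.274) control messages carry the IMSI and the F-TEIDs a
session will use; GTPv1-U (3GPP TS 29.281) G-PDUs carry only a TEID. A filter
must therefore remember TEID -> IMSI from the control plane to decide, per
subscriber, which user-plane packets a tool needs to see. Layouts are simplified.
"""
import socket
import struct

CREATE_SESSION_REQ, DELETE_SESSION_REQ = 32, 36   # GTPv2-C message types
IE_IMSI, IE_FTEID = 1, 87                          # GTPv2-C IE types

def tbcd_encode(digits: str) -> bytes:
    """IMSI digits as TBCD: low nibble first, odd length padded with 0xF."""
    if len(digits) % 2:
        digits += "F"
    return bytes((int(digits[i + 1], 16) << 4) | int(digits[i], 16)
                 for i in range(0, len(digits), 2))

def tbcd_decode(raw: bytes) -> str:
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in raw).rstrip("F")

def ie(ie_type: int, value: bytes, instance: int = 0) -> bytes:
    """GTPv2-C IE: type(1) length(2) spare/instance(1) value."""
    return struct.pack("!BHB", ie_type, len(value), instance) + value

def fteid(instance: int, teid: int, ipv4: str) -> bytes:
    # 0x80 = V4 flag, interface type 0 (simplified); then TEID and IPv4 address
    return ie(IE_FTEID, struct.pack("!BI", 0x80, teid) + socket.inet_aton(ipv4), instance)

def build_gtpc(msg_type: int, teid: int, ies: bytes, seq: int = 1) -> bytes:
    # flags 0x48: version 2, P=0, T=1 (TEID present); seq is 3 bytes + 1 spare byte
    body = struct.pack("!II", teid, seq << 8) + ies
    return struct.pack("!BBH", 0x48, msg_type, len(body)) + body

def parse_gtpc(pkt: bytes):
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 2 or not flags & 0x08:
        raise ValueError("not a GTPv2-C message with TEID")
    teid = struct.unpack("!I", pkt[4:8])[0]
    ies, off, end = {}, 12, 4 + length
    while off + 4 <= end:                      # walk the IE list, keyed by (type, instance)
        t, ln, inst = struct.unpack("!BHB", pkt[off:off + 4])
        ies[(t, inst & 0x0F)] = pkt[off + 4:off + 4 + ln]
        off += 4 + ln
    return msg_type, teid, ies

def build_gtpu(teid: int, payload: bytes) -> bytes:
    # flags 0x30: version 1, PT=1 (GTP); message type 0xFF = G-PDU
    return struct.pack("!BBHI", 0x30, 0xFF, len(payload), teid) + payload

def parse_gtpu(pkt: bytes):
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or msg_type != 0xFF:
        raise ValueError("not a GTPv1-U G-PDU")
    return teid, pkt[8:8 + length]

class GtpCorrelator:
    """Learns TEID -> IMSI from the control plane; classifies user-plane packets."""

    def __init__(self, imsi_whitelist):
        self.whitelist = set(imsi_whitelist)
        self.user_teid_to_imsi = {}   # GTP-U TEID -> IMSI
        self.ctrl_teid_to_user = {}   # control TEID -> user TEIDs, for teardown

    def observe_control(self, pkt: bytes) -> None:
        msg_type, hdr_teid, ies = parse_gtpc(pkt)
        if msg_type == CREATE_SESSION_REQ and (IE_IMSI, 0) in ies:
            imsi = tbcd_decode(ies[(IE_IMSI, 0)])
            ctrl_teid = struct.unpack("!BI", ies[(IE_FTEID, 0)][:5])[1]  # instance 0: control
            user_teid = struct.unpack("!BI", ies[(IE_FTEID, 1)][:5])[1]  # instance 1: user plane
            self.user_teid_to_imsi[user_teid] = imsi
            self.ctrl_teid_to_user.setdefault(ctrl_teid, set()).add(user_teid)
        elif msg_type == DELETE_SESSION_REQ:
            # Simplification: teardown keyed on the control TEID from the request;
            # real peers reference the TEID allocated in the Create Session Response.
            for user_teid in self.ctrl_teid_to_user.pop(hdr_teid, ()):
                self.user_teid_to_imsi.pop(user_teid, None)

    def classify_user(self, pkt: bytes):
        """Returns (verdict, imsi): 'whitelisted', 'other', or 'unknown' (no session state)."""
        teid, _payload = parse_gtpu(pkt)
        imsi = self.user_teid_to_imsi.get(teid)
        if imsi is None:
            return "unknown", None
        return ("whitelisted" if imsi in self.whitelist else "other"), imsi

def demo():
    """Constructed attach of two subscribers, one whitelisted; returns the verdicts seen."""
    corr = GtpCorrelator(imsi_whitelist={"001010123456789"})
    # IMSIs, TEIDs and addresses below are made up for the example.
    corr.observe_control(build_gtpc(CREATE_SESSION_REQ, 0,
        ie(IE_IMSI, tbcd_encode("001010123456789"))
        + fteid(0, 0x1001, "10.0.0.1") + fteid(1, 0xA001, "10.0.1.1")))
    corr.observe_control(build_gtpc(CREATE_SESSION_REQ, 0,
        ie(IE_IMSI, tbcd_encode("001019876543210"))
        + fteid(0, 0x1002, "10.0.0.1") + fteid(1, 0xA002, "10.0.1.1")))
    before = [corr.classify_user(build_gtpu(t, b"payload")) for t in (0xA001, 0xA002, 0xBEEF)]
    corr.observe_control(build_gtpc(DELETE_SESSION_REQ, 0x1001, b""))   # first subscriber detaches
    after = corr.classify_user(build_gtpu(0xA001, b"payload"))
    return before, after
```

Running demo() shows the point the article makes: a GTP-U packet on its own identifies nobody, so a tool that filters by subscriber must see the control plane first and keep that state. The third TEID never appears in any Create Session Request and comes back "unknown", as does the first subscriber's TEID after the session is deleted; in a deployment, that is the traffic a defender would want to count and alert on rather than silently forward.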

Pervasive network visibility is critical


As SDN becomes more pervasive, traffic-based visibility solutions, along with closer correlation of traffic with controller policies and state, will need to become an integral part of the SDN solution. Further, the dynamic nature of network, compute and storage will drive the need to deliver traffic pervasively from all segments of the network to a centralized set of tools responsible for monitoring and correlating performance, security analysis, and user experience.

This calls for a new approach to securing the network altogether, one that shifts from perimeter-centric prevention to a model focused on detecting breaches by providing consistent access to relevant data from physical and virtualized systems. Such a model will dramatically shorten the time between breach and detection, helping operators ensure consistent, secure service to their customers.
