Do we still need a Gi firewall for 3G/UMTS/HSPA networks?
Hi all, most of the existing 2G/2.5G mobile PS-core (Packet Switched) networks have a Gi segment (the interface between the GGSN and the IP router/firewall). Due to the IP address constraint, operators usually did NAT on the Gi firewall in the past to translate private IPs to public IPs. Looking at the traffic pattern and user access behaviour, does it make sense to have a firewall between the GGSN and the public Internet if the public IP addresses are sufficient to cater for mobile subscribers? Especially with 3G/UMTS/HSPA or even LTE in the future. Please share your thoughts, and thanks in advance :)
Regards, Steven Lee
On Thu, 9 Apr 2009, Lee, Steven (NSG Malaysia) wrote:
The only reason I see to have a FW on Gi would be to have a stateful device to stop scanning from the Internet towards the mobile devices (I don't know how many SYNs you see on a /16 nowadays, it used to be quite a lot). I know mobile operators who have been operating with public IPs to all customers without FW for a lot of years. Today's GGSN and other devices should handle it, even though they didn't do it well 5+ years back.
--
Mikael Abrahamsson email: swmike@swm.pp.se
On Apr 10, 2009, at 12:17 AM, Mikael Abrahamsson wrote:
> Today's GGSN and other devices should handle it, even though they didn't do it well 5+ years back.
There's a lot of legacy (and not-so-legacy) gear out there with weak IP stacks; beyond that, the relevant BCPs like iACLs should be deployed to protect the GGSN, et al.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // +852.9133.2844 mobile
Our dreams are still big; it's just the future that got small. -- Jason Scott
On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:
> Please share your thoughts, and thanks in advance :)
No, IMHO. Most broadband operators don't insert firewalls inline in front of their subscribers, and wireless broadband is no different. The infrastructure itself must be protected via iACLs, the various vendor-specific control-plane protection mechanisms, and so forth, but inserting additional state in the middle of everything doesn't buy anything, and introduces additional constraints and concerns.
--
Roland Dobbins <rdobbins@cisco.com> // +852.9133.2844 mobile
Roland Dobbins wrote:
> On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:
> > Please share your thoughts, and thanks in advance :)
> No, IMHO. Most broadband operators don't insert firewalls inline in front of their subscribers, and wireless broadband is no different.
Some operators put firewalls to NAT their subscribers into smaller IP address pools (I have put some for a particular one).
> The infrastructure itself must be protected via iACLs, the various vendor-specific control-plane protection mechanisms, and so forth, but inserting additional state in the middle of everything doesn't buy anything, and introduces additional constraints and concerns.
Yes.
On Thursday 09 April 2009 16:48:32 Lee, Steven (NSG Malaysia) wrote:
I would think that, however you are providing IP addresses, any ingress point to a GSM core network ought to be carefully policed on security grounds, especially if you have IMS or SIP-based services or intend to deploy them.
On Apr 10, 2009, at 12:21 AM, Alexander Harrowell wrote:
> I would think that, however you are providing IP addresses, any ingress point to a GSM core network ought to be carefully policed on security grounds.
Sure. But stateful firewalls aren't required to protect that infrastructure; stateless ACLs in hardware will work quite well.
--
Roland Dobbins <rdobbins@cisco.com> // +852.9133.2844 mobile
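To make the distinction in this exchange concrete (Mikael's SYN scans toward handsets, Roland's iACLs and stateless ACLs in hardware), here is an added example, not code from any poster or vendor, of a stateless Gi inbound filter evaluated over constructed sample packets; the address blocks, the Packet type and the function names are my own assumptions on RFC 5737 documentation prefixes.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet
# Constructed address plan on RFC 5737 documentation prefixes (no real operator's).
SUBSCRIBER_POOL = ipaddress.ip_network("203.0.113.0/24")  # public IPs handed to handsets
GGSN_INFRA = ipaddress.ip_network("192.0.2.0/28")         # GGSN and other PS-core addresses

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}

def is_new_tcp_connection(pkt: Packet) -> bool:
    """SYN without ACK is a connection attempt; a segment carrying ACK or RST belongs
    to a flow that already exists. That is all a stateless rule can tell."""
    return pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags

def gi_inbound_acl(pkt: Packet) -> str:
    """Stateless verdict for one packet arriving from the Internet side of Gi:
    'permit' or 'deny:<reason>'."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst in GGSN_INFRA:                 # iACL: the Internet never reaches core elements
        return "deny:iacl-infrastructure"
    if dst in SUBSCRIBER_POOL:
        # 'established'-style rule: drops Internet-initiated TCP scans toward handsets
        # without a session table. UDP/ICMP have no handshake, so it does not cover them.
        if is_new_tcp_connection(pkt):
            return "deny:inbound-syn"
        return "permit"
    return "deny:not-our-prefix"

def tally(packets) -> dict:
    """Count verdicts; 'deny:inbound-syn' is the scan volume Mikael asks about."""
    counts = {}
    for pkt in packets:
        verdict = gi_inbound_acl(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

SAMPLE = [  # constructed sample traffic as seen on the Internet side of Gi
    Packet("198.51.100.7", "203.0.113.10", "tcp", 445, frozenset({"SYN"})),            # scan
    Packet("198.51.100.7", "203.0.113.11", "tcp", 445, frozenset({"SYN"})),            # scan
    Packet("198.51.100.80", "203.0.113.10", "tcp", 51000, frozenset({"SYN", "ACK"})),  # reply to handset
    Packet("198.51.100.9", "192.0.2.1", "udp", 2123),                                  # GTP-C aimed at GGSN
    Packet("198.51.100.53", "203.0.113.12", "udp", 40000),                             # DNS answer
    Packet("198.51.100.9", "198.51.100.200", "icmp"),                                  # not our prefix
]
```

The UDP caveat in the comments is the gap a stateful device closes; whether that gap is worth the session-table limits discussed later in the thread is the operator's call.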
Hello Steven,
There seems to be an underlying assumption in your question: that a firewall exists for Gi traffic only because of the NAT requirement. This is not necessarily a safe assumption to make. The NAT functionality may be needed to conserve IP space but does not take away from the importance of protecting the network infrastructure from both the outside world as well as from the mobiles themselves.
There are caveats to putting firewalls in the Gi path that you have to consider, such as session count limits and how they play with lots of small-sized packets (as you may know, not all mobile applications are well-behaved).
Miguel
On Thu, Apr 9, 2009 at 11:48 AM, Lee, Steven (NSG Malaysia) <kin-wei.lee@hp.com> wrote:
--
Miguel de Leon Dimayuga "For we walk by faith, not by sight."
On shared media like radio access, every unwanted packet means less performance you will get out of the network. This can be done by NAT, stateful filtering with public IPs or stateless filtering with public IPs; the advantage of doing NAT is making it easier for the end-point software to know that (two ways: noticing your local IP address is from RFC1918 space, or connecting to a server that tells you your IP in order to compare it to the local address). As such, GPRS, EDGE, EVDO, HSPA, LTE and Mobile WiMAX services have good reasons to use NAT, and most do.
Rubens
On Thu, Apr 9, 2009 at 12:48 PM, Lee, Steven (NSG Malaysia) <kin-wei.lee@hp.com> wrote:
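The two endpoint-side NAT signals Rubens lists, written out as an added example (not code from the thread or any handset stack): the local-address check and the reflected-address comparison, combined so that either one is enough. It goes beyond the thread by also recognising RFC 6598 shared address space; the function names and the reflected address being passed in as a value (rather than fetched from a server) are my assumptions.

```python
import ipaddress
from typing import List, Optional

# Ranges a handset can only have been given if a translator sits in its path.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")   # carrier-grade NAT shared space (beyond the thread)

def local_address_signal(local_ip: str) -> Optional[str]:
    """Signal 1: the address on the handset's own interface is from a NAT-only range."""
    addr = ipaddress.ip_address(local_ip)
    if addr.version == 6:
        return None                      # no NAT inference from an IPv6 address range
    if any(addr in net for net in RFC1918):
        return "local-address-is-rfc1918"
    if addr in RFC6598:
        return "local-address-is-rfc6598"
    return None

def reflection_signal(local_ip: str, reflected_ip: Optional[str]) -> Optional[str]:
    """Signal 2: a remote server reports a source address that differs from our own.
    reflected_ip is None when no such server could be reached, which yields no signal."""
    if reflected_ip is None:
        return None
    if ipaddress.ip_address(local_ip) != ipaddress.ip_address(reflected_ip):
        return "reflected-address-differs"
    return None

def detect_nat(local_ip: str, reflected_ip: Optional[str] = None) -> dict:
    """Combine both signals; one positive signal is sufficient to conclude NAT."""
    signals: List[str] = [s for s in (local_address_signal(local_ip),
                                      reflection_signal(local_ip, reflected_ip)) if s]
    return {"behind_nat": bool(signals), "signals": signals}
```

A public local address with no reachable reflection server returns behind_nat False, which is an absence of evidence, not proof of a public path.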
participants (7): Alexander Harrowell; Eugeniu Patrascu; Lee, Steven (NSG Malaysia); Mikael Abrahamsson; Mike Dimayuga; Roland Dobbins; Rubens Kuhl