By now, most people have seen and heard the biggest developments from the annual AfricaCom trade show in Cape Town. For a few days every November, the continent is front and centre in the wonderful world of wireless and other hi-tech circles. As I have alluded to in previous Industry Insights, LTE (long-term evolution) mobile technology has captured everyone's imagination with its promises of continuous, ubiquitous high-capacity downloading/uploading from the airwaves. And I have considered that the state of security has taken a back seat for the roll-out, in some cases. But this cannot continue to be the case.
Electronic security is at an all-time high in the minds of wireless subscribers the world over - but none more so than in Africa, perhaps the most unplugged telecoms market of them all. In the age of WikiLeaks and the Edward Snowden/NSA scandal, no one can take security lightly.
While some may consider wireless security a necessary evil, others do not consider it at all - until it's too late and an 'event' occurs. Like the plumbing, no one takes notice until there's a backup, and then it hits the fan. Perhaps the most critical part of any LTE microwave backhaul security apparatus, access control can help prevent security breaches before they even have a chance to happen.
Access control
With access control of the LTE microwave backhaul, unauthorised personnel are prevented from logging onto the network administration. This sounds like a simple sign-on procedure, not unlike today's familiar Windows PC and Apple Macintosh laptop password protections. And in one admin-beneficial way it is - I'll come back to that later.
In every other important way, though, a strongly secured access control is the LTE operator's best friend for backhaul. It all begins with reliable, standardised technology in the form of Radius clients and AAA domains. Radius is the acronym for 'Remote Authentication Dial In User Service'. It has been in use since the early 1990s - a good hint being that its name contains a reference to the method of Internet access when AOL was the online king.
AAA is not the rating on the city's bonds or what the public health department thinks of the sanitary conditions at an eatery. AAA is the acronym for the 'authentication, authorisation and accounting' protocol that secured systems use to communicate to a domain to - well - authenticate, authorise and account for their users.
Radius client
With Radius, not only are outside hackers and other backhaul abusers prevented from logging onto the microwave radio network, but also insiders are restricted to that level of functionality they have been previously authorised to execute.
Users can only access management functions of the radio for which they have been granted permission in advance. This solution also protects against novice or new employees from stumbling around the network or perhaps being a little too curious about the equipment they operate.
Therefore, a properly deployed security solution for an LTE backhaul network will include the capability for microwave radios to support integrated Radius capability.
While some may consider wireless security a necessary evil, others do not consider it at all.
In addition, with an integrated Radius client onboard the radio, user accounts can be created and updated for the entire network - not just for individual radios. This is a great advantage in that access privileges for former employees can be quickly revoked universally across the network on their terminations, closing the window quickly on any potential malicious mischief disgruntled ex-workers may be tempted to commit.
This user permissions capability may be built into an existing IT infrastructure so that a centralised site such as a network operations centre (NOC) can serve as the hub of radio activity - the same way a distant, inscrutable corporate helpdesk manages PC user accounts.
This will virtually eliminate manual maintenance of user accounts on large numbers of radios. However, for those black swan sightings of a network outage, access control changes can still be enabled: if Radius is unavailable for any reason, a fallback position allows cached credentials to be used to log in. Also, if Radius is not accessible for extended periods, local user accounts may be used.
AAA domain
Just as it takes two to tango, an access control security solution for LTE microwave backhaul requires dual action. On the radio side, a Radius client does its part. On the network side, an AAA domain is necessary to complete the solution.
An AAA domain is what enables global microwave network access changes in conjunction with Radius capability, making it simple to administer user network access. For example, with the network administrator making changes to the Radius client, a user profile can be removed from the AAA domain, which removes all access to all radios on the network simultaneously. Overall, Radius capability and centralised AAA domain offer support for user authentication to track all authorised and unauthorised user activity and points of entry.
Another important benefit of having Radius securing an LTE microwave backhaul is its capability to protect logins. Radius prompts users to create login passwords with at least one letter and one number from eight to 32 characters for added password complexity. And if the network administrator so desires, it can also support special character requirements such as underscore or asterisk and uppercase and lowercase letters.
In these ways, Radius capability increases password complexity to prevent "dictionary" attacks that break security, by guessing logical alphanumeric password combinations based on people's propensity to pick passwords that follow predictable patterns.
Also, Radius capability helps protect against security exploits such as "mechanised" attacks, where an unauthorised user programs a computer to try a random combination of usernames and passwords on a rapid basis, in an attempt to find a valid login.
If too many invalid combinations are attempted in a given period, through use of AAA domain capability via Radius protocol, users not already logged in will be locked out from trying to log in for a specified period. Network admins can determine the number of logins that can be attempted in a given timeframe before users are locked out for a given interval. Thus, microwave network administrators can enforce hard-to-guess username/password policies.
Mission: critical
So it is critical that only authorised personnel log into the administration of microwave networks, with their basic procedures and screens seeming not dissimilar from the typical Windows or Macintosh machine.
Strongly secured access control can harden the GUI backend of LTE backhaul dialogue boxes for usernames and passwords.
Together, integrated Radius and centralised AAA domain capabilities for remote authentication, authorisation and accounting will provide that extra level of wireless security for LTE microwave backhaul. By verifying user identities before granting them access to the network, operators will take more control of the entire mobile environment, assuring their subscribers the best possible user experience.
Share