
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Networking Requirements

On a 3G network, access authentication and data encryption mechanisms are available on both the control and user planes from the UE to the RNC, so data transmission is secured. On an LTE network, access authentication and data encryption mechanisms still work from the UE to the EPC, but the S1-U interface on the user plane has only authentication mechanisms and no encryption mechanism. Therefore, compared with the 3G network, the LTE network requires additional security devices to eliminate this security risk.

In the LTE IPSec solution, an IPSec tunnel is set up between the eNodeB and the security gateway (the FW, also referred to as the SeGW in LTE) to encrypt S1 data streams, preventing user data from being intercepted on the IP-RAN and thereby ensuring the security of the LTE network. Generally, the FW is attached to both sides of a router in the EPC in off-path mode and serves as the IPSec gateway through which the eNodeB accesses the MME and S-GW. Two FWs are deployed in hot standby mode to improve network availability. Figure 9-2 shows the network topology.

Figure 9-2  Network topology for off-path deployment of the FW

In the LTE IPSec solution, traffic on the eNodeB includes S1 traffic, X2 traffic, OM traffic for communication with the NMS, and PKI traffic. Considering security and real-time performance, the carrier has different requirements for the processing of each type of traffic:

  • S1 traffic

    The S1 traffic is classified into user plane (S1 UP) traffic for voice and control plane (S1 CP) traffic for signaling. This traffic requires high security and is therefore transmitted over the IPSec tunnel.

  • X2 traffic

    The X2 traffic is bursty and does not require high security. This traffic can be either encrypted or left unencrypted. In the present case, the X2 traffic is not IPSec-encrypted because the IPSec tunnel encapsulation increases its transmission delay.

  • OM traffic

    Network devices, including the eNodeB and the FW, are managed centrally by the OM server. This management traffic does not require the protection of the IPSec tunnel. For example, clock synchronization between the NTP server of the OMC and the eNodeB requires low jitter, so IPSec encryption is inappropriate for it.

  • PKI traffic

    The PKI server issues certificates to the eNodeB and the IPSec gateway. When the eNodeB and the IPSec gateway establish an IPSec tunnel, they exchange certificates to verify the identity of each other. This traffic does not require IPSec protection either. It is sent by the eNodeB directly to the PKI server.

Figure 9-3 shows the transmission paths of the different traffic types.

Figure 9-3  Transmission of different eNodeB traffic in the LTE IPSec solution
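To make the traffic split above concrete, the following is an added model (not Huawei's configuration or code) of the first-match selector that decides which eNodeB flows enter the IPSec tunnel and which bypass it. The address ranges, and the choice of SCTP 36412 for S1 CP and UDP 2152 (GTP-U) for S1 UP, are assumptions for the example; unmatched traffic is deliberately dropped rather than silently sent in clear.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "protect" = send through the IPSec tunnel, "bypass" = plain IP
    src: str              # CIDR of the eNodeB side
    dst: str              # CIDR of the destination
    proto: Optional[str]  # "sctp", "udp", "tcp", or None for any protocol
    dport: Optional[int]  # destination port, or None for any port

# Constructed addressing plan (assumption, not from the document):
ENB_NET = "10.10.0.0/16"  # eNodeB transport addresses
MME_NET = "10.20.1.0/24"  # S1 CP toward the MME
SGW_NET = "10.20.2.0/24"  # S1 UP toward the S-GW
OMC_NET = "10.30.0.0/24"  # OM servers, including the NTP server of the OMC
PKI_NET = "10.40.0.0/24"  # PKI server issuing eNodeB and gateway certificates

# Ordered first-match selector mirroring the per-traffic requirements above.
RULES = [
    Rule("protect", ENB_NET, MME_NET, "sctp", 36412),  # S1 CP signaling
    Rule("protect", ENB_NET, SGW_NET, "udp", 2152),    # S1 UP user data (GTP-U)
    Rule("bypass",  ENB_NET, ENB_NET, None, None),     # X2 between eNodeBs, not encrypted
    Rule("bypass",  ENB_NET, OMC_NET, None, None),     # OM traffic, e.g. NTP, low jitter needed
    Rule("bypass",  ENB_NET, PKI_NET, None, None),     # PKI traffic, sent directly to the PKI server
]

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def classify(flow: Flow) -> str:
    """Return "protect", "bypass", or "drop" (no rule matched) for one flow."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for r in RULES:
        if src not in ipaddress.ip_network(r.src):
            continue
        if dst not in ipaddress.ip_network(r.dst):
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "drop"  # default deny: traffic outside the plan gets no path at all
```

Running a flow per traffic type through classify() shows S1 CP and S1 UP as "protect", X2, NTP and PKI as "bypass", and a flow to an address outside the plan as "drop".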

Updated: 2019-01-26

Document ID: EDOC1100062972
