How O2 secured its network for the iPhone

U.K. mobile operator O2 had exclusive rights to Apple’s iPhone in the United Kingdom for two years, much like AT&T in the States. Here’s how it handled the security challenges presented by the world’s most popular, IP-intensive phone.

When it comes to Apple’s iPhone, the following clichés must certainly ring true for network operators trying to support the iconic, bandwidth-hungry device: too much of a good thing; the devil is in the details; and perhaps above all: careful what you wish for, you just might get it.

Led largely by the iPhone – the first device to make mobile browsing palatable, while also introducing a whole new world of traffic-consuming “apps” – today’s connected devices pose considerable challenges for network operators. Most of the attention goes to the network itself, both the need for upgrades to the radio interfaces that let users jump on the network at 3G and soon 4G speeds, as well as various aspects of the mobile transport network itself, including backhaul to and from cell towers and the emerging converged packet core.

Yet such devices present a major challenge in another crucial area as well, one which, if it were to go untended, could result in even more dire consequences than a few dropped calls and a “there’s a map for that” ad campaign – namely, security.

Smartphones like the iPhone, emerging Android devices, and even standbys like BlackBerry or Windows Mobile devices pose unique security challenges for mobile operators. For starters, they have brought true IP data networking into the mobile realm, and with it all the security challenges wireline carriers face: hostile probing, virus and Trojan threats, and attempts to overwhelm the network with denial-of-service attacks, to name just a few. Mobile IP security also demands new levels of real-time network and user authentication, bread-and-butter firewall protection, and other new types of security platforms and practices.

For network operators, mobile operators included, such concerns are hardly new. But the massive mobile data onslaught unleashed by the iPhone and other new devices has significantly raised the stakes. More users draw the interest of hackers, as mobile data networks become a more visible target. Meanwhile, the sheer number of IP connections that must be secured in any individual user session, let alone cumulatively across tens of thousands of simultaneous connections, puts the security issues on a whole different scale. Finally, there are straightforward customer experience concerns: as users grow accustomed not only to surfing the Web and checking email over the mobile network, but to conducting mission-critical business and sending passwords and credit card numbers over it, a high-profile security problem would be even more of a PR disaster than a network outage or mere congestion.

With that in mind, we had the chance to talk with O2 about how it is securing its mobile data network, including at a high level what its security infrastructure looks like today, and what it believes it needs to do to keep up with the rapid growth of mobile broadband services.

The iPhone Effect

As with AT&T and the iPhone here in the U.S., O2’s iPhone experience has been a win some, lose some proposition. For two years – or until this fall when Orange and later Vodafone joined it in offering the iPhone in the U.K. – O2 had exclusive rights to distribute the iPhone in the United Kingdom.

Like AT&T, O2 had both great success with the iPhone, including an 18-fold growth in data traffic, and some high-profile bumps, including customer complaints about network congestion. At one point the U.K. regulator, Ofcom, even chided O2 on holes in its coverage, and the company issued a public apology for the network problems. At the end of last year, O2 said it was rushing in an investment of $48 million in its mobile network, including 200 extra base stations, to ease data congestion problems, in London in particular.

Throwing more base stations at a network congestion problem helps solve the raw bandwidth shortfall. But the explosion of data traffic posed just as large a challenge for O2’s network security team. While network operators are always circumspect when talking about security platforms and procedures, O2 was willing to share a bit about their efforts to keep their network secure in the face of the iPhone data explosion.

“The problem that we were seeing is that the iPhone took off like no other device before it,” said Ian Waggot, head of technical security at O2. While Waggot’s team had in the past reinforced the O2 network to support secure email and light browsing on smartphones like RIM’s BlackBerry devices, the iPhone represented an altogether different challenge. For starters, thousands of iPhone apps access and use the network in a multitude of new ways, Waggot said, such as streaming media or highly interactive applications like map navigation. And those apps open many more simultaneous IP sessions than any device before it.

“The age-old security problems of viruses and attacks – we’re not seeing a great deal of that [with the iPhone],” Waggot said. “Mainly what we’re seeing as a problem is because the iPhone generates so many [unique, simultaneous] sessions. For instance, Google Maps, all by itself, could generate 24 different sessions. It is very challenging for our firewalls and NAT [network address translation] systems to deal with that.”

To help enable and secure those connections, O2 uses a security platform and network firewall from Crossbeam Systems. That platform essentially “protects customer handsets from threats coming from the Internet while also protecting our mobile data environment and infrastructure,” Waggot said.

O2 had originally deployed the Crossbeam platform for another of its capabilities: consolidating multiple security services into a single hardware chassis. But when its mobile data traffic started to explode, O2 decided to use Crossbeam as its mission-critical firewall platform as well, running firewall software from Check Point on Crossbeam’s X-Series hardware and switching platform. The combination of the Check Point firewall software and Crossbeam’s traffic management capabilities enabled O2 to deliver the high rate of network address translations necessary to keep up with the sessions generated by the iPhone, Waggot said. All told, the platform can handle six million simultaneous sessions across O2’s network and smart-device customer base.
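The session-count problem Waggot describes (two dozen sessions from a single maps app) and the six-million-session capacity figure above both come down to one question: how many entries must a stateful firewall or NAT table hold at once, and what decides that number? The following is an added example written for this article, not O2’s or Crossbeam’s code. It models a bounded connection-tracking table with an idle timeout, feeds it a constructed traffic pattern (100 handsets, each opening 24 sessions every minute, each session active for 10 seconds), and compares the result with the Little’s-law estimate used in capacity planning. The handset count, burst sizes, timeouts and capacity are all assumptions chosen for illustration.

```python
"""
Stateful firewall / NAT session-table sizing model.

Added example, not O2's or Crossbeam's code. It models the problem Waggot
describes (one app opening two dozen sessions per handset) against a bounded
session table governed by an idle timeout, and compares the simulated
occupancy with the Little's-law estimate used in capacity planning.
All traffic parameters below are constructed for illustration.
"""
from collections import OrderedDict


def littles_law_sessions(new_sessions_per_sec, avg_table_lifetime_sec):
    """Mean concurrent sessions = arrival rate x mean time an entry stays in
    the table (active time plus idle timeout). Bursty arrivals push the peak
    above this mean, so a table is sized to the peak, not to this figure."""
    return new_sessions_per_sec * avg_table_lifetime_sec


class SessionTable:
    """Bounded connection-tracking table; entries are kept in last-seen order
    so idle-timeout expiry only ever inspects the front of the queue."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self._last_seen = OrderedDict()  # session key -> time of last packet
        self.peak = 0                    # highest occupancy reached
        self.rejected = 0                # new-session packets refused (table full)

    def expire(self, now):
        """Evict every session that has been idle longer than idle_timeout."""
        while self._last_seen:
            _, last = next(iter(self._last_seen.items()))
            if now - last <= self.idle_timeout:
                break
            self._last_seen.popitem(last=False)

    def packet(self, now, key):
        """Account one packet of session `key`; False if a new session was refused."""
        if key in self._last_seen:
            self._last_seen[key] = now
            self._last_seen.move_to_end(key)
            return True
        if len(self._last_seen) >= self.capacity:
            self.rejected += 1
            return False
        self._last_seen[key] = now
        self.peak = max(self.peak, len(self._last_seen))
        return True

    def __len__(self):
        return len(self._last_seen)


def simulate(handsets=100, sessions_per_burst=24, burst_period=60,
             active_secs=10, duration=600, idle_timeout=300, capacity=None):
    """Constructed traffic: at the start of every `burst_period` each handset
    opens `sessions_per_burst` sessions (a maps-style refresh); each session
    sends one packet per second for `active_secs`, then goes quiet
    (assumes active_secs <= burst_period). Returns (peak occupancy, mean
    occupancy over the second half of the run, refused new-session packets)."""
    table = SessionTable(float("inf") if capacity is None else capacity, idle_timeout)
    occupancy = []
    for now in range(duration):
        table.expire(now)                       # timer-driven expiry each second
        burst = now // burst_period             # the most recent burst
        if now - burst * burst_period < active_secs:
            for h in range(handsets):
                for i in range(sessions_per_burst):
                    table.packet(now, (h, burst, i))
        occupancy.append(len(table))
    steady = occupancy[duration // 2:]
    return table.peak, sum(steady) / len(steady), table.rejected


if __name__ == "__main__":
    # 100 handsets x 24 sessions every 60 s = 40 new sessions/s on average
    print("Little's law, 300 s idle timeout:", littles_law_sessions(40, 10 + 300))
    for timeout in (30, 300):
        peak, mean, _ = simulate(idle_timeout=timeout)
        print(f"idle_timeout={timeout:3d}s  peak={peak:6d}  mean={mean:8.1f}")
    peak, _, rejected = simulate(idle_timeout=300, capacity=10_000)
    print(f"capacity=10000 peak={peak} refused_new_session_packets={rejected}")
```

Two things fall out of running it. First, the same 40 new sessions per second occupies roughly nine times as many table entries with a 300 s idle timeout as with 30 s, so the idle timeout, not the per-app session count alone, sets the table size a carrier firewall or NAT has to be dimensioned for; shortening it frees entries but drops sessions that legitimately go quiet (push channels, long polls), which then reconnect and add churn. Second, the mean occupancy matches arrival rate multiplied by table lifetime exactly (Little’s law), while synchronized bursts push the peak above the mean, and once the table is full new sessions are refused outright. The same relation reads backwards from Freeze’s figures later in the article: tens of millions of concurrent sessions at hundreds of thousands of new connections per second implies an average table lifetime on the order of a minute.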

Now that it is comfortable running the Check Point firewall on the Crossbeam hardware, O2 is also considering moving additional security software onto the Crossbeam chassis, including intrusion detection software from IBM and a database and application security system from Imperva that deals with payment card security. Although O2’s Waggot likes the simplified management of running all that software on a single piece of virtualized Crossbeam hardware, not surprisingly he wants to sort out his overall data security architecture first, stressing the need to guarantee high availability for all these mission-critical systems while keeping them secure.

The scaling challenges faced by mobile operators like O2 require something more than specialized security appliances, according to Jim Freeze, Crossbeam’s CMO. While such appliances – which typically run a single security application on a closed, purpose-built piece of hardware – are all the rage in enterprise security circles because they are easy to deploy and administer, mobile data networks need something with more processing power that can also handle rapidly scaling data requirements.

“You’d be surprised when you walk into a high-end network data center these days how often you see boxes sitting on top of boxes of network appliances,” Freeze said. Crossbeam’s value proposition is to be able to consolidate all those distinct boxes – at as much as a 50 to 1 rate – into a single, bladed hardware chassis that also includes layer 2/3 switching, load balancing and deep packet inspection capabilities to keep the inline security software from slowing down overall network performance.

All told, the Crossbeam platform today can be used to deploy firewalls, intrusion detection, secure Web gateways, Web application firewalls and secure mail gateways from vendors including Check Point, Sourcefire, Trend Micro, Websense and OptiNet, with additional vendor partnerships coming soon, Freeze said. The hardware runs that security software inline on the mobile network, in a completely self-contained segment, with multiple 1G or 10G interfaces in and out of the chassis.

In addition to competing with specialized security appliance vendors, Crossbeam – particularly for large public networks – competes with IP switch vendors like Cisco or Juniper, which typically aim to consolidate those same security services right into their switches. That’s an appealing idea for network operators, but the choice comes down to buying an all-in-one solution as part of a monolithic IP switch purchase or looking for a more best-of-breed approach. Regardless of which direction mobile carriers go with their vendor choice, the technology requirements remain the same as data traffic continues to explode, said Crossbeam’s Freeze.

“What wireless carriers will ultimately need is guaranteed application performance capabilities, tremendous throughput in the range of multiple ten gigs, super low latency and the ability to support tens of millions of simultaneous connections, with hundreds of thousands of new connections opening up per second,” Freeze said. “New devices like the iPhone are great for the carriers, but they also represent a great new challenge for the network as well.”

© 2010 Penton Media Inc.