GPRS security as a QoS in the telecommunication industry case of Vodafone Egypt

The changes taking place in the world today are largely due to the developments and evolution in a number of industries; one of which is information and communication technology. Focusing on communications solutions with an emphasis on business applications, it is obvious to claim that business applications that are being deployed with 2.5G wireless networks fall into two general categories: (a) horizontal applications “mobile office” such as electronic mailing, voice communications, Internet access, short messaging and personal information management (PIM) tools and (b) vertical applications “sales force automation”(SFA) and field force automation (FFA), fleet management, government communications and public safety, telemetry and remote monitoring, point-of-sale as well as financial services. The new generation of wireless devices being introduced to the market for 2.5G global system for mobile communications (GSM) and general packet radio service (GPRS) services is designed to support these applications, with features ranging from small standard keyboards to high resolutions rich colored screens. The impressive growth of cellular mobile telephony as well as the number of Internet users promises an exciting potential for a market that combines both innovations. The general packet radio service (GPRS) is a new non-voice value-added service that allows information to be sent and received across a mobile telephone network. Users of GPRS benefit from shorter access time and higher data rates. It is important to note that the standard GPRS network itself does not offer a reasonably secure solution for providing mobile access to a corporate local area network (LAN). Although, the air interface ciphering and the GPRS authentication process are secured, the IP traffic is unencrypted all the way from the serving GPRS support node (SGSN) to the corporate LAN gateway. The most feasible solution for secure remote connections would be to use an end-to-end virtual private network (VPN) solution from the mobile station (MS) to the corporate LAN gateway where the traffic is encrypted for the whole connection and the user can slip to the Internet from the nearest access point. It is important to separate the user traffic from the control traffic to guarantee high level of security with a minor impact on quality of service (QoS) which means providing consistent and predictable data delivery service that can lead to customer application requirement satisfaction. However, to achieve that security has to be looked at as the key player in the new GSM data networks when deploying GPRS. This chapter demonstrates the case of Vodafone Egypt, one of the mobile operators, in deploying GPRS networks while focusing on exploring the business opportunities and motivating factors to implement GPRS. Moreover, the chapter proposes solutions on how to create secure connections over GPRS networks while proposing a security policy for Vodafone Egypt. Introduction Wireless communications have entered an extraordinary new era and more is expected to be realized in the few years to come. The new transformations provide new opportunities for organizations to increase its productivity, efficiency and effectiveness; create strategic differentiation in highly fierce and competitive marketplaces; and enable better and more customized communications and support to customers and vendors. The evolution of wireless communications is occurring against a backdrop of economic uncertainty, decision-making processes that are taking place in a crisis management mode of operation, increased competition on all fronts and one that brings competition from all corners of the world in a fast growing digital economy with the forces and drivers of the information and communication technology evolution such as the Internet and the World Wide Web. Moreover, technology ads to the challenges and opportunities faced by societies around the world at both local and global levels. The power and efficiency of being remotely located from the office and having a conversation or a dialog with a customer while reading and responding to an electronic mail from another customer and using a wireless handheld device. The competitive implications are enormous and evolving all the time with regard to being able to instantly alerting field personnel to different developments and having mobile field staff update central databases in real time modality. Envision the ability to rely on a wireless voice and data network in a crisis or maintain continuous wireless voice and data communications channels with various vendors and customers. Today, these capabilities and more are prevailing and are already being successfully deployed by some of the world’s most innovative and competitive organizations. These different evolutionary developments are made possible by technology giants such as wireless carriers known as second-and-a-half generation (2.5G) services which represent a major evolutionary step towards third-generation (3G) services that will provide additional capabilities such as streaming audio and video to meet future evolving communication needs. This chapter addresses wireless strategies and demonstrates how 2.5G wireless services are already delivering solutions to today’s business communications challenges and how IT managers, functional area vice presidents and chief technology officers (CTOs) should consider their wireless strategies today. Many leading edge organizations have recognized that they do not need to wait for future 3G services. They have already discovered the key to a number of benefits and 1 The chapter is based on a research conducted by Mohammed M M El Sayed in 2002 as part of fulfilling his Master of Science requirements for a degree in business information technology from Middlesex University in the UK. advantages of 2.5G wireless communications in addressing many of its most pressing business issues such as; (a) driving down costs and inefficiencies, (b) increasing competitive differentiation, (c) leveraging IT investments, and (d) creating flexibility and mobility. With respect to costs and inefficiencies; the amount of time list when officers and employees in general are out of the office or commuting can be transformed into productive and useful time when employees have constant voice and messaging access to each other and wireless access to key corporate local area network applications. Additionally, increasing the efficiency and speed of communications, information sharing, and decision making can drive additional cost down and hence the result is a more effective business model that can be used by various organizations (www.idc.com). As for competitive differentiation; wireless communication can increase the quality and depth of customer interaction by allowing faster response rate and time and respectively contributing to the overall customer satisfaction and retention rate from an organizational perspective. With respect to leveraging IT investment; wireless accessibility can increase the utilization of existing IT investments by making essential applications available from remote locations where the problem of time and distance are gradually disappearing from daily operations. Finally, creating flexibility and mobility could be a major function of secured wireless communications by allowing non-stop access to mobile personnel and applications with wireless mobility creating inherent geographic distribution capabilities for disaster readiness and crisis response and management. The chapter focuses on the case of Vodafone Egypt, a subsidiary of the world’s GSM leader Vodafone Group (UK) which also owns 60% of Vodafone Egypt and other share holders include Egyptian, British and French companies (www.vodafone.com.eg). Vodafone Egypt is one of two mobile operators in Egypt. It services started in November 1998. The company mission is to provide customer-driven, innovative, world-class communication profitably and to be the employer of first choice in Egypt. Vodafone Egypt is a mobile centric and a customer-driven company with a very special and focused interest in the latest GSM and communication technologies such as (a) high speed circuit switched data (HSCSD) which enables GSM subscribers to connect to the Internet at a speed comparable to that of traditional land network (34K); (b) general packet radio service (GPRS) which enables the GSM to connect to the Internet at higher speeds approaching (110K) and (c) third generation mobiles which enables GSM subscribers to have enhanced mobile experience with real time multimedia tools, features and applications. Telecommunications in Egypt It is important to note that since 1999 and until the end of the second quarter of 2003 a number of achievements in the quest of building the nation’s telecommunications infrastructure were realized. This includes the liberalization of the telecommunications sector by providing private-sector companies with new licenses for mobile telephones, payphones, Internet, data networks and portal services; the establishment of the Telecommunications Regulatory Authority (TRA) for licensing telecommunications services and for the drafting of a unified telecommunications act; continuous collaboration between the government and the private sector for the development and policy setting of the sector; partially modernizing the core backbone of the network; restructuring the tariffs of the sector; increasing the number of available land lines. Moreover, the Internet was introduced to Egypt in 1993 with 2000 users (Kamel, 1998a). Within the context of the market in Egypt, its use developed from being used solely by the government and academic institutions to becoming more of a standardized search and communication tool used by everyone from the government to academic institutions to individual users, to companies and other commercial organizations, to hospitals and medical centers. The Internet use is constantly being encouraged by the government and by private investors who establish their own Internet service providers. The Internet was first introduced to Egypt by the Egyptian Universities Network of the Supreme Council of Egyptian Universities. In 1994, as an attempt to diffuse the Internet usage among the society, the Cabinet of Egypt Information and Decision Support Center (IDSC) and the Regional Information Technology and Software Engineering Center (RITSEC) provided free Internet access on a trail basis to the public, private, government and nongovernment organizations to entice the users to venture into the new technology. This was done with the financial support of the government of Egypt, in an attempt to aid in the global exposure of the local market and to pave the way for the commercialization of the Internet services. The free access formula was accredited for contributing to the boost in the rate of growth of Internet users, especially within small and medium sized enterprises and industry and sector professionals (Kamel, 1998b). In 1996, the government replaced its free Internet access policy with an open access policy and Internet services for the commercial domain were privatized, and 12 Internet service providers started their operation. Today, there are around 50 ISPs serving over 2.2 million Internet users (Fahmi, 2003). Most of the Internet usage in Egypt is for business information gathering (Loch, Straub and Kamel, 2000). It is fair to say that Egypt tops the index of bandwidth with a score of 2.11 (American Chamber of Commerce in Egypt Report, 2002). In January 2002, the government of Egypt launched a new initiative through it ministry of communications and information technology providing free nationwide access to the Internet to all citizens of the country. This has created a larger demand for connectivity and had also an impact on the streets of Egypt with the establishment of Internet cyber-cafes reflecting a sign that there is a strong market demand for the Internet in Egypt. However, it is important to note that to-date it is not clear how the impact of the free Internet model has really affected in the growth of the number of Internet users (Palmgren, 2003). The Internet evolution in Egypt demonstrated the active role played by the government. With the privatization of the Internet in 1996, the role of the government did not come to an end. The government still provides strong support for the ISPs in the form of upgrading the infrastructure to enable them to offer better connection speeds to their users as well as providing them with technical support in the administration of their servers. In addition to the hardware and infrastructure, the Internet market is witnessing a growth in the software market with more web programmers being trained and more web design companies being established encouraging commercial users to utilize the web as a business development engine (Loch, Straub and Kamel, 2003). General Packet Radio Service – An Overview The rapid development and growth of the mobile industry coupled with the increasing number of Internet users promises many potentials in the near future for a massive global market that combines both innovations and technologies leading to an extensive demand for wireless data services in the future. Users in general will be looking for highperformance wireless Internet access. However, existing cellular data services do not fulfill the needs of different users and providers. From a user’s perspective, data rates are too slow and the connection setup takes too long and is rather complicated. Moreover, the service is too expensive exceeding the amount that could be afforded by the general citizen, let alone in developing nations such as in the case of Egypt. From a technical perspective, the drawbacks could be explored from the fact that the current wireless data services are based on circuit switched radio transmission where in the case of heavy traffic such as the Internet traffic this leads to highly inefficient case of resource utilization because under that framework a complete traffic channel is allocated for every single user for the entire duration of the call. Therefore, whenever traffic is high and congested, packet switched bearer services perform better results than in the case of traffic channels and that is because the channel will only be allocated when needed and released right after the transmission of the packets allowing the concept of a multi-user sharing the same physical channel (Faccin, Hsu, Koodli, Le and Purnadi, 1999). In order to address such inefficiencies, two cellular packet data technologies have been developed to date; (a) cellular digital packet data (CDPD) and (b) general packet radio service (GPRS). GPRS is a new bearer service for GSM that greatly improves and simplifies wireless access to packet data networks such as the Internet. It applies a packet radio principle to transfer user data packets in an efficient way between GSM mobile stations and external packet data networks. Packets can be directly routed from the GPRS mobile stations to packet switched networks. It is important to note that networks based on the Internet protocol (IP) such as the Internet and private and corporate intranets and X.25 networks are supported in the current version of GPRS. Users of GPRS benefit from shorter access times and higher data rates. In conventional GSM, the connection set up takes several seconds and rates for data transmission are restricted to 9.6K bits per second. GPRS in practice offers session establishment times below one second and ISDN-like data rates up to several 10K bits per second. Moreover, GPRS packet transmission offers more user friendly billing than that offered by circuit switched services. In circuit switched services, billing is based on the duration of the connection which is unsuitable for applications with heavy traffic. Respectively, the user has to pay for the entire airtime even for idle periods when no packets were sent (e.g. when the reader browses a website). However, with packet switched services, billing is only based on the amount of transmitted data. GPRS has a number of unique features that could be described as follows (a) speed, (b) immediacy; and (c) new and better application. In terms of speed, GPRS theoretically could go up in terms of speed to 171.2 kbps using all 8 time slots at the same time which is about 3 times as fast as data transmission speeds possible over today’s fixed telecommunications network and 10 times as fast as current circuit switched data services on GSM networks. Therefore, by allowing information to be transmitted more quickly and more efficiently across the mobile network GPRS will be a relatively less costly mobile data service compared to SMS and circuit switched data. With respect to immediacy, GPRS facilitates instant connections subject to radio coverage and no dial-up modem connection will be required. Immediacy is important for applications such as remote credit card authorization avoiding holding customers for long periods at the counters. With respect to new and better applications, GPRS facilitates many Internet applications that were hindered with speed and message length and that includes web browsing and chatting over the mobile network as well as file transfer, home automation through remote access and controlling in-house appliances and machines. The World Wide Web is becoming the primary communications interface-people access the Internet for entertainment and information acquisition and knowledge dissemination, the intranet for accessing company information and connecting with colleagues and the extranet for accessing customers, suppliers and partners in the supply chain. All the entities mentioned above are derivatives of the World Wide Web that aim at connecting different communities of interest together. Additionally, there is trend and an encouragement away from storing information locally on personal computers but rather remotely on the Internet. Therefore, web browsing is becoming a vital application for GPRS because it uses the same protocol, GPRS can be seen as a sub-network of the Internet with GPRS capable mobile phones being viewed as mobile hosts. In that sense, each GPRS terminal can potentially have its own IP address and will be addressed accordingly just like the URLs and the World Wide Web (www.mobilegprs.com). GPRS Importance and Usage for Business In today’s business environment, business communications solutions is being delivered using 2.5G and business applications that are being deployed both horizontal and vertical will be better served with the new generation of wireless devices being introduced to the market for 2.5G GSM/GPRS services that are designed to support these applications with features ranging from small standard keyboards to high-resolution and rich color screens. The applications include: sales force automation, field force automation, fleet management, government communications and public safety, telemetry and remote monitoring, point of sale, customized solutions and financial services. In general it is important to note that there is no doubt that GPRS will increase GSM mobile operators revenues as they are expected to capitalize on the newly introduced portfolio of new services and applications (www.strategyanalytics.com). Quality of Service (QoS) The concept of quality of service reflects the provision of consistent and predictable data delivery service, in other words attempting strongly to satisfy customer application requirements. Quality of service (QoS) is the ability of a network element (e.g. an application, a host or a router) to have some level of assurance that its traffic and service requirements can be satisfied to the maximum capacity. It is important to note that for QoS to be enabled there need to be a cooperation of all network players from top to bottom as well as every network element from end-to-end. QoS is there to manage bandwidth according to application demands and network management settings. Respectively, QoS is to guarantee high quality of service requires resources allocation to individual data streams. QoS is important to assure customer satisfaction and continuous growth of the network. The Internet Protocol (IP) and the architecture of the Internet itself is based on the simple concept that data grams with sources and destinations addresses can traverse a network of (IP) routers independently without the help of their sender(s) or receiver(s). The Internet was historically built on the concept of a dumb network with smart agents at either end (sender and receiver). However, for such simplicity IP provided only a few services. Reliability was not maximized because there was no guarantees that the delivery of data at the other end, it was more or less a best effort service. Such a problem was relatively controlled with applications such as electronic mail, web browsing, and files transfer, however new applications such as audio and video streaming demand high data throughput capacity such as bandwidth and have low-latency requirements when used in two-way communications such as conferencing and telephony. In that respect, QoS can offer some services and benefits that can render the service of data and other forms of content sent delivered quicker and in better form. QoS can offer a range of services and benefits to applications, enterprises and service providers. In terms of benefits to applications and with the increasing use of the Internet and the World Wide Web in business development, there is a growing need for QoS technologies to provide the tools for IT managers to deliver mission critical business over the public network and to ensure that they are delivered with the maximum level of quality. In terms of benefits for enterprises, applications are getting more demanding and mission-critical applications deployed over IP networks increasingly require quality, reliability and continuous assurances. In that sense, QoS technologies allow IT managers to (a) manage jitter sensitive applications such as audio and video playbacks, (b) manage delay-sensitive traffic such as real-time voice and (c) control loss in times of inevitable congestions. As for the benefits to the service providers, with the industry increasingly aware of the issues of quality and the outsourcing trends of network services to service providers there is an opportunity to excel on the grounds of quality and try to attract growing enterprise businesses since QoS will allow service providers to offer new and more services such as real-time traffic support creating additional revenue generation streams (www.3gpp.org). QoS addresses heavily the issue of security since it is an integral element of quality service delivery (www.ietf.org). The new GSM data network should be addressing the issue of quality and security as a critical element for its operability. Respectively, security issues should be well addressed when deploying GPRS in GSM networks. GPRS Security The threats to GPRS are very different from the circuit switched GSM. For GSM security problems are limited and not many hackers can crack the obscurity SS7 protocol. However, this is not the case with GPRS which is exposed to a lot more intruders because of the IP based backbone. Intruders to GPRS can be people or organizations that attempt to breach the confidentiality, integrity and availability if not defraud users. The GPRS backbone is implemented on IP networks, which means that the routing and access control issues have to be carefully considered when implementing the network. IP is a connectionless and stateless protocol that was designed to connect friendly and cooperative users on an unreliable network. At the time of its development, IP security was not the most important factor and it is factual that it is quite difficult to create adequate security solutions to an already implemented protocol. The major security weaknesses in basic IP are that IP packets are readable to anyone having access to an intermediate router. IP packets from one node to another also tend to follow the best route so that the potential intruder has most likely access to all IP packets between all communicating nodes. In that respect, IPSec has been developed to solve the security weaknesses of IP by protecting both integrity and confidentiality of the IP packet without changing the interface of IP. IPSec is also invisible to upper layer protocols however its drawbacks can be seen in increased protocol processing cost and the overhead traffic it creates. When GPRS is implemented it is important that the security is taken care of because users both private individuals and corporations can feel more safe and use the different services that the operators offer where some of which might require high security measures such as financial transactions, transfer of medical information and exchange of personal electronic mail messages. Confidentiality, Integrity and Authentication (CIA) are 3 different services that computer and network security should handle properly. Moreover, it is important to have strict control for who should have access control with denial-of-service for unauthorized users. Network Elements under Threat The network elements can be divided into 2 different types based on the fact whether they use GPRS transport protocol (GTP) or not. It is important to note that MS is the most vulnerable part of the GPRS network and its security depends mainly on the skills and capacities of the owner which makes MS an interesting and vulnerable target for different hackers. The operating system of MS – TE is usually designed to be operating in secure environments which leave the node insecure in an open environment regardless the skills and precautions of the user. This deficiency in security could lead to anything including operating system crash or unauthorized access to confidential security. All routes leading to the backbone can be used to attack the GGSN which unwraps the GTP envelops and can be used to tunnel rogue packets. Lawful Interception Gateway (LIG) and Charging Gateway (CG) could also be attacked. IP nodes such as Network Management Station (NMS) is another target for attack by trying to bypass the GGSN firewall and Domain Name Server (DNS) which could be attacked if a successful attack is on the Disk Operating System (DOS) could disable the DNS then the network could be severely crippled (ETSI TS 121 133, 1999). Types of Information to be Protected Within the network environment, there is a variety of information that needs to be protected and they relate to different stakeholders associated with the network management and operation and that includes; (a) user data transmitted by different individuals (both subscribers and roaming users) on the GPRS network which is mainly the responsibility of the operators; (b) charging information reflecting the tickets that the charging system generates which should be also protected. They are generated by GSN devices and collected by GC and should be reliable and secure. Their integrity and confidentiality is vital because it is based on the volume of data so that users should be protected from needless data which are not initiated by the user however come from external networks such as the Internet; (c) customer information which should be located in a secured database where HLR should be located in the NSS segment of the network and VLR databases should be integrated with SGSN devices and (d) technical information of the GPRS network where the configuration and management related has to be well protected. Types of Potential Hackers There is a wide variety of potential hackers to different types of networks and that includes internal as well as external hackers. One the one hand externally intruders could include crackers, subscribers, subcontractors, and associates. On the other hand internally intruders reflect the staff of the organization across different levels. Security Threats to GPRS Cell phones are faced with the same problems of personal computers that are connected to a network that is accessing the Internet. Intruders to a cell phone or a personal computer or a terminal can modify, insert or delete an application or data stored in the terminal which is comparable to a virus attack. Moreover, the SIM card is also vulnerable to the integrity of the data just like the terminal. Access to both could be done locally or remotely. This could be done through a modality of ways including (a) stolen terminal and SIM card, (b) borrowed terminal and SIM, (c) data manipulation, (d) confidentiality and authentication of user data, (e) cloned SIM card, and (f) non-type approved terminals and defective equipment. The significant point of attack between the MS and the SGSN is actually the radio interface between the terminal and the BSS. Such threats can be separated in 4 different ways; (a) unauthorized access to data, (b) threats of integrity, (c) denial of service attack and (d) unauthorized access to services. Respectively, there are a number of technical security solutions against the threats presented to GPRS and that includes (a) encryption, (b) authentication, (c) firewalls, (d) routing, (e) IP addressing, (f) secure protocols, and (g) frequent back-ups. Case of Vodafone Egypt There are a number of forces that made Vodafone Egypt go for deploying GPRS as its new data service in an attempt to gain a competitive advantage in the mobile network market in Egypt. The objective was to improve the service and lower the cost and hence, as in any industry, the quality of service (QoS) was critical to keep current customers or attract new customers. The competitive forces model shows how any firm can handle the external threats and opportunities (?). From Vodafone Egypt’s perspective, there was a number of threats that motivated the firm to deploy GPRS against the 5 forces model which could be demonstrated as follows (a) Vodafone Egypt main competitor MobiNil was planning to deploy GPRS by the end of the 2 quarter of 2003, (b) threats of another operator planned to be launched around the same period offering GPRS services as well was increasing, (c) Egypt being a tourist destination receiving an increasing number of tourists every year leading to an increasing number of roamers which could be a major revenue vehicle for the firm, (d) having to handle local competition from free internet service providers and wireless application protocol enablers by demonstrating the advantages of GPRS services and (e) keeping the pressure on other technology providers and third party application providers by promoting a unique service and becoming its leader in the marketplace. Vodafone Egypt is facing some vital technological and economic decisions and changes to be taken and properly implemented. Vodafone, the parent company is the largest mobile operator worldwide comprising 28 operators of which 16 operators are Vodafone owned with more than 50% shareholding and Vodafone Egypt is one of them. It is important to note that the telecommunications sector at large is undergoing dramatic and major changes due to new entrants as operators for 3G networks or information technology giants such as IBM, Sun Microsystems and Microsoft which are continuously addressing telecommunications applications and tools as a valuable platform for their information technology products and services. Due to the introduction of the new 3G networks which started with GPRS and other services are envisioned in the near future, it is probably a must that organization, maintenance and management of networks will be soon changing. In that respect, Vodafone is in a period of transition from being a full voice service provider towards becoming an enabler for 3G services some of them might be provided by third parties. Such transition and the changes to be introduced should well put on its focus the security issue and how to properly handle it. From a Vodafone perspective security includes operational, technical and customer elements. The firm’s objective making sure the availability and quality of Vodafone mobile communication services and applications against attacks causing malfunction of service or loss of service quality. Figure 1 demonstrates Vodafone Egypt security target areas which include availability, quality and reliability of Vodafone interfaces to other business partners; the firm’s data and information assets protection as well as that of its wide customer base in addition to the protection of the intellectual property of the firm, its financial investments and brand; finally the ability to monitor and invoice all events and customers and also the ability to deny access and retain control over all assets that are part of its network. Figure 1 –Vodafone security target areas Proposed Security Solution With a mission to provide optimal quality service for its customers Vodafone Egypt is always striving to improve its different systems and provide better solutions for its customers. In terms of security there are a number of alternatives and following is an option that could be well considered since it helps realize the objectives of the organization especially while embarking on a full-fledged implementation using GPRS. It is important to note that the proposed security solutions realizes the conditions of the market in Egypt as well as puts into consideration and environmental framework of the Vodafone itself as an organization. First, it is important to define the security policy issue which reflects a set of rules and practices that specify and regulate how a system or an organization provides security services to protect its vital resources irrespective of the type of such resource. This is usually followed by the need to inform different users, staff and managers of their obligations for protecting technology, information and other vital and sensitive organizational resources. However, it is vital that the policy itself identifies the mechanisms through which these requirements are to be met. Moreover, there is a need to identify what exactly is to be protected (determination of assets) and what are the identified and known versus potential threats. Severity is scaled in the range from [0] to [5] where [0] is the least and [5] is the highest and in that respect the risk factor is an element and a product of both scaled-probability ([0] to [5]) and severity and the results usually range between [0] and [25]. The risk factor is believed to be between [0] and [5] this reflects a low risk margin, [6] to [10] Vodafone Services and applications Network