Introduction to RAN and Why It Is Critical to Mobile Network Security

Cybersecurity R&D
RAN Security Series: Part 1 of 4

The Gate We Forgot to Guard

When people talk about mobile network security, the conversation almost always gravitates toward the core network. Firewalls, signaling protection, fraud systems, hardened data centers, all critical, all necessary. However, there is another part of the network that quietly sits in public spaces, exposed by design, and trusted by billions of devices every day: the Radio Access Network (RAN).

The RAN is the front door of the mobile network. Every call, message, and data session passes through it before reaching the core. If the core is the castle, the RAN is the gate, and historically, it hasn’t received the same level of security attention.

Understanding the Radio Access Network (RAN) Environment

The RAN refers to the mobile network components that interconnect User Equipment (UE), such as smartphones, with the core network. The different mobile generations (e.g., 2G, 3G, 4G and 5G) have different network architectures, the RAN included, so the components may differ from one generation to another.

In 2G and 3G networks, the RAN is composed of the base station transceiver (BTS) in the case of 2G and the NodeB in the case of 3G; both have in common the Radio Network Component (RNC). In 4G (LTE), the architecture changed: the RNC is no longer part of the architecture, and the primary RAN component is the eNodeB, which acts as the base station. The eNodeBs are deployed across rooftops, towers, and lampposts, making them physically distributed and publicly accessible. They manage the radio interface and coordinate communication between mobile devices and the network. In this blog post we will discuss the RAN concepts in the context of the 4G generation.

Before diving deeper, it’s helpful to visualize the main building blocks of the RAN and how they relate to each other.

Figure 1: 4G RAN main components

Beyond the RAN, the core network, which is viewed as the brain of the network, comes into play. As with the RAN, each generation has its own architecture with different protocols, interfaces and procedures. For example, in 4G the Evolved Packet Core (EPC) functions have the following responsibilities and functionalities:

    • User authentication
    • IP address assignment
    • Traffic routing
    • Billing
    • Policy enforcement

The RAN connects to the EPC through defined interfaces to provide seamless mobile connectivity. It follows that maintaining the availability and robustness of the RAN is crucial to ensuring network stability. Moreover, privacy is crucial to protect UEs from different attacks.

Why RAN Security Is Often Overlooked!

To understand why RAN security has historically received less attention, it helps to look at where security investments are typically concentrated within the mobile network.

Figure 2: 4G LTE architecture

Most major security controls are deployed deep in the core: encrypted backhaul, hardened data centers, firewalls, signaling firewalls, and fraud detection systems. This makes sense: a compromise at the core can impact millions of users.

However, attackers don’t need to breach the castle if they can manipulate the gate.

Figure 3: Core-centric security versus RAN exposure (The Castle vs. The Gate)

The RAN acts as the front door of the mobile network. It is:

    • Dispersed and physically reachable
    • Radio-exposed by design
    • Highly dependent on control-plane signaling

The radio interface, which is the main interface in the RAN, provides a set of functionalities that allow UEs to establish a connection with the network, perform handover, etc. Through the disruption and exploitation of the radio interface and its signaling procedures, subscribers can lose service, privacy, and trust, even when the core remains fully secured.

In the next blog post in this series we will explore the different types of threats that can occur in the RAN and the impact of those threats, to emphasize why the RAN is a critical component of a mobile network and not just a relay between the UE and the network.

Writer: Wessam Deif Allah | Telecom Security Lead  
Editor: Heba Osama | Senior Research Operations Specialist
