Expeto xCore delivers important security and EPC features.
Network security is inherent to 4G LTE standards (as defined by 3GPP).
In a Private RAN scenario, the data packets are protected, encrypted, and authenticated end-to-end, from a UE device to the Expeto xCore in the following ways:
In a Public/Private RAN scenario, Expeto xRouter creates an IPsec tunnel to securely route traffic to the Expeto xCore.
Traffic egressing into the Corporate Business Network would typically enter via a protected "Trusted Business Partner"-type Demilitarized Zone (DMZ) network, subject to all the expected perimeter and cybersecurity controls that any other external network would go through.
As a result, all enterprise data in a private mobile network is fully protected from the device right up to the PGW component of the Expeto xCore, which is the egress into the Corporate TCP/IP network.
Because the customer controls the device SIMs and the network elements (Expeto xCore), only customer devices (SIMs) are allowed to attach to the network; this is enforced by confirming that the SIM in each IoT device is unchanged.
The security protocols used between Expeto platform components include:
The following table lists recommended security measures:
| Security measure | Description |
| --- | --- |
| Implement Standard IT Security | Expeto recommends and expects customers to implement standard IT security practices for preventing and detecting threats such as: |
| Enhance Default Behavior with Defense-in-Depth | The Expeto Platform allows control of default behavior to improve the security posture of the entire network and system:<br>In addition to the default security profile, the following additional "defense in depth" measures can also be implemented: |
| Protect the Backhaul Connection | We recommend additional protection for the backhaul network connection between the eNodeB and the Expeto xCore. IP traffic managed by GTP and Stream Control Transmission Protocol (SCTP) tunneling protocols should be protected and encrypted. This can be established using a variety of methods from software encryption/tunneling to hardware encryption devices. The endpoint within the customer network (typically in a business/partner DMZ) is referred to as the Security Gateway. |
| Enforce Multi-Factor Authentication (MFA) | Confirming that the connecting device is authenticated and is an enterprise asset can be accomplished by mapping the IMEI and IMSI number to the device in conjunction with any local device user authentication that the enterprise security policy enforces. The basic elements of MFA include: |
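
The IMEI-to-IMSI mapping described in the MFA row, and the "SIM is unchanged" check mentioned earlier, can be monitored as below. This is an added example, not Expeto or Dell code: the inventory, the attach-record layout, the function names and the verdict labels are assumptions, and every identifier is a constructed test value.

```python
import re

# Constructed enrollment inventory (assumption): IMSI -> IMEI of the device
# the SIM was issued in. 001/01 is the 3GPP test PLMN.
ENROLLED = {
    "001010000000001": "490154203237518",
    "001010000000002": "356938035643809",
}

# Constructed attach records (assumed layout): (timestamp, imsi, imei).
ATTACH_LOG = [
    ("2024-01-01T00:00:01Z", "001010000000001", "490154203237518"),  # enrolled pair
    ("2024-01-01T00:00:02Z", "001010000000002", "490154203237518"),  # SIM 2 in device 1
    ("2024-01-01T00:00:03Z", "001010000000009", "356938035643809"),  # SIM not enrolled
    ("2024-01-01T00:00:04Z", "001010000000001", "490154203237519"),  # bad check digit
]

def luhn_ok(digits: str) -> bool:
    """The 15th IMEI digit is a Luhn check digit over the first 14."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_attach(imsi: str, imei: str, enrolled=ENROLLED) -> str:
    """Classify one attach record against the enrolled SIM-to-device binding."""
    # Assumption: this deployment issues 15-digit IMSIs.
    if not re.fullmatch(r"\d{15}", imsi) or not re.fullmatch(r"\d{15}", imei):
        return "malformed"
    if not luhn_ok(imei):
        return "malformed"
    expected = enrolled.get(imsi)
    if expected is None:
        return "unknown_sim"    # SIM is not a customer asset
    if expected != imei:
        return "sim_moved"      # enrolled SIM seen in a different device
    return "ok"

def alerts(log, enrolled=ENROLLED):
    """Return (timestamp, imsi, verdict) for every record that is not 'ok'."""
    return [(ts, imsi, verdict) for ts, imsi, imei in log
            if (verdict := check_attach(imsi, imei, enrolled)) != "ok"]

if __name__ == "__main__":
    for row in alerts(ATTACH_LOG):
        print(row)
```

The IMEI is reported by the device itself, so this binding is one factor alongside SIM authentication and the local device user authentication the table mentions.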
Expeto xCore features include: