A spate of news reports has revealed just how vulnerable corporations and government organizations are to security breaches and to the theft of sensitive data leaked or stolen from employees’ personal devices. In 2014, a warning issued by the Indian Air Force raised alarms among security establishments: it reported that smartphones were routing location and other user data to servers in China.
Although organizations firewall the data employees access on their own laptops and smartphones while on the premises, they cannot protect that data when employees use their personal devices at home or in public spaces and connect to public networks (see Figure 1 below), because public networks are vulnerable to data spoofing and malicious attacks.
While the traditional response has been to ban the use of personal devices for work, some organizations provide “hardened” versions of the operating systems for employee-owned devices. However, these solutions still do not allow traffic monitoring and filtering when the device is connected to a public network.
Figure 1. Closed office networks are open networks off campus.
Organization-provided devices connect to on-premises Wi-Fi networks when used on campus. Off campus, they use the public operator network, where the organization cannot monitor traffic.
The rise of private mobile virtual networks
The need for secure traffic monitoring and filtering is a good reason for using a cloud-based radio access network (C-RAN) and solutions based on evolved packet core (EPC) that route mobile traffic through in-house monitored and controlled internet infrastructure, as shown in Figure 2 below.
While private mobile network infrastructure was dismissed in the past as prohibitively expensive, the explosion of cloud-based telecom infrastructure has made such private mobile virtual networks (PMVNs) a viable option. These networks work in tandem with public mobile network infrastructure, where access control and traffic redirection are performed to move secure traffic onto the private infrastructure.
Figure 2. Using C-RAN and vEPC-based systems to secure personal devices
[In blue] Organization-provided devices use the on-premises (C-RAN) LTE network provided by the operator, where all traffic is firewalled and filtered.
[In red] Off campus, the devices connect to the public operator network, which diverts traffic back to the organization’s own core network, where it can be monitored and filtered.
Architecture for private mobile virtual networks
The PMVN is realized by using small-cell radio access units to provide LTE coverage on the premises. These small cells are connected to virtual EPCs over an IP link. The EPC can be hosted on-premises in a private cloud and connected to the internet through the organization’s firewall.
The packet data network gateway (P-GW) and domain name system (DNS) servers of the PMVN are registered with the P-GW of the public mobile network.
When the employee moves off the organization’s premises, their device attaches to the private mobile network over the public LTE network. However, the device is provisioned with an access point name (APN) that carries the PMVN’s private DNS server address and default gateway. In this way the data is routed through the PMVN’s own private network, allowing the organization to monitor and filter data from the employee’s device. This ensures the organization can monitor data traffic continuously, both on and off its premises.
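As an added illustration (not code from the original article or from any vendor’s product), the following Python check audits a device’s PDN attach against the PMVN’s expected APN, core gateway prefix and private DNS resolvers, flagging a device that has fallen back to the operator’s default APN and therefore bypasses the organization’s monitoring. All APN names, addresses and attach records are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PmvnPolicy:
    """What the organization expects an attached device to be using (assumed values)."""
    apn: str                 # APN provisioned for employee devices
    core_prefixes: list      # IP ranges owned by the PMVN's EPC (P-GW side)
    dns_servers: list        # the PMVN's private DNS resolvers


@dataclass
class DeviceAttach:
    """Snapshot of one device's PDN connection (constructed sample data)."""
    device_id: str
    apn: str
    gateway: str
    dns_servers: list
    on_premises: bool        # True when attached via the on-campus C-RAN


def _in_core(addr: str, prefixes: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def audit_attach(dev: DeviceAttach, policy: PmvnPolicy) -> list:
    """Return findings; an empty list means traffic transits the PMVN core."""
    findings = []
    if dev.apn != policy.apn:
        findings.append(f"attached to APN '{dev.apn}', expected '{policy.apn}'")
    if not _in_core(dev.gateway, policy.core_prefixes):
        findings.append(f"default gateway {dev.gateway} is outside the PMVN core")
    for dns in dev.dns_servers:
        if dns not in policy.dns_servers:
            findings.append(f"DNS resolver {dns} bypasses the PMVN private DNS")
    return findings


def audit_fleet(devices: list, policy: PmvnPolicy) -> dict:
    """Map device_id -> findings for every device whose traffic escapes the PMVN."""
    return {d.device_id: f for d in devices if (f := audit_attach(d, policy))}


# Constructed sample: RFC 5737 / private ranges, not real infrastructure.
POLICY = PmvnPolicy("corp.pmvn", ["10.200.0.0/16"], ["10.200.0.53"])
SAMPLE_DEVICES = [
    DeviceAttach("dev-1", "corp.pmvn", "10.200.0.1", ["10.200.0.53"], True),   # on-campus C-RAN
    DeviceAttach("dev-2", "corp.pmvn", "10.200.0.1", ["10.200.0.53"], False),  # off-campus, routed home
    DeviceAttach("dev-3", "internet", "198.51.100.1", ["203.0.113.53"], False),  # operator default APN
]
```

Running `audit_fleet(SAMPLE_DEVICES, POLICY)` reports only dev-3, whose APN, gateway and resolver all point outside the organization’s core.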
The case for C-RAN
C-RAN is a virtualized LTE radio access network coupled with a virtualized EPC core network that sits behind the organization’s internet firewall. The C-RAN can be hosted on standard Intel x86 servers, which form the core of most organizations’ private-cloud and IT infrastructure. The C-RAN connects to the radio units over IP and Ethernet.
The C-RAN solution helps PMVNs and organizations save money as it runs on an organization’s private-cloud infrastructure, without requiring specialized baseband-unit hardware that is generally required for small cells and other distributed-antenna system solutions. Alternatively, the PMVN can host the C-RAN in its own secure datacenter if the organization is not willing to invest in its own dedicated private-cloud infrastructure.
Government and military organizations have long been aware of the dangers of sensitive information leaking out. Private research organizations are also now waking up to the problem and looking towards private networks, which are now made possible by private virtual operators using innovations like C-RAN.
■ “Xiaomi phones steal user data and send it to remote servers in China, warns Indian Air Force” FirstPost, Oct. 24, 2014 tech.firstpost.com/news-analysis/xiaomi-phones-steal-user-data-and-send-it-to-remote-servers-in-china-warns-indian-air-force-238673.html
■ “4G LTE-PMN have now released their 4G LTE EPC software and its agnostic eNodeB capability” Private Mobile Networks http://www.privatemobilenetworks.com/solutions/4g-lte/
■ “VPMN – Virtual Private Mobile Network Towards Mobility-as-a-Service” citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.227.7401&rep=rep1&type=pdf