Cisco Cisco 3G Wireless WAN High-Speed WAN Interface Card
© 2014 Cisco and/or its affiliates All rights reserved. This document is Cisco Public Information. Page 4 of 23
SIM Security Guide for ISR and CGR with Verizon Wireless 4G LTE
ISR LTE Security Lock Overview
Cisco Integrated Services Routers (ISRs) run Cisco IOS (Internetworking Operating System) software. IOS provides
robust enterprise-grade features, including LTE fully integrated physically and as a network interface capable of NAT,
firewall, IPS, multiple routing protocols, and many tunneling/VPN options.
IOS provides multiple methods of authorization and authentication to network services. In addition to securing
administrative access to the ISR itself, VPN, participation in routing protocols, and to services per user, IOS provides
the ability to password-protect access to LTE. The latter is done by using a PIN for the LTE SIM. The LTE SIM lock
feature operates similarly to the earlier 3G SIM lock feature.
SIM Security Method of Use
The basic steps to use ISR LTE SIM lock is as follows:
robust enterprise-grade features, including LTE fully integrated physically and as a network interface capable of NAT,
firewall, IPS, multiple routing protocols, and many tunneling/VPN options.
IOS provides multiple methods of authorization and authentication to network services. In addition to securing
administrative access to the ISR itself, VPN, participation in routing protocols, and to services per user, IOS provides
the ability to password-protect access to LTE. The latter is done by using a PIN for the LTE SIM. The LTE SIM lock
feature operates similarly to the earlier 3G SIM lock feature.
SIM Security Method of Use
The basic steps to use ISR LTE SIM lock is as follows:
-
Lock the SIM with the default PIN (from Verizon, this is 1111)
-
Change the PIN for the SIM (IOS enable mode).
-
These steps can be done on the ISR in which the SIM will be used, or in any device capable of locking/setting
the PIN.
the PIN.
-
Configure the PIN on the ISR (IOS config mode, under the cellular controller).
If a locked SIM is removed and inserted into another device, and the device is not configured with the correct PIN for
that SIM, an LTE connection will not be made. If 4 LTE connection attempts are made from an LTE device without the
correct PIN for that SIM, the SIM will become blocked. The only way to unblock a SIM is by resetting the PIN and
unblocking the SIM. This requires a separate password (PUK) provided by Verizon Wireless and specific to that SIM.
ISR LTE SIM Use Cases
SIM security can be used any time a level of security is required for attaching to a network via LTE. Below are a few
examples of where SIM lock may be used:
examples of where SIM lock may be used:
-
The SIM is not provisioned with an ISR, but sent separately for insertion at a remote site. In case the SIM is
lost or taken and inserted into another device, it will not attach to the network. This offers some security
against large bills (due to unauthorized use) and against unauthorized access to a private network.
lost or taken and inserted into another device, it will not attach to the network. This offers some security
against large bills (due to unauthorized use) and against unauthorized access to a private network.
-
The SIM and ISR are provisioned together and the enabled ISR is delivered by a 3
rd
party service to a remote
site. In case the SIM is removed and used in another device, or the ISR powered on and devices placed
behind it, the SIM lock offers some security against large bills (due to unauthorized use) and against
unauthorized access to a private network.
behind it, the SIM lock offers some security against large bills (due to unauthorized use) and against
unauthorized access to a private network.
-
An ISR is installed at a remote site, and the SIM is removed and reused in another device, or the entire SR is
taken and powered up with devices placed behind it, the SIM lock offers some security against large bills (due
to unauthorized use) and against unauthorized access to a private network.
taken and powered up with devices placed behind it, the SIM lock offers some security against large bills (due
to unauthorized use) and against unauthorized access to a private network.
Other ISR security mechanisms exist to mitigate the cases above, and can be used along with SIM lock.
-
Password protection for: ISR admin access, EZVPN connection, per-user access to any or specific
addresses, routing protocol peer authentication, Ethernet port access (802.1X), GPS geo-fencing (operation
outside of certain GPS coordinates), etc.
addresses, routing protocol peer authentication, Ethernet port access (802.1X), GPS geo-fencing (operation
outside of certain GPS coordinates), etc.
-
Although these help protect against unauthorized use of the ISR, only the SIM lock mitigates unauthorized
use of the SIM itself.
use of the SIM itself.