Celona delivers a highly secure, cloud-native hardware & software stack required to deploy and operate private 4G & 5G networks. The Celona solution delivers a multi-layered security architecture focused on end-user, back-end and application security employing secure access controls, logical isolation and adherence to state-of-the-art physical and cyber security standards.
Celona private network telemetry data collected and sent to the cloud management is documented and shared with customers. Data that is sent to the cloud is encrypted end to end over TLS. Penetration testing of all the Celona product components – Access Point, Edge, Orchestrator – is performed regularly by an independent third-party and Celona has implemented strict and documented controls restricting who can access data through mechanisms such as digital certificates, password policies, two-factor authentication and audit trails. For application security, Celona performs a range of vigorous tests intended to identify vulnerabilities such as SQL injection, cross-site scripting and more.
Celona’s solution architecture provides all components required to bring a secure private mobile network to life:
Celona 4G and 5G Access Points - Specifically engineered for indoor and outdoor 4G/5G enterprise use cases and operating environments, Celona Access Points (APs) deliver pervasive coverage, interference-free access, and unmatched wireless performance. Easy to deploy, Celona APs are managed and monitored through Celona’s cloud-based Orchestrator platform as part of a complete private 4G/5G turnkey solution.
Celona Edge OS - Edge OS is a scalable and resilient cloud-native network operating system that provides resolute data plane, control plane and spectrum management services for private cellular networks. The Celona Edge OS powers Edge Node appliances, which are combined into a three-node Edge Cluster for highly available and redundant private 4G/5G network operations.
Celona Orchestrator - Orchestrator is a cloud-based network administration platform that centrally coordinates the deployment, management, and operation of the Celona 5G LAN solution. This includes configuration and optimization of network elements, subscriber management, and defining and automating the enforcement of QoS policies for individual applications and devices.
Celona Orchestrator is a micro-services-based web application running in AWS within a two-tier dedicated AWS Virtual Private Cloud (VPC) with strict access controls.
Amazon Web Services (AWS)
Celona Orchestrator’s backend infrastructure is hosted in Amazon Web Services (AWS) availability zones and regions that meet the following standards:
SOC 1, Attestation Standard Section 801 (formerly SSAE 16)
SOC 2 / SOC 3, Attestation Standard Section 101
Data centers that house the infrastructure feature state-of-the-art physical & cyber security with reliable designs and strict access policies.
Amazon Virtual Private Cloud (VPC)
Celona Orchestrator further leverages Amazon VPC with a provisioning construct that creates a logically isolated section within AWS. VPC provides complete control over virtual networking environment including IP address range selection and control, subnets, configuration of routing tables, and network gateways.
All resources other than load balancers are deployed on private subnets in the VPC.
Encryption
Data in transit is encrypted over Transport Layer Security (TLS 1.3).
Any AWS data stores used (S3, EBS) are encrypted by a key provided by the AWS Key Management Service which uses AWS CloudHSM.
All external connections to the Orchestrator connect to the application using SSL over port 443 and using certificate based authentication.
Celona Edge and Access Points (APs) strictly enforce server certificate validation and all Edge(s) and APs are authenticated with the device’s client certificates.
Secure Access Controls
Access to backend servers is strictly controlled by role-based access via multi factor authentication (MFA)
Access logs are maintained and monitored for unauthorized system access. Celona personnel have access to the AWS account only on a strictly as-needed basis with identity access management controls, logging, and periodic (quarterly) reviews.
Celona continually reviews its security and strengthens its protections to implement additional measures where appeopriate. We have enhanced the Orchestrator Security with AWS Web Application Firewall to protect against web attacks.
We use automated security tools such as Qualys and SonarQube on a periodic basis and address issues in accordance with our security policies.
We run periodic scanning against Orchestrator. Any vulnerability found is triaged as a low, medium, or high priority issue. High priority issues are immediately rolled into our development sprint and updates are pushed out as soon as verification is completed.
Celona’s developers have access to non-production environments, while a smaller subset of users (DevOps) have access to production environments. Production and non-production environments are not shared.
We allow customers to control access to Celona Orchestrator using the principle of least privilege. Customers can limit access to the minimal level that will accomplish the purpose of the access: for instance, as part of technical support delivery.
Two Factor Authentication (2FA) is enabled for Celona engineers accessing the production environment. Access to Celona’s production environment is via a VPN tunnel using secure certificates and an MFA token and is restricted to only certain Celona personnel who have been granted access to the VPN tunnel. Finally, Celona personnel access our servers via an SSH key and not a manually entered password.
All access to backend production servers is logged by the VPN server and the server authentication logs. Access to the Orchestrator by Celona personnel is also logged.
Only individuals with a business need to access the Celona Edge & APs have access. This means that select Celona support engineers have access to Celona Edge and AP devices for delivery of support, maintenance, and software updates. Celona notifies Customers prior to making any software updates to on-premise components.
Celona Orchestrator supports role-based access with the following user roles:
Admin - complete read and write privileges for all monitoring and management workflows in Orchestrator
Observer - read-only access to Orchestrator
Installer - Certified Professional Installer user with:
read access to AP Inventory
read access to AP Details
read and write access to their own user profile to set up CPI certificate credentials
read and write access to AP antenna parameters to set and attest the location (Latitude/Longitude) of the AP
Device Manager
read-only access to Orchestrator, similar to the Observer role
read-only access to device inventory and device details page
QR code download for eSIMs
Device (SIM) lifecycle management including activation, assignment, deactivation, and naming of the devices
Orchestrator also supports User administration and Identity management via Single sign-on (SSO), using the customer's Identity Provider (IdP).
For customers that do not use Single-sign-on (SSO) the default password policy enforced for user accounts on Orchestrator is –
Must be 6-16 characters long
Must contain at least one uppercase letter
Must contain at least one lowercase letter
Must contain at least one number
Must contain at least one special character ($@!%*?&)
Celona collects only metadata and performance metrics from client devices, APs and Celona Edge clusters. Celona Edge is the sole collection point of all metadata.
Metadata is aggregated and sent to the Orchestrator database. The metadata is used to provide customers insight into the operation and performance of the Celona private LTE/5G networks and the devices connecting to this network. Here is the list of data types that are processed:
Data Type | Description |
Protocol Stats | Set of stats describing performance details of various networking protocols |
Flow Stats | Statistics per flow: Src/dest IP, src/dest port, number of packets/bytes, session duration |
Device Stats | Client device info: IMSI, ICCID, IP address, IMEI |
Network Metrics (RAN) | Access point info – uptime, reboots, model, IP address RF stats for clients and APs: SNR, packet loss, noise floor, channel, channel width & utilization CPU & memory utilization of APs Clients associated to APs |
Edge Health metrics | CPU & memory utilization of Edge Health stats of various Edge services |
Protocols | Metrics |
TCP / IP | Byte / packet counts, Round Trip time (RTT), retransmission error rate, timeouts, SYN/ACK relationships, sequence number timings, src/dest IP, src/dest port, DSCP tags |
UDP | Byte counts, src/dest IP, src/dest port |
We process and store IP address, IMSI, ICCID and IMEI associated with SIM and client devices. We do not store packets or payload information. Strong encryption of in-transit data from on premise Celona Edge clusters to the cloud-hosted Orchestrator is achieved using TLS communications.
As highlighted above, Celona’s solution architecture for private 4G & 5G networks takes advantage of a secure cloud-native platform implementation. Combined with the always-on and device-level authorization of client devices with Celona SIM cards, centralized encryption of wireless client traffic with Celona Edge and role-based network access policies enabled by Celona’s unique MicroSlicing™ technology, Celona private mobile networks are designed to enable the highest levels of enterprise wireless security.
Copyright 2023 Celona, Inc. All rights reserved. Celona reserves the right to change, modify, transfer, or otherwise revise this publication without notice. This document does not constitute an agreement between Celona and any third party and does not bind Celona to any obligations.