Mobile Wireless Data Networks (hereinafter “MWDN”) and Wireless Local Area Networks (hereinafter “WLAN”) both provide wireless data services; however, the two kinds of network were designed for different communication objectives.
MWDNs were designed to provide data communications and services to mobile devices (hereinafter “MD”) such as smartphones, mobile broadband modem cards, etc. MWDNs generally cover large geographical areas (e.g. cities, regions, etc.), permitting mobile devices to remain connected with a Mobile Service Network (hereinafter “MSN”) and/or the Internet while the devices move within the coverage area.
WLANs were designed as a wireless extension of the Local Area Network (hereinafter “LAN”) of an enterprise, so that equipment that would otherwise be connected by fixed lines (e.g. computers, fax machines, etc.) can wirelessly access an Enterprise Service Network (hereinafter “ESN”) and the Internet while within the enterprise environment. For clarity, an enterprise network with a WLAN extension is defined herein as a Fixed Wireless Data Network (hereinafter “FWDN”).
FIG. 1 illustrates a prior art implementation of the interconnection between an MWDN and an FWDN. Both the MWDN 220 and the FWDN 120 are independent from a network deployment and operation point-of-view, although the Radio Frequency (hereinafter “RF”) coverage of the MWDN 220 and the FWDN 120 may overlap in their service areas. In other words, the MWDN 220 and the FWDN 120 are two different layers of physical networks, and thus are operationally independent from each other. The RF interface of the MWDN 220 uses a licensed spectrum, while the RF interface of the FWDN 120 uses an unlicensed spectrum.
The MWDN 220 further comprises at least a Mobile Network Gateway (hereinafter “MNG”) 224, a Wide Area Network (hereinafter “WAN”) 225, and one or more Base Stations (hereinafter “BS”) 226. An MD 221 connects to a BS 226 via an RF interface 223. The wireless carrier's MSN 201 connects with the WAN 225 via the MNG 224 over a Backbone Network Link (hereinafter “BNL”) 251 to provide mobile data services to the MD 221. The WAN 225 connects with the Internet 901 via the MNG 224 and BNL 252 to provide Internet access to the MD 221. The FWDN 120 comprises at least a Firewall Router (hereinafter “FWR”) 124, a LAN 125, and one or more WLAN Access Points (hereinafter “AP”) 126. A computer 121 connects to the AP 126 via an RF interface 122. The enterprise's ESN 101 connects with the LAN 125 via the BNL 151 to provide enterprise data services to the computer 121. The FWR 124 connects with the Internet 901 via the BNL 152 to provide Internet access to the computer 121. Both the WAN 225 and the LAN 125 further comprise additional Network Elements (hereinafter “NE”) providing various services and functions. From a user data service point-of-view, the MWDN 220 and the FWDN 120 work in different ways. For example, the MWDN 220 employs Internet Protocol (hereinafter “IP”) tunneling technologies, whereas the FWDN 120 employs IP routing.
Within the MWDN 220, the MNG 224 is the anchor point for data service connections with the MD 221. In other words, the MD 221 relies on the MNG 224 to reach the MSN 201 for private services and the Internet for public services. It is understood by one skilled in the art that MD 221 may refer to one or more devices. The MNG 224 assigns and manages the IP address of the MD 221. One or more IP tunnels are built between the MNG 224 and the MD 221 to provide point-to-point IP connections, while the BS 226 provides the RF connectivity. When the MD 221 travels within the MWDN 220, the IP tunnel switches from one BS to another BS without losing its anchoring to the MNG 224. The MNG 224 can also serve as a firewall toward the Internet and may use Network Address Port Translation (hereinafter “NAPT”) technology to hide the MD's 221 private IP address from public networks (e.g., the Internet), which also prevents unsolicited inbound connections from the Internet from reaching the MD 221.
Within the FWDN 120, the FWR 124 and the AP 126 act as routers with different functions. The LAN 125 operates with Ethernet. The RF interface between the AP 126 and user devices, such as the computer 121, is a wireless extension of the Ethernet LAN 125. The computer 121 acquires its IP address from the ESN 101. The FWR 124 and the AP 126 decide how to route user data (e.g., computer data) to and from external networks (e.g., the Internet) based on the user device's IP address. The computer 121 obtains data services from the ESN 101 without involvement of the FWR 124. The FWR 124 uses NAPT technology to hide the private IP address of the computer 121 from the Internet, which likewise keeps unsolicited inbound connections from the Internet from reaching the computer 121.
The MWDN 220 and the FWDN 120 have been independent from a user data connection point-of-view until the introduction of Smart Mobile Devices (hereinafter “SMD”).
FIG. 2A illustrates an embodiment of a network deployment model used by most wireless carriers and enterprises to provide wireless data services to SMD(s) as the current state of the art. In this model, the MWDN 220 works independent from the FWDN 120. However, the same SMD 140 can appear at, for example, location 240, in MWDN 220 or location 242 in FWDN 120 at different times due to mobility of the SMD. Both networks have the capability to authenticate the SMD 140 and grant the device the right of access to the networks, respectively or simultaneously, depending on the RF conditions that the SMD 140 experiences. Therefore, the two networks provide the SMD 140 with access to the MSN 201, the Internet 901, and the ESN 101 depending on the location of the SMD 140.
In one embodiment, the SMD 140 is a multi-functional mobile device having at least one RF interface to the MWDN 220 and at least one RF interface to the FWDN 120. The SMD 140 supports a number of software applications useful for multi-tasking of functions and services on the SMD. One skilled in the art can appreciate that an SMD includes, but is not limited to, smart phones, tablet computers, netbooks, eReaders, or any other mobile device capable of communication with both an FWDN and an MWDN.
The SMD 140 can access both the MSN 201 and the Internet 901, through the RF interface 223, when the SMD 140 travels within the RF coverage of the MWDN 220 (e.g., location 240). In this case, the SMD 140 uses the IP tunnel 211 to reach the MNG 224 which, in turn, communicates with the MSN 201 via the BNL 251 for mobile data services and with the Internet 901 via the BNL 252 for mobile internet access.
In another embodiment, when the SMD 140 moves into location 242, the SMD 140 uses both the RF interface 223A and the RF interface 122 to access the MSN 201 and the Internet 901. In such a scenario, the SMD 140 is within an overlapped RF coverage area between both the MWDN 220 and the FWDN 120. In this case, the SMD 140 at location 242 uses the IP tunnel 212 to receive mobile data services provided by the MSN 201 (via the MNG 224 and the BNL 251.) The SMD's 140 access to the Internet 901 is received through the IP route 111 provided by the AP 126, the LAN 125 and the FWR 124.
FIG. 2B illustrates an alternative embodiment of a network deployment model used by most wireless carriers and enterprises as the current state of the art. This embodiment illustrates user data connections when the RF coverage of the MWDN 220 does not overlap with the RF coverage of the FWDN 120, for example in the basement of an office building in the FWDN. In this case, when an SMD 140 travels within the MWDN 220 (e.g., Location 240), the SMD 140 accesses the MSN 201 and the Internet 901 via the IP tunnel 211 established between the MNG 224 and the SMD 140 over the BS 226 and the WAN 225. After the SMD 140 travels into the FWDN 120 and stays at a location where only the RF coverage of the FWDN 120 exists, for example Location 243 in this figure, the SMD 140 loses the IP tunnel 211 to the MNG 224 and, consequently, loses the ongoing mobile data services from the MSN 201 and the Internet 901, because the RF connection between the MWDN 220 and the SMD 140 is lost at Location 243. In order to regain data connectivity, the SMD 140 at Location 243 uses the FWDN 120 to access the Internet 901 via a new IP route 111. However, the FWDN 120 cannot connect directly to the MSN 201; therefore, the SMD 140 cannot reach the MSN 201 through the FWDN 120 for the mobile data services offered by the MWDN operator. This becomes an issue if 1) the RF coverage of the MWDN 220 does not overlap with the RF coverage of the FWDN 120; or 2) the SMD 140 automatically shuts down its RF interface to the MWDN 220 when it connects to the FWDN 120 (e.g., over the RF interface 122) for design reasons.
An exemplary solution to the problem is to introduce a security gateway (hereinafter “SeGW”) into the MWDN. As such, FIG. 3 illustrates an embodiment of a network architecture where an MWDN 220 and an FWDN 120 are bridged through a SeGW 302 to provide mobile data service over the FWDN 120. In this architecture, the SeGW 302 serves as an end point of an IP security (hereinafter “IPsec”) tunnel 218. The IPsec tunnel 218 interconnects the SeGW 302 to the SMD 140 while traveling within the coverage area of the FWDN 120 (e.g., Location 244). The interconnection further travels through the FWDN 120 and the Internet 901 (via the BNL 152 and the BNL 153.) After the IPsec tunnel 218 is established, the SeGW 302 launches an IP tunnel 219 to the MNG 224. The cascaded IPsec tunnel 218 and IP tunnel 219 allow the MNG 224 to serve as the sole gateway between the SMD 140 and both the Internet 901 (via the BNL 252) and the MSN 201 (via the BNL 251).
In this embodiment, the MNG 224 assigns and manages the SMD's 140 IP address for access to both the Internet 901 and the MSN 201, whether the SMD 140 connects via the MWDN 220 or the FWDN 120. When the SMD 140 travels between the two data networks, the MNG 224 switches the IP tunnels between the SMD 140 and the MNG 224 without changing the SMD's 140 IP address, whether the SMD 140 is at Location 240 or Location 244. Thus, the SMD's 140 mobility is hidden from the MSN 201, and the SMD 140 maintains IP session continuity with the MSN 201 and/or the Internet 901. In one embodiment, the mobile traffic includes the network control-plane (signaling data), which is highly sensitive; the control-plane must therefore be protected against threats from the Internet 901. That is the purpose of the IPsec tunnel 218: it authenticates the SMD 140 to the SeGW 302 and protects the confidentiality and integrity of everything carried across the FWDN 120 and the Internet 901.
The MWDN and the FWDN are standardized by multiple international standards bodies:
The Third Generation Partnership Project (hereinafter “3GPP”) is a partnership of telecommunication standards organizations hosted by the European Telecommunications Standards Institute (hereinafter “ETSI”). 3GPP has led the development of mobile communication standards targeted at international markets. Its first all-packet (data-only) mobile network is 3GPP Long Term Evolution (hereinafter “LTE”), initially specified in 3GPP Release 8. LTE has been well accepted by mobile operators throughout the world and has been commercially deployed in the U.S. and other countries.
The Institute of Electrical and Electronics Engineers (hereinafter “IEEE”) is an international professional association which has led the development of WLAN communication standards. The widely adopted IEEE 802.11 WLAN standard has led to Wi-Fi networks throughout the world, and in much of the world the terms Wi-Fi, WLAN and IEEE 802.11 have become synonymous.
FIG. 4A illustrates an embodiment of a 3GPP LTE-based MWDN interworked with an IEEE WLAN-based FWDN. The LTE 220 network consists of at least an Evolved Node B (hereinafter “eNB”) 226A, a Serving Gateway (hereinafter “S-GW”) 412, a Packet Data Network Gateway (hereinafter “P-GW”) 202A, a Mobility Management Entity (hereinafter “MME”) 411 and User Equipment (hereinafter “UE”) 140A. To provide interworking with a WLAN 120, the 3GPP LTE 220 network architecture includes an Evolved Packet Data Gateway (hereinafter “ePDG”) 302A. In order to simplify references to network elements, 3GPP has defined a name for each interface between a pair of network elements. For example, the interface between the P-GW 202A and the ePDG 302A is S2b, the interface between the eNB 226A and the MME 411 is S1-MME, etc. Each interface comprises the control-plane (the network signaling data) and/or the user-plane (the subscriber data), depending on the nature of the interface.
A UE is an SMD or mobile station such as a smartphone. The UE 140A provides mobile data services to a user according to the service contract signed with a Public Land Mobile Network (hereinafter “PLMN”) operator, i.e. wireless carrier. The UE 140A has a radio receiver and transmitter for communications with the PLMN. The UE 140A usually includes multiple radio receivers and transmitters in order to support multiple mobile air interface standards. Such standards include the LTE-Uu interface for LTE access and the IEEE 802.11 (i.e., Wi-Fi) interface for non-3GPP (WLAN) access.
The eNB 226A is the BS that provides the LTE-Uu air interface to the UE 140A. The eNB 226A also communicates with the MME 411 over the S1-MME interface and with the S-GW 412 over the S1-U interface. The LTE-Uu carries both the user-plane and the control-plane between the UE 140A and the eNB 226A, and the eNB 226A and the UE 140A cipher the data traveling over it. Non-Access Stratum (hereinafter “NAS”) messages, i.e. the control-plane signaling between the UE 140A and the MME 411, are additionally ciphered and integrity-protected end to end, so they remain protected as they cross the S1-MME interface. The user-plane carried over the S1-U interface is not covered by the radio-interface ciphering, which terminates at the eNB 226A; it is in the clear on the backhaul unless the operator protects the S1 transport separately (e.g. with IPsec). The S1-MME interface carries only control-plane information, while the S1-U interface carries only user-plane information.
The S-GW 412 tunnels the UE 140A user-plane data from the eNB 226A to the P-GW 202A. The S-GW 412 also acts as a UE mobility anchor point. The S-GW 412 communicates with the eNB 226A over the S1-U interface, which uses the GPRS Tunneling Protocol, User-Plane (hereinafter “GTP-U”). GPRS stands for General Packet Radio Service, the packet-data service that ETSI standardized for the legacy Second Generation (hereinafter “2G”) GSM network. The S-GW 412 switches the GTP-U tunnel from one eNB to another in order to maintain an uninterrupted data connection with the UE 140A when the UE 140A performs an inter-eNB handover. The S-GW 412 communicates with the P-GW 202A over the S5 interface, which consists of both a user-plane and a control-plane; the S5 user-plane uses GTP-U, while its control-plane uses the GPRS Tunneling Protocol, Control-Plane (hereinafter “GTP-C”). The S-GW 412 also acts as the anchor point for other 3GPP network elements, such as a Serving GPRS Support Node, in order to communicate with other 3GPP networks.
The P-GW 202A is the MNG that provides connectivity between the UE 140A and an external Packet Data Network (hereinafter “PDN”), such as 1) the MSN 201 of the wireless carrier or 2) the Internet 901. The UE 140A may connect to multiple PDNs through the same P-GW 202A. Each PDN is identified by an Access Point Name (hereinafter “APN”). The P-GW 202A acts as the GTP-U tunnel termination point for the delivery of the UE 140A user traffic. The P-GW 202A also manages the IP address of the UE 140A data connection to a PDN. The UE's 140A IP address may come out of an IP address pool held by either the P-GW 202A or the PDN. The P-GW 202A performs policy enforcement, packet filtering, charging support, and lawful interception. It is customary for the MSN 201 to be located within a PLMN.
The MME 411 provides mobility management for all UE connections in the LTE network 220. The MME 411 communicates with the eNB over the S1-MME interface and with the S-GW 412 over the S11 interface; both interfaces belong to the LTE control-plane. The MME 411 maintains a database of mobile location tracking information as a means of limiting the MME's 411 paging area: when the UE 140A moves from one cell to another, the cell identity and the tracking area identity are recorded in the database. The MME 411 is responsible for choosing the S-GW 412 for the UE 140A both at initial attachment and during inter-S-GW handover. The MME 411 interfaces with a Home Subscriber Server (hereinafter “HSS”) 413 over the S6a interface. The HSS 413 maintains the UE 140A identification information, access authentication data and the key material from which the encryption keys are derived.
The HSS 413 is a database of UE subscription information. Corresponding subscription information is held in a Subscriber Identity Module (hereinafter “SIM”) residing inside the UE. Both the HSS 413 and the SIM (not shown) hold the same long-term secret key, from which the keys for subscriber authentication and for the ciphering and integrity protection of user and signaling data are derived; the long-term key itself is never transmitted over any interface.
The ePDG 302A is the SeGW that provides LTE and non-3GPP network interconnections. The ePDG 302A communicates with the P-GW 202A over the S2b interface. Further, the ePDG 302A communicates with a “3GPP Authentication, Authorization and Accounting” (hereinafter “3GPP AAA”) 525 server over the SWm interface. As the SeGW, the ePDG 302A provides termination of the IPsec tunnel built between the UE 140A and the ePDG 302A through the FWDN 120 over the SWn interface when the UE 140A travels into the RF coverage of the FWDN 120. The P-GW 202A serves as the anchor point for the point-to-point IP connectivity between the UE 140A and the P-GW 202A. The P-GW 202A serves as the anchor point whether the UE 140A is connected: 1) to the P-GW 202A over the LTE-Uu air interface of the LTE network; or 2) the Wi-Fi air interface of the FWDN 120.
The 3GPP AAA 525 server is designed to interface with the ePDG 302A, over the SWm interface, as a means of providing Authentication, Authorization and Accounting (hereinafter “AAA”) services to the UE 140A in order to establish the SWn interface (e.g., IPsec tunnel). The 3GPP AAA 525 server exchanges user profile information with the HSS 413 over the SWx interface. This exchange ensures that the AAA service can be provided under the same user profile, stored in the HSS 413, no matter which network the UE 140A connects.
As illustrated in FIG. 4A, when the UE 140A moves from the LTE-based MWDN 220 to the WLAN-based FWDN 120, and before it connects with the P-GW 202A over the S2b interface, the UE 140A has to build the SWn connection with the ePDG 302A. As an exemplary embodiment, and according to 3GPP standards, the SWn connection is built as follows:
1. The UE 140A gains access to the FWDN 120 (i.e., it joins the Wi-Fi access network and acquires a local IP address from the ESN 101), assuming the UE 140A has permission and has been locally authenticated by the enterprise network.
2. The UE 140A acquires the IP address of the ePDG 302A through the FWDN 120 (in the 3GPP procedure, normally by DNS resolution of an ePDG fully qualified domain name); alternatively, the address is pre-provisioned in the UE 140A. Knowledge of the address allows the UE 140A to reach the ePDG 302A from the FWDN 120. The UE 140A contacts the ePDG 302A through the FWR 124 of the FWDN 120 using the Internet Key Exchange protocol version 2 (hereinafter “IKEv2”) for non-3GPP access authentication.
3. After the IKEv2 authentication request is received, the ePDG 302A reaches the 3GPP AAA 525 server over the SWm interface.
4. The 3GPP AAA 525 server uses the Extensible Authentication Protocol method for Authentication and Key Agreement (hereinafter “EAP-AKA”), together with the user profile information obtained from the HSS 413 over the SWx interface, to perform mutual authentication with the UE 140A. The EAP messages are carried inside the IKEv2 IKE_AUTH exchange and relayed by the ePDG 302A, which never sees the subscriber's long-term key; it receives only the session key that results from a successful authentication.
5. Both the ePDG 302A and the UE 140A then hold the keying material needed to build a security association between them, and the IPsec tunnel is established as part of the SWn interface. The tunnel passes through the AP 126, the LAN 125 and the FWR 124 of the FWDN 120; because the FWR 124 applies NAPT, IKEv2 detects the address translation and the tunnel uses UDP encapsulation of ESP (UDP port 4500) rather than raw ESP. The tunnel delivers both the user-plane and the control-plane data between the UE 140A and the MWDN 220.
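The exchange in steps 2 to 5 above, modeled end to end as an added example (this is not code from the page, from 3GPP or from any vendor): the UE's USIM, the HSS, the 3GPP AAA server and the relaying ePDG each appear as a small class, and the checks that give EAP-AKA its mutual-authentication and replay-resistance properties (the AUTN MAC verified by the UE before it answers, the sequence-number freshness check, and the RES/XRES comparison at the AAA server) are carried out explicitly. Two things are assumptions rather than the standard: the Milenage functions f1..f5 are replaced by truncated HMAC-SHA256 outputs keyed with K, and the RFC 4187 MK/MSK derivation is replaced by one HMAC over the identity, IK and CK; the NAI realm is a placeholder.

```python
"""Toy model of the SWn attach: IKEv2 carrying EAP-AKA between the UE and
the 3GPP AAA server via the ePDG, with the HSS holding K and SQN.
Assumptions (not from the page or the 3GPP specs): Milenage f1..f5 are
replaced by truncated HMAC-SHA256 outputs keyed with K, and the RFC 4187
MK/MSK derivation by a single HMAC over (identity, IK, CK)."""
import hashlib
import hmac
import os


def kdf(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    """Stand-in for Milenage f1..f5 (assumption, see module docstring)."""
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HSS:
    """Subscriber database (IMSI -> K, SQN). K never leaves the HSS."""

    def __init__(self, subscribers: dict):
        self.db = subscribers

    def auth_vector(self, imsi: str):
        rec = self.db[imsi]
        rec["SQN"] += 1                                # a fresh SQN per vector
        sqn = rec["SQN"].to_bytes(6, "big")
        amf, rand, K = b"\x80\x00", os.urandom(16), rec["K"]
        mac = kdf(K, b"f1", rand, sqn, amf)[:8]        # proves the network knows K
        xres = kdf(K, b"f2", rand)[:8]                 # expected UE response
        ck, ik = kdf(K, b"f3", rand)[:16], kdf(K, b"f4", rand)[:16]
        ak = kdf(K, b"f5", rand)[:6]                   # anonymity key conceals SQN
        return rand, xor(sqn, ak) + amf + mac, xres, ck, ik


class USIM:
    """UE side: authenticates the network (AUTN) before answering (RES)."""

    def __init__(self, imsi: str, K: bytes):
        self.imsi, self.K, self.sqn_max = imsi, K, 0

    def challenge(self, rand: bytes, autn: bytes):
        ak = kdf(self.K, b"f5", rand)[:6]
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, kdf(self.K, b"f1", rand, sqn, amf)[:8]):
            raise ValueError("AUTN MAC mismatch: network not authenticated")
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn_max:
            raise ValueError("SQN not fresh: replayed challenge rejected")
        self.sqn_max = n
        return (kdf(self.K, b"f2", rand)[:8],          # RES
                kdf(self.K, b"f3", rand)[:16],         # CK
                kdf(self.K, b"f4", rand)[:16])         # IK


def derive_msk(identity: str, ik: bytes, ck: bytes) -> bytes:
    """Stand-in for the RFC 4187 MK -> MSK derivation (assumption)."""
    return hmac.new(ik + ck, identity.encode(), hashlib.sha256).digest()


class AAA:
    """3GPP AAA server: reached by the ePDG over SWm, queries the HSS over SWx."""

    def __init__(self, hss: HSS):
        self.hss, self.pending = hss, {}

    def eap_request(self, identity: str):
        imsi = identity[1:].split("@")[0]              # NAI form "0<IMSI>@<realm>"
        rand, autn, xres, ck, ik = self.hss.auth_vector(imsi)
        self.pending[identity] = (xres, ck, ik)
        return rand, autn                              # EAP-Request/AKA-Challenge

    def eap_response(self, identity: str, res: bytes):
        xres, ck, ik = self.pending.pop(identity)
        if not hmac.compare_digest(res, xres):
            return None                                # EAP-Failure: ePDG gets no key
        return derive_msk(identity, ik, ck)            # EAP-Success + MSK to the ePDG


def swn_attach(usim: USIM, hss: HSS) -> dict:
    """UE <-IKE_AUTH/EAP-> ePDG <-SWm-> AAA <-SWx-> HSS, then compare MSKs."""
    aaa = AAA(hss)
    identity = f"0{usim.imsi}@nai.epc.example"        # realm is a placeholder
    rand, autn = aaa.eap_request(identity)            # relayed by the ePDG inside IKEv2
    res, ck, ik = usim.challenge(rand, autn)          # raises if the network is bogus
    msk_epdg = aaa.eap_response(identity, res)        # MSK handed to the ePDG
    msk_ue = derive_msk(identity, ik, ck)             # UE derives the same MSK
    # Both ends now key the IKEv2 AUTH payloads from MSK; K stayed in HSS/USIM.
    return {"rand": rand, "autn": autn, "accepted": msk_epdg == msk_ue}
```

The ordering is the point worth noticing: the USIM refuses to compute RES until the network has proven knowledge of K through the AUTN MAC, so a rogue access point or rogue ePDG on the WLAN gets nothing usable from the UE, and a captured challenge cannot be replayed because the concealed sequence number must increase. The ePDG, which sits outside the HSS/USIM trust boundary, ends up with only the per-session MSK.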
FIG. 4B illustrates an embodiment of a representative LTE network as an interface to an ePDG. The LTE network 402 comprises at least a P-GW 411, an S-GW 412, an HSS 413, an MME 414, and an eNB 415. External to the LTE network 402 are an ePDG 302A, a 3GPP AAA 525 server, a UE 140A, a PDN 401, and the Internet 901. The LTE network 402 further comprises a plurality of interfaces connecting the internal and/or external components (e.g., SGi, S5, S11, S1-U, S1-MME, S6a, SWx, S2b, LTE-Uu, etc.). LTE is a data-only mobile network providing packet data services to mobile devices. Each interface may carry the control-plane and/or the user-plane depending on the 3GPP specifications. For example, the S2b interface carries both control-plane and user-plane information, the S6a interface carries only control-plane data, and the S5 interface transports both control-plane and user-plane data. Like the S2b interface, the control-plane of the S5 interface uses GTP-C while its user-plane uses the GTP-U protocol. The P-GW 411 and the S-GW 412 use the control-plane (GTP-C) to exchange the signaling needed to set up the user-plane (GTP-U) of the S5 interface.
Each interface used for connecting a pair of network elements has a name defined by the standards. An instance of a network interface implies a copy of a defined interface which has all the features and capability of the original interface standard. For example, an instance of the S5 interface is a copy of the 3GPP standard S5 interface defined for a given pair of P-GW 411 and S-GW 412 network elements.
FIG. 4B further illustrates an embodiment of an S2b interface as defined by 3GPP. The S2b interface 430 consists of the control-plane and the user-plane. The control-plane uses the GTP-C protocol while the user-plane uses the GTP-U protocol. After the SWn connection is built, the ePDG 302A reaches out to the P-GW 411 over the control-plane (GTP-C) of the S2b interface to set up the user-plane context. The ePDG 302A then constructs the GTP-U tunnel to transport the user-plane data between the ePDG 302A and the P-GW 411. According to the 3GPP standards, GTP-U and GTP-C tunnels can be transported on top of any IP connection using the User Datagram Protocol (hereinafter “UDP”), one of the core members of the Internet Protocol suite used by the Internet 901. GTP itself provides no authentication or confidentiality: a tunnel is identified only by its Tunnel Endpoint Identifier (TEID), so the S2b and S5 transport has to be protected at the IP layer (IPsec) wherever it crosses a network the operator does not trust. L1 stands for the physical layer of a network interface and L2 stands for its data link layer; the main function of L2 is to connect the IP layer to the physical layer (L1) of the network interface.
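The GTP-U encapsulation described above, as an added example (not code from the page or from any GTP implementation): an encoder and a strict parser for the GTPv1-U header of 3GPP TS 29.281, including the optional sequence-number fields and the extension-header chain, followed by the uplink check a P-GW or ePDG should make before forwarding a G-PDU, namely that the TEID is one it allocated and that the inner IPv4 source address is the address bound to that TEID. Because GTP has no authentication of its own, that binding is the only thing standing between the gateway and injected or spoofed subscriber traffic from anyone who can reach the S2b or S5 port. The inner IPv4 packets are constructed here for the example; the helper `ipv4_packet` and the binding table are assumptions of this example, not part of the standard.

```python
"""GTP-U (GTPv1-U, 3GPP TS 29.281) encoder/parser plus the uplink
anti-spoofing check a P-GW or ePDG should apply. Added example, not the
page's or any vendor's code; the sample packets are constructed here."""
import struct

GTPU_PORT = 2152            # UDP port for GTP-U (GTPv2-C uses 2123)
MSG_GPDU = 0xFF             # G-PDU: payload is the subscriber's IP packet


def encode_gpdu(teid: int, payload: bytes, seq=None) -> bytes:
    """Build a G-PDU: 8-byte mandatory header [+ 4 optional bytes] + payload."""
    flags, opt = 0x30, b""                             # version 1, PT=1 (GTP, not GTP')
    if seq is not None:
        flags |= 0x02                                  # S bit: sequence number present
        opt = struct.pack("!HBB", seq & 0xFFFF, 0, 0)  # seq, N-PDU number, next ext type
    length = len(opt) + len(payload)                   # length excludes the 8-byte header
    return struct.pack("!BBHI", flags, MSG_GPDU, length, teid) + opt + payload


def parse_gtpu(datagram: bytes) -> dict:
    """Parse the header, walking any extension-header chain; strict on lengths."""
    if len(datagram) < 8:
        raise ValueError("short GTP-U header")
    flags, mtype, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    if not flags & 0x10:
        raise ValueError("PT=0 is GTP' (charging), not GTP-U")
    if 8 + length != len(datagram):                    # never trust the length field
        raise ValueError("length field does not match datagram")
    body, hdr = datagram[8:], {"type": mtype, "teid": teid, "seq": None}
    if flags & 0x07:                                   # any of E, S, PN set: 4 more bytes
        if len(body) < 4:
            raise ValueError("truncated optional fields")
        seq, _npdu, next_ext = struct.unpack("!HBB", body[:4])
        body = body[4:]
        if flags & 0x02:
            hdr["seq"] = seq
        while next_ext:                                # ext: len (4-octet units) ... next type
            ext_len = body[0] * 4 if body else 0
            if ext_len == 0 or ext_len > len(body):
                raise ValueError("bad extension header length")
            next_ext, body = body[ext_len - 1], body[ext_len:]
    hdr["payload"] = body
    return hdr


def ipv4_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed minimal IPv4 datagram (proto 17) used as the inner packet."""
    a = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, 17, 0, a(src), a(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum >> 16) + (csum & 0xFFFF)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:] + payload


def uplink_accept(bindings: dict, datagram: bytes):
    """Return the inner packet only if the TEID is known and the inner IPv4
    source is the UE address bound to that TEID; otherwise drop (None).
    GTP carries no authentication, so the TEID plus this check is all the
    gateway has against injected or spoofed uplink traffic."""
    hdr = parse_gtpu(datagram)
    if hdr["type"] != MSG_GPDU or hdr["teid"] not in bindings:
        return None
    ip = hdr["payload"]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    return ip if src == bindings[hdr["teid"]] else None
```

The parser rejects a datagram whose length field disagrees with what actually arrived rather than trusting the field, which is the classic GTP parsing mistake; the extension-header walk bounds every step by the remaining bytes for the same reason. Allocating TEIDs unpredictably, rather than sequentially, is the complement to the `uplink_accept` check.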
FIG. 4C further illustrates an embodiment of an MWDN and an FWDN and the IP tunnel connections linking one or more of the network elements. The MWDN 220, which is an LTE-based network, comprises a plurality of components such as a P-GW 202A, an S-GW 412, an eNB 226A, and an ePDG 302A. The FWDN 120, which is a WLAN-based network, comprises a plurality of components such as an FWR 124, an AP 126, and a LAN 125. External to both networks are a UE 140A, an MSN 201 and the Internet 901. The UE 140A can travel between the MWDN 220 and the FWDN 120, and can connect with one or both of the networks over the LTE-Uu interface and/or the Wi-Fi interface, depending on the location of the UE relative to the networks and the availability of the LTE-Uu and Wi-Fi interfaces.
Further, a plurality of interfaces connects each of the internal and external network elements together. There is also an IP tunnel 417 between the UE 140A and the P-GW 202A, via the S-GW (S5 interface), and an IP tunnel 418 via the ePDG (S2b interface cascaded with the SWn interface). The P-GW 202A switches or maintains both the S5 and S2b interfaces for the IP connections between the P-GW 202A and the UE 140A to allow for IP session continuity as the UE 140A moves between the MWDN 220 and the FWDN 120. Depending on the capability of the UE 140A and the RF coverage of the MWDN 220 and the FWDN 120, the P-GW 202A may use one or both of the IP tunnels to provide services to the UE 140A.
The 3GPP standards define two variations of protocol stacks for both the S5 and S2b interfaces. The first variation uses GTP, as illustrated in FIG. 4B. The second variation uses Proxy Mobile IPv6 (hereinafter “PMIPv6”), developed by the Internet Engineering Task Force (hereinafter “IETF”); a related host-based option, Dual-Stack Mobile IPv6 (hereinafter “DSMIPv6”), is used on the S2c interface rather than on S2b. PMIPv6-based interworking is also used for trusted non-3GPP networks (over the S2a interface), e.g. CDMA2000 EV-DO (Code Division Multiple Access 2000 Evolution, Data Only) networks. For untrusted non-3GPP interworking (e.g. WLAN Wi-Fi networks), the choice of the S2b interface protocol is determined by the infrastructure of the LTE network. For clarity of the description hereafter, GTP is chosen as the example.
The standardized LTE/non-3GPP interworking architecture may provide IP session continuity whether a UE is connected with a P-GW over the LTE-based MWDN or the WLAN-based FWDN. However, it has several shortcomings:
1. It is not always possible for an FWR to pass an IPsec tunnel, within an SWn interface, from a UE to an ePDG (the FWR being resident in the FWDN and the ePDG in the MWDN). For example, in an enterprise environment the FWR is part of the corporate security gateway system, and general enterprise IT policy may not allow IPsec tunnels from a computer through the corporate firewall to outside networks such as the Internet. The same policy would disallow such tunneling from a mobile device within the enterprise campus (e.g., on the WLAN). In this case, establishing an SWn connection between a mobile device and an ePDG becomes impossible, and the interworking between the LTE and WLAN networks is hindered.
2. When a mobile device is behind an enterprise FWR (i.e., connected to the enterprise WLAN), the IT manager of the FWDN has no control over the device's MWDN connection while it is inside the enterprise. For example, the device's connection 417 to the Internet via the LTE network MWDN 220 through the BNL 252 bypasses the corporate FWR 124. Because the UE 140A is simultaneously attached to the LAN 125, this path is an unfiltered route from the Internet 901 to a host on the corporate LAN, and a compromised or misconfigured UE can forward traffic from it into the LAN 125, even though the LAN's own Internet access over the BNL 152 is protected by the FWR 124.
3. A dual-access (e.g., LTE and Wi-Fi) tablet or laptop computer with access to external networks from within a LAN environment creates inconsistent IT management policy and/or policy enforcement. For example, the FWR 124 of the LAN 125 may impose content filtering on the device's traffic to and from the Internet to comply with corporate IT policy and/or government regulations. Compliance breaks if the device reaches the Internet through the LTE-Uu interface and the IP connection 417 of the MWDN 220 rather than through the corporate Wi-Fi connection of the FWDN 120.
4. A possible solution to the above problem is to force the mobile device to tear down the IP tunnel 417 between the device and the P-GW over the LTE-Uu interface as soon as the device enters the FWDN, so that the device can only take the FWDN-ePDG-P-GW route (e.g., IP tunnel 418) for Internet access. The downside of this approach is that it relies on the device or the user taking the expected action. Additionally, MWDN bandwidth is wasted delivering Internet-bound device traffic, and the UE 140A may lose the ability to access the ESN 101 directly for enterprise IT services at the same time.
5. Another potential solution is to give the device Internet access as usual through the FWDN without relying on an ePDG. For example, the UE 140A accesses the Internet through the corporate firewall FWR 124 and the BNL 152 like any corporate computer does. While this approach saves MWDN bandwidth, the MWDN operator loses its traffic routing management capability, which underpins potential content-based value-added services (e.g., mobile behavior analytics).
6. If the P-GW acts as the anchor point for all IP traffic flowing from a mobile device, the device must use an IPsec tunnel (e.g., the SWn interface) for mobile data security and 3GPP standards compliance. Given the large number of mobile devices within an enterprise campus, the cost of carrying these IPsec tunnels on the FWDN must be considered.
Consequently, both the MWDN operator and the FWDN owner (the enterprise) expect increased costs due to the overhead introduced by the SWn interface as described above.
The present invention provides one or more solutions to the above-described shortcomings of the 3GPP standardized MWDN-FWDN interconnections.