Telecom Security Foundations for 5G and Future Edge Networks

According to the industry reports globally 5G deployments will reach 1B+ 5G connections in 2022 and will reach 4.87B+ connections by 2027 combined with the fact from 6.5GB per subscriber average consumption with reach 15GB in 2022. This is a scale of networks world has not seen before and risk of not knowing what we are going to manage is greater than any value which will come from the technology advancements ,this is why we have seen growing Investments by Telcos in Security Infrastructure where at least 82% of Telco’s with 5G are having a substantial Security Infrastructure to Protect it .

Based on Dell Technologies long legacy in security solutions and projects done with Telecom customers we believe that software abstraction of network makes it possible to offer security as a service for any tenant or enterprise. However, that said key challenges exist because security is still considered as a built-in feature of product with less focus on its visibility, management and compliance. Therefore till now Cloud projects relied strongly on independent security test companies for validating a product including port scanning, penetration testing, and man-in-the-middle attacks.

The hurricane of new “things” connect to the network will increase network vulnerability. Thus, security is one of the key concerns when CSPs roll out their 5G and IoT services.

Security requirements and challenges will be wider in 5G than in previous generations, reflecting the far broader range of potential use cases and potential threats. Further contributing factors will come from the way 5G meets the need for higher speeds/lower latency combined with power efficiency needs, a wider variety of actors and device types and more use of the cloud and virtualization.

5G will be built upon network slicing and the “network of networks” concept. Any security measures must take both this and edge computing requirements into account.

Security Challenges in 5G

The following are generic issues that hinder the consolidation of secure IoT ecosystems:

  • Very large attack surface
  • Limited devices resources
  • Complex ecosystem
  • Fragmentation of standards and regulations
  • Insecure programming

There is no one-size-fits-all solution to address all the security challeng­es. To adequately protect from security breaches, a multi-layer, end-to-end framework is recommended that takes into account all connected devices, along with the applications they run and the net­works they use to transmit information. The framework should be built on emerging best practices. Several security layers (network, service, application, and endpoint/device) independent of each other may be combined in order to realize the overall system security. Associating the requirements to the respective security layers helps to avoid confusion and to better derive potential solutions.

The main security requirements to secure the upcoming IoT/5G services fall under the following main categories:

  • Identity Access Management and Authentication
  • Communication Security
  • Data Security (Confidentiality, Integrity, Availability)

5G Multi Layer Security Framework

These security requirements should be distributed over the below security layers:

  • Network Layer Security: This layer can be split in two parts: network access (part of the control plane) and network application (user plane). Different types of access, i.e. 3GPP (5G, LTE-M, NB-IoT, etc.)  or non 3GPP (WIFI, Zigbee, etc.) can be considered.

Under the umbrella of 3GPP, 5G/IoT will benefit from all the security and privacy mobile features, such as support for user identity confidentiality, entity authentication, confidentiality, signaling protection and data encryptions.

Although 3GPP defines several key security methodologies into its specification, CSPs still need to do the provisioning and configuration.

  • Service layer security: Services can be split into those that are defined by 3GPP, i.e. 3GPP services and services that are provided by service providers/third parties. As such, service layer mechanisms are defined within the domain of the service provider and cover aspects such as service authentication, confidentiality, integrity protection and privacy.
  • Application layer security: Service providers implement their services by providing applications to their subscribers. In addition to the security provided by the service layer, each application may implement additional and/or different security mechanisms. These could cover security mechanisms such as end-to-end data encryption and integrity protection.
  • Device or Endpoint security: Certain devices are required to implement security mechanisms in order to make sure only authorized users have access to device resources and in order to make sure that assets such as the device identifier cannot be manipulated. Those mechanisms are covered within the device security layer. In addition, aspects such as provisioning the UE with service or network access subscriptions, device theft, device integrity and grouping of devices (e.g. for bulk authentication and management) are covered.

The security requirements should be defined per use case, but at the end it follows the CIA triad (Confidentiality, Integrity, Availability), the below are different use cases for connected cars with the required security profile level

Network Slicing Security Requirements

Network slicing also raises the possibility of a range of scenarios that any security mechanisms must take into account.

These are listed by 3GPP SA3 as:

  • Network function sharing.
  • Access network sharing.
  • Access from less trusted networks.
  • Coexistence within a network slice with 3rd parties’ network functions.
  • Coexistence between network slices with different security assurance requirements.
  • Simultaneous UE connections to multiple network slices.
  • Simultaneous UE connections through different access technologies.
  • Possible deployment scenarios and trust relationship between the network operator and the service provider, e.g. third party application server.”

The nature of slicing leads to a range of specific security requirements. 3GPP SA3 identifies these as:

  • Security isolation of network slices.
  • Security mechanism of each slice.
  • Security on UEs’ access to slices.
  • Security on sensitive network elements.
  • Security on management of slicing.
  • Security on interacting with third party.
  • Virtualization security.

Network slices are intended to be independent and autonomous, which seems to imply security policies and configurations that differ according to functional needs of the slice. However rather than being a logical entity, a slice is a logical mapping of a set of functions. Some of those functions will be shared with another slice. Therefore, you cannot simply apply a security policy to a slice. Instead, what’s really important is the access control, authorization and authentication between individual virtualized functions. As a result, each virtualized function requires its own authentication mechanism to be able to mutually authenticate other functions that it communicates with that are on the same slice.

Edge Security Requirements

For the applications located on the MEC nodes, adequate security should be built into the MEC platform to provide secure platform services such as applications on-boarding, lifecycle management, etc.

Moreover, the distribution of NFs all over the network:

  • Increases attack surface as now more locations, and instances of NFs, new components (e.g. MANO) are included in the network.
  • Security enforcement and management becomes complex because now we need to monitor large number of security touch points.
Source: GSMA NEST

Recommended approach to address the increased attack surface and security management complexity is to implement security controls also at the edge of the network and extensively rely on the security automation driven by analytics.  This could be done by deploying a dedicated security gateway or service chained virtualized security functions at each edge location.

The main objectives of the Security Functions at the edge cloud should:

  1. Protect the network services: Edge is the first point of entry for the traffic. Hence placing security controls at the edge is highly important.
  2. Protect the MEC node platform
  3. Provide edge-based security services to the customers

Following attributes makes a security function desirable for hosting in the edge:

  1. Localized traffic analysis: SFs that can act locally without requiring the information about other part of the network
  2. Resource intensive security functions: Maximum capacity for some SF is not very high because of extensive compute or I/O handling required. Such SFs shall be distributed to ensure that the traffic remains with the capacity. This criterion is more relevant for SFs processing data plane traffic e.g. anti-virus, malware detection, DPI, cryptographic computations (particularly public KPI), etc.

Based on the above criteria, following Network Functions are preferred for the deployment in the edge to secure your networks and enable security as a service including

  • Access Control Lists
  • Stateful firewalls
  • Next-generation firewalls
  • Deep packet inspection
  • Web applications firewalls
  • Malware detection
  • analytics

Published by

Saad Sheikh

I am a Senior Architect with a passion to architect and deliver solutions addressing business adoption of the Cloud and Automation/Orchestration covering both Telco and IT Applications industry. My work in carrier Digital transformation involve Architecting and deploying Platforms for both Telco and IT Applications including Clouds both Open stack and container platforms, carrier grade NFV ,SDN and Infra Networking , DevOps CI/CD , Orchestration both NFVO and E2E SO , Edge and 5G platforms for both Consumer and Enterprise business. On DevOps side i am deeply interested in TaaS platforms and journey towards unified clouds including transition strategy for successful migration to the Cloud Please write to me on snasrullah@swedtel.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s