Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security //

Cellular Network

12/28/2018
09:15 AM
Alex Pavlovic
Alex Pavlovic
News Analysis-Security Now
50%
50%

5G Network Security Needs a Comprehensive Approach in 2019

As the first 5G rollouts are anticipated to start in 2019, service providers need to take a more holistic and comprehensive approach to securing these new networks and the businesses and customers using them.

As rollouts of 5G networks get underway in 2019, the technology will affect three very diverse areas: enhanced mobile broadband for consumers; massive machine-type communications for billions of Internet of Things devices and systems; and ultra-reliable, low latency communications for mission-critical applications.

Within these three areas, the range and effect of possible security threats is wide: from a breakdown of communications and massive service outages, to unauthorized access of sensitive and private data.

All of these can lead businesses to losses and worse -- putting people's lives and property at risk.

Major standards organizations, including 3GPP and ITU, view 5G security in a holistic manner, with frameworks encompassing all aspects. One vital element of the 5G security architecture is the transport network domain. With more infrastructure owners and increased complexity of trust relationships, this network needs more comprehensive security.

Network slicing will effectively multiply these concerns across many individual slices.

A proper 5G transport domain security approach must protect the network infrastructure and ensure confidentiality, integrity and availability of communications flows across all network planes: user, control, data and management planes.

These approaches must also support diverse mobile generations that will continue to coexist and many distributed, hybrid -- virtualized and physical -- domains that need to be dynamically interconnected.

For service providers who lease their transport from wholesale providers, protecting traffic between the radio access network (RAN), the core network and their multi-cloud environment becomes even more vital.

Security gateways to the rescueHistorically, security of transport in mobile environments has been effectively addressed by deploying high-end routers at centralized locations as security gateways (SeGWs).

This approach ensures:

  • Authentication: Affirmation that communication elements are truly who they claim they are
  • Integrity and confidentiality of communications: By encrypting communications flows in an end-to-end (or in a more precise, point-to-point) manner using the highest cryptographic standards available

Internet Protocol Security (IPsec) has been used extensively to protect all communications between the RAN and core.

In the RAN, encrypted sessions start at RAN base stations or nearby cell/aggregation routers. At the centralized location, these encrypted sessions are terminated by a large-scale IP router: a dedicated SeGW, which also provides all required interconnectivity.

In this chart, the solution based on SeGWs can also work in 5G to address all types of RAN base stations: macrocells, small cells, and fixed-wireless access. Non-3GPP access -- carrier WiFi -- can be integrated to the 5G core in a similar manner through Non-3GPP Interworking Function (N3IWF).

The deployment of SeGWs is done in conjunction with Public Key Infrastructure Certification Authority (PKI CA) -- a software-based system that ensures the authentication of access elements, provides for authorized and secure exchange of encryption keys, and manages the whole solution from a security viewpoint.

5G specification also brings a new authentication scheme and opens the scope of research to monitor developments in quantum cryptography. (See How Quantum Physics Will Protect Against Quantum-Busting Encryption.)

It's important to add that security has also become a consideration at the optical transport level, resulting in Layer 1 encryption techniques as part of an overall defense-in-depth strategy.

New generation of transportReal-time encryption of communications flows add a "processing tax" in the form of reduced throughput (lower than line rate) and increased end-to-end latency. This may not pose a great challenge for broadband services, where high speed is generally much more important than low latency -- such as video streaming. However, to "qualify" for the 5G era, SeGWs need to ensure low latency for services where it's critical (such as uRLLC) or an essential part of a user experience, for example, gaming. They also need to support distributed architectures and hybrid deployment.

The progress made with the latest generation of routers -- from the underlying processors with extreme processing power and intelligence, to new product architectures and high-density, high-speed interface cards -- allows SeGWs to:

  • Handle large number of IPsec sessions (hundreds of thousands per system)
  • Achieve high-aggregate throughput rates (up to hundreds of Gbps per system)
  • Add very little latency

In addition, great progress has been made with virtualized implementations (vSeGW), running in x86 environments.

However, not all vendor implementations are the same, and interoperability test results -- where they exist -- are not shared publicly.

Where does this leave you?Service providers transitioning to 5G should include 5G transport domain security in their overall 5G tests and trials.

Security of the transport network, like overall 5G security, should be a forethought, not an afterthought. The stakes are much higher in 5G, and only a 5G transport network that can address all 5G requirements -- including security -- will safely take you into the 5G era.

Related posts:

Alex Pavlovic is a senior product marketing manager for IP and Optical Networks at Nokia, where he focuses on Nokia Anyhaul -- the mobile transport portfolio for the 5G era (and Nokia IP Anyhaul in particular).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Considerations for Seamless CCPA Compliance
Anurag Kahol, CTO, Bitglass,  7/2/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12421
PUBLISHED: 2020-07-09
When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 6...
CVE-2020-12422
PUBLISHED: 2020-07-09
In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78.
CVE-2020-12423
PUBLISHED: 2020-07-09
When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. *Note: This issue only affects the Windows operating system; other operating sys...
CVE-2020-12425
PUBLISHED: 2020-07-09
Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
CVE-2020-12426
PUBLISHED: 2020-07-09
Mozilla developers and community members reported memory safety bugs present in Firefox 77. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 78.