Building Secure 5G Networks on Distributed Telco Clouds
Source: sdnflex.org/wp-content/uploads/2017/03/SDNFlex-2017-Keynote-5G-Se…
© Nokia Solutions and Networks 2017, Public

Page 1: Title slide

Building Secure 5G Networks on Distributed Telco Clouds

2017-03-13

Peter Schneider, Nokia Bell Labs NAACS Security

Page 2: Agenda

• Mobile network security – example LTE
• 5G security: requirements, vision
• From 4G to 5G mobile networks:
  - Network architecture change
  - Impact on the security architecture
• NFV/SDN/5G-security research activities and results
• Network slicing security
• Summary and conclusion

Abbreviations at the end

Page 3: A 4G Mobile Network (LTE)

[Figure: LTE network overview. Radio Access Network: cells, each served by an eNB. Core Network: Serving Gateway, PDN Gateway, MME, HSS, PCRF and IMS application servers. An SEG terminates the backhaul from the eNBs; a firewall sits at the border to the Internet (PDN).]

Legend: eNB Evolved Node B; HSS Home Subscriber Server; IMS IP Multimedia Subsystem; MME Mobility Management Entity; PCRF Policy and Charging Rules Function; PDN Packet Data Network; SEG Security Gateway

Page 4: 4G Security as Specified by 3GPP

[Figure: the LTE network of the previous slide, annotated with the security features 3GPP specifies.]

• Authentication and Key Agreement between UE (USIM) and HSS (AuC), based on the permanent key K held by both
• Key hierarchy: KASME shared by UE and MME, KeNB shared by UE and eNB
• Non access stratum (NAS) signalling security (UE to MME)
• Access stratum (AS) security (UE to eNB), applied in the PDCP layer of the radio protocol stack (PHY, MAC, RLC, PDCP, RRC/IP)
• Crypto algorithms
• Backhaul link security (eNB to SEG)
• Core interface security
• User identity privacy
• Secure environment
• VoLTE/IMS security

More security aspects: Mobility (key separation in handovers), Home eNB, Relay Node, non-3GPP access, dual connectivity (LTE, LTE/WiFi), proximity services (incl. device-to-device communication), security assurance methods, …

Legend: AuC Authentication Center; K Key; PDCP Packet Data Convergence Protocol; USIM Universal Subscriber Identity Module
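The key hierarchy labelled on this slide (K in USIM and AuC, KASME in UE and MME, KeNB in UE and eNB) and the "key separation in handovers" it mentions are easier to grasp in code. What follows is an added example, not part of the keynote and not Nokia code: it implements the generic 3GPP KDF (HMAC-SHA-256 over FC and length-prefixed parameters) with the FC values and parameter layouts of TS 33.401 Annex A as I know them (0x10 KASME, 0x11 KeNB, 0x12 NH, 0x13 KeNB*, 0x15 algorithm keys); check those constants against the current specification before relying on them. CK, IK, SN id, SQN xor AK, PCI and EARFCN values in the demo are constructed sample data, not real AKA output.

```python
import hmac
import hashlib

# Generic 3GPP key derivation function (TS 33.220 Annex B):
# HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 || ...,
# where each Li is the two-octet big-endian length of Pi.
def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# Root of the hierarchy: K exists only in the USIM and in the HSS/AuC and is never
# transmitted. AKA turns it into CK, IK and SQN xor AK; only those enter the hierarchy.
def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME = KDF(CK || IK, FC=0x10, SN id (3 octets), SQN xor AK (6 octets))."""
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


def derive_kenb(kasme: bytes, nas_uplink_count: int) -> bytes:
    """KeNB = KDF(KASME, FC=0x11, uplink NAS COUNT (4 octets)); a new COUNT gives a new KeNB."""
    return kdf(kasme, 0x11, nas_uplink_count.to_bytes(4, "big"))


def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """NH = KDF(KASME, FC=0x12, SYNC-input); SYNC-input is KeNB for the first NH, else the previous NH."""
    return kdf(kasme, 0x12, sync_input)


def derive_kenb_star(kenb_or_nh: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* = KDF(KeNB or NH, FC=0x13, target PCI (2 octets), target EARFCN-DL (2 octets))."""
    return kdf(kenb_or_nh, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


# Algorithm type distinguishers (TS 33.401 Table A.7-1, as recalled)
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC, UP_INT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06


def derive_algorithm_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit session key = low-order 128 bits of KDF(parent, FC=0x15, type (1 octet), alg id (1 octet)).
    parent is KASME for NAS keys and KeNB for RRC and user-plane keys."""
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def horizontal_handover(kasme: bytes, nas_count: int, target_pci: int, target_earfcn: int):
    """Source eNB derives KeNB* for the target cell from its own KeNB; the target adopts it as KeNB.
    Returns (source KeNB, target KeNB). The KDF is one-way, so the target cannot recover the
    source key (backward security), but the source still knows the target key."""
    kenb_source = derive_kenb(kasme, nas_count)
    kenb_target = derive_kenb_star(kenb_source, target_pci, target_earfcn)
    return kenb_source, kenb_target


def vertical_handover(kasme: bytes, kenb: bytes, nh_steps: int, target_pci: int, target_earfcn: int):
    """Forward security via the NH chain held by UE and MME: after nh_steps >= 1 derivations the
    source eNB no longer knows the parent key, so it cannot derive the target's KeNB."""
    nh = kenb
    for _ in range(nh_steps):
        nh = derive_nh(kasme, nh)
    return derive_kenb_star(nh, target_pci, target_earfcn)


if __name__ == "__main__":
    # Constructed sample values (not real AKA output)
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    sn_id = bytes.fromhex("62f210")            # constructed serving network id
    sqn_xor_ak = bytes.fromhex("000102030405")
    kasme = derive_kasme(ck, ik, sn_id, sqn_xor_ak)
    src, tgt = horizontal_handover(kasme, nas_count=7, target_pci=42, target_earfcn=1800)
    print("KASME      ", kasme.hex())
    print("KeNB source", src.hex())
    print("KeNB target", tgt.hex())
    print("K_RRCint   ", derive_algorithm_key(src, RRC_INT, 0x2).hex())
```

The point to take from running it: every key below K is a one-way function of its parent plus a context value (NAS COUNT, target cell identity, NH step, algorithm identity), so a compromised eNB yields at most the keys of the cells it can derive forward from its own KeNB, and the MME-driven NH chain cuts even that off after the next vertical derivation.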

Page 5: Non-Standardized Network Security Measures

• Traffic separation (e.g. separate user/control/management traffic)
• Perimeter security (traffic filtering at all interconnection points to external networks or hosts)
• Traffic filtering between (internal) network zones
• Cryptographic traffic protection (in addition to 3GPP-specified crypto)
• Secure operation and maintenance (O&M)
• Secure operation of IP network services/protocols
• Reactive security (monitoring, analytics, attack/anomaly detection)

Page 6: Network Element Security

• threat and risk analysis per network element
• network element security architecture
• secure coding
• hardening
• security testing
• security audit
• security vulnerability monitoring
• patching process

➢ Mostly done in a proprietary way, e.g. Nokia’s “DFSEC Process” (3GPP only specifies security requirements and “security assurance methods” for some network elements)

Page 7: Specific 5G Security Requirements: Example NGMN Alliance

NGMN Alliance 5G Whitepaper, Version 1.0, 17-February-2015: “enhanced performance is expected to be provided along ... with the capability to, among others, ensure security and trust, identity, and privacy”

“Specific security design for use cases which require extremely low latency (including the latency of initiating communications)”

“Improve resilience and availability of the network against signalling based threats, including overload”

“Improve system robustness against smart jamming attacks”

“Improve security of 5G small cell nodes”

“provide better secrecy than 4G”

➢ Substantial security requirements!

NGMN Next Generation Mobile Network

Page 8: 5G Security Vision

[Figure: “5G Security” at the centre, surrounded by the elements of the vision:]

• Supreme built-in security
• Automation
• Flexible security mechanisms
• Increased robustness against cyber attacks
• Enhanced privacy
• Alternative identification and authentication procedures
• Holistic security orchestration and management
• Security assurance
• User plane encryption and integrity protection optional to use
• Optimize security mechanisms for individual applications
• Self-adaptive, intelligent security controls

Page 9: A Mobile Core Network in the Telco Cloud

[Figure: the core network (MME, Serving Gateway, HSS, PDN Gateway, PCRF, IMS servers, SEG, firewall) shown twice: on the left as “boxes interconnected by cables”, on the right as VNFs running on NFV infrastructure in a telco cloud.]

Page 10: A Mobile Network with Virtualized Core

[Figure: cells with eNBs connected to a core running in a telco cloud; the telco cloud connects to the Internet.]

Page 11: A 5G Mobile Network with Virtualized Core and RAN

Implemented on distributed telco clouds

[Figure: cells connected to an edge cloud, the edge cloud connected to a central cloud, the central cloud connected to the Internet.]

Page 12: A 5G Mobile Network with Virtualized Core and RAN

Implemented on distributed telco clouds with SDN based transport

[Figure: as on the previous slide, with the links between cells, edge cloud, central cloud and the Internet provided by an SDN-based transport network.]

Page 13: Elements of a 5G Security Architecture

[Figure: the distributed-cloud network (cells, edge cloud, central cloud) annotated with the following elements.]

• Subscriber/device identifiers/credentials
• Hardware security modules
• Security negotiation, key hierarchy
• Enhanced control plane robustness
• Enhanced subscriber privacy
• Crypto algorithms
• Physical layer security
• Jamming protection
• Authentication/authorization, key agreement
• NFV/SDN security
• Network slicing security
• Security assurance for NFV environments
• Security management and orchestration
• Self-adaptive, intelligent security controls

Page 14: Another Example: The SENDATE Project

• “Secure Networking for a DATa Center Cloud in Europe”
• Multinational project in Europe
• Funded by national agencies

Security is a focus topic and motivator!

Source: SENDATE Consortium

Page 15: Example Activity: Security Management for Distributed Data Centers and Virtualized Environments

[Figure only; no further text captured.]

Source: SENDATE Consortium

Page 16: 5G PPP

• “The 5G PPP will deliver solutions, architectures, technologies and standards for the ubiquitous next generation communication infrastructures of the coming decade.” (From https://5g-ppp.eu/)

• 5G-ENSURE (ENablers for Network and System SecUrity and REsilience): a project dedicated to 5G security

• 5G NORMA (A NOvel Radio Multiservice adaptive network Architecture for the 5G era): combining architecture and security work

Page 17: [5G NORMA overview figure; no text captured]

Source: 5G NORMA Consortium

Page 18: 5G NORMA Security

5G NORMA feature, followed by the related security work:

NFV environments for core and RAN functions
  NFV security (for central and distributed NFV environments)

Software Defined Mobile Network Control (SDMC)
  SDN security, specialized for SDMC

Mobile network multi-tenancy
  Tenant isolation, network slicing security

Multi-service awareness
  Flexible security approach, e.g. choice of crypto-algorithms

Adaptive allocation of functions, joint optimization of RAN and core
  Flexible security approach, e.g. support for flexible allocation of security functions

Page 19: Securing a Network Implemented in an NFV Environment

• Separation of VNFs provided by the virtualization layer (logical separation)
• Optional physical separation of VNFs – at a cost
• Traffic separation by dedicated virtual switches, VLANs and wide area VPNs
• Cryptographic protection of traffic and of data on storage
• Sound, robust implementations of the virtualization layer (e.g. hypervisor) and the overall cloud platform software, integrity (trust) assurance
• Sound, robust, security aware implementation of the VNFs
• Perimeter security and network internal traffic filtering by virtual firewalls
• Logically or even physically separated security zones
• Reactive security (monitoring, analytics, attack/anomaly detection)
• Secure operation and maintenance, secure operation of IP services (e.g. DNS)

Page 20: Securing an SDN-based Network

[Figure: an SDN controller with applications on top, running in a secure virtualized/cloud environment and connected over a control network to the SDN switches. Security measures annotated in the figure:]

• Secure SDN controller: robust implementation, overload control
• Sound authentication and authorization concepts
• Cryptographic protection (annotated both on the application side and on the switch side of the controller)
• Firewall on the control network
• Secure virtualized/cloud environment for the controller
• SDN switches: robust implementation, overload control

Page 21: Mobile Guard Interacting with De-composed Gateways

[Figure: the Serving and PDN gateways decomposed into user-plane parts (S-GW U, P-GW U) in a virtualized/cloud environment and control applications (S-GW App, P-GW App) behind a GW control function. A Mobile Guard, fed by a probe on the path to the IP service network, detects malware activity and isolates the infected terminal (its path to the IP service network is cut, marked X); a sanitizing server is also shown.]

Page 22: SDN Security: Challenges versus Opportunities

Separation forwarding/control
  Challenge: increased attack surface (but good protection mechanisms exist)
  Opportunity: (basis for other opportunities)

Centralized control
  Challenge: successful attacks have huge impact
  Opportunity: unify security policies, adapt them automatically & consistently

Controllers in clouds
  Challenge: various threats, like attacks via hypervisor vulnerabilities
  Opportunity: use elasticity of resources to overcome DoS attacks

Agile and fine-granular control
  Challenge: increases complexity, is a source of errors, may be abused
  Opportunity: facilitates security solutions that need to execute such control

Network programmability
  Challenge: abuse of control functions, exploiting vulnerabilities, compromising controllers
  Opportunity: facilitates efficient deployment of security solutions running as applications on controllers

Page 23: Starting Point for a Slicing Example: A Mobile Network with a Virtualized Core

[Figure: cells connected to a core running in a telco cloud, which connects to the Internet.]

Page 24: A Mobile Network with Two Core Network Slices

[Figure: a common RAN (cells) serving two core network slices (Network/slice A, Network/slice B) in the telco cloud, plus common parts; both slices reach the Internet.]

Slices share a common RAN.

Dedicated radio resources may be allocated for each slice.

Example: Several slices for mobile Internet access with differentiated QoE (gold/silver/bronze).

Page 25: A Mobile Network with Two RAN/Core Network Slices

[Figure: cells, edge cloud and central cloud, with two slices spanning RAN and core, both reaching the Internet.]

Slices share a common RAN infrastructure plus some RAN functions.

Different slices for different use cases, e.g.
• Mobile Internet access
• Mission critical IoT
• Massive IoT

Page 26: A Mobile Network with Two RAN/Core Network Slices, Separated Cells

Fixed radio interface resources per slice

[Figure: separate groups of cells per slice, connected via edge cloud and central cloud to the Internet.]

Slice A – Industry Vertical X
Slice B – Industry Vertical Y
Common parts – Network Operator

Page 27: End-to-end Network Slices - Multiple Networks in a Shared Infrastructure

Logical separation in the shared infrastructure, dedicated radio resources

[Figure: several groups of cells, edge cloud, central cloud and the Internet, with each end-to-end slice running as a logically separate network over the shared infrastructure.]

Page 28: Slice Isolation Issues – Shared Telco Cloud Provider

Isolation in the cloud by NFV mechanisms

➢ Relies on a secure telco cloud - security measures as discussed

An industry vertical renting/operating a slice needs to trust the telco cloud provider (typically the mobile network operator) for:
• Correct assignment of NFV infrastructure resources
• Isolation against other slices
• No malicious traffic interception or meta data collection by the telco cloud provider

Page 29: Slice Isolation Issues – Shared Transport Infrastructure

Isolation in the transport by VPNs created via SDN

➢ SDN security threats must be mitigated, as discussed

Trust in a transport infrastructure provider is less critical:
• transport resource assignment easy to monitor
• security isolation via cryptographic traffic protection

Page 30: Other Slicing Security Aspects (1/2)

• individual security mechanisms per slice
• different security assurance levels per slice
• sensitive information maintained within a slice
• specific authentication procedures involving vertical and mobile network operator
• authorization to use a specific slice

Page 31: Other Slicing Security Aspects (2/2)

• Specific attacks:
  - DoS attacks on “small” slices
  - Malicious message routing between different slices
  - Attacks on interfaces to common network parts (vertical to mobile network operator)
  - Attacks on management interfaces provided for verticals to manage their slices
  - Attacks via inter-slice interfaces
  - Attacks on slicing-specific procedures: slice selection, slicing-specific authentication and authorization, slice management

➢ Mitigation by “traditional” means – with room for improvement
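The deck names “malicious message routing between different slices” as a slicing-specific attack and, on the SDN slides, lists centrally unified and consistently applied security policies as the matching opportunity. The following is an added example (mine, not the keynote’s and not tied to any real controller or product) of one such control: a validator that checks a batch of proposed forwarding rules against the slice/common-parts port assignment before they are pushed to switches, so that a rule which would carry one slice’s traffic into another, or retag it with another slice’s VLAN, is rejected at the controller. The slice model, port numbers, VLAN ids and the flow-rule abstraction are all constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

COMMON = "common"  # operator-owned network parts shared by all slices


@dataclass(frozen=True)
class Slice:
    name: str
    vlan: int              # transport VLAN carrying this slice's traffic (constructed model)
    ports: FrozenSet[int]  # switch ports assigned to this slice


@dataclass(frozen=True)
class FlowRule:
    rule_id: str
    in_port: int
    out_port: int
    set_vlan: Optional[int] = None  # optional VLAN rewrite action


def owner_of_port(port: int, slices: List[Slice]) -> Optional[str]:
    """Name of the slice (or COMMON) that owns a switch port; None if unassigned."""
    for s in slices:
        if port in s.ports:
            return s.name
    return None


def validate_rules(rules: List[FlowRule], slices: List[Slice],
                   allowed_pairs: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_id, reason) for every rule that would break slice isolation.

    Policy: traffic may stay inside its slice or flow between a slice and the
    common parts; direct slice-to-slice forwarding needs an explicit entry in
    allowed_pairs; a VLAN rewrite must match the slice owning the egress port;
    rules touching unassigned ports are rejected outright.
    """
    vlan_owner = {s.vlan: s.name for s in slices}
    findings: List[Tuple[str, str]] = []
    for r in rules:
        src = owner_of_port(r.in_port, slices)
        dst = owner_of_port(r.out_port, slices)
        if src is None or dst is None:
            bad = r.in_port if src is None else r.out_port
            findings.append((r.rule_id, f"port {bad} is not assigned to any slice or to the common parts"))
            continue
        if src != dst and COMMON not in (src, dst) and (src, dst) not in allowed_pairs:
            findings.append((r.rule_id, f"cross-slice forwarding {src} -> {dst} is not permitted"))
        if r.set_vlan is not None and vlan_owner.get(r.set_vlan) != dst:
            findings.append((r.rule_id,
                             f"VLAN rewrite to {r.set_vlan} ({vlan_owner.get(r.set_vlan, 'unassigned')}) "
                             f"does not match egress slice {dst}"))
    return findings


def audit_example(allowed_pairs: Set[Tuple[str, str]] = frozenset()) -> List[Tuple[str, str]]:
    """Run the validator over a constructed rule set (sample data, not from any real controller)."""
    slices = [
        Slice("A", vlan=100, ports=frozenset({1, 2})),
        Slice("B", vlan=200, ports=frozenset({3, 4})),
        Slice(COMMON, vlan=10, ports=frozenset({9})),
    ]
    rules = [
        FlowRule("r1", in_port=1, out_port=2),                # A -> A: fine
        FlowRule("r2", in_port=1, out_port=9),                # A -> common parts: fine
        FlowRule("r3", in_port=9, out_port=3, set_vlan=200),  # common -> B, retagged to B's VLAN: fine
        FlowRule("r4", in_port=1, out_port=3),                # A -> B: cross-slice routing
        FlowRule("r5", in_port=1, out_port=2, set_vlan=200),  # A egress carrying B's tag
        FlowRule("r6", in_port=1, out_port=42),               # egress to an unassigned port
    ]
    return validate_rules(rules, slices, set(allowed_pairs))


if __name__ == "__main__":
    for rule_id, reason in audit_example():
        print(f"{rule_id}: {reason}")
```

The check is deliberately a pre-deployment gate rather than a packet filter: with centralized control the policy is evaluated once, at the controller, against the same slice inventory the orchestrator uses, which is the “unify security policies, adapt them consistently” opportunity from the SDN slide. The explicit allow-list makes any inter-slice path a reviewed decision instead of a side effect of a rule.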

Page 32: Summary: Building Secure 5G Networks on Distributed Telco Clouds

In 5G, there is a substantial change in the network architecture:
• NFV and SDN support highly dynamic networking
• Network slicing supports multi-tenancy

Strong impact on the security architecture:
• Securing the NFV infrastructure + the VNFs
• Transferring network security measures into the telco cloud – physical separation is much less applicable than in 4G

We can build secure 5G networks, but it isn’t a no-brainer

Page 33: Some Abbreviations

3GPP 3rd Generation Partnership Project
AS Access Stratum
ASME Access Security Management Entity
AuC Authentication Centre
DNS Domain Name Service
eNB Evolved Node B
HSS Home Subscriber Server
IMS IP Multimedia Subsystem
IoT Internet of Things
IP Internet Protocol
K Key
LTE Long Term Evolution
MAC Medium Access Control
MME Mobility Management Entity
NAS Non Access Stratum
NFV Network Function Virtualization
PCRF Policy and Charging Rules Function
PDCP Packet Data Convergence Protocol
PDN Packet Data Network
PHY Physical Layer
RLC Radio Link Control
RRC Radio Resource Control
SEG Security Gateway
SDN Software Defined Networking
USIM Universal Subscriber Identity Module
VNF Virtual Network Function