TelcoExperts

5G changes the game for securing your network. Are you ready to respond?

What kinds of vulnerabilities do you need to worry about as you move to standalone 5G? And how can you safeguard your network to protect against them? HPE recently explored these questions with Mobile World Live in a new technical paper.


As communication service providers (CSPs) migrate to 5G standalone (SA) architectures, they can do some amazing new things: carve out virtual network slices tuned to the applications running on them, elastically scale resources with demand, reassemble cloud-native infrastructure components at will, and much more. At the same time, more complex 5G networks could open the door to something more sinister: new security threats.

Fortunately, even as 5G SA architectures change the threat landscape, they bring new capabilities to help CSPs protect their services and customers.

“The bad guys love it whenever there is a new field of battle,” says Mark Little, senior manager with GSMA Intelligence. “There will be new attack vectors that experts won’t have even thought about, so there has to be an expectation that the black hats will find holes. But the strategic move to open and transparent networks, and the security innovations that potentially enables, should put the good guys in a position to fight back.”

What kinds of vulnerabilities do you need to worry about as you move to standalone 5G? And how can you safeguard your network to protect against them? HPE recently explored these questions with Mobile World Live in the technical paper 5G Security, Openness, and Trust Considerations.

Here are some of the highlights.

Core networks in the crosshairs

The good news is that 5G SA architectures bring more capacity and connectivity, to more places, than ever before. The bad news: connectivity is a two-way street. New 5G applications and devices could potentially act as entry points for hackers and other malicious actors.

5G core networks in particular—the nerve center of your network, where you collect vast amounts of user information and control access to services—present an attractive target. Core networks have always offered a treasure trove for bad actors seeking to execute sabotage or espionage attacks. But 5G adds new wrinkles to worry about.

  • More devices and traffic. With the introduction of advanced 5G edge and Internet of Things (IoT) services, plus higher-capacity radio networks, you can expect a huge increase in the connections and traffic traversing core networks. Spotting suspicious behavior in this ocean of information just got more challenging.
  • More dynamic services. Along those lines, 5G networks and services can generate so much data, so quickly, that the window to detect anomalies and respond to them gets much shorter.
  • More vendors. One of the biggest benefits of 5G is your ability to use standards-aligned equipment from any vendor, instead of getting locked into one network supplier’s ecosystem. At the same time, some governments worry that third-party telco equipment could be used as a vector for state-sponsored or corporate espionage.

Bottom line, 5G raises new questions about network security that you probably haven’t had to consider before. Fortunately, it also brings greatly expanded visibility and mature security models from the world of IT to help you meet the challenge.

More openness = More visibility

The biggest 5G security advantages derive from the shift to more open, standards-aligned architectures. It can sound counterintuitive, but a more open network is actually easier to secure. In legacy architectures, proprietary core network functions (NFs) were basically “black boxes” provided by network equipment suppliers. They did the job, but CSPs themselves had little ability to see or understand what was happening inside them. In open 5G SA architectures, you retain total visibility into your environment.

Just as important, 5G SA architectures employ cloud-native strategies from the world of IT to let you segment your network in more granular ways. Network slicing, for example, adds new virtual barriers between services. Even if an attack successfully targets resources in one slice, it can’t reach others. That segmentation extends down to individual NF and application components, which now run as containerized microservices, using the techniques that the big web companies (Google, Amazon, and the like) use in their mass-scale cloud applications. Here again, even if an attacker successfully breaches one part of an application, other parts remain isolated.

Principles of 5G security

It’s important to recognize that, while a 5G SA architecture can enable stronger security, you could still be vulnerable if it’s not implemented effectively.

  • Openness and transparency. You should be able to monitor, verify, mitigate, and act on threats at all levels of the architecture, including network elements, work processes, and vendors. In particular, you should retain full visibility into and control over NF changes.
  • Elimination of black boxes. Instead of using monolithic services, every part of your network should be disaggregated into containerized microservices that communicate over open interfaces. This way, you can closely monitor every component of every NF to quickly identify attempts to leak data or disrupt performance.  
  • Support for continuous change. Drawing from the world of IT, your network should employ continuous integration/continuous delivery (CI/CD) pipelines that facilitate “DevOps” ways of working. This not only lets you update your network continuously and more easily, it also builds multiple integrity checks into your workflow to spot anomalies in software upgrades and patches.
  • Multi-vendor support. If you lose confidence in a vendor supplying equipment for your network, for any reason, a properly designed 5G architecture will allow you to quickly replace that NF with another vendor’s.
  • Common security control. Effective 5G architectures separate network function data from the subscriber or service data those functions are processing, using a shared data environment (SDE). Using the same model, you should be able to control all data centrally, making it easier to monitor and secure.
  • Silicon root of trust. 5G network equipment should include embedded cryptographic firmware. Every time a server boots, it should verify that its startup processes match a known good configuration, and have not been tampered with somewhere in the supply chain.

Protect your 5G network

If it sounds like we’ve put a lot of thought into the security implications of 5G SA architectures, we have. In fact, we made sure to address every single one of these principles in developing our new, cloud-native HPE 5G Core Stack.

We’ve completely reimagined core networks for 5G, providing end-to-end transparency, cloud-native microservices that can be constantly monitored, support for multiple vendors in an SDE, CI/CD pipelines, silicon root of trust, and more. We’re working to ensure that you can continually inspect and verify every part of your 5G core network to protect your services, customers, and data.

For more details on how you can build a more secure 5G network, download the technical paper now.



Meet HPE Telco Blogger, Mark Syrett.
Mark is the security officer and 5G security architect for Communication and Media Solutions at HPE, and has over 25 years of experience in the telecom industry. Mark is responsible for the secure development lifecycle, security best practices and security in DevOps used during product development. He leads the security threat, architectural and design reviews, and is responsible for defining the architectural runway and architectural vision for security for 5G core products. Mark also currently represents Hewlett Packard Enterprise in the security group of 3GPP - SA3.

 


Telco Industry Marketing
Hewlett Packard Enterprise

twitter.com/HPE_Telco
linkedin.com/company/hewlett-packard-enterprise
hpe.com/solutions
