Page 1

Securing 5G Mobile Networks Built on Distributed Telco Clouds

2017-06-15

Peter Schneider, Nokia Bell Labs

© Nokia Solutions and Networks 2017, Public

Page 2

Outline

• The goal: 5G security high level vision

• The Baseline: Mobile network security today

• Virtualized, programmable, sliced mobile networks

• Elements of a 5G security architecture

- Secure SDN

- Secure NFV

- Secure Slicing

• Yes, we can!

This presentation uses results of work that has been carried out in the H2020-ICT-2014-2 Project 5G NORMA (https://5gnorma.5g-ppp.eu/)

Page 3

5G Security Vision

[Figure: "5G Security" at the centre, surrounded by the elements of the vision:]

• Supreme built-in security

• Automation

• Flexible security mechanisms

• Increased robustness against cyber attacks

• Enhanced privacy

• Alternative identification and authentication procedures

• Holistic security orchestration and management

• Security assurance

• User plane encryption and integrity protection optional to use

• Optimize security mechanisms for individual applications

• Self-adaptive, intelligent security controls

Page 4

Layers of Mobile Network Security as of Today

[Figure: today's LTE network (UE/USIM with K, eNB, MME, Serving Gateway, PDN Gateway, HSS/AuC with K, PCRF, IMS/Application Servers, SEG, Internet) annotated with its security layers: Authentication and Key Agreement (KASME, KeNB); Access stratum security; Non access stratum signaling security; Backhaul link security; Core interface security; User Identity Privacy; Secure Environment; VoLTE/IMS security. Legend: 3GPP-specified security architecture; Non-standardized network security measures (Internet, Demilitarized Zone, Inner Network, Outer Perimeter Firewall, Inner Perimeter Firewall); Network element security measures.]
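The key hierarchy the figure labels (K on USIM and AuC, KASME in UE and MME, KeNB in UE and eNB) is what makes the layers separable: each node holds only the key for its own layer. The following is an added example, not code from the presentation, that derives KASME and KeNB with the generic 3GPP KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1, TS 33.220 Annex B, parameters per TS 33.401 Annex A); all key values and the PLMN are constructed.

```python
# Added example (not from the presentation): LTE key derivation K -> (CK, IK) -> KASME -> KeNB.
# Key material below is constructed for illustration only.
import hashlib
import hmac


def kdf_input(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ...; each Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(key, S), 256-bit output."""
    return hmac.new(key, kdf_input(fc, *params), hashlib.sha256).digest()


def sn_id_from_plmn(mcc: str, mnc: str) -> bytes:
    """3-byte SN id in PLMN nibble layout (TS 33.401 A.2); a 2-digit MNC pads digit 3 with 0xF."""
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc] + ([0xF] if len(mnc) == 2 else [])
    if len(m) != 3 or len(n) != 3:
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    return bytes([(m[1] << 4) | m[0], (n[2] << 4) | m[2], (n[1] << 4) | n[0]])


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME = KDF(CK || IK, FC 0x10, SN id, SQN xor AK) (TS 33.401 A.2). Held by UE and MME only,
    so a compromised eNB never learns it."""
    if (len(ck), len(ik), len(sn_id), len(sqn_xor_ak)) != (16, 16, 3, 6):
        raise ValueError("CK/IK are 16 bytes, SN id 3 bytes, SQN xor AK 6 bytes")
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


def derive_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    """KeNB = KDF(KASME, FC 0x11, uplink NAS COUNT as 4 bytes) (TS 33.401 A.3). This is the only
    key handed to the eNB; a fresh NAS COUNT yields a fresh KeNB."""
    if len(kasme) != 32:
        raise ValueError("KASME is 256 bits")
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))


if __name__ == "__main__":
    ck, ik = bytes(range(16)), bytes(range(16, 32))          # constructed, not real keys
    kasme = derive_kasme(ck, ik, sn_id_from_plmn("262", "01"), bytes.fromhex("000102030405"))
    print("KASME", kasme.hex())
    print("KeNB ", derive_kenb(kasme, 1).hex())
```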

Page 5

A Mobile Core Network in the Telco Cloud

[Figure: the same core network elements (MME, Serving Gateway, HSS, PDN Gateway, PCRF, IMS Servers, SEG, Firewall) shown twice: on the left as "Boxes interconnected by cables", on the right as VNFs running on NFV infrastructure in a telco cloud.]

Page 6

A 5G Mobile Network with Virtualized Core and RAN

Implemented on distributed telco clouds with SDN-based transport

[Figure: cells attached to an Edge Cloud and a Central cloud, connected to the Internet.]

Page 7

Elements of a 5G Security Architecture

[Figure: the security elements placed on the Cell / Edge Cloud / Central cloud architecture:]

• Subscriber/device identifiers/credentials

• Hardware security modules

• Security negotiation, key hierarchy

• Enhanced control plane robustness

• Enhanced subscriber privacy

• Crypto algorithms

• Physical layer security

• Jamming protection

• Authentication/authorization, key agreement

• NFV/SDN security

• Network slicing security

• Security assurance for NFV environments

• Security management and orchestration

• Self-adaptive, intelligent security controls

Page 8

Securing an SDN-based Network

[Figure: SDN architecture (Applications, SDN Controller, Control Network, SDN Switches, Firewall, Virtualized/Cloud Environment) annotated with the security measures:]

• Cryptographic protection

• Sound authentication and authorization concepts

• Secure SDN controller

• Robust implementation, overload control

• Secure Virtualized/Cloud Environment

Page 9

Securing a Network Implemented in an NFV Environment

• Sound, robust implementations of the virtualization layer (e.g. hypervisor) and the overall cloud platform software

• Sound, robust, security aware implementation of the VNFs

• Integrity (trust) assurance for both platform and VNFs

• Separation of VNFs provided by the virtualization layer (logical separation)

• Optional physical separation of VNFs – at a cost

• Traffic separation by dedicated virtual switches, VLANs and wide area VPNs

• Perimeter security and network internal traffic filtering by virtual firewalls

• Logically or even physically separated security zones

• Cryptographic protection of traffic and of data on storage

• Secure Operation & Maintenance

• Reactive security measures

Page 10

Slicing and Isolation

• Slicing a mobile network: creating partitions inside the mobile network

- Different flavors: core network slices, RAN slices, e2e slices

- Common infrastructure (NFV infrastructure, SDN-based transport)

- Tailored slices for specific services (eMBB, V2X, mIoT)

- Multiple slice instances to be rented by multiple verticals (?)

• Resource Isolation

- Resources dedicated to one slice cannot be consumed by another slice.

• Security isolation

- Data/traffic cannot be intercepted/faked by entities of another slice.

• Isolation: Resource Isolation + Security Isolation.

➢ The crucial security aspect in network slicing!

Page 11

A Mobile Network with Two Core Network Slices

Slices share a common RAN

[Figure: a Cell connected to a Telco cloud hosting Slice A, Slice B and Common parts, with access to the Internet.]

Scheduling Resource Blocks (RBs) on the radio interface:

Page 12

A Mobile Network with Two RAN/Core Network Slices

[Figure: three Cells connected to an Edge Cloud and a Central cloud, with access to the Internet.]

Slices share a common RAN infrastructure plus some RAN functions

Page 13

A Mobile Network with Two RAN/Core Network Slices, Separated Cells

Fixed radio interface resources per slice

[Figure: groups of Cells connected to an Edge Cloud and a Central cloud, with access to the Internet. Legend: Slice A: eMBB; Slice B: V2X; Common parts.]
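Slide 10 defines resource isolation as "resources dedicated to one slice cannot be consumed by another slice", and slides 11 and 13 apply it to scheduling Resource Blocks on the radio interface with fixed resources per slice. The following is an added example, not code from the presentation or from 5G NORMA: a per-TTI RB allocator in which each slice's reservation is never lent to another slice, even when idle, and only unreserved RBs are shared. Slice names, reservations and demands are constructed.

```python
# Added example (not from the presentation): slice-aware Resource Block scheduling for one TTI.
# The slice names, reservations and demands are constructed for illustration.
from dataclasses import dataclass


@dataclass
class SliceDemand:
    name: str
    dedicated_rbs: int   # RBs reserved for this slice in every TTI ("fixed resources per slice")
    demand: int          # RBs the slice's users request in this TTI


def schedule_tti(total_rbs: int, slices: list, shared_pool: bool = True) -> dict:
    """Allocate RBs for one TTI.

    Each slice is served from its own reservation first; no other slice can consume
    those RBs, even when they are idle (resource isolation). Only RBs that are not
    reserved by any slice are shared, round-robin, among slices whose demand exceeds
    their reservation. With shared_pool=False the unreserved RBs stay unused.
    """
    reserved = sum(s.dedicated_rbs for s in slices)
    if reserved > total_rbs:
        raise ValueError("dedicated RBs exceed cell capacity")
    alloc = {s.name: min(s.demand, s.dedicated_rbs) for s in slices}
    if not shared_pool:
        return alloc
    free = total_rbs - reserved
    remaining = {s.name: s.demand - alloc[s.name] for s in slices}
    while free > 0 and any(remaining.values()):
        for s in slices:
            if free > 0 and remaining[s.name] > 0:
                alloc[s.name] += 1
                remaining[s.name] -= 1
                free -= 1
    return alloc


def isolation_holds(total_rbs: int, slices: list, alloc: dict) -> bool:
    """Audit a schedule: every slice receives at least min(demand, reservation) and the
    cell is not oversubscribed. A violation means one slice consumed another's resources."""
    guaranteed = all(alloc[s.name] >= min(s.demand, s.dedicated_rbs) for s in slices)
    return guaranteed and sum(alloc.values()) <= total_rbs


if __name__ == "__main__":
    cell = [SliceDemand("eMBB", 60, 20), SliceDemand("V2X", 30, 200)]  # V2X is starved
    plan = schedule_tti(100, cell)
    print(plan, "isolation holds:", isolation_holds(100, cell, plan))
```

Even with V2X demanding 200 RBs it receives only its 30 reserved RBs plus the 10 unreserved ones; the 40 RBs eMBB reserved but did not use stay with eMBB.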

Page 14

Slice Isolation Issues in the Shared Telco Cloud

An industry vertical renting/operating a slice needs to trust the telco cloud provider (typically the mobile network operator):

• Correct assignment of NFV infrastructure resources

• Isolation against other slices

• No traffic interception or meta data collection by the telco cloud provider

Isolation between slices in the cloud by NFV mechanisms

➢ Relies on a secure telco cloud - security measures as discussed

➢ Option: Usage of vertical-owned infrastructure

➢ Investigated in 5G PPP project 5G NORMA (work in progress)

Option: Security isolation via over-the-top security

Page 15

A Fully Isolated Private 5G IoT Network Owned by a Vertical

[Figure: two separate networks. Vertical – Private 5G Network: 5G Radio – IoT, IoT Devices, IoT subscriptions, 5G network (Edge Cloud, Central Cloud), IoT-DN. Mobile Network Operator – Public 5G Network: 5G Radio - eMBB, eMBB Devices, eMBB subscriptions, Internet.]

Page 16

Public eMBB Service in a Private Network: MOCN-like Solution

[Figure: as on page 15, but the private network's radio is "5G Radio – IoT + eMBB" and serves both IoT Devices and eMBB Devices; the eMBB subscriptions remain in the Mobile Network Operator's public 5G network. Annotations: AS-key; MOCN support.]

AS: Access Stratum MOCN: Multi-Operator Core Network

Page 17

Public eMBB Service in a Private Network: Slicing Solution

[Figure: as on page 16 (Vertical – Private 5G Network with 5G Radio – IoT + eMBB serving IoT Devices and eMBB Devices, IoT subscriptions, IoT-DN; Mobile Network Operator – Public 5G Network with eMBB subscriptions and Internet). Annotations: Two RAN slices; PDCP (crypto-layer); AS-key.]

Page 18

Summary: Securing 5G Mobile Networks Built on Distributed Telco Clouds

In 5G, there is a substantial change in the network architecture:

• NFV and SDN support highly dynamic networking

• Network slicing supports multi-tenancy

Strong impact on the security architecture

• Securing the NFV infrastructure + the VNFs

• Transferring network security measures into the telco cloud – physical separation is much less likely than in 4G

We can secure 5G networks built on distributed telco clouds - but we must work for it!

Page 19

Backup

Page 20

Security for NFV-Based Products (Example Nokia)

[Figure: hierarchy of Nokia Networks product security and privacy documents:]

• Nokia Networks Product Security Policy

• Nokia Networks Product Privacy Policy

• Technical issues

• Nokia Networks Product Security Baseline

• Nokia Networks Product Privacy Baseline

• Secure Coding Guidelines

• Hardening Guideline

• Security Testing Guideline

• Crypto Guideline

• Virtualization Security Guideline

• Product Privacy Process Guideline
