7
Securing 5G Private Mobile Networks WHITE PAPER

Securing 5G Private Mobile Networks - Fortinet

  • Upload
    others

  • View
    15

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Securing 5G Private Mobile Networks - Fortinet

Securing 5G Private Mobile Networks

WHITE PAPER

Page 2: Securing 5G Private Mobile Networks - Fortinet

WHITE PAPER | Securing 5G Private Mobile Networks

2

Enterprises across many industries are looking to 5G technology and services as a key enabler for digital transformation and innovation.

Non-public mobile networks, aka private mobile networks, promise the benefits of 5G technology tailored for enterprise-specific needs, use cases, privacy, management, and control.

Research indicates that private mobile networks spending will experience continuous growth. ABI Research recently estimated that spending on 5G private and shared enterprise networks will surpass spending on public mobile networks in about 15 years.1

It is clear that private mobile networks are among 5G’s critical use cases and therefore need to become important offerings from mobile network operators (MNOs), especially as enterprises and industries move forward with digital innovation and Industry 4.0.

The legal and practical ability of enterprises to build their own 5G private networks, independently of public 5G infrastructure and services, is both a threat and an opportunity for MNOs:

n A threat of potential revenue loss and growth slowdown if lacking a comprehensive private 5G network offering.

n An opportunity to create real 5G competitive differentiation alongside a revenue and growth engine with a complete, private 5G network offering and ecosystem to support it.

As private mobile networks are built, they will fuel new use cases, drive innovation and efficiency, and become one of the major connectivity technologies for Industry 4.0. Cybersecurity must be top of mind for both enterprises and MNOs to ensure the availability, continuity, privacy, and integrity of the network, its services, its applications, its data, and its ecosystem partners.

Private Mobile Architectures and Cybersecurity 5G private networks can be implemented under two principal architecture families, each with a direct impact on cybersecurity risks, ownership, and solutions. MNO-independent and MNO-dependent architectures differ in their level of dependency in public 5G infrastructure, the physical location of their components, and possible ownership and management, as outlined in Diagram 1 below.

Diagram 1: 5G private network components and relationship to public 5G network resources.

Private Mobile Network Architecture Family

MNO Independent MNO Dependent

No Sharing Public 5G RAN Sharing

Public 5G RAN and Control Plane Sharing

Public 5G Full Sharing (End-to-End Slicing)

Component

Radio Access Network (RAN)

Control Plane (CP)

Data Plane (UPF)

Multi-access Edge Compute (MEC)

Private 5G network component physically isolated from public 5G network Private 5G network component logically isolated from public 5G network

The level of dependency on public 5G network resources has a considerable impact, both for an enterprise and MNO, on factors such as complexity, agility, and control. However, these impacts may be different for enterprises and MNOs and have a role to play in the choice of the appropriate private network architecture to be implemented, in addition to the deployment’s specific use-case requirements.

Page 3: Securing 5G Private Mobile Networks - Fortinet

WHITE PAPER | Securing 5G Private Mobile Networks

3

5G Private Networks’ Cybersecurity Risk and Solutions There are multiple architectures for deploying private mobile networks, which vary based on the enterprise/industry requirements and use cases, along with spectrum regulations and allocation per country. Each architecture introduces cybersecurity risks that must be minimized by the MNO or the enterprise, or by both.

Regardless of the architecture, ensuring the security of a 5G private mobile network should be considered critical for both the enterprise and the MNO. The below table summarizes Fortinet security solutions for private 5G mobile networks—including security objectives and main services. Fortinet solutions deliver protection and service integrity, privacy, availability, and continuity in the face of possible cyberattacks and risks.

Diagram 2: Major private networks architectural considerations beyond use-case requirements.

Security Platform

Form Factor

Objective Security Platform Services

FortiGate Physical (PNF)

Virtual (VNF)

Secure private RAN (gNB) to core communications

n gNB authentication

n gNB to core VPN termination

n User plane (GTP-U) deep inspection threat protection

n SCTP firewalling

n L4-L7 firewall for core protection

Protect against IoT signaling storms in the private network

n Tunnels and sessions rate limitation on N3 in conjunction to N4 monitoring

n Block unauthorized sessions on N3

n Block reconnection storms

Protect private network against PDN/internet-originated threats

n IPS and antivirus services

n L4-L7 firewall for PDN/internet threat protection

n URL filtering and application protocol

n Bot mitigation

Private network to PDN address connectivity

n IPv4 - IPv6 Network Address Translation

Page 4: Securing 5G Private Mobile Networks - Fortinet

WHITE PAPER | Securing 5G Private Mobile Networks

4

As depicted in Diagram 1, a fully MNO-independent and secured private network will self-contain all the required RAN, control plane, data plane, and MEC components at the enterprise premises. The 5G spectrum used can be licensed/unlicensed or use the MNO’s licensed 5G spectrum in cases that the private network is built and operated/managed by the operator.

Based on the private network services and implemented use cases, connectivity to packet data networks and the internet for enterprise data center, partners and contractor systems/applications, public cloud connectivity, lawful interception, and other interworking may be required.

MNO-independent Private Mobile Network ArchitectureIn this option, there are no relationships whatsoever between the private and the public 5G networks. Such a deployment can be built and managed by the enterprise, the MNO, a mobile technology vendor, or a combination of each. However, the complexity and potential lack of technical know-how will exclude, in most cases, implementation by the enterprise itself.

Diagram 3: MNO-independent and secured 5G private network architecture.

Security Platform

Form Factor

Objective Security Platform Services

FortiWeb Physical (PNF)Virtual (VNF)Container (CNF)

Secure against MEC application-level threats and attacks

n OWASP Top 10 application attacks mitigationn Known threat and zero-day attack protectionn Bot mitigationn ML for false positives minimizationn Protocol validation

Private network API protection against: API attacks, misbehaviour, misconfigurationProtect private network signaling plane API exposure to external application functions (AF)

n Native support for HTTP/2n OpenAPI 3.0 verificationn JSON protocol conformance, limits, and schema validationn XML protocol conformance, limits, schema validation, external entities, SOAPn WebSocket support: signature enforcement on WebSocket connections, frame and message limits, extensions disablementn API Gateway: API key management, access rate limits and control

Table 1: Fortinet security platforms and services for 5G private networks.

Page 5: Securing 5G Private Mobile Networks - Fortinet

WHITE PAPER | Securing 5G Private Mobile Networks

5

In a Fortinet solution, security is implemented on-premises via FortiGate and FortiWeb to safeguard:

n Private RAN-to-core isolation and possible attack mitigation. Although in this architecture all the private network components are completely isolated for the public 5G network, an infected UE or an internal threat must be accounted for as possible risks. (In some countries, the law dictates that even a private 5G RAN must provide access to the public 5G network. Although not depicted in this architecture, this situation would require private to public 5G network connectivity, and demands complete security isolation between private and public RAN-to-core virtual private networks [VPNs] for both control and user planes.)

n Security against UE/IoT-originated threats, such as signaling storms, infected/malfunctioning devices, and Internet-of-Things (IoT) bot protection.

n When external public data network (PDN) connectivity is required, next-generation firewall (NGFW) services are enforced to protect against known and unknown PDN/internet-originated threats.

n Application-level protection is provided for IoT and application ecosystem in the private network MEC and elsewhere.

n API security is provided for the MEC and external application programming interface (API)-based applications and third-party integration

Security can be implemented and managed by the enterprise itself, a partner, or by the MNO as part of a private mobile network delivered as a managed service.

MNO-dependent Private Mobile Network ArchitecturesIn this family, architectures differ based on the amount of public 5G resources required, as previously outlined in Diagram 1. These architectures are most likely to be deployed by the operator and co-managed with the customer. The following describes some of the possible architectures within this category.

RAN sharing private mobile network architecture

In this architecture, RAN (gNBs located within the enterprise premise) is shared between the private and public 5G networks via the implementation of slicing at the RAN. This includes:

n Private slice, where all the private network UE/IoT devices’ control and data plane traffic remains within the private network and is served by the private network’s components

n Public slice, where the public network UE/IoT devices’ control and data plane traffic leaves the enterprise premise and is served by the MNO’s public 5G network

As in all architectures, external PDN connectivity to the private network and MEC is likely to be required.

Diagram 4: RAN sharing 5G private network architecture.

Page 6: Securing 5G Private Mobile Networks - Fortinet

WHITE PAPER | Securing 5G Private Mobile Networks

6

On top of the security implementation described in the MNO-independent architecture, special attention must be given to the isolation and deep packet inspection of the private and public control and data plane VPNs so as to safeguard against attacks on the private networks originating from the public RAN slice, and to avoid possible data leaks.

In Fortinet solutions, the FortiGate and FortiWeb are deployed at the enterprise premises and provide the required security visibility and control as outlined in Table 1.

RAN and control plane sharing architecture

In this architecture, RAN (at the enterprise premise) and control plane are delivered via the MNO’s public network and logically separated from the public RAN and control plane via a dedicated private slice. This enables the enterprise’s data to be maintained within the enterprise and isolated from the public MNO network.

There is a need to secure the control plane functions’ interaction with the private network components such as the UPF and any external application function (AF). This is achieved by the MNO’s deployment of the FortiGate platform in its core cloud as shown in Diagram 5 below. The multitenancy support of the FortiGate allows for the implementation of RAN to core security for multiple private RAN and control plane slices with a single FortiGate VNF/PNF.

It is worth noting that because the control plane functions’ are performed in the public network, they may expose some of the enterprise sensitive data, such as UE/IoT device information, which is stored in the MNO’s public network core (in the UDM). Therefore, control and confidentiality must be ensured by the MNO in this architecture.

Data plane function and MEC are on enterprise premise enabling use cases and applications requiring ultralow latency.

End-to-end slicing private mobile network architecture

In this architecture, the enterprise’s private mobile network is a logical one provided by the means of an end-to-end network slice (or multiple slices) on top of the public 5G infrastructure. Only the gNB is deployed at the enterprise premise to serve local UE/IoT devices. MEC and UPF are provided as close as possible to the enterprise, and even within the enterprise, to enable low-latency applications and use cases.

Diagram 5: RAN and control plane sharing 5G private network architecture.

Page 7: Securing 5G Private Mobile Networks - Fortinet

WHITE PAPER | Securing 5G Private Mobile Networks

Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

www.fortinet.com

June 28, 2021 9:12 AM

771877-A-0-EN

Diagram 6: 5G private network architecture with end-to-end slicing.

1 ABI Research, 2020.

As the 5G private network is logically delivered on top of a publicly shared 5G network, control and data planes and any API interworking with MEC-based/external AFs should be visible and secured. (In Fortinet solutions, this is handled via FortiGate and FortiWeb.) This is critical to ensure the private network security and the security of the shared public 5G network. From a security perspective, this architecture can be considered as a “mirror image” to the MNO-independent architecture—with the MNO having the highest responsibility to secure its private 5G mobile network offering.

SummaryPrivate 5G networks are a clear early use case for 5G, but their growth will be hampered without the right security. To gain market share and revenue, MNOs must provide a set of flexible and secure architectures and services to meet different industries’ demand for private 5G.

With a common set of security solutions applicable to a wide range of architectures and use cases, Fortinet solutions enable MNOs to meet the security requirements that are key to enterprises—either as part of a 5G private network offering or on top as a set of managed security services.


Deployment Guide: Securing the Public Cloud with Fortinet · Securing the Public Cloud with Fortinet Introduction Fast deployment, reduced costs, and efficient use of resources; these

Deployment Guide: Securing the Public Cloud with Fortinet · Securing the Public Cloud with Fortinet Introduction Fast deployment, reduced costs, and efficient use of resources; these

Documents
Fortinet Maintenance Renewal and Purchase New Fortinet ......Fortinet Maintenance Renewal and Purchase New Fortinet Products IFB # MDM0031039332 4 SECTION 1 — BACKGROUND 1.1 Background

Fortinet Maintenance Renewal and Purchase New Fortinet ......Fortinet Maintenance Renewal and Purchase New Fortinet Products IFB # MDM0031039332 4 SECTION 1 — BACKGROUND 1.1 Background

Documents
Fortinet Guide

Fortinet Guide

Documents
Examen Fortinet

Examen Fortinet

Documents
Securing 5G Through Cyber-Telecom Identity Federation

Securing 5G Through Cyber-Telecom Identity Federation

Documents
Sb securing-industrial-control-systems-with-fortinet

Sb securing-industrial-control-systems-with-fortinet

Engineering
Apresentação fortinet

Apresentação fortinet

Technology
Fortinet Product Life Cycle Information - ERC · Fortinet Product Life Cycle Information Fortinet suggests that customers familiarize themselves with the Fortinet Product Life Cycle

Fortinet Product Life Cycle Information - ERC · Fortinet Product Life Cycle Information Fortinet suggests that customers familiarize themselves with the Fortinet Product Life Cycle

Documents
Fortinet Extends Advanced Security for Alibaba Cloud€¦ · The Security Fabric offers deep, multilayer protection and operational benefits for securing web applications over Alibaba

Fortinet Extends Advanced Security for Alibaba Cloud€¦ · The Security Fabric offers deep, multilayer protection and operational benefits for securing web applications over Alibaba

Documents
5G Security Survey - Fortinet · 5G Security Use Case Priorities: Trial vs. Commercial Launch Before commercial deployments began, 5G security pilot tr ial activity focused on two

5G Security Survey - Fortinet · 5G Security Use Case Priorities: Trial vs. Commercial Launch Before commercial deployments began, 5G security pilot tr ial activity focused on two

Documents
Fortinet and Vyatta · PDF file2 deployment guide: fortinet and vyatta fortinet security and centrify overview

Fortinet and Vyatta · PDF file2 deployment guide: fortinet and vyatta fortinet security and centrify overview

Documents
Securing 5G Mobile Networks Built on Distributed Telco · PDF fileSecuring 5G Mobile Networks Built on Distributed Telco Clouds ... for individual applications ... Securing 5G Mobile

Securing 5G Mobile Networks Built on Distributed Telco · PDF fileSecuring 5G Mobile Networks Built on Distributed Telco Clouds ... for individual applications ... Securing 5G Mobile

Documents
KT 5G IT Edge Cloudeventcheckin.co.kr/fortinet/361security2019/images/T2_04.pdf · 2019-10-21 · 2 5G IT Edge Cloud 3 5G IT Edge Cloud : Use-cases 4 5G IT Edge Cloud : 3 Strengths

KT 5G IT Edge Cloudeventcheckin.co.kr/fortinet/361security2019/images/T2_04.pdf · 2019-10-21 · 2 5G IT Edge Cloud 3 5G IT Edge Cloud : Use-cases 4 5G IT Edge Cloud : 3 Strengths

Documents
1 Fortinet Confidential September 5, 2015 Fortinet An Introduction

1 Fortinet Confidential September 5, 2015 Fortinet An Introduction

Documents
Securing 4G 5G and Beyond - fortinet.com...3 WHITE PAPER: SECURING 4G, 5G AND BEYOND SECURING THE INVISIBLE NETWORK The advent of 5G will extend ‘digital connectedness’ to almost

Securing 4G 5G and Beyond - fortinet.com...3 WHITE PAPER: SECURING 4G, 5G AND BEYOND SECURING THE INVISIBLE NETWORK The advent of 5G will extend ‘digital connectedness’ to almost

Documents
Securing OT in the Face of IIoT and 5G

Securing OT in the Face of IIoT and 5G

Documents
Fortinet Exam

Fortinet Exam

Documents
First Principles White paper for Securing 5G · 5G’s expansion of the attack surface, the distinctly new architecture and capabilities of 5G networks give operators opportunities

First Principles White paper for Securing 5G · 5G’s expansion of the attack surface, the distinctly new architecture and capabilities of 5G networks give operators opportunities

Documents
Fortinet Messages.pdf

Fortinet Messages.pdf

Documents
Fortinet FortiGate 100D - MicroAge · Fortinet FortiCare support offerings provide comprehensive global support for all Fortinet products and services. You can rest assured your Fortinet

Fortinet FortiGate 100D - MicroAge · Fortinet FortiCare support offerings provide comprehensive global support for all Fortinet products and services. You can rest assured your Fortinet

Documents
Securing 5G and Evolving Architectures

Securing 5G and Evolving Architectures

Documents
Fortinet broch

Fortinet broch

Technology
1 © Copyright 2013 Fortinet Inc. All rights reserved. Fortinet @ Data Connectors Securing the Elastic Data Centre Rafi Wanounou – Systems Engineering Manager

1 © Copyright 2013 Fortinet Inc. All rights reserved. Fortinet @ Data Connectors Securing the Elastic Data Centre Rafi Wanounou – Systems Engineering Manager

Documents
An analysis of the security needs of the 5G marketsimalliance.org/wp-content/uploads/2016/02/SIMalliance_5GWhite... · An analysis of the security needs of the 5G market Securing

An analysis of the security needs of the 5G marketsimalliance.org/wp-content/uploads/2016/02/SIMalliance_5GWhite... · An analysis of the security needs of the 5G market Securing

Documents
Securing Future Internet and 5G using Customer Edge ...isyou.info/jowua/papers/jowua-v11n3-5.pdf · Keywords: Customer Edge Switching, CES, DNSCrypt, DNSSEC, 5G, Future Internet 1

Securing Future Internet and 5G using Customer Edge ...isyou.info/jowua/papers/jowua-v11n3-5.pdf · Keywords: Customer Edge Switching, CES, DNSCrypt, DNSSEC, 5G, Future Internet 1

Documents
Securing the IoT Ecosystem - Fortinet

Securing the IoT Ecosystem - Fortinet

Documents
Fortinet FCNSP

Fortinet FCNSP

Documents
Fortinet presentacion

Fortinet presentacion

Documents
Securing your IOT - PIKOMpikom.org.my/2014/Alvin_Fortinet.pdfThe Fortinet Network Security Expert (NSE) is a new, 8-level certification program designed for technical professionals

Securing your IOT - PIKOMpikom.org.my/2014/Alvin_Fortinet.pdfThe Fortinet Network Security Expert (NSE) is a new, 8-level certification program designed for technical professionals

Documents
Kania Securing Our 5G Future - s3.us-east-1.amazonaws.com

Kania Securing Our 5G Future - s3.us-east-1.amazonaws.com

Documents