1 © Nokia Solutions and Networks 2017 Public
Building Secure 5G Networks on Distributed Telco Clouds
2017-03-13
Peter Schneider, Nokia Bell Labs NAACS Security
Agenda
• Mobile network security – example LTE
• 5G security: requirements, vision
• From 4G to 5G mobile networks:
  • Network architecture change
  • Impact on the security architecture
• NFV/SDN/5G-security research activities and results
• Network slicing security
• Summary and conclusion
Abbreviations at the end
A 4G Mobile Network (LTE)
[Diagram: a Radio Access Network of cells served by eNBs, connected to the Core Network with Serving Gateway, PDN Gateway, MME, HSS, PCRF and SEG; a firewall towards the Internet; IMS application servers.]
eNB Evolved Node B, HSS Home Subscriber Server, IMS IP Multimedia Subsystem, MME Mobility Management Entity, PCRF Policy and Charging Rules Function, PDN Packet Data Network, SEG Security Gateway
4G Security as Specified by 3GPP
[Diagram: the long-term key K is held in the USIM of the UE and in the HSS/AuC. Authentication and Key Agreement yields KASME in the UE and in the MME; from it, KeNB is derived in the UE and the eNB for access stratum security (at the PDCP layer, alongside RRC, RLC, MAC and PHY). Further labels: non access stratum signaling security (UE–MME), backhaul link security (eNB–SEG), core interface security, user identity privacy, secure environment, crypto algorithms, VoLTE/IMS security; Serving Gateway, PDN Gateway, PCRF, IMS/application servers, Internet.]
More security aspects: Mobility (key separation in handovers), Home eNB, Relay Node, non-3GPP access, dual connectivity (LTE, LTE/WiFi), proximity services (incl. device-to-device communication), security assurance methods, …
AuC Authentication Center, K Key, PDCP Packet Data Convergence Protocol, USIM Universal Subscriber Identity Module
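The key hierarchy sketched on this slide (K in USIM and AuC, KASME after AKA, KeNB for the access stratum) and the "key separation in handovers" aspect can be made concrete with a small derivation walk-through. The following Python is an added example, not part of the presentation or of any Nokia product; it follows the KDF structure of 3GPP TS 33.401 Annex A (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), while all key material, the serving network id and the cell identifiers are constructed sample values. The AKA run itself (Milenage on K inside USIM and AuC, producing CK and IK) is not modeled.

```python
import hashlib
import hmac

# Derivation structure as in 3GPP TS 33.401 Annex A (KDF from TS 33.220
# Annex B): HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ..., each Li
# being the two-octet length of Pi. The FC values below are those of that
# annex; all sample inputs in this file are constructed, not real keys.

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP key derivation function with a 256-bit output."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME from the AKA session keys CK||IK, bound to the serving network
    identity (3 octets) and SQN xor AK (6 octets). FC = 0x10."""
    assert len(sn_id) == 3 and len(sqn_xor_ak) == 6
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)

def derive_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    """KeNB from KASME and the uplink NAS COUNT (4 octets). FC = 0x11."""
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))

def derive_kenb_star(key: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* for a handover, bound to the target cell's PCI and EARFCN-DL
    (2 octets each here). key is the current KeNB (horizontal derivation)
    or a fresh NH (vertical derivation). FC = 0x13."""
    return kdf(key, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))

# Algorithm type distinguishers (TS 33.401 Table A.7-1).
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 0x01, 0x02, 0x03, 0x04, 0x05

def derive_algorithm_key(key: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit ciphering/integrity key for one algorithm: FC = 0x15; the
    128 least significant bits of the KDF output are used."""
    return kdf(key, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]

def handover_key_separation(kasme: bytes, ul_nas_count: int,
                            source_cell: tuple, target_cell: tuple) -> dict:
    """Walk the hierarchy for one UE and expose the separation property: the
    target cell receives a KeNB* that differs from the source KeNB and, since
    HMAC is one-way, cannot be inverted to KASME. A compromised eNB therefore
    reveals neither the NAS keys nor the keys of other cells."""
    kenb_source = derive_kenb(kasme, ul_nas_count)
    kenb_target = derive_kenb_star(kenb_source, *target_cell)
    kenb_same_cell = derive_kenb_star(kenb_source, *source_cell)
    return {
        "nas_enc": derive_algorithm_key(kasme, NAS_ENC, 0x02),        # e.g. EEA2
        "rrc_int_source": derive_algorithm_key(kenb_source, RRC_INT, 0x02),
        "rrc_int_target": derive_algorithm_key(kenb_target, RRC_INT, 0x02),
        "kenb_source": kenb_source,
        "kenb_target": kenb_target,
        "keys_differ": len({kenb_source, kenb_target, kenb_same_cell}) == 3,
    }

# Constructed sample material (not real subscriber keys or network ids).
SAMPLE_CK = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SAMPLE_SN_ID = bytes.fromhex("62f210")
SAMPLE_SQN_XOR_AK = bytes.fromhex("000102030405")

if __name__ == "__main__":
    kasme = derive_kasme(SAMPLE_CK, SAMPLE_IK, SAMPLE_SN_ID, SAMPLE_SQN_XOR_AK)
    result = handover_key_separation(kasme, 7, (101, 1800), (202, 1800))
    for name, value in result.items():
        print(f"{name}: {value.hex() if isinstance(value, bytes) else value}")
```

The binding of KASME to the serving network id is what stops a KASME obtained for one network from being replayed in another, and the NAS COUNT and target-cell parameters give the per-session and per-cell freshness that the "key separation in handovers" bullet refers to.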
Non-Standardized Network Security Measures
• Traffic separation (e.g. separate user/control/management traffic)
• Perimeter security (traffic filtering at all interconnection points to external networks or hosts)
• Traffic filtering between (internal) network zones
• Cryptographic traffic protection (in addition to 3GPP-specified crypto)
• Secure operation and maintenance (O&M)
• Secure operation of IP network services/protocols
• Reactive security (monitoring, analytics, attack/anomaly detection)
Network Element Security
• threat and risk analysis per network element
• network element security architecture
• secure coding
• hardening
• security testing
• security audit
• security vulnerability monitoring
• patching process
➢ Mostly done in a proprietary way, e.g. Nokia’s “DFSEC Process” (3GPP only specifies security requirements and “security assurance methods” for some network elements)
Specific 5G Security Requirements: Example NGMN Alliance
NGMN Next Generation Mobile Network
NGMN Alliance 5G Whitepaper, Version 1.0, 17-February-2015: “enhanced performance is expected to be provided along ... with the capability to, among others, ensure security and trust, identity, and privacy”
“Specific security design for use cases which require extremely low latency (including the latency of initiating communications)”
“Improve resilience and availability of the network against signalling based threats, including overload”
“Improve system robustness against smart jamming attacks”
“Improve security of 5G small cell nodes”
“provide better secrecy than 4G”
➢ Substantial security requirements!
5G Security Vision
[Diagram: “5G Security” in the centre, surrounded by the following elements:]
• Supreme built-in security
• Automation
• Flexible security mechanisms
• Increased robustness against cyber attacks
• Enhanced privacy
• Alternative identification and authentication procedures
• Holistic security orchestration and management
• Security assurance
• User plane encryption and integrity protection optional to use
• Optimize security mechanisms for individual applications
• Self-adaptive, intelligent security controls
A Mobile Core Network in the Telco Cloud
[Diagram: the core network elements (MME, Serving Gateway, PDN Gateway, HSS, PCRF, IMS servers, SEG, firewall) shown first as “boxes interconnected by cables”, then as VNFs running on NFV infrastructure in a telco cloud.]
A Mobile Network with Virtualized Core
[Diagram: cells with eNBs connected to a telco cloud hosting the core network, which connects to the Internet.]
A 5G Mobile Network with Virtualized Core and RAN
Implemented on distributed telco clouds
[Diagram: cells connected to an edge cloud and a central cloud, with connection to the Internet.]
A 5G Mobile Network with Virtualized Core and RAN
Implemented on distributed telco clouds with SDN based transport
[Diagram: as before, cells connected to an edge cloud and a central cloud, with connection to the Internet, now interconnected by SDN based transport.]
Elements of a 5G Security Architecture
[Diagram: the elements below placed over the distributed deployment of cells, edge cloud and central cloud.]
• Subscriber/device identifiers/credentials
• Hardware security modules
• Security negotiation, key hierarchy
• Enhanced control plane robustness
• Enhanced subscriber privacy
• Crypto algorithms
• Physical layer security, jamming protection
• Authentication/authorization, key agreement
• NFV/SDN security
• Network slicing security
• Security assurance for NFV environments
• Security management and orchestration
• Self-adaptive, intelligent security controls
Another Example: The SENDATE Project
• “Secure Networking for a DATa Center Cloud in Europe”
• Multinational project in Europe
• Funded by national agencies
Security is a focus topic and motivator!
Source: SENDATE Consortium
Example Activity: Security Management for Distributed Data Centers and Virtualized Environments
Source: SENDATE Consortium
5G PPP
• “The 5G PPP will deliver solutions, architectures, technologies and standards for the ubiquitous next generation communication infrastructures of the coming decade.” (from https://5g-ppp.eu/)
• 5G-ENSURE: ENablers for Network and System SecUrity and REsilience. A project dedicated to 5G security
• 5G NORMA: A NOvel Radio Multiservice adaptive network Architecture for the 5G era. Combining architecture and security work
[Figure slide; Source: 5G NORMA Consortium]
5G NORMA Security
5G NORMA feature / Related security:
• NFV environments for core and RAN functions / NFV security (for central and distributed NFV environments)
• Software Defined Mobile Network Control (SDMC) / SDN security, specialized for SDMC
• Mobile network multi-tenancy / Tenant isolation, network slicing security
• Multi-service awareness / Flexible security approach, e.g. choice of crypto-algorithms
• Adaptive allocation of functions, joint optimization of RAN and core / Flexible security approach, e.g. support for flexible allocation of security functions
Securing a Network Implemented in an NFV Environment
• Separation of VNFs provided by the virtualization layer (logical separation)
• Optional physical separation of VNFs – at a cost
• Traffic separation by dedicated virtual switches, VLANs and wide area VPNs
• Cryptographic protection of traffic and of data on storage
• Sound, robust implementations of the virtualization layer (e.g. hypervisor) and the overall cloud platform software, integrity (trust) assurance
• Sound, robust, security aware implementation of the VNFs
• Perimeter security and network internal traffic filtering by virtual firewalls
• Logically or even physically separated security zones
• Reactive security (monitoring, analytics, attack/anomaly detection)
• Secure operation and maintenance, secure operation of IP services (e.g. DNS)
Securing an SDN-based Network
[Diagram: an SDN controller hosting applications, a control network, SDN switches (some in a virtualized/cloud environment) and a firewall. Labels: secure SDN controller; sound authentication and authorization concepts; cryptographic protection (of the control network and of the application interfaces); robust implementation, overload control (for controller and switches); secure virtualized/cloud environment.]
Mobile Guard Interacting with De-composed Gateways
[Diagram: a virtualized/cloud environment hosts the gateway control applications (S-GW App, P-GW App), which exercise GW control over the user plane functions S-GW U and P-GW U. A probe in the IP service network feeds the Mobile Guard, which detects malware activity and isolates the infected terminal, steering it to a sanitizing server.]
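The slide shows the two steps of the Mobile Guard loop, detection from probe data and isolation through gateway control, only as a diagram. The Python below is an added example that is not part of the presentation or of any Nokia product; it models both steps on constructed flow records. The indicator list uses TEST-NET addresses, the scan threshold is an assumed policy value, and the rule format handed to the gateway control application is an assumption made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicator list for the demonstration (TEST-NET addresses, not
# real indicators); a deployed Mobile Guard would take this from threat
# intelligence feeds.
BLOCKLISTED_DESTINATIONS = {"198.51.100.23", "203.0.113.77"}
# Assumed policy threshold: distinct destinations per observation window
# that counts as scanning behaviour from one terminal.
SCAN_THRESHOLD = 20
SANITIZING_SERVER = "192.0.2.10"   # constructed address of the sanitizing server

@dataclass(frozen=True)
class Flow:
    """One flow record as exported by the probe in the IP service network."""
    ue_id: str      # terminal reference as known to the gateway (constructed)
    dst_ip: str
    dst_port: int
    packets: int

def detect_malware_activity(flows):
    """Detection step: return {ue_id: reason} for terminals whose traffic hits
    a blocklisted destination or looks like a host sweep."""
    destinations = defaultdict(set)
    flagged = {}
    for f in flows:
        if f.dst_ip in BLOCKLISTED_DESTINATIONS:
            flagged.setdefault(f.ue_id, f"traffic to blocklisted host {f.dst_ip}")
        destinations[f.ue_id].add((f.dst_ip, f.dst_port))
    for ue_id, dests in destinations.items():
        if ue_id not in flagged and len(dests) >= SCAN_THRESHOLD:
            flagged[ue_id] = f"scanning: {len(dests)} distinct destinations"
    return flagged

def isolation_rules(flagged):
    """GW control step: one rule per infected terminal that steers its user
    plane traffic at the S-GW U / P-GW U towards the sanitizing server.
    The rule format is assumed for this example."""
    return [
        {"ue_id": ue_id, "match": "all user-plane traffic",
         "action": "redirect", "next_hop": SANITIZING_SERVER, "reason": reason}
        for ue_id, reason in sorted(flagged.items())
    ]

def mobile_guard(flows):
    """Full loop: probe records in, gateway control rules out."""
    return isolation_rules(detect_malware_activity(flows))

# Constructed sample flows: ue-1 behaves normally, ue-2 repeatedly contacts a
# blocklisted host, ue-3 sweeps 25 hosts on one port.
SAMPLE_FLOWS = (
    [Flow("ue-1", "192.0.2.50", 443, 120), Flow("ue-1", "192.0.2.51", 443, 30)]
    + [Flow("ue-2", "198.51.100.23", 8080, 3)] * 4
    + [Flow("ue-3", f"192.0.2.{i}", 445, 1) for i in range(100, 125)]
)

if __name__ == "__main__":
    for rule in mobile_guard(SAMPLE_FLOWS):
        print(rule)
```

Keeping detection and enforcement as separate functions mirrors the decomposition on the slide: the probe and Mobile Guard only see traffic, while the gateway control application is the single place that changes forwarding for a terminal, which keeps the enforcement path auditable.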
SDN Security: Challenges versus Opportunities
Separation forwarding/control
  Challenge: increased attack surface (but good protection mechanisms exist)
  Opportunity: (basis for other opportunities)
Centralized control
  Challenge: successful attacks have huge impact
  Opportunity: unify security policies, adapt them automatically & consistently
Controllers in clouds
  Challenge: various threats, like attacks via hypervisor vulnerabilities
  Opportunity: use elasticity of resources to overcome DoS attacks
Agile and fine-granular control
  Challenge: increases complexity, is a source of errors, may be abused
  Opportunity: facilitates security solutions that need to execute such control
Network programmability
  Challenge: abuse of control functions, exploiting vulnerabilities, compromising controllers
  Opportunity: facilitates efficient deployment of security solutions running as applications on controllers
Starting Point for a Slicing Example: A Mobile Network with a Virtualized Core
[Diagram: cells connected to a telco cloud hosting the core, with connection to the Internet.]
A Mobile Network with Two Core Network Slices
[Diagram: Network/slice A and Network/slice B in the telco cloud, common parts, cells, Internet.]
Slices share a common RAN. Dedicated radio resources may be allocated for each slice.
Example: Several slices for mobile Internet access with differentiated QoE (gold/silver/bronze).
A Mobile Network with Two RAN/Core Network Slices
[Diagram: cells, edge cloud and central cloud, with connection to the Internet.]
Slices share a common RAN infrastructure plus some RAN functions.
Different slices for different use cases, e.g.
• Mobile Internet access
• Mission critical IoT
• Massive IoT
A Mobile Network with Two RAN/Core Network Slices, Separated Cells
Fixed radio interface resources per slice
[Diagram: separate groups of cells, edge cloud and central cloud, with connection to the Internet. Legend: Slice A – Industry Vertical X; Slice B – Industry Vertical Y; Common parts – Network Operator.]
End-to-end Network Slices - Multiple Networks in a Shared Infrastructure
Logical separation in the shared infrastructure, dedicated radio resources
[Diagram: cells, edge cloud and central cloud shared by the slices, with connection to the Internet.]
Slice Isolation Issues – Shared Telco Cloud Provider
Isolation in the cloud by NFV mechanisms
An industry vertical renting/operating a slice needs to trust the telco cloud provider (typically the mobile network operator):
• Correct assignment of NFV infrastructure resources
• Isolation against other slices
• No malicious traffic interception or meta data collection by the telco cloud provider
➢ Relies on a secure telco cloud - security measures as discussed
Slice Isolation Issues – Shared Transport Infrastructure
Isolation in the transport by VPNs created via SDN
Trust in a transport infrastructure provider is less critical:
• transport resource assignment easy to monitor
• security isolation via cryptographic traffic protection
➢ SDN security threats must be mitigated, as discussed
Other Slicing Security Aspects (1/2)
• individual security mechanisms per slice
• different security assurance levels per slice
• sensitive information maintained within a slice
• specific authentication procedures involving vertical and mobile network operator
• authorization to use a specific slice
Other Slicing Security Aspects (2/2)
• Specific attacks:
  - DoS attacks on “small” slices
  - Malicious message routing between different slices
  - Attacks on interfaces to common network parts (vertical / mobile network operator)
  - Attacks on management interfaces provided for verticals to manage their slices
  - Attacks via inter-slice interfaces
  - Attacks on slicing-specific procedures
    • Slice selection, slicing-specific authentication and authorization, slice management
➢ Mitigation by “traditional” means – with room for improvement
Summary: Building Secure 5G Networks on Distributed Telco Clouds
In 5G, there is a substantial change in the network architecture:
• NFV and SDN support highly dynamic networking
• Network slicing supports multi-tenancy
Strong impact on the security architecture:
• Securing the NFV infrastructure + the VNFs
• Transferring network security measures into the telco cloud – physical separation is much less applicable than in 4G
We can build secure 5G networks, but it isn’t a no-brainer
Some Abbreviations
3GPP 3rd Generation Partnership Project
AS Access Stratum
ASME Access Security Management Entity
AuC Authentication Centre
DNS Domain Name Service
eNB Evolved Node B
HSS Home Subscriber Server
IMS IP Multimedia Subsystem
IoT Internet of Things
IP Internet Protocol
K Key
LTE Long Term Evolution
MAC Medium Access Control
MME Mobility Management Entity
NAS Non Access Stratum
NFV Network Function Virtualization
PCRF Policy and Charging Rules Function
PDCP Packet Data Convergence Protocol
PDN Packet Data Network
PHY Physical Layer
RLC Radio Link Control
RRC Radio Resource Control
SEG Security Gateway
SDN Software Defined Networking
USIM Universal Subscriber Identity Module
VNF Virtual Network Function