1 © Nokia Solutions and Networks 2017 Public
Securing 5G Mobile Networks Built on Distributed Telco Clouds
2017-06-15
Peter Schneider, Nokia Bell Labs
Outline
• The goal: 5G security high level vision
• The baseline: Mobile network security today
• Virtualized, programmable, sliced mobile networks
• Elements of a 5G security architecture
- Secure SDN
- Secure NFV
- Secure Slicing
• Yes, we can!
This presentation uses results of work that has been carried out in the H2020-ICT-2014-2 Project 5G NORMA (https://5gnorma.5g-ppp.eu/)
5G Security Vision
Figure: "5G Security" at the centre, surrounded by these elements of the vision:
• Supreme built-in security
• Automation
• Flexible security mechanisms
• Increased robustness against cyber attacks
• Enhanced privacy
• Alternative identification and authentication procedures
• Holistic security orchestration and management
• Security assurance
• User plane encryption and integrity protection optional to use
• Optimize security mechanisms for individual applications
• Self-adaptive, intelligent security controls
Layers of Mobile Network Security as of Today
Figure: the LTE/EPC reference architecture (UE/USIM, eNB, MME, Serving Gateway, PDN Gateway, HSS/AuC, PCRF, IMS and application servers, Internet) with three layers of security measures drawn over it:
3GPP-specified security architecture
• Authentication and Key Agreement, based on the long-term key K held in the USIM and in the HSS/AuC; the derived KASME is shared between UE and MME, the derived KeNB between UE and eNB
• Non access stratum signaling security (UE to MME)
• Access stratum security (UE to eNB)
• User identity privacy
• Secure environment in the UE (USIM)
• Backhaul link security (eNB to core, terminated at the SEG) and core interface security
• VoLTE/IMS security
Non-standardized network security measures
• Outer perimeter firewall, demilitarized zone, inner perimeter firewall, inner network
Network element security measures
A Mobile Core Network in the Telco Cloud
Figure: the core network functions (MME, Serving Gateway, HSS, PDN Gateway, PCRF, IMS servers, SEG, firewall) shown twice: as "boxes interconnected by cables" and as VNFs running on NFV infrastructure in a telco cloud.
A 5G Mobile Network with Virtualized Core and RAN
Implemented on distributed telco clouds with SDN-based transport
Figure: cells connected to an edge cloud, the edge cloud to a central cloud, the central cloud to the Internet.
Elements of a 5G Security Architecture
Figure: the elements placed on the network picture (cells, edge cloud, central cloud):
• Subscriber/device identifiers/credentials
• Hardware security modules
• Security negotiation, key hierarchy
• Enhanced control plane robustness
• Enhanced subscriber privacy
• Crypto algorithms
• Physical layer security, jamming protection
• Authentication/authorization, key agreement
• NFV/SDN security
• Network slicing security
• Security assurance for NFV environments
• Security management and orchestration
• Self-adaptive, intelligent security controls
Securing an SDN-based Network
Figure: an SDN controller with its applications, a control network, and SDN switches (some behind a firewall), all inside a virtualized/cloud environment. Security measures annotated:
• Cryptographic protection of the control channel between controller and switches and of the interface between applications and controller
• Sound authentication and authorization concepts
• Secure SDN controller
• Robust implementation and overload control, in the controller as well as in the SDN switches
• Secure virtualized/cloud environment
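Two of the annotated measures, overload control and authorization, as an added example in plain Python that is not from the slides or from any SDN controller product. A per-switch token bucket on packet-in events keeps one flooding switch from starving the controller for the others, and a northbound policy check keeps an application from installing flows on switches or tables it was not granted. Switch names, application names, the policy and the event trace are constructed; the cryptographic protection of the control channel is not modelled.

```python
"""Added example (not from the original slides): overload control and
northbound authorization in an SDN controller, modelled without a real
OpenFlow stack. Switch/app names, policy and event trace are constructed."""

class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""
    def __init__(self, rate: float, burst: float, now: float = 0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class Controller:
    def __init__(self, app_policy: dict, rate: float = 10.0, burst: float = 20.0):
        self.policy = app_policy        # app -> {"switches": set, "tables": set}
        self.rate, self.burst = rate, burst
        self.buckets = {}               # switch id -> TokenBucket
        self.throttled = set()          # switches that exceeded their budget
        self.flows = {}                 # (switch, table) -> [(app, match)]

    def on_packet_in(self, switch: str, now: float) -> str:
        """Southbound: handle a packet-in only while the switch is within budget.
        A switch over budget is marked; a real controller would raise an alarm and
        push a rate-limit rule rather than keep decoding its packet-ins."""
        bucket = self.buckets.get(switch)
        if bucket is None:
            bucket = self.buckets[switch] = TokenBucket(self.rate, self.burst, now)
        if bucket.allow(now):
            return "processed"
        self.throttled.add(switch)
        return "dropped"

    def install_flow(self, app: str, switch: str, table: int, match: str) -> bool:
        """Northbound: enforce the per-application grant before touching a switch."""
        grant = self.policy.get(app)
        if grant is None or switch not in grant.get("switches", ()) \
                or table not in grant.get("tables", ()):
            return False
        self.flows.setdefault((switch, table), []).append((app, match))
        return True

def simulate_flood(ctrl: Controller) -> dict:
    """Constructed event trace: s1 sends 200 packet-ins within one second, s2 sends
    5 packet-ins spread over the same second. Returns per-switch counters."""
    events = [("s1", i / 200) for i in range(200)] + [("s2", i / 5) for i in range(5)]
    events.sort(key=lambda e: e[1])
    counts = {"s1": {"processed": 0, "dropped": 0}, "s2": {"processed": 0, "dropped": 0}}
    for switch, t in events:
        counts[switch][ctrl.on_packet_in(switch, t)] += 1
    return counts

# Constructed policy: which switches/tables each application may program.
SAMPLE_POLICY = {
    "lb_app":      {"switches": {"s1", "s2"}, "tables": {1}},
    "monitor_app": {"switches": {"s1"},       "tables": {0}},
}

if __name__ == "__main__":
    ctrl = Controller(SAMPLE_POLICY)
    print(simulate_flood(ctrl), "throttled:", sorted(ctrl.throttled))
    print(ctrl.install_flow("lb_app", "s1", 1, "tcp dst 80"))   # allowed
    print(ctrl.install_flow("monitor_app", "s2", 0, "ip"))     # wrong switch
```

With a budget of 20 burst plus 10 per second, s1 gets at most 30 of its 200 packet-ins through while s2's five are all served; the flood is contained per switch instead of taking the whole controller down.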
Securing a Network Implemented in an NFV Environment
• Separation of VNFs provided by the virtualization layer (logical separation)
• Optional physical separation of VNFs – at a cost
• Traffic separation by dedicated virtual switches, VLANs and wide area VPNs
• Sound, robust implementations of the virtualization layer (e.g. hypervisor) and the overall cloud platform software
• Sound, robust, security aware implementation of the VNFs
• Integrity (trust) assurance for both platform and VNFs
• Perimeter security and network internal traffic filtering by virtual firewalls
• Logically or even physically separated security zones
• Cryptographic protection of traffic and of data on storage
• Secure Operation & Maintenance
• Reactive security measures
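The "integrity (trust) assurance for both platform and VNFs" bullet, as an added example that is not from the slides or from Nokia's products. The platform side follows the TPM measured-boot pattern (each component's hash is extended into a register, PCR' = SHA-256(PCR || SHA-256(component)), and the result is compared against a golden value); the VNF side checks the image digest against the operator's catalogue before the VNF is placed. No TPM, quote signature or signed catalogue is involved; component blobs, image bytes and names are constructed.

```python
"""Added example (not from the original slides): platform attestation by
measured boot and VNF image admission, as an orchestrator could run them
before placing a VNF. Component blobs, image bytes and names are constructed."""
import hashlib
import hmac

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register only moves forward, and its final value
    depends on every measurement and on their order."""
    return sha256(pcr + measurement)

def measure_boot(components) -> bytes:
    """Fold a boot chain of (name, blob) pairs into one PCR value, starting from
    the all-zero register a TPM presents at reset."""
    pcr = bytes(32)
    for _name, blob in components:
        pcr = extend(pcr, sha256(blob))
    return pcr

# Constructed golden boot chain of a telco cloud host (stand-ins for real binaries).
GOLDEN_CHAIN = [
    ("firmware",       b"constructed firmware image v1"),
    ("hypervisor",     b"constructed hypervisor build 4711"),
    ("cloud-platform", b"constructed cloud platform agent 2.0"),
]
GOLDEN_PCR = measure_boot(GOLDEN_CHAIN)

# Constructed VNF catalogue: image name -> expected SHA-256 of the image file.
VNF_CATALOG = {
    "vmme-1.2.3": sha256(b"constructed vMME image bytes"),
    "vsgw-3.0.1": sha256(b"constructed vSGW image bytes"),
}

def attest_platform(reported_pcr: bytes, golden: bytes = GOLDEN_PCR) -> bool:
    return hmac.compare_digest(reported_pcr, golden)

def admit_vnf(name: str, image: bytes) -> bool:
    expected = VNF_CATALOG.get(name)
    return expected is not None and hmac.compare_digest(sha256(image), expected)

def placement_decision(host_chain, vnf_name: str, vnf_image: bytes) -> tuple:
    """Refuse an untrusted platform first, then an unknown or modified image."""
    if not attest_platform(measure_boot(host_chain)):
        return (False, "platform measurement does not match golden PCR")
    if not admit_vnf(vnf_name, vnf_image):
        return (False, "VNF image digest not in catalogue")
    return (True, "ok")

if __name__ == "__main__":
    good_image = b"constructed vMME image bytes"
    print(placement_decision(GOLDEN_CHAIN, "vmme-1.2.3", good_image))
    tampered = [(n, b + b" backdoor" if n == "hypervisor" else b) for n, b in GOLDEN_CHAIN]
    print(placement_decision(tampered, "vmme-1.2.3", good_image))
    print(placement_decision(GOLDEN_CHAIN, "vmme-1.2.3", good_image + b"\x00"))
```

Two properties of the extend chain matter for the platform side: a modified hypervisor changes every later register value, and swapping the order of two unchanged components changes it too, so a golden value pins both the content and the sequence of the boot chain. In a real deployment the reported PCR would come in a TPM quote signed by the host's attestation key, and the catalogue would be signed by the VNF vendor; both signature checks are omitted here.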
Slicing and Isolation
• Slicing a mobile network: creating partitions inside the mobile network
- Different flavors: core network slices, RAN slices, e2e slices
- Common infrastructure (NFV infrastructure, SDN-based transport)
- Tailored slices for specific services (eMBB, V2X, mIoT)
- Multiple slice instances to be rented by multiple verticals (?)
• Resource isolation
- Resources dedicated to one slice cannot be consumed by another slice.
• Security isolation
- Data/traffic cannot be intercepted/faked by entities of another slice.
• Isolation: Resource Isolation + Security Isolation.
➢ The crucial security aspect in network slicing!
A Mobile Network with Two Core Network Slices
Figure: one cell and its RAN (common parts) connected to a telco cloud hosting two core network slices, Slice A and Slice B, both reaching the Internet.
Slices share a common RAN
Scheduling Resource Blocks (RBs) on the radio interface: shown as a figure of RBs assigned to the two slices.
A Mobile Network with Two RAN/Core Network Slices
Figure: three cells connected to an edge cloud, the edge cloud to a central cloud, the central cloud to the Internet; both slices span RAN and core.
Slices share a common RAN infrastructure plus some RAN functions
A Mobile Network with Two RAN/Core Network Slices, Separated Cells
Fixed radio interface resources per slice
Figure: Slice A (eMBB) and Slice B (V2X) each with their own cells, sharing only the common parts (edge cloud, central cloud, Internet access).
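Resource isolation on the radio interface, as an added example that is not from the slides or from 5G NORMA. It serves both the shared-RAN slide (RB scheduling across two slices on one carrier) and this slide (fixed radio interface resources per slice): one TTI's resource blocks are scheduled once from a shared pool that follows demand, where a greedy or compromised slice squeezes the other, and once with a reserved quota per slice, where each slice gets at least min(demand, quota) whatever the other does. Slice names, quotas, demands and the 50-RB carrier are constructed sample values.

```python
"""Added example (not from the original slides): radio resource isolation
between slices, modelled as resource block (RB) scheduling for one TTI.
Slice names, quotas, demands and carrier size are constructed."""

def schedule_shared(demands: dict, total_rbs: int) -> dict:
    """Shared RAN without isolation: RBs are split in proportion to demand, so a
    slice that asks for more takes RBs away from every other slice."""
    wanted = sum(demands.values())
    if wanted <= total_rbs:
        return dict(demands)
    return {s: total_rbs * d // wanted for s, d in demands.items()}

def schedule_reserved(demands: dict, quotas: dict, total_rbs: int,
                      share_unused: bool = True) -> dict:
    """Fixed RBs per slice: a slice always gets min(demand, quota) whatever the
    others do. With share_unused, RBs a slice does not need in this TTI go to
    slices that still have demand (work-conserving, guarantee kept intact)."""
    if sum(quotas.values()) > total_rbs:
        raise ValueError("quotas oversubscribe the carrier")
    alloc = {s: min(demands.get(s, 0), quotas[s]) for s in quotas}
    if share_unused:
        spare = total_rbs - sum(alloc.values())
        for s in quotas:                       # constructed priority: dict order
            extra = min(spare, demands.get(s, 0) - alloc[s])
            alloc[s] += extra
            spare -= extra
    return alloc

def resource_isolated(alloc: dict, demands: dict, quotas: dict) -> bool:
    """Isolation check: did every slice receive what its reserved quota covers?"""
    return all(alloc[s] >= min(demands.get(s, 0), quotas[s]) for s in quotas)

SAMPLE_TOTAL = 50                              # RBs available in the TTI
SAMPLE_QUOTAS = {"eMBB": 40, "V2X": 10}        # reserved per slice (sums to 50)

def compare(embb_demand: int, v2x_demand: int = 10) -> dict:
    """Constructed scenario: V2X needs 10 RBs for its safety traffic; eMBB demand varies."""
    demands = {"eMBB": embb_demand, "V2X": v2x_demand}
    return {
        "shared":   schedule_shared(demands, SAMPLE_TOTAL),
        "reserved": schedule_reserved(demands, SAMPLE_QUOTAS, SAMPLE_TOTAL),
    }

if __name__ == "__main__":
    for embb in (10, 100, 1000):
        r = compare(embb)
        print(f"eMBB demand {embb:5d}: shared {r['shared']}  reserved {r['reserved']}")
```

With eMBB demanding 100 RBs the shared pool leaves V2X with 4 of the 10 it needs, and with 1000 it gets none; under the reserved scheme V2X receives its 10 in every case, which is exactly the "resources dedicated to one slice cannot be consumed by another slice" property of the isolation definition. The same reasoning carries over to the telco cloud: CPU, memory and virtual switch capacity per slice need hard reservations, not only best-effort sharing.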
Slice Isolation Issues in the Shared Telco Cloud
An industry vertical renting/operating a slice needs to trust the telco cloud provider (typically the mobile network operator):
• Correct assignment of NFV infrastructure resources
• Isolation against other slices
• No traffic interception or meta data collection by the telco cloud provider
Isolation between slices in the cloud by NFV mechanisms
➢ Relies on a secure telco cloud: security measures as discussed
➢ Option: Usage of vertical-owned infrastructure
➢ Investigated in 5G PPP project 5G NORMA (work in progress)
Option: Security isolation via over-the-top security
A Fully Isolated Private 5G IoT Network Owned by a Vertical
Figure: two separate networks. Vertical – Private 5G Network: 5G Radio – IoT, IoT devices, IoT subscriptions, a 5G network (edge cloud, central cloud) and the IoT data network (IoT-DN). Mobile Network Operator – Public 5G Network: 5G Radio – eMBB, eMBB devices, eMBB subscriptions, a 5G network (edge cloud, central cloud) and the Internet.
Public eMBB Service in a Private Network: MOCN-like Solution
Figure: the vertical's private radio (5G Radio – IoT + eMBB) now serves both the IoT devices and the eMBB devices. IoT subscriptions and the IoT-DN stay in the vertical's private 5G network; the eMBB subscriptions stay in the mobile network operator's public 5G network (with its own 5G Radio – eMBB, edge cloud, central cloud and Internet access), which the private radio reaches through MOCN support. The AS-key is marked at the private radio.
AS: Access Stratum, MOCN: Multi-Operator Core Network
Public eMBB Service in a Private Network: Slicing Solution
Figure: as on the previous slide, but the vertical's private radio (5G Radio – IoT + eMBB) is split into two RAN slices, one serving the IoT devices and IoT-DN, one serving the operator's eMBB devices and subscriptions; the AS-key and PDCP (crypto-layer) are marked at the RAN slices.
Summary: Securing 5G Mobile Networks Built on Distributed Telco Clouds
In 5G, there is a substantial change in the network architecture:
• NFV and SDN support highly dynamic networking
• Network slicing supports multi-tenancy
Strong impact on the security architecture:
• Securing the NFV infrastructure + the VNFs
• Transferring network security measures into the telco cloud: physical separation is much less likely than in 4G
We can secure 5G networks built on distributed telco clouds, but we must work for it!
Backup
Security for NFV-Based Products (Example Nokia)
Figure: the Nokia Networks product security and privacy document set:
• Nokia Networks Product Security Policy
• Nokia Networks Product Privacy Policy
• Nokia Networks Product Security Baseline
• Nokia Networks Product Privacy Baseline
• Technical issues: Secure Coding Guidelines, Hardening Guideline, Security Testing Guideline, Crypto Guideline, Virtualization Security Guideline
• Product Privacy Process Guideline