Wireless networks typically implement perimeter security (AKA north-south traffic security) by protecting the inside perimeter of a data center from external threats at the edge. Detecting and stopping security threats happens through network firewalls and intrusion prevention at the perimeter of telco properties like national data centers, regional data centers, hub sites, and cell sites. Prevention protections are like the lock and key analogy, where a key keeps intruders from entering your home. However, if the intrusion traffic makes it through, it can access any network function and data inside the data center.
5G enables many services beyond its predecessors' wireless networks, making it more vulnerable to cyber security threats. Below are a few examples that make a 5G network more vulnerable to security threats:
- 5G is expected to connect billions of IoT devices that bring many applications. Could those devices be hijacked and cause network Denial of Service (DoS) attacks?
- External players like gaming application functions, connected cars, and factory automation can interact with the 5G network using APIs. The result of the various application functions' interactions may request items such as policy, traffic detection rules, and traffic steering. Could some traffic be directed or intercepted by undesired entities if malicious players get in the way?
Let us consider a 5G security threat example. Imagine a phishing attack that obtains the credentials of a network staff or a network function and starts a severe security threat inside the 5G network to collect user profiles and other private details such as their location and mobility pattern. 5G needs to protect against these types of threats and limit the damage from any security threat.
5G network clouds must implement tight security. A zero-trust approach implementation using microsegmentation is applied in 5G. A zero-trust policy assumes no default trust of actors such as users, devices, or external or internal network entities. Microsegmentation enhances security within the perimeter, also known as east-west traffic.
What is Microsegmentation?
You leave your home for a while but forget to lock your door. An intruder can easily come into your home, roam around freely, and grab what they wish. However, can you add more protection to your valuables, like an excellent safe box with access only by your authorized family members? Can you monitor your home while away, detect intrusions, and get notified? Microsegmentation is about more refined and granular security that minimizes exposure to the network within the perimeter. Network resources, like a network function container or virtual machine, and user profiles are resources you must protect. Only authorized access to a specific resource is allowed, whether the request is initiated internally within the perimeter or from external sources. Let us consider another analogy. Using a badge enables employees to enter the office building. However, some rooms or sections inside the building require a different clearance to enter. Therefore, only staff authenticated and authorized through their badge can enter those rooms or sections of the building, while the rest are not allowed by their badge.
Why is Microsegmentation Security Important?
Data centers for 5G exchange a lot of control plane signaling and manage the user plane traffic, like accessing an enterprise network or the internet. Microsegmentation breaks a data center into distinct security segments down to a single workload to minimize the impact of security breaches on any network resource. Examples of a workload are a container and a virtual machine, like if a container that belongs to a 5G Access and Mobility Management Function (AMF) needs to communicate with another container that is part of the Session Management Function (SMF). The access from the AMF to the SMF must be authorized to a specific resource, such as a session management service, and all communication must be encrypted.
Microsegmentation applies the principle of least privilege access, which means that a workload like an SMF can only have access to the allowed UDM services or data like obtaining the session management profile of a subscriber but not the access and mobility subscriber profile from the UDM. The ultimate result, even if malicious traffic can pass through the security perimeter, its ability to access network workloads is either blocked or its damage is limited in scope. Therefore, even if an intrusion was successful, with microsegmentation, the scope of the intrusion is limited to the specific segment or resource.
Key Benefits of Microsegmentation in 5G
There are several important benefits to applying microsegmentation security principles in 5G. Let us discuss some key ones:
1. Limit any security breach only to the smallest part of the network. For example, suppose a network function like a User Plane Function (UPF) security is exposed. In that case, the malicious intrusion should be limited to the specific container, pod, or virtual machine of the UPF.
2. Prevention of lateral movement across the network functions in the data center. Prevention is accomplished by the tight security policies instrumented among the different 5G network functions. For example, suppose a network function like a User Plane Function (UPF) security is exposed. In that case, the malicious intrusion should not be able to cause a security threat to the Session Management Function (SMF).
3. Proactive threat detection as violations of unauthorized access are detected, monitored, and reported. For example, if non-authorized access to a service or data to a network function like a Unified Data Management (UDM) by a peer network function is performed, it should be blocked and reported. The granular security allows more effortless operation for the Security Operations Center (SOC) team to isolate the security incident to the specific application segment among the massive number of workload components running in the network.
4. Protect and prevent sensitive data from being exfiltrated. Examples of data theft and exfiltration are subscriber profiles at the UDM and location tracking of a subscriber at the Access and Mobility Management Function (AMF).
Ways to Implement Microsegmentation
Multiple methods for implementing microsegmentation and implementations might vary in terminology and approaches. Below are some common approaches:
- Network-based: A network infrastructure approach that utilizes the networking approaches such as subnets, VLAN segmentation, and Virtual Network Identifiers in VxLAN overlays.
- Agent-based: An approach that utilizes an agent on each host to isolate containers, virtual machines, and the host.
- Firewall-based: Using Next Generation Fire Wall (NGFW) to apply up to L7 firewall policy. NGFW combines the traditional firewall with additional functions such as Intrusion Prevention
System (IPS), website filtering, traffic inspection, and Deep Packet Inspection (DPI). One example is using technologies such as Scalable Group Tag (SGT) for workload tagging and applying access control based on these tags.
Conclusion
5G networks are expected to be fully virtualized and are on the path to implementing most container workloads. Therefore, increasing the number of software components in the telco clouds. 5G also allows for external application functions interactions for policy control of various types of applications that can affect their traffic filtering and Quality of Service (QoS). In addition, 5G is expected to have billions of IoT devices and solve various business use cases such as connected cars and factory automation. All the above are factors that add to the cyber-security threats to the 5G network.
Zero-trust authenticates and authorizes each access. Also, zero trust does not prevent inside attacks, such as legitimate users doing bad things. Therefore, we need network traffic security to implement firewall rules that protect network traffic based on segments. If the segments are too small, we have too many restrictions. If the segments are too big, there isn't much added value. Microsegmentation makes segments specific to an application's need for connectivity. In other words, microsegmentation enables limited access to network resources at a granular level (ex, a particular application), allowing proactive monitoring and detection of security violations and protecting sensitive data transfer to malicious players.