Threat detection and the mitigation of network vulnerabilities in an evolving 5G architecture is an essential factor of a modern 5G ecosystem. 5G network security is a fundamental concept that builds trust and enhances the relationship between a 5G Operator and its customers.
In mobile networks, with thousands of end-sites, there is a large attack surface, and the scale of physical security needed is quite considerable. Physical security is part of securing specific buildings, data centers, etc., while technical security is the protection and encryption of data channels over wireless, fiber, and copper media.
Security on fixed networks and services
The network security approach is different in both worlds. Fixed networks rely more on physical security, while mobile networks on technical security.
Historically, fixed networks rarely needed ciphering. They followed the sturdy sheet-metal-housing path. Later, they added tampering alerts, transponder keys, and call-on-site security staff. Direct comparison with technical security showed that physical security is more expensive.
Fixed network signaling is not like the complex mobile AS and NAS signaling. Furthermore, there is not much you can attack in a fixed access network, because it is basically a pipe.
Security on mobile networks
Radio transmission needs ciphering and cryptographic access control, so anyhow, the technical security mindset was there from the start. At the same time, BTS sheet-metal-housings are typically weak, cheap, and/or non-existing.
Authenticated radio access control and air ciphering require the transfer of keys via the backhaul. If these keys are not protected on the wire, one attack in a BTS location will provide material to commit fraud, attacks, and spy upon thousands of customers.
There is often the misconception that with mobile backhaul security only user data is protected. This is not the only reason. The main reason is that central NEs have to be protected from attacks originating in any of the many thousand base station locations. Once you have a scalable solution for that such as IPsec with integrity protection and base station authentication, you get the ciphering for free.
5G network security principles
IPsec is used mainly for authentication, integrity, confidentiality, and anti-spoofing.
It is possible to start by securing the VoIP and corporate APN traffic towards the RAN. There is a small risk with potential attacks on the core infrastructure associated with this, which can be mitigated by better security auditing the (SGW-U) core network element.
Internet traffic may not be extra protected, as the Internet is securing itself nowadays. For example, Google is using https by default, and the percentage of web pages loaded by Firefox using htpps has moved up to 80%.
With advanced security, the network will be able to authenticate which device is at the other end. Furthermore, it will be able to validate what is the “other end“ allowed to say or do via a firewall, ACL, or traffic filter.
The system should also be able to protect the integrity by ensuring that the messages from the “other end“ have not been faked or tampered with. Confidentiality via encryption methods is also crucial so that the messages cannot be read by third parties.
“Line” identification is important to learn the physical source of messages, regardless of its claimed source addresses, to locate problems.
The network may use the Line identification (anti-spoofing) to authorize messages correct source addresses so that other elements and firewalls can trust the address information for further operations.
Where is IPsec required
IPsec is required if a network element is placed at a site without sufficient physical security, such as a cell site.
IPsec is used in cases where the interface does not provide logical security itself such as LTE/5G S1-U, LTE/5G S1-C, and the management plane. Secure protocols based on TLS is questionable, but if any IPsec is provided, management plane shall be carried through the tunnel. IPsec is not required for interfaces like CPRI/eCPRI and F1.
5G Security methods
A multi-layer defense scheme can be adopted. Physical security to nodal sites can be enhanced via access cards and locked cabinets. IPsec will keep attackers out of the core network and protect CN and customer privacy, with network encryption, authentication, and gNodeB hardening. Access to the central system should be granted only with the proper key which protects the central elements. This way, an intruder without a key is limited to the gNodeB site and its uplink. User traffic will be protected against eavesdropping and fraudulent injection, while a common scalable solution should be used for all sites and all transport technologies on the network.
The security model should conform to 3GPP Mobile Network with a single trust zone. A pipe for user packets should be maintained by complex protocols, where network elements fully trust each other, user traffic is encapsulated, and user and server IP traffic may be untrusted but cannot exit the pipe.
5G network Security motivation
For 5G operators, the biggest motivation for network security is simply to protect their investment. Security for a subscriber is not the same as the Operator. The Operator cares a lot about the brand name and the company image. The subscribers care about their privacy and their voice and internet traffic to be protected. The Operator needs to find ways to secure customer privacy and find an enhanced security model to apply for all customers.
There are some alternatives for network security, such as enhancing the physical RAN site security, deploy intrusion alerts, and establish call-on-site security staff. However, these solutions will profoundly impact the overall Opex costs while they can only provide detection and reaction, but no prevention of security attacks.
The other alternative is just to bear the increased risk without additional countermeasures. However, one large-scale attack can damage the brand name of the company and result in unlimited revenue losses.
