5G core network, who will be responsible for your security
5G core network, who will be responsible for your security When a large number of terminals access the core network through the transmission network, who will ensure the security of the 5G core network (5GC)? As we all know, in the 5G era, we are greeted by a world where everything is interconnected. With the continuous development of the Internet of Things, more and more devices need to access the 5G network, but this also means that these devices will become potential targets for attack by criminals. Have you ever thought that in the age of the Internet of Things, viruses could infect cars in motion and smart home devices in use .... When a large number of terminals access the core network through the transmission network, who will ensure the security of the 5G core network (5GC)? 5GC Threat Analysis The above scenario may only be a microcosm of the security threat of 5GC. 5GC is based on a cloud-based architecture that decouples software and hardware through the introduction of virtualization technology and deploys virtualized network elements on a cloud-based infrastructure through NFV technology, eliminating the use of proprietary communication hardware platforms. As a result, the physical environment originally thought to be secure has become insecure. In the infrastructure layer (NFVI), in addition to the traditional physical security risks, virtualization security threats are worth noting, such as virus and Trojan horse attacks on virtualized cloud platforms, misuse of virtual resources, and malicious destruction of virtual machines and mirrors. In the network element function layer (VNFs), there are attacks such as illegal user access to the network, eavesdropping and tampering of communication data between network elements, and traffic fraud against roaming users. In the management and orchestration layer (MANO), there are security threats against the management plane, including illegal user access, malicious operations by internal personnel, privilege abuse attacks, and personal data privacy exposure. Since there are so many potential threats in 5GC, can't lawbreakers or hackers do whatever they want? 5GC Security Framework To address the above threats, we propose a 5GC security framework based on 5G security specification. This security framework looks quite complicated ah! Next, I will take you from the following five levels to explain the 5GC security framework. If the 5GC network is compared to the national highway network, the data in the network is compared to the passing vehicles. We can simply make a simple analogy between several aspects of the 5GC security architecture. (1) Access Security Access security is like the DMV's annual vehicle inspection, where only vehicles that meet the security requirements are allowed on the road. Similarly, when various user equipment (UE) accesses the 5G core network through the base station (NR), the 5G core network will perform access authentication and access control on the user equipment, and perform data encryption and integrity protection during the data transmission. In the 5GC system, the two-way authentication method ensures that the access device is connected to the real and secure 5G core network, eliminating access to "fake base stations", while authenticating the access device through UDM and AUSF. For 3GPP access and non-3GPP access, a unified access process and authentication method are adopted, and different authentication methods such as EPS-AKA, 5G-AKA and EAP-AKA are supported. 5G authentication process enhances the control of the attribution network and prevents possible fraud in the visiting network. (2) Network Security 5GC network achieves network security by dividing different network planes and transmitting different types of data. Data from one network plane will not be transferred to other network planes. This is similar to having highways and provincial roads between cities and BRT lanes within cities, which realize the value of classification management. (3) Management Security Managing safety is just like the function provided by the traffic management bureau: managing traffic and serving the mass of vehicles. Traffic police in different areas are responsible for traffic safety in their area. Similarly, the 5GC NF is managed and scheduled through MANO, which supports a decentralized and domain-specific safety management scenario. Power management: Different operation rights are provided for different levels of users to achieve the purpose of visible/invisible, manageable/unmanageable. In the system, rights are operation sets, and the system has default operation sets, including security manager, administrator, operator, monitor, and maintenance, and can also customize operation sets. Sub-domain management: Centralized control of node data or operation maintenance functions, according to the management domain, divided into multiple virtual management entities to achieve user management of different domains. The system supports the domain dimensions of geography (administrative area), business domain (vendor, profession, network element type), and resource pool (resource pool and tenants under the resource pool). (4) Capability Open Security 5GC supports network capability openness and opens network capability to third-party applications through capability open interfaces, so that third parties can design customized network services according to their own needs. Capability open security focuses on the security protection of the open interface and uses secure protocol specifications. When the third-party user devices access through the API, authentication is required. (5) Data Security The 5GC data security system is based on the data protection principles of data minimization, anonymization, encrypted transmission, and access control. Service-oriented architecture security As 5GC adopts a service-based architecture, the security risk brought by the new service-based architecture, 5GC security architecture adopts a complete service registration, discovery and authorization security mechanism to ensure service-based security. In the NF registration and discovery process, two-way authentication is adopted between NRF and NF. After successful authentication between NRF and NF, NRF determines whether NF is authorized to perform the registration and discovery process. In a non-roaming scenario, i.e., within the same PLMN, a Token-based authorization mechanism is used between NFs in the 5G core network control plane, and NF service visitors are required to authenticate before accessing the service API. In roaming scenarios, i.e., when authorizing NFs between different PLMNs, the vNRF in the place of visit and the hNRF in the place of attribution need to do two-way authentication. Virtualization Platform Security The virtualization platform provides the deployment, management and execution environment for all 5G core network NFs. To implement virtualization platform security, Hypervisor plays an important role. Hypervisor unifies the management of physical resources, ensuring that each virtual machine gets a relatively independent computing resource, and isolating physical and virtual resources. All I/O operations of a virtual machine are intercepted by the Hypervisor, and the Hypervisor ensures that a virtual machine can only access the physical disks assigned to that virtual machine, thus isolating the hard disks of different virtual machines. The Hypervisor is also responsible for scheduling the context switching of the vCPU, so that the virtual machine operating system and the application run on different instruction levels (Ring), ensuring the isolation between the operating system and the application. For users, the communication isolation between VMs is achieved by configuring different VDCs. By configuring security groups, end-users can control virtual machine interoperability and isolation relationships to enhance the security of virtual machines. Closing remarks Now, you know how the security of 5G core network is guaranteed. The 5GC security framework proposed by ZTE guarantees 5GC network security in terms of access security, network security, management security, data security, and capability open security, which greatly reduces security threats such as illegal access to user devices and communication data leakage between network elements. In addition, ZTE proposes MEC security architecture and solutions to secure the core network in the MEC scenario.