TelcoNews Asia - Telecommunications news for ICT decision-makers
Story image
Exploring end-to-end 5G security
Tue, 25th Oct 2022
FYI, this story is more than a year old

The rise of 5G has been well documented and highly anticipated over the last couple of years. However, for all the understandable excitement regarding next-generation cellular performance and low latency, many organisations are still questioning whether 5G - connecting all those people, places, and things - will also increase the attack surface of any network. If you have more network endpoints, you have more places for hackers to penetrate the network, right?  Well, the answer is, not necessarily.

What enterprises should know is that cellular-enabled Wireless WAN has been capable of enterprise-grade security at the network’s edge for years. With new developments at the network core level, there’s an argument that 5G is even more secure than other LAN and WAN solutions available today. 

From 4G to 5G: Security improvements at the network level

With each new cellular technology generation, there has been an opportunity to improve security. The 5G network core (the service provider’s network) has been accompanied by several key changes:

1. New authentication framework 

The 5G standard introduces a new authentication framework based upon a well-established and widely used IT protocol called extensible authentication protocol (EAP) that is open, network agnostic, and more secure. 

2. Enhanced subscriber privacy 

The 5G standard introduces privacy improvements against attacks that occur when a false base station pages the UE to tell it to come out of idle. In 5G, the International Mobile Subscriber Identity (IMSI) is not used in paging, the text exchanged is less, and the network performs analytics on the radio environment, detecting anomalous base stations. 

3. Improved core network agility and security 

The 5G network core moves to a Service-Based Architecture (SBA) that is delivered by a set of interconnected Network Functions (NFs), with authorisation to access each other's services. An SBA allows for plug-and-play software, agile programming, and network slicing, which streamline operations and enable faster innovation. 

4. Expanded roaming security 

The 5G standard introduces enhanced interconnect security between network operators, centered on a network function called Security Edge Protection Proxy (SEPP) that sits at the edge of each network operator's 5G network. Each operator's SEPP is authenticated, and application layer security protects traffic.

5. Advanced integrity protection of the user plane 

The 5G standard introduces a new feature that protects the user plane traffic between a device and cellular tower. This feature aims to mitigate sophisticated man-in-the-middle attacks that tamper with sensitive over-the-air user plane data that is unprotected.

Cellular broadband security at the network edge 

At the network edge, organisations should continue using the advanced network security tactics that they’ve been using to wired and 4G broadband networks. But now the following features are also available with 5G-related technologies.

Network slicing 

The speeds, low latency, and reliability of 5G can only be balanced if the components of the network are sharing the correct information with the appropriate Virtual Network Functions (VNFs). This is achieved via network slicing within the SBA. 

Similar to how cloud computing has shifted to containerisation and VNFs, the 5G core is shifting to this model and building microservices contained within security groups, or slices, that work to achieve the promises made for specific traffic based on its QoS markings (Single-Network Slice Selection Assistance Information, or S-NSSAI).  

Network slicing allows carriers to provide tailored network services for each enterprise’s unique needs, while enabling companies to select the right level of security for each use case. 

Private 5G networks 

IT/OT teams that have large areas requiring secure LAN-like connectivity can deploy their own Private Cellular Network (PCN). 

5G is the first cellular network specification to truly embrace virtualisation, providing significant cost savings for deploying otherwise expensive physical network cores. An organisation can control its own PCN by implementing localised micro towers and small cells — similar to access points. It’s like a scaled-down version of a public network, except you control security and QoS.

Trusted technologies for securing wired and wireless networking 

If network security professionals have not adopted new and adapting security protocols to protect their traditional wired network, now’s the time to implement these security architectures to secure both wired and wireless endpoints.

Zero Trust Network Access (ZTNA) 

Zero Trust Network Access (ZTNA) is an overall security concept  that assumes anyone attempting to access a network or application is a malicious actor who needs to constantly be verified.  ZTNA uses an adaptive verification policy on a per-session basis that can take into account the user’s identity, location, device, time and date of request, and previously observed usage patterns.  

ZTNA will be a key component of 5G security at the network’s edge, as the rapid and far-reaching expansion of IoT and other connected use cases will require enterprises to more strictly and remotely control authentication and identification of devices and the flow of data between them.

Secure Access Service Edge (SASE) 

With such a large percentage of data now headed to the cloud, most security services reside there, too. Secure Access Service Edge (SASE) is a cloud-delivered security model that combines network and security functions. In the SASE model, traffic is encrypted and directed to a cloud service where a highly sophisticated stack of security technologies are applied. 

With so many companies preparing to roll out 5G connectivity in widespread branch offices, stores, vehicles, and other scenarios, these enterprises can greatly improve their ability to safely scale fast by deploying cloud-manageable wireless edge routers and security layers in a cohesive manner. Wireless WAN and SASE fit perfectly at the distributed edge.

With the enhanced edge-to-core security capabilities of 5G as well as today’s edge-to-cloud security technologies such as SASE and ZTNA, enterprises can embrace 5G while significantly improving their end-to-end security posture.