FEATURE: NETWORK SECURITY
security stack at service provider scale with other functions most needed in mobile networks, including a firewall for all network peering points, deep packet inspection (DPI), carrier-grade network address translation (CGNAT) and IPv6 migration, integrated distributed denial of service (DDoS) threat protection, intelligent traffic steering and analytics.

Below is a blueprint of five of the key solutions required for a successful migration to 5G:
1. Gi-LAN Security – Gi/SGi Firewall
Significant threats to mobile subscribers and networks come through the Internet interface, the Gi/SGi. As traffic volume, device counts and cybercriminal expertise increase, so do these threats. An integrated Gi/SGi firewall protects infrastructure and subscribers and delivers the performance that mobile carriers require.

The Gi/SGi firewall solution meets both current and future traffic requirements for any service provider. This comprehensive and consolidated approach provides best-in-class performance, efficiency and scale to protect the mobile infrastructure while reducing OPEX and CAPEX. Service providers can also use a Gi/SGi firewall solution in a virtual form factor to gain a flexible, easy-to-deploy, on-demand, software-based deployment.
2. Mobile Roaming Security – GTP Firewall
The GTP protocol used in the roaming and other EPC interfaces has known vulnerabilities that can be readily exploited by malicious actors. Operators must meet the growing security challenges while also providing a seamless subscriber experience – wherever they travel, whatever devices they use, and whatever network is accessed. A GTP firewall provides extensive capabilities including stateful inspection, rate limiting, and filtering of traffic for protocol abnormalities, invalid messages, and other suspicious indicators. It protects against GTP protocol vulnerabilities such as fraudulent use, confidentiality breaches, DDoS attacks by malicious peers and other threats. A GTP firewall can be inserted into multiple interfaces carrying the GTP traffic. In the primary use case, it is inserted on S5-Gn and S8-Gp (roaming) interfaces.

"While the report shows 5G adoption is scaling rapidly, one of the main concerns from the report was surrounding cybersecurity."

The GTP firewall provides scalability and supports uninterrupted operations while protecting subscribers and the mobile core against GTP-based threats such as information leaks, malicious packet attacks, fraud and DDoS attacks through GTP interfaces in the access networks and GRX/IPX interconnect.
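As an added illustration, not code from the article or from any vendor's product, the following Python sketch shows the kind of header validation, message-type allowlisting and per-peer rate limiting a GTP firewall applies on a roaming (S8) interface. The header layout and message-type numbers follow 3GPP TS 29.274 (GTPv2-C); the allowlist, rate limits and packets are constructed assumptions for the example.

```python
import struct
from collections import defaultdict, deque

# GTPv2-C message types (3GPP TS 29.274) a roaming peer may legitimately send on S8:
# Echo Request/Response, Create/Modify/Delete Session and Modify Bearer exchanges.
# Assumed allowlist for this example; a real deployment tunes it per interface.
S8_ALLOWED_TYPES = {1, 2, 32, 33, 34, 35, 36, 37}

def parse_gtpv2c_header(pkt: bytes):
    """Return (header dict, None), or (None, reason) for a malformed GTPv2-C PDU."""
    if len(pkt) < 8:
        return None, "truncated header"
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 2:                       # version is the top 3 bits of octet 1
        return None, "not GTPv2"
    teid_flag = bool(flags & 0x08)            # T flag: TEID field present
    hdr_len = 12 if teid_flag else 8
    if len(pkt) < hdr_len:
        return None, "truncated header"
    if length != len(pkt) - 4:                # length excludes the first 4 octets
        return None, "length mismatch"
    teid = struct.unpack("!I", pkt[4:8])[0] if teid_flag else None
    seq_off = 8 if teid_flag else 4
    seq = int.from_bytes(pkt[seq_off:seq_off + 3], "big")
    return {"type": msg_type, "teid": teid, "seq": seq}, None

class GtpFirewall:
    """Hypothetical S8 filter: drop malformed/disallowed PDUs, rate-limit each peer."""
    def __init__(self, max_msgs: int, window_s: float):
        self.max_msgs, self.window_s = max_msgs, window_s
        self.history = defaultdict(deque)     # peer -> timestamps of accepted PDUs

    def inspect(self, peer: str, pkt: bytes, now: float):
        hdr, err = parse_gtpv2c_header(pkt)
        if err:
            return "drop", err
        if hdr["type"] not in S8_ALLOWED_TYPES:
            return "drop", f"message type {hdr['type']} not permitted on S8"
        if hdr["type"] in (1, 2) and hdr["teid"] is not None:
            return "drop", "echo message must not carry a TEID"   # protocol abnormality
        q = self.history[peer]
        while q and now - q[0] > self.window_s:   # slide the window forward
            q.popleft()
        if len(q) >= self.max_msgs:
            return "drop", "per-peer rate limit exceeded"
        q.append(now)
        return "accept", hdr

def build_gtpv2c(msg_type: int, teid, seq: int, body: bytes = b"") -> bytes:
    """Construct a minimal GTPv2-C PDU (constructed test input, no IEs)."""
    hdr = struct.pack("!BB", 0x48 if teid is not None else 0x40, msg_type)
    tail = (struct.pack("!I", teid) if teid is not None else b"") + seq.to_bytes(3, "big") + b"\x00"
    return hdr + struct.pack("!H", len(tail) + len(body)) + tail + body
```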
3. Network Slicing – Intelligent Traffic Steering

Network slicing will allow mobile operators to offer security and other capabilities tailored to each vertical application and to capture revenue from these diverse use cases, without losing the economies of scale of common infrastructure.

Network slicing isolates each use case or service from the others so that the services can be independently deployed, managed securely and delivered in a robust way. This solution identifies specific types of traffic by multiple criteria including radio access type, IP address, DNS address, device type, destination, subscriber ID and other parameters and then redirects these ‘slices’ of traffic to value-added service platforms, such as protection platforms for deeper threat analysis and scrubbing. This redirection can be based on either static policy or dynamic factors. This solution enables differentiated treatment of the developing 5G use cases, deepens the security posture and boosts revenue opportunity without adding unnecessary inspection load on the entire network.
4. Network-Wide DDoS Detection and Mitigation System

Mobile operators must maintain high network availability at all times. DDoS attacks target mobile networks and their subscribers with high-volume message floods that overwhelm infrastructure and can cause service degradation and network outages. Now, targeted attacks can also come from any network peering point and include both volumetric and lower-volume, sophisticated attacks against specific network elements or important applications of key enterprise customers. Over-provisioning network elements to meet rising threat volume, or simply blocking traffic during an attack, increases costs and can result in service denial for critical traffic.

Operators need a more cost-efficient and comprehensive approach that quickly detects and mitigates DDoS and infrastructure attacks across the entire mobile network without denying service to important traffic. Service providers can achieve full DDoS resilience and improve security by using a layered approach for detecting and mitigating attacks of all types and sizes before attackers take down their targets.
5. Secure, Efficient MEC

Multi-Access Edge Compute (MEC) architecture is often part of the 5G transition plan. In a MEC architecture, network traffic processing functions move from a centralised data centre or mobile core to a number of distribution points that are located closer to the user at the Edge.

A distributed architecture with thousands of nodes increases management difficulty and requires a high level of automation and analytics for deployment, management and
42 INTELLIGENTCIO www.intelligentcio.com