By Liia Sarjakoski, Senior Product Marketing Manager, 5G Security, Palo Alto Networks
Today, governments, organizations, and enterprises are eagerly embracing transformation at the edge of mobile networks. The mobile edge – with its distributed support for low latency, its ability to deliver massive amounts of data rapidly, and its scalable cloud-native architectures – enables mission-critical industrial and logistics applications and creates richer experiences in workplaces, distance learning, education, retail and entertainment. Bringing resources closer to the user delivers a better user experience, serves critical applications and leverages improved economics.
But the mobile edge, including multi-access edge computing (MEC), requires a new approach to cybersecurity. It is a new environment in which the network, applications and services are distributed not only geographically but also across organizational boundaries. The 5G infrastructure of service providers and corporate networks will be closely linked. Additionally, the mobile edge will be highly adaptive: it will evolve dynamically to meet new application demands and changing usage patterns.
Effective 5G edge security is best achieved through a platform approach that combines the protection of various mobile edge environments under one umbrella. A platform approach not only provides visibility for advanced network-wide threat detection, but it also provides the foundation for security automation. Automation is essential for security to keep up with the dynamically changing 5G environment.
We can think of 5G networks as including four types of edge environments. Effective edge security extends to all of them.
Regional data centers – protect the distributed core network with distributed security
Driven by the explosion of mobile data and the need for an improved customer experience, service providers are distributing core network functions – for example, the Session Management Function (SMF) and the Access and Mobility Management Function (AMF) – closer to users, into regional data centers. This lets service providers improve user traffic latency and optimize their transport architecture to reduce costs.
As network functions such as the SMF and AMF are brought to the edge of the network, they must also be secured there. Instead of providing protection in one to three national data centers, it must now be implemented in five to ten regional data centers. The main interfaces to be protected are N2 and N4. Unprotected N2 interfaces may be exposed to radio access network (RAN) based threats from gNodeB base stations (gNB). Unprotected N4 interfaces may be exposed to Packet Forwarding Control Protocol (PFCP) threats between a distributed User Plane Function (UPF) – for example, one located in an MEC environment – and the core network.
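As an added illustration of what N4 visibility can mean in practice (this is not code from the article or from Palo Alto Networks), the following Python sketch decodes the PFCP header of a UDP datagram and flags signaling that does not come from an expected SMF/UPF peer pair; the peer addresses and sample packets are constructed placeholders.

```python
# Added example (not from the original post): minimal PFCP (3GPP TS 29.244)
# header parser plus an N4 peer allowlist check. Addresses and packets used
# here are constructed placeholders, not values from the article.
import struct
from typing import Dict, List, Optional

PFCP_PORT = 8805  # UDP port used by PFCP on the N4 interface
MESSAGE_NAMES = {
    1: "Heartbeat Request", 2: "Heartbeat Response",
    5: "Association Setup Request", 6: "Association Setup Response",
    50: "Session Establishment Request", 52: "Session Modification Request",
    54: "Session Deletion Request",
}


def parse_pfcp_header(data: bytes) -> Dict[str, Optional[int]]:
    """Decode flags, message type, length, optional SEID and sequence number."""
    if len(data) < 8:
        raise ValueError("too short for a PFCP header")
    flags, msg_type, length = struct.unpack("!BBH", data[:4])
    version = flags >> 5          # version lives in the top three bits
    if version != 1:
        raise ValueError(f"unsupported PFCP version {version}")
    seid = None
    offset = 4
    if flags & 0x01:              # S flag: an 8-octet SEID follows the header
        if len(data) < 16:
            raise ValueError("S flag set but SEID missing")
        (seid,) = struct.unpack("!Q", data[4:12])
        offset = 12
    seq = int.from_bytes(data[offset:offset + 3], "big")  # 3-octet sequence number
    return {"type": msg_type, "length": length, "seid": seid, "seq": seq}


# Constructed allowlist of (SMF, UPF) address pairs permitted to exchange PFCP.
ALLOWED_N4_PEERS = {("10.1.0.10", "10.2.0.20")}


def check_n4_packet(src: str, dst: str, dport: int, payload: bytes) -> List[str]:
    """Return findings for one UDP datagram; an empty list means nothing suspicious."""
    if dport != PFCP_PORT:
        return []
    try:
        hdr = parse_pfcp_header(payload)
    except ValueError as exc:
        return [f"malformed PFCP from {src}: {exc}"]
    name = MESSAGE_NAMES.get(hdr["type"], f"type {hdr['type']}")
    if (src, dst) not in ALLOWED_N4_PEERS and (dst, src) not in ALLOWED_N4_PEERS:
        return [f"{name} from unexpected N4 peer {src} -> {dst}"]
    return []
```

A real deployment would also validate the SEID against known sessions and rate-limit heartbeats, but the peer check alone already surfaces PFCP signaling injected from outside the SMF/UPF pair.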
Additionally, SMF, AMF, and other network function workloads must be protected in this typically cloud-native container-based environment.
The key to protecting the regional data center environment is a cloud-native security platform that can automatically adapt to changing traffic or topology demands. At the same time, many threats are specific to telecom carriers and preventing them requires built-in support for telecom protocols.
Public MEC — supports user experience with cloud-native security
Public MEC is part of the public 5G network and generally serves consumer and IoT use cases. It integrates applications into the 5G network and brings them closer to the user. This improves the user experience while optimizing costs by deploying resources where they are needed. The public MEC is integrated with the service provider’s network through a distributed User Plane Function (UPF) that steers traffic directly to edge applications. Many service providers are partnering with cloud service providers (CSPs) to create these application environments, as CSP platforms have become the norm.
As third-party apps become part of 5G networks, protecting and monitoring app workloads and protecting UPF with microsegmentation helps stop any lateral movement of attacks.
Edge apps are also an integral part of the 5G user experience. Smoothly running apps — for example, video content, AR/VR and games — build customer loyalty for service providers.
Securing the public MEC requires a cloud-native, multi-cloud approach to cloud workloads and microsegmentation.
Private MEC – giving enterprises full control of 5G traffic
Private MEC is deployed at a customer company’s premises and is often configured with a private 5G or LTE network, serving critical enterprise applications. It uses a local UPF to distribute traffic from the user plane to the corporate network. The traffic is then routed to a low-latency edge application or deeper into the corporate network. A key driver of private MEC adoption is traffic privacy – a company has full control of its 5G traffic, which never leaves its environment.
Private MEC transports client company data. In today’s distributed world with eroding security perimeters, many enterprises rely on the Zero Trust approach to protect their users, applications, and infrastructure. A critical part of implementing a Zero Trust enterprise is the ability to enforce granular security policies and security services across all network segments, including 5G traffic. Service providers need to find ways to give enterprise customers full control over 5G traffic.
At the same time, the service provider must securely expose the customer premises interfaces to its core network, namely the N4 to SMF interface for PFCP signaling traffic originating from the private MEC.
Private MEC security requires a flexible approach that secures heterogeneous private MEC deployments across appliance, virtual, and cloud environments. Many companies will choose to leverage partners for turnkey private MEC solutions, and they will require built-in security. Additionally, cloud service providers are tackling the private MEC market, and the ability to provide cloud-native security will be essential.
Mobile devices — better protected with network-based security solutions
Accelerated by the rapid rise of IoT devices, the number of mobile devices is enormous. Devices are heterogeneous across a multitude of software and hardware platforms. The limited computing and battery capacity of these devices often forces device vendors to compromise on security capabilities, making mobile devices an easy target. Infected devices can compromise organizations’ critical business data and disrupt critical operations. They also pose a risk to the mobile network itself, especially in the event of massive and coordinated DDoS attacks from botnets.
The combination of limited device resources, heterogeneous device types, and tight platform control by device vendors makes it difficult to implement device-based security solutions at scale. Network-based security, on the other hand, is a very effective method for protecting mobile devices at scale. When supported by granular visibility into traffic flows at the user (SUPI) and device (PEI) level, network-based security can see and stop advanced threats in real time. Organizations are able to protect their mobile devices against attack vectors including vulnerability exploits, ransomware, malware, phishing and data theft.
Network-based security can be deployed as part of any edge environment or the service provider’s core network.
Staying on Top of Privacy in Distributed 5G Networks
Protecting private information is more important than ever. The handling of private information is heavily regulated and violations can lead to backlash from the public. As the mobile core network becomes more distributed, service providers must work harder to protect customer proprietary network information (CPNI) that is now often carried in signaling traffic (e.g., N4) between MEC sites and regional and national data centers. Service providers often use encryption to protect CPNI.
Securing the 5G edge requires a Zero Trust approach that can adapt to many different environments. The distributed 5G network no longer has a clear perimeter. The assets and workloads of service providers, enterprises, and CSPs are intertwined. Only through system-wide visibility and control can service providers and enterprises detect breaches and lateral movement and break the attack chain.
New mobile networks are complex, but securing them doesn’t have to be. The key to simple 5G edge security is a platform approach that manages the protection of major 5G interfaces under one umbrella, whether they are distributed across private and public clouds and data centers.
Learn more about Palo Alto Networks 5G-Native Security to protect 5G interfaces, user traffic, network function workloads and more. Our ML-powered NGFW for 5G provides deep visibility into all key 5G interfaces and can be deployed in data center (PA-series), virtual (VM-series), and container-based (CN-series) environments. Our Prisma Cloud Compute provides cloud-native protection for container-based network function (CNF) workloads.
About Liia Sarjakoski:
Liia is the Senior Product Marketing Manager, 5G Security, at Palo Alto Networks.