Network core advancement combined with edge models such as ZTNA and SASE push the security of 5G beyond that of 4G
You don’t have to look far to find a headline or advertisement touting the phrase “5G security.” Marketers know that security is important, 5G is sexy, and the two combined are edgy enough to stop the scrolling thumbs of businesses that are eager to better understand the security upsides of 5G.
Is 5G secure? Outlining the primary questions from enterprise businesses
As organizations continue researching and assessing where 5G might fit into their enterprise networking plans, they’re also asking key questions about security. For instance, they’re concerned about their enlarged attack surface resulting from rapidly increasing IoT. They’re also considering the impact of the increasing prevalence of wireless edge computing and virtualization.
Many of these challenges have been facing wired and wireless networks alike for several years. As a result, important security technologies and strategies have arisen, and enterprises should pay attention.
We’ll take a look at these edge strategies that will extend to 5G networking. But first, let’s explore security improvements that carriers are making in the wireless portion of the cellular network.
Understanding 5G security upgrades at the network level
With every generation of cellular, carriers have made significant improvements in security. 5G is no exception.
With 5G, the evolution of cellular technologies continues to usher in new levels of security led by collaboration between the 3GPP, ETSI, and IETF standards. The 3GPP working body for security, known as SA3, has put forward the following five categories of standards for all carriers to implement.
New authentication framework
The 5G standard introduces a new authentication framework based upon a well-established and widely used IT protocol called extensible authentication protocol (EAP) that is open, network-agnostic, and more secure. The framework advances security by ensuring that the originating network makes the final authentication decision and that all the authentication communication is encrypted, instead of using temporary identifiers. Further advancements include using additional information beyond the SIM card for identification and enabling secondary user plane authentication for web surfing and call delegation.
Enhanced subscriber privacy
In the 5G standard, the International Mobile Subscriber Identity (IMSI) information is not exchanged until after authentication. This helps prevent false base station attacks. The network performs analytics on the radio environment, detecting anomalous base stations.
Improved core network agility and security
Service-Based Architecture (SBA) at the 5G network core increases programming modularity and allows users to call up a combination of services in a very agile fashion. According to the 3GPP, the SBA for a 5G network core is delivered by a set of interconnected Network Functions (NFs) with authorization to access each other's services. Unlike proprietary network operator architectures, an SBA allows for plug-and-play software, agile programming, and network slicing, which streamline operations and enable faster innovation.
In addition to Internet protocol layer communication that typically uses IPsec, the SBA added security to the transport and applications layers. Core network services communication is protected by security protocols such as TLS, while authorization access is handled by the framework OAuth2 at the application layer.
Expanded roaming security
Interconnections between network operators are where some of the biggest network exposures occur. The 5G standard implements a security edge protection proxy (SEPP) that encrypts and filters all communication across the user plane. Each operator's SEPP is authenticated, and application layer security protects the traffic between the SEPPs.
Advanced integrity protection of the user plane
The 5G standard introduces a new feature that protects the user plane traffic between a device and cellular tower. This feature mitigates advanced man-in-the-middle attacks that aim to obtain sensitive, unprotected over-the-air user plane data, such as DNS messages, as it travels between devices and cellular towers.
Enhancing network security with strategies at the edge
Beyond the core, at the network edge, organizations can and should keep using the advanced network security technologies they’ve likely already been using with wired and 4G broadband. It’s also a good idea to explore and try some newer strategies and tools that have been gaining popularity amid the rise of 5G.
Thanks to the SBA architecture of the 5G standalone core, businesses and agencies can take advantage of network slicing when they deploy 5G solutions. Much like how cloud computing has shifted to containerization and VNFs, the 5G core is shifting to this model and building microservices contained within security groups, or slices, that work to achieve the promises made for specific traffic based on its QoS markings (Single-Network Slice Selection Assistance Information, or S-NSSAI).
Through network slicing, carriers can give businesses tailored services, as well as the precise level of security that’s ideal for each use case. In a nutshell, the network services available in each “slice” are tailored to its users’ unique traffic and security needs and charged accordingly.
The granular control of quality of service (QoS) and quality of experience (QoE) parameters enabled through 5G network slicing can also be applied to a Private 5G Network, creating custom slices ad infinitum.
That said, network slicing only provides confidentiality and integrity protections within the 5G network boundaries. Thus, it’s important to remember that each enterprise remains remains primarily responsible for confidentiality and data integrity.
Zero Trust Network Access (ZTNA)
While cellular network operators are deploying enhanced security controls for 5G, enterprise security improvements at the edge require a paradigm shift toward zero trust.
ZTNA is a security concept that assumes anyone attempting to access a network or application is a malicious actor whose access must be restricted through ongoing verification of user identity, location, device, request timestamp, and previous patterns of use. This robust trust algorithm r— leveraging Security Information and Event Management (SIEM), Identity and Access Management (IAM), Public Key Infrastructure (PKI), and more — requires computational power that is made more efficient and effective through 5G, which ultimately improves QoE.
According to NIST, the official goal of ZTNA is to “unauthorized access to data and services coupled with making the access control enforcement as granular as possible.”
In other words, it’s an invitation-only strategy for securing network access groups. ZTNA will be a key component of 5G security at the network’s edge, as the rapid and far-reaching expansion of IoT and other connected use cases will require enterprises to more strictly and remotely control authentication and identification of devices and the flow of data between them.
Secure Access Service Edge (SASE)
Today it’s commonplace for enterprises to send most of their data to the cloud. It’s fitting that most security services are located there, too. SASE is a cloud-delivered security model that combines network and security functions. In the SASE security model, network and security functions work together to encrypt traffic and direct it to a cloud service. Once there, advanced security technologies are applied.
SASE’s cloud-based network and data security technologies include Softtware-Defined WAN (SD-WAN), Firewall as a Service (FWaaS), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and ZTNA. Security service policies can be applied to different connections and sessions as they access the Internet or cloud, such as SaaS apps, social media, data center apps, and personal banking.
For Wireless WAN, enterprises can improve edge security by implementing a SASE model that includes a wireless edge solution, such as Cradlepoint’s routers and adapters, and a cloud-based security service, such as Palo Alto or Zscaler.
Building security layers for custom protection
The security of 5G is better than any previous iteration of cellular broadband, partially due to infrastructure enhancements, but also because of entrenched and emerging strategies at the edge.
Standard security best practices for physical security remain essential, such as disabling unused interfaces, encrypting data in transit, and implementing firewall rules by use case. In addition, implementing edge-to-cloud security technologies such as ZTNA and SASE provides enterprises with new layers of end-to-end security.