13 Apr The security conundrum of network slicing | Light Reading
One benefit of moving to a standalone 5G network is that it makes it possible for wireless operators to implement network slicing, which means they can run multiple dedicated networks that all share a common, physical infrastructure. Each network slice can have its own characteristics and identity but that also means it will have its own risks.
For example, one slice might be intended for an artificial reality (AR) use case and therefore be provisioned for high throughput and low latency. Another network slice might be intended for an Internet of Things (IoT) use case and be provisioned for extreme reliability and a lower speed. Using network slicing, operators will be able to partition their networks for these different use cases and run them independently.
This network slicing vision is appealing because it will let operators develop different business cases for each slice. But it is also a challenge because wireless operators will need to make sure that each network slice is protected from interference from the other slices and immune to distributed denial of service (DDoS) attacks and other security breaches. “The security challenge is to provide different dynamic security policies for different slices,” said Sree Koratala, vice president of product management for network security at security company Palo Alto Networks. “For example, enterprise-grade security is needed for enterprises served by 5G network slices.”
How operators handle the security of their network slices is up to them. The 3GPP, an industry standards group, has defined specifications for how operators build their 5G networks, but it hasn’t developed any protocol for how security should be handled for network slicing.
However, the GSMA, an industry trade group, has created a security document that provides recommendations to operators on how to detect and prevent attacks using GPRS tunneling protocol (GTP-U).
“A lot of this is in an area of implementation that is outside the 3GPP spec,” said Jason Boswell, head of security and network products solutions at Ericsson North America, an infrastructure vendor. “[The 3GPP spec] doesn’t define security controls per slice or how you define risk profiles or access controls.”
Boswell, of course, recommends that operators stick with their existing network equipment suppliers such as Ericsson for their security. However, they could work with other vendors as well. Boswell added that how an operator decides to implement security for network slicing will depend a lot upon how much of their network is virtualized and how they have architected their core network.
One reason securing network slices is more complicated is that the slices add complexity to the network, making it harder to manage and engineer.
First, operators need to implement security that isolates network components such as the compute, storage and networking layers that are being used by the network slice. This is called “resource isolation” and means that these components are being protected so they can’t be hijacked by other slices.
According to Patrick Donegan, founder and principal analyst at security consulting firm HardenStance, telcos will need to figure out how to have strict isolation between network slices across cloud, RAN and transport domains as well as develop strict isolation for each network function within each slice. Donegan adds that he believes network slicing has a long way to go for operators to implement it in a way that meets enterprise expectations.
Keeping information and data that is being used by one network slice from being accessed or modified by another slice that is sharing the same common infrastructure is another challenge for operators. This type of isolation of data is called security isolation, and Boswell said this is often handled at the hypervisor layer of the network. He compared it to an apartment building where tenants are like network slices and are partitioned from other tenants. Security firewalls are like having thick walls so that tenants can’t hear each other.
“All these things add a layer of complexity,” Boswell said. “You can’t just push the button so everything is automatically secure. You also need to have separate risk profiles and separate security controls.”
However, that doesn’t mean that securing network slices is impossible. Boswell said that with 5G there are already a lot of enhancements that are built into the network core and transport layer that separate different functions. “There are different ways to build it. It will depend upon how centralized or decentralized or how virtualized your network is,” he said.
Sue Marek, special to Light Reading. Follow her @suemarek.