Posted on 28-May-2020
1 © Nokia Solutions and Networks 2017
We create the technology to connect the world
Challenges and Opportunities in SDN/NFV and 5G Security
François Cosquer, September 6th, 2018
Note: The views expressed in this presentation are those of the author and not necessarily those of NOKIA Corporation
Slide 2: The “new” Nokia (timeline 2012 to 2018)
• Origins: pulp, paper, rubber, early Bell System products, mobile phones
• Acquired Motorola Solutions wireless networks
• Created Nokia Technologies
• Launched Networks transformation plan
• Sold Devices & Services
• Acquired Alcatel-Lucent
• Sold HERE
• Acquired Gainspeed
• Acquired Deepfield
• Acquired Comptel
• Created Nokia Shanghai Bell
• Acquired Unium
• Acquired SpaceTime Insight
Slide 3: A position of strength in networks, software, and services
• #2 in 4G*
• #1 in copper access*
• #2 in edge routing*
• #3 in services**
• #2 in telecom software***
* Figures and positions reflect market share for FY 2017, based on Dell’Oro’s Q4 2017 market share reports.
** Figures and position of operator-independent global service suppliers, based on TBR TIS Benchmark Data of Q3 2017.
*** Figure and position based on revenue estimates. Source: Analysys Mason for FY 2016.
Slide 4: Comprehensive portfolio and expertise
• Mobile Networks
• Fixed Networks
• IP / Optical Networks
• Applications & Analytics
• Nokia Technologies
• Nokia Bell Labs
• Global Services
Slide 5: Security is at the heart of Nokia DNA
A culture inside corporate functions
• Security in the architecture (DFSEC, design, test, PSIRT, ...)
• Standards & regulations
• Government and universities relationship
• Quality
R&D: ~37 000
Program of research and innovation
• « Bell Labs research », « Innovation Steering »
A complete portfolio
• Service providers and vertical markets
Protection of information
• Customer data and internal data
• Training program
Nokia Software Security BU: NetGuard
• Network Security
• Device Security
• Cloud Security
• Security Management
Slide 6: Nokia's 5G Future X – Unleashing the potential of 5G
[Figure: the three 5G service classes with their target figures, and the two 3GPP 5G phases]
• Extreme Mobile Broadband: x10k traffic, >10 Gbps peak data
• Massive machine communication: 10 years on battery, 1M devices/km²
• Critical machine communication: <1 ms latency, ultra reliability
• 3GPP 5G phase 1 (Rel-15); 3GPP 5G phase 2 (Rel-16)
Slide 7: 5G: driving the automation of everything
https://www.youtube.com/watch?v=ndkzlyjAn7g
… 5G is also heavily linked to SDN & NFV
Slide 8: SDN: Software Defined Networking
• SDN provides a solution for the networking challenges in NFV:
- Enables the definition of abstract networking requirements (programmability)
- Automates advanced connectivity establishment (service chaining)
- Provides centralized control over virtualized switches (vSwitches) on servers
• Software Defined Networking
- Separation of control and data planes
- A logically centralized control plane
- Network virtualization and slicing
- Standard protocols between control and data planes: e.g. Openflow
• Originally defined by Open Networking Foundation (ONF)
From “Software-Defined Networking: The New Norm for Networks”, ONF white paper
Slide 9: NFV: Network Function Virtualization
From: network elements with dedicated hardware
To: software-based applications running on uniform hardware platforms (off-the-shelf server blades)
Slide 10: NFV = Migration from legacy to « cloud » environment
[Figure: ETSI NFV ISG view of Virtual Network Functions and the IaaS boundary]
Slide 11: From LTE to 5G: Adopting New Networking Paradigms
[Figure: LTE architecture beside the 5G architecture]
Abbreviations: eNB Evolved Node B; HSS Home Subscriber Server; IMS IP Multimedia Subsystem; MME Mobility Management Entity; PCRF Policy and Charging Rules Function; PDN Packet Data Network; SEG Security Gateway
Slide 12: Distributed Telco Clouds enable “Network Slicing”
[Figure: cells connect through an edge cloud to a central cloud and the Internet; slice A, slice B and the common parts are built from SDN switches and Virtual Network Functions]
Slide 13: Where is the risk? Two simple questions:
1) What’s new or different?
• Volume of new technologies (NFV/SDN/Edge Cloud, slices…)
• Speed cycle of technology (vs previous Gs)
• Scale (in many dimensions) and usage, including industry & mission critical
2) What is the context?
• Security manpower shortage in general
• Lack of strong field experience in particular
• IT and Telco worlds in need of alignment
Also one big opportunity « to get it right this time! »

5G is at the crossroad of many « Industry Mega Trends »
• Network, compute & storage: broadband everywhere, distributed cloud, near infinite storage
• Internet of Things: connectivity for a trillion things
• Augmented intelligence: human assistance and task automation at machine scale
• Social & trust economics: sharing economy and digital currencies making trust and security essential
Slide 14: Layers of Mobile Network Security as of Today (Example LTE)
[Figure: LTE network with UE/USIM, eNB, Serving Gateway, PDN Gateway, MME, HSS/AuC, PCRF, SEG, IMS/application servers and the Internet, annotated with its security layers]
Security layers shown: backhaul link security (SEG), core interface security, user identity privacy, secure environment, VoLTE/IMS security, non access stratum signaling security, access stratum security, and Authentication and Key Agreement with the key hierarchy K (USIM and HSS/AuC) → KASME (UE and MME) → KeNB (UE and eNB)
Legend: network security not specified by 3GPP; 3GPP-specified security architecture; network element security measures
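The key hierarchy in the figure (K → KASME → KeNB → NAS/AS keys) follows the key derivation function of 3GPP TS 33.401 Annex A. The Python below is an added illustration, not from the deck: it implements that chain with constructed CK/IK, serving network id and counters, since the AKA run that actually produces CK/IK inside the USIM and HSS/AuC is not shown.

```python
import hashlib
import hmac

def build_s(fc: int, *params: bytes) -> bytes:
    # S = FC || P0 || L0 || P1 || L1 ..., each Li the 2-byte length of Pi (TS 33.401 Annex A.2)
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    # Generic 3GPP KDF: HMAC-SHA-256(key, S), 256-bit output
    return hmac.new(key, build_s(fc, *params), hashlib.sha256).digest()

def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    # KASME = KDF(CK || IK, FC=0x10, SN id (3 bytes), SQN xor AK (6 bytes)); binding the
    # serving network id into the key is what ties KASME to the visited network
    assert len(ck) == 16 and len(ik) == 16 and len(sn_id) == 3 and len(sqn_xor_ak) == 6
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)

def derive_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    # KeNB = KDF(KASME, FC=0x11, uplink NAS COUNT (4 bytes)): a fresh eNB key per NAS count
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))

# Algorithm type distinguishers (P0) of Annex A.7; P1 is the algorithm identity (e.g. 1 = EEA1/EIA1)
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC, UP_INT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06

def derive_alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    # 128-bit algorithm key = the 128 least significant bits of KDF(parent, FC=0x15, P0, P1)
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]

def lte_key_hierarchy(ck, ik, sn_id, sqn_xor_ak, ul_nas_count, nas_alg=1, as_alg=1) -> dict:
    # The chain the MME/UE (NAS keys) and eNB/UE (AS keys) compute after a successful AKA
    kasme = derive_kasme(ck, ik, sn_id, sqn_xor_ak)
    kenb = derive_kenb(kasme, ul_nas_count)
    return {"KASME": kasme, "KeNB": kenb,
            "KNASenc": derive_alg_key(kasme, NAS_ENC, nas_alg),
            "KNASint": derive_alg_key(kasme, NAS_INT, nas_alg),
            "KRRCenc": derive_alg_key(kenb, RRC_ENC, as_alg),
            "KRRCint": derive_alg_key(kenb, RRC_INT, as_alg),
            "KUPenc": derive_alg_key(kenb, UP_ENC, as_alg)}

if __name__ == "__main__":
    # Constructed sample inputs (not real AKA output): CK/IK, SN id of a made-up PLMN,
    # SQN xor AK of zeros, first uplink NAS COUNT = 0
    for name, k in lte_key_hierarchy(bytes(16), b"\x01" * 16, b"\x00\xf1\x10", bytes(6), 0).items():
        print(f"{name:8s} {k.hex()}")
```

Because the uplink NAS COUNT is an input to KeNB, every new radio connection gets fresh AS keys without rerunning AKA, which is the property the later slides carry over into the 5G key hierarchy.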
Slide 15: 5G Security Vision: Top 3 Objectives
• Best in Class built-in security
• Automation @ scale
• Flexible security mechanisms
Elements shown:
• Increased robustness against cyber attacks
• Enhanced privacy
• Alternative identification and authentication procedures
• Holistic security orchestration and management
• Security assurance
• User plane encryption and integrity protection optional to use
• Optimize security mechanisms for specific markets
• Self-adaptive, intelligent security controls
Slide 16: “Network Element Security” for Virtualized Networks
Network elements replaced by VNFs running on a cloud platform:
➢ Secure the platform
➢ Secure the VNFs
➢ Security assurance for VNFs that can be deployed on different platforms
Slide 17: Non-Standardized Network Security Measures for Virtualized Networks
Network zoning can be implemented in a straightforward way:
• The NFV environment facilitates separation, e.g. virtual machines are separated by a hypervisor
• Dedicated VLANs provide connectivity between the VMs forming a zone
• Traffic between zones may be filtered by virtual firewalls
• Even physical separation may be possible, at the cost of resource usage efficiency
The external perimeter may be secured by a virtual firewall; physically separated firewalls can protect the overall data center infrastructure.
Traffic separation by dedicated virtual switches, VLANs and wide area VPNs; physical separation is hardly applicable.
Slide 18: Non-Standardized Network Security Measures for Virtualized Networks
Secure operation and maintenance
• Securing the MANO stack in addition to element managers, OSS and BSS
• Usage of secure protocols, securing access to management functions (e.g. role-based access), password policies similar to today’s networks
• Separating O&M traffic from all other traffic (only logically)
• Need for a high degree of automation to cope with the dynamics of fast-changing, multi-slice networks
Reactive security measures
• Analytics- and machine-learning-based attack detection
• Leverage scalable edge cloud resources for attack mitigation
• Automatic deployment and adaptation to varying network configurations and conditions (including slicing awareness)
Slide 19: Securing an SDN-based Network
[Figure: SDN controller with its applications, the control network, a firewall and the SDN switches, all hosted in a virtualized/cloud environment, annotated with the measures below]
• Cryptographic protection (control network and application interfaces)
• Sound authentication and authorization concepts
• Secure SDN controller: robust implementation, overload control
• Firewall
• SDN switches: robust implementation, overload control
• Secure virtualized/cloud environment
Slide 20: Elements of a 5G Security Architecture
[Figure: cell, edge cloud and central cloud, annotated with the elements below under the three objectives Best in Class built-in security, Automation @ scale and Flexible security mechanisms]
• Subscriber/device identifiers/credentials
• Hardware security modules
• Security negotiation, key hierarchy
• Enhanced control plane robustness
• Enhanced subscriber privacy
• Crypto algorithms
• Physical layer security, jamming protection
• Authentication/authorization, key agreement
• NFV/SDN security
• Network slicing security
• Multi-tenancy security
• Security assurance for NFV environments
• Security management and orchestration
• Self-adaptive, intelligent security controls
Slide 21: Summary: Securing a 3GPP 5G System
3GPP-specified security architecture:
• New access-agnostic authentication framework
• Enhanced subscription privacy and user plane protection
• EAP-based “secondary authentication”
• Security for service-based interfaces
• Enhancements for interconnection security
Network security not specified by 3GPP (VNF security and Telco cloud security):
• Sound, robust implementations of the virtualization layer (e.g. hypervisor) and the overall cloud platform software
• Sound, robust, security-aware implementation of the VNFs
• Integrity (trust) assurance for both platform and VNFs
• Holistic, automated security management and orchestration
• Perimeter security and traffic filtering by virtual firewalls
• Logically or even physically separated security zones
• Traffic separation by VLANs and wide area VPNs
• Automated, self-adaptive, intelligent security controls
Slide 22: From Vision to « Reality »: What’s next? Where do we start? Key Success Factors
- Participate actively and support deployments: make SDN/NFV rollout and Cloud RAN & Edge Cloud an operational reality
- Put stronger focus on security resources: make strategic choices for standards and technology
- Define clear operational roles and responsibilities: migrate to a new model of operations so as to reflect new deployment scenarios
- Ensure industry/academia/regulators collaboration: promote and participate in information and threat intelligence sharing
(Pillars: Best in Class built-in security, Automation @ scale, Flexible security mechanisms)
Let’s get it right this time! … Everything is NOT going to be OK
“Reality” note: still, cyber crime currently focusses rather on exploiting vulnerabilities in mobile devices, their applications and the “human factor”!
Slide 23: White paper resources
• Security Challenges and Opportunities for 5G mobile networks
• Building Secure Telco Clouds
From the NFV Insight Series:
• NFV Migration: Top 5 Security Risks
• NFV’s Security Top 9 Impacting Choices
Slide 24: Which Threats Matter Most?
[Figure: result of a comprehensive LTE threat and risk analysis carried out in the research project ASMONIA, 2010-2013 (funded by the German Federal Ministry of Education and Research)]
Still, it seems that cyber crime currently focusses rather on exploiting vulnerabilities in mobile devices, their applications and the “human factor”!
Slide 25: 5G security architecture achievements in Rel-15
• Unified authentication framework & access-agnostic authentication
• Primary authentication (registration)
• Secondary authentication (access to external DN)
• Network slice security
• Long term key update
• 256 bit key
• Enhanced SBA
• Security assurance
• Vertical security
What about Rel-16?
• Increased home control (UE in SN verification)
• Enhanced subscriber privacy (no IMSI catcher anymore)
• RAN security (now also user plane integrity protection)
• Service based architecture & interconnect security
• 5GS-EPS interworking security
• LTE-NR Dual Connectivity
References: 3GPP TS 33.501 (5G security) & TS 33.401 (EDCE5)