Challenges and Opportunities in SDN/NFV and 5G Security

François Cosquer, September 6th, 2018

© Nokia Solutions and Networks 2017. We create the technology to connect the world.

Note: The views expressed in this presentation are those of the author and not necessarily those of NOKIA Corporation



Page 2

The “new” Nokia

Public

Timeline 2012 to 2018:

- Pulp, Paper, Rubber, Early Bell System products, Mobile phones
- Acquired Motorola Solutions wireless networks
- Created Nokia Technologies
- Launched Networks transformation plan
- Sold Devices & Services
- Acquired Alcatel-Lucent
- Sold HERE
- Acquired Gainspeed
- Acquired Deepfield
- Acquired Comptel
- Created Nokia Shanghai Bell
- Acquired Unium
- Acquired SpaceTime Insight

Page 3

A position of strength in networks, software, and services

- #2 in 4G*
- #1 in copper access*
- #2 in edge routing*
- #3 in services**
- #2 in telecom software***

* Figures and positions reflect market share as for FY 2017 based on Dell’Oro’s Q4 2017 market share reports
** Figures and position of operator-independent global service suppliers, based on TBR TIS Benchmark Data of Q3 2017
*** Figure and position is based on revenue estimates. Source: Analysis Mason for FY 2016.

Page 4

Comprehensive portfolio and expertise

- Mobile Networks
- Fixed Networks
- IP / Optical Networks
- Applications & Analytics
- Nokia Technologies
- Nokia Bell Labs
- Global Services

Page 5

Security is in the heart of Nokia DNA

A culture inside corporate functions
• Security in the architecture (DFSEC, design, test, PSIRT, ...)
• Standards & Regulations
• Government and universities relationship
• Quality

R&D: ~37 000

Program of research and innovation
• « Bell Labs research », « Innovation Steering »

A complete portfolio
• Service providers and vertical markets

Protection of information
• Customer data and internal data
• Training program

NetGuard, Nokia Software Security BU
• Network Security
• Device Security
• Cloud Security
• Security Management

Page 6

Nokia's 5G Future X – Unleashing the potential of 5G

Figure: the three 5G service classes and their targets
- Extreme Mobile Broadband: x10k traffic, >10 Gbps peak data
- Massive machine communication: 10 years on battery, 1M devices/km2
- Critical machine communication: <1 ms latency, ultra reliability

3GPP 5G phase 1 (Rel-15); 3GPP 5G phase 2 (Rel-16)

Page 7

5G: driving the automation of everything

https://www.youtube.com/watch?v=ndkzlyjAn7g

… 5G is also heavily linked to SDN & NFV

Page 8

SDN: Software Defined Networking

• SDN provides a solution for the networking challenges in NFV:

- Enables the definition of abstract networking requirements (programmability)

- Automates advanced connectivity establishment (service chaining)

- Provides centralized control over virtualized switches (vSwitches) on servers

• Software Defined Networking

- Separation of control and data planes

- A logically centralized control plane

- Network virtualization and slicing

- Standard protocols between control and data planes: e.g. OpenFlow

• Originally defined by Open Networking Foundation (ONF)

From “Software-Defined Networking: The New Norm for Networks”, ONF Whitepaper

Page 9

NFV: Network Function Virtualization

From: network elements with dedicated hardware

To: software-based applications running on uniform hardware platforms (off-the-shelf server blades)

Page 10

NFV = Migration from legacy to « cloud » environment

Figure (ETSI NFV ISG view): Virtual Network Functions, IaaS boundary

Page 11

From LTE to 5G: Adopting New Networking Paradigms

Figure: LTE architecture versus 5G architecture.

Abbreviations: eNB Evolved Node B; HSS Home Subscriber Server; IMS IP Multimedia Subsystem; MME Mobility Management Entity; PCRF Policy and Charging Rules Function; PDN Packet Data Network; SEG Security Gateway

Page 12

Distributed Telco Clouds enable “Network Slicing”

Figure labels: Cell (x3), Edge Cloud, Central Cloud, Internet; Slice A, Slice B, Common parts; SDN switches, Virtual Network Functions

Page 13

Challenges and Opportunities in SDN/NFV and 5G Security

Where is the risk, in 2 simple questions:

1) What’s new or different?
- Volume of new technologies (NFV/SDN/Edge Cloud, Slices…)
- Speed cycle of technology (vs previous Gs)
- Scale (in many dimensions) and usage, including industry & mission critical

2) What is the context?
- Security manpower shortage in general
- Lack of strong field experience in particular
- IT and telco worlds in need of alignment

Also one big opportunity: « to get it right this time! »

5G is at the crossroad of many « Industry Mega Trends »
- Network, compute & storage: broadband everywhere, distributed cloud, near infinite storage
- Internet of Things: connectivity for a trillion things
- Augmented intelligence: human assistance and task automation at machine scale
- Social & trust economics: sharing economy and digital currencies making trust and security essential

Page 14

Layers of Mobile Network Security as of Today (Example LTE)

Figure: LTE network (UE/USIM, eNB, MME, Serving Gateway, PDN Gateway, PCRF, HSS/AuC, SEG, IMS/Application Servers, Internet) annotated with its security layers.

3GPP-specified security architecture:
- Authentication and Key Agreement between UE/USIM and HSS/AuC, both holding the long-term key K
- Key hierarchy: KASME shared by UE and MME, KeNB shared by UE and eNB
- Non access stratum signaling security
- Access stratum security
- User Identity Privacy
- Secure Environment
- VoLTE/IMS security

Network security not specified by 3GPP:
- Backhaul link security (SEG)
- Core interface security

Network element security measures
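The key hierarchy in the figure (K on the USIM and in the AuC, KASME at the MME, KeNB at the eNB) is produced by the 3GPP key derivation function. As an added example that is not part of the original deck, the Python below implements the KASME and KeNB derivations of 3GPP TS 33.401 Annex A; the CK, IK, SQN xor AK and PLMN values are constructed for illustration, not real key material.

```python
import hmac
import hashlib


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over
    S = FC || P0 || L0 || P1 || L1 ..., Li = 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def plmn_to_sn_id(mcc: str, mnc: str) -> bytes:
    """Serving network identity (3 octets, PLMN encoding of TS 24.301):
    octet 1 = MCC digit 2 | MCC digit 1, octet 2 = MNC digit 3 (0xF for a
    two-digit MNC) | MCC digit 3, octet 3 = MNC digit 2 | MNC digit 1."""
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([(m[1] << 4) | m[0], (n[2] << 4) | m[2], (n[1] << 4) | n[0]])


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME (TS 33.401 A.2): Key = CK || IK, FC = 0x10,
    P0 = serving network id (3 octets), P1 = SQN xor AK (6 octets).
    Binding to the SN id ties the session keys to the serving network."""
    if len(ck) != 16 or len(ik) != 16 or len(sn_id) != 3 or len(sqn_xor_ak) != 6:
        raise ValueError("bad parameter length")
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


def derive_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    """KeNB (TS 33.401 A.3): Key = KASME, FC = 0x11,
    P0 = uplink NAS COUNT (4 octets). A fresh KeNB is derived per NAS COUNT
    value, so the eNB never holds KASME and access stratum keys do not repeat."""
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))


# Constructed sample inputs (not real key material): CK/IK as returned from an
# AKA run, SQN xor AK from the authentication token, serving PLMN 262/01.
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SQN_XOR_AK = bytes.fromhex("0000000000a1")
SN_ID = plmn_to_sn_id("262", "01")

if __name__ == "__main__":
    kasme = derive_kasme(CK, IK, SN_ID, SQN_XOR_AK)
    print("SN id  ", SN_ID.hex())  # 62f210
    print("KASME  ", kasme.hex())
    # The eNB key changes with every uplink NAS COUNT; KASME stays in the MME.
    for count in (0, 1):
        print(f"KeNB[{count}]", derive_kenb(kasme, count).hex())
```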

Page 15

5G Security Vision: Top 3 Objectives

Objectives: Best in Class built-in security; Automation @ scale; Flexible security mechanisms

Supporting elements:
- Increased robustness against cyber attacks
- Enhanced privacy
- Alternative identification and authentication procedures
- Holistic security orchestration and management
- Security assurance
- User plane encryption and integrity protection optional to use
- Optimize security mechanisms for specific markets
- Self-adaptive, intelligent security controls

Page 16

“Network Element Security” for Virtualized Networks

Network elements replaced by VNFs running on a cloud platform

➢ Secure the platform

➢ Secure the VNFs

➢ Security assurance for VNFs that can be deployed on different platforms

Page 17

Non-Standardized Network Security Measures for Virtualized Networks

Network zoning can be implemented in a straightforward way:
• The NFV environment facilitates separation, e.g. virtual machines are separated by a hypervisor
• Dedicated VLANs provide connectivity between the VMs forming a zone
• Traffic between zones may be filtered by virtual firewalls
• Even physical separation may be possible, at the cost of resource usage efficiency

The external perimeter may be secured by a virtual firewall; physically separated firewalls can protect the overall data center infrastructure

Traffic separation by dedicated virtual switches, VLANs and wide area VPNs; physical separation is hardly applicable

Page 18

Non-Standardized Network Security Measures for Virtualized Networks

Secure operation and maintenance
• Securing the MANO stack in addition to element managers, OSS and BSS
• Usage of secure protocols, securing access to management functions (e.g. role based access), password policies similar to today’s networks
• Separating O&M traffic from all other traffic (only logically)
• Need for a high degree of automation to cope with the dynamics of fast changing, multi-slice networks

Reactive security measures
• Analytics- and machine-learning-based attack detection
• Leverage scalable edge cloud resources for attack mitigation
• Automatic deployment and adaptation to varying network configurations and conditions (including slicing-awareness)

Page 19

Securing an SDN-based Network

Figure: SDN controller with applications on top and SDN switches below, connected over a control network inside a virtualized/cloud environment, annotated with the required protections:
- Secure SDN controller: robust implementation, overload control
- SDN switches: robust implementation, overload control
- Cryptographic protection of the control network and of the application-to-controller links
- Sound authentication and authorization concepts
- Firewall
- Secure virtualized/cloud environment
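Both the controller and the switches in the figure carry the annotation “robust implementation, overload control”. As an added example that is not part of the original deck, the Python below shows one defensive building block for the controller side: a per-datapath token bucket in front of the PACKET_IN handler, replayed over a constructed trace in which one switch floods and another behaves normally. The datapath ids, rates and trace are assumptions made for illustration.

```python
from collections import defaultdict


class PacketInLimiter:
    """Per-datapath token bucket in front of a controller's PACKET_IN handler.

    One switch flooding PACKET_IN (e.g. a table-miss storm) only drains its own
    bucket, so it cannot starve the controller for the other switches. Time is
    in integer milliseconds and tokens in integer "millitokens" (1000 per
    message) so the arithmetic is exact.
    """

    def __init__(self, rate_per_s: int, burst: int) -> None:
        self.rate = rate_per_s            # messages per second per switch
        self.capacity = burst * 1000      # bucket size in millitokens
        self.buckets = {}                 # dpid -> (tokens, last_ms)
        self.dropped = defaultdict(int)   # dpid -> messages shed

    def allow(self, dpid: int, now_ms: int) -> bool:
        tokens, last = self.buckets.get(dpid, (self.capacity, now_ms))
        # refill: rate tokens/s is the same as rate millitokens/ms
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:
            self.buckets[dpid] = (tokens - 1000, now_ms)
            return True
        self.buckets[dpid] = (tokens, now_ms)
        self.dropped[dpid] += 1           # shed instead of queueing: bounded work
        return False


def replay(trace, rate_per_s=10, burst=5):
    """Run a (time_ms, dpid) trace through the limiter and return the
    accepted and dropped message counts per switch."""
    lim = PacketInLimiter(rate_per_s, burst)
    accepted = defaultdict(int)
    for t, dpid in trace:
        if lim.allow(dpid, t):
            accepted[dpid] += 1
    return dict(accepted), dict(lim.dropped)


# Constructed trace (not captured from a real controller): switch 1 sends a
# PACKET_IN storm of 100 messages within one second, switch 2 sends 5 messages.
STORM = [(10 * i, 1) for i in range(100)]
NORMAL = [(200 * i, 2) for i in range(5)]
TRACE = sorted(STORM + NORMAL)

if __name__ == "__main__":
    # switch 1 is clamped to its burst plus 10/s, switch 2 is untouched
    print(replay(TRACE))  # ({1: 14, 2: 5}, {1: 86})
```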

Page 20

Elements of a 5G Security Architecture

Figure: Cell, Edge Cloud and Central cloud, with the security elements below mapped to the three objectives (Best in Class built-in security; Automation @ scale; Flexible security mechanisms):
- Subscriber/device identifiers/credentials
- Hardware security modules
- Security negotiation, key hierarchy
- Enhanced control plane robustness
- Enhanced subscriber privacy
- Crypto algorithms
- Physical layer security
- Jamming protection
- Authentication/authorization, key agreement
- NFV/SDN security
- Network slicing security
- Multi-tenancy security
- Security assurance for NFV environments
- Security management and orchestration
- Self-adaptive, intelligent security controls

Page 21

Summary: Securing a 3GPP 5G System

3GPP-specified security architecture:
- New access-agnostic authentication framework
- Enhanced subscription privacy and user plane protection
- EAP-based “secondary authentication”
- Security for service-based interfaces
- Enhancements for interconnection security

Network security not specified by 3GPP (VNF security, telco cloud security, network security measures):
- Sound, robust implementations of the virtualization layer (e.g. hypervisor) and the overall cloud platform software
- Sound, robust, security aware implementation of the VNFs
- Integrity (trust) assurance for both platform and VNFs
- Holistic, automated security management and orchestration
- Perimeter security and traffic filtering by virtual firewalls
- Logically or even physically separated security zones
- Traffic separation by VLANs and wide area VPNs
- Automated, self-adaptive, intelligent security controls

Page 22

From Vision to « Reality »: What’s next? Where do we start? Key Success Factors

- Participate actively and support deployments: Make SDN/NFV rollout and Cloud RAN & Edge Cloud an operational reality
- Put stronger focus on security resources: Make strategic choices for standards and technology
- Define clear operational roles and responsibilities: Migrate to a new model of operations so as to reflect new deployment scenarios
- Ensure industry/academia/regulators collaboration: Promote and participate in information and threat intelligence sharing

Objectives: Best in Class built-in security; Automation @ scale; Flexible security mechanisms

Let’s get it right this time! … Everything is NOT going to be OK

“Reality” note: Still, cyber crime currently focusses rather on exploiting vulnerabilities in mobile devices, their applications and the “human factor”!

Page 23

WHITE PAPERS RESOURCES:
- Security Challenges and Opportunities for 5G mobile networks
- Building Secure Telco Clouds

From NFV Insight Series:
- NFV Migration: Top 5 Security Risks
- NFV’s Security Top 9 Impacting Choices

Page 24

Which Threats Matter Most?

Result of a comprehensive LTE threat and risk analysis carried out in the research project ASMONIA, 2010-2013 (funded by the German Federal Ministry of Education and Research)

Still, it seems that cyber crime currently focusses rather on exploiting vulnerabilities in mobile devices, their applications and the “human factor”!

Page 25

5G security architecture achievements in Rel-15

- Unified authentication framework & access-agnostic authentication
- Primary authentication (Registration)
- Secondary authentication (access to ext. DN)
- Increased home control (UE in SN verification)
- Enhanced subscriber privacy (no IMSI catcher anymore)
- RAN security (now also user plane integrity protection)
- Service based architecture & Interconnect security
- 5GS-EPS interworking security
- LTE-NR Dual Connectivity

What about Rel-16?

- Network slice security
- Long term key update
- 256-bit key
- Enhanced SBA
- Security assurance
- Vertical security

3GPP TS 33.501 (5G security) & TS 33.401 (EDCE5)