Securing the Onion: 5G Cloud Native Infrastructure
Boon Kang Lim, F5
MyNOG, Jun. 15, 2023 (22 slides)
1. Securing the Onion: 5G Cloud Native Infrastructure
2. Agenda
©2023 F5
• Architecture
  • Transformation to the 5G Service Based Architecture (5G SBA)
  • 3GPP releases update
  • Important components in securing 5G SBA: Service Proxy for Kubernetes (SPK) and Service Communication Proxy (SCP)
• Service Proxy for Kubernetes (SPK): 3GPP Rel-14 to Rel-15 journey
  • Ingress and egress requirements to secure cloud native infrastructure (Kubernetes)
  • Kubernetes networking weaknesses in addressing carrier-grade needs
  • Handling ingress traffic with SPK ingress
  • Handling egress traffic with SPK service mesh
• Service Communication Proxy (SCP): 3GPP Rel-15 to Rel-16 journey
  • Intelligently and securely simplify 5G core operation
  • Bridging 4G/5G in multiple domains
  • 5G SBA secure signaling flow
  • Securing distributed 5G network deployment
  • 5G core security in an onion model with SCP and SPK
3. 5G: Functional and Architectural Transformation
[Diagram: 4G core vs. 5G core]
• 4G Core (telco architecture): MME, SGSN, HSS, PCRF, SGW, PGW, connected by point-to-point interfaces S1-MME, S1-U (GTP), S3 (GTP), S4 (GTP), S5/S8, S6a (Diameter), Gx (Diameter); the data network is reached through the PGW.
• 5G Core (IT architecture), 5G Service-Based Architecture (SBA): control-plane NFs NSSF, NEF, NRF, PCF, UDM, AF, AUSF, AMF and SMF exposing services over HTTP/2 and JSON APIs; the UPF is the user data and packet gateway. Reference points N1, N2 and N3 from the 5G-AN, N4 toward the UPF, N6 to the data network; N3IWF for non-3GPP access. Control and signaling sit in central/regional sites while the UPF is pushed to the edge (CUPS).
• 5G SBA technology principles (derived from the IT industry): HTTP/2 as the web protocol, JSON API, microservices, API-centric design, telco cloud, CUPS.
4. 3GPP Releases Update
[Diagram: release timeline]
• Release 14: Control and User Plane Separation (CUPS)
• Release 15: Service Based Architecture (SBA)
• Release 16: Enhanced Service Based Architecture (eSBA)
• Release 17: Enabling edge applications
Along the way the control plane moves from VNFs (VNF 1 … VNF n) on virtual machines over a virtualization layer (compute, network, storage) to CNFs (CNF 1 … CNF n) in containers.
5. Security Threats within the 5G Service Based Architecture
... and some additional security points to pay attention to
[Diagram: 5G SBA with 4G counterparts and exposure points]
• Network functions (4G counterpart in quotes): AMF mobility ("MME"), AUSF authentication ("HSS"), SMF sessions ("PGW-C"), UPF data plane ("PGW-U"), CHF charging ("OCS"), NEF exposure, AF application, UDM subscriber repository ("HSS"), PCF policy ("PCRF"), NRF repository, NSSF slicing.
• Service-based interfaces: Namf, Nausf, Nsmf, Nchf, Nnef, Naf, Nudm, Npcf, Nnrf, Nnssf. Reference points: N1, N2 and N3 from the UE and (R)AN, N9 between UPFs, N6 to the data network.
• Exposure points to pay attention to: the access side (UE, (R)AN), DN networks, interworking networks and IPX partners, the billing environment behind the CHF, and apps and APIs reached through the NEF and AF.
6. Security Threats within the 5G Service Based Architecture (continued)
[Same diagram, with the control points added: SCP + (BSF) + SPK]
7. Security Threats within the 5G Service Based Architecture (continued)
[Same diagram, with the capabilities of SCP + (BSF) + SPK listed]
• Enhanced ingress security with a per-service secure proxy
• Scalability of CNFs
• Dynamic network elasticity
• Multi-protocol support
• SBA security, mTLS
• Routing, load balancing, message prioritisation, persistence, session binding, etc.
• HTTP/2 protocol validation
8. Securing Cloud Native Infrastructure (K8s) with Service Proxy for Kubernetes (SPK)
[Section divider: Release 14, Control and User Plane Separation; Release 15, Service Based Architecture]
9. Securing Cloud Native (Kubernetes) Telco Cloud
Requirements for telco cloud infrastructure
North/South traffic (service proxy):
• Ingress for 5G SBA HTTP/2 traffic
• Automation through the Kubernetes control plane
• Support for non-HTTP traffic*
  • SCTP, GTP/PFCP for 5G*
  • Diameter, GTP, SIP for hybrid 4G/5G deployments*
• Full proxy (ingress + egress) for network-centric deployments*
• Support for multi-vendor environments*
East/West traffic (service mesh):
• Proxying HTTP/2 traffic
• Policy driven through the Kubernetes control plane
• Mutual TLS encryption
• Packet capture and lawful intercept*
• Analytics and visibility*
• Certificate management*
• Support for multi-vendor environments*
* Additional functions not supported natively in Kubernetes
10. Kubernetes Networking Weaknesses Addressed
Additional abilities applied to Kubernetes ingress/egress are powerful for telco deployments.
Kubernetes provides flexibility, scalability and efficiency that will be key for service providers:
• 5G packet cores
• Edge computing / edge sites
• Digital transformation
But it is not designed for service providers. Traditionally developed for web and enterprise use, it has:
• Difficulty with telco protocols: NGAP/SCTP, 5G HTTP/2, Diameter, GTP, SIP, lawful intercept, others
• Limited egress capabilities
• Lack of routing integration with service provider networks
• Lack of security controls
• Lack of visibility and revenue controls
• Difficulty with public cloud providers
11. F5 Service Proxy for Kubernetes (SPK) for 5G Core
Kubernetes ingress and egress services for telco protocols
[Diagram: typical telco locations (far edge MEC, near edge MEC, regional PoP, central PoP), each running a Kubernetes platform with 4G/5G core functions (cscf, pcrf, upf, ocs, scp, others) on a virtualisation/containerisation layer. SPK sits between users / the Internet and other DNs and the telco cloud, providing multiprotocol ingress (HTTP/2, Diameter, SIP and GTP, with PFCP being considered), security, visibility and L7 routing.]
12. F5 SPK is the Modern Telco-Grade Ingress Proxy
Ingress proxy and egress GW
• Protocols: HTTP/2, Diameter, SIP, NGAP over TCP, SCTP and UDP
• Signaling control: routing, load balancing, rate limiting
• Traffic management: load balancing, persistence, service continuity
• Egress GW: routing, traffic control policy, topology (IP) hiding
13. E.g. Egress Security Control Use Case
Without egress control: there is no control over container egress. Without a firewall function to regulate it, the risk of data leak/loss is real (CNFs in the central DC and at the edge can reach anything).
With SPK: SPK secures the telco cloud everywhere. It lets the telco cloud control network flows and hide core CNF topology, with an SPK in front of each CNF in the central DC and at the edge.
• #1 NSM for telco: a controlled ACL and topology hiding for workloads that interact with NFs from another network or another PLMN.
• #2 Virtual stop gap: deployed as policy for public cloud or untrusted environments to restrict traffic leaving the CNF and telco application containers.
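As an added illustration, not part of the slide deck and not F5 SPK code, the Python below models the decision an egress gateway in front of a CNF makes for each outbound flow: default-deny, an allowlist by destination network, protocol and port, and rewriting of the source address to a published one so the peer never learns the pod address (the topology hiding the slide mentions). The SMF allowlist, the pod and NF addresses, the published egress address and the sample flows are all constructed for the example.

```python
"""Default-deny egress with topology hiding for a CNF namespace.

Added example, not F5 SPK code. Models what an egress gateway decides for
each flow leaving a CNF: allow only explicitly listed destinations, rewrite
the source to a published address so the peer never sees the pod address,
and drop everything else (the data-leak case the slide warns about).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    name: str
    dst_net: ipaddress.IPv4Network
    proto: str  # "tcp" or "udp"
    port: int


# Constructed allowlist for an SMF namespace (addresses are not real):
# SBI toward the NRF and SCP over HTTP/2, and PFCP toward the UPF pool.
SMF_EGRESS_ALLOW = (
    EgressRule("nrf-sbi", ipaddress.ip_network("10.20.0.0/24"), "tcp", 443),
    EgressRule("scp-sbi", ipaddress.ip_network("10.21.0.0/24"), "tcp", 443),
    EgressRule("upf-pfcp", ipaddress.ip_network("10.30.5.0/24"), "udp", 8805),
)

# Topology hiding: one published source address per namespace (constructed).
PUBLISHED_SRC = {"smf": "198.51.100.10"}


def evaluate_egress(namespace, src_ip, dst_ip, proto, port, rules=SMF_EGRESS_ALLOW):
    """Return the gateway's verdict for one flow as a dict."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.proto == proto and rule.port == port and dst in rule.dst_net:
            # Allowed: the peer sees the published address, not the pod.
            return {"action": "allow", "rule": rule.name,
                    "src": PUBLISHED_SRC[namespace], "dst": f"{dst_ip}:{port}/{proto}"}
    # No rule matched: default deny. Keep the real source so the drop can be
    # attributed to the offending pod in the gateway log.
    return {"action": "drop", "rule": None, "src": src_ip,
            "dst": f"{dst_ip}:{port}/{proto}"}


# Constructed sample flows from an SMF pod (10.244.3.17). The third is the
# case the slide warns about: a pod reaching an Internet address directly.
SAMPLE_FLOWS = (
    ("smf", "10.244.3.17", "10.20.0.5", "tcp", 443),
    ("smf", "10.244.3.17", "10.30.5.2", "udp", 8805),
    ("smf", "10.244.3.17", "203.0.113.7", "tcp", 443),
    ("smf", "10.244.3.17", "10.30.5.2", "tcp", 22),
)


def audit(flows=SAMPLE_FLOWS):
    """Evaluate every flow and return (verdicts, dropped) for review."""
    verdicts = [evaluate_egress(*flow) for flow in flows]
    dropped = [v for v in verdicts if v["action"] == "drop"]
    return verdicts, dropped


if __name__ == "__main__":
    verdicts, dropped = audit()
    for v in verdicts:
        print(f'{v["action"]:5} {v["src"]} -> {v["dst"]} ({v["rule"]})')
    print(f"{len(dropped)} of {len(verdicts)} flows dropped by default-deny")
```

The fourth flow (SSH toward a UPF address) is dropped even though the UPF network is on the allowlist, because the allowlist is keyed on protocol and port as well as destination; an egress policy that only lists destination networks would have let it through.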
14. Simplify, Scale and Secure NF Communication with Service Communication Proxy (SCP)
[Section divider: Release 15, Service Based Architecture; Release 16, Enhanced Service Based Architecture]
15. What's New in 3GPP Release 16
5G SA Core control plane communication model options
3GPP Release 15: with or without NRF interaction
• Model A, direct communication without NRF: NF consumers are configured with the producers and perform producer selection themselves.
• Model B, direct communication with NRF: every NF consumer interacts with the NRF for service discovery and has to support caching of discovery results and producer selection.
3GPP Release 16: SCP for routing, selection and load balancing
• Model C, SCP without delegated discovery: the SCP aggregates the HTTP connections and provides centralized signaling monitoring.
• Model D, SCP with delegated discovery: in addition to Model C, the SCP takes over service discovery and selection for NF consumers, so consumers need not discover or select producers.
16. Service Communication Proxy (SCP)
Helps to build a reliable, robust and secure 5G Standalone Core
[Diagram: many 5G NFs connected through a single SCP instead of to each other]
SIMPLIFY
• Move away from a full mesh between all Network Functions (NFs) by acting as a hub/proxy for all NF traffic.
SCALE
• Real-time traffic management and network scalability
• Interworking functions to simplify inter-vendor deployments
SECURE
• Secure communications with mTLS protection and OAuth 2.0 authentication between NFs
• Restrict unknown connections or abnormal traffic flows
17. SCP+: Intelligently and Securely Simplify 5G Core Operation
Leading the movement toward using AI/ML mechanisms, F5 SCP+ increases network resiliency.
[Diagram: 5G NFs around SCP+, with data collection feeding the functions below]
1. Intelligent load balancing to maximize 5G service availability and minimize 5G service disruption
2. Advanced overload protection to improve network resiliency
3. 5G-aware DDoS protection with deep insights
4. 5G-aware metrics that provide deep insight into transient events and feed visibility into encrypted SBI traffic
18. SCP+: Bridging 4G/5G in Multiple Domains
Support for 4G/5G telco protocols to reduce complexity and integration effort for 4G/5G services.
[Diagram: 5G NFs send Nxxx request messages (HTTP/2) to SCP+, which converts them to Diameter request messages toward 4G nodes; Diameter messages from 4G nodes are mapped back to Nxxx messages (HTTP/2) toward the 5G NFs.]
19. 5G SBA Secure Signaling Flow
Mitigate spoofed messages from unknown or abnormal traffic flows. SIMPLIFY, SCALE, SECURE.
[Diagram: NF consumer set and NF producer set on either side of the SCP, NRF issuing tokens; an unknown consumer is blocked (X) at the SCP]
1. The consumer interacts with the NRF first for discovery and then for authorization (OAuth 2.0), and sends the service request with the access token embedded to the SCP over mTLS.
2. TLS connections terminate in the SCP: it decrypts traffic from the NF consumer and re-encrypts it toward the NF producers.
3. The SCP verifies the "Subject" in the token against the information present in the consumer's TLS certificate* and presents to the producer a valid access token that was issued to the NF service consumer.
4. The SCP supports TLS 1.2/1.3 to transport the tokens securely in 5G signaling, which makes it easier to terminate security directly in front of the network function.
5. The NF producer verifies the integrity of the access token before granting the NF service consumer access to its services; the service request is passed on after successful verification.
6. Unknown consumer: the SCP identifies unknown or abnormal traffic flows, restricts connections from any unknown peer and drops the message.
* Verify the "Subject" in the token
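The check in step 3 is the one that stops a stolen token from being replayed by some other peer, and it is easy to get wrong, so here is a worked version. This is an added example, not F5's code and not text from 3GPP: it models an NRF issuing a JWT access token to an NF consumer and an SCP verifying the token and comparing its "sub" claim with the NF instance ID in the consumer's TLS certificate before forwarding. Two things are assumptions rather than taken from the slide: the token is HS256-signed with a shared secret (a stand-in for the NRF's asymmetric key), and the consumer's NF instance ID is carried as a URI SAN of the form "urn:uuid:<id>", presented here in the tuple layout that Python's ssl.SSLSocket.getpeercert() returns. All identities and certificates are constructed.

```python
"""Binding an OAuth 2.0 access token to the consumer's mTLS identity.

Added example, not F5's or 3GPP's code. The NRF mints a JWT for an NF
consumer; the SCP checks signature, expiry and audience, then requires the
token's "sub" to equal the NF instance ID in the peer's TLS certificate.
Assumptions: HS256 with a shared secret stands in for the NRF's key, and
the NF instance ID is a URI SAN "urn:uuid:<id>" as getpeercert() returns it.
"""
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """NRF side: mint a compact JWT (header.payload.signature)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def nf_instance_id_from_peercert(peercert: dict):
    """Extract the NF instance ID from a URI SAN in a getpeercert()-style dict."""
    for san_type, value in peercert.get("subjectAltName", ()):
        if san_type == "URI" and value.lower().startswith("urn:uuid:"):
            return value[len("urn:uuid:"):].lower()
    return None


def verify_request(token: str, peercert: dict, secret: bytes, producer_nf_type: str, now: int):
    """SCP side: (allowed, reason) for one service request arriving over mTLS."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    try:
        # Constant-time compare: a forged signature must not leak how close it was.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "malformed token"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("aud") != producer_nf_type:
        return False, "audience mismatch"
    # The slide's check: the token must have been issued to the NF that is on
    # the other end of this TLS connection, or any peer that can reach the SCP
    # could replay a stolen token.
    cert_id = nf_instance_id_from_peercert(peercert)
    if cert_id is None:
        return False, "no NF instance ID in peer certificate"
    if str(claims.get("sub", "")).lower() != cert_id:
        return False, "token subject does not match TLS peer"
    return True, "forward to producer"


# Constructed identities and certificates (not real network data).
NRF_SECRET = b"nrf-signing-key-for-example-only"
AMF_ID = "8f2f4c1e-7a3b-4d0e-9f21-2a6b5c7d8e90"
ROGUE_ID = "11111111-2222-4333-8444-555555555555"
AMF_CERT = {"subjectAltName": (("DNS", "amf1.5gc.example"), ("URI", f"urn:uuid:{AMF_ID}"))}
ROGUE_CERT = {"subjectAltName": (("URI", f"urn:uuid:{ROGUE_ID}"),)}


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the accept path and the rejections a practitioner expects to see."""
    token = issue_token(NRF_SECRET, {"iss": "nrf-1", "sub": AMF_ID, "aud": "UDM",
                                     "scope": "nudm-sdm", "iat": now - 60, "exp": now + 3600})
    header, _payload, sig = token.split(".")
    forged = json.dumps({"sub": ROGUE_ID, "aud": "UDM", "exp": now + 3600}).encode()
    tampered = f"{header}.{_b64url_encode(forged)}.{sig}"  # claims edited, old signature kept
    return {
        "legit_amf": verify_request(token, AMF_CERT, NRF_SECRET, "UDM", now),
        "replayed_by_rogue_nf": verify_request(token, ROGUE_CERT, NRF_SECRET, "UDM", now),
        "wrong_producer": verify_request(token, AMF_CERT, NRF_SECRET, "PCF", now),
        "expired": verify_request(token, AMF_CERT, NRF_SECRET, "UDM", now + 7200),
        "tampered_claims": verify_request(tampered, ROGUE_CERT, NRF_SECRET, "UDM", now),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:22} {'ALLOW' if ok else 'DROP '} {reason}")
```

The "replayed_by_rogue_nf" case is the point of step 3: the token is genuine, unexpired and addressed to the right producer, so signature and audience checks alone would accept it; only the comparison against the TLS peer's NF instance ID rejects it.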
20. Securing Distributed 5G Network Deployment
E.g. handling interaction between different network locations or domains. SIMPLIFY, SCALE, SECURE.
[Diagram: 5G edge and 5G core as separate domains]
21. 5G Core Security with an Onion Model with SCP and SPK
Telco Cloud
• All CNF traffic goes via an ingress/egress proxy
• Proxy deployed as separate pod(s) within the CNF namespace
• Proxy deployment model is the same for external, inter-cluster and intra-cluster traffic
[Diagram: three Kubernetes clusters, each with its own Kubernetes control plane, each NF in its own namespace with its own SPK, SBI between NFs over mTLS]
• Non-exposed services cluster: NSSF, NRF, PCF, CHF
• Secure services cluster: UDM, AUSF
• Exposed services cluster: AMF, NEF, SEPP, SMF, UPF, IPUPS
• Clusters connected through SCP+ with inter-cluster security (inter-cluster firewalls); management access behind API/management firewalling (API-FW)
• External edges: N2 from the (potentially shared) RAN access network through a SCTP proxy, SCTP-FW and SECGW; N9 (IPUPS) and N32 (SEPP) toward other networks; N6 behind an N6-FW; N33 (NEF) behind an API-FW; Diameter behind a SIG-FW; TCP proxy for SBI
• CHF info to OCS via NEF or via a direct CAPIF link