1. Introduction

With the rise of 5G technology, virtual mobile networks (VMNs) are becoming an important part of modern communications, bringing unprecedented flexibility and efficiency to mobile communications. However, the widespread adoption of these technologies also brings new challenges, one of which is the security of virtual mobile networks. Technologies such as virtualization, software-defined networking (SDN) and network slicing bring high flexibility, but they also raise new concerns about data and communication security. This article introduces the key issues in VMN security, identifies the threats facing modern communication infrastructure, and proposes strategies and innovations to address these challenges. It will help you gain a deep understanding of the core issues of VMN security and how to deal with them.

General Overview

Virtual mobile networks (VMNs) leverage cloud computing, network function virtualization (NFV) and software-defined networking (SDN) to deploy network functions efficiently and scale resources when needed, providing a unified platform for network management and thereby achieving Telecom Network as a Service (TaaS). As shown in the figure, by leveraging network and virtualization technologies, a slice, such as the vehicle-to-everything (V2X) experimental slice, can be generated to provide diverse services on the same shared infrastructure.

Figure 3: SDN-enabled slice and security function layout

Therefore, the security of VMNs depends on the security of SDN, cloud platforms, and most importantly, the virtualization technology NFV. Virtualization of communication networks makes it possible to deploy multiple services on the same physical infrastructure, and it enables generic commodity systems to run one or more different virtual network functions (VNFs).
Network function virtualization (NFV), the implementation of network functions in software for deployment on generic network equipment, has led to the rise of virtual network functions (VNFs) [1]. NFV has subsequently become an important technology for 5G and beyond networks [2]. In the future, new verticals will span multiple operator environments to provide new services such as e-health, smart homes, and vehicle-to-vehicle communications.

Software-defined networking (SDN) is one of the main enabling technologies for VMNs due to its ability to provide abstraction of the physical network infrastructure [3]. SDN separates network control from data forwarding elements, introduces network programmability, and logically centralizes network control in one location for management of the entire network. These features make the network more powerful, simplify network management, and minimize operational expenses. However, these features also open the door to new security vulnerabilities and challenges. SDN greatly facilitates NFV in the deployment of VNFs while providing support in the network infrastructure, so SDN and NFV are highly complementary [4]. Since all these technologies are highly related and interdependent, the following sections discuss the security challenges they face and their possible solutions.

2. NFV Security Challenges

In virtual mobile networks (VMNs), the security challenges faced by network function virtualization (NFV) mainly concern hypervisors, virtual machines (VMs), and virtual network functions (VNFs). Virtualization threats have emerged recently, and the availability, integrity, and confidentiality of hardware and software in VMNs may be threatened. In VMNs, the hypervisor is a central entity responsible for creating virtual instances on hardware.
Security threats may originate from security weaknesses in software implementation, VNF configuration, hypervisors, and cloud platforms, as well as direct attacks on VNFs such as side-channel attacks, flooding attacks, and malware injection [5]. Trust management becomes another serious issue due to the dynamic nature of VNFs. Since VNFs can move between multiple networks and are supported by cloud platforms maintained by different owners and operators [5], they may become targets of attacks. The targets of such attacks include user traffic, VNF code and policy inputs, and the state of the VNF. Attackers may exploit the inherent limitations of the operating environment, including its software and hardware [6], to carry out these attacks. In addition, if standard interfaces are not defined, more serious security challenges may arise [7].

Security Solutions for NFV

As with centralized or core network elements, the NFV hypervisor must be protected through proper authentication, authorization, and accountability mechanisms, and security mechanisms must be implemented to ensure availability. Security verification checks on VNF packages can avoid introducing security vulnerabilities into the entire system. Therefore, there are multiple proposals to incorporate confidentiality checks on VNF packages, through proper authentication and integrity verification, into NFV systems. There are also other proposals to protect the system from malicious VNFs. For example, the authors of [8] proposed and demonstrated a verification system to protect the security attributes of different VNFs in the NFV infrastructure (NFVI) using the standard TOSCA [9] data model.

3. Network Slicing Security Challenges

Network slicing brings innovation to mobile communications by enabling resource sharing in 5G networks, but it also brings new challenges to security and privacy protection.
Since slicing is a new concept in mobile networks, design and implementation errors similar to those in service-based architecture (SBA) may occur. In the lifecycle management of slices, slice templates, slice configuration APIs, and user data processing may become targets of attack. When slices are running, they may face risks such as denial-of-service (DoS) attacks, performance attacks, data leakage, and privacy violations. Potential attack points cover user devices, service interfaces, sub-slices, slice managers, network functions, and the various network resources involved in network slicing. Inter-slice communication scenarios also bring additional security risks to the network [10]. In addition, new network functional areas such as slice management, slice isolation, security differentiation between slices, and the interaction between the evolved packet core (EPC) and the 5G core network (5GC) during the slicing process also face potential mobile network security threats [11].

Network Slicing Security Solutions

To provide consistent and efficient security for all 5G network slices, special attention should be paid to methods and technologies that ensure end-to-end slice security, slice isolation, and slice resource management and orchestration. For different slicing scenarios, new trust models need to be developed to facilitate resource sharing between the various actors involved in the slice and the network [10]. At the same time, a strong isolation mechanism is needed to minimize the impact of a malicious slice on other slices and on virtualization hypervisors [12]. The security of different slices in the network can be improved by actively monitoring network traffic, identifying suspicious and malicious activities in a timely manner, and stopping inbound traffic using SDN concepts.

4. Security Challenges of Software-Defined Networking

The separation of data and control planes, centralized control, and network programmability (via programmable APIs) present security challenges for SDNs [13]. For example, an attacker could exploit the inter-plane communication channel to impersonate one plane and launch an attack against another plane. In addition, the presence of a centralized controller makes it a potential target for DoS and resource exhaustion attacks, as demonstrated by fingerprinting the timestamps [14] or round-trip times [15] of live packets in the network. As a result, attacks against network control points in SDNs are relatively easy to carry out. In addition, the fact that SDNs allow applications to program or change network behavior may give malicious programs the opportunity to surreptitiously manipulate network resources, such as redirecting traffic to botnets or hackers or stealing user traffic. In virtual mobile networks (VMNs), the threat level of malware that can manipulate the network is higher because such malware is more difficult to find.

Software-Defined Networking Solutions

To protect networks from SDN attacks, it is first necessary to overcome the weaknesses of traditional SDN architectures. For example, by logically centralizing but physically decentralizing network control, it is possible to protect against resource exhaustion attacks and ensure that network control points always remain available to the data plane [16]. To achieve this resilience, a variety of strategies can be adopted, including decomposing controller functions, such as implementing local decision making [17], adopting hierarchical controllers [18], increasing resources and improving resource capabilities, and leveraging intelligent security systems equipped with machine learning (ML) to take proactive preventive measures before attacks reach network weak points [12]. In addition, SDN can also be used to improve the security of virtual networks [19].
By leveraging the virtual machine (VM) migration technology of SDN, resources can be moved to a secure area. For example, in the face of DoS attacks, by monitoring the load status in the SDN forwarding plane (such as the packet counter values in the flow table), VM migration can be performed effectively in real time, thereby improving scalability. Compared with traditional networks, SDN solves the problems faced by real-time VM migration, such as unpredictable network status and VM migration being limited to the local area network (LAN). It does so through programmable APIs for programming the network in real time from a centralized control platform, and through its independence from the layered IP protocol stack. Therefore, strengthening the resilience of SDN helps to improve the security of virtual mobile networks (VMNs) [13].

5. Summary

This article explores the key issues in the security of virtual mobile networks (VMNs) in depth, with a particular focus on the challenges posed to network security by emerging technologies such as 5G, network function virtualization (NFV), software-defined networking (SDN), and network slicing. The introduction of 5G enables VMNs to share physical infrastructure more flexibly, but it also introduces new security issues, such as the surge in flash network traffic, the security of wireless interfaces, and user plane integrity. Network slicing facilitates resource sharing, and NFV and SDN provide greater flexibility for the network, but they make VMNs more complex and bring new security threats. This article also explores security solutions to these challenges, including protection of NFV, end-to-end security assurance of network slices, and attack prevention measures in SDN. It emphasizes the importance of proper authentication, authorization, and accountability mechanisms and of security verification checks, and points out that measures such as distributed control, resource addition, and machine learning in SDN can improve the resilience and security of the overall network.

References

[1] B. Yi, X. Wang, SK Das, K. Li, and M. Huang, "A comprehensive survey of network function virtualization," Comput. Netw., vol. 133, pp. 212–262, Mar. 2018.
[2] FZ Yousaf, M. Bredel, S. Schaller, and F. Schneider, "NFV and SDN—Key technology enablers for 5G networks," IEEE J. Sel. Areas Commun., vol. 35, no. 11, pp. 2468–2478, Nov. 2017.
[3] G. Biczok, M. Dramitinos, L. Toka, PE Heegaard, and H. Lonstethagen, "Manufactured by software: SDN-enabled multi-operator composite services with the 5G exchange," IEEE Commun. Mag., vol. 55, no. 4, pp. 80–86, Apr. 2017.
[4] J. Matias, J. Garay, N. Toledo, J. Unzilla, and E. Jacob, "Toward an SDN-enabled NFV architecture," IEEE Commun. Mag., vol. 53, no. 4, pp. 187–193, Jan. 2015.
[5] I. Ahmad, T. Kumar, M. Liyanage, J. Okwuibe, M. Ylianttila, and A. Gurtov, "Overview of 5G security challenges and solutions," IEEE Commun. Standards Mag., vol. 2, no. 1, pp. 36–43, Mar. 2018.
[6] E. Marku, G. Biczok, and C. Boyd, "Towards protected VNFs for multioperator service delivery," in Proc. IEEE Conf. Netw. Softw. (NetSoft), Jun. 2019, pp. 19–23.
[7] W. Yang and C. Fung, "A survey on security in network functions virtualization," in Proc. IEEE NetSoft Conf. Workshops (NetSoft), Jun. 2016, pp. 15–19.
[8] M. Pattaranantakul, Y. Tseng, R. He, Z. Zhang, and A. Meddahi, "A first step towards security extension for NFV orchestrator," in Proc. ACM Int. Workshop Secur. Softw. Defined Netw. Netw. Function Virtualization, New York, NY, USA, Mar. 2017, p. 25.
[9] Tosca Simple Profile for Network Functions Virtualization (NFV) Version 1.0, TOSCA, Atlanta, GA, USA, 2015.
[10] RF Olimid and G. Nencioni, "5G network slicing: A security overview," IEEE Access, vol. 8, pp. 99999–100009, 2020.
[11] J. Cao, M. Ma, H. Li, R. Ma, Y. Sun, P. Yu, and L. Xiong, "A survey on security aspects for 3GPP 5G networks," IEEE Commun. Surveys Tuts., vol. 22, no. 1, pp. 170–195, 1st Quart., 2020.
[12] M. Liyanage, I. Ahmad, AB Abro, A. Gurtov, and M. Ylianttila, A Comprehensive Guide to 5G Security. Hoboken, NJ, USA: Wiley, 2018.
[13] I. Ahmad, S. Namal, M. Ylianttila, and A. Gurtov, "Security in software defined networks: A survey," IEEE Commun. Surveys Tuts., vol. 17, no. 4, pp. 2317–2346, 4th Quart., 2015.
[14] A. Azzouni, O. Braham, TM Trang Nguyen, G. Pujolle, and R. Boutaba, "Fingerprinting OpenFlow controllers: The first step to attack an SDN control plane," in Proc. IEEE Global Commun. Conf. (GLOBECOM), Dec. 2016, pp. 1–6.
[15] H. Cui, GO Karame, F. Klaedtke, and R. Bifulco, "On the fingerprinting of software-defined networks," IEEE Trans. Inf. Forensics Security, vol. 11, no. 10, pp. 2160–2173, Oct. 2016.
[16] E. Sakic, N. Ðerić, and W. Kellerer, "MORPH: An adaptive framework for efficient and Byzantine fault-tolerant SDN control plane," IEEE J. Sel. Areas Commun., vol. 36, no. 10, pp. 2158–2174, Oct. 2018.
[17] JC Mogul, J. Tourrilhes, P. Yalagandula, P. Sharma, AR Curtis, and S. Banerjee, "DevoFlow: Cost-effective flow management for high performance enterprise networks," in Proc. 9th ACM SIGCOMM Workshop Hot Topics Netw., 2010, pp. 1–6.
[18] MA Togou, DA Chekired, L. Khoukhi, and G.-M. Muntean, "A hierarchical distributed control plane for path computation scalability in large scale software-defined networks," IEEE Trans. Netw. Service Manage., vol. 16, no. 3, pp. 1019–1031, Sep. 2019.
[19] M. Liyanage, I. Ahmad, M. Ylianttila, A. Gurtov, AB Abro, and EM de Oca, "Leveraging LTE security with SDN and NFV," in Proc. IEEE 10th Int. Conf. Ind. Inf. Syst. (ICIIS), Dec. 2015, pp. 220–225.
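
The flow-table packet-counter monitoring described under Software-Defined Networking Solutions, which also serves the traffic monitoring suggested for slices, is shown here as an added example; it is not code from the article or its references. The poll format, addresses, thresholds and the handling of counter resets are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: two polls of one switch's flow table, INTERVAL_S apart.
# Key = (source IP, destination VM IP) match; value = cumulative packet counter.
INTERVAL_S = 10
POLL_1 = {
    ("198.51.100.7", "10.0.0.5"): 1200,
    ("198.51.100.8", "10.0.0.5"): 900,
    ("203.0.113.9", "10.0.0.6"): 50000,
    ("192.0.2.4", "10.0.0.6"): 400,
}
POLL_2 = {
    ("198.51.100.7", "10.0.0.5"): 1500,
    ("198.51.100.8", "10.0.0.5"): 1000,
    ("203.0.113.9", "10.0.0.6"): 30000,   # lower than before: entry was reinstalled
    ("192.0.2.4", "10.0.0.6"): 20400,
    ("192.0.2.5", "10.0.0.6"): 25000,     # entries that did not exist at poll 1
    ("192.0.2.6", "10.0.0.6"): 15000,
}

def packet_deltas(prev, curr):
    """Packets counted per flow entry between two polls."""
    deltas = {}
    for match, count in curr.items():
        before = prev.get(match, 0)  # new entry: its whole counter is new traffic
        # Assumption: a counter that went down means the entry expired and was
        # reinstalled, so the current value is the traffic since reinstallation.
        deltas[match] = count - before if count >= before else count
    return deltas

def overloaded_destinations(prev, curr, interval_s, pps_limit, min_sources):
    """Destinations whose aggregate packet rate and source fan-in look like a flood."""
    packets, sources = defaultdict(int), defaultdict(set)
    for (src, dst), delta in packet_deltas(prev, curr).items():
        if delta > 0:
            packets[dst] += delta
            sources[dst].add(src)
    findings = []
    for dst, total in packets.items():
        pps = total / interval_s
        if pps > pps_limit and len(sources[dst]) >= min_sources:
            # Candidate for the response the text describes: migrate the VM,
            # or install drop rules for the listed sources.
            findings.append({"dst": dst, "pps": pps, "sources": sorted(sources[dst])})
    return sorted(findings, key=lambda f: f["pps"], reverse=True)

if __name__ == "__main__":
    for f in overloaded_destinations(POLL_1, POLL_2, INTERVAL_S, 5000, 3):
        print(f"{f['dst']}: {f['pps']:.0f} pps from {len(f['sources'])} sources")
```

Requiring both a rate limit and a minimum number of distinct sources keeps a single heavy but legitimate flow from triggering a migration on its own.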