5G core network, who is responsible for your security?

As we all know, in the 5G era, we are greeted by a world where everything is connected. With the continuous development of the Internet of Things, more and more devices need to access the 5G network, but this also means that these devices will become potential targets for attacks by criminals. Have you ever thought that in the era of the Internet of Things, viruses may infect cars in motion and smart home devices in use... When a large number of terminals access the core network through the transmission network, who will ensure the security of the 5G core network (5GC)?

5GC Threat Analysis

The above scenario may be just a microcosm of the security threats facing 5GC. 5GC is built on a cloud architecture: by introducing virtualization it decouples software from hardware, and with NFV it deploys virtualized network elements on cloud infrastructure instead of proprietary telecom hardware platforms. The closed physical environment that was once assumed to be safe is therefore no longer safe.

  • At the infrastructure layer (NFVI), in addition to traditional physical security risks, virtualization security threats are more noteworthy, such as virus and Trojan attacks on virtualized cloud platforms, abuse of virtual resources, and malicious destruction of virtual machines and images.
  • At the network element function layer (VNFs), there are attacks such as illegal users accessing the network, monitoring and tampering of communication data between network elements, and traffic fraud against roaming users.
  • At the management and orchestration layer (MANO), there are security threats to the management plane, including illegal user access, malicious operations by insiders, privilege abuse attacks, and personal data privacy exposure.

Since 5GC has many potential risks, can't criminals or hackers do whatever they want? No way!

5GC Security Architecture

In response to the above threats, a 5GC security architecture based on 5G security specifications is proposed.

This security architecture looks quite complicated!

Next, I will explain the 5GC security architecture from the following five aspects.

If the 5GC network is compared to the national highway network and the data in the network is compared to the vehicles passing through, we can simply make an analogy between the several levels of the 5GC security architecture.

(1) Access security

Access security is like the annual vehicle inspection by the vehicle management office. Only vehicles that meet safety requirements can be on the road. Similarly, when various user equipment (UE) access the 5G core network through the base station (NR), the 5G core network will perform access authentication and access control on the user equipment, and perform data encryption and integrity protection during data transmission.

In the 5GC system, a two-way authentication method is used to ensure that the access device accesses the real and secure 5G core network, and access to "fake base stations" is prevented. At the same time, the access device is authenticated through UDM and AUSF. For 3GPP access and non-3GPP access, a unified access process and authentication method are adopted, and multiple different authentication methods such as EPS-AKA, 5G-AKA, and EAP-AKA' are supported. The 5G authentication process enhances the control of the home network and prevents possible fraud in the visited network.

(2) Network security

The 5GC network achieves network security by dividing different network planes and transmitting different types of data. Data on a certain network plane will not run to other network planes. This is similar to the existence of expressways and national and provincial roads between cities, and BRT dedicated lanes within cities, which reflects the value of classified management.

(3) Management Security

Management security is like the function provided by the Traffic Management Bureau: managing traffic and serving the vast number of vehicles. Traffic police in different areas are responsible for traffic safety in their respective areas. Similarly, 5GC NFs are managed and orchestrated through MANO. MANO supports decentralized and domain-based security management scenarios.

  • Decentralized management: Users of different levels are given different operating permissions, so that each user can only see and manage what their level allows. In the system, permissions are operation sets. The system has default operation sets for security administrator, administrator, operator, monitor, and maintainer, and operation sets can also be customized.
  • Domain management: The data or operation maintenance functions of the centralized control nodes are divided into multiple virtual management entities according to the management domain to achieve user management in different domains. The system supports the domain dimensions of region (administrative region), business domain (manufacturer, profession, network element type), and resource pool (resource pool and tenants under the resource pool).

(4) Capability exposure security

5GC supports network capability exposure: network capabilities are exposed to third-party applications through capability exposure interfaces, so that third parties can design customized network services according to their own needs. Capability exposure security focuses on protecting these exposed interfaces and uses secure protocol specifications. When third-party user devices access through APIs, authentication is required.

(5) Data security

Data in the 5G era is characterized by large data volume, multiple data types, and wide exposure, so it is crucial to establish a 5GC data security system to protect the security of 5G data. The 5GC data security system is established based on the data protection principles of data minimization, anonymization, encrypted transmission, and access control.

Service-Oriented Architecture Security

Since 5GC adopts a service-oriented architecture, in order to address the security risks brought by the new service-oriented architecture, the 5GC security architecture adopts a complete service registration, discovery, and authorization security mechanism to ensure service-oriented security.

  • In the NF registration and discovery process, a two-way authentication method is used between NRF and NF. After the NRF and NF are successfully authenticated, NRF determines whether the NF is authorized to perform the registration and discovery process.
  • In non-roaming scenarios, that is, within the same PLMN, a token-based authorization mechanism is used between the NFs in the 5G core network control plane, and NF service consumers need to be authenticated before accessing the service API.
  • In the roaming scenario, that is, when NF authorization crosses PLMNs, the vNRF in the visited network and the hNRF in the home network need to be bidirectionally authenticated.
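As an added illustration (not code from the article or from ZTE) of the token-based authorization just described, the snippet below models the NRF minting an access token for an NF service consumer and the NF service producer checking it before serving the API call. The claim names (iss, sub, aud, scope, exp) follow the 3GPP Nnrf_AccessToken token; the HS256 signature with a shared key, the NF instance names and the service names are assumptions made to keep the example self-contained.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the NRF (issuer) and the NF producer
# (verifier). Real deployments provision keys out of band and commonly
# use asymmetric signatures; HS256 is used here only for self-containment.
NRF_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def nrf_issue_token(consumer_id, producer_nf_type, scope, ttl=300, now=None):
    """NRF side: after the consumer NF has been authenticated and is found
    authorized for the requested service, mint a short-lived access token."""
    now = int(time.time()) if now is None else now
    claims = {"iss": "nrf-instance-1", "sub": consumer_id, "aud": producer_nf_type,
              "scope": scope, "exp": now + ttl}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(NRF_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def producer_verify_token(token, my_nf_type, requested_service, now=None):
    """NF producer side: check signature, expiry, audience and scope before
    serving the service API. Returns (ok, consumer_id_or_reason)."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(NRF_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"  # tampered token or wrong issuer key
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("aud") != my_nf_type:
        return False, "audience mismatch"  # token minted for another NF type
    if requested_service not in claims.get("scope", "").split():
        return False, "service not in scope"
    return True, claims["sub"]
```

The producer never trusts the consumer's own claim of identity; only a token the NRF signed, still valid, addressed to this NF type and covering the requested service is accepted.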

Virtualization Platform Security

The virtualization platform provides the deployment, management, and execution environment for all 5G core network NFs. To achieve virtualization platform security, Hypervisor plays an important role:

  • Hypervisor manages physical resources in a unified manner, ensuring that each virtual machine can obtain relatively independent computing resources and achieving isolation between physical resources and virtual resources.
  • All I/O operations of the virtual machine will be intercepted and processed by the Hypervisor. The Hypervisor ensures that the virtual machine can only access the physical disk allocated to the virtual machine, thereby isolating the hard disks of different virtual machines.
  • Hypervisor is also responsible for scheduling vCPU context switching, so that the virtual machine operating system and application programs run at different instruction levels (Rings), ensuring isolation between the operating system and application programs.

For users, by configuring different VDCs, communication isolation between virtual machines can be achieved. By configuring security groups, end users can control the intercommunication and isolation relationship of virtual machines to enhance the security of virtual machines.

Conclusion

Now, you know how the security of the 5G core network is guaranteed. The 5GC security architecture proposed by ZTE ensures the security of the 5GC network from the aspects of access security, network security, management security, data security, and capability exposure security, greatly reducing security threats such as illegal access of user devices and leakage of communication data between network elements. In addition, for multi-access edge computing (MEC) scenarios, ZTE has proposed MEC security architecture and solutions to ensure the security of the core network in MEC scenarios.
