Overview: 5G Cybersecurity Architecture

5G technology is transforming how people and machines operate in the physical and virtual world. Because of 5G, things that weren’t possible. Cybersecurity professionals must serve as guardians of 5G technology to ensure that, as it is evolving, people and organizations can safely deploy it.
The NCCoE at NIST has built a laboratory where cyber engineers are designing a solution that operators and users of 5G networks can use to lessen 5G cybersecurity risks.

Reference System Architecture Description / Components

5G High-Level Architecture

  1. User equipment (UE) (i.e., mobile devices using the 5G network); radios and antennas; and baseband units (BBUs) known as gNodeBs (gNBs), which generate RF signals.
  2. Backhaul network: the connection between the radio access network (cell sites) and the core network (data center). Terminating the backhaul network is an optional security gateway, depicted as a firewall. This firewall provides an IPsec tunnel for protecting signaling and user plane communications between the radio access network and the 5G packet core.
  3. The 5G packet core consists of numerous 5G network functions with various responsibilities (e.g., authentication, mobility, charging). The data center also provides basic services required for configuring, managing, and maintaining all network components. This includes both infrastructure services.
  4. Data network: the right side of the diagram depicts a firewall connecting the data center to the data network. This firewall protects network functions within the core network in the data center from Internet Protocol (IP)-based attacks from the internet.
  5. Network testing nodes: enable end-to-end validation of converged wireless and wired infrastructure, services, and security functionality.


2- System Architecture Components

  • Dell Technologies: Dell Technologies has leveraged its hardware, which is designed to telco-grade specifications, and is leveraging validated configurations to support the Nokia software elements to deliver critical hardware components within the infrastructure (Dell PowerEdge 650/750 servers and Dell EMC PowerSwitch 3048, 4048, and 5232-ON switches).

  • MiTAC Aowanda edge server

  • AMI TruE: AMI’s security management solution, designed to manage data center and edge infrastructure hardware resources. The backend application services discover and collect resource information from lower-level hardware layers and expose it via an intuitive web-based user interface. Administrators can also perform administrative operations such as overriding the boot source, provisioning, and power operations.

  • Network Infrastructure

NCCoE Lab Network Infrastructure


  • Secure Firewall (Security Gateway): Secure Firewall is a layer 3/4 stateful firewall used to provide IPsec for the network’s backhaul connection in accordance with 3GPP specifications. The device allows or blocks traffic based on state, port, and protocol. It monitors all activity from the opening of a connection until it is closed. It enforces filtering decisions based on both administrator-defined rules and context.
  • Nokia (5G System): 3GPP is standardizing a set of different 5G deployment solutions based on whether the 5G NR access is used as an independent radio system in standalone (SA) mode or is combined with a parallel LTE access network, using a technology called “Multi-Radio Access Technology - Dual Connectivity” (MR-DC), in non-standalone (NSA) mode. In NSA mode, one access technology is used as the “Master” system while the other is used as a “Secondary” system. Radio bearers may be either carried over a single radio access system or split and then delivered using a combination of both radio access technologies.

Multiple deployment options may be supported on the same network
5G Standalone system architecture

  • 5G Access Network: The Access Network component is expected to enable the following security capability demonstrations:
      • 1.1, Subscription Permanent Identifier (SUPI) Protection
      • 1.2, Reallocation of Temporary IDs
      • 1.3, Initial NAS Message Security
      • 1.4, No SUPI-Based Paging
      • 1.5, Respond to Identity Request with SUCI
      • 1.6, User Plane Integrity Protection
      • 1.7, Cryptographic Algorithms Recommended Practice
      • 1.8, IPsec/NDS IP
  • Backhaul Transport Components: Backhaul transport between the gNB cell sites and the 5G Core Network is provided by the Nokia 7705 SAR8v2 Service Aggregation Router at the cell site and the Nokia 7750 SR-a8 Service Router as a core aggregation router at the cloud location.
  • 5G Core: The heart and brains of the 5G system is the Nokia 5G Core (5GC). As shown in Figure, the 5GC is primarily containerized, consisting of cloud-native network functions deployed in the Nokia Container Services cloud infrastructure based on Kubernetes. One NF is virtualized and is deployed in a VMware-based cloud. The 3GPP network functions comprising the 5GC are described below, including the association with the corresponding Nokia product, as shown in figure.
  • Services: 5G networks can enable a broad range of telecommunication services in addition to traditional voice, basic text messaging, and web access services.
  • Cloud Infrastructure: The 5G Core consists of cloud-native network functions deployed as containers. The cloud infrastructure orchestrating the containerized core is the Nokia Container Services (NCS), a platform providing Container-as-a-Service (CaaS) functionality.
  • Network Security Applications: It manages user identities and permissions, and it provides for activity monitoring. Centralized security management provides several capabilities, including:
      • Separation of users from actual device credentials
      • User groups
      • Device grouping to manage large networks
      • Monitoring of all active sessions and live keystroke mirroring
      • Account lock-out support
      • Alarm generation
      • Centralized log management
      • Full native logging of command line sessions
      • Video logging of all GUI sessions
      • Compliance with law enforcement requirements


