Huawei has adopted various measures to assure the security of the 5G core network in practice, ranging from security standards to slice access and management security.
5G core networks enhance the key hierarchy and roaming security mechanisms used in 4G:
- In terms of key hierarchy, 5G inherits the UE access authentication and key derivation framework, as well as NAS signaling encryption and integrity protection for UE access. 5G enhances access authentication by defining a unified authentication framework for both 3GPP and non-3GPP access and by supporting EAP Authentication and Key Agreement (EAP-AKA) and 5G AKA for enhanced security.
- Roaming partner networks have access to the home core network, which introduces risk. To address this risk, the SEPP can be deployed on 5G networks to provide the following security protection functions for signaling messages at the roaming boundaries: topology hiding, message filtering, TLS channels, and application-layer security protection for roaming messages that traverse Internet Packet Exchange (IPX) networks. This prevents data breaches and unauthorized tampering at the transport and application strata, thereby enhancing the confidentiality and integrity of both transport and data.
- 5G also provides security requirements and functions for user access authentication on the home operator networks to address the threat of home network spoofing by roaming networks.
Compared with the legacy architecture, the cloud architecture introduces general-purpose hardware and runs network functions in a virtual environment, facilitating low-cost network deployment and quick service provisioning.
Many core networks have adopted cloud-based deployment around the globe. Huawei has deployed cloud-based core network security solutions for multiple operators.
Huawei complies with security protocols and architectures defined by industry-recognized virtualization standards. The European Telecommunications Standards Institute (ETSI) is responsible for formulating standards for the network functions virtualization (NFV) technologies used in the cloud architecture. Huawei adheres to ETSI NFV security standards such as SEC009 (multi-tenant hosting management security) and SEC002 (security feature management of open source software).
Huawei believes that NFV security isolation is an end-to-end solution. From the data center (DC) data interface to the virtual machine (VM) on the core server, NFV security requires a complete security solution that covers both the external and internal layers and everything in between. The NFV security isolation solution includes intra-DC security zone isolation, security isolation of different service domains within a zone, isolation of different host groups within a zone, isolation of VMs within a host, and a series of security hardening measures, implementing outside-in NFV security isolation.
Huawei already has mature virtualization security deployments in 4G. For 5G network equipment security, Huawei provides the following standards-based security hardening measures:
- To improve the availability of DCs on the operator’s network, resource pools can be deployed across DCs for data backup, ensuring service continuity in case of geographical disasters and other scenarios.
- In a DC, zones with different security levels can be designed based on services. Each zone is isolated by a firewall. Users cannot directly access zones with higher security levels. Instead, they can access only through specific servers.
- In a security zone, domains are used to further classify and isolate services. For example, operator network services are generally classified into an O&M domain, a gateway domain, a control domain, and a data domain. Different service types are aggregated into different domains. Domains are isolated from each other by firewalls, and only authorized access is allowed.
- In a multi-vendor environment, intra-domain host isolation can be performed. Within a single host, isolation is supported at the VM level, at the virtualization layer, and even for CPU, storage, and network resources.
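The zone and domain layering just listed can be expressed as a policy that is evaluated for every flow: a lower-security zone may reach a higher one only through a designated jump server, and inside a zone only allow-listed domain pairs may talk. The following Python model is an added example written for this page, not Huawei's product code; the zone names and levels, the domain allow-list, the jump-server addresses and the sample flows are all constructed for illustration.

```python
"""Model of layered DC access policy: zone boundary first, then domain boundary.

Added example for illustration only; zones, domains, addresses and flows are
constructed and do not describe any real operator deployment.
"""
from dataclasses import dataclass

# Constructed security zones; a higher number means a more sensitive zone.
ZONE_LEVEL = {"dmz": 1, "service": 2, "core": 3}

# Constructed inter-domain flows an operator might authorize (src, dst).
# Any pair not listed is denied by the domain firewalls (default deny).
ALLOWED_DOMAIN_FLOWS = {
    ("oam", "control"),
    ("oam", "gateway"),
    ("oam", "data"),
    ("control", "data"),
    ("gateway", "data"),
}

# Constructed jump servers: the only permitted entry points into a higher zone.
JUMP_SERVERS = {"service": {"10.0.2.10"}, "core": {"10.0.3.10"}}


@dataclass(frozen=True)
class Endpoint:
    ip: str
    zone: str
    domain: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(src: Endpoint, dst: Endpoint) -> Decision:
    """Decide whether a flow src -> dst is permitted under the layered policy."""
    if src.zone not in ZONE_LEVEL or dst.zone not in ZONE_LEVEL:
        return Decision(False, "unknown zone (default deny)")
    # Layer 1: zone boundary. Upward access is blocked unless it lands on a
    # jump server of the destination zone.
    if ZONE_LEVEL[dst.zone] > ZONE_LEVEL[src.zone]:
        if dst.ip not in JUMP_SERVERS.get(dst.zone, set()):
            return Decision(
                False,
                f"direct access from zone '{src.zone}' to higher zone "
                f"'{dst.zone}' is blocked; use a jump server",
            )
    # Layer 2: domain boundary. Cross-domain flows need an explicit allow-list entry.
    if src.domain != dst.domain and (src.domain, dst.domain) not in ALLOWED_DOMAIN_FLOWS:
        return Decision(False, f"inter-domain flow {src.domain} -> {dst.domain} is not authorized")
    return Decision(True, "permitted")


def audit(flows):
    """Return (src, dst, reason) for every observed flow the policy would deny.

    Useful for checking firewall logs or a proposed rule set against the intended
    zone/domain design before it goes live.
    """
    denied = []
    for src, dst in flows:
        decision = evaluate(src, dst)
        if not decision.allowed:
            denied.append((src, dst, decision.reason))
    return denied


# Constructed sample flows (not captured from any real network).
SAMPLE_FLOWS = [
    # DMZ host trying to reach a core data-domain server directly: must be denied.
    (Endpoint("192.0.2.5", "dmz", "gateway"), Endpoint("10.0.3.50", "core", "data")),
    # Service-zone O&M host reaching the core jump server in the same domain: allowed.
    (Endpoint("10.0.2.20", "service", "oam"), Endpoint("10.0.3.10", "core", "oam")),
    # O&M domain managing the control domain inside the core zone: allowed.
    (Endpoint("10.0.3.30", "core", "oam"), Endpoint("10.0.3.40", "core", "control")),
    # Data domain reaching back into O&M: not on the allow-list, denied.
    (Endpoint("10.0.3.60", "core", "data"), Endpoint("10.0.3.30", "core", "oam")),
]

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {src.ip} ({src.zone}/{src.domain}) -> {dst.ip} ({dst.zone}/{dst.domain}): {reason}")
```

The zone check is applied before the domain check so that a flow can never satisfy a domain allow-list entry while skipping the zone boundary; both layers must pass, which is the "outside-in" ordering the text describes.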
Mobile Edge Computing (MEC) Security
In the MEC architecture, the computing capabilities of cloud data centers are moved to the edge of the core network. Huawei provides cloud and virtualization security technologies and supports third-party application authentication and authorization management and user data protection to build security for edge networks. The MEC supports security domain division to isolate resources and networks between these domains. MEC security domains must be strictly defined between the UPF and Multi-access Edge Platform (MEP) and between the UPF and applications based on services and deployments. Security isolation for software, resources, systems, and application programming interfaces (APIs) is also supported for third-party applications deployed on the MEC.
For the security of MEC interfaces, Huawei provides the built-in IPsec solution for the N4 interface to protect the confidentiality and integrity of signaling data. The solution provides more comprehensive security protection than an external IPsec gateway. The management interface provides a TLS channel for secure transmission, enabling data security on the management plane. Moreover, the security deployment solution is provided to comprehensively protect MEC interfaces. For example, an IPsec gateway can be deployed on the N3/N6/N9 interface for encrypted transmission of user data, and a firewall can be deployed on the MEC to defend against DDoS and other traffic attacks.
Slice Access and Management Security
Network slicing is introduced in 5G networks so that a network can support multiple types of services. In addition to 5G security features, Huawei provides more security measures for slice access and management:
- Slice access security: On the basis of the existing user authentication and authorization mechanisms on the 5G network, network slicing allows slice access authentication and authorization for users to be performed jointly by operators and vertical industries. This ensures that only authorized users access slices and gives vertical industries control over their slice networks and end users.
- Slice management security: Slice-level rights- and domain-based management is provided. Tenants can view only their own slice’s KPIs and configurations, preventing unauthorized O&M among multiple slices. The slice management service uses authentication and authorization mechanisms. Security protocols can be used for slice management and between slices to ensure communication integrity, confidentiality, and anti-replay. In the slice lifecycle management, the slice templates and configurations have a check and verification mechanism to prevent slice access failures caused by incorrect configurations or security risks of data transmission and storage.
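The slice management controls above combine two checks: a per-request authorization decision that restricts tenants to their own slice's KPIs and configuration, and a template verification step that rejects a slice configuration before it is deployed. The following Python model is an added example written for this page, not Huawei's slice management service; the tenant names, roles, slice identifiers, KPI names and template fields are constructed, and the range checks on the `sst` and `sd` fields follow the S-NSSAI layout (8-bit SST, 24-bit SD) only as an illustration of what a template check might verify.

```python
"""Tenant-scoped slice management with template verification.

Added example for illustration only; tenants, roles, slice IDs, KPI names and
template fields are constructed and do not describe any real product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str
    role: str  # constructed roles: "tenant-viewer", "tenant-admin", "operator-admin"


@dataclass
class Slice:
    slice_id: str
    tenant: str
    config: dict
    kpis: dict


# Constructed template rules: fields a slice configuration must carry before
# deployment. Range checks mirror the S-NSSAI layout (8-bit SST, 24-bit SD).
REQUIRED_FIELDS = {"sst", "sd", "transport_security", "anti_replay"}


def validate_template(cfg: dict) -> list:
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    missing = sorted(REQUIRED_FIELDS - cfg.keys())
    if missing:
        findings.append(f"missing fields: {', '.join(missing)}")
    sst, sd = cfg.get("sst"), cfg.get("sd")
    if not (isinstance(sst, int) and 0 <= sst <= 255):
        findings.append("sst must be an integer in 0..255")
    if not (isinstance(sd, int) and 0 <= sd <= 0xFFFFFF):
        findings.append("sd must be an integer in 0..0xFFFFFF")
    if cfg.get("transport_security") not in ("tls", "ipsec"):
        findings.append("transport_security must be 'tls' or 'ipsec'")
    if cfg.get("anti_replay") is not True:
        findings.append("anti_replay must be enabled")
    return findings


class SliceManager:
    def __init__(self, slices):
        self._slices = {s.slice_id: s for s in slices}
        self.audit_log = []  # (user, slice_id, action, allowed)

    def _authorize(self, who: Principal, slice_id: str, action: str) -> Slice:
        s = self._slices.get(slice_id)
        allowed = s is not None and (
            who.role == "operator-admin"
            or (who.tenant == s.tenant and (action == "view" or who.role == "tenant-admin"))
        )
        self.audit_log.append((who.user, slice_id, action, allowed))
        if not allowed:
            # Same error whether the slice belongs to another tenant or does not
            # exist, so a tenant cannot enumerate other tenants' slice IDs.
            raise PermissionError(f"{who.user} may not {action} {slice_id}")
        return s

    def list_slices(self, who: Principal) -> list:
        """Only the caller's own slices are visible unless they are operator admin."""
        return sorted(
            sid for sid, s in self._slices.items()
            if who.role == "operator-admin" or s.tenant == who.tenant
        )

    def view_kpis(self, who: Principal, slice_id: str) -> dict:
        return dict(self._authorize(who, slice_id, "view").kpis)

    def update_config(self, who: Principal, slice_id: str, new_cfg: dict) -> dict:
        """Verify the template before applying it; a failing template changes nothing."""
        s = self._authorize(who, slice_id, "update")
        findings = validate_template(new_cfg)
        if findings:
            raise ValueError("; ".join(findings))
        s.config = dict(new_cfg)
        return s.config


def access_denied(manager: SliceManager, who: Principal, slice_id: str) -> bool:
    """True if the KPI view request is refused (convenience for callers and tests)."""
    try:
        manager.view_kpis(who, slice_id)
    except PermissionError:
        return True
    return False


# Constructed sample data.
GOOD_CFG = {"sst": 1, "sd": 0x000001, "transport_security": "tls", "anti_replay": True}
SAMPLE_SLICES = [
    Slice("slice-embb-a", "tenant-a", dict(GOOD_CFG), {"latency_ms": 12, "throughput_mbps": 900}),
    Slice("slice-urllc-b", "tenant-b", dict(GOOD_CFG, sst=2), {"latency_ms": 2, "throughput_mbps": 50}),
]

if __name__ == "__main__":
    m = SliceManager(SAMPLE_SLICES)
    alice = Principal("alice", "tenant-a", "tenant-viewer")
    print("alice sees:", m.list_slices(alice))
    print("foreign slice denied:", access_denied(m, alice, "slice-urllc-b"))
    print("bad template findings:", validate_template({"sst": 300, "transport_security": "none"}))
```

Every authorization decision is appended to `audit_log` whether it succeeds or not, so repeated denials for foreign slice IDs are visible to the operator as a signal of cross-tenant probing, and a rejected template never partially updates the slice.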