Towards Micro-Segmentation in 5G Network Security

Olli Mämmelä, Jouni Hiltunen, Jani Suomalainen, Kimmo Ahola, Petteri Mannersalo, Janne Vehkaperä
VTT Technical Research Centre of Finland, Finland
Email: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Abstract—5G mobile networks are currently being designed with a vision of reshaping the mobile network architecture. 5G will be a completely new ecosystem with heterogeneous high-speed access technologies and built-in support for various applications and services. The amount of mobile traffic and the number of users increase each year as the demand for interactive multimedia, social networking, online gaming, the Industrial Internet of Things (IIoT) and vehicle-to-vehicle communication grows. To enable operators to better support different applications, future mobile networks will be software-defined and virtualized. Security of 5G is going to be crucial in those critical applications that must rely on the mobile network to provide strong authentication, confidentiality, availability and privacy guarantees. In the case of an attack the consequences could be dramatic: for example, an IIoT-based factory may suffer severe damage if an IoT sensor provides faulty information. The roles of isolation, virtualization and network management are going to be important. Applications or services requiring a high level of security can be protected by isolating them from the rest of the network. Micro-segmentation is a concept, originating from data centres, for isolating different applications and parts of networks from each other. This paper contributes by describing how the concept of micro-segments can be adapted and utilized in 5G mobile networks. We present the key aspects of micro-segmentation, describe our initial proof-of-concept demonstration and ideas on how micro-segmentation could be integrated into the 5G network architecture, and describe challenges for future research.

I. INTRODUCTION

It has been estimated that 5G networks will be heterogeneous in nature, with a variety of different services, applications, users and devices and a large amount of network traffic [1], [2], [3]. This brings scalability challenges for the security of the mobile network, as a heterogeneous environment is difficult to monitor and manage. Network virtualization [4], [5], [6] (i.e. decoupling logical network components from the hardware), network slicing [7], [8], [9], [10] (i.e. isolating nodes and communication related to particular applications from each other), and network programmability (i.e. controlling the behaviour and communication of network devices and flows with software operating independently of the network hardware) are key concepts in 5G network design. These can be implemented with Software Defined Networking (SDN) and Network Function Virtualization (NFV) technologies. SDN will be used for monitoring and controlling networks, while NFV is used for virtualization of mobile network entities and functions, such as the Packet Data Network Gateway (PGW), Serving Gateway (SGW), Mobility Management Entity (MME), load balancing, traffic monitoring, QoS, etc.

This paper extends the concept of network slicing by introducing micro-segmentation [11], [12], [13], [14] into 5G network security. Micro-segmentation has previously been implemented in data centre networking, ultimately promoting the idea of a Software-Defined Data Centre and showing how network virtualization can improve security. Micro-segmentation and network slicing are two related concepts, and the aim of this paper is to clarify their key aspects and differences.

The rest of the paper is organized as follows: Section II describes the evolution of mobile network security, network slicing and micro-segmentation in data centre networking; Section III presents the micro-segmentation concept in 5G mobile networks; Section IV describes our initial proof-of-concept demonstration. Future work and research challenges are presented in Section V, and the paper is concluded in Section VI.

II. BACKGROUND

A. Evolution of Mobile Network Security

5G needs an efficient baseline security and trust model, and this involves several challenges:

1) A wide range of use cases in different network environments. This means that a flexible architecture and dynamic network management functions are needed.

2) Legacy requirements for security visibility and configurability defined in TS 33.401 [15]. Security visibility and configurability had a minor role in legacy 3GPP networks: e.g. the ciphering indicator feature specified in TS 22.101 [16] is not widely adopted, and configurability is limited to enabling or disabling user-to-USIM authentication. Because of the flexibility of 5G networks, these security aspects have become more topical.

3) The threat landscape evolves over time. In the past, GSM has been proposed as an example of good-enough security, with a good balance between security, usability and cost-effectiveness [17]. However, attacks that in the past could be mounted only by well-resourced actors can today be carried out with open-source technologies, e.g. Software Defined Radio, and low-cost commercial systems, e.g. bogus base stations (IMSI catchers).

4) New deployment models, such as third-party and multi-operator deployments, and new third-party APIs, enabling e.g. full configuration control of network functions, will be supported in 5G [18]. This exposes additional attack surface that could be exploited to gain and leverage access within the 5G network.

In general, isolation can be used as an important security enabler that reduces the attack surface and minimizes the effects of breaches, including insider threats. Therefore, there is a basic need for improved security controls in order to maintain good-enough security in 5G, but enablers for business-driven security configurability may be needed to facilitate the plethora of 5G use cases. On the other hand, security configurability may be needed to achieve the required network performance. Security configurability can be achieved through network management functions, for instance in SDN-supported networks. Network management enables dynamic network isolation and the forming of security domains for improved security.

B. Network Slicing

Network slicing is one of the key concepts in 5G networks. A single network slice can be defined as a logical instantiation of a physical network with all the functionality needed for running a given service. Network slicing can be thought of as networks-on-demand in which slices are isolated and restricted to their assigned resources. Network slices can support a communication service for a particular connection type. A slice provides all necessary functionality for a service and basic isolation; all other functionality is left out, which minimizes the internal complexity of a slice. Virtual Private Networks (VPNs) can be considered a basic version of a network slice. They are generally used to allow users to access private networks from remote public connections.
The creation of VPNs is done by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunnelling protocols (Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), Secure Socket Tunneling Protocol (SSTP)), or traffic encryption protocols (Internet Protocol Security (IPsec), Transport Layer Security (TLS)). VPNs provide point-to-point connections; they do not support or connect broadcast domains. In addition to VPNs, an overlay network is a concept related to network slicing. In both overlay networks and network slicing, the main approach is to build a computer network on top of another network. Network slicing, however, is a more fundamental feature of 5G systems rather than just a simple network overlay concept. Also, the harder requirements and the larger scope of use cases that 5G networks will need to cope with demand a whole new definition of slices compared with VPNs. Network slices can be considered more as networks-on-demand, which will be created, deployed and removed dynamically. Ultimately, with network slicing it is possible to guarantee a certain level of quality and security to an application or a service. In other words, network slicing is an SDN-based alternative to VPNs for isolating the traffic associated with a certain user or application from other traffic on the network. SDN decouples traffic flow decisions (control plane) from the traffic forwarding infrastructure (data plane). In practice, centralized SDN controllers decide how packets are forwarded when switches encounter previously unknown packets. For example, emergency communications could be isolated from the rest of the network with the goal of improving response time.

C. Micro-segmentation in Data Centre Networking

Micro-segmentation, a term originally proposed by VMware [11], [12], [13], [14], has been implemented in data centres to get rid of the single point of failure in the security of the system. Traditionally, data centres have had firewalls at the edge or perimeter, and once attackers have bypassed the firewall they are free to move laterally within the data centre and carry out their attacks. Micro-segmentation enables security monitoring inside the data centre in addition to the traditional security monitoring at the perimeter, i.e. between internal components as well as between the external and internal network.

III. MICRO-SEGMENTATION IN 5G MOBILE NETWORKS

In the context of 5G, micro-segments can be considered as isolated parts of the 5G network dedicated to particular application services or users. Compared to network slices, micro-segments can provide more fine-grained isolation and segmentation, specific access controls and tuned security policies based on the unique trust models of the respective use cases and application services. A micro-segment instance is not necessarily required to form a complete logical network. By focusing on smaller, less heterogeneous parts of the network, better accuracy can be achieved for e.g. anomaly detection.

Within the mobile network, the minimum requirement could be to include virtualized instances of both the Serving Gateway (SGW) and the Policy and Charging Rules Function (PCRF) in a network slice or micro-segment. For applications or services requiring Internet access, the network slice or micro-segment should also include the Packet Data Network Gateway (PGW). For applications requiring mobility, the Mobility Management Entity (MME) and SGW are needed. Each network slice and micro-segment could also have its own AAA entity, but the AAA functionality of a micro-segment should not be too heavy, to avoid complexity. All these components would be virtualized resources or functions, i.e. Network Function Virtualization (NFV) would be used. For instance, a massive IoT service may not necessarily require features such as handover or location update, which are used with mobile devices. This is because the IoT service connects a large number of immobile sensors that measure different parameters, such as humidity, precipitation, etc., and mobility is thus not considered. However, security for the service is critical.

Fig. 1. Micro-segmentation in a single domain network. (Labels recovered from the figure: a Mobile Network Operator's LTE/5G network with MME, AAA, PCRF, HSS, SGW, PGW and eNodeB; an IoT network slice created by virtualization, containing a Personal health micro-segment and a Smart metering micro-segment, each with its own (v)SGW, (v)PGW and (v)AAA; subscribers such as a Personal health company and a Smart metering company; connectivity to the Internet via an IXP.)

Figure 1 shows an example of the micro-segmentation approach in a single domain (single operator) that could be built on top of the existing 4G LTE architecture. Network slices and micro-segments are created by the use of virtualization. For example, there could be one general network slice for IoT, but two micro-segments for smart metering and personal health. The user, i.e. subscriber, of a micro-segment could be an organization, a service provider or a Virtual Mobile Network Operator (VMNO). The overall control of the micro-segments would lie with the (virtual) operators. The organizations and service providers that use the micro-segments may also have some control, especially related to the security functionalities within the micro-segment. Individual end-users would not have control over a micro-segment. Within a single network domain, the segments should typically lie within a single network slice. In a multi-domain/multi-operator setting, end-to-end isolation and security could be achieved by chaining micro-segments from multiple network slices. Figure 2 depicts an example of how micro-segmentation might be deployed in a multi-domain network based on the existing 4G architecture. There are two network slices: one located in the city of Helsinki and one in the city of Oulu. In both network slices there is a micro-segment for Personal Health. The two micro-segments could be chained together by the use of a VPN or IPsec to provide end-to-end security. A VMNO may have control over both network slices. Consequently, in a multi-domain scenario, micro-segmentation enables vertical isolation in addition to the horizontal isolation provided by network slices. Micro-segmentation can ultimately provide service isolation, which will be crucial for 5G applications and services.

Fig. 2. Micro-segmentation in a multi-domain network. (Labels recovered from the figure: a Helsinki IoT network slice and an Oulu IoT network slice, each built by virtualization on a Mobile Network Operator's 5G/LTE network with MME, AAA, PCRF, SGW, PGW and IoT GW; a Personal health micro-segment with (v)SGW, (v)PGW and (v)AAA in each slice, chained over VPN/IPsec and controlled by a Virtual Mobile Network Operator; Helsinki IoT company and Oulu IoT company as slice subscribers; Internet connectivity via an IXP.)

A. Trust in micro-segmentation

Micro-segmentation in 5G networks can also take into account the unique trust models of some use cases. More importantly, it can enable trust models that do not fit reasonably into the 5G baseline and network slice security architecture in terms of cost, network performance and usability. The uniqueness of a trust model originates mainly from varying protection modes and application characteristics. Transport-based hop-by-hop protection leads to a service-centric trust model, for example to provide reliable services and access controls. Media-independent end-to-end protection leads to an application-based trust model, which might be utilized dynamically to form exclusive trust relationships. The application-dependent part of the trust model is due to varying threat profiles and business requirements. For example, if an application does not handle sensitive information, eavesdropping attacks are not of high importance, or if the application pricing does not allow additional support infrastructure, a third party providing the necessary security controls may be assumed to be trusted. Besides the aforementioned assumptive trust model, two other major trust models, based on direct and transitive trust, are possible. Network Domain Security for IP (NDS/IP) provides an example of direct trust, where a single network administrative authority is clearly defined and may operate a single certificate authority within the domain. A micro-segment may implement advanced access controls that enable transitive trust, in which any node's certificate can be validated by another node in the micro-segment. Some micro-segments may require a Zero Trust model [19], [20], [21], which states that all nodes should be authenticated before they are attached to the micro-segment. The main principle of Zero Trust is "never trust, always verify and authenticate". Zero Trust employs a least-privilege, unit-level trust model that has no default trust level for any entity or object in the network. Such a trust model could, for example, be provided to micro-segments with critical services. One such case could be an authority network in a crisis situation, in which trust would not be self-evident and the micro-segment should be highly secure. Other possible use cases include networks related to critical infrastructures, such as electricity distribution. Another, extreme trust model could be used in a network where there is no traditional access control based on credential validation or provisioned UEs. In this trust model, advanced security monitoring would enable decoupling trusted identities from trusted data in order to form trust relationships for e.g. low-resource IoT devices.
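To make the "never trust, always verify" rule and the per-segment access controls concrete, the following added example (written for this edit; it is not code from the paper or from its Ryu/OpenVirteX test bed) models the security application that each micro-segment's SDN controller would run: an IEEE 802.1X/EAPoL port gate that lets nothing but the authentication exchange through an unauthenticated port, an AAA step that admits a device already strongly authenticated to the mobile network (e.g. by USIM) and sends a lightly authenticated one to step-up authentication, as the paper describes for micro-segment AAA, and a packet-in handler that installs only flow rules consistent with segment isolation (intra-segment forwarding, cross-segment traffic only via the security device / IP router, everything else dropped). The subnets follow Fig. 3; the switch port numbers, the router port 99, the auth_method labels ("usim", "eap-tls", "psk") and the data structures are assumptions made for the illustration.

```python
"""Toy model of the security application each micro-segment's SDN controller
would run: an 802.1X/EAPoL port gate, an AAA authorization step whose outcome
depends on how strongly the subscriber was authenticated, and a packet-in
handler that installs only flow rules consistent with segment isolation.
Added illustration, not the paper's Ryu/OpenVirteX code; the topology, port
numbers and auth_method labels are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ETH_EAPOL = 0x888E   # 802.1X EAPoL: the only frames an unauthorized port may send
ETH_IPV4 = 0x0800

# Constructed topology mirroring Fig. 3: two micro-segments in different
# subnets, joined only through the security device / IP router.
SEGMENTS = {
    "A": ip_network("10.10.10.0/24"),   # Personal Health micro-segment A
    "B": ip_network("10.10.20.0/24"),   # Personal Health micro-segment B
}
ROUTER_PORT = 99                        # hypothetical switch port towards the router
STRONG_AUTH = {"usim", "eap-tls"}       # methods this segment accepts as "strong"


@dataclass
class PortState:
    authorized: bool = False
    identity: Optional[str] = None


@dataclass
class SegmentController:
    """One controller instance per micro-segment (SDN A / SDN B in Fig. 3)."""
    segment: str
    ports: Dict[int, PortState] = field(default_factory=dict)
    fib: Dict[str, int] = field(default_factory=dict)     # host IP -> switch port
    flow_table: List[dict] = field(default_factory=list)  # rules pushed to switches

    def port(self, no: int) -> PortState:
        return self.ports.setdefault(no, PortState())

    def authorize(self, port_no: int, identity: str, host_ip: str, auth_method: str) -> str:
        """AAA decision once the EAP exchange on `port_no` has identified
        `identity`.  A device already strongly authenticated (e.g. by USIM)
        is admitted; a lightly authenticated one must step up first."""
        if auth_method not in STRONG_AUTH:
            return "step-up-required"
        if ip_address(host_ip) not in SEGMENTS[self.segment]:
            return "denied"            # address is not part of this segment
        self.ports[port_no] = PortState(True, identity)
        self.fib[host_ip] = port_no    # accounting/learning: where the host lives
        return "authorized"

    def packet_in(self, in_port: int, ethertype: int,
                  src_ip: Optional[str] = None, dst_ip: Optional[str] = None) -> str:
        """Reactive decision for a packet the switch had no rule for.  Returns
        the OpenFlow-style action and records a flow rule for allowed traffic."""
        if ethertype == ETH_EAPOL:
            return "to-controller"     # the 802.1X handshake is always let through
        if not self.port(in_port).authorized:
            return "drop"              # never trust: no rules before authentication
        if ethertype != ETH_IPV4 or src_ip is None or dst_ip is None:
            return "drop"
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        mine = SEGMENTS[self.segment]
        if src not in mine or self.fib.get(src_ip) != in_port:
            return "drop"              # source not where AAA learned it (spoofing)
        if dst in mine:
            out = self.fib.get(dst_ip)
            if out is None:
                return "drop"          # unknown host in segment: not authenticated yet
            action = f"output:{out}"
        elif any(dst in net for name, net in SEGMENTS.items() if name != self.segment):
            action = f"output:{ROUTER_PORT}"   # cross-segment only via the security device
        else:
            return "drop"              # not a micro-segment address; no PGW in this toy
        self.flow_table.append({"in_port": in_port, "src": src_ip, "dst": dst_ip,
                                "action": action})
        return action


def demo() -> List[str]:
    """Walk host ha (constructed: port 8, 10.10.10.8) through attach, step-up
    and forwarding in micro-segment A."""
    ctl = SegmentController("A")
    return [
        ctl.packet_in(8, ETH_IPV4, "10.10.10.8", "10.10.10.2"),   # drop: not authenticated
        ctl.packet_in(8, ETH_EAPOL),                               # to-controller
        ctl.authorize(8, "ha", "10.10.10.8", "psk"),               # step-up-required
        ctl.authorize(8, "ha", "10.10.10.8", "usim"),              # authorized
        ctl.authorize(2, "hx", "10.10.10.2", "eap-tls"),           # authorized
        ctl.packet_in(8, ETH_IPV4, "10.10.10.8", "10.10.10.2"),   # output:2
        ctl.packet_in(8, ETH_IPV4, "10.10.10.8", "10.10.20.1"),   # output:99 (router)
        ctl.packet_in(8, ETH_IPV4, "10.10.20.5", "10.10.10.2"),   # drop: spoofed source
        ctl.packet_in(8, ETH_IPV4, "10.10.10.8", "192.0.2.10"),   # drop: outside segments
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The design point is that the controller holds no default trust: a port has no forwarding rules at all until the AAA step succeeds, the source address of every new flow is checked against where AAA learned that host, and the only way out of the segment is the router port, so the inter-segment security device sees all cross-segment traffic. A real Ryu application would receive these decisions as OpenFlow PacketIn events and push them as FlowMod messages; the decision logic is what this example isolates.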

B. Authentication, Authorization, Accounting

In general, each network slice and micro-segment could have its own AAA entity, but the AAA functionality of a micro-segment should not be too heavy, to avoid complexity in the whole system. The authentication protocol of a micro-segment depends on the needed security level, which is adjustable. For example, if the application or service requires strong authentication, IEEE 802.1X Extensible Authentication Protocol over LAN (EAPoL) may be used. Micro-segments may support and require particular authentication mechanisms. For example, if the mobile device has been strongly authenticated to the mobile network by the use of a USIM, it can be authorized to use the micro-segment. However, if lighter authentication methods have been used in the mobile network, the device needs to be authenticated with a stronger mechanism before it is authorized to use the micro-segment.

IV. PROOF OF CONCEPT DEMONSTRATION OF MICRO-SEGMENTATION

In order to implement micro-segmentation, SDN and virtualization technologies are needed. There needs to be a network virtualization platform that is able to create virtual networks that are isolated from the physical network. In our scenario, the virtualization is done with the OpenVirteX software [22], but other network virtualization hypervisors are possible; a detailed review of different hypervisors can be found in [23]. Each micro-segment has its own SDN controller for management. In our case we use the Ryu SDN controller [24], but another SDN controller could be used. Security in micro-segments is achieved by deploying security applications, such as AAA and security monitoring, on the SDN controller. The AAA application is used for authenticating and authorizing users and for monitoring user statistics, i.e. accounting. Fig. 3 depicts our initial scenario, which has been implemented in a Mininet environment [25]. In the scenario there are two micro-segments, A and B, with several SDN switches inside them. Host ha is connected to micro-segment A and host hb to micro-segment B. Controller SDN A monitors and controls micro-segment A, and controller SDN B monitors and controls micro-segment B, using the OpenFlow protocol [26]. The two micro-segments are in different IP subnets, as shown in the figure. Between the micro-segments there is an IP router that connects them to enable a multi-domain scenario. Currently, the connection between ha and hb is working, and we have implemented an IEEE 802.1X Extensible Authentication Protocol over LAN (EAPoL) based authentication method in the scenario for authenticating users and authorizing them to use the micro-segment.

Fig. 3. Micro-segmentation in a multidomain scenario. (Labels recovered from the figure: Personal Health Micro-segment A, 10.10.10.0/24, with host ha and SDN Controller A; Personal Health Micro-segment B, 10.10.20.0/24, with host hb and SDN Controller B; SDN switches numbered 1 to 8; a security device / IP router providing the Layer 3 (IP) connection between the segments; hosts h_x in different IP sub-networks.)

V. FUTURE WORK AND RESEARCH CHALLENGES

Bringing micro-segmentation into 5G mobile networks poses several research challenges. Our future work includes investigating how the micro-segmentation concept can be implemented in the mobile network architecture. Generally, there needs to be a way to integrate the different functionalities of mobile networks (e.g. PGW, SGW, MME, PCRF) with SDN and network virtualization technologies. Another challenge is how to technically connect two micro-segments residing in different domains, and what trust issues arise when combining micro-segments located in network domains that are controlled by different network operators. It is also worth investigating the size and granularity of micro-segments: how large should micro-segments be, what size of micro-segment do different use cases require in practice, and are hierarchical micro-segments needed? Another challenge is the implementation of security monitoring spanning multiple micro-segments. This may happen, for instance, when a car requires access to vehicle-to-vehicle, traffic broadcast, radio and web segments. Further, since micro-segments are dynamic, it is challenging to implement secure monitoring systems that use machine learning. Finally, micro-segmentation brings scalability problems: how large will the monitoring data be, and how could big data technologies help manage such large amounts of data?

VI. CONCLUSION

This paper presented the concept of micro-segmentation and how it could be integrated into 5G network security. A comparison with network slicing was also made, and we presented our initial test bed scenario, future work and research challenges.

Micro-segmentation could be a good security solution especially for Massive Machine-Type Communications (mMTC), Machine-to-Machine (M2M) or Industrial Internet based companies, which require a high level of security and service isolation for their application services. Mobile network operators and virtual mobile network operators would also benefit from the solution, as they would be able to provide adequately secure segments of the mobile network for further use. Micro-segmentation could also be used to provide customers with micro-segments that have different security levels depending on the service used. For example, in a micro-segment supporting automotive or e-health services security is of high concern, while for a micro-segment supporting general IoT a lower security level may be acceptable.

ACKNOWLEDGMENT

This research has been performed within the 5G-ENSURE project (www.5GEnsure.eu) and received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 671562.

REFERENCES

[1] J. G. Andrews, S. Buzzi, W. Choi, S. V. Hanly, A. Lozano, A. C. K. Soong, and J. C. Zhang, “What will 5G be?” IEEE Journal on Selected Areas in Communications, vol. 32, no. 6, pp. 1065–1082, June 2014.
[2] X. Ge, H. Cheng, M. Guizani, and T. Han, “5G wireless backhaul networks: challenges and research advances,” IEEE Network, vol. 28, no. 6, pp. 6–11, Nov 2014.
[3] F. Boccardi, R. W. Heath, A. Lozano, T. L. Marzetta, and P. Popovski, “Five disruptive technology directions for 5G,” IEEE Communications Magazine, vol. 52, no. 2, pp. 74–80, February 2014.
[4] A. Khan, A. Zugenmaier, D. Jurca, and W. Kellerer, “Network virtualization: a hypervisor for the internet?” IEEE Communications Magazine, vol. 50, no. 1, pp. 136–143, January 2012.
[5] A. Wang, M. Iyer, R. Dutta, G. N. Rouskas, and I. Baldine, “Network virtualization: Technologies, perspectives, and frontiers,” Journal of Lightwave Technology, vol. 31, no. 4, pp. 523–537, Feb 2013.
[6] C. Liang and F. R. Yu, “Wireless network virtualization: A survey, some research issues and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 1, pp. 358–380, First quarter 2015.
[7] Ericsson, “Network functions virtualization and software management,” Tech. Rep., 2014. [Online]. Available: http://www.ericsson.com/res/docs/whitepapers/network-functions-virtualization-and-software-management.pdf
[8] Ericsson, “5G systems: Enabling Industry and Society Transformation,” Tech. Rep., 2015. [Online]. Available: http://www.ericsson.com/res/docs/whitepapers/what-is-a-5g-system.pdf
[9] Ericsson, “5G Security - Scenarios and Solutions,” Tech. Rep., 2015. [Online]. Available: http://www.ericsson.com/res/docs/whitepapers/wp-5g-security.pdf
[10] NGMN Alliance, “Description of Network Slicing Concept,” Tech. Rep., 2016.
[11] VMware, “Data Center Micro-Segmentation: A Software Defined Data Center Approach for a Zero Trust Security Strategy,” Tech. Rep., 2014.
[12] L. Miller and J. Soto, “Micro-segmentation for Dummies,” VMware, Tech. Rep., 2015.
[13] “Microsegmentation: How VMware Addresses the Container Security Issue,” 2016. [Online]. Available: http://thenewstack.io/microsegmentation-how-vmware-addresses-the-container-security-issue/
[14] “Three Requirements For True Micro-Segmentation,” 2016. [Online]. Available: http://www.networkcomputing.com/networking/three-requirements-true-micro-segmentation/1151379004
[15] 3GPP, “Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture,” Tech. Rep. TS 33.401 V13.0.0, 2010.
[16] 3GPP, “Universal Mobile Telecommunications System (UMTS); Service aspects; Service principles,” Tech. Rep. TS 22.101.
[17] R. Sandhu, “Good-enough security,” IEEE Internet Computing, vol. 7, no. 1, pp. 66–68, Jan 2003.
[18] NGMN Alliance, “NGMN 5G White Paper,” Tech. Rep., 2015. [Online]. Available: https://www.ngmn.org/uploads/media/NGMN_5G_White_Paper_V1_0.pdf
[19] J. Kindervag, “Building Security into Your Network's DNA: The Zero Trust Network Architecture,” Forrester Research, Tech. Rep., 2010.
[20] J. Kindervag, “No More Chewy Centers: Introducing the Zero Trust Model of Information Security,” Forrester Research, Tech. Rep., 2010.
[21] J. Kindervag, “Applying Zero Trust to the Extended Enterprise,” Forrester Research, Tech. Rep., 2010.
[22] OpenVirteX Network Virtualization Platform, 2016. [Online]. Available: http://ovx.onlab.us/
[23] A. Blenk, A. Basta, M. Reisslein, and W. Kellerer, “Survey on network virtualization hypervisors for software defined networking,” IEEE Communications Surveys & Tutorials, in print, 2015.
[24] Ryu SDN framework, 2016. [Online]. Available: https://osrg.github.io/ryu/
[25] Mininet, 2016. [Online]. Available: http://mininet.org/
[26] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, “OpenFlow: Enabling innovation in campus networks,” SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp. 69–74, Mar. 2008. [Online]. Available: http://doi.acm.org/10.1145/1355734.1355746