Keeping Pace with the Requirements of 5G Security

Introduction

The requirements for 5G Security are continually evolving, as is the attack surface. Here, a continuous and growing number of vulnerabilities must be accounted for in a comprehensive testing approach, and with the capability of accelerated speed powered by state-of-the-art automation. Spirent SecurityLabs’ years of experience in testing a range of environments, along with Spirent’s industry-leading expertise in 5G testing, offer a mature and informed perspective on the best practices of 5G cybersecurity, which are presented in this white paper.

The Rapid Evolution of 5G Security Requirements

Understanding the vulnerabilities in 5G cybersecurity

Network operators are actively engaged in deploying 5G networks around the globe on a widespread scale. This technology trend is defining and transforming the technological landscape for the foreseeable future. Meanwhile, a myriad of new 5G devices is appearing in the market, with many more to come. As with any new technology, security must be taken into consideration as early as possible in the development process. To face that challenge, 5G security was substantially redesigned to address the known vulnerabilities that existed within the architecture of earlier networks. New cybersecurity frameworks were developed:

• Zero Trust and Zero Trust Network Access (ZTNA). Zero Trust eliminates the notion of trust, necessitating that access must be granted for each application transaction.
• Use of encryption on the transport-level. Targeted at preventing malicious unauthorized altering of transmitted data between endpoints and eavesdropping.
• Mutual authentication. Where the sender and recipient must verify the other party is genuine and trusted.
• Secure Access Service Edge (SASE). A cloud-centric distributed security architecture securing users and applications as opposed to subnetworks and IP resources.

Failure to adopt these strategies, or to implement them without comprehensive and continuous execution, can lead to security breaches on varying scales with varying impacts.

Telecommunication network carriers, services providers, equipment manufacturers, suppliers, and enterprise organizations have common areas of concern. They reside in the 5G core (NFs, NFVi), telecommunication infrastructure (physical and virtual) and transport security. Cloud security, cloud-native components (containers, Kubernetes, etc.) must also be accounted for, along with applications and application programming interfaces (APIs), edge devices, and network products.

Typical vulnerabilities. Through Spirent SecurityLabs engagements, an array of vulnerability categories has been identified during the assessment phase. They include:

• Hardware/Firmware/Software. Misconfigurations (e.g., incorrect access rights); Default or static credentials; Unrestricted access through diagnostic interfaces.
• Signaling/Control Plane protocols. Insecure protocols in use; Authentication bypass.
• Containers/Kubernetes. Admission controller: no restriction of specific registries; Host OS issues: over-permissive access, outdated software.
• PKI/NF. Network function (NF) isolation issues in the platform; Misconfigurations in encryption algorithms used in NF-to-NF communications; Integrity and confidentiality issues on the policy store and routing info (data-at-rest); Protocol support issues at the PKI (Public Key Infrastructure) platform and NFs.
• Operations, Administration and Management. Insecure APIs; Various privilege escalations; Various authentication and authorization issues; Outdated software; Missing critical patches.

Potential impact of risk. If the vulnerabilities remain unaddressed, the impact can affect an organization in a host of ways, some more severe than others, yet all impacting the ability to conduct an organization’s business operations as planned.
The domains these threats occur in include:

• Core network. Abuse of remote access; Abuse of user authentication/authorization data; Abuse of third-party hosted network functions; API exploitation; Exploitation of poorly designed architecture and planning (network, services and security, administrative interfaces); Exploitation of misconfigured or poorly configured systems/networks; Fraud scenarios related to roaming interconnections; Memory scraping; Manipulation of network traffic, network reconnaissance and information gathering; Manipulation of network configuration data; Malicious flooding of core network components; Malicious diversion of traffic; Manipulation of the network resources orchestrator; Opportunistic and fraudulent usages of shared resources; Registration of malicious NFs; Traffic sniffing; Side-channel attacks.
• Multi-edge computing. False or rogue multi-edge compute (MEC) gateway; Edge node overload; Abuse of edge open APIs.
• Virtualization. Abuse of Data Centers Interconnect (DCI) protocol; Abuse of cloud computational resources; Network virtualization bypassing; Virtualized hos