
FS.61 5G Core Network Resource Pool Micro-segmentation Guide: Version 1.0

Category: Electrical Equipment | 2025-04-24 | GSMA | CS杨林

Security Classification: Non-Confidential

Access to and distribution of this document is restricted to the persons permitted by the security classification. This document is subject to copyright protection. This document is to be used only for the purposes for which it has been supplied and information contained in it must not be disclosed or in any other way made available, in whole or in part, to persons other than those permitted under the security classification without the prior written approval of the Association.

Copyright Notice
Copyright © 2025 GSM Association

Disclaimer
The GSMA makes no representation, warranty or undertaking (express or implied) with respect to and does not accept any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document. The information contained in this document may be subject to change without prior notice.

Compliance Notice
The information contained herein is in full compliance with the GSMA Antitrust Compliance Policy.

This Permanent Reference Document is classified by GSMA as an Industry Specification; as such it has been developed and is maintained by GSMA in accordance with the provisions set out in GSMA AA.35 (Procedures for Industry Specifications).
GSMA Official Document FS.61

Table of Contents

1 Introduction
1.1 Overview
1.2 Scope
1.3 Definitions
1.4 Abbreviations
1.5 References
1.6 Conventions
2 Threat Analysis of East-West Traffic
2.1 East-west Traffic
2.2 Use Case 1: Virtual Network Function (VNF) Deployment
2.2.1 Management Plane
2.2.2 Service Plane
2.3 Use Case 2: Container Network Function (CNF) Deployment
2.3.1 Management Plane
2.3.2 Service Plane
3 Recommendations for Micro-segmentation in 5G Core Networks
3.1 5G Core Network Micro-segmentation Framework
3.2 Recommended Functional Attributes
3.2.1 Security Policy Management Recommended Attributes
3.2.2 Security Control Recommended Attributes
3.2.3 Traffic Report Recommended Attributes
3.2.4 Traffic Capture Feature Recommended Attributes
3.2.5 Asset Management Recommended Attributes
3.2.6 Security Monitoring Recommended Attributes
3.2.7 Traffic Visualisation Recommended Attributes
3.3 Deployment and Operation Recommended Attributes
4 Candidate Micro-segmentation Solutions
4.1 Solution #1: Network-Based Micro-segmentation
4.1.1 Solution Description
4.1.2 Advantages
4.1.3 Disadvantages
4.2 Solution #2: Local Firewall Micro-segmentation
4.2.1 Solution Description
4.2.2 Advantages
4.2.3 Disadvantages
4.3 Solution #3: Agent-Based Micro-segmentation
4.3.1 Solution #3a: Micro-segmentation Component Highly Coupled to VNF
4.3.2 Solution #3b: Micro-segmentation Component Loosely Coupled to VNF
4.3.3 Solution #3c: Data Analysis Function-Based Solution
4.3.4 Solution #3d: Optimise for Inter-Operability Solution Based on Solution #3a
4.4 Comparison of Solutions
5 Recommendations
Annex A Document History
A.1 Other Information

1 Introduction

1.1 Overview

With 5G core networks becoming virtualised, they not only face attacks from outside of the 5G core network but also security challenges from east-west traffic inside the core network (see GSMA FS.33 [1], risk 27 and risk 36).
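The rest of this overview describes micro-segmentation as a default-deny, workload-identity-based allow-list applied to east-west flows between core network workloads, with enough visibility to identify the source of an attack. The following Python script is an added example, not code from FS.61 or any GSMA project: it maps workload addresses to identities, evaluates constructed flow-log records against an allow-list, and reports which source identity generated denied flows. The NF names (AMF, SMF, UDM, UPF), addresses, ports, and the flow-record format are assumptions chosen for illustration.

```python
"""Workload-identity micro-segmentation check over east-west flow records.

Added illustrative example (not part of GSMA FS.61). The inventory, allow-list,
ports and flow records below are assumptions / constructed sample data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Workload inventory (assumed): the identity used by policy is the NF label,
# not the IP address, so a re-addressed workload keeps its policy.
WORKLOADS = {
    "10.10.1.11": "amf",
    "10.10.1.12": "smf",
    "10.10.1.13": "udm",
    "10.10.2.21": "upf",
    "10.10.3.31": "mgmt-jump",   # O&M host on the management plane
}

# Allow-list of (src label, dst label, proto, dst port) for connection initiation.
# Anything not listed is denied (zero-trust default). "*" matches any destination.
# Port choices are illustrative: SBI over TLS 443, PFCP 8805, NETCONF 830.
ALLOW = {
    ("amf", "smf", "tcp", 443),
    ("amf", "udm", "tcp", 443),
    ("smf", "udm", "tcp", 443),
    ("smf", "upf", "udp", 8805),
    ("mgmt-jump", "*", "tcp", 830),
}

# Assumed flow-record format, e.g. from a vSwitch or CNI flow exporter.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def parse_flow(line):
    """Parse one flow record; raise on malformed input rather than silently allow."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, dst, proto, port = m.groups()
    return Flow(src, dst, proto.lower(), int(port))


def identity(ip):
    """Resolve an address to a workload label; unregistered assets are 'unknown'."""
    return WORKLOADS.get(ip, "unknown")


def is_allowed(flow):
    """Default deny: only an explicit allow-list entry permits the flow."""
    src, dst = identity(flow.src_ip), identity(flow.dst_ip)
    if "unknown" in (src, dst):
        return False   # unregistered workload: deny and surface as an asset gap
    return any(
        s == src and d in (dst, "*") and p == flow.proto and port == flow.dst_port
        for s, d, p, port in ALLOW
    )


def evaluate(lines):
    """Return per-flow decisions and a count of denied flows per source identity.

    The denied-per-source counter is the 'identify the attack source' step: a
    single source identity accumulating denials across destinations is the
    signature of enumeration or lateral movement from a compromised workload.
    """
    decisions = []
    denied_by_source = Counter()
    for line in lines:
        flow = parse_flow(line)
        src, dst = identity(flow.src_ip), identity(flow.dst_ip)
        allowed = is_allowed(flow)
        decisions.append((src, dst, flow.dst_port, allowed))
        if not allowed:
            denied_by_source[src] += 1
    return decisions, denied_by_source


# Constructed sample flow records (not captured from any real network).
SAMPLE_FLOWS = [
    "src=10.10.1.11 dst=10.10.1.12 proto=tcp dport=443",   # AMF -> SMF SBI
    "src=10.10.1.12 dst=10.10.2.21 proto=udp dport=8805",  # SMF -> UPF PFCP
    "src=10.10.2.21 dst=10.10.1.13 proto=tcp dport=443",   # UPF -> UDM: no SBI need
    "src=10.10.2.21 dst=10.10.1.11 proto=tcp dport=22",    # UPF -> AMF SSH probe
    "src=10.10.3.31 dst=10.10.2.21 proto=tcp dport=830",   # jump host -> UPF NETCONF
    "src=10.10.9.99 dst=10.10.1.12 proto=tcp dport=443",   # unregistered source
]

if __name__ == "__main__":
    decisions, denied = evaluate(SAMPLE_FLOWS)
    for src, dst, port, ok in decisions:
        print(f"{src:>10} -> {dst:<10} :{port:<5} {'ALLOW' if ok else 'DENY'}")
    for src, n in denied.most_common():
        print(f"lateral-movement candidate: {src} ({n} denied flows)")
```

The allow-list is evaluated on the initiating direction only; the enforcement point is assumed to be stateful, so SMF-to-AMF traffic is permitted as the return half of an AMF-initiated connection but not as a new connection. A flow from an address absent from the inventory is denied and counted separately, because a workload the asset inventory does not know about is itself a finding, independent of what it tried to reach.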
If a virtualised network function (VNF) is compromised, an adversary may attempt further enumeration or attacks within the environment, known as lateral movement, which could affect other functions deployed in the same core network resource pool. To prevent attacks in east-west traffic, it is essential to have clear visibility and an appropriate capability to inspect the east-west traffic, identify the attack source and then take corresponding mitigation actions.

One of the techniques for east-west network traffic protection is micro-segmentation. Micro-segmentation is a security strategy that divides a network into smaller segments, allowing traffic in and out of each segment to be monitored and controlled. The main goal is to limit the impact of a breach by isolating segments and improving visibility, enabling granular access control through defined policies. Micro-segmentation can be implemented at the network level, host level, hypervisor level or workload level. Network-level micro-segmentation is the easiest and most familiar to create, but it offers the least flexibility and granularity for access control and telemetry. At the other end of the spectrum, workload-identity-based micro-segmentation offers the most granularity in terms of control and visibility, but requires agent software and management software to orchestrate and implement segmentation.

Micro-segmentation helps prevent unauthorised lateral movement within the network, whether from external breaches or internal threats. With micro-segmentation, mobile network operators (MNOs) can create policies that segregate traffic between virtual machines or containers based on a zero-trust approach. Only permitted services can communicate with each other if there is a specific functional requirement for a 5G