Unveiling the Next Level of 5G Network Security
Wireless technology has advanced swiftly, with 5G deployments making great strides globally. Until recently, RAN providers delivered wireless RAN as closed-box appliance solutions. In addition to failing to provide optimal RAN TCO, this closed-box method is neither efficient nor scalable. The list of its flaws is long.
We have since learned that this closed-box thinking isn't going to cut it in the 5G world.
So, the telecommunications sector has banded together to push for and develop RAN solutions that are cloud-native and virtualized on COTS hardware platforms that have open and standard interfaces. Applying the benefits of virtualization and cloud-native technologies opens the door to a more robust ecosystem and more adaptable solutions on general-purpose server systems.
Reduced costs, more ecosystem and vendor options, shorter innovation cycles, automation, and scalability are just a few of the many benefits of this method. However, the open RAN architecture could increase the attack surface and introduce new security issues that must be addressed.
An industry frontrunner in accelerated computing platforms, NVIDIA has been collaborating with customers, partners, and the standards community (3GPP and O-RAN Alliance) to develop and implement a comprehensive suite of security features for virtual radio access networks (vRANs).
Our goal is to facilitate tomorrow's applications by accelerating innovation at the intersection of cloud computing, artificial intelligence, and 5G, while ensuring that the platforms on which these technologies are based adhere to the highest security standards.
Problems with open RAN architecture security
The adoption of new standard interfaces in open RAN design and the separation of software and hardware make RAN systems more vulnerable. Examples include:
- New open interfaces for disaggregated RAN, such as OFH, A1, or E2.
- Near-real-time RIC and vendor-supplied xApps that could exploit the RAN environment.
- A trust chain that becomes more vulnerable as hardware and software become increasingly decoupled.
- Management interfaces like OFH M-plane, O1, or O2, which can introduce new vulnerabilities.
When implementing security features, including accelerated cryptographic operations, over the OFH interface, it is essential to consider the stringent latency requirements on the RAN. As the use of open-source software grows, so does the importance of secure development processes within open-source communities for open RAN. Lastly, due to the immense increase in Internet of Things (IoT) devices, all RAN deployments must take precautions to prevent attacks from compromised devices.
CSRIC Council
The FCC formed the Communications Security, Reliability, and Interoperability (CSRIC) Council VIII to encourage the US communications infrastructure’s stability, consistency, and robustness.
In a comprehensive report, the council outlined the obstacles to securing open RAN technology and offered the industry numerous recommendations for overcoming them. The report also recommends that the open RAN sector follow the security guidelines set out by the O-RAN Alliance's Working Group 11. These recommendations and requirements are addressed in the sections that follow.
Guidance on architecture from the CSRIC Council
According to the findings of the FCC CSRIC VIII report, the following are the most critical architectural recommendations focused on security for the open RAN sector:
- The use of digital signatures in production software should be extended to open RAN workloads, which encompass both network services and applications.
- Segmenting Ethernet-based fronthaul networks is an excellent way to separate fronthaul traffic from other types of traffic.
- Port-based authentication should be used to authorize network elements attached to the FH network.
- It is recommended that radio units (RUs) with Ethernet-based fronthaul be deployed in US production networks using secure protocols that provide mutual authentication.
- IEEE 802.1X port-based network access control should be implemented for all network components that connect to an FH network deployed in hybrid mode.
- It is recommended that open RAN implementations adhere to the concepts of zero trust architecture (ZTA).
- It is recommended that Open RAN software be installed on high-security server hardware. Please ensure that the credentials and keys used by the Open RAN software are encrypted and kept in a secure location.
- Open RAN designs should include safeguards against adversarial machine learning (AML) attacks. Businesses can help reduce the likelihood of AML attacks by collaborating with the O-RAN Alliance to establish security standards.
- Mobile network operator (MNO) systems should have a secure boot based on hardware root of trust (RoT), with credentials stored securely (e.g., in a hardware security module; HSM) and software signing to create an end-to-end trust chain.
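The signed-workload and software-signing recommendations above can be enforced at deployment time. The following is an added example, not code from the CSRIC report, the O-RAN Alliance, or NVIDIA: a minimal admission check that accepts a workload only if its bytes match a digest signed by a trusted publisher. The `SignedWorkload` record, the function names, the test key, and the workload name are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedWorkload is a hypothetical release record: the workload name, the
// SHA-256 digest of its artifact, and a detached signature over both.
type SignedWorkload struct {
	Name      string
	Digest    [32]byte
	Signature []byte
}

// signedMsg binds the name to the digest so that a signature issued for one
// workload cannot be replayed under another name.
func signedMsg(name string, d [32]byte) []byte {
	return append([]byte(name+"\x00"), d[:]...)
}

// Sign stands in for the publisher's release pipeline.
func Sign(name string, artifact []byte, priv ed25519.PrivateKey) SignedWorkload {
	d := sha256.Sum256(artifact)
	return SignedWorkload{Name: name, Digest: d, Signature: ed25519.Sign(priv, signedMsg(name, d))}
}

// Admit returns nil only when the artifact matches the signed digest and the
// signature verifies under one of the operator's trusted publisher keys.
func Admit(w SignedWorkload, artifact []byte, trusted []ed25519.PublicKey) error {
	if sha256.Sum256(artifact) != w.Digest {
		return errors.New("artifact does not match signed digest")
	}
	for _, pub := range trusted {
		if ed25519.Verify(pub, signedMsg(w.Name, w.Digest), w.Signature) {
			return nil
		}
	}
	return errors.New("no trusted publisher signature")
}

func main() {
	vendor := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, 32)) // constructed test key
	trusted := []ed25519.PublicKey{vendor.Public().(ed25519.PublicKey)}
	image := []byte("constructed xApp image bytes") // constructed sample artifact
	rec := Sign("xapp-demo", image, vendor)
	fmt.Println("genuine: ", Admit(rec, image, trusted))
	fmt.Println("tampered:", Admit(rec, append(image, 0xff), trusted))
}
```

In a deployment that follows the last recommendation in the list, the publisher's private key would be held in an HSM and the trusted public keys would be provisioned through the platform's root-of-trust chain rather than embedded in code.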
O-RAN WG11 defines durable security criteria
The O-RAN Alliance Security Working Group (WG11) is responsible for security guidelines that cover the entire O-RAN architecture. Security analysis and specifications are being created in close coordination with regulators, standards development organizations, and other O-RAN Working Groups. The group's work complements the security recommendations from FCC CSRIC VIII covered earlier.
Integral to systems is a commitment to security.
Our top priority is providing strong security capabilities that cover all bases. This includes:
- Zero-trust platform security for data being processed on the platform.
- Data protection for the network, including the air interface, fronthaul, and backhaul.
- Protection of data stored on the platform and of all management interfaces.
We use the most effective security practices in the industry to achieve this. Security was a primary goal in the development of ConnectX SmartNICs and BlueField DPUs. They implement all the requirements that security vendors, edge providers, and cloud service providers need to build their solutions on the platform's features.
With the ConnectX SmartNIC, you can offload and support many encryption-based solutions, including MACsec and IPsec, as well as TLS, rule-based filtering, and precise time-stamping, all at line rate.
Along with these features, the DPU’s fully isolated platform (a server within a server) offers:
- Secure BMC
- Secure boot
- Root of trust
- Deep packet inspection (DPI)
- Extra engines for special cryptographic operations and data plane pipeline processing.
These capabilities allow you to set up a safe, secure, and independent network. To build a secure cloudRAN architecture, the DPU connects directly to the GPU and supplies the post-screened packets independently of the host.
We have integrated the specifications of O-RAN WG11 into our software and hardware platforms. Aerial 5G vRAN is powered by converged accelerators, which include the BlueField DPU and A100 GPU. The Aerial program implements a complete inline offload of RAN Layer 1 with critical security characteristics.