How to integrate packet core firewall in the user plane
Securing service availability in 5G requires a holistic view beyond dedicated security solutions. Now, we're taking actions in the user plane – one of the key elements in the network that will be exposed to security threats – to meet this need. Here, we catch up with Folke Anger, Head of Solution Line Packet Core at Ericsson, to find out more.
Hi Folke, why has security become more important for 5G?
Folke: There are many factors that together put the spotlight on 5G security. Firstly, the number and sophistication level of threats are continually increasing at a high rate, and attacks are no longer limited to those coming from the internet. Secondly, 5G is expected to be the bearer of not only mobile broadband subscriptions – but also carry data from billions of new IoT devices and mission-critical communication for industry applications.
This means the mobile system must be very resilient against any type of disruption. In addition, the network must be able to scale secure delivery on new required services.
For these reasons, many regulators are raising the security bar, not only related to network security controls, but also security by design. Lastly, new deployment models, like virtualized and container-based solutions, may introduce new attack vectors and challenges. So all in all, security has become an important part of 5G, since a disruption or a breach could have a severe impact on society.
Does security in 5G get better as we move to the standalone 5G Core (based on Release 16 specifications from 3GPP)?
Folke: Yes, it gets better. Today, 4G is already very robust in terms of security and has, for example, strong encryption. Now, 5G will improve security levels even further. The basic functionality for service-based architecture and slicing is already in Rel-15, and there will be additional features in Rel-16. On a high level, Rel-15 was about enhancing mobile broadband. Rel-16 will be more about supporting massive IoT with ultra-low latency features etc.
While 3GPP security mechanisms mainly support the control plane and signaling, they do not protect against all possible threats, for instance, distributed denial of service (DDoS) and radio jamming. Protecting against these threats is something that is left for vendor implementation and deployment, for example, scaling mechanisms and selective dropping/throttling in case of DDoS. Therefore, standards will only cover some security issues.
When talking to service providers, what are the main challenges they raise with packet core security solutions?
Folke: A main concern is how to proactively protect the user plane function and manage the internet, roaming and access threats. But how can you mitigate threats with 5G throughput and deploy a security solution without degrading the 5G latency? To maintain this, time-to-mitigation should be kept to milliseconds – which current dedicated security solutions can’t deliver.
Other concerns include deployment flexibility and how to scale the user plane together with the security functions to the edge. To support 5G use cases you might need to manage and orchestrate 100s-1000s of edge sites. And of course, total cost of ownership (TCO) is always a hot topic, as TCO increases proportionally with additional security network functions. Considering hardware capacity limitations on the edge, scaling dedicated edge security solutions to accommodate new 5G use cases becomes a showstopper.
How do you respond to their challenges?
Folke: The first step is to listen. Then we start to analyze how to best solve these challenges. As a result, in 2019 we launched Ericsson’s dual-mode 5G Core, a cloud-native 5G Core with common operations and maintenance for EPC and 5GC. Since then we have enhanced the solution with the Signaling Controller and built-in software probes. Now we continue with a new enhancement targeting service provider pain points in 5G Core user plane security by launching an integrated Packet Core Firewall.
Can you share more information about how this Packet Core Firewall is integrated in the user plane?
Folke: The integrated Packet Core Firewall is a cloud-native product, providing a fusion of user plane security and advanced security functions. It is a unique all-in-one security offering, powered by A10 Networks' leading security technology, and integrated in the Ericsson Packet Core Gateway. It’s all based on cloud-native architecture and principles.
Unlike dedicated security solutions, the integrated Packet Core Firewall provides a single cloud-native network function (CNF) solution, including user plane function (UPF) and firewall (FW), with efficient user session traffic management and no NFVI traffic steering, giving more than 50 percent TCO savings in NFVI SDN. Since there is no extra hop in the NFVI, 5G latency and throughput performance are also maintained.
The integrated Packet Core Firewall addresses security use cases for core network deployments in MBB and IoT. This single CNF solution means it scales in and out simultaneously with the UP, meeting specific 5G use case requirements, including edge/deep edge and small-scale deployments. As it’s tightly integrated with the UP function, it triggers no hardware dependencies, life-cycle management or orchestration complexities, enabling deployment flexibility to the thousands of sites at the edge.
Download the full solution brief, including ‘Securing service availability in 5G Core’ chapter here.
Thanks Folke, looking forward to learning more about this solution in the field. Let’s catch up again soon!
Folke Anger, Head of Solution Line Packet Core at Ericsson