Skip to main content

Securing 5G mobile anyhaul

buildings in night

5G brings so many benefits: better bandwidth, lower latencies, massive IoT support, and lots more. It also introduces new security considerations. Fortunately, our current Nokia solution for securing the 4G/LTE transport network, the Nokia IPsec Security Gateway, also provides the same security coverage for 5G. It’s just that some of the issues are a bit different with 5G, which is what I’m blogging about today.

It probably helps to review why mobile backhaul or anyhaul needs to be secured at all. Some mobile anyhaul travels over third-party networks, such as wholesale carriers, which can be a source of unauthorized entry. An attacker can snoop and even manipulate traffic on transit links, including fiber. Some segments go through Wi-Fi or the internet. Insiders within the operator’s organization can also account for a significant percentage of security breaches. And, finally, RAN nodes themselves can often be physically insecure, especially with small cells, which will play a much bigger role in 5G.

IP was first used for backhaul with 4G networks and required a new security protocol. IPsec provides three essential functions to secure a link: authentication, integrity and confidentiality. Authentication ensures that the sender and receiver are who they say they are by checking the authenticity of their certificates during IPsec tunnel setup based on their mutual trust of a certificate authority. The integrity of the data transmission in IPsec is done by authenticating the packets sent by the radio unit (RU), distributed unit (DU) or centralized unit (CU) to ensure that the data has not been altered in any way. Encryption ensures traffic confidentiality.

Whereas 4G allowed either a centralized or distributed RAN, both of which are still possible under 5G, there is now also the possibility of centralized and distributed Cloud RAN among other archtectures. These different 5G architectures enable operators to place the distributed unit (DU) and centralized unit (CU) in regional cloud data centers and the edge cloud (see figure 1). This creates new midhaul and fronthaul links that need to be secured — thus, we need “anyhaul” security.

Figure 1. Securing various RAN options in 5G with different distributions of RU, DU and CU.

infographic

While figure 1 may seem a bit complicated, it is actually only showing a subset of possible or theoretical configurations! These are the ones that we see as being the most likely. Note that only the upstream receivers of this IPsec traffic require a Security Gateway because the DU and CU can natively create IPsec tunnels. Also, with  control and user plane separation (CUPS), different anyhaul routes can be taken by the user (data) plane, control plane and management plane through multiple backhauling options, all of which can be secured separately by the Security Gateway.

There are several other key differences with 5G to consider, such as the addition of virtualization and decomposition in its cloud-native core architecture. Various functions as well as end-user applications can be distributed to the edge of the network for multi-access edge computing— often for the sake of time-sensitive networking and lower latencies.

The Nokia IPsec Security Gateway, coupled with the Nokia NetGuard Certificate Manager, accomodates all these different architectures. It has been highly successful in securing 4G/LTE networks and after a decade of successful deployments, there have been no known breaches of 4G/LTE public mobile networks. They have also withstood rigorous testing by public safety authorities who are now adopting them for public safety networks in many jurisdictions.

As we’ve seen, the move to 5G networks will multiply the need for Security Gateways, because of the greater variety of anyhaul options under 5G. But the fundamental characteristics of the problem are the same as in 4G/LTE, which brings a lot of confidence to operators as they implement 5G, knowing that the Nokia IPsec Security Gateway has a proven track record.

If you want more detailed information on the implementation of the Nokia IPsec Security Gateway in 5G networks, download our recently published application note which covers it in much greater detail.

Share your thoughts on this topic by joining the Twitter discussion with @nokia or @nokianetworks using #ipsec #ipanyhaul #backhaul