It’s Never Too Early

Find the Right Path to Secure Your 5G Network

All experts agree that DDoS attacks are increasing in volume and complexity. In the telecom industry, whether aimed at the network or at individual users, every DDoS attack dumps garbage traffic onto the network, which can affect customer Quality of Experience (QoE) and even lucrative SLA fulfillment for business customers. That’s why every telecom service provider needs to have a comprehensive DDoS attack protection solution for their network.

But will DDoS attack protection designed for 4G networks work on a 5G network? The harsh reality is that it will not — at least not effectively. With 5G, the threat landscape will grow exponentially larger for numerous reasons including massive deployment of IoT that will add many millions of new connected devices to the network. That translates into the growth in potential points of attack with hundreds of traffic-sensitive multi-access edge computing (MEC) servers, and the greatly increased throughput per connection. 

Add to that the expectation for ultra-low latency for critical applications, and you can see how a sluggish DDoS mitigation solution, even for relatively small attacks, can cause major headaches, if not financial loss for 5G providers. To avoid unnecessary service disruptions, 5G providers need to implement inline DDoS attack protection that is designed and built specifically for 5G.

5G Attack Surface

Although prevalent in 4G networks, two architectures will dominate across 5G networks and are already becoming more commonplace in today’s networks: (1) network function virtualization (NFV) and (2) cloud native networking. These architectures further complicate the DDoS attack protection picture, and not every solution takes them into consideration.

With NFV, physical appliances are replaced with virtual network functions (VNFs). This can significantly lower CapEx but requires a different approach in contrast to traditional network architecture. 

In terms of DDoS attack mitigation, an NFV-based solution needs to be deployed as a set of DDoS attack mitigation VNFs. In a 5G network, this is important when network slices (dedicated logical virtual networks) can support different customer performance requirements — for example, ultra-low latency services or a dedicated slice for a particular application. 

When a 5G provider markets slices to their business customers, they need to offer end-to-end protection against attacks. Only a solution that is designed to operate with 5G slices supports this type of offering.

Rethinking the 5G DDoS Solution

Cloud native telecom network architecture is similar to NFV in that services are virtual. However, in cloud native networks, the network functions are developed as software in a public or private cloud environment. Those cloud environments can be built on one platform or across a mix of several platforms. Unlike NFV architecture, cloud native network functions (CNFs) are composed of microservices — small, scalable components that can be called up in conjunction with one another from the cloud, to perform their combined function. Some telecom providers are starting to migrate their legacy networks to cloud native, while others are new to the game of creating a cloud native network from the ground up. Regardless of which scenario is true, cloud native networks deliver advantages that also come with challenges.

The cloud native approach improves network elasticity and scalability. But it, like NFV, adds a level of complexity to DDoS attack detection and mitigation. A cloud native DDoS attack solution is also built of microservices that are activated and deactivated instantly, as required. This is the direction that 5G telecom networks are headed. A good example is Rakuten in Japan. They are building a new 5G network utilizing cloud native technologies including DDoS attack detection and mitigation services. 

Another advantage of microservices for DDoS attack protection is that the detection and mitigation services can run on selected slices for selected applications. This adds to the flexibility of the solution by using the underlying network architecture to its advantage.

Further complicating the DDoS attack protection story is the ultra-low latency facet of 5G networks. This feature of 5G ranges from a QoE feature for consumer applications to a critical feature for machine-to-machine (M2M), automotive, healthcare, and other applications that rely on near-zero latency to function. 

The way to ensure that the DDoS attack protection solution does not interfere with mission-critical latency policies is to implement an inline solution that inspects network traffic without adding latency and, in case of an abnormal event, prioritizes mission-critical traffic. An inline DDoS attack protection solution will also reduce reaction time to seconds when a DDoS attack hits.

Regardless of how DDoS attack protection is implemented, high-bandwidth access is one factor that is common to all 5G networks. It is not only the primary draw of 5G; it also adds complexity to the process of detecting attacks. High-bandwidth connections present an unprecedented amount of data flowing end to end with each connected device on the network. Only a solution with a high-bandwidth interface in the range of 100Gbps is fast enough to catch attacks among all the legitimate traffic in time to make a difference.

Inline DDoS Protection

It’s Never Too Early to Secure the 5G Network

It is not uncommon for new technologies, which bring fantastic benefits to the market, to also bring with them challenges, and security is usually at the top of the liabilities list. Fortunately, with 5G, many of the vulnerabilities have already been identified and bridged. That’s not to say that as 5G technology matures we will not discover new security vulnerabilities, but it is important that 5G providers plug the known holes as soon as possible. In some cases, intuitive CSPs are working on DDoS and botnet attack mitigation before their 5G networks are even built.

In a cloud native 5G network, whether it is built over bare metal, virtualized or cloud native technology, or from the ground up, 5G opens the door to multiple security vulnerabilities with the growth of bandwidth and unprotected IoT devices used to perform attacks, new latency standards, and the architecture itself. 

  • To protect the user plane against DDoS and botnet attacks, 5G network providers need to implement an inline solution that blocks even the most evasive new attacks while providing QoE assurance for mission critical applications. 
  • The solution needs to collect information on each subscriber from the 5G session management function (SMF) so that infected subscribers can be properly tracked and quarantined to prevent future attacks. 
  • The solution should be able to mitigate attacks that are initiated from both the Internet as well as from the network subscribers themselves. 
  • It should be compliant with the unique architectural components of the 5G network.
  • It should be fast enough to handle the massive amounts of traffic that needs to be checked to enable fast and accurate attack detection and mitigation. 

These considerations serve as building blocks in the construction of a well-protected 5G network that offers excellent QoE, and ensures a trusting relationship with customers.

For more information, email allot-marketing@allot.com or visit https://www.allot.com/. You can also follow us on Twitter @allot_ltd. Read Itay’s blog at https://www.allot.com/blog/author/iglick/.

About Author

Itay Glick is the AVP of Network and Cloud Security at Allot. He has more than 17 years of executive management experience in cybersecurity at global technology companies based in the US, Europe, and Asia. Itay launched his career as a software engineer in an elite intelligence unit of the Israel Defense Forces. He holds an M.B.A. from Bar-Ilan University and a B.Sc. in electrical engineering from the Technion – Israel Institute of Technology.
