
Stop, Think, then Do: Rethinking Security Architectures for 5G Networks

Traditional approaches to telecom security are not cutting it, so why do some telecom professionals continue to think that traditional approaches to security will work in the future? One problem with traditional approaches is that they make incorrect assumptions about security: assumptions that lead to failure.

It’s time to stop and rethink how to build and operate secure telecom networks to avoid creating difficult-to-secure 5G architectures that will be nearly impossible to fix or replace later.

Existing Architectures Complicate the Ability to Apply Patches

Most technology vendors try to build secure hardware and software and follow sound security policies as they develop their products. Yet a quick glance at the security advisories from a variety of vendors shows that at least five of them reported important vulnerabilities in their products in February 2021. This spate of reported vulnerabilities provides the first hint that there are faulty assumptions at play.

A comprehensive approach to security cannot be built on component security alone. But surely security must start with vendors? That’s true, and most vendors tend to release patches quickly for reported vulnerabilities. But what is the benefit of quickly released patches when the components deployed in an end-to-end solution cannot be patched because of differing solution dependencies or inadequate resources to implement the patches?

The situation can rapidly devolve further if vertical stack providers, which use other vendors for components in their vertical stacks, do not supply the component patches in time. At that point, simple component security has no meaning in itself.

Once the patches are supplied, the operational capacity of CSPs can limit their ability to patch their environments within 14 days of a critical patch’s release. Most service providers, it seems, struggle to patch their environments twice a year. If service providers can switch to a SecDevOps operational model, it will help them patch systems faster and shift to a position of strength. SecDevOps alone, however, is not enough.

Shifting to a Proactive Position of Strength

Communications service providers need a new approach. At VMware, we call this new approach intrinsic security for telecom networks. It is neither a product nor a solution. Rather, it is a strategy for taking advantage of your infrastructure, architecture, and control points in new ways and in real time so that you can shift from a reactive security posture to a proactive position of strength.

It is about using what you have in new ways to help unify your security and network service teams; accelerate how they identify risk; enable them to automate patching without service disruption; and empower them to prevent, detect, and respond to threats with the right context and insight. This approach assumes that the next critical vulnerability will be announced today and assumes that exploits using it will be directed at your network.

Isolate, Abstract, and Automate: Traits of an Intrinsic Approach

Here’s a summary of the key characteristics of intrinsic security:

  • Build a horizontal platform architecture that lets you deploy multi-vendor solutions on the platform. This architecture lays the foundation for a consistent approach to security by providing the basis for proper separation and segmentation, which limit the blast radius of an exploit. Using separate vertical stacks makes security exponentially more difficult.
  • Use the abstraction layer of virtualization and avoid bypassing abstraction layers as much as possible. A major advantage of virtualization is the abstraction between hardware and an application’s operating system. The virtualization layer lets you automate patching without service disruption. Bypassing the abstraction layer with technologies like CPU pinning and SR-IOV makes patching of independent components much more difficult without disrupting a service.
  • Use an API-driven, software-based overlay network solution to foster the kind of programmatic automation that is impossible with traditional SDN concepts created for underlay automation. Use this network architecture to implement proper segmentation and firewalls between services, devices, the management control plane, and management system access.
  • Implement orchestration tools to automate as many operational procedures as possible to avoid human error and configuration mistakes.
  • Build a zero-trust management access solution that properly secures the management plane for both internal and third-party access.
  • Use security tools like VMware Carbon Black that can analyze behavior of both users and components at cloud scale over time and undertake automated responses.
  • Select VNF and CNF vendors that make public their vulnerabilities so their customers can take appropriate actions and mitigations as quickly as possible. There is no security in obscurity.

At its core, intrinsic security is built into the infrastructure and the network to focus defenses in the right place at the right time. Future blog posts will delve into the key characteristics of intrinsic security for telecommunications infrastructure and 5G networks.

Previous Blog Posts and Papers on Telecom Security

This blog post is part of a continuing series of posts on security for telecom infrastructure and networks. Here’s a list of previous blog posts on security:

In addition, see our high-level solution overview titled Protect infrastructure with built-in measures and our technical white paper titled Intrinsic Security for Telco Clouds at the Dawn of 5G: An Integrated Approach to Helping CSPs Meet Emerging Security Standards.

Evolution in Principle: Emerging Wireless Security Threats and the State of Cybersecurity

By Henrik Oberg, VMware Telco Cloud Specialist, and Steve Hoenisch, VMware Technical Marketing Manager

The evolution of security threats is outpacing the transformation of telecom networks. Given the current state of telecom networks and their shift to 5G architectures, the rapid emergence of new security threats and attack vectors demands new principles and new approaches to protect telecom network security.

Part of the problem lies not in the changing security landscape but in the evolution of telecommunications networks themselves. Initially, 1G and 2G wireless cellular networks were considered additional networks that didn’t require the same security measures as fixed-line PSTN networks. As the importance of the wireless networks grew and 3G became the standard, the importance of security requirements ballooned. With the first generations of mobile networks before 3G, the number of connections was growing quickly, and poor security meant that phone calls and their mobile networks could be easily compromised. With 3G, however, telecom standards organizations began to mandate better security.

But the security requirements of PSTN networks were largely superimposed on 3G networks, despite their differences. 3G networks carried similar requirements to PSTN networks, and similar security measures were implemented.

3GPP standards for security have evolved, and with 4G and then 5G the standards improved security for existing attack vectors on the signaling plane between services, for example, but many of these measures are optional and open to interpretation in a multi-vendor environment. In addition, 3GPP standards are only applicable on the 3GPP level and do not consider the underlying new cloud architecture being implemented for 5G solutions. Some of the critical use cases for 5G being promoted, such as low-latency communications for autonomous vehicles and super-low-latency health care applications, elevate 5G networks to national security infrastructure.

Publish and Perish

Hackers were, of course, considered the main threat. To defend against them, most operators implemented an early 21st-century approach. It entailed building security controls to fulfill security requirements for every component, both hardware and software, and then using third-party automated testing tools to test the implementation.

Such an approach, however, brings with it a problem that plagues telco network security to this day: The security system is only reactive to known threats. As new threats and exploits emerge, they render the security requirements of the underlying compliance regulations obsolete. For many security standards and published guidelines from government bodies and industry-agency partnerships, the end result can all too often be summarized as publish and perish.

The Co-evolution of Security Requirements and Network Hackers

As soon as a set of security requirements, certifications, or compliance guidelines is published, organizations begin implementing security measures to meet them and the tests to prove it. When the guidelines are published, however, hackers start looking for gaps they can exploit. Since the testing tools that are often used to validate a security implementation will not unearth holes or attack vectors that are outside the implementation of the guidelines, fulfilling the guidelines does not mean that a platform or network is in fact secure. Hackers, unfortunately, find a way to infiltrate the networks and systems built with these published guidelines.

There are several related problems that stem from this kind of regulation-driven approach to cybersecurity:

  • As the main threat moves from individual hackers to organized groups of hackers protected by nation states, a regulation-driven security model becomes less effective. Organized hackers have the time and resources to mount long-term, coordinated attacks at various levels.
  • Some regulations do not adequately single out security-sensitive parts of a network, nor do such regulations typically limit the blast radius if a system or network element is compromised.
  • A regulation-driven approach does not identify how configuration errors should be avoided. Manual configuration errors are always a possibility, and they have been at the core of some highly publicized recent attacks. What’s more, there can be a divergence between automated testing and human misconfiguration and error. Many organizations should strive to automate as much configuration as possible to help eliminate us error-prone humans from the equation. Still, there will always be a balance here because it is, after all, us humans who build the automation.

Shifting the Focus from Requirements to Principles

A modern security approach should ensure that security is built into products and operations based on a set of principles and policies that recognize the need to continuously evolve security to protect against known, new, and unknown threats.

Principles and policies can be found in some emerging security guidelines, such as new telecom security requirements (TSRs) from the United Kingdom’s National Cyber Security Centre. Examples include the principle of least privilege, not only for administrators but also for connections across systems and services. Isolation and segmentation provide additional examples: Both are key because they force you to identify sensitive systems and to limit the blast radius if there is a breach. Proper network segmentation ensures that only components that should be able to communicate can communicate.

Here are a few more key principles and policies:

  • Automate as much as possible of both deployment and operations to minimize human errors.
  • Ensure that there is a properly secured system for management and operations access to the network components. This type of access, which is typically through what is sometimes called a privileged access workstation, should include secure access for required third-party personnel.
  • Identify security-critical systems in relation to systems management, automation, and orchestration tools.
  • Test early and often with tests that continuously evolve at multiple points in system, network, and service chains, including unexpected possibilities; for example, system changes necessitate both new and modified tests.
  • Monitor both components and human behavior for changes by, for instance, using a tool like VMware Carbon Black. Carbon Black is a cloud native endpoint and workload protection platform that combines system hardening and behavioral prevention to keep emerging threats at bay. By analyzing security events, Carbon Black proactively uncovers attackers’ behavioral patterns and empowers you to detect and stop emerging attacks.
  • Assume you will be or already are compromised. The implication here is to plan and deploy systems in a way that limits damage. For example, relying only on cryptographic authorization and encryption can be a problem in the cloud: a hole in the authorization or encryption creates a large attack vector. To protect against the inevitable, you must be able to isolate every level in the stack with virtual firewalling and other means, such as network access policies. Encryption should be accompanied by micro-segmentation.
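As an added example that is not part of the original post (nor VMware code), the following Python sketch models the default-deny segmentation and blast-radius ideas from the principles above and from the "Isolate, Abstract, and Automate" list in the first post: workloads are assigned to zones, only explicitly allowed zone-to-zone flows pass, and a breadth-first search estimates which workloads an attacker could reach from a compromised one over permitted connections. The zone names, workload names, ports and allow rules are constructed assumptions, not a real deployment.

```python
"""Zone-based segmentation check with a blast-radius estimate.

Added example, not from the original post. All zones, workloads, ports and
rules below are constructed for illustration.
"""
from collections import deque

# Constructed zones: each workload belongs to exactly one segment.
ZONES = {
    "paw-01": "mgmt-access",       # privileged access workstation
    "orchestrator": "mgmt-plane",
    "amf-cnf": "5g-core",
    "smf-cnf": "5g-core",
    "upf-vnf": "user-plane",
    "vendor-jump": "third-party",  # vendor (third-party) access host
}

# Constructed allow rules: (source zone, destination zone, port).
# Anything not listed is denied (default deny).
ALLOW_RULES = {
    ("mgmt-access", "mgmt-plane", 443),
    ("third-party", "mgmt-access", 443),   # vendors enter via the PAW zone only
    ("mgmt-plane", "5g-core", 443),
    ("mgmt-plane", "user-plane", 443),
    ("5g-core", "user-plane", 8805),       # assumed PFCP between SMF and UPF
    ("5g-core", "5g-core", 8080),          # assumed SBI between core CNFs
}


def is_allowed(src, dst, port):
    """Default-deny: a flow passes only if an explicit zone rule matches."""
    src_zone = ZONES.get(src)
    dst_zone = ZONES.get(dst)
    if src_zone is None or dst_zone is None:
        return False  # unknown workloads never get traffic
    return (src_zone, dst_zone, port) in ALLOW_RULES


def evaluate_flows(flows):
    """Return (src, dst, port, 'ALLOW'|'DENY') for each sample flow."""
    return [(s, d, p, "ALLOW" if is_allowed(s, d, p) else "DENY")
            for s, d, p in flows]


def blast_radius(compromised):
    """Workloads reachable from a compromised one over allowed rules.

    Breadth-first search over the workload graph induced by ALLOW_RULES
    (any permitted port), treating lateral movement as 'can open a
    permitted connection to'. The compromised workload itself is excluded.
    """
    reachable = set()
    queue = deque([compromised])
    ports = {p for (_, _, p) in ALLOW_RULES}
    while queue:
        cur = queue.popleft()
        for other in ZONES:
            if other == cur or other == compromised or other in reachable:
                continue
            if any(is_allowed(cur, other, p) for p in ports):
                reachable.add(other)
                queue.append(other)
    return reachable


if __name__ == "__main__":
    # Constructed sample flows: a legitimate SMF->UPF session and an attempt
    # by the vendor host to talk to the orchestrator directly.
    for row in evaluate_flows([("smf-cnf", "upf-vnf", 8805),
                               ("vendor-jump", "orchestrator", 443)]):
        print(row)
    for start in ("upf-vnf", "vendor-jump"):
        print(start, "->", sorted(blast_radius(start)))
```

Running it shows that a compromise of the user-plane workload is contained (no rule lets it initiate anything), whereas the third-party jump host can reach every other workload by hopping through the PAW and management zones. That is the kind of path a zero-trust management access design should break, for instance by scoping vendor access to a specific target and session rather than to a whole zone.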

Extending Protection Principles to CNFs

Similar principles apply to containerized network functions (CNFs). As you work to package and deploy networking code in containers for 5G, you should consider how to secure the container lifecycle and address the following principles and policies, conceivably in a multi-cloud environment, a context often overlooked, at least in a detailed way, by telecom security standards:

  • Protect CNFs as they move through a continuous integration and deployment (CI/CD) pipeline.
  • Implement a trusted container image registry with role-based access control and vulnerability scanning.
  • Test containers to eliminate privileged access or execution.
  • Inspect containers against security benchmarks.
  • Automate security patching of containers.
  • Isolate, protect, and monitor the communications of CNFs and microservices.
  • Enforce policies governing CNF connectivity.
  • Protect your CNF supply chain by establishing end-to-end security from code provenance to CNFs running in production, preferably by using DevSecOps.
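The following added example (not code from the original post or from VMware) turns several of the CNF principles above into a concrete pipeline check: it audits a Kubernetes Pod manifest for privileged execution, shared host namespaces, root execution, a writable root filesystem, undropped capabilities, and images that are not pulled from a trusted registry or not pinned by digest. The manifest, the registry name and the digest are constructed; the checks are modelled on common container benchmark items rather than on any specific vendor's scanner.

```python
"""Audit a Kubernetes Pod manifest for over-permissive container settings.

Added example, not from the original post. The manifest is constructed
(JSON form, which Kubernetes accepts alongside YAML) and the registry
prefix is an assumption.
"""
import json

TRUSTED_REGISTRY = "registry.example.internal/"  # assumed trusted registry

# Constructed sample: a privileged UPF container on the host network next to
# a hardened sidecar. The sha256 digest is a placeholder, not a real image.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "upf-cnf-demo"},
  "spec": {
    "hostNetwork": true,
    "containers": [
      {
        "name": "upf",
        "image": "registry.example.internal/upf:latest",
        "securityContext": {"privileged": true}
      },
      {
        "name": "sidecar",
        "image": "registry.example.internal/telemetry@sha256:0000000000000000000000000000000000000000000000000000000000000000",
        "securityContext": {
          "runAsNonRoot": true,
          "readOnlyRootFilesystem": true,
          "allowPrivilegeEscalation": false,
          "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}
        }
      }
    ]
  }
}
""")


def audit_container(c):
    """Return a list of finding strings for one container spec."""
    findings = []
    sc = c.get("securityContext", {})
    name = c.get("name", "<unnamed>")
    image = c.get("image", "")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    # Missing allowPrivilegeEscalation defaults to allowed, so treat absence as a finding.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    if not sc.get("runAsNonRoot"):
        findings.append(f"{name}: runAsNonRoot not enforced")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: root filesystem is writable")
    caps = sc.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
    if not image.startswith(TRUSTED_REGISTRY):
        findings.append(f"{name}: image not from trusted registry")
    if "@sha256:" not in image:
        findings.append(f"{name}: image not pinned by digest")
    return findings


def audit_pod(pod):
    """Return findings for pod-level settings and every container."""
    findings = []
    spec = pod.get("spec", {})
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns} enabled (shares host namespace)")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(audit_container(c))
    return findings


if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```

In a CI/CD pipeline this kind of check runs before an image or manifest is promoted, so a non-empty findings list fails the stage; the hardened sidecar in the sample passes cleanly, while the privileged UPF container and the pod-level hostNetwork setting each produce findings.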

Continuously Evolve

On a final note, embracing DevSecOps and continuously applying new security principles can help you address emerging threats and evolve security so that it keeps pace with them. In future posts, we will elaborate not only on the principles and policies we mentioned but also on how to implement a 5G network with security that’s built into the stack.