(L’italiano qui) Government hackers, data leaks, backdoors, malware, billions of objects connected… About how to protect systems against these threats with a “Security Fabric,“ I spoke with Fortinet’s Ronen Shpirer, EMEA Solutions Marketing Senior Manager, Benjamin David, Director Systems Engineering for Southern Europe and Filippo Monticelli, Regional Director Italy.
The 5G infrastructure is being deployed. Some networks are on. I’ve been told that security is intrinsic to 5G. So, how vulnerable is 5G, maybe already in the upgrade phase from 4G to 5G? What is required for these new more complex networks to be ready from a security point of view?
5G moves away from the very monolithic close environment that 4G was—with its interfaces and protocols that only network operators handled—into an extremely dynamic and open environment with web-based API calls, HTTP/2, and so on. This all requires a wholly different new type of security: you need to trace and check that the API calls are valid and correct and make sure that the intelligence, the awareness and the ability to look into protocols and identify malwares and attacks are there.
When 5G vendors say that 5G security is provided with the technology, they are talking about the cloud, which is fully orchestrated, automated and distributed, and does not allow human intervention anymore. The cloud has security mechanisms built in to make sure that errors are not made and that the network can correct itself to avoid conflicts, etc. This is however just one very specific aspect of security.
So, yes, 5G vendors provide a basic level of security, but there still needs to be a true security solution in place, and here vendors are not experts. That implies to the core, to the new RAN (Radio Access Network), to multi-access edge computing, to the telco cloud, to whatever IoT (Internet of Things) services they are going to provide and so forth.
With 5G this even becomes more drastic, in the sense that 5G, besides being the technology in itself more vulnerable and open to attacks and risks, if it keeps its promises, will allow for use cases where 5G itself is critical as the services it will provide. And if these are not secure, very bad thing to do things can happen.
There is much talk these days about government hacking, data leaks, backdoors…
Our job is to protect against any kind of attack, regardless of the source. Keep in mind, though, that when someone has the resources and the talent, eventually they will find a way in. So the question for the carriers and for enterprises is: what capabilities do you have to cater for such an event? Do you recognize as fast as possible that something is in, can you figure out as fast as possible how to solve it and how to mitigate? Whatever solution you need, we make sure that you have the right threat intelligence behind looking at the data constantly and that you have automation technologies, like sandboxing, so that if something suspicious comes in your security solution knows what to do without human intervention. We are constantly protecting against the unknown.
So, which are your target clients besides the carriers: the enterprises that will move their applications onto the 5G networks, or other enterprises providing services to enterprises, or the IoT dedicated networks…?
Unlike the previous question, this is not an easy one: we manage all of these aspects at the same time but with different teams. I take your IoT example. At the Mobile World Congress (MWC19) for instance, we had a team introducing how we protect IoT infrastructure against an IoT storm—and we are talking here about billions of connected things. At the same time, one of my colleagues was talking to an enterprise that had just sold IoT data to the market, and needed to secure its home data. Requests are different, like when you have to manage the connectivity side or the signaling side of a service provider, or when you have to protect databases or web APIs, or the firewall side of IoT, or the application side of the IoT… Our dedicated teams and solutions cater to each and anyone of the topics. We work together in an end-to-end solution providing the full service tackling all fronts of cybersecurity—network, content analysis, reputation base system, web apps firewalls, email, etc… We call it “Security Fabric.”
How do protect networks that can be sliced or segmented and have many layers?
In 5G service design, automation allows to select the type of security services that you want for the one slice or the one service. This solutions can be easily integrated because by design orchestrators enable virtual network function (VNFs: network functions that are software-based and separate from the hardware) as close as possible to the resources that need to be secured.
In this way the orchestrator can provision dynamically for the appropriate VNFs providing the security services in that one slice or segmentation.
So it is never a standalone solution. We are the enforcement points, the visibility points but we work with the bigger ecosystem of 5G to immediately put security in place where needed and when needed: if I want to deploy a security service now, I want it to be ready within 15 seconds, not 15 minutes.
How vulnerable is the edge in the case of 5g networks?
There are several aspects to this. A first one is scalability. We will see huge quantities of devices connected to the edge. You will want to provide them with the appropriate security services, but you will also want to be able to meet that need of scalability—millions and millions of devices—and scale not just to that number, but also to the bandwidth that they will have and to the type of services that they are going to consume. That is really an impact on the security provider.
Second, suddenly you are in fact taking some competences off the core and putting them at the edge of the network. This could be the case of the PDN (Packet Data Networks) gateways, which in some cases will have direct Internet breakout, so you will need to have there Internet firewalling as well… You have the core functionality plus a cloud environment, where you have applications and services delivered to the end users. Since these can be very critical it is essential that they are delivered in a secure way.
How do we segment between different types of traffic, users, applications? How do we make sure that the applications, the devices or the people trying to connect are allowed to do so? These types of considerations all go beyond what carriers are doing today, which is essentially planning for how to protect their networks.
With 5G, networks are not just connectivity but platforms for service delivery, so services need to be secured. This is crucial, because you don’t want to have a situation where you have an application that gets hacked and causes harm to human beings, because it didn’t have the right security services attached to it.
Your security systems need to be also scalable for performance…
That is a very good point. Traditionally, we have been providing appliances, physical appliances that have very, very high and wide performance with our SPU technology (virtual security processing units), and that contribute to our control plane to provide security capabilities such as content inspection and open SSL (Secure Sockets Layer) inspection.
We are talking here about a cloud environment—we believe that in the beginning it is going to be a hybrid cloud environment—where you have not only the physical appliances, but also the virtual ones running on a platform. And a said, you want a security service to be ready within 15 seconds, not 15 minutes.
We do this by having very lean, small-footprint, very efficient and very performing VNFs that can instantiate themselves very quickly, move very fast to the full capacity and upscale and downscale automatically.
How are you planning for 5G networks that support critical services or local dedicated networks like in the case of ports or airports?
In these cases, enterprises will want that the service provider guarantees not just security but also particular types of security. From a technical point of view this will happen before we expect, but it will be use case-driven. Especially in your example with restricted areas or in airport and ports or similar locations where also drones will be used, or in a nuclear plant.
In manufacturing, buildings can run on Wi-Fi for another 10 years. It depends on the field of activity, but the network evolution will not happen over the next year or the next 5 years. In the industrial sector, when a hardware solution is installed, it takes more than 10 years to replace it, because the equipment connected to it will not be refreshed before 10 years.
Retail is different. In a store you want to be able to connect to your visitors to provide ads, promotions or streaming. That means that you will need to have the latest technology, which could be Wi-Fi, 5G, network through lights… The main evolutions will be also to integrate thgem into the security vision of the physical location. Currently, on the retail side, we try to localize people to know if they spent five minutes in front of the chips or in front of soda or drinks, but perhaps in the future, the goal will be to use this same kind of localization to protect against threats.
What about Iot?
At the device, at thing level, either they are secure or not, and most won’t be. So the first point is that all their traffic is normally going to the nearest spot, like the edge, so we provide security there: we can terminate the sessions, desencrypt them to look at the traffic, analyze them, segment them, decide what different type of IoTs can access or not, make an informed decision whether it makes sense that an IoT connects to one IP address, and so on.
But it doesn’t end here because all of that traffic is going to be aggregated and moved to a platform, which will store it, analyze the data and share the information. Since this platform is multi-tenant, we need to segment it, see who is trying to use it, and what they are trying to do. We need to be able to show that access via web applications is secure, and that the information being transferred though emails is secure. Then we provide data leak protection. It is an entire ecosystem for which we provide security.
And what about the physical infrastructure?
This is easy to respond. We don’t protect the antenna physically, against, say, an attempt to replace it, but we have protection in place for the signaling part. I can guarantee that nobody can avoid the control plane at the other end of the antenna.
There are and will be so many fronts and use cases…
What organizations need is a global, systemic approach that applies to every type of organization and that addresses the complexity of the current technological scenario—from the IoT to the cloud, with visibility on every single device, appliance or network segment, whether it is virtual in the cloud or local, and against ever increasingly sophisticated threats. A “Security Fabric”, to put it briefly.