Securing Your 5G Edge

API Protection: A Must-Have in 5G API-Driven Ecosystems

Service providers have been using more APIs in their networks as they’ve disaggregated network hardware from software and adopted microservices to make their networks more modular and efficient. The trend is ever more important with cloud-native 5G, which uses a service-based architecture built with container-based microservices that are interconnected with APIs. Service providers will also use APIs to give their partners and customers access to services and applications in the MEC environment. This facilitates integration of third-party solutions and a proliferation of enterprise applications, and it plays a vital role in massive machine-type communications, a key use case in 5G.

Given the reliance on APIs for service and business integration, service providers should assume that APIs have the potential to introduce additional threat vectors in a network, and they should take precautions to ensure these software components are as safe as they can be. In fact, F5 has found that lack of authentication or inadequate authorization can leave APIs vulnerable to attack^.[2] APIs must be analyzed, authenticated, and secured before they are allowed on the network and they must be managed throughout their life cycles to ensure their safety.

API Gateways Guard the Door to Your MEC

API gateways have quickly become necessary for managing a diverse set of APIs and their traffic. The gateways are especially suited to managing traffic coming into the network from outside connections. They can play an important role securing 5G services. As described by the 5G Future Forum, the API gateway helps prevent “accidental or deliberate uses of requests targeting the infrastructure and services.” ^[3]

Many API gateways offer integrated authentication and authorization functionality, and these capabilities can limit the impact of an intrusion in the event that a public-facing API endpoint is compromised. The API gateway must deliver these precautions without degrading the gateway’s functionality when routing traffic to ensure the 5G service achieves its requirements for low latency and other demanding performance parameters. The gateway should also use lightweight programming to manage API traffic for microservices, which have a small footprint in the network.

The F5 API Gateway, available as part of NGINX Plus, is a cloud-native solution that simplifies security for microservices architectures. It meets the recommended requirements for integrated authentication and authorization and is ideally suited for use in 5G MEC environments. The solution also provides a portal and documentation for developers.

IoT Security: Strategically Placed in the 5G Access Network

Human beings have been considered the “weakest link” for network security, but now with IoT devices pervading the ecosystem, connected devices are also a serious concern. The sheer number of connected devices, the range of use cases, and device limitations increase the scale and scope of potential vulnerabilities. The conditions are unprecedented and create a networking environment attractive to IoT botnets. When designing IoT services architectures, service providers must include security as part of the design.

For example, the mobile operator industry organization GSMA projects that the number of IoT devices connected to the network will reach nearly 25 billion globally by 2025, up from 12 billion in 2019.^[4]. Many of the IoT use cases expected with 5G will require specialized security. This includes devices used for mission-critical communications to autonomous vehicles, connected health devices, and telemedicine as well as entire ecosystems that will emerge with “smart” infrastructure including buildings, manufacturing facilities, smart homes, and the smart grid.

The sheer number of connected devices, the range of use cases, and device limitations increase the scale and scope of potential vulnerabilities.

IoT devices, themselves, can only do so much to mitigate the risks. Devices used in small-form factor IoT designs, in particular, have limited computing power to allocate for security. And even if the devices can accommodate security features, inconsistent delivery of security updates by device manufacturers can undermine these precautions. The issues can be long lasting because many IoT devices are expected to be in use in the market for many years. 

Service providers do need to address IoT security throughout their systems, but with 5G and MEC architectures, they have an additional, strategic need to incorporate protection at the critical point where IoT data enters the edge of the network. A practical and robust solution should allow service providers to offer IoT security services without the need to host the service in their data centers or directly manage it. The solution should be designed to mitigate network threats, device threats, and service abuse. It should be subscriber-aware and protect against unmanaged IoT devices.

IoT Gateways That Understand IoT and Security Protocols

IoT gateways, deployed in the access network, enable connected devices to use the network and applications. Because communications from devices are funneled through these locations, the gateways consolidate a variety of services needed for the success of IoT initiatives—including security.

The F5 IoT Gateway, for example, is built to understand the many protocols used in IoT as well as security protocols. The gateway can understand IoT routing messages and topics to ensure data is valid before transmitting it, providing a strategic point of control for security enforcement.  The F5 IoT Gateway protects against exploitation by detecting anomalies and bad behavior. The process not only ensures security, but also prevents the waste of precious network resources on illegitimate or malicious connections.

 

Subscriber-Aware IoT Firewalls That Are Shareable and Scalable

An IoT firewall is a user-plane firewall deployed near the core. It goes beyond the capabilities of traditional network firewalls because it is specific to the IoT domain and can provide device-aware, application-centric policies to prevent threats from the IoT device that would otherwise disrupt the integrity and availability of the service provider’s network.

For example, an IoT firewall ensures that devices connect only to “safe” locations in the network and not to unknown services. The precautions minimize the chances devices will be compromised through malware or exploited remotely by malicious communications. This capability also prevents IoT devices from being used for unintended services that reduce revenue for the service provider or application owner.

The F5 IoT Firewall addresses these concerns for service providers and their partners. As shown in Figure 1, the firewall is both scalable and granular to provide IoT security cost-effectively in the edge environment. For example, the firewall can be shared between different IoT customers and easily support thousands of IoT customers with subscriber awareness, enabling each subscriber to implement their own security policies. It can accommodate traffic for millions of devices. The solution significantly simplifies deployment and lowers operational costs for service providers and their customers, giving service providers confidence in their ability to provide ongoing, high-quality services in the face of new threats.

Figure 1: The IoT Firewall data plane serves as the enforcer of the security policy implemented by the customer, allowing the passage of explicitly permitted traffic, and blocking all other traffic. Customer 3 is passing infected traffic from an infected device. Green lines represent traffic that is allowed to pass, while the red line represents traffic that is blocked.

DDoS Mitigation: Preventing Attacks Rapidly, Efficiently, and at Scale

DDoS attacks on service provider networks are increasing in size, frequency, and significance. According to F5 research, 77% of attacks handled by the F5 Security Incident Response Team in 2019 were DDoS related. Moreover, the risk is accelerating with a 52% increase in reported DDoS attacks on publicly exposed service infrastructure in 2019.^[5]

DDoS attacks have serious implications because they steal bandwidth and compromise the connections of legitimate users. The attacks are getting more complex, sophisticated, and adaptive as botnets find ways to exploit network capabilities to execute ever larger attacks. In response, service providers are using proactive solutions such as F5 Advanced Web Application Firewall (Advanced WAF) to detect and stop these evolving threats.

For service providers rolling out 5G on cloud-native distributed architectures, there is growing concern that a new generation of hyperscale DDoS attacks will threaten their networks. In particular, the distribution of compute resources at the edges and far edges of the network opens more opportunities for DDoS and other threats to enter 5G systems. Edge resources will also attract increased threats from the billions of connections on the network—and 5G’s powerful connections, used for high bandwidth or ultra-low latency use cases, will help speed the attacks.

The industry has noted the security implications for 5G’s distributed core architecture. According to 5G Americas, architectural vulnerabilities will include “low latency capable (next-generation N6) interfaces exposed to the Internet and susceptible to DDoS and DoS threats from the Internet.”^[6]

Service providers deploying DDoS protection in this environment should look for efficient, high-performance solutions designed for implementation at this point in the network. The solution should be applicable in cloud-native environments built on commercial off-the-shelf servers, and automatically detect and protect the service provider network against volumetric DDoS attacks. It should provide the performance to ensure service providers can deliver ultra-low latency connections and meet service level agreements (SLAs) without requiring customized hardware. The solution should be proactive rather than reactive so it can protect capacity of the server for other purposes, provide scalability and CPU efficiency to reduce operating costs, and ensure that service providers and their customers avoid any revenue losses associated with outages.  

F5 DDoS protection, delivered via the Intel SmartNIC, fulfills these requirements and more. F5 is the first company to use virtual DDoS software with SmartNIC technology, and the solution is ideal for the MEC environment. The SmartNIC device is deployed on a node and integrated with F5 BIG-IP Virtual Edition.

The solution has been proven in the market for service provider networks. In fact, many have used it in fronthaul in O-RAN architectures, where it is deployed on distributed units (DUs). It works by detecting DDoS attacks and offloading the affected traffic to a scrubbing center to keep the node secure and protect routine traffic. As an added precaution, it uses topology hiding to mask the internal structure of cloud-native functions (CNFs) within a Kubernetes cluster. When deployed on nodes at the edge of the network, service providers will be able to extend these protections, and their benefits, to these locations.

F5 and its customers have found that the solution provides unparalleled DDoS mitigation capabilities in cloud environments, which service providers need as they build out their 5G architectures. The solution can withstand DDoS attacks up to 300 times greater in magnitude than software-only versions of the solution while reducing total cost of ownership by 47%.^[7]

Figure 2: F5 DDoS protection, delivered via Intel SmartNIC, can be deployed as part of an ingress function to stop attacks from stealing bandwidth from legitimate users. The solution prevents bad traffic from reaching the core network, reducing edge-to-core data transmission costs. And because it integrates with BIG-IP AFM, it can become multi-functional by adding other virtualized network functions (VNFs), such as carrier-grade network address translation (CGNAT) or DNS.

App-Centric Firewalls: Designed for App-Centric 5G Networks

The 5G network is app centric. Its cloud-native, service-based architecture runs on applications. Service providers deploy virtualized core services, network slices, and other key functions in Kubernetes-based software containers, and the network’s distributed architecture gives them the flexibility to move many of these internal applications to the MEC. Enterprise and consumer applications can also run in the MEC environment.

The architecture requires app-centric security because compromised apps can cause service downtime, expose sensitive data, and enable fraudulent transactions. Service providers can use firewalls to mitigate these risks. Two approaches are recommended: firewalls that secure access to apps and firewalls that secure the apps themselves.

 

Using Firewalls to Secure Access to Apps in the MEC

Service providers can use firewalls to protect access to container-based applications that are deployed in the MEC. The approach can protect the service providers’ MEC-deployed core network functions and applications as well as enterprise and consumer applications hosted there. By guarding access to applications, the firewall mitigates attacks before they degrade or overwhelm services. The firewall must have the scalability, flexibility, performance capabilities, and control to stop the most aggressive attacks.

F5 BIG-IP Advanced Firewall Manager (BIG-IP AFM) for service providers protects container-based applications regardless of platform or location in the network with advanced network protection capabilities that exceed traditional firewalls. It works by putting a firewall around the application itself. It delivers high-performance DDoS protection with a full-proxy architecture that enables inspection and detection of DDoS attacks, which is unusual for firewalls. It aligns firewall policies with the applications it is designed to protect, thus increasing the effectiveness of policies. And it intercepts and inspects all incoming connections and ensures a connection’s safety before letting it reach its intended application, which increases the accuracy of threat detection.

F5 BIG-IP Advanced Firewall Manager (BIG-IP AFM) for service providers protects container-based applications regardless of platform or location in the network.

Service providers can use BIG-IP AFM to mitigate network flooding, DNS threats, DDoS, and other attacks while allowing legitimate traffic to flow through without compromising application performance. In addition to its protective role, BIG-IP AFM streamlines security operations. It can be deployed as an appliance, virtualized network function (VNF), or container in Kubernetes, which makes it easier to integrate, and it scales easily to meet any level of traffic demand. It has an efficient user interface that helps automate deployment, implementing security policies, monitoring, and deprovisioning. Its dashboard provides extensive visibility into application security status for insights and analysis.

Using Firewalls for Application-Layer Security at the Edge

Applications are often the target of attacks. These attacks can be hard to detect and prevent because organizations might inadvertently leave their applications unprotected, bots might bypass standard protections, and the attacks can be especially sophisticated when coordinated by organized crime or nation states.

5G service providers need to keep these critical risks in mind as they deploy containerized applications in the MEC, taking added precautions to make sure data processed at the edge is secure and can’t be stolen. Enterprise applications and public cloud-services deployed in the MEC must also be protected.

F5 Advanced Web Application Firewall (Advanced WAF) provides controls at the application layer to protect communications that go over web-based apps as well as servers. The solution can be used to secure web applications, microservices, containers, and APIs. It provides application-layer encryption to prevent web attacks that steal credentials and gain unauthorized access to user accounts. It performs web scraping, protects applications from malicious bots, provides DDoS detection and mitigation, and isolates malicious from legitimate traffic. It is highly programmable and intelligent so it can dynamically adapt policies and proactively stop attacks.

Advanced WAF provides many benefits for security operations. For example, built-in intelligence and auditing capabilities make it easy to understand and maintain compliance with key security standards and regulatory mandates. The solution performs dynamic security testing and automatic virtual patching to quickly identify and resolve vulnerabilities. A feature-rich, interactive dashboard, suitable for use by experts and generalists, provides direct visibility into attacks. With these insights, service providers can make confident and informed security decisions to keep their applications secure.

Securing Your Edge

F5 offers vital know-how and solutions that help service providers address these strategic challenges. The company’s extensive heritage in enterprise networking, service provider networks, and 4G helps operators securely deploy new platforms and run 5G services such as enterprise workloads in the cloud. With the robust and comprehensive solutions they need, service providers can ensure security for both their current and future edge deployments.

^[1] Analysys Mason, “Edge Computing: Operator Strategies, Use Cases, and Implementation,” by Gorkem Yigit, June 2020, p. 11.

^[2] F5, “2020 Application Protection Report, Volume 1: APIs, Architecture, and Making Sense of the Moment,” by Sander Vinberg et al., July 30, 2020.

^[3] FG Future Forum, “Multi-access Edge Computing Exposure and Experience Management Abstract.”

^[4] GSMA, “The Mobile Economy 2020,” p. 3

^[5] F5, “Top Attacks Against Service Providers 2017-2019,” Feb. 6, 2020.

^[6] FG Americas,  “The Evolution of Security in 5G,” Oct. 2018, pp. 25-28. 

^[7] F5, “Mitigate DDoS Attacks up to 300x greater in Magnitude in Cloud Environments: Introducing BIG-IP VE for SmartNICs,” by Tom Atkins, June 24, 2020.