5G network security requirements analysis

Globally, a new round of technological revolution and industrial transformation is emerging. Cross-industry and cross-domain convergence and innovation keep deepening and will produce large numbers of new applications, business forms and business models, which in turn place higher demands on mobile communication technology. Fifth-generation mobile communication (5G), as the direction of the next generation of mobile communication technology, will build on an improved service experience for mobile Internet users to further meet the massive demands of future Internet of Things (IoT) applications, integrate deeply with industries such as manufacturing, healthcare and transportation, and realize a true "Internet of Everything".
The new development trends of 5G networks, in particular new services, new architectures and new technologies, pose new challenges for security and user privacy protection. Beyond basic communication security, 5G security mechanisms must provide differentiated security services for different service scenarios, adapt to multiple network access methods and new network architectures, protect user privacy, and support open security capabilities. Starting from the 5G requirements and vision, and based on the research progress on 5G network architecture and technology, this article analyses the security problems and security requirements that 5G networks face, and offers some suggestions for the subsequent research and standardization of the 5G security architecture.
I. 5G network scenarios and technical challenges
Compared with previous mobile communication systems, 5G must serve far more diverse scenarios and meet extreme performance targets. Its services fall into two broad categories, mobile Internet and Internet of Things, which map onto three main 5G technical scenarios: enhanced mobile broadband (eMBB), massive machine-type communication (mMTC) and ultra-reliable low-latency communication (URLLC):
• eMBB. Under continuous wide-area coverage, users should obtain an experienced data rate above 100 Mbps anytime and anywhere, whether stationary or moving at high speed, at the cell centre or at the cell edge, while mobility and service continuity are guaranteed. Under hotspot coverage, users should get extremely high data rates to satisfy very high traffic density. The main technical challenges are a 1 Gbps user-experienced rate, peak rates of tens of Gbps and a traffic density of tens of Tbps/km².
• mMTC. This scenario targets applications built on sensing and data collection, such as environmental monitoring and smart agriculture. It is characterized by small packets, low power consumption and massive numbers of connections; it requires a connection density of one million per square kilometre together with ultra-low power consumption and ultra-low cost terminals.
• URLLC. This scenario serves the special requirements of IoT and vertical industries such as vehicular networking and industrial control, providing users with millisecond-level end-to-end latency and/or close to 100% service reliability.
In summary, the main technical challenges of 5G are: a user-experienced rate of 0.1 to 1 Gbps, peak rates of tens of Gbps, a traffic density of tens of Tbps per square kilometre, a connection density of one million per square kilometre, millisecond-level end-to-end latency, and more than a hundredfold improvement in energy efficiency and reduction in cost per bit.
II. New 5G scenarios bring new security threats
Compared with the traditional mobile Internet scenario, the main difference of the 5G eMBB scenario is that it offers users high data rates and high-density capacity, so large numbers of small cells (small cells, femtocells) will appear. The deployment methods, deployment conditions and functions of these small cells are flexible and varied. Traditional 4G security mechanisms did not consider the security threats of such dense networking, so, in addition to the threats that already exist in the traditional mobile Internet, this dense deployment may introduce security threats from small-cell access.
For the massive IoT scenario, the number of connected devices is expected to reach 50 billion by 2020. Terminals include IoT terminals, RFID tags, short-range wireless communication terminals, mobile communication terminals, cameras and sensor-network gateways. Because most IoT terminals are resource-constrained, have dynamically changing topologies, operate in complex network environments, are data-centric and are tightly coupled to their applications, they are more exposed to threats and attacks than traditional wireless networks.
With such a huge number of devices, security mechanisms must be introduced into machine-type communication to ensure that information is accurate and valid. But if every message from every device had to be authenticated individually, verifying the security signaling on the network side would consume a large amount of resources. The traditional 4G authentication mechanism did not consider such massive authentication signaling: once the signaling requests that the network receives from terminals exceed the processing capacity of its signaling resources, a signaling storm is triggered and network services fail. Beyond that, the entire mobile communication system may malfunction and collapse.
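The following is an added example, not code from the article, showing two defensive ideas that follow from the signaling-storm discussion above: authenticate a device once and then protect its later messages with a cheap MAC under a derived session key instead of running a full authentication exchange per message, and put an admission limit in front of the full authentication function so that a burst above capacity is deferred rather than exhausting signaling resources. The device names, the capacity figure and the challenge-response scheme are constructed for illustration; they are a simplified stand-in for, not a reproduction of, 3GPP AKA procedures.

```python
"""Bounding network-side authentication signaling in a massive-IoT burst.
Added example; all names and figures are constructed, not 3GPP procedures."""
import hashlib
import hmac
import os

# Constructed: one long-term pre-shared key per device (in a real network it
# lives in the USIM and in the operator's credential store).
DEVICE_KEYS = {f"dev{i:04d}": os.urandom(32) for i in range(5000)}


def derive_session_key(long_term_key: bytes, nonce: bytes) -> bytes:
    """HMAC-based derivation of a per-session key (constructed KDF)."""
    return hmac.new(long_term_key, b"session|" + nonce, hashlib.sha256).digest()


class AuthServer:
    """Network side: one full authentication per device, then MAC checks."""

    def __init__(self, capacity_per_tick: int):
        self.capacity = capacity_per_tick  # full authentications per tick
        self.used = 0                      # full authentications this tick
        self.challenges = {}               # device id -> outstanding nonce
        self.sessions = {}                 # device id -> session key
        self.full_auths = 0
        self.mac_checks = 0

    def new_tick(self) -> None:
        self.used = 0

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self.challenges[device_id] = nonce
        return nonce

    def authenticate(self, device_id: str, response: bytes) -> str:
        """Returns 'ok', 'rejected', or 'deferred' when over capacity."""
        if self.used >= self.capacity:
            return "deferred"              # shed load instead of collapsing
        self.used += 1
        self.full_auths += 1
        key = DEVICE_KEYS.get(device_id)
        nonce = self.challenges.pop(device_id, None)
        if key is None or nonce is None:
            return "rejected"
        expected = hmac.new(key, b"auth|" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "rejected"
        self.sessions[device_id] = derive_session_key(key, nonce)
        return "ok"

    def verify_message(self, device_id: str, payload: bytes, tag: bytes) -> bool:
        """Cheap per-message check: HMAC under the established session key."""
        self.mac_checks += 1
        skey = self.sessions.get(device_id)
        if skey is None:
            return False
        expected = hmac.new(skey, payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


# Device side (constructed): answer the challenge, then tag each reading.
def device_response(device_id: str, nonce: bytes) -> bytes:
    return hmac.new(DEVICE_KEYS[device_id], b"auth|" + nonce, hashlib.sha256).digest()


def device_tag(device_id: str, nonce: bytes, payload: bytes) -> bytes:
    skey = derive_session_key(DEVICE_KEYS[device_id], nonce)
    return hmac.new(skey, payload, hashlib.sha256).digest()


def simulate_burst(num_devices: int, capacity: int, msgs_per_device: int) -> dict:
    """All devices attach at once (e.g. after a power outage), then each sends
    msgs_per_device readings.  Returns signaling statistics."""
    server = AuthServer(capacity)
    nonces = {}
    pending = [f"dev{i:04d}" for i in range(num_devices)]
    ticks = deferred = 0
    while pending:
        server.new_tick()
        ticks += 1
        retry = []
        for dev in pending:
            if dev not in nonces:
                nonces[dev] = server.challenge(dev)
            if server.authenticate(dev, device_response(dev, nonces[dev])) == "deferred":
                deferred += 1
                retry.append(dev)
        pending = retry
    verified = 0
    for dev in nonces:
        for m in range(msgs_per_device):
            payload = f"{dev}:reading:{m}".encode()
            if server.verify_message(dev, payload, device_tag(dev, nonces[dev], payload)):
                verified += 1
    return {"ticks": ticks, "deferred": deferred, "full_auths": server.full_auths,
            "mac_checks": server.mac_checks, "verified": verified}
```

With 3000 devices and a capacity of 1000 full authentications per tick, the burst drains in three ticks with every device eventually authenticated, and the 15000 subsequent readings cost only MAC verifications. Without the admission limit the same burst would be the signaling-storm case the text describes.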
In the ultra-reliable low-latency scenario, and especially for latency-sensitive applications such as vehicular networking and remote real-time medical care, there is a need for both low latency and high security. To avoid accidents such as vehicle collisions or surgical mis-operations, the 5G network must guarantee high reliability while providing latency QoS as low as 1 ms.
Traditional security protocols, such as authentication and encryption/decryption procedures, were not designed with ultra-reliable low-latency communication in mind. The delay introduced by complex traditional security protocols and algorithms may therefore fail to meet ultra-low-latency requirements. At the same time, the ultra-dense deployment used in 5G gives each access node a very small coverage area, so when terminals such as vehicles move quickly, the network's mobility management procedures become very frequent; to meet the low-latency target, the functional units and procedures involved in mobility management of the security context need to be optimized.
III. New requirements for security
The new 5G network architecture must be more flexible, more intelligent and higher-performing. It must automatically adapt to the differentiated service requirements of massive numbers of services and schedule network resources comprehensively, including access, computing, storage and network connectivity, based on a view of the whole network. Specifically: the 5G network implements a flatter user plane through separation of control and forwarding; the global control function of the new architecture enables coordinated control of multiple access technologies; and, borrowing ideas from IT virtualization, network element forms and network connection methods are rebuilt, with virtualization technologies such as NFV introduced into the 5G infrastructure to realize network slicing and on-demand deployment of network elements, increasing the flexibility and scalability of the whole network.
1. NFV security requirements
The 5G network infrastructure platform will increasingly be built from data centres based on general-purpose hardware, supporting the high forwarding performance and carrier-grade management requirements of 5G networks. NFV maps the underlying physical resources to virtualized resources, constructs virtual machines (VMs) and loads virtual network functions (VNFs) onto them; the virtualization system provides unified management of the virtualized infrastructure platform and dynamic reconfiguration of resources. NFV has the potential to strengthen network security: security policies can be orchestrated, and the advantages of virtualization can be used to isolate workloads. At the same time, NFV introduces new security risks. Compared with traditional telecom equipment, the separation of software from hardware and the openness of the virtualized network bring new potential security problems:
• A new high-risk area is introduced: the virtualization management layer. This layer is the core of NFV; if it is compromised, every virtual machine running on it is directly exposed to attack, with severe consequences.
• Elastic, virtual networks blur the security perimeter. Security policies are hard to migrate dynamically and in real time as the network changes, and a virtual machine can be attacked by other virtual machines on the same host. Protection mechanisms based on physical security perimeters are difficult to apply effectively in a cloud computing environment.
• Users lose full control over their resources, and multiple tenants share computing resources, which brings risks of data leakage and attack and raises the bar for data protection. Moreover, the concentration of users, applications and data makes the platform an attractive target for attackers, and once it is attacked the impact is wide and the damage severe.
Therefore, with the introduction of virtualization technologies such as NFV, 5G security needs to provide diversified system-level protection for network equipment against all kinds of illegitimate attacks and intrusions. The 5G network environment will contain hardware and software infrastructure from multiple vendors, so network identities must be managed effectively to prevent illegitimate users from accessing network resources. 5G security will also provide transport protection, including confidentiality and integrity for data in transit, to counter malicious eavesdropping on and forwarding of that data.
2. Network slicing security requirements
Network slicing is a key feature of 5G networks. A network slice forms an end-to-end logical network that flexibly provides one or more network services according to the requirements of the party requesting the slice. The important security issue of network slicing is isolation: the network must provide isolation mechanisms between different slice instances, so that resources within one slice cannot be illegitimately accessed by network nodes in other types of slice. For example, a patient in a medical slice only wants to be accessed by doctors connected to that slice, not by users of other slices. Isolation is also needed between slices of the same service type: different enterprises using slices of the same service type do not want their own service resources accessed by the slice nodes of another enterprise.
Services, resources and data must be isolated and protected within a network slice to a degree that feels to users like a traditional private network. Only then will users be willing to move application data that used to live in a private network into the cloud, enjoying access to private resources anytime and anywhere without worrying about their security, which in turn enables the healthy and rapid development of vertical services.
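The following is an added example, not code from the article, showing a default-deny slice-isolation policy that enforces the two requirements discussed above: a resource inside one slice instance is unreachable from a node in a different slice type (the medical example), and two tenants on slices of the same service type are isolated from each other unless the owner explicitly shares a resource. It also keeps an audit trail of denied cross-slice attempts, which is the signal a slice operator would feed into detection. Slice types, tenants, resources and node names are constructed for illustration; a real 5G core and transport network would enforce this at several layers, not in one policy object.

```python
"""Slice-isolation access policy with an audit trail (added example; all
slice, tenant and resource names are constructed)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SliceInstance:
    slice_type: str   # e.g. "medical", "enterprise-iot"
    instance_id: str  # a specific slice deployed for one tenant


@dataclass
class Resource:
    name: str
    owner: SliceInstance
    # Explicit exceptions: other slice instances allowed to reach this resource.
    shared_with: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Node:
    name: str
    slice: SliceInstance


class SliceIsolationPolicy:
    """Default-deny: a node reaches a resource only inside its own slice
    instance, or when the resource owner has explicitly shared it."""

    def __init__(self):
        self.audit = []  # (node, resource, decision) for detection and review

    def allows(self, node: Node, resource: Resource) -> bool:
        allowed = node.slice == resource.owner or node.slice in resource.shared_with
        self.audit.append((node.name, resource.name, "ALLOW" if allowed else "DENY"))
        return allowed

    def cross_slice_denials(self) -> list:
        """Denied attempts are the events worth alerting on."""
        return [entry for entry in self.audit if entry[2] == "DENY"]


def run_scenario() -> dict:
    """Constructed scenario: one medical slice and two enterprise slices of the
    same service type.  Returns each access decision keyed by a short label."""
    hospital = SliceInstance("medical", "hospital-A")
    corp1 = SliceInstance("enterprise-iot", "corp-1")
    corp2 = SliceInstance("enterprise-iot", "corp-2")

    patient_record = Resource("patient-record-42", owner=hospital)
    corp1_plc = Resource("corp1-plc-gateway", owner=corp1)
    shared_feed = Resource("corp1-public-telemetry", owner=corp1,
                           shared_with=frozenset({corp2}))

    doctor = Node("doctor-ue", hospital)
    corp1_node = Node("corp1-sensor", corp1)
    corp2_node = Node("corp2-sensor", corp2)

    policy = SliceIsolationPolicy()
    return {
        "doctor_reads_patient": policy.allows(doctor, patient_record),
        "corp1_reads_patient": policy.allows(corp1_node, patient_record),   # other slice type
        "corp2_reads_corp1_plc": policy.allows(corp2_node, corp1_plc),      # same type, other tenant
        "corp2_reads_shared_feed": policy.allows(corp2_node, shared_feed),  # explicit exception
        "denials": policy.cross_slice_denials(),
    }
```

The point of the explicit `shared_with` set is that any cross-tenant reachability is an enumerated decision by the resource owner rather than a side effect of two slices happening to share a service type.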
3. Security requirements for multi-RAT access
Heterogeneous access networks will be one of the main technical features of next-generation access networks, and the 5G network will be one in which multiple radio access technologies coexist and converge. Heterogeneity shows not only in the access technology, such as Wi-Fi versus cellular, but also in differences in local network architecture that arise because access networks belong to different owners. The 5G network therefore needs a universal authentication mechanism that can establish a secure operator network on top of different access technologies and untrusted access networks.
In addition, for secure interoperation between heterogeneous networks, a terminal may hand over from one to another, and the security of that handover must be guaranteed: for example, transfer of the security context, key update, and isolation of security contexts between the heterogeneous networks.
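The following is an added example, not code from the article, illustrating the three handover requirements just listed with a one-way key chain: the security context handed to the target network carries a freshly derived access key rather than the root key (context transfer), each key is bound to the access network's identity and a handover counter so a Wi-Fi key is never valid on the cellular side and a return to the original cell yields a new key (key update), and the derivation is one-way so compromise of the key in one network does not reveal the key used before the handover (context isolation). The KDF labels, network identifiers and counter handling are constructed for illustration and are a simplified stand-in for the 3GPP key hierarchy, not a reproduction of it.

```python
"""One-way key chain for handover between heterogeneous access networks
(added example; labels, network ids and counter scheme are constructed)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def kdf(key: bytes, label: str, *parts: bytes) -> bytes:
    """One-way derivation: HMAC-SHA256 over a label and context fields."""
    msg = label.encode() + b"".join(b"|" + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class SecurityContext:
    """What is transferred to the target network on handover."""
    access_key: bytes   # key bound to the current access network
    network_id: str     # e.g. "LTE-cell-17" or "wifi-ap-3"
    counter: int        # handover counter; prevents re-deriving an old key


class Terminal:
    """Holds the root key; the root key never leaves the terminal/core."""

    def __init__(self, root_key: bytes):
        self._root = root_key

    def initial_context(self, network_id: str) -> SecurityContext:
        key = kdf(self._root, "access", network_id.encode(), (0).to_bytes(4, "big"))
        return SecurityContext(key, network_id, 0)


def handover(ctx: SecurityContext, target_network_id: str) -> SecurityContext:
    """Derive the target network's key from the current one (forward-only).
    The target learns only the new key; it cannot recover ctx.access_key."""
    new_counter = ctx.counter + 1
    new_key = kdf(ctx.access_key, "handover", target_network_id.encode(),
                  new_counter.to_bytes(4, "big"))
    return SecurityContext(new_key, target_network_id, new_counter)


def protect(ctx: SecurityContext, payload: bytes) -> bytes:
    """Integrity tag under the access key, bound to the network id."""
    return hmac.new(ctx.access_key, ctx.network_id.encode() + b"|" + payload,
                    hashlib.sha256).digest()


def verify(ctx: SecurityContext, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(protect(ctx, payload), tag)


def demo() -> dict:
    """Constructed run: cellular -> Wi-Fi -> back to the same cell."""
    ue = Terminal(os.urandom(32))
    cell = ue.initial_context("LTE-cell-17")
    wifi = handover(cell, "wifi-ap-3")
    back = handover(wifi, "LTE-cell-17")
    msg = b"telemetry"
    return {
        "keys_differ": len({cell.access_key, wifi.access_key, back.access_key}) == 3,
        "wifi_tag_rejected_by_cell": not verify(cell, msg, protect(wifi, msg)),
        "counter_advances": (cell.counter, wifi.counter, back.counter) == (0, 1, 2),
        # Returning to the same cell yields a new key, not the original one.
        "same_cell_new_key": back.access_key != cell.access_key,
    }
```

Because `handover` only ever runs the KDF forward from the current access key, a target network that later loses its key exposes nothing about the key the source network was using, which is the isolation property the text asks for between heterogeneous networks.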
IV. Summary
Future 5G security will provide comprehensive protection across more diverse scenarios, multiple access methods and new network architectures. Beyond basic communication security, the 5G security mechanism will provide differentiated security services for different service scenarios, adapt to multiple network access methods and new network architectures, protect user privacy, and support open security capabilities. 5G standardization has now fully started, and 3GPP SA2 will complete its study of the 5G network architecture by the end of 2016. It is therefore urgent to clarify 5G network security requirements as early as possible and to take them fully into account in the overall architecture design and subsequent standardization of the 5G network, so that the goal of building a more secure and trustworthy new 5G network can ultimately be achieved.