5g and iot - radware

5G and IoT

Real-World Rollouts Launch New Opportunities and Security Threats

WHAT SERVICE PROVIDERS NEED TO KNOW NOW


Post on 04-May-2022


Contents

01 5G — The Time Is Now
02 The 5G Distributed Architecture
03 5G Security Considerations for Security Providers
04 The IoT Security Opportunity
05 Radware Addresses 5G Security Threats


01 5G — THE TIME IS NOW

After years of buildup about the promise of blazing fast data speed on mobile networks enabled by new 5G technology, it’s here.

2020 marks the beginning of commercial rollouts by service providers. How will the demand for higher data connection speeds, lower latency services and the emergence of the internet of things (IoT) industry affect adoption rates? It depends on whom you ask.


Full Speed Ahead

Hans Vestberg, Verizon’s CEO, predicts that half of the United States will have access to a 5G network in 2020, and half of Americans will own 5G phones by 2024.

Gaining Traction

Based on strong support from hardware vendors and component manufacturers, Ericsson forecasts 1.9 billion 5G subscribers by 2024 — 400 million more than its previous estimate in 2018.

Glass Half Empty

Moody’s Investors Service feels that a lack of demand and a murky business case will slow adoption and rollout of 5G in Asia-Pacific markets.


Whatever the calculation, one thing is for sure: 5G technology forever changes expectations for the mobile network experience. All traffic is in the cloud, and computing elements and services are closer to the edge of the network, which improves performance and makes it easier for service providers to scale services.

Under ideal conditions, consumers should be able to download a season of their favorite binge-worthy Netflix series in just a few seconds.

HACKERS CAN’T WAIT

The bad guys are looking forward to 5G as well, but for very different reasons. The distributed architecture vastly expands the number of access points from which hackers can launch attacks, either as solo actors or by teaming with an army of others to search for and exploit network vulnerabilities.

ROADBLOCKS TO 5G DEPLOYMENT

Consumers are aware of the buzz about 5G and eager to experience it for themselves. According to a survey by Piper Jaffray, demand for Apple’s iPhone 11 is lower because people are waiting for 5G models that are rumored for release in 2020. Here are a few factors that can slow implementation of 5G networks:

• Investment timing — Service providers need to balance when and where to roll out 5G networks to maximize returns

• Range limitations — 5G cell towers are limited in transmission range and require deployment of numerous small cells to transfer data

• Government regulations — Many cities are lagging behind in approving deployment of 5G hardware

• Spectrum considerations — International regulators need to sort out reallocation of spectrum for 5G communications

WHERE IN THE WORLD IS 5G?

Even with deployment challenges, it likely will only take two years until 100 service providers have launched live 5G networks, a significantly faster adoption rate than previous network technology generations.

[Figure: chart of months (axis 0 to 60) by network generation: 2G, 3G, 4G, 5G. Source: TeleGeography]


COUNTRIES WITH 5G NETWORKS – TRIALS, (ACTIVE OR EXPECTED) IN 2020

Australia, Austria, Bahrain, Brazil, Cambodia, Canada, Chile, China, Colombia, Denmark, Estonia, Faroe Islands, Finland, France, Germany, Guam (U.S. territory), India, Indonesia, Iran, Ireland, Italy, Japan, Kuwait, Malaysia, Mexico, Monaco, Morocco, New Zealand, Nigeria, Norway, Philippines, Poland, Portugal, Puerto Rico, Qatar, Romania, Russia, Saudi Arabia, Singapore, South Korea, Spain, Sri Lanka, Sweden, Switzerland, The Netherlands, Turkey, United Arab Emirates, United Kingdom, United States, Vietnam

Source: Lifewire

RADWARE INSIGHTS

THE NECESSARY BURDEN OF 5G SECURITY

Protecting profit margins starts with a robust 5G security plan.


02 THE 5G DISTRIBUTED ARCHITECTURE

The race to 5G deployment has begun. In addition to enabling new revenue-generating opportunities, the distributed nature of 5G networks enables service providers to be more flexible in response to market conditions.

All network elements and operations move to the cloud. There is no longer a need for dedicated fronthaul or backhaul, a transport layer or central office connectivity.

Service providers can expect:

• 100x faster transmission speeds, which improve network performance

• Lower latency, which improves device connections and application delivery

• 1,000x greater data capacity, which better supports more simultaneous device connections

• Better user experience through value-added services enabled by network slicing

Software-defined networking (SDN) and network function virtualization (NFV) flatten the radio access network (RAN) as well as the evolved packet core (EPC) and reduce power requirements for data transmission.

Services can be flexibly allocated anywhere on 5G networks, including network nodes, end-user devices or external hosts. This means that services are not necessarily confined to service providers’ networks and can originate from outside the network domain.


THE 5G NETWORK INFRASTRUCTURE

The benefit of a distributed 5G network is that services can be placed on virtualized network functions on resources that are physically close to users and IoT devices for faster, more efficient delivery.


Critical Interfaces

• User plane traffic: N3/N6/N9 (Edge/Core/Peering)

• Control plane (APIs and signaling traffic): N1 (Far Edge, eNodeB), N32 (5G signaling, SEPP)

[Figure: 5G network infrastructure. Labels: User Equipment, Far Edge, 5G Edge, 5G Core, AMF, UPF, MEC, Local breakout, Distributed DC, Central/Regional DC, Data networks/SP services, Internet/Telco cloud; interfaces N1, N3, N6, N6/N9 and N32; user plane and control plane; location counts of 1,000+, 1…10 and 1…10.]


RADWARE INSIGHTS

5G: YOU CAN HAVE YOUR SLICE AND SECURITY TOO!

How does network slicing change security protocols?

RADWARE INSIGHTS

NETWORK SLICING: NOT AS DICEY AS YOU MIGHT THINK!

How can network slicing enable new value-added services?


NETWORK SLICING ISOLATES SERVICES

5G enables service providers to “slice” portions of spectrum to offer specialized services for specific types of devices. Different slices can be associated with security, data-flow isolation, quality of service, reliability and other important factors. The technique of network slicing enables the definition of multiple logical network slices on top of the same physical infrastructure.

Resources can be dedicated exclusively to a single slice or shared between different slices. A network slice may also support one or many services. For example, a service provider may increase bandwidth to stream a live concert.

Slicing can also be used to create a virtual operator network for several purposes, including a complete private network, a copy of a public network to test a new service or a dedicated network for a specific service.

Because most network functions will operate in NFV environments, NFV security considerations greatly impact 5G mobile network security architectures. Security measures that separate different network slices running on the same infrastructure are necessary to secure data and prevent virtual machines in one slice from communicating with other slices. When network functions are no longer assigned to specific hardware elements, dynamic software allocation plays a big role in security protocols.


03 5G SECURITY CONSIDERATIONS FOR SECURITY PROVIDERS

Because of its distributed nature, the deployment of 5G networking infrastructures is dramatically different than previous generations of mobile networks.

Service providers face new challenges in the move from a component-based topology to a service-based network.

MAIN CHALLENGES


SERVICE-BASED ARCHITECTURE

Prior to 5G, mobile radio access and the core networks consisted of isolatable network elements with specific tasks. In 4G networks, a virtual evolved packet core (EPC) in the core of the network emerged. 5G takes it a step further by transforming all network components into virtual, microservice elements that are software-based, disaggregated and deployed in various locations.

SOFTWARE-DEFINED NETWORK

The software-based, microservices architecture enables network slicing, the ability to isolate different services — each with its own parameters, setup and security policies — on one hardware element. The 5G network must be designed to support multiple security policies, segregated by slice on individual network components.

The more slices, the more microservices and interface points in the network that are in turn exposed to the internet. For example, in a medium-sized network, there can be 10,000 to 55,000 protected objects such as application programming interfaces (APIs).


AUTOMATED ONBOARDING

Traditional security methods with predefined rules, thresholds and manual setup and provisioning will not work in a 5G environment. Service providers need to automate operations and have a scalable infrastructure to manage policies, which will require development and operations (DevOps) capabilities. All security tools need to be automated for onboarding and deployment.

NEW TRAFFIC PATTERNS

Traffic on traditional mobile networks runs north/south with aggregation points and hierarchy from the RAN to the outbound core interfaces. 5G networks introduce new traffic patterns that run east/west toward applications. Thus, there is a need to inspect egress traffic. The number of inspection points increases dramatically not only from peering points but also from traffic at edge computing points and from other parts of the network.

Additionally, end-to-end traffic encryption is delivered through IPsec tunnels toward the core. The cost is high if service providers need to inspect the payloads inside.


5G INTRODUCES SIX NEW SECURITY THREATS

The 5G architecture expands the threat surface for attacks because the network architecture is distributed and open to the internet. Service providers must consider six unique security threats when planning protection strategies for 5G networks.

1 LOCAL BREAKOUT
Multiple edge points and types significantly increase exposure to attacks.

2 NEW TRAFFIC PATTERNS
Mesh, east/west and internal traffic flows can carry attacks from one part of the network to another.

3 NETWORK SLICING
Each slice has its own threat risk that requires per-slice policies and a coherent defense strategy across all slices.

4 PUBLIC CLOUD EDGE
The shift in some areas of workload to the public cloud introduces new security concerns to service provider networks.

5 BOTNET PLAYGROUND
IoT devices typically have low security measures embedded at endpoints, making them ideal launch points for coordinated malware attacks within and outside networks.

6 HTTP/2-BASED SIGNALING
HTTP/2 protocol with JSON replaces Diameter and exposes APIs to a wider base of attackers.


FAMILY TIES: FOUR GENERATIONS OF BOTS

Over time, bots have become more sophisticated. Each generation adds capabilities in an effort to thwart security solutions by mimicking human behavior.

First Generation: Script Bots — First-generation bots were built with basic scripting tools and make cURL-like requests to websites using a small number of IP addresses (often just one or two). They do not have the ability to store cookies or execute JavaScript, so they do not possess the capabilities of a real web browser.

Second Generation: Headless Browsers — Second-generation bots operate through website development and testing tools known as “headless” browsers as well as later versions of Chrome and Firefox, which allow for operation in headless mode. Unlike first-generation bots, they can maintain cookies and execute JavaScript. Botmasters began using headless browsers in response to the growing use of JavaScript challenges in websites and applications.

Third Generation: Humanlike Bots — Third-generation bots use full-fledged browsers — dedicated or hijacked by malware — for their operation. They can simulate basic humanlike interactions such as simple mouse movements and keystrokes. However, they may fail to demonstrate humanlike randomness in their behavior.

Fourth Generation: Distributed Bots — The latest generation of bots have advanced humanlike interaction characteristics, including moving the mouse pointer in a random, humanlike pattern instead of in straight lines. These bots also can change their user agents (UAs) while rotating through thousands of IP addresses.

There is growing evidence that points to bot developers carrying out “behavior hijacking” — recording the way in which real users touch and swipe on hijacked mobile apps to more closely mimic human behavior on a website or app. Behavior hijacking makes them much harder to detect, as their activities cannot easily be differentiated from those of real users.
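The four generations above map onto a triage order a defender can apply to per-client telemetry. The sketch below is an added example, not code from the brochure or from Radware; the `ClientActivity` schema, the two thresholds and all sample records are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass, field

# Assumed thresholds for this illustration; tune them against real traffic.
STRAIGHT_MIN = 0.98       # chord/path ratio at or above this counts as a straight line
ROTATION_MIN_IPS = 1000   # stand-in for "thousands of IP addresses"


@dataclass
class ClientActivity:
    """Telemetry aggregated per client key (hypothetical schema)."""
    client: str
    ips: set
    user_agents: set
    returns_cookies: bool
    executes_js: bool
    pointer_path: list = field(default_factory=list)  # [(x, y), ...]


def straightness(path):
    """Straight-line distance divided by distance travelled (1.0 = ruler-straight)."""
    if len(path) < 3:
        return 1.0
    travelled = sum(math.dist(a, b) for a, b in zip(path, path[1:]))
    return math.dist(path[0], path[-1]) / travelled if travelled else 1.0


def classify(c):
    """Walk the generations in order of capability; the first match wins."""
    # Gen 1: cannot store cookies or run JavaScript, so it is not a real browser.
    if not (c.returns_cookies and c.executes_js):
        return "gen1-script"
    # Gen 2: a browser engine answers challenges, but there is no interaction at all.
    if not c.pointer_path:
        return "gen2-headless"
    # Gen 3: interaction is simulated but lacks humanlike randomness.
    if straightness(c.pointer_path) >= STRAIGHT_MIN:
        return "gen3-humanlike"
    # Gen 4: movement looks human, so the signal left is UA and IP rotation.
    if len(c.ips) >= ROTATION_MIN_IPS and len(c.user_agents) > 1:
        return "gen4-distributed"
    # Real users land here, and so does a bot replaying hijacked human
    # behavior from a single address: per-client signals cannot separate them.
    return "no-bot-signal"


def triage(records):
    return {r.client: classify(r) for r in records}


# Constructed sample records (not real traffic).
CURVED = [(0, 0), (10, 18), (32, 21), (38, 44), (60, 40)]
STRAIGHT = [(0, 0), (20, 10), (40, 20), (60, 30)]
SAMPLES = [
    ClientActivity("c1", {"192.0.2.4", "192.0.2.5"}, {"curl/8.0"}, False, False),
    ClientActivity("c2", {"198.51.100.7"}, {"HeadlessChrome (constructed)"}, True, True),
    ClientActivity("c3", {"203.0.113.9"}, {"Mozilla/5.0 (constructed)"}, True, True, STRAIGHT),
    ClientActivity("c4", {f"10.{i // 256}.{i % 256}.7" for i in range(2000)},
                   {"UA-A", "UA-B", "UA-C"}, True, True, CURVED),
    ClientActivity("c5", {"203.0.113.50"}, {"Mozilla/5.0 (constructed)"}, True, True, CURVED),
]

if __name__ == "__main__":
    for client, label in triage(SAMPLES).items():
        print(client, label)
```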

RADWARE INSIGHTS

IOT EXPANDS THE BOTNET UNIVERSE

Every IoT device added to the network grows the hacker’s tool set.


5G NETWORK INFRASTRUCTURE PROTECTION POINTS

This network diagram represents a single slice deployment. It is helpful to visualize how security risks are mapped to links or segments of the 5G network, including user plane and control plane traffic.

Now picture multiple slices in a service provider’s 5G network. Every N1 link in every slice needs attention, which quickly adds a high level of complexity to security planning.


3GPP STANDARDS FOR 5G

The Third Generation Partnership Project (3GPP) unites seven telecom standards organizations to partner on defining technical specifications for radio access networks (RANs), services & systems aspects (SAs) and core network & terminals (CTs).

In April 2019, the group delivered Release 15 of specifications, the first full set of 5G standards. The scope of the release “covers ‘stand-alone’ 5G, with a new radio system complemented by a next-generation core network.”

Source: 3GPP website

To protect against 5G security threats, service providers must implement solutions to secure these protection points in the network infrastructure:

A Threats from actors targeting 5G network infrastructure elements from the internet

B Threats from connected devices

C Attacks on carrier workload in the public cloud or through the public cloud

[Figure: the 5G network infrastructure diagram with protection points A, B and C marked. Labels: User Equipment, Far Edge, 5G Edge, 5G Core, AMF, UPF, MEC, Local breakout, Distributed DC, Central/Regional DC, Data networks/SP services, Internet/Telco cloud; interfaces N1, N3, N6, N6/N9 and N32; user plane and control plane.]


04 THE IOT SECURITY OPPORTUNITY

The 5G infrastructure is ideal for the deployment of IoT devices because it can handle massive amounts of data with very low latency from mobile connections.


The current wireless networks simply do not have the capacity to support this type of device traffic.

Devices that monitor activity via video surveillance or with sensors are poised for growth in a number of industries, including medical, industrial, office productivity and home applications. Soon billions of machines around the globe will require always-on connections to the internet to gather and feed data for analysis to drive decisions, whether in real time for self-driving cars or predictive maintenance for manufacturing machines.

By 2025, International Data Corporation (IDC) estimates that there will be 41.6 billion connected IoT devices generating 79.4 zettabytes (ZB) of data.

IOT PROTECTION REVENUE MODELS

Can service providers generate incremental revenue by offering IoT security protection services? According to Jim Hodges, chief analyst — cloud and security for Heavy Reading, the better question may be “can service providers afford to not secure the new traffic flows from connected devices that will hit their networks?”

Hodges modeled possible scenarios for service providers to offer IoT device security as a service to enterprises. His conclusion was that monetization of NB-IoT will be driven by scale. The minimum number of IoT connected devices that would need to be protected to generate a profit is 2 million, a small fraction of the number of IoT devices on ATT/Vz today, as over 1.5 million devices were added per quarter back in 2015. Automated security protocols that lower operating costs to secure connected devices are key. There is no one correct pricing model.

Possibly more important is the need for service providers to protect their networks from the influx of botnets that will try to use connected devices to attack. Protection against network outages/degradation and revenue loss can be just as significant to service providers as generating new revenue streams.

MEET JIM HODGES

Chief Analyst — Cloud and Security, Heavy Reading

5G, Security, IoT and ROI: Some Assembly and Automation Required

What are the financial and return on investment (ROI) fundamentals of IoT security services for service providers? Check out the modeling tool for a number of IoT-based scenarios and prospects for revenue generation.


WHAT ABOUT NARROWBAND-IOT?

According to GSMA, an organization representing the interests of mobile operators, “NarrowBand-Internet of Things (NB-IoT) is a standards-based low power wide area (LPWA) technology developed to enable a wide range of new IoT devices and services. NB-IoT significantly improves the power consumption of user devices, system capacity and spectrum efficiency, especially in deep coverage. Battery life of more than 10 years can be supported for a wide range of use cases.”

NB-IoT eliminates the power and maintenance cost issues for IoT devices in many industries and applications, propelling the growth of IoT business models.


RADWARE INSIGHTS

DON’T GET SCHOOLED IN “HACKADEMIA”

Universities increasingly rely on IoT devices to create smart campuses. Service providers may be the best line of defense.

FROM DAIRY FARM TO DATA CENTER

Can hackers milk connected cows for ransom?

Why securing agtech is so important.

SECURING THE CUSTOMER EXPERIENCE FOR 5G AND IOT

What is the impact of billions of IoT devices connected to 5G networks? Take a look at how new security challenges could affect the food supply chain.


05 RADWARE ADDRESSES 5G SECURITY THREATS

To support the architectural demands of 5G networks, service provider networks will no longer be dependent on dedicated appliances.

As a result, carriers can expect to expand capacity, reduce latency, lower costs and shrink power requirements.

As network functions are virtualized, services can expand beyond service providers’ networks to external network domains to be physically closer to connected devices for more efficient delivery.

These technical revolutions have significant impacts on cybersecurity for service providers. In a world driven by apps, how do service providers accommodate the new requirements?

• Service providers must scale protection strategies and architectures to defend against volumetric attacks while addressing new, complex attack surfaces, which require more sophisticated defenses.

• API and application protection become a key component in edge security. 5G networks rely heavily on HTTP/2 and APIs, thereby inadvertently exposing critical infrastructure to tech-savvy hackers. Malicious network traffic can evade network monitoring and attack detection solutions and erode computing resources.

• Automated software delivery is critical to enable service providers to address the complexity of a widely distributed architecture in a repetitive model. Network and security alignment will improve resource allocation while optimizing consumption-based delivery from edge computing systems.

• When cybersecurity is built into the networks, attacks can be addressed locally to avoid backhauling attacks and drive efficiency back into the core computing environments.

• A scalable infrastructure protection strategy also serves as a point of escalation for more sophisticated or persistent attacks seen in gateways, applications and APIs.


Travis Volk is the Technical Vice President of Global Business Development and Carrier Sales for Radware.

RADWARE INSIGHTS

NETWORK INFRASTRUCTURE PROTECTION FOR 5G

Radware’s Travis Volk, VP of Carrier, discusses the security impacts for service providers as they transition to 5G.


RADWARE SOLUTIONS FOR 5G NETWORKS

Radware offers solutions that secure all protection points of 5G networks. By protecting against known and emerging network and application threats in real time, Radware’s layered approach is designed to help service providers mitigate the unique 5G threats. Radware’s solutions provide maximum coverage, accurate detection and the shortest time to protection, all from a single vendor.

EDGE PROTECTION: N1 AND N32

Radware provides detection and mitigation solutions to protect against control plane threats at the edge and local breakout segments of 5G networks.

First, stateful attacks — application, encryption, and network layers — are inspected in a cloud-native environment. In this example, the cloud-native environment is a private cloud service provider that consists of all virtual components. There is potential for malicious attacks from machine-to-machine APIs.

Radware’s API protection module is implemented in Kubernetes where it can detect these attacks and serve as a next-generation web application firewall (WAF). Radware’s security orchestrator and policy controller, DefenseFlow, receives suspect traffic that is attacking APIs through DefenseMessaging. If warranted, DefensePro instructs the peering edge router to block the traffic.

DefensePro is also deployed to monitor Netflow telemetry from routers to find stateless attacks and instruct the routers to either block or allow the traffic. Monitoring is based on filters and the system’s automated, behavioral-based signature generation capabilities that utilize machine learning. All functions are automated and are fed by internal messaging between the various security elements and DefenseFlow’s policy rules.


[Figure: edge protection for N1/N32. Labels: Peer Edge, Local breakout/Edge/Public cloud, N1/N32, AMF/SEPP, Core services, DefensePro, DefenseFlow, DefenseMessaging, Policies (FS), Packet sampling, CNF: API protection (SSL inspection + L7 inspection + ACL); control plane attacks, both stateless and stateful, at the application, encryption and network layers; API attacks; L3–L4 volumetric attacks.]


EDGE PROTECTION: N3/N6/N9


DDoS attacks that originate from edge and local breakout are mitigated by a smaller form factor version of DefensePro (MicroDP), which can be hosted on the router in a microservice architecture. The solution employs a unique technique that allows for variations in sampling and control of traffic on the peering edge with sampling rates automatically adjusted as needed.

When an attack sign is detected, the sampling rate is increased via flowspec and NETCONF rules sent to the router to produce a more granular filter for attack detection. The automated sampling and control function reduces the need to detect attacks and make system adjustments manually.
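The control loop described above (coarse sampling by default, finer sampling once an attack sign appears, then a narrower filter) can be sketched as follows. This is an added example, not Radware's implementation: the sampling ratios, thresholds, action names and sample packets are assumptions, and the returned actions are plain tuples standing in for the flowspec and NETCONF rules a router would receive.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed values for this illustration.
BASE_N = 1000          # baseline: 1 packet in 1,000 is sampled
FINE_N = 10            # after an attack sign: 1 packet in 10
ATTACK_PPS = 50_000    # estimated packets/s to one destination that counts as a sign
DOMINANT_SHARE = 0.8   # share of samples one (proto, src_port) needs to become a filter


@dataclass(frozen=True)
class Sample:
    dst: str
    proto: str
    src_port: int


class SamplingController:
    def __init__(self):
        self.rate = {}  # dst -> elevated sampling N; absent means BASE_N

    def n_for(self, dst):
        return self.rate.get(dst, BASE_N)

    def observe(self, samples, interval_s=1.0):
        """Process one interval of sampled packets and return desired-state actions."""
        by_dst = {}
        for s in samples:
            by_dst.setdefault(s.dst, []).append(s)
        actions = []
        # Include elevated destinations that went silent so they are restored too.
        for dst in sorted(set(by_dst) | set(self.rate)):
            group = by_dst.get(dst, [])
            n = self.n_for(dst)
            est_pps = len(group) * n / interval_s  # scale samples back to real volume
            if est_pps < ATTACK_PPS:
                if dst in self.rate:
                    del self.rate[dst]
                    actions.append(("restore_sampling", dst, BASE_N))
                continue
            if n == BASE_N:
                # Too few samples to describe the attack yet: look closer first.
                self.rate[dst] = FINE_N
                actions.append(("raise_sampling", dst, FINE_N))
                continue
            # Fine-grained samples are available: find what dominates the flood.
            (proto, port), hits = Counter(
                (s.proto, s.src_port) for s in group).most_common(1)[0]
            if hits / len(group) >= DOMINANT_SHARE:
                actions.append(("filter", dst, proto, port))
        return actions


def run_demo():
    """Four constructed one-second intervals; returns the actions for each."""
    victim, quiet = "192.0.2.10", "192.0.2.20"
    ctrl = SamplingController()
    intervals = [
        # Baseline sampling: 60 samples x 1000 = ~60,000 pps toward the victim.
        [Sample(victim, "udp", 123)] * 40 + [Sample(victim, "tcp", 443)] * 20
        + [Sample(quiet, "tcp", 443)] * 5,
        # Fine sampling: same volume, now 6,000 samples, 90% of them UDP/123.
        [Sample(victim, "udp", 123)] * 5400 + [Sample(victim, "tcp", 443)] * 600,
        # Flood still running in the next interval.
        [Sample(victim, "udp", 123)] * 5400 + [Sample(victim, "tcp", 443)] * 600,
        # Flood over: no samples at all for the victim.
        [Sample(quiet, "tcp", 443)] * 5,
    ]
    return [ctrl.observe(batch) for batch in intervals], ctrl


if __name__ == "__main__":
    history, _ = run_demo()
    for i, acts in enumerate(history, 1):
        print(f"interval {i}: {acts}")
```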

[Figure: edge protection for N3/N6/N9. Labels: Peer Edge, Local breakout/Edge/Public cloud, N3/N6/N9, UPF, Core services, DefensePro, DefenseFlow, DefenseMessaging, Telemetry/packet sampling, Policies/sampling control, CNF: Detector (can be hosted on router), Keyless HTTPS detection, Enforcement by router, L3–L4 volumetric attacks.]


EDGE PROTECTION: MEC HOST


The mobile edge computing (MEC) hosting environment enables multiple virtual functions. There are two primary security concerns for this type of architecture.

First, local breakout is one of the MEC infrastructure’s crucial functionalities. It enables traffic offloading in the radio access network (RAN) to reduce end-to-end latency and save core network load. A micro-implementation of Radware’s DefensePro is used to detect attacks from local breakout. Then through DefenseMessaging, a signal is sent from DefensePro to the DefenseFlow cybercontroller to initiate a BGP redirect in the peering router. In this example, infected traffic is sent to the scrubbing center for cleansing before the route is restored to normal.

The second case is protection from rogue IoT devices, which is typically bad botnet traffic. DefensePro detects an anomaly in the network originating from an infected device, then sends a signal through DefenseMessaging to DefenseFlow to automatically take a mitigation action toward the 5G EPC API.

[Figure: edge protection for the MEC host. Labels: MEC Host, MEC Platform, Router, Local breakout, Core network, 5G EPC API, DDoS Protection, CNF: MicroDefensePro (μDP), DefenseFlow, DefenseMessaging, Policy/Control, Telemetry, BGP rule, Redirection rule, Diverted attacks, Infected Device/Botnet, Mitigation action, Single UE/PDP session mitigation. Captions: L3–L4 volumetric attacks, redirected to cloud scrubbing; rogue device detached from network or kill and wipe request sent.]


CONNECTED DEVICES AND NB-IOT


Hackers can go after connected devices that use NB-IoT by abusing APIs that direct telemetry devices and external networks. Their goal is to reach the IoT application servers.

DefensePro detects anomalies and volumetric attacks from devices attached to the network and signals DefenseFlow to initiate automated notification and attack mitigation at the IoT application servers before the attack traffic can hit the network core.

Radware’s API protection module also prevents malicious behavior from the external network that targets APIs to prevent actions such as changing traffic sampling rates or takeover of interface programming from bots.

[Figure: protection for connected devices and NB-IoT. Labels: User Equipment, Peer Edge, Core network, IoT application server, DefensePro, DefenseFlow, DefenseMessaging, Detector, Telemetry, Policies, Signaling metrics, CNF: API protection (SSL inspection + L7 inspection + ACL). Captions: device anomalies and volumetric attacks; outgoing attacks from infected User Equipment; attacks on IoT API; L3–L4 volumetric attacks.]


CARRIER WORKLOAD PROTECTION


5G security services that reside on public cloud platforms such as Amazon and Google can be controlled by service providers through APIs. Radware’s Cloud Workload Protection Service measures workloads to determine if security policies are being applied and administrative permissions are secured. Radware also utilizes patented technology, which is based on artificial intelligence and machine learning, to detect and mitigate malicious activity on workloads that originates from outside the cloud environment.

RADWARE INSIGHTS

SAVING CREATURES BIG AND SMALL WITH CYBERSECURITY

The stakes are high for protecting 5G networks.

[Figure: carrier workload protection. Labels: 5G Core, 5G services on public cloud, Public cloud infrastructure (AWS), Carrier workload, Workload Protection (Radware’s Cloud Workload Protection Service), Cloud-native Security (Radware’s Emergency Response Team (ERT) Service), Cloud-native integration. Caption: AI and ML detection of malicious activity and for security policy enforcement.]


06 SUMMARY

Radware offers industry-leading solutions to mitigate attacks on 5G networks and protect IoT devices.

TO LEARN MORE:

Visit radware.com

Read the Radware Blog

Download the Mitigating Business Risks in Your 5G Deployment white paper

Talk to a Radware sales professional, 877-524-1419


www.radware.com

ABOUT RADWARE

Radware® (NASDAQ: RDWR) is a global leader of cybersecurity and application delivery solutions for physical, cloud and software-defined data centers. Its award-winning solutions portfolio secures the digital experience by providing infrastructure, application and corporate IT protection and availability services to enterprises globally. Radware’s solutions empower more than 12,500 enterprise and carrier customers worldwide to adapt quickly to market challenges, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit www.radware.com.

Radware encourages you to join our community and follow us on: Radware Blog, LinkedIn, Facebook, Twitter, YouTube, Radware Connect app for iPhone® and our security center DDoSWarriors.com that provides a comprehensive analysis of DDoS attack tools, trends and threats.

© 2019 Radware Ltd. All rights reserved. The Radware products and solutions mentioned in this handbook are protected by trademarks, patents and pending patent applications of Radware in the U.S. and other countries. For more details, please see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.