Improved frontline security with DPI for RAN

A mobile network enables wireless communications through radio waves transmitted through macro and small cells. From their first commercial deployment in the 1990s to the rapidly proliferating modern 5G networks, mobile networks have revolutionized remote and wireless communications by delivering ubiquitous connectivity with unprecedented speeds and latencies.

Radio Access Networks (RAN) are at the forefront of advancements seen in the mobile connectivity space. While backhaul and backbone technologies play an important role in moving bulk traffic from cell sites to the core network, it is the RAN that provides seamless and reliable connectivity to roaming devices up to 35 kilometers or more. It is also the RAN, consisting of antennas, remote radio units and baseband units, which is responsible for managing last mile traffic, deciding on access, routing and security implementations for every incoming voice call and every data packet.

An easy target

RANs are as susceptible to network threats as any other part of a mobile network, and arguably more so. As the least obscure part of the network, the RAN is an easy target for cybercriminals and saboteurs. Cell sites provide an easy point of attack for physical tampering, from theft of batteries and radio equipment to launching frequency jamming attacks and misusing signaling messages. As more cell sites dot cities and towns, perpetrators find themselves in close proximity to their targets, making such attempted attacks virtually effortless. The deployment of small cells for network densification in recent years has also rapidly increased the physical attack surface of the RAN. Femtocells and picocells, for example, are connected via third-party ADSL or FTTH connections which themselves may be poorly secured or controlled by parties not acting in the best interest of the operator.

As with any other network, securing the RAN requires visibility into the network. Advanced DPI engines such as R&S®STAGE 2 and ipoque’s R&S®vPACE, which provide in-depth, real-time insight into packet flows over IP networks, can equip mobile operators and network security providers with traffic insights that help them monitor and secure the RAN. This allows operators to stay ahead of a range of security threats affecting the RAN.

Danger on the tower

Man-in-the-middle attacks, for example, occur when an attacker intercepts and modifies messages between a sender and receiver while both parties believe they are communicating directly with each other. Rogue cell nodes are often used to launch these attacks. Another form of attack is the Distributed Denial of Service (DDoS) attack. In this type of attack, a server, application, or network function is flooded with traffic in a way that renders it dysfunctional. To do this, a number of compromised devices, collectively called a botnet, simultaneously hit the network infrastructure to overload it. DDoS attacks can hit the RAN by flooding the antennas with decoy messages, overloading the radio unit with meaningless radio signals, or sending nonsensical digital signals to the BBU.

Man-in-the-middle and DDoS attacks are revealed by sudden volume and frequency changes in traffic patterns, spanning traffic flows in both the user plane and the control plane. These signals, provided in real time by R&S®STAGE 2 and R&S®vPACE, allow network operators to take the necessary measures to fight back and secure the network immediately.
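As an added illustration (not code from the article or from the DPI products it names), the sketch below shows one way to flag sudden volume changes per cell site and per plane with a rolling median baseline. The function name, window, threshold, site name and all counter values are assumptions constructed for this example.

```python
from collections import defaultdict, deque
from statistics import median


def detect_volume_anomalies(samples, window=6, threshold=5.0):
    """Flag per-interval counts that deviate sharply from a rolling baseline.

    samples: iterable of (interval, cell_id, plane, count), in time order.
    Returns a list of (interval, cell_id, plane, count, robust_z_score).
    """
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for interval, cell, plane, count in samples:
        past = history[(cell, plane)]  # separate baseline per cell and plane
        if len(past) == window:
            base = median(past)
            # Median absolute deviation: a spread estimate outliers cannot skew.
            mad = median(abs(x - base) for x in past) or 1.0
            score = (count - base) / (1.4826 * mad)
            if abs(score) >= threshold:
                alerts.append((interval, cell, plane, count, round(score, 1)))
                continue  # keep the outlier out of the baseline
        past.append(count)
    return alerts


# Constructed per-interval counters for one hypothetical cell site:
# signaling messages (control plane) and data packets (user plane).
CONTROL = [100, 104, 98, 101, 97, 103, 102, 950, 99]
USER = [5000, 5100, 4950, 5050, 4900, 5020, 5010, 5030, 40]
SAMPLES = [
    (i, "site-A", plane, n)
    for i, (c, u) in enumerate(zip(CONTROL, USER))
    for plane, n in (("control", c), ("user", u))
]

if __name__ == "__main__":
    for alert in detect_volume_anomalies(SAMPLES):
        print(alert)
```

Both directions are flagged: the control-plane surge in interval 7 and the user-plane collapse in interval 8. Because flagged values are kept out of the baseline, a sustained anomaly keeps alerting instead of becoming the new normal.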

Another security threat carried out through the RAN is the injection of malware into a mobile network with the aim of corrupting its servers, stealing data and using network resources. User devices infected with such malware in the form of viruses, bots and Trojans can be used to infect the operator's servers or initiate unauthorized actions such as sending paid SMS, to the detriment of the user's device and also the capacity of the network. Equipped with an extensive library containing weekly updated signatures of malicious and suspicious traffic patterns, both R&S®STAGE 2 and R&S®vPACE can help RAN firewalls identify and block such malware, even for encrypted traffic streams, before it penetrates deeper into the network.

New architectures, new threats

Virtualized RAN (vRAN) and Virtualized Network Functions (VNF) configurations introduce threats typically associated with infrastructure sharing and lateral movement of traffic between virtual machines and containers. Open firewall ports or infected VM images, for example, can lead to attacks such as VM sprawl, malware, and ransomware. These vulnerabilities are exacerbated in Cloud RAN (C-RAN) deployments where security breaches in the data center, cloud, containers, or open source applications can lead to major network performance degradation, potential data breaches and loss of valuable data. Examples of such attacks are worms in malicious container images, rootkits, and application code errors. In these scenarios, R&S®vPACE, which is optimized for cloud computing environments, can be used to identify traffic irregularities, including speed, latency, jitter and packet loss mismatches, on unlimited packet streams at very high speeds, for continuous and extremely reliable tracking of malicious activity.

The implementation of Open RAN (O-RAN), which introduces vulnerabilities inherent in multi-vendor architectures such as misconfigured or unsecured APIs and differentiated, sometimes conflicting access and user rights, compounds the threats of vRAN and C-RAN. By flagging suspicious hosts, addresses, and applications based on traffic anomalies and identifying risky traffic sources in real time, DPI can be used to enforce stricter authentication policies for O-RAN, including zero-trust policies that limit the perimeter in which threats can operate. This includes protection against adversarial machine learning (ML) attacks that aim to trick ML systems by providing misleading inputs. While the best defenses against such attacks involve using ML itself to make systems resilient to adversarial attacks ex ante, DPI can help spot anomalies in traffic patterns and data packet payloads that may indicate such a misleading input.

Granular Monitoring

As networks grow, so do their security complexities. 5G, for example, despite containing user traffic in isolated network slices, can still suffer highly contagious attacks due to shared VNFs. Such flaws can lead to the evolution of newer, more elusive attacks on networks. Granular and highly accurate DPI information is therefore required to form the fundamental intelligence layer capable of monitoring, reporting and securing every packet traversing the RAN, providing the best defense for each cell site.
