Fortinet Secures the Path to 5G

By John Maddison | February 19, 2019

Fortinet has just announced its portfolio support for the Mobile Service Provider transformation to a 5G core network. Fortinet has a growing family of advanced security solutions that are not only designed for today’s evolving networks and virtual infrastructures, but also fully integrated to protect them. The latest addition to this portfolio is Virtual SPU (Security Processing Unit) technology, which powers our VM-based security products.

Service Providers are embracing 5G transformation to increase network capacity, improve operational efficiency, deliver gigabit speed connectivity, and support new revenue generating use cases—such as enhanced mobile broadband, multiaccess edge computing, and IoT. To accomplish this, they have to support and secure a rapid architectural shift to open, virtual, and cloud infrastructure. In fact, the rapid adoption of these technologies is one of the primary reasons why Service Providers need to augment their traditional perimeter-based security measures with advanced security techniques designed to protect their new network infrastructures and revenue generating services.

5G market overview and new service opportunities

We are at the threshold of remarkable growth and opportunity in the mobile space. 5G has now been commercially launched and there is strong momentum in the global 5G market. In the United States, a major communications service provider launched a 5G fixed in-home service (internet service) at the beginning of October 2018, and all four of the country’s major service providers have now publicly announced that they will begin providing 5G services by mid-2019. On a global level, major 5G network deployments are anticipated beginning in 2020.

According to Ericsson’s Mobility report from November 2018, there will be 8.9 billion mobile subscriptions by the end of 2024. Further, mobile broadband subscriptions will reach 8.4 billion, accounting for close to 95 percent of all mobile subscriptions. To frame the context of the 5G transition opportunity, by the end of 2024 there will be 1.5 billion 5G subscriptions for enhanced mobile broadband, accounting for close to 17 percent of all mobile subscriptions.

With global mobile data traffic forecast to increase more than 5X between 2018 and 2024, key drivers for 5G deployment include increased network capacity and decreased cost per byte. In fact, 5G subscription uptake is expected to be faster than it was for LTE, which has been the fastest growing mobile technology to date.

Similarly, the number of cellular IoT connections is expected to increase at an annual growth rate of 27 percent, reaching 4.1 billion in 2024. These cellular IoT connections and fixed wireless access (FWA) subscriptions support new use cases, and will come on top of mobile subscriptions. New IoT services will also address diverse and evolving requirements across a wide range of use cases in different verticals, including utilities, smart cities, transportation, logistics, agriculture, manufacturing, and wearables.

To support this evolution, massive IoT cellular technologies such as NB-IoT and Cat-M1 are taking off and driving growth in the number of cellular IoT connections worldwide. And as the IoT application market begins to widen, even more advanced use cases requiring enhanced network capabilities are beginning to emerge. For example, service providers have announced the deployment of 85 cellular IoT networks worldwide using Cat-M1 and/or NB-IoT.

These new use cases—and the need to support a magnitude increase in bandwidth and ultralow latencies—are driving the evolution of traditional hierarchical service provider architectures to a flatter, cloud-based architecture where services can be offered from the edge of the mobile core network.

A shift in the core architecture

Traditionally, the core of the mobile network was run from a handful of datacenters. All mobile traffic was hauled into the core before providing access to service provider-delivered application services, such as end-user account applications or walled garden applications, or sending mobile traffic over the internet to third party cloud networks or services. These networks have been designed to handle hundreds of millions of connections and deliver megabit connection speeds.

However, to meet the challenges of billions of connected devices, gigabit connection speeds, and ultralow latencies, as well as delivering rich context around data transiting the mobile network, service providers must now rapidly increase network capacity and deployment agility and add more compute and storage, all without raising costs or lowering the reliability and availability of the infrastructure and services.

Cloud service providers have already demonstrated that it is possible to quickly and reliably deliver services at massive scale and capacity to both enterprise customers and consumers. Service providers are adopting a similar approach, but with a twist. They plan to deliver services from thousands of edge clouds rather than from a few mega-capacity central clouds. To support agility in service delivery, there is also a heavy focus on the programmability of the network to make dynamic changes (add/delete/update) anytime and anywhere.

The adoption of virtual and cloud native technologies to support these initiatives means opening the service provider stack to open-source technologies. At the same time, new service use cases require support for extensive web-based application delivery frameworks, with a heavy emphasis on APIs to connect the different service layers together. These new architectural changes and open technologies open up a Pandora’s box of security issues that service providers have never had to consider or deal with before, at least not at the scale and complexity that this new transformation demands.

Key security use cases

A properly engineered service provider mobile core needs to consider the need for specific security controls early on in its lifecycle. These early considerations are driven by security principles and policies established by the service providers, as well as by regulations and laws imposed by oversight and governing bodies. These drivers, together with the assessed risks to the business and its assets, give rise to security requirements, which in turn lead to having safeguards and countermeasures planned and put in place to deal with vulnerabilities and protect infrastructure and information assets from threats, whether naturally occurring or adversarial, from day one.

Today, with the movement to virtual infrastructures and cloud-based architectures that rely on open technologies, there is a significant need for security capabilities that go well beyond the traditional safeguards provided by stateful firewalls. The attack surface of this emerging infrastructure extends far beyond physical assets, backhaul and fronthaul, signaling, roaming, charging, and internet interfaces. Service providers also need to secure the virtual infrastructure and cloud platforms. And with new strategies such as network slicing, service providers have to be able to accommodate the complete end-to-end isolation of slices, in addition to the agile and dynamic allocation of end-to-end resources to multiple tenants running different services with varied requirements.

Another new concept arising from 5G transformation is edge clouds designed to deliver high bandwidth and low latency applications. These edge clouds will also need to support multiple tenants and specialized IoT applications that don’t run in the central cloud. However, from a security perspective, their policies and enforcement will need to be consistent with those in the core.

The most important consideration of the 5G threat landscape is that it is far more than the volumetric DDoS attacks and signaling protocol-specific hacks of the past. It also includes advanced persistent threats, lateral propagation, web application layer vulnerabilities, API security, and more. As a result, service providers need to ensure that the diverse set of security requirements imposed by this new architecture—along with the related use cases and services supported by their core networks—are adequately addressed by the security solutions they have in place. And further, these solutions need to be fully integrated and automated to ensure consistent and effective security enforcement to protect infrastructure assets and revenue generating services.

Fortinet solutions for 5G transformation

Fortinet offers a suite of strategic security solutions specifically designed to address the unique challenges facing operators as they migrate their core networks to deliver 5G mobility services. These specialized tools provide the ability to build an integrated security framework that optimizes the cost of launching and operating new services and revenue opportunities and enhances the ability to achieve service level goals, all while mitigating advanced threats.

Fortinet has a pedigree of building high performance carrier-class products and solutions. For example, our 5G-ready FortiGate 7000 and FortiGate 5000 series next generation firewalls protect the mobile carrier signaling, roaming, charging, and internet interfaces, and our FortiGate 3000 series provides secure transport for backhaul and fronthaul traffic. FortiGate NGFWs powered by the FortiCarrier OS offer several key security features, including:

Stateful termination of GTP-C and GTP-U traffic (Gn/Gp interfaces and S5/S8 interfaces) to provide complete protection and content inspection to prevent GTP signaling attacks.

Comprehensive SCTP protection and inspection, including SCTP over IPSec VPN, IPS DoS protection, flood attacks, fuzzing attacks, and more.

Extensive protection with hardware acceleration for SIP (Voice) and MMS (multimedia messaging) features, including inspect only and header rewrite modes, complex SIP NAT environments, rate limiting, topology hiding, and more.

Highest capacity for virtual domains and very high scale for profiles to enable the true multi-tenancy needed to support MVNOs, IoT providers, etc. Carrier features can be defined per-virtual domain.

For virtualized infrastructures, Fortinet offers a broad range of next generation virtual firewalls and virtual web application firewall virtualized network functions (VNFs). Powered by Fortinet’s Virtual SPU Technology, FortiGate Virtual Network Functions (VNFs) deliver significant increases in application and carrier security performance through innovative security processing optimizations and the latest packet processing acceleration technologies. While the FortiGate NGFW VNFs provide comprehensive network security capabilities along with deep application visibility and control, the FortiWeb WAF VNFs protect web applications and APIs powering cloud-based services.

These VNFs also have a small footprint, boot within seconds, and require less storage, thereby enabling service providers to protect their virtual networks and cloud platforms cost effectively. And for the efficient and agile deployment and utilization of these security VNFs, Fortinet also delivers integrations with NFV platform and SDN vendors. At the same time, FortiSIEM offers service providers offline inspection, security event correlation, and advanced analytics to detect and respond to application and user threats that may have evaded other inline protection systems.

Conclusion

The move to 5G presents service providers with a tremendous opportunity to grow their revenue streams into enterprise service offerings, in addition to improving ARPU with advanced mobile applications for consumers. These new services, however, require the adoption of virtual and cloud-based technologies that open up an entirely new set of vulnerabilities and threats to the infrastructure and services.

By utilizing Fortinet advanced security and high-performance systems, service providers can continuously monitor their extensive and complex mobile core networks and automatically detect and respond to threats. Additionally, Fortinet’s security fabric components provide mobile carriers with improved visibility through comprehensive and correlated analytics, and the ability to thwart complex external and internal security threats that can impact network infrastructure and services through massive scalability, high performance, broad visibility, and deep, granular controls.
