5G Network Slicing: The Catalyst for a Secure, Virtualized EPC



Next-generation 5G networks and the theoretical delivery of 10 Gbs bandwidth to every user make for an exciting proposition – one that mobile network operators (MNO) are actively discussing and, in many cases, trialing or even marketing. But the promise of more bandwidth alone will not attract all existing dedicated network services and proposed new services to a shared, best-effort model. These services require not only performance but also guaranteed availability, privacy and security (services such as connected car, first responder, enterprise, niche IoT and more to come).

Enter the concept of 5G network slicing – creating virtualized, dedicated service layers for RAN, EPC and switching. Where infrastructure is shared, network functions are virtualized, orchestration logically slices the network per service, and SDN segments traffic and dynamically reroutes based on overload or outage.

And there’s more. With 5G network slicing and the NFV ecosystem that enables it, MNOs can realize a fully virtualized EPC and, at the same time, provide for stronger, preventive security posture. Here’s how:

Historically, migrating “big iron” networking elements and interfaces within the EPC to virtual network functions (VNFs) has been problematic due to the inherent limitations of typical VNF throughputs. This has also proven to be a challenge for network security elements guarding the EPCs, such as legacy ACLs, port-based firewalls, point security solutions and unified threat management.

These legacy solutions are being replaced by next-generation firewalls and security platforms that provide application-layer inspection and advanced threat prevention. This is a necessary step for MNOs to address the evolving mobile threat landscape. Because of the way existing 4G networks are architected, however, improving the security posture of these interfaces still runs up against the same VNF throughput challenges previously discussed. As an example, virtualizing an all-in-one 500 Gbps SGi firewall requires load balancing and orchestration across several VNFs just to replace existing port-based security functions. Additionally, there is a need to evolve to next-generation solutions where throughputs are no longer simply line-rate.

By dedicating “slices” in 5G end-to-end across the network, we can establish more granular VNF deployments – RAN and SGi security interfaces dedicated to specific service and application offerings. For example, instead of one monolithic Gi security interface, we can have a network security segment dedicated to a particular IoT solution, enterprise offering or emergency responder network, each with varying SLAs on performance, redundancy and privacy. This same network slice is extended across the architecture with equivalent RAN-side security slicing per service, as well as roaming-side security slicing. Here, MNOs can implement Next-Generation Security Platform deployments looking across all applications and ports, inspecting content and leveraging decryption capabilities as necessary for dedicated services, all without exhausting VNF capacities. In doing so, they can achieve stronger security posture without exhausting throughput or requiring highly complex load-balancing schemata.

Network slicing has introduced the missing link in the full circle of virtualized security in the EPC – the ability to segment advanced security to dedicated services. Palo Alto Networks Next-Generation Security Platform includes innovations in the areas of GTP-U content inspection and threat prevention, full application-level SGi inspection and threat prevention, and IoT innovations for application-based security, all of which now fit into VNF footprints with growing throughput capacities (for example, PAN-OS 8.0, VM-700 16 Gbps for full application visibility).

Incorporating these capabilities into a virtually segmented services architecture like 5G network slicing allows dedication of the security VNF and replacement of legacy hardware that would otherwise lead to complex load-balancing architectures. This, in turn, enables virtualized security interfaces into the EPC, which has been one of today’s gating factors to full EPC virtualization.

Learn more about the Palo Alto Networks VM-Series Firewall Performance Enhancements.


Register for Ignite ’17 Security Conference
Vancouver, BC June 12–15, 2017

Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS