DPI supporting SASE for 5G security
By Tobias Roeder
Published on: 19.10.2021
The promise of unlimited bandwidth and unrivalled speeds is set to make 5G synonymous with cellular connectivity in the coming years. 5G will make a huge impact redefining industries and expanding the potential of emerging technologies. These technologies leverage new speeds and almost nonexistent latency to enable breakthrough applications. Central to most of the capabilities touted for 5G is network slicing. Network slicing enables operators to abstract a common physical infrastructure which they can use to create virtualized networks customized to specific use cases.
Use cases from network slicing are broadly classified into three distinct classes: enhanced mobile broadband (eMBB), which is an upgrade on 4G, ultra-reliable low-latency communications (URLLC), which provides lowest latency and highest speeds, and massive machine-type communications (mMTC), which is used for cohering IoT applications. These slices can be combined in different ways to create an industry-specific vertical fulfilling particular needs: autonomous vehicles with strict safety requirements will be skewed heavily toward implementing the URLLC service that offers very low latency; virtual reality (VR) and augmented reality (AR) will rely greatly on the higher speeds and bandwidths afforded by eMBB while also drawing upon URLLC; smart-city infrastructures will be dominated by the endpoint reach and coverage provided by mMTC, etc.[1]
Companies with applications that require specific speeds, latencies, coverage and intensity will essentially rent a vertical that is best suited for their needs. This makes way for creating thousands of private networks built and managed by the operators on behalf of their corporate clients. In 5G, such networks extend to thousands of end nodes that make up IoT use cases or, in the case of remote workers, all the users accessing the private network from outside of the network perimeter. This is where the security of 5G networks becomes a key concern because noncorporate entities might try to gain access to a corporate network. This can result from poor configurations that lead to users being misdirected to networks they do not belong to, nefarious threat actors trying to break into a corporate network or free riders exploiting network loopholes to enjoy services they did not pay for.
Secure access service edge (SASE) is a cloud-based security model on the rise. 30 percent of digital businesses worldwide plan to adopt in the next year.[2] Essentially, it is a secure gateway at the edge of a network. It bundles network and security functions provided on demand as a cloud service, with data centers located close to remote users and devices. For example, SASE allows employees to work remotely by offering connectivity to their enterprise network while guarding it with cloud-based firewalls and zero-trust network access.
This matches perfectly with the capacities of enterprise private 5G networks. It allows a remote worker or device (e.g. a delivery truck) to connect to their enterprise network that another user on the same 5G network cannot, as authentication and authorization into different virtualized networks take place at the network edge. From there, retail customers use a common slice, while an enterprise's remote users and devices are able to access their sealed-off network. SASE ensures a secure access. Instead of tracing traffic back to the 5G network core for these security purposes, SASE offers an automatic verification and authentication gateway between the user and the enterprise. It allows all endpoints to seamlessly access private 5G networks. It authenticates users not only as they cross the enterprise boundary, but also verifies them based on authorization rules and hierarchy as they access each specific application.
Deep packet inspection (DPI) is a network technology that offers in-depth visibility, not only into the basic information about data packets passing through a network but also the underlying applications and their services. An advanced DPI engine like R&S®PACE 2 identifies and classifies data through a network based on its associated application and protocol. It leverages a frequently updated library with the latest traffic signatures captured from the continuous analysis of global data traffic. On top of that, DPI provides traffic metadata covering quality-specific metrics, giving companies a comprehensive picture of what is going on in their networks.
With these capabilities, DPI can bolster the ability of SASE to authenticate traffic in an enterprise 5G network. It can identify the traffic source in real time. Real-time identification can ensure that only authorized remote users and remote devices have access to the enterprise network. By identifying only legitimate SIMs, fraudulent users and devices can be filtered out. This not only makes the network more secure but also speeds up the authentication that SASE offers. On top of that, real-time identification enables automatic login into the network, which is especially important for URLLC use cases.
R&S®PACE 2 in particular can also garner information about the number of devices behind tethering and identify the operating systems, protocols, applications and the services involved in tethering. Knowing how many and what kind of devices will be connected, a company can ensure that no unauthorized tethering takes place and that no connections are dropped.
Even if a device is legitimate, it could access the network for illegitimate purposes if hijacked by a third party or exploited by a user. That is where DPI can go a step further than SASE by identifying unusual traffic, application patterns and anomalies. DPI helps to identify malicious traffic being sent to the network, distributed denial-of-service (DDoS), botnet and man-in-the-middle attacks, data theft or unauthorized use of network capacity on expensive slices such as URLLC.
In general, DPI provides deeper insights into an enterprise network and reveals general trends within the traffic. This is all the more useful when the network users and endpoints are widely distributed and the network and application usage patterns are specific to their operations. These insights enable SASE to improve its authentication processes in the long run, refining its credential requirements, authentication frequency as well as continuous and point authentication policies to better reflect a company’s connectivity and security needs.
SASE strengthens enterprise networks by building on innovations in cloud computing and network security. It leverages software-defined networking and creates secure perimeters in the cloud. However, while SASE is powerful, it is not perfect without DPI. A tool such as DPI offers detailed traffic awareness and adds the necessary visibility layer. Combined, DPI and SASE ensure that enterprises can massively enhance the efficiency and security of their 5G networks, bringing the benefits of 5G to more endpoints and users.
Download our whitepaper: DPI and 5G and learn more about how DPI-empowered real-time traffic classification supports 5G.
Sources
[1] 5G RAN slicing for verticals: Enablers and challenges - HAL archives-ouvertes.fr - 2019 - https://hal.archives-ouvertes.fr
[2] 64% of businesses are adopting or plan to adopt SASE in the next year - Security - 2021 - https://www.securitymagazine.com