Strengthening mobile networks: The power of zero trust and DPI in Open RAN


By Sebastian Müller
Published on: 14.04.2025

In recent years, the idea of zero trust architecture (ZTA) has started gaining a lot of traction in Open RAN. Open RAN refers to a multi-vendor architecture that is used in radio access networks (RAN). ZTA in Open RAN means adopting zero-trust principles for access to Open RAN resources including network functions, interfaces, applications and data.

Distributed, virtualized and cloud-based

Open RAN moves traditional baseband functions from proprietary, monolithic stacks to a software-driven architecture that is also flexible, virtualized and cloud-driven. These functions are modularized and distributed, giving rise to open radio units (O-RUs) that remain onsite, open distributed units (O-DUs) that are placed in the edge cloud and open centralized units (O-CUs) that are hosted in the core network or the cloud, including public clouds. These components are connected through open interfaces and APIs, and are hosted on an Open Cloud (O-Cloud) infrastructure.

The components are controlled by the service management and orchestration (SMO) platform, which provides analytics, AI, inventory management and configuration for the entire RAN. It integrates with the non-real-time RIC (Non-RT RIC). The Non-RT RIC taps into the SMO and various radio applications (rApps) to deliver high-level RAN functions whose control loops run on timescales longer than 1 second. The Non-RT RIC’s outputs, such as policies, are delivered to the near-real-time RIC (Near-RT RIC). The Near-RT RIC runs lower-level RAN functions with control loops between 10 milliseconds and 1 second, for example load balancing, fault monitoring and interference management.

Managing access in an open network

With an increased number of independent functions hosted and managed separately, granting and controlling access can become challenging. For example, access to one extended application (xApp) opens access not only to other xApps in the Near-RT RIC, but also to SMO components such as AI/ML and policy engines. Similarly, access to a single rApp creates inroads to other rApps as well as to O-DUs and O-CUs. Adding to these complexities, access requests can originate from both humans and devices. Network management users, for example, can include internal staff as well as vendors, cloud providers, app developers and third-party integrators. Each of these parties can comprise multiple personnel with different roles, tasks and privileges.

How ZTA helps secure Open RAN

ZTA removes implicit trust while handling access requests fast and at scale. It leverages the operator’s security controls, including its network access control (NAC) solutions and the built-in security mechanisms of each Open RAN component, to enforce principles such as least privilege access (LPA) and microsegmentation. LPA limits each identity to the minimum access it needs for any one resource, while microsegmentation splits an asset into sub-units and gates each of them separately.

At its core, ZTA uses user identification (ID), context and usage policies. While user IDs are referenced from credentials, context and policies are established dynamically via traffic and network inputs from real-time monitoring tools using deep packet inspection (DPI).
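To make the identity, context and policy triad concrete, here is an added illustration (not ipoque’s or the O-RAN Alliance’s code) of a minimal zero-trust policy decision point: it gates each Open RAN resource as its own microsegment and combines a verified identity with DPI-derived flow context (classified protocol, encryption state, anomaly score) before granting least-privilege access. Resource names, roles, protocol labels and thresholds are assumptions.

```python
from dataclasses import dataclass

# Added illustration, not vendor or O-RAN code: a minimal zero-trust policy
# decision point. Resource names, roles, protocol labels and thresholds are assumed.

@dataclass(frozen=True)
class Identity:
    subject: str          # e.g. "vendor-b-integrator"
    role: str             # role assigned by the operator's IAM
    authenticated: bool   # credential check already done upstream

@dataclass(frozen=True)
class FlowContext:
    protocol: str         # DPI-classified protocol on the flow, e.g. "E2AP"
    encrypted: bool       # TLS observed on the flow
    anomaly_score: float  # 0.0 (baseline) .. 1.0 (highly anomalous), from DPI analytics

@dataclass(frozen=True)
class Policy:
    allowed_roles: frozenset
    allowed_protocols: frozenset
    require_encryption: bool = True
    max_anomaly: float = 0.5

# Microsegmentation: each Open RAN resource is its own segment with its own gate, so
# a role that may reach one xApp is not implicitly granted the Near-RT RIC or the SMO.
POLICIES = {
    "near-rt-ric/xapp-loadbalancer": Policy(frozenset({"ric-operator"}), frozenset({"E2AP", "HTTP/2"})),
    "smo/policy-engine": Policy(frozenset({"smo-admin"}), frozenset({"HTTP/2"})),
    "o-du/site-17": Policy(frozenset({"ric-operator", "field-tech"}), frozenset({"NETCONF"})),
}

def decide(identity: Identity, ctx: FlowContext, resource: str) -> tuple:
    """Return (allowed, reason). Default is deny: an unknown resource or any failed check."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, "unknown resource"
    if not identity.authenticated:
        return False, "unauthenticated"
    if identity.role not in policy.allowed_roles:
        return False, "role not permitted in this segment"
    if ctx.protocol not in policy.allowed_protocols:
        return False, f"protocol {ctx.protocol} not expected on this interface"
    if policy.require_encryption and not ctx.encrypted:
        return False, "plaintext flow rejected"
    if ctx.anomaly_score > policy.max_anomaly:
        return False, "session behaviour anomalous, trust revoked"
    return True, "ok"
```

Because the anomaly score is re-evaluated on every request, the same identity that was admitted at session start is denied once DPI reports anomalous behaviour, which is the continuous adaptive trust described later in the post.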

DPI as a key component of zero trust for Open RAN

DPI plays an important role in implementing zero trust security in Open RAN environments. By analyzing network traffic in real time, DPI enables granular policy enforcement, ensuring that only legitimate data flows pass network gateways. Since zero trust assumes that no network traffic is inherently trustworthy, DPI helps detect and prevent unauthorized communication between Open RAN components.

DPI for user verification and authenticity

The DPI engines from ipoque, R&S®PACE 2 and R&S®vPACE, can be embedded into every component of the network, enabling real-time analytics of the overall IP communication. Both DPI engines leverage traffic classification techniques and metadata extraction, such as behavioral, statistical and heuristic analysis, to classify applications, protocols and services accurately. This helps operators ascertain the authenticity of a user’s request. Embedding DPI as part of the ZTA framework speeds up verification of users and their context, and ensures fast access to RAN resources. DPI is especially pertinent in establishing continuous adaptive trust through deep analysis of traffic behavior throughout a session to help operators uncover anomalies at any point.

New architecture, new security vulnerabilities – security challenges in Open RAN

The openness introduced by Open RAN makes it inherently susceptible to various security risks. Open RAN’s modularized and dispersed architecture contains many more entry points than conventional RAN. This exposure is exacerbated by multi-vendor components that come with different security standards. Zero-day attacks, core errors and malware can reside in any one of its components, yet may end up disrupting the entire network. Additionally, joint hosting of RAN functions as virtualized functions on a common platform facilitates the lateral movement of threats. Open RAN also features many open interfaces such as O2, A1 and E2, and hundreds of APIs, that can be manipulated by threat actors to penetrate the network. Any unsecured link or unencrypted communication is a ripe target for man-in-the-middle (MITM) attacks.

Another vulnerability in Open RAN comes from the use of the cloud. Placing critical RAN workloads on a shared infrastructure exposes the network to cloud-related threats that target vulnerable VMs/containers, container orchestration platforms and hypervisors. Shared hosting increases the likelihood of cross-tenant exploits and raises the risk of resource depletion due to DoS attacks.

The use of O-Cloud further exacerbates this as it promotes the use of cloud components from different parties with their own risks and susceptibilities.

Using DPI analytics for threat detection and mitigation

To execute security responses in real time, ZTA implementations require threat awareness from DPI. These responses might be:

  • blocking suspicious users
  • terminating unattended sessions
  • sending alerts to the security operations center

ipoque offers a suite of DPI solutions able to detect anomalous, suspicious and malicious flows. By tracking packets, flows and sessions across the network against given benchmarks, our next-gen DPI software is able to identify unexpected changes in user behavior, O-RUs, O-DUs, O-CUs, applications and other components of RAN. A sudden surge in access requests, new user identities, multiple logins, session overruns, unknown applications, slow response from functions, presence of rogue devices, large data transfers, blacklisted geographies, unrecognized networks and degradation in network performance can all indicate active attacks on the network.
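The indicators listed above translate naturally into benchmark checks over DPI flow metadata. The following is an added illustration (not ipoque’s product code) that runs a constructed set of flow records against assumed operator benchmarks and raises alerts for a surge in access requests, a new identity, a blocked geography, an unclassified application and an unusually large transfer; all record values and thresholds are constructed for the example.

```python
from collections import Counter

# Added illustration, not vendor code. Record layout (constructed sample):
# (timestamp_s, subject, source_geo, dpi_application, bytes)
FLOWS = [
    (0, "ric-op-1", "DE", "xapp-lb", 12_000),
    (1, "ric-op-1", "DE", "xapp-lb", 9_500),
    (2, "vendor-b", "DE", "smo-inventory", 30_000),
    (3, "vendor-b", "DE", "smo-inventory", 28_000),
    (4, "unknown-7", "XX", "unclassified", 500),   # burst from an unknown identity
    (4, "unknown-7", "XX", "unclassified", 700),
    (4, "unknown-7", "XX", "unclassified", 600),
    (4, "unknown-7", "XX", "unclassified", 650),
    (5, "vendor-b", "DE", "smo-inventory", 900_000_000),  # unusually large transfer
]

# Benchmarks an operator would derive from baseline traffic (values assumed here).
BENCHMARKS = {
    "max_requests_per_sec_per_subject": 3,
    "max_bytes_per_flow": 100_000_000,
    "blocked_geos": {"XX"},
    "known_apps": {"xapp-lb", "smo-inventory", "rapp-policy"},
    "known_subjects": {"ric-op-1", "vendor-b"},
}

def detect(flows, bench):
    """Return sorted, de-duplicated (indicator, detail) alerts for the given benchmarks."""
    alerts = set()
    # Surge in access requests: count requests per subject per second.
    per_sec = Counter((ts, subj) for ts, subj, _, _, _ in flows)
    for (ts, subj), n in per_sec.items():
        if n > bench["max_requests_per_sec_per_subject"]:
            alerts.add(("access_surge", f"{subj}: {n} requests at t={ts}"))
    # Per-flow checks: new identities, blocked geographies, unknown apps, large transfers.
    for _, subj, geo, app, nbytes in flows:
        if subj not in bench["known_subjects"]:
            alerts.add(("new_identity", subj))
        if geo in bench["blocked_geos"]:
            alerts.add(("blocked_geo", f"{subj} from {geo}"))
        if app not in bench["known_apps"]:
            alerts.add(("unknown_app", f"{subj} -> {app}"))
        if nbytes > bench["max_bytes_per_flow"]:
            alerts.add(("large_transfer", f"{subj}: {nbytes} bytes"))
    return sorted(alerts)

if __name__ == "__main__":
    for indicator, detail in detect(FLOWS, BENCHMARKS):
        print(f"{indicator:15s} {detail}")
```

Each alert can then be mapped to one of the responses named above (blocking the subject, terminating the session or notifying the SOC) according to the operator’s own playbook.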

With encrypted traffic intelligence (ETI), the DPI engines R&S®PACE 2 and R&S®vPACE are also able to deliver insights about traffic flows that are encrypted, obfuscated and anonymized. This is extremely useful in ZTA, as the communication between users and resources is always encrypted. This inadvertently creates a safe refuge for threats that are masked as regular traffic. With ETI, network operators can:

  • identify the underlying flows,
  • detect the aforementioned threats,
  • ensure that the very mechanism used to protect the network is not manipulated by malicious parties.

ETI also helps uncover masking techniques that are used to disguise malicious traffic.

Another key area of Open RAN is the heavy use of AI and ML. AI/ML applications and associated databases are vulnerable to attacks such as data infiltration, data poisoning and data theft. As AI/ML workloads are critical to the functioning of the SMO and RIC, ZTA needs traffic intelligence that can adequately monitor irregularities in their access and use. Again, DPI’s application awareness provides operators with the necessary real-time insights to implement dynamic controls on sensitive and important RAN resources.

Towards a secure Open RAN

With the industry’s growing emphasis on RAN security, including the latest specifications by 3GPP and the O-RAN Alliance Security WG11 on ZTA, real-time end-to-end visibility of RAN will become a key focus area in Open RAN deployments. This drives the need for advanced visibility tools such as next-gen DPI. Ultimately, DPI enables operators to accelerate the adoption of both open architectures and zero-trust frameworks, knowing that comprehensive insights on every packet traversing today’s Open RAN networks are available at their fingertips.

DPI supports the zero-trust strategy in Open RAN networks by:

  • Analyzing and blocking suspicious or unauthorized data packets.
  • Detecting attacks such as DDoS, malware and anomalies early.
  • Ensuring compliance with security policies.
  • Improving the quality and performance of Open RAN.

Curious about our Open RAN research report? It delves into the critical role of advanced analytics and deep packet inspection (DPI) in enhancing Open RAN's capabilities, providing insights that can empower MNOs to optimize their networks for the future.


Sebastian Müller


Sebastian is a passionate DPI thought leader guiding a cross-functional team to build the networks of the future with leading traffic analytics capabilities. He has over ten years of dedicated experience in the telecom and cybersecurity domain, providing him with deep understanding of market requirements and customer needs. When he’s not at work, you can either find him on his road bike or hiking in the mountains.

Email: Seb.Mueller@rohde-schwarz.com