Network Management for Next-Generation Wireless Security
In the good old days, ICT research used to be just about technology. The success of any research project could easily be measured in terms of technical advances achieved. Back then, metrics for R&D on wireless networks included increases in data transfer rates, wider network capacity, and, naturally, higher levels of security between connection points.
While these technological improvements are still part and parcel of research projects, many publicly funded grant programs now require researchers and technologists alike to consider the businesses and vertical sectors that their work will enable and support. Like ICT itself, wireless networks can enhance the running of any modern business. From manufacturing to agriculture, healthcare to environment and water management, and onto smart energy and smart cities, each sector requires its own specific support from wireless networks.
When we talk, therefore, about the next generation of networks and connectivity, one of the first considerations is the current network’s approach to security. Can we say the existing security protocols will adequately support the network requirements of the various industries above? It would be nice to be optimistic, but optimism is not yet an accepted part of any security policy!
Before getting into specific security risks and requirements for next-generation networks, let’s look at a few of the wider, more general issues:
(1) Multi-tenancy – more network operators are taking advantage of cloud computing and sharing virtual infrastructure. This requires isolation at multiple levels (compute, network, storage, and management) to guarantee security between tenants.
(2) Variability – as more industries become dependent on the network, security requirements for network managers will become more diverse. This begs the question of how to manage arbitrary, service-oriented security in any given ecosystem.
(3) Reliability – for future networks, reliability will not just mean simple availability or up-time, but also high connectivity, capacity and coverage. This implies an overhaul of security policies regarding the maintenance of confidentiality and integrity in the network.
These give but a flavor of issues the security research community is currently discussing and taking tentative steps towards tackling. Now, let’s move onto some specific risks and their subsequent requirements.
Risks and Requirements
The risks and requirements listed should not be taken as exhaustive, given that network technology is continuously evolving, plus the fact that vertical sectors will additionally influence certain developments. Nevertheless, the following highlights key security aspects that must be considered in managing next-generation networks.
(a) Unauthorized access
Next-generation networks will be heterogeneous in nature, giving rise to the need for multi-level access protocols. Combine this with the network providers’ goal of offering seamless continuity, and we create an environment where unauthorized or opportunistic access can thrive. Where several domains, or slices, must interact (e.g. radio access slice, vertical industry slice, core slice) it may be difficult to achieve interoperability for access control at each sub-party.
(b) Domain lock-in
Within our globalized world, network slices are likely to span several administrative domains. Cloud and data centers may be in the USA, the company may be registered in Australia, and their customer accesses the network from France. The lack of common security standards could leave the owner of any particular network slice unable to migrate to other providers without affecting the security levels of their users.
(c) SLAs versus regulation
Liability regulations protect users’ data. If your data is misused, someone must take responsibility. Now, however, more vertical industries are moving into and becoming dependent on the network, leading to new service-level agreements (SLAs) for their customers that may diverge from existing data protection and security regulatory requirements.
(d) Undetected traffic theft
Software-defined networking (SDN) and network function virtualization (NFV) allow operators to replace costly hardware with more efficient software. However, this may inadvertently facilitate traffic capture and re-routing if there is any inconsistency between management-, control-, and data-planes; especially if the overall operator does not have full visibility of the various constituent network parts.
(a) Maintainability and handover
Next-generation wireless networks must, at a minimum, maintain the same security levels employed in current networks. Mutual authentication is required and the security of legacy systems must not be negatively affected.
As already highlighted, heterogeneity and complexity will be the hallmarks of next-generation networks. The overall automation of security, via context-awareness and dynamic security policies, will help network managers address potential cracks in the ever-changing network.
(c) Slice isolation
Zero correlation must be the aim among different tenants on neighboring and shared network slices, akin to the isolation security enjoyed by physically separated networks. Furthermore, such slice/tenant isolation must be demonstrable end-to-end over the operator’s entire infrastructure.
Updated and novel liability schemes must be proposed. These would build on existing regulations and take account of the unprecedented topology of next-generation networks. Delegation of responsibilities to third-parties could be considered (most license obligations cannot currently be sub-delegated).
Given the opportunities presented by complex future networks for attacks and fraudulent intrusions, a monitoring system must be in place to not only detect threats, but also to support coordinated monitoring across different slices of the network. Intelligence-driven monitoring such as that possible via machine learning or artificial intelligence is worth consideration.
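The plane inconsistency described under (d) Undetected traffic theft, and the coordinated per-slice monitoring called for above, can be checked mechanically by reconciling what each plane reports. The following is an added example, not code from the original article; it assumes a hypothetical data model in which the management plane exports the intended policy per slice, the control plane exports the installed flow rules, and the data plane exports observed forwarding, all as constructed sample sets.

```python
"""Cross-plane consistency check for an SDN/NFV deployment (added example).
Hypothetical model: management plane = intended policy, control plane =
installed rules, data plane = observed forwarding. Any divergence between
the three is a candidate for silent traffic capture or re-routing."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    slice_id: str   # network slice the flow belongs to
    src: str        # source prefix
    dst: str        # destination prefix
    next_hop: str   # where the flow is forwarded

# Constructed sample data: intended policy per slice (management plane).
INTENDED = {
    Flow("ran", "10.1.0.0/16", "10.9.0.0/16", "gw-core-1"),
    Flow("health", "10.2.0.0/16", "10.9.0.0/16", "gw-core-2"),
    Flow("core", "10.9.0.0/16", "0.0.0.0/0", "edge-1"),
}
# Flow rules the controller actually installed (control plane).
INSTALLED = {
    Flow("ran", "10.1.0.0/16", "10.9.0.0/16", "gw-core-1"),
    Flow("health", "10.2.0.0/16", "10.9.0.0/16", "gw-core-2"),
    Flow("core", "10.9.0.0/16", "0.0.0.0/0", "edge-1"),
    Flow("health", "10.2.0.0/16", "10.9.0.0/16", "mirror-7"),  # not in policy
}
# Forwarding the switches were seen performing (data plane).
OBSERVED = {
    Flow("ran", "10.1.0.0/16", "10.9.0.0/16", "gw-core-1"),
    Flow("health", "10.2.0.0/16", "10.9.0.0/16", "mirror-7"),
    Flow("core", "10.9.0.0/16", "0.0.0.0/0", "edge-1"),
}


def reconcile(intended, installed, observed):
    """Return findings grouped by slice so each tenant's monitoring view
    only shows divergences affecting that tenant's traffic."""
    findings = {}
    for flow in installed - intended:        # rule nobody asked for
        findings.setdefault(flow.slice_id, []).append(("unauthorised_rule", flow))
    for flow in observed - intended:         # traffic going somewhere unexpected
        findings.setdefault(flow.slice_id, []).append(("unexpected_forwarding", flow))
    for flow in intended - observed:         # policy path carrying no traffic
        findings.setdefault(flow.slice_id, []).append(("policy_path_unused", flow))
    return findings


if __name__ == "__main__":
    for slice_id, items in reconcile(INTENDED, INSTALLED, OBSERVED).items():
        for kind, flow in items:
            print(f"[{slice_id}] {kind}: {flow.src} -> {flow.dst} via {flow.next_hop}")
```

In the sample data only the health slice is flagged: an extra rule sends its traffic to a mirror host that policy never named, while the intended gateway path sits unused.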
(f) Value-added services
Traffic encryption could be generalized across next-generation networks, since this will allow compliance with wider privacy regulations. However, end-to-end encryption may impede the use of security services such as attack detection, QoS monitoring, and fine-grained access control. New value-added security services are required, therefore, in the context of encrypted traffic.
Any attempt to tackle the above requirements should begin with a few overarching design principles, more so than worrying about any particular technology or security attack. In this section, we discuss underlying concepts to help network managers secure their next-generation networks. But first we ask…
Is a new approach really needed?
While network security architectures are already defined for 3G/4G, the structure of future networks is worthy of re-examination for several reasons. First is the necessity of a trust model, which is not fully documented for 3G/4G. New actors and services in the future network must be incorporated into a trust model that they can rely on, and issues are already arising in the existing trust models used by inter-operator networks.
Second, virtualization is only now becoming integral to wireless networks and so is largely outside the scope of current standards. This too must be addressed for the next-generation network that will depend so much on it.
Thirdly, as we have already seen, many new mission-critical services (health, transport, etc.) will rely on the future network; thus, a security architecture that properly considers the potential damage and liability caused by cyber-attacks in their domains is essential.
(a) Logical as well as physical
The security architecture for next-generation networks should be logical rather than purely physical. With a large dependence on virtualization, network managers must ensure their slices isolate resources and data on shared infrastructure. However, radio access network (RAN) slices, for example, must be flexible enough to support dynamic allocation of functions across different planes.
(b) Distributed but hierarchical
Security controls will be spread over several administrative domains. A hierarchical approach will allow trade-offs between centralized and distributed functions. It will also facilitate decisions on which security mechanisms to deploy as dynamic changes are made to the network topology.
(c) Support out-sourcing
We expect vertical industries to improve efficiency by using shared infrastructure. While some will retain control of security, next-generation networks should allow others to continue their policy of out-sourcing by moving selected security services to third parties. Examples would include firewalls, device access control, and/or geo-location assertions provided by the network.
To work towards future-proofing security architecture, an extensible set of authentication methods and cryptographic algorithms should be supported. In addition, extensibility should also allow users to choose end-to-end application layer security rather than network-terminated security.
(e) Enhance M2M communication
Heterogeneity amongst wireless devices and scalability issues could render existing security protocols unsuitable for machine-to-machine (M2M) communications, especially with the massive deployment of the Internet of Things that is expected. Variable crypto-algorithms, incorporating energy efficiency concerns, would support many envisioned services.
Wireless networks and related security issues have been constantly evolving since Alexander Graham Bell patented his photophone. Moving from the current to the next-generation network is a paradigm shift though, as the number of vertical sectors reliant on the network has reached unprecedented levels. Simply put, the impact of network security failures would now be felt in ways previously unimagined.
In this article, we identified risks, requirements, and design principles that are kick-starting research on security for the next-generation wireless network. These provide an overview of emerging trends and can be applied to various network security domains to appraise the likely impact of security requirements in future networks.