SECURITY ASSESSMENT: FUTURE OF MOBILE NETWORKS (SDMN)
NAYANESH ARVIND ACHARYA STUDENT ID – 1062829
FASIUDDIN MOHAMMAD STUDENT ID – 1061877
PROJECT 870 – RESEARCH PAPER
INSTRUCTOR: PROF. AHMED AWAD
NEW YORK INSTITUTE OF TECHNOLOGY
Abstract
The complexity of network management in 5G mobile networks gives rise to the need for a software-oriented design of mobile networks, and the software-defined mobile network (SDMN) is seen as a promising solution for managing 5G networks. SDMN is the idea of building mobile networks in which all protocol-based features are implemented in software, maximizing the use of software over hardware in both the core network and the radio network. This in turn eases the complexity caused by increasing mobile traffic demand, heterogeneous wireless environments and diverse service requirements. SDMN works towards improving network performance and scalability in mobile networks. In this research paper, we present the future requirements of mobile networks in the form of an SDMN architecture that leverages Software Defined Networking (SDN), Network Function Virtualization (NFV) and cloud computing technologies to meet wireless data demands. Since SDMNs will be the next big thing for the mobile industry, their security is of utmost importance. This paper therefore examines the security concerns posed by the SDMN architecture, with respect to the relevant security threats and attack surfaces of its key enablers, SDN and NFV. The paper concludes with the business impacts and benefits that SDMN offers to the various roles in the mobile industry.
KEYWORDS
Software defined mobile network (SDMN), Software defined network (SDN), Network function virtualization (NFV), Cloud Computing, Fog Computing, Heterogeneous Mobile Network (HMN), Security, Threat, Vulnerability, CIA (Confidentiality, Integrity, Availability)
Introduction
The rising number of smartphones, intricate network services and rapid growth in data traffic pose serious challenges for mobile network operators. Mobile networks provide a variety of network services such as voice over IP, high-definition video streaming, Internet TV and mobile cloud services. Mobile operators therefore face competition from various providers, and to maintain a competitive edge they must roll out new network services and applications. 5G has been established as the next revolution in mobile communications: it is expected to handle increasing mobile traffic demand, heterogeneous wireless environments and diverse service requirements while delivering ultra-fast, ultra-reliable network access. Disruptive changes in mobile networks are essential to improve performance and provide high-quality services at an affordable cost.
Existing mobile network infrastructure operates with certain limitations that hinder the development of telecommunication networks, such as:
Complex and Expensive Network Equipment
Mobile backhaul equipment must provide broad functionality. For example, the Packet Data Network Gateway is in charge of numerous critical data plane functions, such as quality-of-service (QoS) management, access control, trace monitoring and billing. Thus, the equipment is complex and costly.
Inflexibility and Poor Scalability
The standardization process for mobile networks is lengthy; it takes many months or years to introduce new services. Existing static mobile networks are inflexible and expensive to scale to keep up with increasing traffic demands.
Complex Network Management
Because of the complexity of mobile backhaul devices, significant expertise and platform resources are required to manage mobile networks.
Frequent Roaming
Since mobile users keep moving across different access networks, the complexity of managing mobile networks increases significantly. Achieving interoperability between the various access technologies so as to dynamically guarantee consistent security and efficient QoS is very challenging.
To cope with the limitations of traditional mobile networks, software defined networking (SDN), network functions virtualization (NFV) and cloud computing principles are seen as promising technologies for managing an intricate communication network. The software defined mobile network (SDMN) architecture integrates all these technologies to meet the specific requirements of mobile networks. A software-oriented design for mobile networks will not be a simple extension of the SDN concept for the Internet, because mobile networks deal with complex radio environments, while the Internet mainly addresses routing. The essential idea from SDN is the decoupling of the data plane (DP) and the control plane (CP), which allows control of the network via a centralized controller. NFV offers a new way to design, deploy and manage networking services.
NFV allows decoupling the network functions from proprietary hardware appliances, so that they can run in software. The software-defined approach allows spectrum to be managed more efficiently, since the logical centralized control can be aware of the spectrum usage in the network, and allow proper spectrum mobility and effective implementation of spectrum sharing strategies in SDMN.
Google Trends data for the search term SDMN show a gradual increase in searches from June 2014 onwards; SDMN has become a hot topic for discussion and an ongoing research domain.
Figure 1. Google trends for SDMN search
ANALYSIS
SDMN INTRODUCTION
The software-defined mobile network (SDMN) is a programmable, flexible and flow-centric mobile network architecture constructed by integrating software-defined networks (SDNs), network functions virtualization (NFV) and cloud computing principles. It incorporates an application, a control and a data plane. SDMN is an important component of next generation (5G) mobile telecommunication networks that essentially works towards improving network functions, performance, flexibility, energy efficiency and scalability. Figure 2 gives an overview of SDMN.
Figure 2. SDMN Overview
KEY ENABLERS OF SDMN
Technical advances in SDN, network functions virtualization (NFV) and cloud computing are the key enablers of SDMN.
Software Defined Networking (SDN)
Software defined networking is a transformative approach to computer networking that lets network administrators manage the network through high-level functionality. SDN provides centralized network management and a global view of the network, which enables effective management of large and complex networks. In simple terms, the network intelligence is moved out of the physical hardware components and into software. The idea behind SDN is to take the networking intelligence away from the networking equipment and create a management system that makes the overall networking system much more efficient. In 2006 Martin Casado, a PhD student at Stanford University, proposed a centralized-controller security architecture (SANE); from this came the idea of routing based on a central controller, which was initially known as OpenFlow.
Figure 3. SDN Architecture
There are three planes/layers (application, control and data) and two interfaces (application-control and control-data). These planes and interfaces are very important as they form the basis of SDN and SDMN. The control plane decides where frames/packets will be forwarded or routed, i.e. it makes the routing decisions. The data plane forwards the traffic to its destination; it includes the routing tables, forwarding tables and the address resolution protocol. In traditional routers and switches, the control plane and data plane are integrated on the same hardware, and since these devices sit in the network they exchange information such as host reachability and status with their neighbors. The SDN concept is based on the idea of separating these planes. The control plane, in other words the network intelligence, is moved to a high-performance server, and network management is performed by centralized controller software. The data plane is left on the OpenFlow-enabled router or switch, which is responsible only for forwarding packets. The SDN architecture is shown in Figure 3. This architecture provides the ability to program the network directly and enables the underlying infrastructure layer to be abstracted for network services and applications, providing a more dynamic, flexible and scalable platform and easier management of the network compared to traditional network infrastructures.
The control plane is also known as the network operating system; it enables communication between network applications and the data plane. Communication between the control plane and the data plane uses the open network protocol OpenFlow, which is considered a standard for SDN. The SDN architecture also brings benefits from a security perspective: SDN provides programmability, and the centralized controller has a global view of the network. These characteristics are an advantage against security threats. For example, when an anomaly is detected on the network, the related traffic can be sent to the controller for analysis; after analysis, existing rules can be updated or new rules created to prevent attacks.
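The plane split and the anomaly-to-rule loop described above, as an added example that is not part of the paper: a switch holds a priority-ordered flow table and forwards by itself on a match; a packet that matches no rule (a table miss) is handed to the controller, which decides and installs a rule so the data plane handles the rest of that flow locally. The controller here reacts to a constructed list of flagged sources by pushing a high-priority drop rule, standing in for the analysis step the text mentions; addresses, ports and the blocked-source list are all constructed sample values, not OpenFlow messages.

```python
# Added example (not from the paper): minimal SDN data plane / control plane split.
# The switch forwards on a flow-table match; a table miss goes to the controller,
# which installs a rule. Addresses and the blocked list are constructed samples.
from dataclasses import dataclass, field
from typing import Dict, List

WILDCARD = "*"


@dataclass(order=True)
class FlowRule:
    priority: int                                   # only field used for ordering
    match: Dict[str, str] = field(compare=False)    # header field -> value or "*"
    action: str = field(compare=False)              # "forward:<port>" or "drop"

    def matches(self, pkt: Dict[str, str]) -> bool:
        # every specified (non-wildcard) field must equal the packet's header
        return all(v == WILDCARD or pkt.get(k) == v for k, v in self.match.items())


class Switch:
    """Data plane: forwards only, according to rules the controller installed."""

    def __init__(self, controller: "Controller"):
        self.table: List[FlowRule] = []
        self.controller = controller
        self.table_misses = 0

    def install(self, rule: FlowRule) -> None:
        self.table.append(rule)
        self.table.sort(reverse=True)               # highest priority first

    def handle(self, pkt: Dict[str, str]) -> str:
        for rule in self.table:                     # first match wins
            if rule.matches(pkt):
                return rule.action
        self.table_misses += 1                      # table miss: ask the controller
        return self.controller.packet_in(self, pkt)


class Controller:
    """Control plane: global view, decides and programs the switch."""

    def __init__(self, blocked_sources):
        self.blocked = set(blocked_sources)         # constructed anomaly list

    def packet_in(self, sw: Switch, pkt: Dict[str, str]) -> str:
        if pkt["src"] in self.blocked:
            # anomaly: push a high-priority drop rule for the whole source so the
            # data plane discards later packets without another round trip
            rule = FlowRule(200, {"src": pkt["src"]}, "drop")
        else:
            rule = FlowRule(100, {"src": pkt["src"], "dst": pkt["dst"]}, "forward:2")
        sw.install(rule)
        return rule.action


def demo_flow_table():
    """Run four constructed packets through the switch; returns (actions, misses)."""
    ctrl = Controller(blocked_sources={"10.0.0.66"})
    sw = Switch(ctrl)
    pkts = [
        {"src": "10.0.0.1", "dst": "10.0.0.9"},     # first packet of a flow: miss
        {"src": "10.0.0.1", "dst": "10.0.0.9"},     # same flow: matched locally
        {"src": "10.0.0.66", "dst": "10.0.0.9"},    # flagged source: miss, then drop rule
        {"src": "10.0.0.66", "dst": "10.0.0.7"},    # other dst, still dropped by src rule
    ]
    actions = [sw.handle(p) for p in pkts]
    return actions, sw.table_misses


if __name__ == "__main__":
    print(demo_flow_table())
```

Only two of the four packets reach the controller; the second and fourth are handled entirely in the data plane, which is the property that makes controller-side analysis affordable and also, as the security issues section notes, makes the controller a target when that miss path is abused.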
Network Function Virtualizations (NFV)
NFV is a recent initiative from the telecom industry to achieve a more flexible and cost-efficient network architecture. NFV uses virtualization to virtualize entire classes of network node functions, replacing dedicated network appliances such as routers and firewalls with software running on commercial off-the-shelf servers. The goal of NFV is to decouple network functions from dedicated hardware devices so that they can be hosted on virtual machines (VMs). Examples include virtualized load balancers, firewalls, intrusion detection devices and WAN accelerators. NFV is not dependent on SDN or SDN concepts; it is entirely possible to implement NFV as a standalone entity. NFV needs a central management system that takes operator requests associated with a Virtual Network Function.
Figure 4. Network Function Virtualization
A virtualized network function (VNF) can be run across different software and processes through virtualization techniques. The focus of NFV is currently on infrastructure networks, and it will be an important technology for redesigning mobile telecommunication networks. The combination of NFV and SDN brings a new architecture design to mobile networks.
Network Function Virtualization (NFV) | Software Defined Networking (SDN)
Relocates network functions from dedicated appliances to generic servers. | Separates control and data planes; centralized control and programmability of the network.
Target location is the service provider network. | Target location is the data center / cloud.
Target devices include servers and switches. | Target devices include servers and switches.
Applications include routers, firewall, gateways, WAN | Applications include networking and cloud orchestration.
Table 1. Differences between NFV and SDN
Cloud Computing and Fog Computing
The development of SDN is tightly connected to cloud computing, since cloud computing makes large-scale logical centralized control solutions feasible. Cloud computing allows centralized data storage and processing, and online access to computer resources through remotely deployed server farms and software networks. It aims to maximize the effectiveness of resource sharing.
Cloud computing is one enabler of NFV. However, the traditional cloud computing architecture may have a problem in meeting the strict latency requirements for fine timescale control functions in SDMNs. It is reasonable to move the logical centralized control close to the edge in mobile networks. Fog computing could fill this gap for better architecture design of SDMNs. Fog Computing describes what happens when the capabilities of the Cloud extend right to the edge of the network. Devices at the edge have increasingly powerful capacity in terms of compute, storage and networking.
In mobile networks, fog computing can be utilized for the control and joint signal processing at the RAN level to serve densely deployed cells, while cloud computing can be used for control in CNs for packet processing and forwarding. The integration of fog computing and cloud computing may lead to an end-to-end (E2E) SDN solution for mobile networks.
SDMN ARCHITECTURE
SDMN comprises three layers: Data Plane (DP), Control Plane (CP) and Application Plane (AP). Figure 5 illustrates the SDMN architecture.
Figure 5. SDMN Architecture [1]
The SDN architecture consists of the following key planes.
– Data plane (also known as the infrastructure layer): primarily consists of a data-forwarding unit including physical switches and virtual switches for exchanging and forwarding data packets. We also categorize the physical mobile terminal as belonging in the data plane.
– Control plane: consists of a series of controllers providing centralized control. The open API (application programming interface) enables the open switches' data forwarding functions to realize state collection and centralized control of the data plane.
– Application plane (also called application layer): provides various applications to end-users, such as mobile management, security application, network virtualization, etc. The mobile terminal applications are categorized into this plane.
The DP consists of mobile network elements such as base stations, femtocell stations, gateways, routers, and switches; it’s also called the infrastructure layer. The mobile backhaul network consists of DP switches and links between them. Base stations, femtocell stations, access points, and external gateways are connected to the border switches. DP switches route the backhaul traffic based on flow rules, which are installed by the network controller.
The CP contains a logically centralized controller, the brain that manages every function in the network. The network OS runs on top of the controller to support the control functions. The controller uses a control protocol, such as OpenFlow, to communicate with DP switches. In some deployment models, part of the CP software can reside on network routers or DP switches.
The AP consists of all of the telecommunications network's control and business applications. In the SDMN architecture, the traditional mobile network control entities, such as the policy and charging rules function (PCRF), home subscriber server (HSS), mobility management entity (MME), and authentication, authorization and accounting (AAA), will run as software applications at the application layer.
Benefits of software-defined mobile networks (SDMNs):
Logically centralized control
A centralized controller can make control decisions based on the global view of the network. These decisions are more accurate and efficient than existing autonomous system–based decisions.
Flexibility
The SDMN architecture defines a common standard among the backhaul devices. Therefore, the controller can manage any SDN-enabled mobile network component from any vendor as long as there is a common standard platform, such as OpenFlow.
Automatic network management
Automatic network management allows the deployment of new network services and functions in a matter of hours instead of days. Also, it’s possible to dynamically fine-tune the device configurations to achieve better resource utilization and security and lower congestion than static configurations. Furthermore, troubleshooting network configuration is very fast due to the controller’s global view.
Virtualized abstraction
The SDMN architecture hides the complexity of the various access technologies and topologies. SDMN's network programmability and proposed flow model support granular policy control, flexible traffic aggregation and partitioning.
Higher rate of innovation
The network programmability and common application programming interfaces accelerate business innovation in mobile networks. The operator has the flexibility to quickly innovate and test various novel controlling applications on top of the network OS. Deploying these novel software-based applications is faster than deploying today’s hardware-based applications.
Low-cost backhaul devices
The SDN architecture removes the control plane from backhaul devices, so they are needed only for very basic functions. Therefore, SDN switches do not require hardware with high processing power; the data plane can use low-cost switches with little processing capacity.
MOBILE NETWORK SECURITY IMPROVEMENTS USING SDMN
The adoption of SDMN concepts offers new features such as centralized intelligence, network programmability, abstraction, NFV, common device standards and flow-based traffic management, which will be particularly useful for implementing dynamic, flexible and manageable security mechanisms in future telecommunications networks. Below are high-level analyses of the key SDMN features that can be used to secure future mobile networks.
Centralized Intelligence and Control Orchestration
The SDMN controller has centralized intelligence and can monitor security breaches over the entire network. The controller not only makes informed decisions but also optimizes resource utilization for security. Validating and synchronizing various security policies will be fast and efficient with centralized intelligence. The controller can remove overlapping rules and optimize the decision-making phase for operational efficiency.
Granular Policy Management
SDMN supports more granular policy management schemes than the existing mobile networks. The controller can enforce security policies based on application, service, user, flow, device, and other levels. Such fine-grained enforcement and security policies are necessary to provide carrier-grade services while supporting millions of dynamic users in a single mobile network.
Scalability and Flexibility
The SDMN architecture supports virtualized security solutions and allows dynamic scaling of security resources to match the traffic load. It reduces the need to allocate physical resources sized for heavy traffic loads. Virtualized security solutions are cost efficient because the utilization of network resources can be optimized. Moreover, the security resources are available on demand, and security policies can extend across multi-access and multi-operator networks.
Abstraction
SDMN abstracts the security away from physical constructs such as stateful port firewalls, wire sniffers and multi-access technologies. Thus, it is possible to implement common security mechanisms that can be deployed repeatedly without concern for the underlying physical infrastructure capabilities and access technologies.
Dynamic Attack Mitigation
Network security personnel can leverage a centralized controller to monitor network activity and use it to detect anomalous behavior and mitigate it with higher accuracy. For instance, malicious traffic generated by an attack can be dropped as early as possible (for instance, the wireless edge for mobile-based DDoS attacks) rather than allowing it to reach the core network switches. Moreover, holistic network informatics is useful and efficient for forensics.
Dynamic and Flexible Adjustment
SDMN enables on-demand dynamic and flexible security policy adjustment by using network programmability. Security administrators can dynamically adjust security mechanisms to protect the network and optimize resource utilization. More important, these policies aren’t tied to the physical configuration or the user’s access technology. Thus, they can be reprogrammed and upgraded without changing or resetting the physical hardware.
Real-Time Monitoring and Decision Making
SDMNs’ centralized architecture offers network wide real-time security monitoring. The controller can facilitate dynamic security policy alteration, real-time security service insertion, and accurate network forensics measures. The controller can also help with informed decision making by blending historical and real-time network status and performance data. For instance, it can be used to assign resource limits for malicious network segments as a proactive security mechanism against denial-of-service (DoS) attacks.
Economically Viable
The SDMN architecture significantly reduces the resources required for security by optimizing resources and implementing middleboxes in virtual environments. It eliminates the need for complex and expensive security devices in the network and decreases capital expenditure on the network. In addition, adoption of the SDMN concepts offers flexible management, dynamic countermeasures and automatic configuration, reducing operating expenses. Moreover, these security mechanisms can be executed automatically, significantly reducing human errors.
SDMN SECURITY ISSUES
Despite the expected advantages, adopting SDMN concepts also brings many security disadvantages. The proposed open network architecture of SDMN minimizes the technological gap between the common IP networks and telecommunications networks. As a result, SDMNs would become vulnerable to most attacks in general SDN networks. Since SDMN is developed on the basis of SDN, we first introduce SDN and its related security problems before discussing SDMN security issues.
1. Security issues in SDN
Figure 6. SDN Security Threats & Attack Surfaces [link in notes 3]
The SDN architecture has the advantages of network programmability and centralized control, but these advantages can lead to new security threats and an increase of the attack surface. There is a variety of security threats targeting the planes and interfaces of SDN. Security threats and attack surfaces in SDN are shown in Figure 6. Security threats such as Denial of Service (DoS), unauthorized access, data leakage, data modification and malicious applications, which are seen in all other network architectures, are also seen in SDN.
The SDN-specific ones are attacks that target the controller software, the communication between the control plane and the data plane (control-data interface), and the communication between the control plane and the application plane (application-control interface). All of these threat vectors can potentially affect the operation of the entire network. Attacks against the SDN planes and interfaces, and the security services they target, are shown in Table 2 below:
Attack Surface | Attack Type | Attack Definition | Targeted Security Service
Application Plane | Interception, Modification | Unauthorized/Unauthenticated Applications | Confidentiality, Integrity
Application-Control Interface | Fabrication | Fraudulent Rule Insertion | Integrity
Control Plane | Interruption | DoS, DDoS | Availability
Control Plane | Interception | Controller Hijacking, Unauthorized Controller Access | Confidentiality
Control-Data Interface | Interception, Modification | Man-in-the-Middle | Confidentiality, Integrity
Data Plane | Interruption | Flow Table Flooding | Availability
Table 2. Summary of Attacks against SDN and SDMN
Unauthorized and unauthenticated applications target the confidentiality and integrity principles of security in the application plane. Attackers can use third-party applications that run at the application layer to hide their identity, gain access to network resources and manipulate the operation of the network.
If security measures are not enforced between the control plane and the application plane, malicious applications can inject fraudulent rules into the flow tables of the switches, causing conflicting rules in the network.
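One such measure on the application-control interface, written here as an added example rather than code from the paper or from any controller project: before a rule requested by an application is installed, the controller checks it against rules owned by the security application. A request is rejected when its match overlaps a security rule, prescribes a different action, and carries a priority high enough to win the overlapping packets; a lower-priority overlap is only reported, since the security rule still takes precedence. Rule ids, the "origin" field naming the requesting application, and all addresses are constructed assumptions for this example.

```python
# Added example (not from the paper): controller-side guard for application rules.
# Rejects a requested rule that would override a security rule on overlapping
# traffic. Rule ids, origins and addresses are constructed sample values.
from typing import Dict, List, Tuple

WILDCARD = "*"


def fields_overlap(m1: Dict[str, str], m2: Dict[str, str]) -> bool:
    """Two match specs overlap if some packet could satisfy both: for every
    header field, either side is unspecified/wildcard or both agree."""
    for key in set(m1) | set(m2):
        a, b = m1.get(key, WILDCARD), m2.get(key, WILDCARD)
        if a != WILDCARD and b != WILDCARD and a != b:
            return False
    return True


def check_rule_request(table: List[dict], new: dict) -> Tuple[bool, List[str]]:
    """Return (accepted, findings) for a rule requested by an application.
    Rejected when it overlaps a security-owned rule, differs in action, and has
    priority >= that rule (it would win the overlapping packets)."""
    findings: List[str] = []
    accepted = True
    for old in table:
        if old["origin"] != "security" or new["origin"] == "security":
            continue                                  # only guard security rules
        if not fields_overlap(old["match"], new["match"]):
            continue                                  # disjoint traffic, no conflict
        if old["action"] == new["action"]:
            continue                                  # same decision, harmless
        if new["priority"] >= old["priority"]:
            findings.append(f"{new['id']} from {new['origin']} would override "
                            f"security rule {old['id']}: rejected")
            accepted = False
        else:
            findings.append(f"{new['id']} is partly shadowed by security rule "
                            f"{old['id']}: allowed")
    return accepted, findings


def demo_rule_guard() -> List[bool]:
    """Three constructed requests against a table with one security rule."""
    table = [
        {"id": "sec-1", "origin": "security", "priority": 200,
         "match": {"src": "10.0.0.66"}, "action": "drop"},          # quarantined host
        {"id": "lb-1", "origin": "loadbalancer", "priority": 100,
         "match": {"dst": "10.0.0.9", "tp_dst": "80"}, "action": "forward:2"},
    ]
    # would let the quarantined host reach the web server at higher priority
    bad = {"id": "lb-2", "origin": "loadbalancer", "priority": 250,
           "match": {"src": "10.0.0.66", "dst": "10.0.0.9"}, "action": "forward:3"}
    # overlaps sec-1 but at lower priority: the drop still wins for 10.0.0.66
    ok = {"id": "lb-3", "origin": "loadbalancer", "priority": 150,
          "match": {"dst": "10.0.0.9"}, "action": "forward:3"}
    # disjoint source: no overlap with the security rule at all
    other = {"id": "lb-4", "origin": "loadbalancer", "priority": 250,
             "match": {"src": "10.0.0.5"}, "action": "forward:4"}
    return [check_rule_request(table, r)[0] for r in (bad, ok, other)]


if __name__ == "__main__":
    print(demo_rule_guard())
```

The check is deliberately conservative: it reasons about match overlap only, not about the actions' semantics, so a rewrite action that later makes a packet hit a different rule would need a second pass over the rewritten header. That is the kind of gap the text refers to when it speaks of conflicting rules.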
DoS and Distributed Denial of Service (DDoS) attacks against the controller, and flow table flooding attacks against the switches in the data plane, target the availability principle of security. An attacker may mount a DoS attack on the controller by sending it too many packets; DoS and DDoS attacks on the controller can potentially affect the functioning of the entire network. Similarly, DoS attacks are also possible against the switches in the data plane: the flow tables of the switches have limited cache and are vulnerable to flooding when an attacker sends a large number of packets belonging to different flows.
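To make the availability issue concrete, here is an added simulation (not from the paper) of a switch with a bounded flow table fed by a constructed traffic sample: ten legitimate, repeating flows on one port and two hundred single-packet flows on another. Without protection the flood fills the table and later legitimate flows are refused; with a controller-side guard that counts table-miss events per ingress port over a sliding window and stops installing rules for a port above a threshold, the table stays well below capacity. The capacity, window and threshold are assumed values chosen for the demonstration.

```python
# Added example (not from the paper): bounded flow table plus a per-port guard on
# the rate of new flows (table misses). Traffic, capacity, window and threshold
# are constructed sample values.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Packet = Tuple[float, int, str, str]        # (time, ingress port, src, dst)


class BoundedFlowTable:
    """Data-plane table with a hard entry limit, like real switch TCAM."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries: Dict[Tuple[str, str], str] = {}
        self.rejected_full = 0                # installs refused because the table was full

    def install(self, key: Tuple[str, str], action: str) -> bool:
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            self.rejected_full += 1
            return False
        self.entries[key] = action
        return True


class NewFlowRateGuard:
    """Controller-side sliding-window count of new flows per ingress port."""

    def __init__(self, window: float, max_new_flows: int):
        self.window = window
        self.max_new_flows = max_new_flows
        self.history: Dict[int, Deque[float]] = defaultdict(deque)

    def allow(self, port: int, now: float) -> bool:
        q = self.history[port]
        while q and now - q[0] > self.window:  # forget events outside the window
            q.popleft()
        if len(q) >= self.max_new_flows:
            return False                       # port is over budget: no new rule
        q.append(now)
        return True


def run_flood_sim(packets: List[Packet], capacity: int = 50, window: float = 1.0,
                  max_new_flows: int = 20, guarded: bool = True):
    """Replay packets; returns (installed entries, installs refused for a full
    table, {port: packets throttled by the guard})."""
    table = BoundedFlowTable(capacity)
    guard = NewFlowRateGuard(window, max_new_flows)
    throttled: Dict[int, int] = defaultdict(int)
    for t, port, src, dst in packets:
        key = (src, dst)
        if key in table.entries:
            continue                           # hit: handled in the data plane
        if guarded and not guard.allow(port, t):
            throttled[port] += 1               # table miss suppressed, no rule
            continue
        table.install(key, f"forward:{port}")
    return len(table.entries), table.rejected_full, dict(throttled)


def sample_traffic() -> List[Packet]:
    """Constructed sample: 10 repeating flows on port 1, 200 one-off flows on port 2."""
    pkts: List[Packet] = []
    for i in range(10):                        # legitimate hosts, 3 packets per flow
        for r in range(3):
            pkts.append((0.1 * i + 0.01 * r, 1, f"10.0.0.{i + 1}", "10.0.0.100"))
    for j in range(200):                       # flood: a new flow every 2.5 ms
        pkts.append((0.0025 * j, 2, f"192.168.{j // 256}.{j % 256}", "10.0.0.100"))
    pkts.sort()
    return pkts


if __name__ == "__main__":
    print("unguarded:", run_flood_sim(sample_traffic(), guarded=False))
    print("guarded:  ", run_flood_sim(sample_traffic(), guarded=True))
```

Unguarded, the 50-entry table is full within the first tenth of a second and most of the legitimate flows on port 1 never get an entry. Guarded, port 2 is capped at 20 entries per window and its remaining 180 packets are throttled, while all ten port-1 flows are installed. The same per-port counter is also a useful detection signal for the controller-side DoS the paragraph describes, since the flood arrives there as a burst of table-miss events.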
The confidentiality principle of security is targeted by attacks such as unauthorized controller access or controller hijacking, which endanger the entire network. The attacker can take over the management of a misconfigured, vulnerable controller and with it the management of the network.
A man-in-the-middle (MITM) attack on the communication between the control plane and the data plane targets the confidentiality and integrity principles of security. A MITM attack, performed at layer 2 of the OSI reference model, allows eavesdropping on or modifying the traffic flow between network resources such as a server, router or switch and an endpoint on the network. The attacker cannot view or modify the contents of messages when encrypted protocols are used.
2. Security issues in NFV
NFV principles propose decoupling network functions from proprietary hardware appliances and running them as software applications in a cloud environment. Implementing mobile network functions in the cloud introduces the vulnerabilities inherent in cloud computing.
A major security challenge is ensuring trust among new elements such as virtual machines, virtual switches, hypervisors, controllers and management modules. For instance, network functions now have the potential to run on any server anywhere in the world; therefore, network operators need trust mechanisms to ensure that the code is indeed correct. The introduction of new elements such as hypervisors creates new attack surfaces on mobile networks. It is practically impossible to define security zones or perimeters in the way they are managed in current mobile networks. Virtual machines that run virtualized network functions are dispersed across racks and datacenters and can migrate to other servers for optimization or maintenance purposes. Therefore, the physical perimeters of network functions become blurred and fluid, adding to the risk of security threats due to mismatched security policies at the various datacenters/servers.
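The trust mechanism the paragraph calls for, in its simplest form, as an added example that is not the paper's or any NFV platform's code: before a VNF image is launched on whichever server the orchestrator picked, the launcher recomputes the image's SHA-256 digest and compares it with the digest listed in a manifest that is itself authenticated by the operator. An HMAC with a shared operator key stands in for the asymmetric signature a real deployment would use; the image bytes, key and manifest are constructed for the example. Four cases are exercised: a genuine image, a tampered image, a tampered image with a re-written (but unsigned) manifest, and an image the manifest does not list.

```python
# Added example (not from the paper): verify a VNF image against an authenticated
# manifest before launch. HMAC-SHA256 stands in for a real signature scheme;
# image bytes, key and manifest are constructed sample values.
import hashlib
import hmac
import json
from typing import Dict, Tuple


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Authenticate the manifest over a canonical JSON encoding."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def verify_manifest(manifest: dict, sig: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), sig)


def verify_vnf_image(image: bytes, manifest: dict, sig: bytes, key: bytes,
                     name: str) -> Tuple[bool, str]:
    """Return (ok, reason). Only an image whose digest appears in an authentic
    manifest may be launched; every other path is a refusal with a reason."""
    if not verify_manifest(manifest, sig, key):
        return False, "manifest authentication failed"
    expected = manifest.get("images", {}).get(name)
    if expected is None:
        return False, f"{name} is not listed in the manifest"
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {name}"
    return True, "ok"


def demo_vnf_verify() -> Dict[str, bool]:
    key = b"operator-signing-key-constructed-for-example"
    good_image = b"VNF:vfirewall:v1\x00" + bytes(range(64))       # constructed image
    manifest = {
        "vnf": "vfirewall", "version": "1.0",
        "images": {"vfirewall.img": hashlib.sha256(good_image).hexdigest()},
    }
    sig = sign_manifest(manifest, key)
    results = {}
    results["good"] = verify_vnf_image(good_image, manifest, sig, key, "vfirewall.img")[0]
    # one byte flipped somewhere in the image
    tampered = good_image[:-1] + b"\xff"
    results["tampered_image"] = verify_vnf_image(tampered, manifest, sig, key, "vfirewall.img")[0]
    # manifest rewritten to match the tampered image, but the signature is the old one
    forged = dict(manifest)
    forged["images"] = {"vfirewall.img": hashlib.sha256(tampered).hexdigest()}
    results["forged_manifest"] = verify_vnf_image(tampered, forged, sig, key, "vfirewall.img")[0]
    # an image name the operator never approved
    results["unknown"] = verify_vnf_image(good_image, manifest, sig, key, "other.img")[0]
    return results


if __name__ == "__main__":
    print(demo_vnf_verify())
```

Binding the check to the manifest rather than to a digest stored beside the image is what lets it survive the migration the text describes: the manifest travels with the operator's key, so the same verification gives the same answer on every server and datacenter the VNF may land on.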
3. Special Security issues in SDMN
SDMNs inherit the security issues of SDN and also have their own set of security concerns. The end user devices in this case often do not have enough processing capability, memory and battery power. Since the communication is IP based, these user devices are prone to the same security threats as their fixed counterparts. The air interface is exposed to hacking and theft; hence, securing the air interface against malicious programming of open and programmable network devices is a real challenge. Since mobile users are mostly on the move and topological changes are frequent, updating the security procedures in line with mobility and topological changes is very important. The OpenFlow switch specification specifies Transport Layer Security (TLS) to secure the channel between the controller and the switches. Some security problems are brought about by the centralized control, resulting from the isolation between the data level and the control level, and by the specific architecture of SDMN in the cloud environment. Beyond the characteristics of SDN, the combination of NFV and SDN has resulted in a series of security problems. Examples include OpenFlow, NFV and software-defined fronthaul network security problems, and terminal problems. For the software-defined fronthaul, a virtualized attack is a threat. In terms of Software-Defined Fronthaul (SDF) wireless programs, the threats to SDMN security extend to the wireless medium itself, which becomes part of the attack surface. Radio frequency interference, Media Access Control (MAC) tampering and malicious RF interference can adapt to the heterogeneous network environment, so the radio programming segment of the SDMN fronthaul must be regarded as a target of attack.
With respect to the spectrum utilization method, the SDF program is vulnerable to primary user emulation, Byzantine attacks (spectrum sensing data manipulation/forgery) and several DoS attacks.
BUSINESS IMPACTS OF SDMN
SDMNs will provide an open network architecture with total vertical and horizontal control flexibility in mobile networks, which provides the ability to extend and program services for control and coordination in Heterogeneous Mobile Networks (HMN). Therefore the emergence of SDMNs will have a tremendously positive impact on businesses in the mobile industry.
With the implementation of a software-defined architecture, Mobile Network Operators will be able to reduce operational expenditure (OPEX) through more efficient use of spectrum, energy resources and network infrastructure. Similarly, software-defined control and open control interfaces will reduce capital expenditure (CAPEX) and the deployment time for new services.
Due to the open control interfaces, network equipment vendors have more flexibility in implementing network functions, which makes their equipment easier to integrate into operators' networks.
SDMNs could provide interfaces for over-the-top (OTT) services, enabling content providers and MNOs to benefit their businesses through a cooperation framework.
End users will experience a smoother network experience because of the improved coordination among the various mobile networks. SDMN will also enable the deployment of new services in shorter times.
The benefits of SDMNs for different business roles are summarized in Table 3.
Role | Business Benefits
Mobile Network Operators (MNO) | Reduced capital expenditure (CAPEX) and time to deploy services; decreased operational expenditure (OPEX) through more efficient use of spectrum, energy and infrastructure.
Network Equipment Vendors | Easier and faster integration of technologies and services.
Content Providers | Over-The-Top (OTT) services for providing network as a service locally.
Business to Business (B2B) end users | Easier and faster adoption and integration of new services.
Business to Consumer (B2C) end users | Seamless and smooth network experience, new value-added services.
Table 3. SDMN Business Impacts
Conclusion
In this research study, we have presented a new approach to networking known as software defined mobile networks, and how it can replace the existing mobile network approaches to implement the revolutionary 5G mobile networks. Software-defined design has been identified as an important evolution path for 5G networks, and the SDMN architecture has been illustrated in this study.
An understanding of SDMN implementation significantly benefits the convergence of heterogeneous wireless networks, improves resource utilization, facilitates network innovation, provides customized services, guarantees QoS and increases the revenue of all the network entities. Therefore, future mobile and wireless networks need a revolutionary architecture while supporting a smooth evolution from the existing mobile network approach to SDMN.
Adopting SDMN concepts brings both security advantages and disadvantages for mobile networks. Therefore the security aspects of SDMN, considering the security issues of SDN and NFV implementations, have also been discussed. Since the implementation of SDMN is a complete revolution of the existing mobile telecommunication network, the business roles involved, such as operators and vendors, will not take risks until they clearly understand the business benefits with regard to revenue and cost. Therefore we have also listed the business impacts that the establishment and implementation of SDMN will have for every business role.