Confidential | Do Not Distribute 1
Always Secure. Always Available.
Welcome to the 5G Era
Security, Visibility and Automation for 5G Mobile Networks and Multi-Cloud Environments
Nick Chen, Technical Director, A10 Networks Taiwan
5G Evolution Path

Generation                 1G        2G         3G         4G         5G
Year                       1980s     1990s      2000s      2010s      2020s
Peak Speed                 2 Kbps    100 Kbps   10 Mbps    1 Gbps     10 Gbps+
Voice calls                V         V          V          V          V
Text messaging (SMS)                 V          V          V          V
Mobile internet                                 V          V          V
Music streaming                                 V          V          V
Video streaming                                            V          V
4K/8K video streaming                                                 V
VR live streaming                                                     V
Self-driving cars / AIoT                                              V
Major Features of 5G

Enhanced Mobile Broadband: high throughput
• 4K/8K UHD
• VR/AR

Ultra Reliable Low Latency Communication: low latency
• Self-driving car
• Remote surgery

Massive Machine Type Communication: massive connection rates
• Logistics tracking
• Smart city
• Smart meter
Moving from 4G to 5G

Figure: three deployment models. Native 4G (Standalone): eNB, EPC, Internet. Hybrid Mode (5G-NSA, Non-Standalone): eNB and gNB, EPC, Internet. Native 5G (5G-SA, Standalone): gNB, 5G Core, Internet.
Why Is Security Important?

Figure: mobile and IoT devices reach the Evolved Packet Core (EPC, SGW/PGW) through the eNB/gNB, and the Gi/SGi LAN connects the core to the Internet, apps and services, and roaming partners. Enforcement points shown: GTP FW, GiFW/CGN.
• Subscribers are exposed to malicious traffic
• The Gi/SGi LAN is the gateway from the GPRS/LTE network to the Internet
• Attacks from roaming points of interconnect
• EPC and Gi-LAN are vulnerable to DDoS attacks
Security on MEC

Figure: gNBs connect to edge clouds hosting core functions and applications (latency <1 ms) and to the centralized data center hosting the EPC (MME, SGW, PGW), core functions, applications and video, with Internet access (latency >100 ms). GTP FW instances are shown at the edge clouds and at the central site.
DDoS Mitigation Levels – DST Zone: Web Server Farm

Mitigation escalates in steps so that stronger countermeasures are applied only as an attack grows (false positive prevention). Each level has its own DST threshold and per-SRC tracking and mitigation policies; the level can also be set in manual mode.

Level 0 – Peacetime: establish baseline; basic (or no) countermeasures
Level 1 – Wartime: add countermeasures
Level 2 – Wartime: increase countermeasures
Level 3 – Wartime: aggressive countermeasures
Level 4 – Wartime: final countermeasures

Example countermeasures, layered as the level rises:
IP & protocol anomaly filter (default), pass through
+ Malformed request check
+ Source authentication
+ Per-connection rate limit
+ Per-type request rate-limit (DST/Per-SRC)
+ Per-SRC GLID
+ Destination rate-limit
+ Zero-day Attack Pattern Recognition (ZAPR)
Automatic Attack Pattern Creation

Zero-day protection powered by unsupervised machine learning (ML):
• Collect and analyze flood traffic (legitimate traffic vs. attack traffic)
• Identify the attack vector and pattern (ML). Filter extraction works over header fields such as SRC IP, DST IP; IP ID, TTL, Length, Frag.; DST Port, SRC Port; TCP Flags, Window Size; Seq/Ack Numbers; UDP Length; DNS Flags, Resp. Code; and more…
• Block the zero-day flood attack with an automatically created BPF filter
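As an added example (not A10's implementation, and a frequency heuristic standing in for the unsupervised ML stage), the three steps above in Python: profile the listed header fields of attack versus baseline traffic, keep the fields whose dominant value covers nearly every attack packet but almost no baseline packet, and emit them as a BPF filter. The traffic samples are constructed dicts of header fields, the BPF offsets assume IPv4 headers, and the thresholds are illustrative.

```python
from collections import Counter

# Header field -> BPF expression template (IPv4 / TCP / UDP / DNS header offsets)
BPF_FIELDS = {
    "src_ip": "src host {}", "dst_ip": "dst host {}",
    "ip_id": "ip[4:2] == {}", "ttl": "ip[8] == {}", "ip_len": "ip[2:2] == {}",
    "src_port": "src port {}", "dst_port": "dst port {}",
    "tcp_flags": "tcp[13] == {}", "tcp_window": "tcp[14:2] == {}",
    "udp_len": "udp[4:2] == {}", "dns_flags": "udp[10:2] == {}",
}

def extract_filter(baseline, attack, max_baseline_hit=0.01, min_attack_cover=0.95, max_terms=3):
    """Return [(field, value), ...]: fields whose dominant value covers almost every attack
    packet but (almost) no baseline packet, most selective first."""
    candidates = []
    for field in BPF_FIELDS:
        values = [p[field] for p in attack if field in p]
        if len(values) < len(attack):              # field absent from some attack packets (mixed protocols)
            continue
        value, hits = Counter(values).most_common(1)[0]
        if hits / len(attack) < min_attack_cover:  # no dominant value, e.g. spoofed, rotating sources
            continue
        base_hits = sum(1 for p in baseline if p.get(field) == value)
        if base_hits / len(baseline) <= max_baseline_hit:
            candidates.append((base_hits, field, value))
    candidates.sort()
    return [(f, v) for _, f, v in candidates[:max_terms]]

def to_bpf(terms):
    """Render the extracted terms as one BPF filter expression (None when nothing qualified)."""
    return " and ".join(BPF_FIELDS[f].format(v) for f, v in terms) or None

def match_rate(terms, packets):
    """Fraction of packets the terms would match; used to verify coverage and false positives."""
    return sum(all(p.get(f) == v for f, v in terms) for p in packets) / len(packets)

# Constructed sample traffic (dicts of header fields, not real captures)
BASELINE = [dict(src_ip=f"192.0.2.{i % 50}", dst_ip="198.51.100.10", ip_id=i + 1, ttl=48 + i % 50,
                 src_port=40000 + i, dst_port=53, udp_len=40 + i % 30, dns_flags=0x0100) for i in range(200)]
ATTACK = [dict(src_ip=f"203.0.113.{i % 250}", dst_ip="198.51.100.10", ip_id=0, ttl=250,
               src_port=1024 + (i * 7) % 60000, dst_port=53, udp_len=1472, dns_flags=0x0100) for i in range(500)]
```

Fields shared by attack and baseline (the victim address, port 53, the DNS flags) are rejected by the baseline threshold, so the emitted filter keys only on what distinguishes the flood.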
GTP FW for Roaming Interface (S8)

Figure: roaming architecture. In the VPLMN the eNodeB connects over S1-U to the SGW, with MME (S11) and HSS; the SGW reaches the HPLMN PGW over S8 across the GRX (S5 being the home-network SGW/PGW interface). GTP-C and GTP-U cross the interconnect, and a GTP FW is placed in front of the EPC at the roaming edge.

GTP-C checks
• Mandatory-IE filtering (GTPv1/v2), e.g. Create Session Request (GTPv2): APN, F-TEID, RAT …
• Protocol anomaly filtering (GTPv0/v1/v2):
  • Reserved IE (0, 4-31)
  • Invalid TEID field (GTPv1/v2) (non-zero)
  • Invalid T flag field (GTPv2 only) (0 or 1)
  • Invalid Reserved field (GTPv1/v2) (0)
  • Out-of-order IE (GTPv1/v0)
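As an added example (not A10's code), the GTPv2-C checks the slide lists, implemented in Python: spare/reserved bits, the T flag, the TEID of a Create Session Request, reserved IE types and mandatory IEs. Message type 32 and IE types 71/82/87 are the 3GPP TS 29.274 values; the reserved-IE range follows the slide's list, the rules that a Create Session Request to a new peer carries TEID 0 and that only Echo and Version Not Supported messages omit the TEID are our reading of the spec, and the builder constructs sample messages.

```python
import struct
# Message type and IE type values named on the slide (3GPP TS 29.274)
GTPV2_CREATE_SESSION_REQ = 32
IE_APN, IE_RAT_TYPE, IE_FTEID = 71, 82, 87
TEID_LESS_MSGS = {1, 2, 3}                   # Echo Request/Response, Version Not Supported: no TEID in header
RESERVED_IE_TYPES = {0} | set(range(4, 32))  # reserved IE range as listed on the slide
MANDATORY_IES = {GTPV2_CREATE_SESSION_REQ: {IE_APN, IE_FTEID, IE_RAT_TYPE}}

def inspect_gtpv2(pkt: bytes) -> list:
    """Run the slide's anomaly and mandatory-IE checks on one GTPv2-C message; [] means pass."""
    if len(pkt) < 8 or pkt[0] >> 5 != 2:
        return ["truncated header or not GTPv2"]
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    t_flag, spare = (flags >> 3) & 1, flags & 0x7
    off = 8 if t_flag else 4                     # 4-octet TEID is present only when T=1
    if len(pkt) < off + 4:
        return ["truncated header"]
    findings = []
    if spare:
        findings.append("invalid reserved field: spare bits in flags octet non-zero")
    if length != len(pkt) - 4:                   # length excludes the first 4 octets
        findings.append("length field does not match message size")
    if t_flag != (msg_type not in TEID_LESS_MSGS):
        findings.append(f"invalid T flag {t_flag} for message type {msg_type}")
    if t_flag and msg_type == GTPV2_CREATE_SESSION_REQ and pkt[4:8] != b"\0\0\0\0":
        findings.append("invalid TEID: Create Session Request to a new peer must carry TEID 0")
    if pkt[off + 3] != 0:                        # 3-octet sequence number is followed by a spare octet
        findings.append("invalid reserved field: spare octet after sequence number non-zero")
    off += 4
    seen = set()
    while off < len(pkt):                        # IEs are TLV: type(1) length(2) instance(1) value
        if off + 4 > len(pkt):
            findings.append("truncated IE header"); break
        ie_type, ie_len = struct.unpack("!BH", pkt[off:off + 3])
        if ie_type in RESERVED_IE_TYPES:
            findings.append(f"reserved IE type {ie_type}")
        if off + 4 + ie_len > len(pkt):
            findings.append(f"IE {ie_type} length {ie_len} overruns message"); break
        seen.add(ie_type)
        off += 4 + ie_len
    for ie_type in sorted(MANDATORY_IES.get(msg_type, set()) - seen):
        findings.append(f"mandatory IE {ie_type} missing")
    return findings

def build_gtpv2(msg_type, ies, teid=0, t_flag=1, spare=0):
    """Constructed helper: assemble a GTPv2-C message (seq=1) so the checks can be exercised offline."""
    body = b"".join(struct.pack("!BHB", t, len(v), 0) + v for t, v in ies)
    rest = (struct.pack("!I", teid) if t_flag else b"") + b"\x00\x00\x01\x00"
    flags = (2 << 5) | (t_flag << 3) | spare
    return struct.pack("!BBH", flags, msg_type, len(rest) + len(body)) + rest + body
```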
Exploiting the Growing Encrypted Blind Spot

94% of all internet traffic is encrypted.
Almost half of cyber attacks use encryption to evade security.
Source: Google Transparency Report | Dark Reading
Decryption Scale and Security Problems

Figure: encrypted Internet traffic passes through a chain of devices (SWG, DLP/AV, ATP, IPS, NGFW), each of which decrypts and re-encrypts it.
• Each device must decrypt and re-encrypt its own traffic for full visibility
• Separate decryption licenses required on each device
• No single point of decryption policy control and key management
• SSL/TLS decryption is extremely compute-intensive and adds latency
• Expensive upgrades required to scale with rising demands
Enhance Performance with a Secure Decrypt Zone

Figure: traffic is decrypted once on entry to the Secure Decrypt Zone, inspected in clear text by SWG, DLP/AV, ATP, IPS and NGFW, and re-encrypted on exit.
• Centralized decryption, policy control and key management
• Enhanced performance due to decryption/re-encryption offload
• Improved user experience due to reduced latency
A10 SSLi Solution

Figure labels: Internal Clients; SSL Decryption (Private Root CA); Clear Text; NG Firewall / ATP / IPS; SSL Encryption (Public Root CA, Server Certificate & Key); Encrypted Data; Internet.
Challenge: Certificate Pinning (Reset by Client)

Problem
• Certificate pinning validates against a key embedded in the certificate chain for a domain name
• Some apps (e.g. Twitter) contain a predefined list of 'pinned certificates', specifically designed to defeat SSLi-type solutions

Solution
• Apply SSLi bypass for pinned-cert apps; there is no standard technique to decrypt such apps
• Bypass by SNI in the client SSL hello, or by SAN/Issuer/Subject in the server certificate

Figure: Internal Clients, SSL Decryption / SSL Encryption, Internet.
Selective Bypass Option for Compliance

Selective bypass to preserve privacy and compliance: meet data privacy regulations (HIPAA, PHI, PCI DSS, etc.) by keeping sensitive data encrypted.

Traffic can be bypassed based on:
• A10 Web Classification powered by Webroot
• Domain names
• Server Name Indication (SNI) / certificate issuer / certificate subject
• Source and destination IP addresses
• AD user and user group
• Physical interface

SSLi exception list: intercept a domain under a bypass category even when that category is set to bypass.

Note: an A10 Web Classification subscription is required.
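An added example (not A10's implementation) serving both the certificate-pinning slide and this one: it extracts the SNI from a TLS ClientHello and applies the bypass rules described above, with the exception list taking precedence over a bypassed category. The policy lists, the compliance-category domain and the ClientHello builder are constructed for illustration; twitter.com stands in for the pinned-certificate app the slide names.

```python
import struct
# Constructed bypass policy for this example (not A10's configuration)
PINNED_APP_SNIS = ("twitter.com",)                         # pinned-certificate app: cannot be decrypted, bypass
BYPASS_CATEGORY_SNIS = ("myhealthportal.example",)         # compliance category (e.g. PHI): keep encrypted
INTERCEPT_EXCEPTIONS = ("public.myhealthportal.example",)  # exception list: intercept despite the category

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:         # handshake record carrying a ClientHello
            return None
        p = 9 + 2 + 32                                     # skip handshake header, client_version, random
        p += 1 + record[p]                                 # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
        p += 1 + record[p]                                 # compression_methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= min(ext_end, len(record)):
            ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if ext_type == 0:                              # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):  # truncated or garbled hello: no SNI
        pass
    return None
def matches(sni, suffixes):
    return sni is not None and any(sni == s or sni.endswith("." + s) for s in suffixes)

def decide(record: bytes) -> str:
    """Return 'bypass' or 'intercept' for a ClientHello, following the slide's SNI-based rules."""
    sni = extract_sni(record)
    if matches(sni, INTERCEPT_EXCEPTIONS):                 # exception list wins over a bypassed category
        return "intercept"
    if matches(sni, PINNED_APP_SNIS) or matches(sni, BYPASS_CATEGORY_SNIS):
        return "bypass"
    return "intercept"                                     # default: decrypt and inspect

def build_client_hello(sni=None) -> bytes:
    """Constructed helper: minimal TLS 1.2 ClientHello record with an optional SNI extension."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        sn = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts = struct.pack("!HH", 0, len(sn)) + sn
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", 2) + b"\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A hello without an SNI, or one too damaged to parse, falls through to the default decision, so a malformed handshake cannot be used to slip past inspection.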
URL and Web Filtering

• Preventive security service
• Block access to known malicious and harmful content
• Specific categories for K-12 user protection
• Block access based on security concerns (malware, phishing, etc.)
• Stop users from bypassing security (proxies, VPNs)
• User-ID/Group-ID based filtering for granular control

Categories
Security: Malware, Phishing, Proxy, Spyware/Adware, Botnets, Spam, Keyloggers/Monitoring
Employee Productivity: Social Networking, Internet Communication, Games, Shopping, Recreation & Hobbies
Network Speed: Streaming Media, Shareware/Freeware, Peer to Peer
Legal / Compliance: Financial Services, Legal, Educational Institutions, Web-based Email, Health & Medicine
Parental Controls: Adult & Pornography, Abused Drugs, Gambling, Illegal, Hate & Racism, Violence, Cheating

Note: Web Classification service subscription is required
Threat Intelligence

• Continuously classifies and scores 95% of the Internet, and monitors the entire IPv4 and in-use IPv6 address space
• Enhances security efficacy to cover a broad range of attacks originating from different IP threat categories
• Applied through Thunder CFW firewall rules

Data volume: 27+ billion URLs; 600+ million domains; 4+ billion IP addresses; 15+ billion file behavior records; 62+ million mobile apps; 52+ million connected sensors

Note: Web Classification service subscription is required
Intuitive Dashboards and Detailed Visibility

• Customizable dashboards
• Intuitive widgets and tiles, grouped by service type
• Detailed access logs; exportable logs
• Threat Investigator integration
• Instantaneous reports

Screenshots: SSL/TLS and other traffic statistics; Web Classification widgets and Application Visibility tree chart; more Application Visibility charts with detailed drill-downs; SSLi, access and authentication logs with Threat Investigator integration.
Screenshots source: AppCentric Templates (ACT) v4
Multi-Cloud ADC Deployment

Figure: the A10 Harmony Controller provides per-app visibility (App Insights) across A10 Thunder ADCs deployed in public cloud, private cloud and traditional environments: visibility and enhanced troubleshooting across all apps, across clouds and diverse application services.
Cloud Bursting Management

Figure: the Harmony Controller centrally manages APP1 and APP2 in the private cloud (IP 60.250.157.11) and their burst capacity in the public cloud (IP 200.10.10.1), with SLB + GSLB steering traffic between them.
Per-application Response Time Analysis

Time series distribution of:
• Client SRTT
• Server RTT
• APP latency
• ADC latency (in/out)
Per-request Log Analysis

Time series distribution of:
• Client SRTT
• Server RTT
• APP latency
• ADC latency (in/out)
Thank You
Always Secure. Always Available.
The leading security brand for 5G mobile networks and multi-cloud environments