We have been working with Service Providers and various colleagues across the world to develop the threat surface and use cases to properly apply 5G today and in applications coming tomorrow.  We call your attention to our white paper and to our session on this topic at Cisco Live US in Orlando.  The title of the session is BRKSPM-2010 (Security for Mobile Service Providers).

5G touches almost every aspect of the way we live our lives. It’s not just about faster, bigger or better, it’s about utilizing 5G as an enabler to a series of services that we all will consume in every aspect of our lives. The time is NOW to consider the security implications and cyber risk profile that come with 5G. The business operational risk, legal risk and reputational risk of not only the companies who provide 5G transport, but allcompanies, nation states and individuals who provide the services that will utilize 5G. The time is now to evaluate the cyber risk posture and apply innovative thoughts to how we can approach these challenges today and build for what’s to come tomorrow. Many IoT(Internet of Things) services will utilize 5G services. The intersection of 5G and IoT brings an extension of the existing threat surface that requires careful consideration from a cyber risk perspective. This white paper highlights innovative thoughts which enable you to take action and meet the challenges creating a security safety net for the successful deployment and consumption of 5G based services.

5G is as much the application of new architectural concepts to traditional mobile networks as it is about the introduction of a new air interface. The 5G mobile network intentionally sets out to be a variable bandwidth heterogeneous access network, as well as a network intended for flexible deployment. Aside from the usual reasons of generational shifts in mobile networks, i.e. those concerned with the introduction of networking technologies on lower cost curves, the 5th generation of mobile networks has to be able to allow the mobile service providers to evolve towards new business models that may result in future modes of operation that are very different from those of today. This presents a problem from the view point of securing such a network. The need to be flexible increases the threat surface of the network.

Security provides the foundation of service assurance. Adversaries and the threats that they impose against the networks used to deliver critical services continue to get smarter, more agile, and more destructive.

Networks used to deliver applications continue to converge, making it more important to properly segment threats and vulnerabilities by domain, while examining the aggregate threat landscape at the same time.


Examples of this include the evolved packet core where traditional and mobile services share an infrastructure leveraging the carrier data center and cloud for operational efficiency and also for service delivery. Cisco’s architectural innovations and evolution of existing networks to meet the needs of new service models like IoT services pushing technology evolution such as mobile edge compute and widely distributed secured data centers introducing a new set of visibility and control elements to handle the evolved threats.  In order to properly secure the “full stack” that delivers a connected application, two fundamental elements are applied: visibility and control. Visibility refers to the ability to see and correlate information from the carrier cloud to baseline proper behavior and then to measure deviation from that norm. Simply said, “If you can’t measure it, you can’t manage it.” Sources of visibility come from traditional network measurements (netflow, open flow, etc.), but the need to measure all aspects of a flow, from all elements of the carrier cloud to the application to the end customer, has changed what data is collected and where we get it. An example of the new visibility includes the use of application level probes that are synthetically generated and travel through the network to get a clear picture of how an application is behaving. Another example is where the Path Computation Element, which has a near real time database representing the network topology, is queried programmatically to determine the impact of a potential mitigation action on critical service classes for DDoS. Once all of the telemetry is gathered, a security controller and workflow will analyze it and determine, based on policy, suggested mitigation and controls to be applied. Of course, we have an iterative loop of constant learning. The Cisco Talos research team keeps our customers ahead of the game by its threat research and deployment of mitigation rules into our full portfolio of products, removing that burden from the Service Provider allowing them to focus on their core competencies.  Control refers to the actions taken to mitigate an attack. Some controls are taken proactively while others are applied after an attack takes place. There are two types of attacks. Day zero attacks are threats that we don’t previously have a fingerprint for. Typically deviations in known good behavior of the carrier cloud and applications that request service and state from it, are identified by the security controller and some action is then taken to mitigate the attack or to get additional visibility, an action sometimes taken to properly identify the adversary. Day one attacks are threats that we have a signature or fingerprint for and, quite often, a mitigation strategy exists in advance to handle the attack. Controls take the form of modifications to the carrier cloud to apply quality of service changes in per hop behavior to minimize the impact of an attack and also take the form of physical and virtual security assets applied as close to the source of the threat as possible in order to minimize collateral damage.

The information that the operator has that delivers the application is vast. Innovation in the way that we apply the information we have, in a close loop iterative process, is a recent innovation in threat visibility and mitigation. This is where automation, orchestration and NFV meets security to solve today and tomorrow’s security needs. The three elements of the closed loop iterative process are: policy, analytics, and the application delivery cloud (the whole transaction from the application to the networks used to serve it).  Operators can now apply innovative methods to correlate geo-location information to behavioral analytics, compare those against policy in the context of a threat to the carrier cloud, and ascertain the nature of that threat and what to do about it with far greater clarity. Visibility and control properly applied to the advanced threats of today offer the carrier cloud a level of protection. We must continue to evolve, grow and get smarter to keep our networks safe and resilient in the time of attack.

There’s so much more to discuss on the rich topics of the evolution to 5G and the threat surface.  Please do join us, my co-author on this blog Pramod Nair and I, at Cisco Live and read our white paper, both referenced in the first paragraph of this blog.


Michael Geller

Principal Systems Engineer

Security and Threat Defense