Thoughts on the Protection of Key Information Infrastructure in Telecommunication Network

Wenhua Wei Technology Co., Ltd., China Region Network Security and User Privacy Protection Department: Feng Yunbo, Li Jiazan, Yao Qingtian

According to China's Cybersecurity Law and the Regulations on the Security Protection of Critical Information Infrastructure, critical information infrastructure refers to "public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and other important industries and fields that may seriously endanger national security, the national economy and people's livelihood, and the public interest once they are destroyed, lose their functions or suffer data leakage". Among these, the telecommunication network is itself key information infrastructure; it also provides network communication and information services to the key information infrastructure of the other industries, and plays a fundamental supporting role in the national economy, science and education, culture and social administration. The telecommunication network is the foundation on which other key information infrastructure rests, so protecting the security of the telecommunication network's key information infrastructure is particularly important.

I. Scope of Key Information Infrastructure of Telecommunication Network

According to Article 9 of the Regulations on the Security Protection of Key Information Infrastructure, the competent department of the telecommunications industry shall formulate rules for the identification of key information infrastructure in the telecommunications industry in light of the actual situation of the industry and the field.

Unlike the key information infrastructure of most other industries, which consists mainly of IT systems, the telecommunication network that carries voice, data and messages is mainly a CT system, and it is far more complex. A telecommunication network involves many component networks: mobile access networks (2G/3G/4G/5G), fixed access networks, transport networks, IP networks, mobile core networks, the IP Multimedia Subsystem (IMS) core network, network management support networks and service support networks. A network attack on any of them affects the voice or data services carried on the telecommunication network.

When identifying key information infrastructure in the telecommunications industry, the National Critical Functions set of the United States can serve as a reference. In April 2019, the National Risk Management Center of the Cybersecurity and Infrastructure Security Agency (CISA) under the US Department of Homeland Security released the National Critical Functions set, which divides the functions critical to the country into four areas: supply, distribute, manage and connect. Under this classification, telecommunication networks fall into the connect category.

In addition to the telecommunication networks and services above, the large number of IT support systems that keep the network running, such as the business support system (BSS) and the operation support system (OSS), are also very important and should be considered for inclusion in the scope of key information infrastructure. For example, the network management system manages the network elements of the telecommunications network; once it is compromised, the attacker can control the core network and paralyse it. The business support system (billing) supports the operation of the telecommunication network and stores user data; once it is compromised, sensitive user information may be disclosed.

II. Protection Objectives and Methods for Key Information Infrastructure of Telecommunication Network

The telecommunication network is the key infrastructure of the digital wave; it plays a very important role and bears on the national economy and people's livelihood. Governments around the world attach great importance to the security protection of critical infrastructure and have defined protection objectives for key information infrastructure.

In 2007, the Department of Homeland Security (DHS) issued the National Strategy for Homeland Security, which pointed out for the first time the need to ensure the resilience of national infrastructure in the face of uncertain challenges. In February 2013, President Obama issued the Executive Order on Improving Critical Infrastructure Cybersecurity, whose primary strategy is to improve the security and resilience of critical infrastructure, and which directed the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework. The Framework for Improving Critical Infrastructure Cybersecurity (CSF) issued by NIST in April 2018 proposes that the protection of critical infrastructure should focus on identification, protection, detection, response and recovery, establishing a cybersecurity framework to manage cybersecurity risk. The NIST CSF defines the IPDRR capability framework model around the resilience requirements of critical infrastructure and references standards such as SP 800-53 and ISO 27001. The IPDRR model comprises five capabilities, risk identification, security protection, security detection, security response and security recovery, and takes its name from their initials (Identify, Protect, Detect, Respond, Recover). In May 2018, DHS issued its Cybersecurity Strategy, with the core goal of "improving national cybersecurity risk management by strengthening the security and resilience of government networks and critical infrastructure".

In March 2009, the European Commission adopted a communication on protecting the security and resilience of European networks; in June 2016, the European Parliament issued the NIS Directive to guide the national strategy design and legislation of EU member states for critical infrastructure. On the basis of the NIS Directive, EU member states draw up national cybersecurity strategies with reference to the recommendations of the European Union Agency for Network and Information Security (ENISA). In 2016, ENISA issued technical security guidelines for digital service providers (DSPs), defining 27 security objectives (SOs). The SO clauses are mapped to ISO 27001 and the NIST CSF, and the resilience of critical infrastructure networks has become an important requirement.

Drawing on international practice, the core objectives of security protection for the key information infrastructure of China's telecommunications network should be: keep the network available and never paralysed; detect and block attacks when the network is attacked; restore network services quickly; achieve high network resilience; and, at the same time, raise the level of telecommunication network security risk management and ensure the security of network data and user data.

Articles 5 and 6 of China's Regulations on the Security Protection of Critical Information Infrastructure stipulate that the state gives priority to the protection of critical information infrastructure, and on the basis of network security level protection, it takes technical protection measures and other necessary measures to deal with network security incidents, ensure the safe and stable operation of critical information infrastructure, and maintain the integrity, confidentiality and availability of data. China's National Cyberspace Security Strategy also proposes to establish and implement a key information infrastructure protection system focusing on identification, protection, detection, early warning, response and disposal.

Referring to the IPDRR capability framework model, the methodology should be to build, for telecommunication networks, the capabilities of asset and risk identification (I), security protection (P), security detection (D), security incident response and handling (R) and post-attack recovery (R). Following the CSF issued by NIST, telecommunication network security protection can proceed in seven steps. First, prioritize and scope: determine the protection objectives and priorities of the telecommunication network units. Second, orient: define the related systems and assets to be included in key protection, and identify the threats, vulnerabilities and risks they face. Third, create a current profile from the present security posture. Fourth, conduct a risk assessment based on the overall risk management process or on previous risk management activities; the assessment analyses the operating environment, determines whether a cybersecurity incident has occurred and evaluates its impact on the organization. Fifth, create a target profile describing the desired future security outcomes. Sixth, determine the gaps between the current profile and the target profile, prioritize them, and formulate a prioritized action plan to close them. Seventh, implement the action plan, deciding which actions to take to close the gaps.

III. Security Risk Assessment of Key Information Infrastructure in Telecommunication Network

To protect the telecommunication network well, operators must first comprehensively identify the assets the network contains and the security risks it faces, and then formulate risk reduction and protection schemes according to those risks.

1. Security risk assessment should be conducted for different telecommunication networks.

Different telecommunication networks have different structures, functions and technologies, and therefore face different security risks. For example, the security risks of optical transport networks and of 5G core networks differ significantly. Optical transport network equipment is data link layer equipment that forwards user plane traffic; it is geographically distributed, so attacking it from the user plane is difficult, and its security risks come mainly from the management plane. The 5G core network is the nerve centre of the 5G network and is concentrated on cloud infrastructure. Because of the openness of the 5G network, it faces risks not only from the management side but also from the Internet, and once penetrated the impact is great. As another example, the security risks faced by the 5G RAN and the 5G core are also clearly different. The risks to the 5G RAN come mainly from physical interface attacks, wireless air interface interference, false base stations and the management plane; judging from current network operation and maintenance practice, cases of RAN penetration are extremely rare and the risk is relatively small. The 5G core is built on cloud, IT and service-based architecture (SBA), so the risks of traditional IT systems are introduced into the telecom network, and network capability exposure and edge deployment of the UPF increase the number of interfaces and expand the attack surface. The security risks faced by the 5G core are therefore objectively higher than those faced by the 5G RAN. Once the scope of the telecommunication network is determined, operators should conduct a comprehensive security risk assessment for each network element according to its type.

2. Conduct security risk assessment of the three planes of the telecommunication network.

A telecommunication network is divided into three planes: the control plane, the management plane and the user plane. Security risk assessment of the telecommunication network should start from these three planes and analyse the security risks each may carry.

Communication between control plane network elements relies on signaling protocols, which also carry security risks. Take SS7 as an example: in 2015 the GSM Association (GSMA) announced that SS7 signaling has flaws that may allow illegal location queries, SMS interception and call eavesdropping against any subscriber. If a signaling gateway has defects in parsing signaling, an external attacker can directly disrupt key core network elements. As another example, once the 5G UPF is deployed at an edge campus, the physical environment in which the UPF sits is not under the operator's control; if the UPF is compromised, there is a risk of attacking the core network through the UPF's N4 interface.

Among the three planes, the management plane carries the highest risk; the European Union, for example, rates MANO risk at the highest level. Global telecommunication network security incidents show that actual attacks on telecommunication networks have mainly been carried out through the management plane. Although operators have deployed unified security management (4A) platforms, bastion hosts, security operations centres (SOC), multi-factor authentication and other protection measures on the management plane, security inspections of communication networks frequently find that the management plane security domain is unreasonably divided, control policies are lax, protection measures are not in place, and remote-access VPN devices and 4A systems contain vulnerabilities, which makes the management plane systems easy to penetrate.

The user plane of a telecommunication network transmits users' communication data; telecommunication network units usually only forward user plane content without parsing or storing the user data. Provided the terminal and Internet interfaces are protected, the security risks are relatively controllable. The main user plane risks are: if user plane information is not encrypted, it may be eavesdropped on during transmission; the access of a large number of user terminals may result in a distributed denial of service (DDoS) attack carried by user plane traffic; the content carried on the user plane may include malicious information such as malware and telecom fraud messages; and the user-plane interfaces of telecommunication network equipment may be attacked from the Internet.

3. Conduct security risk assessment of internal and external interfaces.

When assessing the security risks of telecommunication networks, the risks of external interfaces and of internal interfaces between network elements should be analysed from an end-to-end perspective, with particular attention to external interfaces. Taking the 5G core network as an example, it has the following external interfaces: the N1 interface with the UE, the N2 interface with the base station, the N4 interface with the UPF, the N6 interface with the Internet, and so on, as well as roaming interfaces, capability exposure interfaces and management interfaces. Each interface connects to a different security domain and carries different risks. According to the 3GPP standards, in a 5G non-standalone (NSA) network, when a user roams to another network, the user's authentication, authorization and location registration must be exchanged between the visited network and the home network. The roaming border interfaces interconnect operators and must be transmitted over public networks, so they are publicly reachable interfaces, and the protocols they use do not define authentication, encryption or integrity protection mechanisms.

4. Conduct security risk assessment of the virtualization/container environment.

The mobile core network has been migrated to the cloud. Compared with the traditional architecture, the cloud architecture introduces general-purpose hardware and runs network functions in virtual machine or container environments, bringing operators low-cost and rapid deployment of networks and services. Virtualization makes close-proximity physical attacks harder and simplifies disaster isolation and recovery under attack. At the same time, the network function virtualization (NFV) environment faces new security threats that traditional networks never encountered: physical resources that are no longer confined by physical boundaries; a large number of open-source vulnerabilities and risks introduced by the virtualization layer and third-party software; layered, multi-vendor integration that makes it harder to coordinate security responsibilities and security policies; and static security configuration policies that cannot keep up with migration and scaling because they lack automatic adjustment. Typical security risks that network elements may face in the cloud environment include: eavesdropping on or tampering with application-layer communication through the virtual network, attacks on virtual storage, unauthorized access to application-layer user data, image tampering, attacks between virtual machines (VMs), and attacks on VMs through the network function virtualization infrastructure (NFVI) that render services unavailable.

5. Conduct security risk assessment of exposed assets.

The telecommunication network is large and involves many network elements, so the first task is to sort out which assets are exposed to the Internet. For example, in a 5G network, elements such as the 5G base station (gNB), UPF, Security Edge Protection Proxy (SEPP), Application Function (AF) and Network Exposure Function (NEF) have interfaces to devices in untrusted domains and should be treated as exposed assets. Exposed equipment easily becomes the entry point for intrusion into the network, so risk assessment and security hardening should focus on exposed assets.

IV. Suggestions for Operators to Strengthen the Security Protection of Key Information Infrastructure in Telecommunication Networks

Referring to the internationally accepted IPDRR method, operators should build telecommunication network security protection capabilities in three stages according to the security risks of each scenario, namely before, during and after an attack, so as to achieve high network resilience and high data security.

1. Build the asset and risk identification capability of the telecommunication network.

Establish a telecommunication network asset and risk management system that uniformly identifies and manages all hardware, platform software, virtualized network functions (VNFs), security-critical equipment and software versions of the telecommunication network, and regularly scan assets and risks so that both are visible. Security-critical equipment comprises the key network elements that implement network control and monitoring, such as MANO, the virtualization orchestrator, the O&M bastion host, the firewalls at security domain boundaries, the Active Directory (AD) domain controller, the O&M VPN access gateway and the audit and monitoring system. Once security-critical equipment is compromised, the impact on the telecommunications network is severe, so the assets of security-critical equipment must be identified and their technical controls strengthened.

2. Establish a defense-in-depth protection system for the network.

First, divide the network into security domains so that defense in depth is realized through hierarchical sub-domains. The user plane and control plane systems of the telecommunication network can be divided into three categories: untrusted zone, semi-trusted zone and trusted zone, while the network management security domain (NMS) of the management plane has the highest trust level in the whole network. Third-party Internet applications belong to the untrusted zone; exposed network elements (such as the 5G NEF and UPF) are placed in the semi-trusted zone; and core network control elements such as the Access and Mobility Management Function (AMF), together with elements that store user authentication data such as the Home Subscriber Server (HSS) and Unified Data Management (UDM), are placed in the trusted zone, with dedicated protection and encryption for user authentication data. Second, strengthen protection of the external boundaries of the telecommunications network, including the Internet boundary and the bearer network boundary: based on the security risk analysis of each boundary, build different protection schemes and deploy security devices such as firewalls, intrusion prevention systems (IPS), anti-DDoS, signaling protection and network traffic analysis (NTA). Third, use firewalls, virtual firewalls, IPS and virtual data centre (VDC)/virtual private cloud (VPC) constructs for isolation. For example, firewalls block most illegal network access, an IPS finds and stops network attacks based on traffic analysis, a VDC isolates physical resources in the cloud, and a VPC isolates at the virtualization level. Fourth, within a security domain, adopt virtual local area networks (VLANs), micro-segmentation and VPC isolation to minimize the access rights of network elements and prevent lateral movement inside the domain. Fifth, based on a whitelist of the communication matrix between network elements, implement fine-grained anomalous traffic monitoring and access control at the security domain boundaries and within the security domains of the telecommunication network.
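As an added example (not code from the article or its authors), the following Python sketch models the zoning described in this section and the communication-matrix whitelist of the fifth measure, and derives the exposed-asset list of section III.5 from the same matrix. The zones and element names follow the article; the matrix entries, ports and flow records are constructed for illustration.

```python
from collections import namedtuple

# Trust ranking of the security domains named in the article.
ZONE_RANK = {"untrusted": 0, "semi-trusted": 1, "trusted": 2, "nms": 3}
# Placement of network elements into zones, following the article's scheme.
ELEMENT_ZONE = {
    "UE": "untrusted", "internet": "untrusted", "roaming-partner": "untrusted",
    "gNB": "semi-trusted", "UPF": "semi-trusted", "NEF": "semi-trusted",
    "SEPP": "semi-trusted",
    "AMF": "trusted", "SMF": "trusted", "UDM": "trusted", "HSS": "trusted",
    "MANO": "nms", "bastion": "nms",
}
# Communication-matrix whitelist: (src, dst, proto, dport). Entries are
# constructed for illustration; comments name the 3GPP reference point.
COMM_MATRIX = {
    ("UE", "gNB", "radio", 0),                # Uu (N1 NAS rides inside)
    ("gNB", "AMF", "sctp", 38412),            # N2
    ("UPF", "SMF", "udp", 8805),              # N4 (PFCP)
    ("internet", "UPF", "ip", 0),             # N6
    ("roaming-partner", "SEPP", "tcp", 443),  # N32
    ("internet", "NEF", "tcp", 443),          # capability exposure API
    ("NEF", "UDM", "tcp", 443),               # SBA
    ("AMF", "UDM", "tcp", 443),               # SBA
    ("bastion", "AMF", "tcp", 22),            # O&M only via the bastion host
}
MGMT_PORTS = {22, 830}  # SSH, NETCONF: management-plane access

ALLOWED, CRIT_MGMT, CRIT_ZONE, LATERAL, UNLISTED = (
    "allowed", "critical-mgmt-bypass", "critical-into-trusted-zone",
    "warn-lateral", "warn-unlisted")
Flow = namedtuple("Flow", "src dst proto dport")

def parse_flow(line):
    """Parse one constructed 'key=value' flow record into a Flow."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(kv["src"], kv["dst"], kv["proto"].lower(), int(kv["dport"]))

def zone_rank(element):
    # Unknown elements are treated as untrusted, the conservative default.
    return ZONE_RANK[ELEMENT_ZONE.get(element, "untrusted")]

def exposed_assets():
    """Elements with a whitelisted interface to an untrusted-zone peer."""
    return {dst for src, dst, _, _ in COMM_MATRIX
            if zone_rank(src) == 0 and zone_rank(dst) > 0}

def classify(flow):
    """Verdict for one flow: whitelist first, then zone-hierarchy rules."""
    if flow in COMM_MATRIX:   # a namedtuple hashes like the plain tuple
        return ALLOWED
    src_rank, dst_rank = zone_rank(flow.src), zone_rank(flow.dst)
    if flow.dport in MGMT_PORTS and src_rank < ZONE_RANK["nms"]:
        return CRIT_MGMT   # management port reached from outside the NMS zone
    if dst_rank >= ZONE_RANK["trusted"] and src_rank < dst_rank:
        return CRIT_ZONE   # lower-trust element reaching into the core
    if src_rank == dst_rank:
        return LATERAL     # unlisted east-west flow inside one zone
    return UNLISTED

def audit(lines):
    """Return (flow, verdict) pairs for every record that is not whitelisted."""
    verdicts = [(f, classify(f)) for f in map(parse_flow, lines)]
    return [(f, v) for f, v in verdicts if v != ALLOWED]

# Constructed flow records, as a boundary firewall or NTA probe might export.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00Z src=gNB dst=AMF proto=sctp dport=38412",
    "2024-05-01T10:00:01Z src=UPF dst=AMF proto=tcp dport=22",
    "2024-05-01T10:00:02Z src=internet dst=UDM proto=tcp dport=443",
    "2024-05-01T10:00:03Z src=AMF dst=HSS proto=tcp dport=443",
    "2024-05-01T10:00:04Z src=bastion dst=AMF proto=tcp dport=22",
]
```

Running `audit(SAMPLE_FLOWS)` flags the UPF-to-AMF SSH record, the Internet-to-UDM record and the unlisted AMF-to-HSS flow, while `exposed_assets()` returns the gNB, UPF, SEPP and NEF of the article's list.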

3. Establish comprehensive threat monitoring capabilities.

Network-layer threat awareness capabilities are deployed at the external boundary, at security domain boundaries and within the security domains of the telecommunication network. By deploying deep packet inspection (DPI) devices, network attacks can be discovered through traffic analysis. Building on the built-in security detection capabilities of vendors' network elements, detection capabilities are constructed for operating system (OS) intrusion, virtualization escape, anomalies on the network element service plane and anomalies on the network element management plane. Combining traffic monitoring, monitoring of the network elements' built-in security components, and collection and analysis of telecommunication network element logs, a comprehensive threat situational awareness platform is built to discover security threats, security incidents and abnormal behaviour in time.

4. Strengthen security risk management and control of the telecommunication network management plane.

The management plane carries the highest risk and must be protected with priority. In view of the risks to telecommunication network management, operators should implement network isolation of the management plane, security control of O&M terminals, multi-factor authentication and privilege control for administrator logins to equipment, and security auditing of O&M operations, so as to prevent unauthorized access, prevent intrusion into the telecommunications network via the management plane, and protect user data.

5. Build intelligent and automated security incident response and recovery capabilities.

On the basis of the network-level defense-in-depth protection system, establish a security operations management and control platform that centrally orchestrates security access control policies such as border protection, inter-domain protection, access control lists (ACLs), micro-segmentation and VPCs, and that performs big-data analysis on the security events reported by traffic monitoring, network element logs and the built-in security components of network elements, so as to discover intrusions in time and respond to attacks automatically.

(This article was published in China Information Security magazine, No. 11, 2021.)