Network-Centric Security Assets

Security Threat Landscape

Traditional network environments are characterized by well-defined perimeters and trusted domains. Networks were originally designed to create internal segments separated from the external world by a fixed perimeter. The internal network was deemed trustworthy, whereas the external network was considered potentially hostile. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network.

Assets

A network asset is an asset that is part of a network. To provide a service, network assets are interconnected with each other; if a network asset is removed, the system or service may no longer function at full capacity. The network infrastructure itself can also be considered an asset, since it provides all the hardware and software resources that are part of the network and that enable connectivity, communication, operation and management of an enterprise network. An infrastructure asset provides the communication path and services between users, processes, applications, services and external networks such as the Internet. Network infrastructure devices include routers, firewalls, switches, servers, load balancers, intrusion detection systems, DNS servers and storage area networks.

The introduction of virtualization technology drives the digital transformation of the network and slightly changes the asset definition. The network functions virtualization (NFV) concept virtualizes the majority of the elements/assets of a network. In this way, entire classes of network node functions can be set up as building blocks that are connected to create an overall telecommunication network referred to as a "network slice". Network slicing is an approach proposed with the advent of 5G to allow a single physical network to support services with completely different operational parameters and policies. The network is viewed as an asset pool of physical resources, virtual network functions (VNFs), connectivity, bandwidth and computational capabilities. A network slice combines these assets to form a virtual network. Different network slices have different operational parameters and hence a different combination of assets. The slices may share network assets or may have assets specifically allocated to them, depending on the service policies; a shared asset is therefore a point at which the isolation between slices depends on policy rather than on physical separation.

In this context, it is not easy to provide a network asset taxonomy. However, one possible way to categorize network assets is to group them based on their role, derived from the functions provided by the assets or network elements. For this purpose, the network has been divided into subdomains and network assets have been categorized according to the functions they provide (inspired by ENISA, see Figure 1).[1]

  • Access network. It connects individual devices to other parts of a core network through radio or fixed connections.
  • Core network. It is the part of the network that offers services to the devices/customers who are interconnected by the access network. The core network also provides the gateway to other networks.
  • Infrastructure network/area network. It includes hardware and software resources of an entire network that enable network connectivity, mobility management, network operation, and management.
  • Peering points. They support the communications between the subscribers of one provider and the subscribers of another provider. We consider in this group also the IPX (IP eXchange) roaming network.
Figure 1 – Network asset categorization

Since some types of endpoint device can also be considered network assets, a further group has been added to take them into account.

  • Endpoint network. It includes systems/devices that communicate back and forth with the network to which they are connected. IoT devices are an example of assets in this category. This asset type is included here because in some settings the network provider retains some control (and responsibility) over these assets.

Endpoint network assets can be summarized as follows:

  • Fixed subscriber asset – CPE (Customer Premises Equipment), authentication systems related to fixed-line CLI (Calling Line Identification).
  • Mobile subscriber asset – USIM, eSIM, iSIM, devices.

Access network assets can be summarized as follows:

  • Fixed Network Access (FA) – Network elements placed in the access layer that connect individual devices to other parts of the core network through fixed connections. This category includes assets such as street cabinets, OLT (Optical Line Terminal) and DSLAM (Digital Subscriber Line Access Multiplexer).
  • Radio Access Network (RAN) – Network elements placed in the access layer that connect individual devices to other parts of the core network through radio connections. The main components that form a base station (BTS) site are the Base Band Unit (BBU), the Remote Radio Head (RRH) and the antennas. Different deployments are possible today. In a Distributed Radio Access Network (D-RAN), the 4G/5G base station at the macro site (eNodeB/gNodeB) consists of a BBU collocated at the base of the tower and an RRH at the top, interconnected by a fiber optic cable using the Common Public Radio Interface (CPRI). Thanks to network cloudification, Centralized Radio Access Network (C-RAN) deployments are also possible, where the baseband processing (BBU) of many sites is centralized at the edge of the core network, so the fronthaul link between RRH and BBU crosses a wider area and becomes an asset in its own right.
  • Fixed Wireless Access (FWA) – Network elements that connect stationary or ‘fixed’ user equipment (UE)—terminals, modems, routers—located at the edge of the communications network to the network core.

Core network assets can be summarized as follows:

  • Access & session management – Network elements handling access and session management. Examples of assets are the MME (Mobility Management Entity) in 4G and, in 5G, the AMF (Access and Mobility Management Function), SEAF (Security Anchor Function) and SMF (Session Management Function).
  • User plane management – Network elements handling user plane traffic. Examples of assets are the SGW-U (Serving Gateway, user plane) and the PGW (PDN Gateway, where PDN stands for Packet Data Network).
  • Authentication subscriber management – Databases holding subscriber authentication credentials and profiles. The category includes assets like the Authentication Server (AUSF, Authentication Server Function) and the Authentication credential Repository (ARPF, Authentication credential Repository and Processing Function), which hold the long-term subscriber keys and are therefore among the most sensitive core assets.
  • Policy control management – Network elements handling policy control management, i.e. the functions that decide which services, QoS and charging rules apply to a subscriber or a slice.

Infrastructure network/area network assets can be summarized as follows:

  • Security asset – Security Gateway (SEG), Signaling Firewall.
  • Cloud – Cloud infrastructure includes an abstraction layer that virtualizes resources and logically presents them to users through application programming interfaces (APIs) and API-enabled command-line or graphical interfaces. Because the VNFs of every subdomain above run on this layer, the cloud management plane is an asset whose compromise affects all slices hosted on it.

Peering points assets can be summarized as follows:

  • Interconnection to roaming partners – Network elements at the perimeter of the core network handling signaling security and control. This category includes assets like the DRA (Diameter Routing Agent) and the Security Gateway.
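The slicing discussion above states that slices may share assets or have assets dedicated to them "depending on the service policies", and the categorization that follows assigns every asset to a subdomain. The following Python script is an added example, not part of the guideline or of ENISA's material, that puts the two together: it holds a constructed asset inventory tagged with the subdomains above (endpoint, access, core, infrastructure, peering), records which slice uses which asset, and reports assets shared between slices as well as the cases where a slice's (hypothetical) isolation policy requires a subdomain to be dedicated but the asset is in fact shared. Element names such as `amf-1` or `gnb-site-17`, the three slices and their policies are all constructed for the example.

```python
"""Cross-slice asset sharing check over a constructed asset inventory.

Added example, not from the guideline. Assumptions: every asset carries one
of the subdomains of the categorization above, and every slice carries a
policy listing the subdomains whose assets must be dedicated to that slice.
An asset is "shared" when more than one slice is built from it.
"""
from collections import defaultdict
from dataclasses import dataclass

# Subdomains from the categorization above ("endpoint" is the extra group).
SUBDOMAINS = frozenset({"endpoint", "access", "core", "infrastructure", "peering"})


@dataclass(frozen=True)
class Asset:
    name: str
    subdomain: str
    function: str           # role the element provides, e.g. "session management"
    virtual: bool = False   # True for a VNF, False for a physical element

    def __post_init__(self) -> None:
        if self.subdomain not in SUBDOMAINS:
            raise ValueError(f"{self.name}: unknown subdomain {self.subdomain!r}")


@dataclass(frozen=True)
class Slice:
    name: str
    assets: frozenset       # names of the assets the slice is built from
    dedicated: frozenset    # subdomains whose assets must not be shared with other slices


# Constructed inventory; the element names are hypothetical.
INVENTORY = [
    Asset("gnb-site-17", "access", "radio access"),
    Asset("amf-1", "core", "access and mobility management", virtual=True),
    Asset("smf-urllc", "core", "session management", virtual=True),
    Asset("upf-1", "core", "user plane", virtual=True),
    Asset("upf-urllc", "core", "user plane", virtual=True),
    Asset("seg-1", "infrastructure", "security gateway"),
    Asset("dra-1", "peering", "diameter routing"),
]

# Constructed slices with hypothetical isolation policies.
SLICES = [
    Slice("eMBB", frozenset({"gnb-site-17", "amf-1", "upf-1", "seg-1", "dra-1"}), frozenset()),
    Slice("mIoT", frozenset({"gnb-site-17", "amf-1", "upf-1", "seg-1"}), frozenset()),
    # URLLC may share the radio site but its policy says core functions must be its own.
    Slice("URLLC", frozenset({"gnb-site-17", "amf-1", "smf-urllc", "upf-urllc", "seg-1"}),
          frozenset({"core"})),
]


def group_by_subdomain(assets):
    """Map each subdomain of the taxonomy to the sorted names of its assets."""
    groups = defaultdict(list)
    for a in assets:
        groups[a.subdomain].append(a.name)
    return {sd: sorted(names) for sd, names in groups.items()}


def shared_assets(slices):
    """Assets used by more than one slice, mapped to the set of slices using each."""
    users = defaultdict(set)
    for s in slices:
        for name in s.assets:
            users[name].add(s.name)
    return {name: owners for name, owners in users.items() if len(owners) > 1}


def isolation_violations(slices, assets):
    """Shared assets that a slice's policy says must be dedicated to it.

    Returns sorted (slice, asset, subdomain) triples. Sharing alone is not a
    finding; it becomes one only when the slice requires that subdomain to be
    dedicated. A slice referencing an asset missing from the inventory is an
    inventory error and raises rather than being silently skipped.
    """
    subdomain_of = {a.name: a.subdomain for a in assets}
    shared = shared_assets(slices)
    findings = []
    for s in slices:
        for name in sorted(s.assets):
            if name not in subdomain_of:
                raise KeyError(f"{s.name} references unknown asset {name!r}")
            if name in shared and subdomain_of[name] in s.dedicated:
                findings.append((s.name, name, subdomain_of[name]))
    return sorted(findings)


if __name__ == "__main__":
    for sd, names in sorted(group_by_subdomain(INVENTORY).items()):
        print(f"{sd:15s} {', '.join(names)}")
    for name, owners in sorted(shared_assets(SLICES).items()):
        print(f"shared: {name} <- {sorted(owners)}")
    for slice_name, asset, sd in isolation_violations(SLICES, INVENTORY):
        print(f"VIOLATION: {slice_name} requires dedicated {sd} but shares {asset}")
```

With the constructed data, the radio site and the security gateway are shared by all three slices without being findings, while the shared `amf-1` is reported against URLLC because that slice's policy demands dedicated core assets. The same structure extends to a real inventory export: the security-relevant output is not the list of assets but the list of shared ones, since those are where one slice's compromise can reach another.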

[1] ENISA, Guideline on Threats and Assets: Technical guidance on threats and assets, https://www.enisa.europa.eu/publications/technical-guideline-on-threats-and-assets