Page 150 - Kaleidoscope Academic Conference Proceedings 2021
2021 ITU Kaleidoscope Academic Conference
accordingly, providing secure operating environments and security services for industry customers while ensuring the security of operators' networks.

The 5G MEC security system includes infrastructure security (hardware and virtualization security), network service security, MEP security, application security, capability exposure security, and management security, as shown in Figure 5.

Figure 5 – 5G MEC security protection architecture

4.2 5G MEC security protection requirements

4.2.1 Network service security

Network service security includes networking security requirements and UPF security requirements.

• Networking security requirements: In addition to the UPF and MEP, 5G MEC requires the deployment of third-party applications. In this context, there are four basic networking security requirements: three-plane isolation, security zone division, internet security access and UPF traffic isolation. 5G MEC networking security is closely related to the locations of the UPF, MEP, and applications, and depends on the MEC deployment mode.

• UPF security requirements: Since core network functions are deployed at the 5G network edge along with the UPF, the core network faces increased security risks. To counter these, the UPF deployed at the edge of the 5G network should provide carrier-class security defense capabilities. The UPF should comply with 3GPP security standards and industry security specifications. The UPF deployed at the network edge should interoperate with mainstream core network devices, and their interfaces should be compatible. UPF security requirements include network security and service security. The UPF should support the following network security requirements: isolation of different security zones, built-in interface security functions and traffic control of signaling data. The UPF should support the following service security requirements: defense against DoS attacks initiated by mobile terminals, protocol control, detection of bogus mobile terminal addresses and UPF traffic control.

4.2.2 Hardware environment security

Hardware environment security includes physical environment security, asset management requirements, and device hardware security.

• Physical environment security: The equipment room of MEC systems should be equipped with an electronic access control system at the entrance/exit to control, identify, and record people entering/leaving the equipment room. The cabinets should have an electronic anti-dismantle function, and any time a cabinet is opened or closed, this should be recorded and audited. MEC systems should be trusted and protected against unauthorized access.

• Asset management requirements: The infrastructure should have physical asset and asset fingerprint management capabilities.

• Device hardware security: The MEC server is booted and runs securely with the TPM hardware root of trust, ensuring the secure boot chain and preventing backdoors.

4.2.3 Virtualization security

Virtualization security includes host security technical requirements, image security, virtualization security, and container security.

• Host security technical requirements: Unnecessary devices or functions must be disabled on hosts; unnecessary system components must not be installed; and unnecessary applications or services must not be enabled.

• Image security: VM images, container images, snapshots, etc. should be securely stored to prevent unauthorized access. The infrastructure should ensure the integrity and confidentiality of these images. The virtualization layer should support VM image integrity verification. The infrastructure should support the use of protected images to create VMs and containers.

• Virtualization security: To prevent data theft or malicious attacks between VMs and ensure that resources of a VM are not affected by other VMs, the hypervisor should be able to isolate resources of different VMs on the same physical server, including vCPU scheduling isolation, storage resource isolation and intranet isolation.

• Container security: Container security should cover the entire life cycle of containers, and security protection can be implemented during development, deployment, and operation.

4.2.4 MEP security

MEP security includes MEP system security, MEC service authorization, service authentication and authorization during application switching, and UE access security.

• MEP system security: In the MEC architecture, the MEP is deployed based on the virtualization infrastructure, which is required to provide security
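The UPF service security requirements in 4.2.1 (detection of bogus mobile terminal addresses, traffic control of signaling data, defense against terminal-initiated DoS) can be illustrated with a small admission check. The following is an added example, not code from the paper or from any UPF product: it assumes a UE address pool and a per-PDU-session address table (both constructed here), treats any source address outside the pool or not bound to an active session as bogus, and rate-limits signaling per UE with a token bucket. The packet records are constructed samples.

```python
"""UPF-style per-UE admission check: bogus-address detection plus signaling rate limiting.
Added illustration of the 4.2.1 service security requirements; not the paper's own code."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class TokenBucket:
    rate: float      # tokens refilled per second
    burst: float     # bucket capacity (max burst of signaling packets)
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst   # a fresh bucket starts full

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class UpfTrafficControl:
    """Assumed model: the UPF knows the UE address pool and which addresses belong
    to active PDU sessions, so it can reject spoofed terminal addresses and throttle
    signaling from a single terminal."""

    def __init__(self, ue_pool: str, signaling_rate: float, signaling_burst: float) -> None:
        self.pool = ip_network(ue_pool)
        self.sessions: dict = {}   # UE address -> PDU session id
        self.buckets: dict = {}    # UE address -> TokenBucket for signaling
        self.rate, self.burst = signaling_rate, signaling_burst

    def register_session(self, ue_ip: str, session_id: str) -> None:
        self.sessions[ip_address(ue_ip)] = session_id

    def release_session(self, ue_ip: str) -> None:
        addr = ip_address(ue_ip)
        self.sessions.pop(addr, None)
        self.buckets.pop(addr, None)

    def classify(self, pkt: dict) -> str:
        src = ip_address(pkt["src"])
        # Bogus terminal address: outside the UE pool, or in the pool but not assigned.
        if src not in self.pool or src not in self.sessions:
            return "DROP_BOGUS_ADDRESS"
        if pkt["kind"] == "signaling":
            bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst))
            if not bucket.allow(pkt["t"]):
                return "DROP_RATE_LIMITED"
        return "FORWARD"


# Constructed sample traffic: one registered UE, one unassigned pool address,
# one address outside the pool, and a burst of signaling from the registered UE.
SAMPLE_PACKETS = [
    {"t": 1.0, "src": "10.45.0.10", "kind": "data"},
    {"t": 1.0, "src": "10.45.0.99", "kind": "data"},
    {"t": 1.0, "src": "203.0.113.5", "kind": "data"},
    {"t": 1.0, "src": "10.45.0.10", "kind": "signaling"},
    {"t": 1.0, "src": "10.45.0.10", "kind": "signaling"},
    {"t": 1.0, "src": "10.45.0.10", "kind": "signaling"},
    {"t": 1.1, "src": "10.45.0.10", "kind": "signaling"},   # burst of 3 exhausted
    {"t": 2.0, "src": "10.45.0.10", "kind": "signaling"},   # bucket refilled at 2/s
]


def run_sample() -> list:
    upf = UpfTrafficControl("10.45.0.0/16", signaling_rate=2.0, signaling_burst=3.0)
    upf.register_session("10.45.0.10", "pdu-session-1")
    return [upf.classify(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt['t']:4.1f} {pkt['src']:>13} {pkt['kind']:<9} -> {decision}")
```

The address check enforces that traffic on the N3 side can only carry a source address the UPF itself handed out for an active session; the token bucket bounds how much signaling one terminal can push toward the control plane, which is the per-UE form of the DoS defense the requirement asks for.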
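The device hardware security requirement in 4.2.2 (a TPM hardware root of trust ensuring the secure boot chain) rests on measured boot: each stage hashes the next stage into a PCR before handing over, and a verifier later checks that the reported PCR matches the approved software stack. The following is an added illustration, not the paper's code and not a real TPM interface: it simulates the PCR extend operation in pure Python and shows the verifier-side check. The boot components are constructed sample byte strings.

```python
"""Measured boot and attestation check modelled on the TPM-rooted boot chain in 4.2.2.
Added illustration: a pure-Python simulation of PCR extend, not a real TPM and not
the paper's own code. Component bytes are constructed samples."""
from __future__ import annotations
import hashlib
import hmac

PCR_RESET = bytes(32)   # a SHA-256 PCR bank reads as 32 zero bytes after reset


def measure(component: bytes) -> bytes:
    """Hash of one boot-chain component (firmware, bootloader, kernel, ...)."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2 PCR extend: new PCR = H(old PCR || measurement). One-way and order-sensitive."""
    return hashlib.sha256(pcr + measurement).digest()


def replay_event_log(event_log: list) -> bytes:
    """Recompute the final PCR from the measurements recorded in the boot event log."""
    pcr = PCR_RESET
    for measurement in event_log:
        pcr = extend(pcr, measurement)
    return pcr


def boot(components: list) -> tuple:
    """Simulated boot: every stage is measured before it runs. Returns (event log, PCR)."""
    log = [measure(c) for c in components]
    return log, replay_event_log(log)


def verify_attestation(event_log: list, quoted_pcr: bytes, golden_pcr: bytes) -> str:
    """Verifier side: the log must reproduce the quoted PCR, and the PCR must equal the
    golden value recorded for the approved MEC server software stack."""
    if not hmac.compare_digest(replay_event_log(event_log), quoted_pcr):
        return "REJECT: event log does not reproduce quoted PCR"
    if not hmac.compare_digest(quoted_pcr, golden_pcr):
        return "REJECT: PCR differs from approved boot chain"
    return "OK"


# Constructed sample boot chain for an MEC server (hypothetical version strings).
APPROVED_CHAIN = [b"firmware 1.2", b"bootloader 3.0", b"kernel 5.10", b"initrd"]
GOLDEN_PCR = boot(APPROVED_CHAIN)[1]   # recorded once when the approved image is released


def check_server(components: list) -> str:
    """Boot the given chain and run the attestation check against the golden PCR."""
    log, pcr = boot(components)
    return verify_attestation(log, pcr, GOLDEN_PCR)


if __name__ == "__main__":
    print(check_server(APPROVED_CHAIN))
    modified = APPROVED_CHAIN[:2] + [b"kernel 5.10 (modified)"] + APPROVED_CHAIN[3:]
    print(check_server(modified))
    log, _ = boot(modified)
    print(verify_attestation(log, GOLDEN_PCR, GOLDEN_PCR))   # log inconsistent with quote
```

Two properties carry the security argument: the extend operation is one-way, so a stage that has already been measured cannot rewrite the PCR to hide a change, and it is order-sensitive, so swapping or skipping a stage also produces a different value. In a real deployment the quote is signed by the TPM's attestation key and the golden values come from the operator's release process.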
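The image security requirement in 4.2.3 asks the virtualization layer to verify image integrity and to create VMs and containers only from protected images. The following is an added example, not the paper's or any platform's code, of the check that gate would run: a manifest lists the SHA-256 digest of every approved image, the manifest itself is authenticated with HMAC-SHA256 under a key held by the infrastructure (an assumption standing in for a proper release signature), and an image is accepted only if the manifest is authentic, lists the image, and the digest matches. Image contents and the key are constructed samples.

```python
"""Protected-image check modelled on the image-security requirement in 4.2.3.
Added illustration, not the paper's own code. HMAC over a canonical manifest stands in
for a release signature; images and key are constructed samples."""
from __future__ import annotations
import hashlib
import hmac
import json


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so producer and verifier authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(images: dict, key: bytes) -> tuple:
    """Release side: record each approved image's digest and authenticate the manifest."""
    manifest = {"images": {name: digest(blob) for name, blob in images.items()}}
    tag = hmac.new(key, canonical(manifest), "sha256").hexdigest()
    return manifest, tag


def verify_image(name: str, blob: bytes, manifest: dict, tag: str, key: bytes) -> str:
    """Virtualization-layer gate: returns 'OK' only for an image the authentic manifest
    lists with a matching digest; any other outcome names the reason for rejection."""
    expected_tag = hmac.new(key, canonical(manifest), "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return "REJECT: manifest authentication failed"
    listed = manifest["images"].get(name)
    if listed is None:
        return "REJECT: image not in protected manifest"
    if not hmac.compare_digest(listed, digest(blob)):
        return "REJECT: image digest mismatch"
    return "OK"


# Constructed samples (hypothetical image names; the key would live in an HSM/TPM in practice).
KEY = b"constructed-demo-manifest-key"
IMAGES = {
    "upf-base.qcow2": b"constructed VM image bytes",
    "mep-app:1.0": b"constructed container layer bytes",
}
MANIFEST, TAG = build_manifest(IMAGES, KEY)


def demo() -> dict:
    """Run the gate over the normal case and the failure modes it must catch."""
    tampered_manifest = {"images": dict(MANIFEST["images"])}
    tampered_manifest["images"]["upf-base.qcow2"] = digest(b"substituted image")
    return {
        "approved": verify_image("upf-base.qcow2", IMAGES["upf-base.qcow2"], MANIFEST, TAG, KEY),
        "modified_image": verify_image("upf-base.qcow2", b"modified image bytes", MANIFEST, TAG, KEY),
        "unlisted_image": verify_image("rogue.qcow2", b"anything", MANIFEST, TAG, KEY),
        "modified_manifest": verify_image("upf-base.qcow2", b"substituted image", tampered_manifest, TAG, KEY),
        "wrong_key": verify_image("upf-base.qcow2", IMAGES["upf-base.qcow2"], MANIFEST, TAG, b"other-key"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:<18} {result}")
```

Checking the manifest's authenticity before consulting it is what makes the digest list meaningful: an attacker who can rewrite the manifest alongside the image defeats a plain digest comparison, which is why the requirement pairs integrity of the images with protection of the image store itself.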
– 88 –