Posted on 06-Sep-2020

TRANSCRIPT

Page 1: Read Me First · 2020. 8. 14. · Visibility and enhanced troubleshooting across all apps Thunder A10 Networks, Inc. | Confidential Multi-Cloud ADC Deployment A10 Harmony Controller

Confidential | Do Not Distribute 1

Always Secure. Always Available.

Embracing the 5G Era

Security, Visibility and Automation for 5G Mobile Networks and Multi-Cloud Environments

Nick Chen, Technical Director for Taiwan, A10 Networks

Page 2

5G Evolution Path

Generation    1G       2G         3G        4G        5G
Year          1980s    1990s      2000s     2010s     2020s
Peak Speed    2 Kbps   100 Kbps   10 Mbps   1 Gbps    10 Gbps+

Service (V = supported)           1G   2G   3G   4G   5G
Voice calls                       V    V    V    V    V
Text messaging (SMS)                   V    V    V    V
Mobile Internet                             V    V    V
Music streaming                             V    V    V
Video streaming                                  V    V
4K/8K video streaming                                 V
VR live streaming                                     V
Self-driving cars / AIoT                              V

Page 3

Major Features of 5G

Enhanced Mobile Broadband: High Throughput
• 4K/8K UHD
• VR/AR

Ultra Reliable Low Latency Communication: Low Latency
• Self-driving car
• Remote surgery

Massive Machine Type Communication: Massive Connection Rates
• Logistics tracking
• Smart city
• Smart meter

Page 4

Moving from 4G to 5G

[Diagram: three deployment architectures]
• Native 4G (Standalone): eNB → EPC → Internet
• Hybrid Mode (5G-NSA, Non-Standalone): eNB + gNB → EPC → Internet
• Native 5G (5G-SA, Standalone): gNB → 5G-Core → Internet

Page 5

Why Security Is Important?

[Diagram: mobile and IoT devices → eNB/gNB → GTP FW → Evolved Packet Core (EPC: SGW/PGW) → GiFW/CGN → Gi/SGi LAN → Internet and apps & services; a roaming partner connects into the EPC through a GTP FW]

• Subscribers are exposed to malicious traffic
• The Gi/SGi LAN is the gateway from the GPRS/LTE network to the Internet
• Attacks from roaming points of interconnect
• EPC & Gi-LAN are vulnerable to DDoS attacks

Page 6

Security on MEC

[Diagram: RAN/gNB sites feed an Edge Cloud (<1 ms) that hosts core functions and applications at each edge site; a centralized Data Center (>100 ms) hosts the EPC (SGW, PGW, MME), video applications and the Internet breakout; GTP FW instances are placed at the edge sites and at the central data center]

Page 7

DDoS DST Zone: Web Server Farm / False Positive Prevention

Mitigation levels (each level tracks a DST threshold and per-SRC thresholds and applies its own mitigation policies):

Level 0 (Peacetime): Establish Baseline; Basic (or No) Countermeasures
Level 1 (Wartime): Add Countermeasures
Level 2 (Wartime): Increase Countermeasures
Level 3 (Wartime): Aggressive Countermeasures
Level 4 (Wartime): Final Countermeasures

Tracking at every level: Threshold DST / Per-SRC
Mitigation Level? Manual Mode

Example Countermeasures (added cumulatively as the level rises):
IP & Protocol anomaly filter (default)
Pass through
+ Malformed request check
+ Source authentication
+ Per-connection rate limit
+ Per-type request rate-limit (DST/Per-SRC)
+ Per-SRC GLID
+ Destination rate-limit
+ Zero-day Attack Pattern Recognition (ZAPR)

Page 8

Automatic Attack Pattern Creation

Zero-day protection powered by unsupervised Machine Learning (ML)

[Flow: legitimate traffic and attack traffic enter together]
1. Collect and analyze flood traffic
2. Identify attack vector & pattern (ML)
3. Filter extraction: SRC IP, DST IP; IP ID, TTL, Length, Frag.; DST Port, SRC Port; TCP Flags, Window Size; Seq/Ack Numbers; UDP Length; DNS Flags, Resp. Code; and more…
4. Automatically created BPF filter
5. Block zero-day flood attack

Page 9

GTP FW for Roaming Interface (S8)

[Diagram: VPLMN (eNodeB, MME, SGW; interfaces S1-U, S11, S5) and HPLMN (SGW, PGW, HSS) connected over the S8 roaming interface across the GRX; GTP-C and GTP-U traverse S8, and the GTP FW sits where GTP-C enters the EPC from the GRX (marked "???" on the slide)]

Mandatory-IE filtering (GTPv1/v2)
• Create Session Request (GTPv2): APN, FTEID, RAT …

Protocol Anomaly Filtering (GTPv0/v1/v2)
• Reserved IE (0, 4-31)
• Invalid TEID field (GTPv1/v2) (non-zero)
• Invalid T flag field (GTPv2 only) (0 or 1)
• Invalid Reserved field (GTPv1/v2) (0)
• Out-of-order IE (GTPv1/v0)
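As an added illustration of the two filter groups on this slide (example code, not A10's product code or configuration), here is a small GTPv2-C validator that applies the listed checks to a raw message: header spare (reserved) bits, the T flag, a non-zero TEID in a Create Session Request, reserved IE types, and the mandatory IEs of a Create Session Request. The header and IE layout and the IE type codes follow 3GPP TS 29.274; GTPv0/v1 are out of scope here, and the sample messages are constructed.

```python
import struct
ECHO_REQUEST, ECHO_RESPONSE, VERSION_NOT_SUPPORTED, CREATE_SESSION_REQUEST = 1, 2, 3, 32
IE_APN, IE_RAT_TYPE, IE_FTEID = 71, 82, 87        # IE type codes from 3GPP TS 29.274
MANDATORY_IES = {CREATE_SESSION_REQUEST: {IE_APN, IE_FTEID, IE_RAT_TYPE}}
RESERVED_IE_TYPES = {0, *range(4, 32)}            # slide: reserved IE (0, 4-31)

def gtpv2_anomalies(pkt):
    # Header: byte0 = version(3) | P | T | spare(3); byte1 = type; bytes2-3 = length
    # (bytes after the first 4); bytes4-7 = TEID when T=1; then 3-byte seq + 1 spare.
    found = []
    if len(pkt) < 8:
        return ["truncated header"]
    flags, msg_type, length = pkt[0], pkt[1], struct.unpack("!H", pkt[2:4])[0]
    version, t_flag, spare = flags >> 5, (flags >> 3) & 1, flags & 0x07
    if version != 2:
        return ["not GTPv2 (version %d)" % version]
    if spare:
        found.append("invalid reserved field: header spare bits non-zero")
    # Only Echo and Version Not Supported messages are sent with T=0 (TS 29.274).
    needs_teid = msg_type not in (ECHO_REQUEST, ECHO_RESPONSE, VERSION_NOT_SUPPORTED)
    if t_flag != needs_teid:
        found.append("invalid T flag for message type %d" % msg_type)
    hdr_len = 12 if t_flag else 8
    if len(pkt) < hdr_len or length + 4 > len(pkt):
        return found + ["truncated message"]
    # A Create Session Request opens a new tunnel, so its header TEID must be 0.
    if t_flag and msg_type == CREATE_SESSION_REQUEST and struct.unpack("!I", pkt[4:8])[0]:
        found.append("invalid TEID field: non-zero in Create Session Request")
    seen, off, end = set(), hdr_len, length + 4
    while off + 4 <= end:                 # IE = type(1) | length(2) | spare(4b)+instance(4b)
        ie_type, ie_len, inst = pkt[off], struct.unpack("!H", pkt[off + 1:off + 3])[0], pkt[off + 3]
        if ie_type in RESERVED_IE_TYPES:
            found.append("reserved IE type %d" % ie_type)
        if inst >> 4:
            found.append("IE %d spare bits non-zero" % ie_type)
        off += 4 + ie_len
        if off > end:
            found.append("IE %d runs past message length" % ie_type)
            break
        seen.add(ie_type)
    for ie_type in sorted(MANDATORY_IES.get(msg_type, set()) - seen):
        found.append("missing mandatory IE %d" % ie_type)
    return found

def build_gtpv2(msg_type, teid, ies, spare_bits=0):   # constructed test helper, T flag set
    body = b"".join(struct.pack("!BHB", t, len(v), 0) + v for t, v in ies)
    payload = struct.pack("!I", teid) + b"\x00\x00\x01\x00" + body    # TEID, seq, spare
    return struct.pack("!BBH", (2 << 5) | 0x08 | spare_bits, msg_type, len(payload)) + payload

# Constructed samples: a well-formed Create Session Request and one a GTP FW should drop.
GOOD = build_gtpv2(CREATE_SESSION_REQUEST, 0, [(IE_APN, b"\x03ims"), (IE_RAT_TYPE, b"\x06"), (IE_FTEID, b"\x8a" + b"\x00" * 8)])
BAD = build_gtpv2(CREATE_SESSION_REQUEST, 0x1234, [(IE_APN, b"\x03ims"), (4, b"\x00")], spare_bits=0x01)
```

Running gtpv2_anomalies(GOOD) returns an empty list, while BAD is flagged for its spare bits, non-zero TEID, reserved IE and two missing mandatory IEs.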

Page 10

Exploiting the Growing Encrypted Blind Spot

94% of all internet traffic is encrypted

Almost half of cyber attacks use encryption to evade security

Source: Google Transparency Report | Dark Reading

Page 11

Decryption Scale and Security Problems

[Diagram: encrypted Internet traffic passes through SWG, DLP/AV, ATP, IPS and NGFW in series; each device must decrypt and re-encrypt its own traffic for full visibility]

• Separate decryption licenses required on each device
• No single point of decryption policy control & key management
• SSL/TLS decryption is extremely compute-intensive and adds latency
• Expensive upgrades required to scale with rising demands

Page 12

Enhance Performance with Secure Decrypt Zone

[Diagram: encrypted Internet traffic is decrypted once on entry to the Secure Decrypt Zone, inspected as decrypted traffic by SWG, DLP/AV, ATP, IPS and NGFW, and re-encrypted on exit]

• Centralized decryption, policy control and key management
• Enhanced performance due to decryption/re-encryption offload
• Improved user experience due to reduced latency

Page 13

A10 SSLi Solution

[Diagram: Internal clients → SSL Decryption (private root CA) → clear text → NG Firewall / ATP / IPS → clear text → SSL Encryption (public root CA, server certificate & key) → encrypted data → Internet]

Page 14

Challenge: Certificate Pinning (Reset by client)

Problem
• Certificate pinning validates against a key embedded in the certificate chain for a domain name
• Some apps (e.g. Twitter) contain a predefined list of 'pinned certificates', specifically designed to defeat SSLi-type solutions

Solution
• Apply SSLi bypass for pinned-cert apps; there is no standard technique to decrypt such apps
• Bypass by SNI in the client SSL hello, or by SAN/Issuer/Subject in the server certificate

[Diagram: Internal clients → SSL Decryption → SSL Encryption → Internet]

Page 15

Selective Bypass Option for Compliance

Selective bypass option to preserve privacy and compliance: meet data privacy regulations (HIPAA, PHI, PCI DSS etc.) by keeping sensitive data encrypted

Traffic can be bypassed based on:
• A10 Web Classification powered by Webroot (Web Classification Service)
• Domain names
• Server Name Indication (SNI) / Certificate Issuer / Certificate Subject
• Source & destination IP addresses
• AD user & user group
• Physical interface

Option for an SSLi exception list to intercept traffic within a bypassed category: a domain under a category can be intercepted even if that category is set to bypass

Note: A10 Web Classification subscription is required

Page 16

URL and Web Filtering

• Preventive security service
• Block access to known malicious and harmful content
• Specific categories for K-12 user protection
• Block access based on security concerns (malware, phishing etc.)
• Stop users from bypassing security (proxies, VPNs)
• User-ID/Group-ID based filtering for granular control

Category groups:
Security: Malware, Phishing, Proxy, Spyware/Adware, Botnets, Spam, Keyloggers/Monitoring
Employee Productivity: Social Networking, Internet Communication, Games, Shopping, Recreation & Hobbies
Network Speed: Streaming Media, Shareware/Freeware, Peer to Peer
Legal / Compliance: Financial Services, Legal, Educational Institutions, Web-based Email, Health & Medicine
Parental Controls: Adult & Pornography, Abused Drugs, Gambling, Illegal, Hate & Racism, Violence, Cheating

Note: Web Classification service subscription is required

Page 17

Threat Intelligence

• Continuously classifies and scores 95% of the Internet, and monitors the entire IPv4 and in-use IPv6 address space
• Enhances security efficacy to cover a broad range of attacks originated by different IP threat categories
• Applied through Thunder CFW firewall rules

27+ billion URLs | 600+ million domains | 4+ billion IP addresses | 15+ billion file behavior records | 62+ million mobile apps | 52+ million connected sensors

Note: Web Classification service subscription is required

Page 18

Intuitive Dashboards and Detailed Visibility

• Customizable dashboards
• Intuitive widgets and tiles, grouped by service type
• Detailed access logs, exportable logs
• Threat Investigator integration
• Instantaneous reports

[Screenshots: SSL/TLS and other traffic statistics; Web Classification widgets and Application Visibility tree chart; more Application Visibility charts with detailed drill-downs; SSLi, Access and Authentication logs with Threat Investigator integration]

Screenshots source: AppCentric Templates (ACT) v4

Page 19

Per-App Visibility Across A10 ADCs: Across Clouds & Diverse Application Services

Visibility and enhanced troubleshooting across all apps

[Diagram: A10 Harmony Controller providing App Insights for a multi-cloud ADC deployment of Thunder devices across public cloud, private cloud and traditional environments; labels MG and MT]

Page 20

Cloud Bursting Management

[Diagram: Harmony Controller provides centralized management of a private site (IP: 60.250.157.11, APP1, APP2) and a public cloud site (IP: 200.10.10.1, APP1, APP2), with SLB+GSLB across both sites]

Page 21

Per-application Response Time Analysis

Time series distribution of:
o Client SRTT
o Server RTT
o APP Latency
o ADC Latency (In/Out)

Page 22

Per-request Log Analysis

Time series distribution of:
o Client SRTT
o Server RTT
o APP Latency
o ADC Latency (In/Out)

Page 23

Thank You

Always Secure. Always Available.

The leading cybersecurity brand for 5G mobile networks and multi-cloud environments