Professional Documents
Culture Documents
Secure The Ran - Security Gateway Solution For Evolving 5G Networks
Secure The Ran - Security Gateway Solution For Evolving 5G Networks
now require the backhaul for S1/X2 and N2/N3 interfaces to be network to multiple threats including
DDoS and fraud.
encrypted with IPsec, and recommend a security gateway to
authenticate radio access network (RAN) nodes and facilitate the SOLUTION
termination of IPsec encrypted tunnels. A10 Networks’ security gateway
authenticates RAN nodes to the 4G/5G
The A10 Networks security gateway complies with 3GPP
core to eliminate unauthorized access.
recommendations and provides authentication of RAN nodes and It further provides high performance
enables secure backhaul, thus ensuring the security of the RAN and and massive scale for the termination
of IPsec tunnels used to secure the
protection of the core network.
backhaul between the RAN and core
network.
RAN SECURITY CHALLENGES
BENEFITS
SUSTAIN SECURITY, LOW LATENCY, Operators can grow needed RAN
PERFORMANCE AND SCALE capacity for 5G traffic loads while
Mobile operators are rapidly deploying 5G radios and protecting the core network from
small cells throughout their networks to meet growing rogue nodes or malicious actors and
traffic demand, decrease latency and boost throughput maintaining subscriber confidentiality.
and connection rates. However, recent 3GPP specification
requirements now mandate authentication and encryption
between nodes and core and for the supporting backhaul
network. In addition, the specifications recommend the
deployment of a security gateway. Operators need a
1
high-performance security gateway that can provide high The secure gateway provides the following benefits:
throughput with IPsec decryption, as well as high connection
• Carrier-class throughput and scalability, with high
rates to rapidly authenticate nodes, establish tunnels and
connection rates
support failover.
• Low latency
• Carrier-grade scalability and reliability
THE A10 NETWORKS SECURITY • Included as part of the A10 Networks 5G security suite
Protocols supported:
HIGH-PERFORMANCE IPSEC TUNNEL • IPv4 and IPv6 ESP tunnels
TERMINATON AND AUTHENTICATION • IKE v1 and v2
The security gateway solution provides high-performance • OSPFv3, BGP 4+, BFD over IPsec tunnel
authentication of g/eNodeBs to the core network or edge • 64 ECMP routes
node, establishes tunnels and terminates IPsec tunnels on the • NAT traversal, Dead Peer Detection
S1 and X2 interfaces in 4G mobile networks and the N2/N3
• PKI with SCEP, CRL and OCSP
interfaces in 5G mobile networks.
• IKE v2 EAP
Crypto:
FEATURES AND BENEFITS • AES-128, AES-192, AES-256 CBC and GCM modes, 3DES,
The security gateway solution includes the following features: NULL
• Establishes and terminates IPsec tunnels • Diffie-Hellman Groups: 1,2,5,14,15, 16,18,19 (256 EC), 20
(384 EC)
• Provides high-performance firewall rule mechanisms
• Authentication methods: Pre-shared Key, RSA (8192),
• Decrypts IPsec tunnels between cell sites and the packet
ECDSA (256, 384) PKI Certificates
core or edge node
• Perfect Forward Secrecy (PFS)
• Certificate Management Protocol version 2 (CMPv2) for
• Cryptographic hardware acceleration on appliances
automatic enrollment and renewal
• DHCP-relay Performance and Scale
• Tunnel profiles – Provide a simplified gateway • 70 Gbps for single RU device
configuration that eliminates the need to configure • Tunnels set-up: 1,000 tunnels per second
multiple tunnels individually. • Concurrent tunnels: 64,000 concurrent tunnels
• IKE-CP (IKE Configuration Payload) configures VPN client
High Availability
with private IP address, netmask, and gateway
• Stateful Failover
• Reverse route injection – to dynamically control paths that
• Active-Standby
will be accessible via the IPsec tunnels
• Active-Active
• ToS/DSCP tunnel traffic marking – to allow for traffic
• N+M Redundancy
segregation, categorization and prioritization, an important
feature since IPsec traffic carries both user and control traffic • VRRP-a
The A10 Networks security gateway solution minimizes the Virtual Chassis
potential for traffic between the RAN nodes and the core • Central cluster management
network to be intercepted. This protects the network from
• 8 device cluster
malicious intrusion and ensures data confidentiality for the
subscriber.
2
MME
SGW PGW
INTERNET
EPC
Figure 1. In 5G NSA networks, the A10 Networks security gateway terminates IPsec tunnels to the core network
©2019 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, A10 Thunder, A10 Lightning,
LEARN MORE A10 Harmony and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and
other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility
ABOUT A10 NETWORKS for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise
this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.
CO NTACT US
a10networks.com/contact Part Number: A10-SB-19204-EN-01 NOV 2019