A zero trust framework helps protect network services at the edge.

Hedge the Edge: Mobile Network Security for 4G/5G and Beyond

Mobile Network Security for 4G, 5G and beyond.

In this era of 5G networks, the wireless industry is hedging the edge by implementing new zero trust network access (ZTNA) security standards to help protect their networks and services. ZTNA is one component of the secure access service edge (SASE—pronounced “sassy”) security architecture designed to provide safe remote access for applications, data, and services based on well-defined access control policies.

Prior security measures do not meet the need for dynamic connectivity required by next-generation networks because they were focused on centralized software architectures versus the disaggregated, distributed networks prevalent today. The goal of SASE is to create standards based on dynamic support and enhanced protection for network, security, and identity management elements and subscriber data at the network edge.

Elements of SASE

SASE deployments consist of four components:

  • Next-generation firewall as a service (NGFWaaS): Firewalls hosted in the cloud as virtual network functions (VNFs) and offered as a service.
  • Secure web gateway (SWG): On-premises or cloud-hosted network security technology that sits between subscribers and the internet to enforce enterprise usage policies and protect corporate web assets.
  • Cloud access security broker (CASB): Delivers a complete security stack—everything from the cloud to managing access control, data protection, and threat prevention across connections heading to the internet, software as a service (SaaS), and private applications.
  • Zero trust network access (ZTNA): Restricts remote access to an organization’s applications, data, and services based on parameters such as user identity, the context of use, device identity, and behavior across cloud boundaries based on clearly defined access-control policies with a zero trust approach.

Why the Zero Trust Approach

Within the SASE framework, operators are starting to implement a zero trust philosophy, primarily by embedding security policies within devices by way of application programming interfaces (APIs) to restrict and authenticate access for any subscriber’s location. A recent announcement from T-Mobile emphasized the significance of this initiative for businesses, government organizations, and the protection of 5G networks.

The zero trust security architecture provides protection from the cloud edge and evaluates all devices and software before connecting to network resources, hence reducing risk exposure across the 5G network. ZTNA provides a path for operators to hedge the edge with secure policies to protect the network, subscribers, and the overall security experience end to end. Implementing these standards will help organizations promote reliable security adoption and a successful and secure 5G network ecosystem.

Beyond Zero Trust: End-Through-End Mobile Network Security

For 5G and next-generation wireless networks, threat detection, mitigation, and traceback extend beyond zero trust edge authorization. Mobile networks have become the dominant means of accessing the internet, owing to their increased speeds, throughput, convenience, and reliability. Unfortunately, along with the growth in mobile traffic and the number of connected devices, mobile operators have experienced an increase in threat activity as these networks become indistinguishable from wireline networks. But monitoring this mobile traffic activity is complex due to the following challenges:

  • Tunneling: The use of GPRS Tunneling Protocol (GTP) for traffic transiting the radio and core networks complicates the monitoring of user-plane traffic and threat detection in real time and at scale.
  • Correlation and attribution: User-plane traffic must be correlated with users and devices in real time and at scale for effective attribution, mitigation, and traceback of threats.

How NETSCOUT Is Addressing the 4G/5G Security Challenge

Wireline internet service providers (ISPs) all over the world, of every shape and size, utilize NETSCOUT Arbor Sightline for traffic monitoring and reporting, threat detection, traceback, and mitigation. User-plane dynamic mapping of mobile IP addresses to identities (IMSI, MSISDN, device types, infrastructure endpoints, and so forth) is essential for extracting actionable insights in real time about both underlying traffic patterns and potential threats.
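The tunneling and attribution steps described above can be shown in a few lines. This is an added example, not NETSCOUT product code: it strips a GTPv1-U header (including 5G extension headers) and maps the inner IPv4 address to a subscriber. The session table, sample packet, and function names are constructed for illustration, and the table is assumed to be populated from control-plane signalling.

```python
import ipaddress
import struct
GPDU = 0xFF  # GTPv1-U message type that carries a user packet (G-PDU)
# Constructed session table: UE IP -> identity (assumed fed by control-plane data)
SESSIONS = {"10.45.0.7": {"imsi": "001010000000001", "msisdn": "15550100"}}

def decap_gtpu(udp_payload):
    """Return (teid, inner_packet) for a well-formed G-PDU, else None."""
    if len(udp_payload) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", udp_payload[:8])
    end = 8 + length  # length counts everything after the 8 mandatory bytes
    # Reject: not version 1, not GTP (PT=0), not user data, or bad length
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != GPDU or end > len(udp_payload):
        return None
    off = 8
    if flags & 0x07:  # any of E/S/PN set: 4 optional bytes follow
        if off + 4 > end:
            return None
        next_ext = udp_payload[off + 3] if flags & 0x04 else 0
        off += 4
        while next_ext:  # walk extension headers (e.g. 5G PDU Session Container)
            if off >= end:
                return None
            ext_len = udp_payload[off] * 4  # length is in 4-octet units
            if ext_len == 0 or off + ext_len > end:
                return None
            next_ext = udp_payload[off + ext_len - 1]
            off += ext_len
    return teid, udp_payload[off:end]

def attribute(udp_payload, sessions):
    """Tie a tunnelled IPv4 packet to a subscriber by its inner addresses."""
    res = decap_gtpu(udp_payload)
    if res is None or len(res[1]) < 20 or res[1][0] >> 4 != 4:
        return None
    teid, inner = res
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    for ue_ip, direction in ((src, "uplink"), (dst, "downlink")):
        if ue_ip in sessions:
            return {"teid": teid, "ue_ip": ue_ip, "direction": direction, **sessions[ue_ip]}
    return None

def build_sample():
    """Constructed uplink G-PDU with E flag and one extension header."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                        bytes([10, 45, 0, 7]), bytes([203, 0, 113, 9]))
    body = b"\x00\x00\x00\x85" + b"\x01\x10\x09\x00" + inner
    return struct.pack("!BBHI", 0x34, GPDU, len(body), 0x1A2B3C4D) + body
```

A monitor that inspects only the outer UDP/2152 flow sees traffic between two infrastructure endpoints; the subscriber becomes visible only after the decapsulation and lookup shown here.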

With its unique Adaptive Service Intelligence (ASI) technology and InfiniStream instrumentation, along with scalable threat detection and network visibility for ISPs thanks to Arbor Sightline, NETSCOUT is the market-leading provider of network solutions that offer vendor-agnostic equipment visibility into 4G and 5G non-standalone and standalone networks. We have combined the essential building blocks (Smart Data for visibility and Sightline for threat detection) to deliver a highly scalable solution for protecting the performance and availability of mobile data services.

NETSCOUT’s scalable deep packet inspection (DPI) in the form of MobileStream delivers comprehensive visibility in today’s multivendor 4G and 5G networks, extending the visibility, detection, and threat management capabilities of Arbor Sightline into the mobile network domain.
