Due to the different security risk levels, the security of communication between intra-slice NFs and out-of-slice NFs can be divided into three situations:
A. Security between intra-slice NFs and slice-common NFs
Public NFs can access NFs in multiple slices, so NFs in slices need a secure mechanism to control access from public NFs, prevent public NFs from illegally accessing NFs in a slice, and prevent illegal external NFs from accessing a slice NF. The network management platform authorizes each NF through the whitelist mechanism, including which NFs can be accessed by each NF, and which NFs can be accessed by each NF. fibconet.com optical splitter fiber
The SMF in the slice needs to be registered with the Network Repository Function (NRF). When the AMF selects a slice for the UE, it will ask the NRF to find the SMF of each slice. Mutual trust between SMF) and out-of-slice public NFs such as AMF. At the same time, frequency monitoring can be performed in AMF or NRF, or a firewall can be deployed to prevent Dos/DDos attacks, and prevent malicious users from exhausting the resources of the slice public NF and affecting the normal operation of the slice. For example, AMF is used for defense and frequency monitoring. When it is detected that the frequency of the same UE sending messages to the same NRF is too high, the UE will be forced to go offline, and it will be restricted from going online again. Access control is performed to prevent Dos attacks on the UE. ; Or do frequency monitoring in NRF, when it is found that a large number of UEs go online at the same time and the frequency of sending messages to the same NRF is too high, these UEs will be forced to go offline, and they will be restricted from going online again, and access control will be performed to prevent large-scale DDos attacks. . fibconet.com optical splitter fiber optical splitter fiber optical splitter fiber
B. Security between the NF in the slice and the external network device Deploy virtual firewalls or physical firewalls between NFs in the slice and external network devices to protect the security of the slice’s internal and external networks. If firewalls are deployed inside slices, virtual firewalls can be used, and different slices can be arranged on demand; if firewalls are deployed outside slices, physical firewalls can be used, and one firewall can ensure the security of multiple slices. fibconet.com optical splitter fiber optical splitter fiber
C. Isolation of NFs between different slices
Different slices should be isolated as much as possible, and NFs in each slice also need to be safely isolated. For example, during deployment, slices can be divided by VLAN (Virtual Local Area Network)/VxLAN (Virtual Extended Local Area Network), and slices can be implemented based on NFV isolation. The physical isolation and control of each slice ensures that each slice can obtain relatively independent physical resources, and ensures that an exception of one slice will not affect other slices. fibconet.com optical splitter fiber optical splitter fiber
