2025-01-14 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)11/24 Report--
The three-tier distributed architecture of the 5G telecom cloud network can carry various types of 5G vertical industry applications more efficiently. Moving the network to an SDN (Software Defined Network) / NFV (Network Functions Virtualization) cloud greatly improves resource utilization, and it also provides automated service provisioning and intelligent operation and maintenance, so services can be launched quickly and adjusted flexibly. Because of these significant advantages of the 5G telecom cloud, operators are actively promoting the cloud transformation of their networks.
As the network continues to evolve toward the cloud, security has attracted much attention. Security is not only one of the basic requirements of a telecom network, but also the top priority of network construction. So is such a flexible and open 5G telecom cloud network really secure?
The risk brought by NFV
NFV is a double-edged sword: it brings openness, and with it security risks.
NFV decouples software from hardware by running network element functions as software on x86 servers, and it makes the network architecture more open and service deployment more flexible by pooling hardware resources. However, to achieve interoperability at every level of the NFV architecture, NFV components must be open, which introduces security risks in component interaction.
To avoid these security risks and ensure the safe operation of the virtualized telecom cloud network, effective security measures must be taken.
5G telecom cloud network security measures
5G telecom cloud networking has very strict security requirements, which apply from the physical networking level to the business network level.
In the earlier discussion of the logical networking of the 5G telecom cloud data center, we mentioned that the physical network (underlay network) is divided into a computing domain, a storage domain and a management domain according to the functions of the servers attached to it. These three domains are deployed independently and combined with firewall technology to ensure the security of the network. This is the security measure at the physical networking level.
Generally speaking, physical networking requires strict network isolation, and some operators even require multi-level isolation. This also shows how significant a role security plays in the telecom cloud. In practice, devices in the 5G telecom cloud system are divided into different security domains according to their security risk levels. Traffic that crosses the boundary between security domains must pass through a firewall.
Similarly, business networks achieve hierarchical protection by being divided into different security domains, with different types of firewalls between the different areas.
Let's take a look at how security domains are divided and how to ensure the security of the network through sub-domain management.
Sub-domain management
The concept of a security domain is subdivided in detail, and we divide security domains into different levels.
At the first level, the whole network is divided into a computing (service) domain, a storage domain and a management domain. These three domains are physically isolated, which isolates the business network, the storage network and the management network from one another, and firewalls protect communication across the different networks.
At the second level, the service network is divided internally into an exposed domain, a non-exposed domain, a core domain and a management domain. Seeing this, careful readers may wonder: why is there another management domain? Don't worry, the management domain here is different from the management domain at the first level.
The management domain at the first level manages the entire network and is necessary. The management domain in the business network manages the business, and depending on the actual needs of the customer there may be no such management domain; that is, it is optional.
Different areas in the service network are protected by different types of firewalls. Different security domains contain different network elements.
When external attackers break into the exposed domain of the business network, the data security of the non-exposed domain, core domain and management domain is not affected. Even if the non-exposed domain is breached, the firewalls between the non-exposed domain and the core domain and the management domain are heterogeneous with respect to the firewall that was breached, so the threat is most likely stopped at those firewalls, which keeps the core domain and the management domain secure. Even if the entire business network is threatened, the storage domain and the management domain are protected by a storage / management firewall, so the threat is likely to affect only the running business, not the entire infrastructure.
In addition, the management domain and the storage domain are divided into different logical network planes, and mutual access between different network planes is strictly prohibited. Different roles are given different permissions, so that privileges are separated by role and by domain.
In fact, the division of domains in the telecom cloud is similar to the construction of ancient cities: management is made easier by distinguishing functional areas and assigning risk levels, and the flow of people between areas is effectively controlled by building city gates, so that safety and control are achieved.
Through sub-domain management, we can accurately and quickly deploy and control each regional module in the telecom cloud. Just like the city construction we mentioned above, it is very difficult for one person to manage so many people in the city. However, by dividing different areas and assigning special people to each area, the overall controllable goal can be easily achieved.
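The layered containment described in this section can be checked mechanically. The following is an added example, not taken from the original article: it walks a constructed zone topology from the outside inward and flags any path on which two consecutive firewalls are of the same type. Zone names follow the article; the firewall names, the vendor types and the exact links are assumptions made for illustration.

```python
from collections import deque

# Constructed topology. Zone names follow the article; firewall names,
# types ("vendor-A" ...) and the links themselves are hypothetical.
LINKS = [
    ("external",    "exposed",      "fw-north-south", "vendor-A"),
    ("exposed",     "non-exposed",  "fw-exposed",     "vendor-B"),
    ("non-exposed", "core",         "fw-core",        "vendor-A"),
    ("non-exposed", "service-mgmt", "fw-svc-mgmt",    "vendor-B"),  # same type as fw-exposed
    ("core",        "storage",      "fw-storage-mgmt", "vendor-C"),
    ("core",        "infra-mgmt",   "fw-storage-mgmt", "vendor-C"),
]

def firewall_chains(links, start="external"):
    """Breadth-first walk: for every reachable zone, the ordered list of
    (firewall, type) pairs that traffic from `start` has to cross."""
    adjacency = {}
    for a, b, fw, fw_type in links:
        adjacency.setdefault(a, []).append((b, fw, fw_type))
        adjacency.setdefault(b, []).append((a, fw, fw_type))
    chains = {start: []}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt, fw, fw_type in adjacency.get(zone, []):
            if nxt not in chains:
                chains[nxt] = chains[zone] + [(fw, fw_type)]
                queue.append(nxt)
    return chains

def audit(links):
    """Return (zone, outer_fw, inner_fw, type) for each pair of consecutive
    firewalls of the same type: a weakness that let traffic through the
    outer one may apply unchanged to the inner one."""
    findings = []
    for zone, chain in firewall_chains(links).items():
        for (fw1, t1), (fw2, t2) in zip(chain, chain[1:]):
            if t1 == t2:
                findings.append((zone, fw1, fw2, t1))
    return findings

if __name__ == "__main__":
    for zone, chain in firewall_chains(LINKS).items():
        print(f"{zone:13} behind {len(chain)} firewall(s)")
    for finding in audit(LINKS):
        print("homogeneous pair:", finding)
```

In this constructed layout the core domain sits behind three firewalls of alternating type, while the path to the service management domain crosses two firewalls of the same type in a row and is reported.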
Firewall deployment
Now that we understand the concept of domain management, let's return to the example above.
In ancient times, the gates of a city marked its boundary. Without city gates, people could go in and out of each city at will, which easily led to conflicts and disputes and made coordination and management difficult. So city gates were set up for control: people in each city could move only within a limited range, which improved management efficiency and avoided many problems. The "city gate" here is similar to the concept of a firewall.
In the telecom cloud, firewalls are mainly used to isolate the boundaries of security domains. Isolation between the DC (Data Center) service network and the external network generally uses a north-south firewall. Isolation of access between different security domains inside the DC generally uses a cross-domain east-west firewall.
In the east-west direction, traffic is isolated by a distributed firewall (security groups). VMs (Virtual Machines) in the same security group can access each other, but VMs in different security groups cannot access each other by default. Security groups are stateful: tenants can allow a VM to initiate access to public network resources while denying access initiated from outside.
North-south traffic is protected by external hardware firewalls that provide security isolation.
The east-west firewall deployed between security domains is connected to the gateway, and traffic that crosses security domains passes through this firewall.
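The security group behaviour described above (same group allowed, different groups denied by default, stateful handling of connections a VM initiates outward) can be seen by replaying a few packets through a small model. This is an added example, not code from the original article or from any cloud platform; the VM names, group names, the external address and the packets are constructed for illustration.

```python
# Constructed inventory: VM names, group names and the external address
# (from the 198.51.100.0/24 documentation range) are hypothetical.
VM_GROUPS = {"vm-a1": "sg-a", "vm-a2": "sg-a", "vm-b1": "sg-b"}
EGRESS_ALLOWED = {"vm-b1"}  # VMs the tenant lets initiate access to public resources

class SecurityGroupFirewall:
    """Minimal model of a stateful distributed firewall."""

    def __init__(self, vm_groups, egress_allowed):
        self.vm_groups = vm_groups
        self.egress_allowed = egress_allowed
        self.conntrack = set()  # flows that were permitted when initiated

    def permit(self, src, sport, dst, dport):
        # Stateful part: a packet that is the reply to a tracked flow passes
        # even though the rules would not let its sender initiate.
        if (dst, dport, src, sport) in self.conntrack:
            return True
        src_group = self.vm_groups.get(src)
        dst_group = self.vm_groups.get(dst)
        if src_group and dst_group:      # VM to VM: same group only
            allowed = src_group == dst_group
        elif src_group:                  # VM to external: needs egress permission
            allowed = src in self.egress_allowed
        else:                            # initiated from outside: default deny
            allowed = False
        if allowed:
            self.conntrack.add((src, sport, dst, dport))
        return allowed

# Constructed packets: (source, source port, destination, destination port).
PACKETS = [
    ("vm-a1", 40000, "vm-a2", 8080),           # same security group
    ("vm-a1", 40001, "vm-b1", 8080),           # different security groups
    ("vm-b1", 40002, "198.51.100.7", 443),     # VM initiates outward
    ("198.51.100.7", 443, "vm-b1", 40002),     # reply to that connection
    ("198.51.100.7", 50000, "vm-b1", 22),      # outside host initiates
    ("vm-a1", 40003, "198.51.100.7", 443),     # VM without egress permission
]

def replay(packets):
    """Run the packets in order through a fresh firewall; one verdict each."""
    fw = SecurityGroupFirewall(VM_GROUPS, EGRESS_ALLOWED)
    return [fw.permit(*packet) for packet in packets]

if __name__ == "__main__":
    for packet, verdict in zip(PACKETS, replay(PACKETS)):
        print("ALLOW" if verdict else "DENY ", packet)
```

The fourth and fifth packets come from the same external host to the same VM; only the one that answers a connection the VM opened is allowed.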
At this point, we can see that combining domain management with firewall deployment builds layers of security barriers for the 5G telecom cloud. This measure effectively ensures that the network runs smoothly and securely.
As networks develop, security develops with them. In the future, as the scale of the 5G telecom cloud network continues to expand, its security strategy will become more and more complete.
The abbreviations involved in the article:
SDN (Software Defined Network)
NFV (Network Functions Virtualization)
EPC (Evolved Packet Core)
MANO (Management and Orchestration)
VNFM (Virtualized Network Function Manager)
EMS (Element Management System)
DC (Data Center)
VM (Virtual Machine)
This article comes from the WeChat official account: ZTE documents (ID:ztedoc)