DPI supporting SASE for 5G security

Tobias Roeder portrait

by Tobias Roeder
published on: 19.10.2021

Reading time: ( words)
Categories: Network security, 5G, SASE

The promise of unlimited bandwidth and unrivalled speeds is set to make 5G synonymous with cellular connectivity in the coming years. 5G will make a huge impact redefining industries and expanding the potential of emerging technologies. These technologies leverage new speeds and almost nonexistent latency to enable breakthrough applications. Central to most of the capabilities touted for 5G is network slicing. Network slicing enables operators to abstract a common physical infrastructure which they can use to create virtualized networks customized to specific use cases.

Use cases from network slicing are broadly classified into three distinct classes: enhanced mobile broadband (eMBB), which is an upgrade on 4G, ultra-reliable low-latency communications (URLLC), which provides lowest latency and highest speeds, and massive machine-type communications (mMTC), which is used for cohering IoT applications. These slices can be combined in different ways to create an industry-specific vertical fulfilling particular needs: autonomous vehicles with strict safety requirements will be skewed heavily toward implementing the URLLC service that offers very low latency; virtual reality (VR) and augmented reality (AR) will rely greatly on the higher speeds and bandwidths afforded by eMBB while also drawing upon URLLC; smart-city infrastructures will be dominated by the endpoint reach and coverage provided by mMTC, etc.[1]

(Not quite) private 5G networks

Companies with applications that require specific speeds, latencies, coverage and intensity will essentially rent a vertical that is best suited for their needs. This makes way for creating thousands of private networks built and managed by the operators on behalf of their corporate clients. In 5G, such networks extend to thousands of end nodes that make up IoT use cases or, in the case of remote workers, all the users accessing the private network from outside of the network perimeter. This is where the security of 5G networks becomes a key concern because noncorporate entities might try to gain access to a corporate network. This can result from poor configurations that lead to users being misdirected to networks they do not belong to, nefarious threat actors trying to break into a corporate network or free riders exploiting network loopholes to enjoy services they did not pay for.

The SASE way to 5G

Secure access service edge (SASE) is a cloud-based security model on the rise. 30 percent of digital businesses worldwide plan to adopt in the next year.[2] Essentially, it is a secure gateway at the edge of a network. It bundles network and security functions provided on demand as a cloud service, with data centers located close to remote users and devices. For example, SASE allows employees to work remotely by offering connectivity to their enterprise network while guarding it with cloud-based firewalls and zero-trust network access.

This matches perfectly with the capacities of enterprise private 5G networks. It allows a remote worker or device (e.g. a delivery truck) to connect to their enterprise network that another user on the same 5G network cannot, as authentication and authorization into different virtualized networks take place at the network edge. From there, retail customers use a common slice, while an enterprise's remote users and devices are able to access their sealed-off network. SASE ensures a secure access. Instead of tracing traffic back to the 5G network core for these security purposes, SASE offers an automatic verification and authentication gateway between the user and the enterprise. It allows all endpoints to seamlessly access private 5G networks. It authenticates users not only as they cross the enterprise boundary, but also verifies them based on authorization rules and hierarchy as they access each specific application.

Safe SASE with DPI

Deep packet inspection (DPI) is a network technology that offers in-depth visibility, not only into the basic information about data packets passing through a network but also the underlying applications and their services. An advanced DPI engine like R&S®PACE 2 identifies and classifies data through a network based on its associated application and protocol. It leverages a frequently updated library with the latest traffic signatures captured from the continuous analysis of global data traffic. On top of that, DPI provides traffic metadata covering quality-specific metrics, giving companies a comprehensive picture of what is going on in their networks.

With these capabilities, DPI can bolster the ability of SASE to authenticate traffic in an enterprise 5G network. It can identify the traffic source in real time. Real-time identification can ensure that only authorized remote users and remote devices have access to the enterprise network. By identifying only legitimate SIMs, fraudulent users and devices can be filtered out. This not only makes the network more secure but also speeds up the authentication that SASE offers. On top of that, real-time identification enables automatic login into the network, which is especially important for URLLC use cases.

R&S®PACE 2 in particular can also garner information about the number of devices behind network address translation (NAT) and identify the operating systems, protocols, applications and the services involved in tethering. Knowing how many and what kind of devices will be connected, a company can ensure that no unauthorized tethering takes place and that no connections are dropped.

Even if a device is legitimate, it could access the network for illegitimate purposes if hijacked by a third party or exploited by a user. That is where DPI can go a step further than SASE by identifying unusual traffic, application patterns and anomalies. DPI helps to identify malicious traffic being sent to the network, distributed denial-of-service (DDoS), botnet and man-in-the-middle attacks, data theft or unauthorized use of network capacity on expensive slices such as URLLC.

In general, DPI provides deeper insights into an enterprise network and reveals general trends within the traffic. This is all the more useful when the network users and endpoints are widely distributed and the network and application usage patterns are specific to their operations. These insights enable SASE to improve its authentication processes in the long run, refining its credential requirements, authentication frequency as well as continuous and point authentication policies to better reflect a company’s connectivity and security needs.

Fortifying 5G networks with SASE and DPI

SASE strengthens enterprise networks by building on innovations in cloud computing and network security. It leverages software-defined networking and creates secure perimeters in the cloud. However, while SASE is powerful, it is not perfect without DPI. A tool such as DPI offers detailed traffic awareness and adds the necessary visibility layer. Combined, DPI and SASE ensure that enterprises can massively enhance the efficiency and security of their 5G networks, bringing the benefits of 5G to more endpoints and users.

To learn more about how DPI-empowered real-time traffic classification supports 5G, download this whitepaper.

[1] 5G RAN slicing for verticals: Enablers and challenges - HAL archives-ouvertes.fr - 2019 - https://hal.archives-ouvertes.fr
[2] 64% of businesses are adopting or plan to adopt SASE in the next year - Security - 2021 - https://www.securitymagazine.com

Tobias Roeder portrait

Tobias Roeder

Contact me on LinkedIn

Tobias holds a degree in electrical engineering and has more than eight years of experience in product development. For a number of years, Tobias has been working as an application engineer for the deep packet inspection (DPI) software R&S®PACE 2 at ipoque, a subsidiary of the Rohde & Schwarz company. Tobias provides engineering services from the packet processing level up to the application level. In customer consulting, he identifies the optimal implementation to fulfill customer requirements and assists with the architectural decisions that go along with embedding DPI into network solutions. When he’s not at work, Tobias plays disc golf and enjoys doing CrossFit.

Related material

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for our newsletter

Stay informed about the latest news and insights from ipoque