The inherent security of Open RAN

Why open the Radio Access Network?

Service providers are scaling their networks to support traffic demand from 5G, IoT and wired/wireline convergence.  Many operators are exploring disaggregation of the radio access network (RAN), coupled with the open interfaces defined by the O-RAN Alliance.

The disaggregation of the RAN comes with many benefits for network operators, including reduced capital investment, lower operating expenses, architectures built around use cases rather than around vendors, and a more robust supply chain. Network operators can promote supplier diversity by adopting industry standards like O-RAN, OpenRAN from Telecom Infrastructure Project, and OpenAirInterface. They can choose the optimum products to meet requirements and prioritize alliances with a vendor ecosystem that has local partners in the country of operations.

The Red Hat and Altiostar solution enables network operators to fully leverage the benefits of open RAN. It delivers full RAN functionality using network functions virtualization (NFV) infrastructure from Red Hat and RAN technology from Altiostar. This approach decouples baseband functions from the underlying hardware and creates a software fabric that spans both LTE and 5G networks. Network operators can more easily develop new applications and services, or leverage third-party, cloud-native applications. 

The disaggregation of the RAN increases the number of discrete elements and connections in the network, which has led to a misconception by some in the industry that open RAN is inherently insecure due to the increase in the network’s attack surface.

A closer examination of open RAN reveals that it is not inherently less secure than traditional network architectures. In reality, avoiding vendor lock-in is one of the best ways to lay the foundation for an intrinsically secure network. According to 451 Research, open RAN architectures offer improved security compared to single vendor systems, because they are more modular,  more visible and are less interdependent. 

How open RAN improves security

In traditional network architectures, a limited number of vendors can amplify the network impact of any security breach. Furthermore,  proprietary interfaces offer operators less visibility than open interfaces, putting service providers at the mercy of their vendors when it comes to detecting and mitigating threats. A single vendor oversight can have massive repercussions. This scenario played out in 2018, when software deployed with an expired certificate apparently took down networks in the UK and Japan, surprising two Tier 1 operators who had relied on their network equipment vendor to ensure that the software update was ready for the live networks. 

In an open RAN, network software is less interdependent on hardware, reducing the risk associated with upgrades or isolated security breaches. In addition, the enhanced modularity available with open interfaces makes it easier for operators to move towards a continuous integration/continuous delivery (CI/CD) operating model. This enables the seamless and effective patch management needed to fix any security vulnerability found in open RAN. In an open RAN, discrete software updates can be more transparent and less impactful on the overall network than software updates in a traditional network.

The O-RAN Alliance has specified open interfaces, thereby lowering security risk through standardization. In an open architecture, operators have more interfaces available to monitor, which can help detect incongruencies and enhance security. Defined interfaces between functional elements afford operators the ability to insert controls, further increasing their ability to secure the network. 

Operators that avoid vendor lock-in by choosing open RAN will also be better-positioned to leverage new security capabilities as they are developed. Supply chain flexibility gives them a new way to prioritize secure solutions, in addition to allowing them to pick best-of-class suppliers that meet their requirements.

Open RAN: Virtually the most secure choice 

Open RAN and vRAN go hand-in-hand. In an open, virtualized RAN (Open vRAN), the elements of the radio access network are disaggregated for flexibility, with standardized interfaces between them, and network functions are virtualized, as software is abstracted from the underlying infrastructure. This gives operators the ability to combine best-of-breed solutions in order to optimize network agility, performance, and security. 

Virtualization further enhances the security of the open vRAN architecture. It increases visibility because virtual hosts provide operational telemetry data about the functions they support. This data is isolated from the function’s execution environment, which decreases its vulnerability to attack. Isolating network functions adds greater operational awareness and limits the damage that one security threat can produce in the overall network. 

Virtualized RAN will also make it easier for network operators to offer private network solutions to enterprise customers because it lowers the cost of adding a network slice or on-premise radio. According to ACG Research, centralized vRAN architectures enable up to 44% lower TCO than conventional distributed RANs. When enterprises move to private networks, their data can be isolated from the public carrier networks, decreasing their security risk.

The traditional telecom ecosystem is embracing best practices to maximize vRAN security. According to a leading network equipment vendor, those developing and implementing vRAN solutions can reduce threats by following security  principles of Open Source software found at https://www.o-ran.org/ and https://o-ran-sc.org/.  In addition, operators are outlining similar steps that can be taken to minimize threats and leverage the inherent security of O-RAN and vRAN.

Red Hat and Altiostar are putting ORAN and vRAN to work for operators

In the Open vRAN solution architecture developed by Red Hat and Altiostar, virtualized baseband units (vDUs and vCUs) process and dynamically allocate resources to remote radio units (RUs) based on the current network needs. This disaggregation of functionality enables agility and improves network economics, but as explained above it does not increase the threat landscape. 

Architecturally, there are security benefits to a disaggregated and virtualized RAN. Disaggregated gNodeB architecture allows sensitive cryptographic material such as 3GPP Access Stratum security keys to be stored deep inside the network in a secure vCU which is hosted in a data center. In traditional network architectures, Access Stratum keys are potentially less secure because they are stored at the cell site, which makes them more vulnerable to various threats.

The solution developed by Red Hat and Altiostar enhances policy definition and control for operators. Red Hat Advanced Cluster Management for Kubernetes provides the out-of-the-box policy templates that enterprises use to enhance and apply the security check, and remediate any policy violation. Enterprises integrate third-party controls with Red Hat Advanced Cluster Management for Kubernetes governance by implementing custom policy controllers using the governance policy framework. 

Containers create the best outcomes                                                                                            

Operators gain security, flexibility and scalability when they move from hardware-based functions or virtual network functions (VNFs) to container network functions (CNFs).  Containers are sandboxed application processes on a shared Linux OS kernel. They package an application with all its dependencies and allow deployment to any environment within seconds.  Containerization started first in the core when 3GPP adopted microservices architecture with a Service Based Architecture for 5GC,  and is now being adopted in the RAN. 

CNFs enable operators to fully leverage separation of the control plane from the user plane (CUPS), which makes it easier to scale up in support of specific use cases. For example, a small set of users continually streaming large amounts of video would require user plane resources, while thousands of IoT devices executing transactions will drive control plane traffic. Segregating this traffic lets operators scale more economically, and also more securely. Operators want to extend connectivity to non-traditional IoT devices in order to monetize their network investments, and CUPS implemented with containers can enable this.

When the control plane and the user plane exist on different hardware, the attack surface can increase and containers can help operators maintain security. 5G Americas has outlined considerations related to the security implications of control and user plane separation. For example, the cloud native architecture should implement Zero-Trust with secure authentication and authorization on the control plane. In addition, developers are encouraged to practice a “shift up” strategy, ensuring flawless execution of applications inside containers. Containers offer operators a secure, simple, scalable and flexible way to leverage open RAN in general and CUPS in particular.

For years, telcos have deployed infrastructure running Red Hat OpenStack with applications from traditional network equipment vendors. Now they can convert network applications to microservices in containers using Red Hat OpenShift, the industry's most secure and comprehensive enterprise-grade container platform.

Altiostar’s Open vRAN solution is based on Containerized Network Functions and leverages several security industry best practices already used in the cloud computing industry. A “shift-left” strategy in the software development process integrates security controls and practices into every phase of development. DevSecOps is integrated into the CI/CD pipeline, bringing automation into secure code reviews and security testing. Automated tools are used to quickly detect and remediate vulnerabilities and network anomalies found at run-time in the live network. Every network element in the Open RAN network undergoes platform hardening as per well-known cloud-computing industry benchmarks such as those proposed by the Center for Internet Security (CIS), in addition to 3GPP’s Security Assurance Specifications.

Altiostar’s Open vRAN solution, based on containers, provides needed flexibility to support many network topologies, allowing operators to optimize the location and connectivity of all network components in order to maximize security. Co-engineering and tighter integration throughout the Red Hat software stack increases security across the NFV environment, as well as interoperability, reliability, performance, manageability, and policy definition and control.

Containers and security

Red Hat defines multiple elements of security for different layers of the container solution stack and different stages of the container life cycle.  

The first and perhaps most important element is the container host operating system. Containers should be created with the least privilege possible and should run as user, not root. Developers should make use of the multiple levels of security available in Linux. Red Hat Enterprise Linux includes five features for securing containers: Linux namespaces, Security-Enhanced Linus (SELinux), Cgroups, capabilities and secure computing mode (seccomp). 

SELinux is key because it provides an additional layer of security to keep containers isolated from each other and from the host. SELinux allows administrators to enforce mandatory access controls (MAC) for every user, application, process, and file. Typically, Linux users have had discretionary access control (DAC), meaning they could change permissions on their own files. But with MAC, there is an administratively set policy around access. MAC restricts the level of control that users (subjects) have over the objects that they create, adding additional labels, or categories, to all file system objects. Users and processes must have the appropriate access to these categories before they can interact with these objects. If a user accidentally or purposely breaks out of the namespace abstraction, SELinux is the brick wall that stops them. 

Other best practices for containerized solutions include using trusted sources for container content and selecting a private registry that helps you automate policies for the use of the container images stored there. Red Hat OpenShift includes a private registry that can be used to manage container images.

Red Hat’s Source-to-image (S2I) framework is another important security tool. It facilitates collaboration between development and operations teams so that the product of the build process is exactly what is deployed in production. If an image needs to be rebuilt in order to correct a vulnerability, OpenShift can detect the change and rebuild dependent images.

API access control (authentication and authorization) is critical for securing your container platform. The OpenShift master includes a built-in OAuth server. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API. As an administrator, you can configure OAuth to authenticate using the identity provider of your choice, including Lightweight Directory Access Protocol (LDAP) directories.

Secret management is another important element of security. Kubernetes is extending Cluster Federation to include support for Federated Secrets, which automatically creates and manages secrets across all clusters in a federation, ensuring that these are kept globally consistent and up to date, even if some clusters are offline when the original updates are applied.

Other best practices include isolating applications from one another within a cluster and encrypting data in transit via https. When the right processes are in place, containerized solutions are inherently secure. 

The bottom line

Choosing the right software for an Open vRAN deployment maximizes security. The containerized RAN solution developed by Altiostar based on Red Hat OpenShift gives operators direct ownership of security processes within the RAN, along with policy definition and control. It combines the security of cloud computing with the best security practices of containerization. Open interfaces enable operators to monitor and control their networks in new ways, and open supply chains eliminate the security risks associated with vendor lock-in. The Open vRAN solution developed by Red Hat and Altiostar reduces risk, cost and complexity for customers.

The editorial staff had no role in this post's creation.