5G時代下應用的安全防禦研究

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"摘要"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"4G時代，我們已經見證了不少互聯網的安全事故，例如OpenSSL水牢漏洞、WannerCry勒索病毒、Petya勒索病毒變種肆虐等。而在即將到來的5G時代，網絡安全同樣面臨很多挑戰。5G將賦能各行各業，也將承載更多的社會資產、生產和責任。近年來網絡安全成爲各行業數字化轉型中面臨的重要挑戰。5G作爲行業物聯網的首選網絡技術，需要給行業用戶提供安全、可靠和可信的清晰視圖，讓垂直行業有信心去積極擁抱5G，這是5G標準化工作的重中之重。隨着國際局勢的不斷變化，5G安全越來越成爲國家安全戰略的重要組成部分。5G時代下應用的安全防禦也將成爲重要課題。本文將圍繞着5G的6個方面，虛擬化、開放性、大連接、大數據、切片性、開源化。分別進行深入分析和探究，爲如何加強應用的防護提出建設性意見和建議。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"背景"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"根據全球移動供應商協會（GSA）統計，截至 2019 年底，全球 119 個國家或地區的 348家電信運營商開展了 5G 投資，其中，61 家電信運營商已經推出 5G商用服務[1]。截至今日（2020年5月6日）我國5G基站數完成19.8萬個[2]，我國預計今年內完成50萬個5G基站的建設。5G基礎建設正在我國如火如荼的進行着，5G網絡的目標是爲增強的移動寬帶，大規模機器類型通信和實時控制提供無處不在的高速和低延遲連接。在由FuTURE論壇舉辦的“5G網絡發展戰略研討會”上[3]，中國工程院院士鄔賀銓表示，5G作爲新型基建設施的首選，被賦予應對疫情帶來的經濟下行壓力和經濟高質量可持續發展提供新引擎的重任，同時他指出，5G新基建將帶來技術、運維、產品、市場和"},{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"安全成熟性"},{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"五大挑戰。5G的安全可靠性，將在5G的以下6個方面暴露其問題。包括：虛擬化、開放性、切片化、大連接、開源化、大數據。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"正文"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"第三代合作伙伴計劃（3GPP）於2018年3月發佈了移動通信系統規範的第14版，爲第5代移動通信（5G）奠定了基礎。關於5G的標準，目前大家討論的是15版（3GPP-R15）。在這個標準中，將5G的建設分爲了兩步走，這兩步走得都很艱辛。第一步經過78次開會，無數的討價還價和妥協，最後在2018年年底總算是確定下來了。第二步，在2019年6月份才確定。受新冠病毒全球爆發的影響，國際通信標準組織3GPP再次延後了Release16版本的發佈時間，3GPP-R16版本作爲5G第二階段的標準版本主要關注垂直行業應用及整體系統的提升，主要功能包括面向智能汽車交通領域的5G V2X，在工業IoT和URLLC增強方面增加可以在工廠全面替代有線以太網的5G NR能力如時間敏感聯網等，包括LAA與獨立非授權的非授權頻段的5G NR，其他系統提升與增強包括定位、MIMO增強、功耗改進等。此前因爲受R15 Late drop版本凍結時間推遲的影響，R16規範凍結時間由原定的2019年12月推遲至2020年3月。這次，又繼續推遲了3個月。"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/42/420e0521ded2d9f70ad72627ceeea2c2.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"更新後的3GPP版本時間表（圖片來源於：鮮棗課堂）"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"5G的網絡架構"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"從網絡架構來看，5G 網絡整體延續 4G 特點，包括接入網、核心網和上層應用（如下圖）。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"爲滿足 5G 移動互聯和移動物聯的多樣化業務需求，5G 網絡在覈心網和接入網均採用了新的關鍵技術，實現了技術創新和網絡變革。"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/6b/6b628eba27153ce4c6ef50a2c1b90bd5.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"5G的網絡架構圖"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"5G安全可靠面臨的挑戰如下："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"虛擬化與開源化："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"未來5G網絡因爲頻段和業務的需求，將呈現出密集、複雜的網絡結構，基站數量和部署密度將遠超現有4G網絡。隨着SDN/NFV（Software Defined Network/Network Function Virtualization, 軟件定義網絡/網絡功能虛擬化）技術的不斷髮展，移動網絡核心側設備的虛擬化技術已經逐漸成熟，隨着軟硬件技術和能力的不斷增強，各大廠商和運營商也開始研究無線側虛擬化。爲了提供一個能夠面向應用、開放靈活、低成本和易維護的網絡，無線接入側網絡虛擬化研究成爲了業界研究的熱點。"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/25/25f91888d7b23371092cc934ec37af3a.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"網絡資源虛擬化[12]"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d0/d0fbcb4f73ad8e3294f16281bb879827.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":" 網絡功能虛擬化 NFV分層視圖[13]"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"存在的風險："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"5G引入虛擬化技術實現無線網靈活可控，然而虛擬化卻模糊了網絡的物理邊界，虛擬安全域會動態變化，傳統依賴物理邊界防護的安全機制難以奏效。控制系統易成爲網絡安全攻擊的對象，而底層網絡資源共享將挑戰安全隔離。開源軟件對第三方開源基礎庫過度依賴，加大了引入安全漏洞的風險。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"技術應對措施:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"color","attrs":{"color":"#FF7021","name":"orange"}},{"type":"strong"}],"text":"可借鑑現有在 4G 核心網和 IT 行業應用中使用的雲化安全解決方案，並參考歐洲電信標準化協會（ETSI）制定的多個網絡虛擬化安全標準6。一是進行系統安全加固，對管理控制操作進行安全跟蹤和審計，提升防攻擊能力。二是提供端到端、多層次資源的安全隔離措施，對關鍵數據進行加密和備份。三是加強開源第三方軟件安全管理。[15]"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"開放性"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"存在的風險："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"5G 開放給客戶自定義與調配業務，惡意第三方容易獲得對網絡的操控能力。5G採用通用互聯網協議代替傳統移動網專用協議，擴展了業務能力，但更容易受到外部攻擊。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"技術應對措施："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"color","attrs":{"color":"#FF7021","name":"orange"}},{"type":"strong"}],"text":"一是加強 5G 網絡數據保護，強化安全威脅監測與處置。二是加強網絡開放接口安全防護能力，防止攻擊者從開放接口滲透進入運營商網絡。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"color","attrs":{"color":"#FF7021","name":"orange"}},{"type":"strong"}],"text":"從整體看，儘管 5G 網絡引入的網絡功能虛擬化、網絡切片、邊緣計算、網絡能力開放等關鍵技術，一定程度上帶來了新的安全威脅和風險，對數據保護、安全防護和運營部署等方面提出了更高要求，但這些技術的引入也是逐步推進和不斷迭代的，其伴生而來的安全風險，既可通過強化事前風險評估，也可在事中事後環節採取相應的技術解決方案和安全保障措施，予以緩解和應對[16]。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"切片化"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"存在的風險："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"5G提供了網絡切片（R15定義架構，R16實現）將同一張移動網絡隔離爲不同的虛擬網絡，並在各切片中提供不同業務所需的差異化SLA及各切片之間的安全隔離性。切片的邏輯框架由RAN+TN+CN共同構成，由NSMF進行端到端管理。但考慮到不同領域實現切片的難度和必要性各有不同，又可以由各領域NSSMF對切片進行分段設計。其中由於核心網是業務交互的集中點，更需要儘早部署網絡切片。此外，貼近業務本地部署的MEC（R15）的引入，則進一步強化和保障了各切片中低時延的可獲得性。"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/07/07a357edfd922c89886e90b394d494ff.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"網絡切片架構圖"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"切片間需要有效的安全隔離機制，以免某個低防護能力的網絡切片被攻擊以後成爲跳板波及其他切片。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"技術應對措施："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"color","attrs":{"color":"#FF7021","name":"orange"}},{"type":"strong"}],"text":"針對上述安全風險，可使用雲化、虛擬化隔離措施，如物理隔離，虛機（VM）資源隔離、虛擬防火牆等，實現精準、靈活的切片隔離，保證不同切片使用者之間資源的有效隔離，同時要做好網絡切片運維和運營安全的管理，確保相應的技術措施得到落實"},{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"[17]。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"strong"}],"text":"大連接與大數據"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"存在的問題："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"大連接永遠在線易成爲DDoS攻擊的跳板。防入侵能力又受限於低功耗算法。大連接認證會引發信令風暴，還會影響時延，車聯網還要求支持點到多點的V2V快速認證。大數據，若以失真的數據來訓練神經網絡，會使決策錯誤且因AI結果不可解釋性而難以發現。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"技術應對措施："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}},{"type":"color","attrs":{"color":"#FF7021","name":"orange"}},{"type":"strong"}],"text":"對 5G 典型大連接大數據應用場景安全風險，可採取如下應對措施：一是加強安全防護技術和設備的演進升級，有效適應和應對超大流量對現有防護手段帶來的衝擊。二是建立面向低時延需求的安全機制，統籌優化業務接入認證、數據加解密等環節帶來的時延，盡力提升低時延條件下安全防護能力。三是構建基於大規模機器類通信場景的安全模型，建立智能動態防禦體系應對網絡攻擊，防止網絡安全威脅橫向擴散。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":16}},{"type":"strong"}],"text":"結束語"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"size","attrs":{"size":14}}],"text":"5G時代已經到了，雖然面臨着諸多挑戰，尤其是對於萬物互聯的各種應用場景下,對於5G網絡環境提出了更高的要求，針對虛擬化、開源化、開放性、大連接、大數據、切片化等5G技術所存在問題，本文均提出了相關技術應對措施。我們應該秉持開放包容、平等互利、合作共贏的理念和原則，推動建立增強互信的雙邊或多邊框架，充分重視各方對 5G 安全問題的正當關切，積極在聯合國國際電信聯盟等多邊組織框架下探討 5G 安全相關國際政策和規則；增進各方戰略互信，進一步完善對話協商機制，加強 5G 網絡威脅信息的共享，有效協調處置重大網絡安全事件。探索最佳實踐，共同分享應對 5G 安全風險的先進經驗和做法。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"參考文獻"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"[1] 5G安全報告 http://www.caict.ac.cn/kxyj/qwfb/bps/202002/P020200204353105445429.pdf"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"[2] 環球網 https://tech.huanqiu.com/article/3y7iasObH9Q"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"[3] 5G新基建面臨五大挑戰 http://www.srrc.org.cn/article24463.aspx"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"[4] 王學靈 5G網絡架構與無線網虛擬http://www.txrjy.com/thread-1071035-1-1.html"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"[5] 5G 確定性網絡產業白皮書 https://www-file.huawei.com/-/media/corporate/pdf/news/5gdn-industry-white-paper-cn.pdf?la=zh"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}