
Migrating Mobile Networks To 5G: A Smooth and Secure Approach

1) Most mobile operators are initially deploying 5G networks using a non-standalone architecture that relies on existing 4G LTE networks and cores for control signaling while using new 5G radio access networks. 2) This allows for rapid 5G rollout but does not provide the full benefits of 5G networks. Operators are working on migrating to a standalone 5G core network while maintaining compatibility with 4G networks. 3) Control and user plane separation (CUPS) is an approach that separates the control and user plane functions to facilitate integration of the 5G core with existing 4G networks in a flexible way during the migration.

Uploaded by

Dương Hà


positive-tech.com
Migrating mobile networks to 5G

Contents
Introduction
How 5G networks are being built now
Why the 5G security architecture by itself is not enough
How to protect 5G networks


Introduction
Mobile operators are paying close attention to the network architecture
changes coming with the 5G migration. This evolutionary advance over
fourth-generation (4G/LTE) networks is expected to enable a new level of
service and features for clients. Advantages include exceptional bandwidth
and minimal latency. Most 5G subscribers will actually be Internet of Things
(IoT) devices.

Despite the interest of operators in upgrading to 5G, there have been a few
bumps along the way. Operators are still unsure about how to deploy 5G
networks and, most importantly, how to secure them against information
security threats.

To date, discussion of 5G safety and security has focused more on human
health. Testbed 5G networks in a number of countries have sparked public
concern over possible harm to health. In some cases, mass protests led to
destruction of base stations for 5G and previous-generation (4G, 3G, 2G)
networks: not many people can visually distinguish a 5G base station from
a previous-generation one.

All the while, the information security of 5G networks remains an open
question. Telecom operators are already encountering attacks and, in many
cases, are not sure how to stop future attempts. The deployment of 5G
networks will create new risks for operators due to far-reaching
virtualization, more difficult administration, and use of Internet protocols
that are already well known to hackers. In this article, we will outline how
to safely and systematically bring mobile networks up to 5G.


How 5G networks are being built now
The current approach to 5G by most operators and vendors consists of relying
on previous-generation 4G LTE networks with the Non-Standalone (NSA)
architecture and opting for Option 3 NSA. This is a rapid way for operators
to provide subscribers with 5G access, since they do not need to build a new
core network and can instead focus on the 5G radio access network (RAN).

[Figure 1. Three most popular 5G NSA scenarios. Panels: 3, 3a, 3x; each shows
LTE Core (EPC), 5G Core, LTE RAN, and 5G RAN.]

How does it work? User devices connect to the 5G radio system. But within
the operator network, everything still runs on the old LTE core network
using 4G protocols. Of course, this approach does not offer any of the
benefits of the 5G core. All of the security issues with previous-generation
networks remain for 5G subscribers. On the other hand, operators get a
reliable known quantity that will not cause surprises or headaches.

After that, operators face the question of where to go from there. What is
the best way to get all the benefits of 5G and complete the migration,
without breaking anything that currently works?

One option offered by some telecom equipment vendors is to build a separate
Standalone core network, connect a new gNodeB base station, and do away with
LTE entirely. But this option does not seem realistic. What will operators
do with old networks if many subscriber devices still don't support 5G?
Updating devices to support 5G protocols and architectures on a mass scale
is not possible. Nor will 5G coverage be available everywhere.

That's why the more feasible route is CUPS (Control and User Plane
Separation), a strategy that lays the groundwork for integrating the 5G core
with existing 4G. CUPS separates the network elements responsible for user
data from the elements responsible for managing that data. This will allow
operators to flexibly scale their infrastructure, centralize or decentralize
network hosts, and minimize handling of user data (which, in 5G, will be
present in greater quantities than ever).


The following diagrams illustrate this setup.

Current 4G architecture is as follows:

[Figure 2. EPC architecture: non-roaming. Elements: UE (user equipment),
E-UTRAN, MME, HSS, PCRF, S-GW, P-GW, Internet and data services. Legend:
control plane, user plane.]

Note that between the S-GW and P-GW are both the Control Plane and the
User Plane (GTP protocol).

The 5G architecture is like this:

[Figure 3. Service-based architecture of 5G Core: non-roaming. Elements: UE
(user equipment), (R)AN, NEF, PCF, AF, NSSF, NRF, UDM, AUSF, AMF, SMF, SMSF,
UPF, Internet and data services. Legend: control plane, user plane.]

Here, the Control Plane is separate from the User Plane.

CUPS has been created as a bridge between the two:

[Figure 4. EPC architecture with CUPS: non-roaming. Elements: UE (user
equipment), E-UTRAN, MME, HSS, PCRF, S-GW-C, P-GW-C, S-GW-U, P-GW-U, Internet
and data services. Legend: control plane, user plane.]


The S5 interface is split into S5-C and S5-U, which means the operator can
attach 5GS to the EPC core. Thanks to this, operators can handle
intraoperator roaming between 5G and previous-generation networks.

This setup looks like this:

[Figure 5. Operators can handle intraoperator roaming. Elements: HSS, UDM,
IMS, PCF, SGW, SMF+PGW-C, UPF+PGW-U, MME, AMF, E-UTRAN, NG-RAN, Internet and
data services. Legend: control plane, user plane; 4G, 5G.]

PGW-C then can be upgraded to SMF, PGW-U to UPF, and HSS to UDM. The AMF can
be added in for certain MME functionality. The result is a hybrid network
that supports both LTE and 5G. With a maximum of simplicity, it enables
adding new 5G-capable subscribers while continuing to support older ones.

[Figure 6. Evolving from 4G to 5G. Panels: Existing EPC (PGW, SGW, MME,
E-UTRAN); Existing EPC plus New 5G with interworking (PGW, SGW, MME, E-UTRAN;
SMF+S/PGW-C, UPF+S/PGW-U, AMF, NG-RAN); Dual-mode packet core (PGW, SGW, MME,
SMF+S/PGW-C, UPF+S/PGW-U, AMF, E-UTRAN, NG-RAN). Legend: 4G, 5G.]


Why the 5G security architecture by itself is not enough
Today's strategy for 5G roaming security relies on the Security Edge
Protection Proxy (SEPP).

With the SEPP, roaming should be something like:

[Figure 7. Dedicated security function in 5G for control plane: SEPP.
Elements: HSS, UDM, SEPP (5G roaming), SGW, SMF+PGW-C, UPF+PGW-U, MME, AMF,
E-UTRAN, NG-RAN, Internet. Legend: 4G, 5G.]

SEPP handles security for the Control Plane, which is more critical than the
User Plane. That's why originally there was no separate function for securing
the User Plane, although these days it can be (optionally) protected by
installing an additional UPF IPUPS on the edge of the roaming network.

The secure 5G network then resembles the following:

[Figure 8. Dedicated security function in 5G for user plane: UPF IPUPS.
Elements: HSS, UDM, SEPP (5G roaming), SGW, SMF+PGW-C, UPF+PGW-U, UPF IPUPS,
MME, AMF, E-UTRAN, NG-RAN, Internet. Legend: 4G, 5G.]


We can also expect that the MME will ultimately be combined with the AMF:

[Figure 9. Network with combined MME/AMF. Elements: HSS, UDM, SEPP (5G
roaming), SGW, SMF+PGW-C, UPF+PGW-U, UPF IPUPS, MME/AMF, E-UTRAN, NG-RAN,
Internet. Legend: 4G, 5G.]

Remember that 5G networks in the years to come, instead of being "pure,"
will rely on 4G. Therefore, operators need to place an interconnect from the
current (insecure) 4G network to the new (secure) 5G network.

Putting 5G inside the current 4G roaming network exposes the next-generation
network to threats. Similarly, the MME often is placed on the GTP roaming
network and performs certain old SGSN functionality.

Since networks are so intertwined, merely defending the 5G edge with SEPP
may not be enough. In order to support interconnect from the LTE network,
a real-world operator network might look as shown here:

[Figure 10. New Core: old roaming networks (Diameter/IPX). Elements: HSS,
UDM, SEPP (5G roaming), SGW, SMF+PGW-C, UPF+PGW-U, UPF IPUPS, MME/AMF,
E-UTRAN, NG-RAN, Internet, LTE roaming (Diameter). Legend: 4G, 5G.]

In a case like that, any 5G-only security efforts will be pointless. The UDM
and AMF are on the old (and vulnerable) Diameter network, almost certainly
putting 5G subscribers at risk.


As shown by our research, an attacker can exploit Diameter vulnerabilities
to cause denial of service, perform subscriber geolocation, get subscriber
profile information, obtain encryption keys, and commit fraud.

The same applies to other 5G network elements such as the SMF and UPF,
since with LTE roaming, the PGW-C is connected to the international
interconnect over the S8 interface. So the SMF, which is supposed to be an
internal operator device without direct outside access, may end up vulnerable
to old GTP vulnerabilities from the roaming network, as shown here:

[Figure 11. New Core: old roaming networks (GTP/GRX). Elements: HSS, UDM,
SEPP (5G roaming), SGW, SMF+PGW-C, UPF+PGW-U, UPF IPUPS, MME/AMF, E-UTRAN,
NG-RAN, Internet, LTE roaming (GTP). Legend: 4G, 5G.]

GTP attacks can enable denial of service, fraud, and disclosure of subscriber
connection information. Worse still, based on past telecom security audits,
we can expect cases when the MME may be on the roaming network, while
it fills the role of the AMF as well.

[Figure 12. Misconfiguration of old roaming network: threat for New Core.
Elements: HSS, UDM, SEPP (5G roaming), SGW, SMF+PGW-C, UPF+PGW-U, UPF IPUPS,
MME/AMF, E-UTRAN, NG-RAN, Internet, LTE roaming (GTP). Legend: 4G, 5G.]


How to protect 5G networks
Securing 5G networks with architecture-level protections alone is not
possible. The new networks will be interacting heavily with old ones for
intraoperator handover between 5G and LTE. This is especially true during
the early stages when 5G coverage is less extensive. Because of this, true
5G security must go beyond the features built into the 5G architecture.

Protecting 5G starts with protecting 4G, which at most operators is
vulnerable to a range of threats. All previous-generation protocols must be
secured. The network must be carefully checked for configuration errors,
requiring regular assessment of the state of infrastructure security.

[Figure 13. How to make 5G secure. Elements: Dual-mode packet core (4G/5G);
IP Firewall and IDS toward the Internet; Signaling IDS and Signaling Firewall
toward LTE roaming (Diameter) and LTE roaming (GTP); SEPP and UPF IPUPS
toward 5G roaming; Regular Security Assessment. Legend: install additional
defenses, installed by design.]


Main recommendations:
1. Pay special attention to configuration of signaling networks. Internal
   interfaces must not be accessible from external networks (such as the
   Internet, IPX, and GRX). External pentesting allows identifying such issues.

2. Verify existing defenses (including STR and DEA): if properly configured,
   they can close off many vulnerabilities.

3. Install additional defenses such as an IDS to monitor suspicious activity
   and a signaling firewall to block attacks (this goes for all protocols: SS7,
   Diameter, and GTP).

Only once these basic measures are in place does it make sense for operators
to transition to 5G and its architected protection mechanisms.
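
One way to check the first recommendation against a node inventory, as an added example that is not part of the original paper. The inventory format, node names, interface labels (other than S8), and the "filter" field are assumptions made for illustration; the rule flags any node hosting an internal 5G function (including a combined 4G/5G node, as in Figures 10 to 12) that is attached to an external segment with no defense in front of it.

```python
# Added example: audit a constructed node inventory for 5G core functions that
# are attached directly to external roaming segments. Names are hypothetical.
EXTERNAL_SEGMENTS = {"Internet", "IPX", "GRX"}    # external networks named in the text
INTERNAL_5G_ROLES = {"UDM", "AMF", "SMF", "UPF"}  # functions meant to stay internal
EDGE_ROLES = {"SEPP", "UPF IPUPS"}                # edge functions, external by design

# Constructed sample. "roles" lists every function a node hosts (combined 4G/5G
# nodes list both). "filter" names the defense in front of an interface, or is
# None when the interface is attached directly.
INVENTORY = [
    {"node": "hss-udm-1", "roles": {"HSS", "UDM"}, "interfaces": [
        {"name": "diameter-roaming", "segment": "IPX", "filter": None}]},
    {"node": "pgwc-smf-1", "roles": {"PGW-C", "SMF"}, "interfaces": [
        {"name": "S8", "segment": "GRX", "filter": "signaling-firewall"}]},
    {"node": "mme-amf-1", "roles": {"MME", "AMF"}, "interfaces": [
        {"name": "gtp-roaming", "segment": "GRX", "filter": None},
        {"name": "core-internal", "segment": "core", "filter": None}]},
    {"node": "sepp-1", "roles": {"SEPP"}, "interfaces": [
        {"name": "5g-roaming", "segment": "IPX", "filter": None}]},
]

def audit(inventory):
    """Return one finding per unfiltered external interface on a node that
    hosts an internal 5G role, including combined 4G/5G nodes."""
    findings = []
    for node in inventory:
        exposed_roles = node["roles"] & INTERNAL_5G_ROLES
        if not exposed_roles or node["roles"] & EDGE_ROLES:
            continue  # no internal 5G role here, or an edge function by design
        for iface in node["interfaces"]:
            if iface["segment"] in EXTERNAL_SEGMENTS and iface["filter"] is None:
                findings.append({
                    "node": node["node"],
                    "roles": sorted(exposed_roles),
                    "interface": iface["name"],
                    "segment": iface["segment"],
                })
    return findings

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['node']}: {'/'.join(f['roles'])} reachable from "
              f"{f['segment']} via {f['interface']} with no filter in front")
```
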

Migrating mobile networks_A4.ENG.0004.09
contact@positive-tech.com
