Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TR 33.794  Word version:  19.0.0

Top   Top   Up   Prev   None
1…   5…
5 Security Analysis and Considerations6 Key issues7 Solutions8 ConclusionsA Known API Security Risks$ Change history

 

5  Security Analysis and Considerationsp. 10

5.1  Use cases for security evaluation and monitoringp. 10

5.1.0  Generalp. 10

5.1.1  Use case #1: Information on Malformed Messagep. 11

5.1.1.1  Descriptionp. 11

5.1.1.2  Relevant datap. 11

5.1.1.3  Evaluation of the identified datap. 11

5.1.2  Use case #2: Massive number of SBI Messagesp. 11

5.1.2.1  Descriptionp. 11

5.1.2.2  Relevant datap. 12

5.1.2.3  Evaluation of the identified datap. 12

5.1.3  Use case #3: Unauthorized/failed authentication NF service access requestp. 12

5.1.3.1  Descriptionp. 12

5.1.3.2  Relevant datap. 13

5.1.3.3  Evaluation of the identified datap. 13

5.1.4  Use case #4: Reconnaissancep. 13

5.1.4.1  Descriptionp. 13

5.1.4.2  Relevant datap. 14

5.1.4.3  Evaluation of the identified datap. 14

5.1.5  Use case #5: Abnormal SBI Call Flowp. 14

5.1.5.1  Descriptionp. 14

5.1.5.2  Relevant datap. 14

5.1.5.3  Evaluation of the identified datap. 15

5.1.6  Use case #6: API Security Risksp. 15

5.1.6.1  Descriptionp. 15

5.1.6.2  Relevant datap. 16

5.1.6.3  Evaluation of the identified datap. 16

5.1.7  Use case #7: Attacks on network slicesp. 16

5.1.7.1  Descriptionp. 16

5.1.7.2  Relevant datap. 17

5.1.7.3  Evaluation of identified datap. 17

5.2  Security mechanism for dynamic policy enforcementp. 17

5.2.0  Generalp. 17

5.2.1  Security policy enforcement Use Case #1: Access control decision enhancementp. 18

5.2.1.1  Descriptionp. 18

5.2.1.2  Scope of dynamic security policy enforcementp. 18

6  Key issuesp. 19

6.1  Key Issue #1: Data exposure for security evaluation and monitoringp. 19

6.1.1  Key issue detailsp. 19

6.1.2  Security threatsp. 19

6.1.3  Potential security requirementsp. 19

6.2  Key Issue #2: Security mechanisms for policy enforcement at the 5G SBAp. 20

6.2.1  Key issue detailsp. 20

6.2.2  Security threatsp. 20

6.2.3  Potential security requirementsp. 20

6.3  Mapping of Solutions to Key Issuesp. 20

7  Solutionsp. 21

7.1  Solution #1: Network assisted potential data collection and exposure for security evaluation and monitoringp. 21

7.1.1  Introductionp. 21

7.1.2  Solution detailsp. 21

7.1.3  Evaluationp. 23

7.2  Solution #2: Potential data collection and direct exposure for security evaluation and monitoringp. 24

7.2.1  Introductionp. 24

7.2.2  Solution detailsp. 24

7.2.3  Evaluationp. 25

7.3  Solution #3: New Data Collection NFsp. 26

7.3.1  Introductionp. 26

7.3.2  Solution detailsp. 27

7.3.2.1  Generalp. 27

7.3.2.2  SDPI registration and data collection rule configurationp. 27

7.3.3.2  Data Collectionp. 28

7.3.2.4  Data deliveryp. 29

7.3.3  Evaluationp. 30

7.4  Solution #4: Security data collection and exposure to enable detection of compromised NFs in SBA layerp. 30

7.4.1  Introductionp. 30

7.4.2  Solution detailsp. 31

7.4.3  Solution Evaluationp. 31

7.5  Solution #5: Security log events and counter collection for evaluation and monitoring.p. 32

7.5.1  Introductionp. 32

7.5.2  Solution detailsp. 32

7.5.3  Evaluationp. 33

7.6  Solution #6: Data Collection using DCCFp. 33

7.6.1  Introductionp. 33

7.6.2  Solution detailsp. 34

7.6.2.1  NF profile updatesp. 34

7.6.2.2  Data Collection Configurationp. 34

7.6.2.3  Data deliveryp. 35

7.6.2.4  Security datap. 35

7.6.3  Evaluationp. 35

7.7  Solution #7: Security data collection and exposure to enable detection of API security risksp. 36

7.7.1  Introductionp. 36

7.7.2  Solution detailsp. 36

7.7.3  Evaluationp. 37

7.8  Solution #8: Using security log events, counters and protocol signaling monitoringp. 38

7.8.1  Introductionp. 38

7.8.2  Solution detailsp. 38

7.8.2.1  Generalp. 38

7.8.2.2  Use case #1: Information on Malformed Messagep. 38

7.8.2.3  Use case #2: Massive number of SBI Messagesp. 38

7.8.2.4  Use case #3: Unauthorized/failed authentication NF service access requestp. 38

7.8.2.5  Use case #4: Reconnaissancep. 39

7.8.2.6  Use case #5: Abnormal SBI Call Flowp. 39

7.8.2.7  Use case #6: API Security Risksp. 39

7.8.3  Evaluationp. 39

7.9  Solution #9: Security Policy enforcement in SBAp. 39

7.9.1  Introductionp. 39

7.9.2  Solution detailsp. 39

7.9.3  Evaluationp. 40

7.10  Solution #10: Enhancement of SBA access control decision mechanismsp. 41

7.10.1  Introductionp. 41

7.10.2  Solution detailsp. 41

7.10.3  Evaluationp. 43

7.11  Solution #11: Dynamic Security Policy Enforcement Frameworkp. 43

7.11.1  Introductionp. 43

7.11.1.1  Indirect Policy Enforcementp. 43

7.11.1.2  Direct Policy Enforcementp. 43

7.11.2  Solution detailsp. 44

7.11.2.1  Dynamic Security Policy detailsp. 44

7.11.3  Evaluationp. 45

7.12  Solution #12: Policy enforcement using NRF configuration and short access token lifetimep. 45

7.12.1  Introductionp. 45

7.12.2  Solution detailsp. 45

7.12.2.0  Overviewp. 45

7.12.2.1  Policy Enforcement at the NF subject to an attackp. 47

7.12.2.2  Policy Enforcement at NF producersp. 47

7.12.2.3  Policy Enforcement at NF consumersp. 47

7.12.2.4  Policy Enforcement at the NRFp. 47

7.12.2.5  Policy Enforcement at the SCPp. 48

7.12.2.6  Summaryp. 48

7.12.3  Evaluationp. 48

8  Conclusionsp. 50

8.1  Key Issue #1: Data exposure for security evaluation and monitoringp. 50

8.2  Key Issue #2: Security mechanisms for policy enforcement at the 5G SBAp. 50

A  Known API Security Risksp. 51

A.1  Descriptionp. 51

A.1.1  Examples of data to be exposedp. 52

$  Change historyp. 54

Up   Top