Abstract:
In 5G mobile communication network scenarios there is no effective means of monitoring the east-west traffic inside the network, so lateral-movement attacks are difficult to defend against. To address this problem, an endogenous micro-segmentation mechanism is proposed. A lightweight micro-segmentation plug-in built into each network element collects traffic information in real time and reports it to a management module; the management module generates security policies for the network's internal east-west traffic and delivers them to the plug-in, enabling the plug-in to identify, block and raise alerts on abnormal traffic. This achieves fine-grained access control over east-west traffic inside the 5G core network and prevents lateral-movement attacks. The effectiveness of the endogenous micro-segmentation mechanism is analysed both theoretically and experimentally. Performance tests verify that the CPU/memory utilization of the network-element virtual machines remains stable overall before and after the micro-segmentation function is enabled, without large fluctuations, and that the plug-in's CPU/memory consumption during installation and operation is low.
Keywords: 5G mobile communication network; endogenous security; micro-segmentation; access control
DOI: 10.20079/j.issn.1001-893x.231008004

Funding: National Key R&D Program of China (2022YFB2902203)

Endogenous Micro-segmentation Mechanism in 5G Mobile Communication Network
ZHANG Fanglei, ZHUANG Xiaojun, WANG Yue, SU Li, DU Haitao, ZHAO Hongwei
(1. China Mobile Research Institute, Beijing 100032, China; 2. China Mobile Communications Group Co., Ltd., Beijing 100032, China; 3. Hebei Branch, China Mobile Communications Group Co., Ltd., Shijiazhuang 050021, China)
Abstract:
In the scenario of 5G mobile communication networks, there is no effective means to monitor the east-west traffic inside the network, which makes lateral movement attacks inside the 5G core network difficult to defend against. To solve this problem, the authors propose an endogenous micro-segmentation mechanism. A lightweight micro-segmentation plug-in is built into the network element to collect real-time traffic information and report it to the management module. The management module generates security policies for east-west traffic inside the network and delivers them to the micro-segmentation plug-in, enabling the plug-in to identify, block, and alert on abnormal traffic. Thus, it achieves fine-grained access control of the east-west traffic inside the 5G core network and prevents lateral movement attacks. The effectiveness of the endogenous micro-segmentation mechanism is analysed. The performance test verifies that, before and after the micro-segmentation function is enabled, the overall CPU/memory utilization of the network-element virtual machine is smooth without large fluctuations, and that the micro-segmentation plug-in has low CPU/memory resource consumption during installation and operation.
Key words: 5G mobile communication network; endogenous security; micro-segmentation; access control
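The collect, report, generate-policy, deliver and enforce loop described in the abstract, as an added Python sketch that is not the paper's code. The plug-in and manager classes, the network-element names, ports and flows are all constructed for illustration; the policy is a learned allow-list, so any east-west flow not seen repeatedly during learning is blocked and alerted on.

```python
from collections import Counter
from dataclasses import dataclass

# Added illustration of the abstract's workflow, not the paper's code; all
# network-element names, ports and flows are constructed sample data.
@dataclass(frozen=True)
class Flow:
    src_nf: str    # source network element, e.g. "AMF"
    dst_nf: str    # destination network element
    proto: str
    dst_port: int

class ManagementModule:
    """Receives flow reports from the plug-ins and derives an allow-list
    policy for east-west traffic; any flow outside it is anomalous."""
    def __init__(self):
        self.observed = Counter()
    def ingest(self, reports):
        self.observed.update(reports)
    def generate_policy(self, min_count=2):
        # A flow becomes an allow rule only if it recurred during learning,
        # so a single stray connection is not whitelisted by accident.
        return frozenset(f for f, n in self.observed.items() if n >= min_count)

class MicroSegmentationPlugin:
    """Lightweight agent built into one network element: it reports the
    flows it sees, then enforces the policy pushed down by the manager."""
    def __init__(self, nf_name):
        self.nf, self.policy = nf_name, frozenset()
        self.reports, self.alerts = [], []
    def observe(self, flow):            # real-time traffic collection
        self.reports.append(flow)
    def flush_reports(self):            # upload collected flows to manager
        reports, self.reports = self.reports, []
        return reports
    def enforce(self, flow):            # identify, block and alert
        if flow in self.policy:
            return "allow"
        self.alerts.append(f"{self.nf}: blocked unexpected flow {flow}")
        return "block"

def run_demo():
    mgr, amf = ManagementModule(), MicroSegmentationPlugin("AMF")
    sbi = Flow("AMF", "SMF", "tcp", 8080)          # recurring SBI call
    for f in (sbi, sbi, Flow("AMF", "UDM", "tcp", 8080)):   # UDM seen once
        amf.observe(f)
    mgr.ingest(amf.flush_reports())
    amf.policy = mgr.generate_policy()             # policy delivered to plug-in
    unseen = Flow("AMF", "UPF", "tcp", 22)         # constructed: never learned
    return amf.enforce(sbi), amf.enforce(unseen), len(amf.alerts)
```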