Wireless security status progress

New private wireless technology aims to boost business confidence amid growing wireless security concerns

As businesses increasingly rely on wireless technology as the standard means of connectivity and communication for vital operations, security remains a growing concern.

Recent advances in private wireless networks leveraging cellular technology are boosting the confidence of businesses that require the highest level of security for critical applications and use cases that now depend on secure and reliable network connectivity.

Private wireless technology, or so-called 5G LAN, is a type of wireless network that runs cellular (4G/LTE or 5G) radio technology on licensed, shared or unlicensed spectrum, typically in the less crowded mid-range bands between 3.3 and 4.9 GHz. These networks use cellular technology as a wireless local area network, hence the nickname 5G LAN.

Until recently, the use of cellular technology required companies to take advantage of public 4G/LTE or emerging 5G services offered by mobile network operators (MNOs). But concerns about the control and privacy of corporate data using third-party public cellular service have largely limited the use of cellular technology within the enterprise.

5G public privacy concerns

Confidentiality and privacy are routinely among the top security concerns when it comes to the use of public 5G for business connectivity. A larger attack surface, lack of visibility and limited insight into the operator's network are recurring themes cited by enterprises.

In public 4G/5G networks, the collective concern is that faster and more capable networks simply give the MNO access to more data, including corporate data flowing through 5G-connected devices. In the absence of strict privacy and governance laws, users of public 5G networks are left to the MNO's discretion over how that data is used; data and metadata are often monetized through correlation and trend analysis for marketing purposes.

The new 5G LANs are being developed to address the privacy and confidentiality issues inherent in public cellular connectivity through tight integration of cellular access points and mobile network services within the corporate LAN footprint.

Key elements of private wireless security (Credit: Celona)

Some advanced private cellular networks can be configured by corporate IT network and security teams with whatever custom policies and traffic-forwarding rules are required, at any time. This gives the enterprise control over corporate data, its management and its accessibility across the Radio Access Network (RAN, the cellular counterpart of the Wi-Fi access layer) and across the LAN, so that user-plane traffic never transits a third party's network.

All user and device data is protected and contained within the encrypted 5G LAN, from the device to the core of the network. Only metadata and system performance metrics are sent, over a secured channel, to cloud-hosted management systems, giving application delivery teams and wireless network engineers visibility into critical application performance. This customer metadata is stated never to be used for monetization or sold to third parties; teams evaluating such a product should still verify exactly which fields that metadata contains.

Ensure data confidentiality and integrity

5G's air interface encrypts traffic with 128-bit keys; AES-128 in CTR mode (algorithm NEA2) is one of the three standard ciphers, alongside SNOW 3G and ZUC. Some 5G LAN products add AES-256 on other segments of the data path. AES-256 is the symmetric key length called for by NSA's CNSA 2.0 and is considered resistant to known quantum attacks (Grover's algorithm halves the effective key length, leaving 128 bits of security); this is quantum-resistant symmetric encryption, not "quantum encryption" in the sense of quantum key distribution. 5G also improves key derivation and rotation: the long-term subscriber key K never leaves the SIM and the home network's UDM, only derived session keys reach the radio and core functions, and the device's permanent identity is concealed on the air for greater privacy.

Furthermore, data can be protected on each segment of the 5G LAN infrastructure. Advanced traffic-management policies in some systems allow enterprises not only to segment traffic granularly, but also to encrypt groups of devices or applications separately, selected per IP flow. These policies can be mapped directly to corporate network segments such as VLANs, VXLANs, firewall zones or other enforcement points.

Identify and authenticate devices

A key challenge in protecting the volume of heterogeneous endpoints on any corporate network is proper device identification and classification, two tasks that must be completed before security controls can be applied. Indeed, the first of the five steps of the widely used Zero Trust roadmap is to define the protect surface, which begins with a detailed inventory of assets.

The new 5G LANs combine the deterministic and immutable identities inherent in cellular technologies, such as subscriber identity modules (SIMs), with enterprise LAN security controls, including device-specific policies, firewall rules, application service-level requirements and VLAN segments.

Within private wireless networks, each endpoint has unique hardware and software identifiers and follows a secure provisioning process that the company fully controls. This gives businesses an accurate, real-time asset inventory.

Each SIM card embeds a unique subscriber identifier. In 4G/LTE this is the international mobile subscriber identity (IMSI), which the network uses to look up the subscriber's authentication key. The IMSI itself is not privacy-protected: during the initial attach it can be sent in the clear, which is what so-called IMSI catchers exploit; LTE only hides it afterwards behind temporary identifiers (TMSI/GUTI).

5G replaces the IMSI with two related identifiers: the SUPI (Subscription Permanent Identifier) and the SUCI (Subscription Concealed Identifier). The SUPI is the permanent identifier stored on the SIM, and it is what the home network uses to identify and authenticate the subscriber. The SUCI is a freshly concealed form of the SUPI that the device sends over the air instead of the SUPI whenever it has no temporary identifier to use.

The SIM generates the SUCI by encrypting the subscriber-specific part of the SUPI (the MSIN) with the home network's public key, which is provisioned on the SIM, using an ECIES scheme with a fresh ephemeral key pair each time; the home network's routing information (MCC and MNC) stays in clear text so the serving network can forward the request. Only the home network, which holds the matching private key, can recover the SUPI, and because a new ephemeral key is used every time, two SUCIs for the same subscriber cannot be linked. This makes it impractical for an eavesdropper to identify or track a device from what it sends before authentication. (3GPP also defines a "null scheme" that sends the SUPI unprotected; a private network operator should confirm that it is not the scheme in use.)
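The following is an added example, not Celona's code and not a 3GPP reference implementation. It models the SUCI concealment described above along the lines of 3GPP TS 33.501 Annex C "Profile A" (X25519 key agreement, ANSI X9.63 KDF with SHA-256, AES-128-CTR, HMAC-SHA-256 truncated to 8 bytes). The function names `Conceal`, `Deconceal` and `kdfX963` are chosen here; the sample MSIN is an ASCII string rather than the BCD-packed digits a real SIM would encrypt, and the clear-text header (MCC, MNC, routing indicator, scheme ID) is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// kdfX963 is the ANSI X9.63 KDF with SHA-256 used by Profile A:
// Hash(Z || counter || sharedInfo) for counter = 1, 2, ... until outLen bytes.
// sharedInfo is the ephemeral public key.
func kdfX963(z, sharedInfo []byte, outLen int) []byte {
	var out []byte
	for counter := uint32(1); len(out) < outLen; counter++ {
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], counter)
		h := sha256.New()
		h.Write(z)
		h.Write(c[:])
		h.Write(sharedInfo)
		out = h.Sum(out)
	}
	return out[:outLen]
}

// deriveKeys splits the 64 bytes of KDF output as Profile A does:
// 16-byte AES key, 16-byte initial counter block, 32-byte HMAC key.
func deriveKeys(shared, ephPub []byte) (encKey, icb, macKey []byte) {
	km := kdfX963(shared, ephPub, 64)
	return km[:16], km[16:32], km[32:64]
}

func aesCTR(key, icb, in []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes here
	out := make([]byte, len(in))
	cipher.NewCTR(block, icb).XORKeyStream(out, in)
	return out
}

// Concealed is the Profile A "scheme output" carried in the SUCI:
// ephemeral public key (32 bytes) || ciphertext || MAC tag (8 bytes).
type Concealed struct {
	EphemeralPub []byte
	Ciphertext   []byte
	Tag          []byte
}

// Conceal runs on the USIM. It needs only the home network's public key;
// a fresh ephemeral key pair makes every SUCI for the same SUPI look different.
func Conceal(hnPub *ecdh.PublicKey, msin []byte) (*Concealed, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(hnPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	encKey, icb, macKey := deriveKeys(shared, ephPub)
	ct := aesCTR(encKey, icb, msin)
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return &Concealed{EphemeralPub: ephPub, Ciphertext: ct, Tag: m.Sum(nil)[:8]}, nil
}

// Deconceal runs in the home network (UDM/SIDF), the only holder of the
// private key. The MAC is verified before anything is decrypted.
func Deconceal(hnPriv *ecdh.PrivateKey, c *Concealed) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(c.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := hnPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	encKey, icb, macKey := deriveKeys(shared, c.EphemeralPub)
	m := hmac.New(sha256.New, macKey)
	m.Write(c.Ciphertext)
	if !hmac.Equal(m.Sum(nil)[:8], c.Tag) {
		return nil, errors.New("SUCI MAC check failed: tampered or wrong home network key")
	}
	return aesCTR(encKey, icb, c.Ciphertext), nil
}

func main() {
	// Home network key pair: private half stays in the UDM, public half is provisioned on the USIM.
	hnPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msin := []byte("0123456789") // constructed sample; a real MSIN is BCD-packed digits
	suci, err := Conceal(hnPriv.PublicKey(), msin)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ephemeral pub: %x\nciphertext: %x\ntag: %x\n", suci.EphemeralPub, suci.Ciphertext, suci.Tag)
	got, err := Deconceal(hnPriv, suci)
	fmt.Printf("recovered MSIN: %s (err=%v)\n", got, err)
}
```

Running it twice shows a different ephemeral key and ciphertext each time for the same MSIN, which is the unlinkability property the text describes; flipping a bit of the ciphertext or using a different home network private key makes `Deconceal` fail on the MAC check rather than return garbage.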

This effectively eliminates inconclusive endpoint profiling and guesswork about what a device is, who owns it or what applications it runs. Endpoint devices carry immutable identities tied to the physical SIM and/or embedded SIM (eSIM). Within 5G LANs, this identity is used to derive a unique LAN-compatible identity for each connected device, so a device can be identified consistently across both the private cellular network and the corporate LAN. One caveat: a removable SIM identifies the subscription rather than the hardware it sits in, so pairing the SIM with the device's hardware identity (or using eSIM) is what ties the identity to a specific device.

Mitigate long-standing Wi-Fi security issues

While conventional Wi-Fi has been the wireless technology of choice for many years, enterprise Wi-Fi networks are vulnerable to a wide variety of attacks, including man-in-the-middle attacks, rogue access points and packet sniffing.

These attacks can allow attackers to intercept data, steal sensitive information and even gain a foothold on the entire network. While Wi-Fi can be made quite secure, protocol vulnerabilities persist, legacy cipher suites remain in use and misconfigurations are extremely common.

In contrast, cellular networks are harder to attack because their baseline configuration already provides what a well-designed 802.1X network running WPA3-Enterprise provides: per-device credentials, mutual authentication and per-session keys, none of which are optional.

The new 5G LAN technology has opened up new possibilities for businesses to eliminate many of these security weaknesses. Support for Zero Trust strategies through strong device identification, mutual authentication, granular end-to-end segmentation, robust encryption and API integrations are just a few examples.

5G LAN security framework (Credit: Celona)

Client access over a cellular network is widely regarded as more secure because of its medium access method, its encryption, its strong authentication mechanisms and the inherent security features of cellular networks. Mutual authentication is always enforced, so the network and the endpoint authenticate each other, which reduces the opportunity for on-path (man-in-the-middle) attacks, spoofing and rogue devices.

Unlike Wi-Fi, where clients contend for the wireless medium, cellular access and airtime are centrally scheduled and coordinated by the network itself. This lets the organization deliver even the most demanding, latency-sensitive applications.

Additionally, 5G LAN infrastructure components will likely arrive already hardened and include the TPM-based certificates needed to build a trusted network. Device authentication in 5G LANs uses 5G-AKA or EAP-AKA' (the improved EAP-AKA variant 5G mandates), both built on the same SIM credential. Because EAP-AKA' is an EAP method, the same credential can also authenticate a device over non-cellular access such as Wi-Fi, and both protocols produce the keys used for signaling and user-plane integrity protection.
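To make the "mutual authentication is always enforced" point concrete, here is an added model of the AKA challenge-response exchange; it is not Celona's code and not a conformant 5G-AKA implementation. The long-term key K exists only in the `HomeNetwork` (UDM/ARPF) and `USIM` structs and never appears in a message. The function `f` stands in for the MILENAGE functions f1..f5 (HMAC-SHA256 with a label is an assumption made here for readability), the sequence-number check is simplified to "strictly increasing", and the 5G-specific RES*/HXRES* hashing that lets the serving network check the response is omitted.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// f stands in for MILENAGE f1..f5 (3GPP TS 35.206): HMAC-SHA256 keyed with
// the long-term key K and domain-separated by a label. Assumption for this
// model; the real functions differ, the shape of the exchange does not.
func f(k []byte, label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, k)
	m.Write([]byte(label))
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// amf is the authentication management field (constructed constant).
var amf = []byte{0x80, 0x00}

// AuthVector is what the home network produces per authentication attempt.
// RAND and AUTN go to the device; XRES stays in the network.
type AuthVector struct {
	RAND []byte // 16-byte challenge
	AUTN []byte // (SQN xor AK) || AMF || MAC, 16 bytes: the network's proof of K
	XRES []byte // expected response
}

// HomeNetwork models the UDM/ARPF; K never leaves it.
type HomeNetwork struct {
	K   []byte
	SQN uint64 // per-subscriber sequence number
}

// USIM models the SIM: the same K, plus the highest SQN accepted so far.
type USIM struct {
	K   []byte
	SQN uint64
}

func (hn *HomeNetwork) GenerateAV() AuthVector {
	hn.SQN++
	randb := make([]byte, 16)
	rand.Read(randb)
	sqn8 := make([]byte, 8)
	binary.BigEndian.PutUint64(sqn8, hn.SQN)
	sqn := sqn8[2:]                           // 48-bit SQN as in 3GPP
	ak := f(hn.K, "f5", randb)[:6]            // anonymity key hides SQN on the air
	mac := f(hn.K, "f1", sqn, amf, randb)[:8] // MAC over SQN || AMF || RAND
	autn := append(append(xorBytes(sqn, ak), amf...), mac...)
	return AuthVector{RAND: randb, AUTN: autn, XRES: f(hn.K, "f2", randb)[:8]}
}

// Authenticate is the device side: authenticate the network first (MAC),
// reject replays (SQN), and only then answer the challenge with RES.
func (u *USIM) Authenticate(randb, autn []byte) ([]byte, error) {
	if len(autn) != 16 {
		return nil, errors.New("bad AUTN length")
	}
	ak := f(u.K, "f5", randb)[:6]
	sqn := xorBytes(autn[:6], ak)
	rxAMF, rxMAC := autn[6:8], autn[8:16]
	if !hmac.Equal(f(u.K, "f1", sqn, rxAMF, randb)[:8], rxMAC) {
		return nil, errors.New("MAC failure: network did not prove knowledge of K")
	}
	seq := binary.BigEndian.Uint64(append([]byte{0, 0}, sqn...))
	if seq <= u.SQN { // real USIMs accept a window; strictly increasing suffices here
		return nil, errors.New("synch failure: SQN not fresh (replayed challenge)")
	}
	u.SQN = seq
	return f(u.K, "f2", randb)[:8], nil // RES
}

// Verify is the network side: does RES match XRES?
func (hn *HomeNetwork) Verify(av AuthVector, res []byte) bool {
	return hmac.Equal(av.XRES, res)
}

func main() {
	k := bytes.Repeat([]byte{0x42}, 16) // constructed key, provisioned at SIM personalisation
	hn, ue := &HomeNetwork{K: k}, &USIM{K: k}
	av := hn.GenerateAV()
	res, err := ue.Authenticate(av.RAND, av.AUTN)
	fmt.Printf("UE authenticated network: %v\n", err == nil)
	fmt.Printf("network authenticated UE: %v\n", hn.Verify(av, res))
	_, err = ue.Authenticate(av.RAND, av.AUTN)
	fmt.Printf("replayed challenge rejected: %v\n", err != nil)
	rogue := &HomeNetwork{K: bytes.Repeat([]byte{0x99}, 16)}
	rav := rogue.GenerateAV()
	_, err = ue.Authenticate(rav.RAND, rav.AUTN)
	fmt.Printf("rogue base station rejected: %v\n", err != nil)
}
```

The order of checks on the device side is the point: a rogue base station that does not hold K cannot produce a valid AUTN, so the device refuses to answer it at all, and a captured RAND/AUTN pair cannot be replayed because the sequence number is no longer fresh. Only after both checks does the device reveal RES, which in turn is the only thing the network needs to authenticate the device.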

While IoT has been excluded from many Zero Trust scopes because of the complexity of managing devices that have no user behind them and the diversity of connectivity models, 5G LAN technology now gives enterprises centralized visibility and control of enterprise-managed cellular devices, non-traditional endpoints and IoT devices alongside traditional endpoints.

Through tight integration with existing corporate security policies, end-to-end traffic segmentation, mutual authentication between endpoints and 5G LAN infrastructure components, and robust device identification and encryption along the entire wired and wireless data path, organizations can achieve a markedly stronger private wireless security posture than conventional Wi-Fi offers.
