Towards Zero-Trust 6GC: A Software Defined Perimeter Approach with Dynamic Moving Target Defense Mechanism
Zeyad Abdelhay, Yahuza Bello, Ahmed Refaey
TL;DR
This paper tackles security gaps in the 6G core by proposing a Software Defined Perimeter (SDP) with Moving Target Defense (MTD) as a zero-trust alternative to VPNs for 5G/6G core networks. It articulates a detailed architectural blueprint (5G-SDP) and integrates NAS-based address mutation to dynamically expand the attack surface, while maintaining session continuity. A testbed comparing SDP against OpenVPN demonstrates SDP’s stronger resilience to port-scanning and DoS attacks, at the cost of higher initialization time and resource usage, but with feasible overheads for real deployments. The work underscores the practicality and potential of SDP-based zero-trust security for 6G, highlighting opportunities for future research in privacy, AI/ML-driven security, and interoperability with emerging 6G technologies.
Abstract
The upcoming Sixth Generation (6G) network is projected to grapple with a range of security concerns, encompassing access control, authentication, secure connections among 6G Core (6GC) entities, and trustworthiness. Classical Virtual Private Networks (VPNs), extensively deployed in Evolved Packet Core (EPC) network infrastructure, are notoriously susceptible to a variety of attacks, including man-in-the-middle incursions, Domain Name System (DNS) hijacking, Denial of Service (DoS) attacks, port scanning, and persistent unauthorized access attempts. This paper introduces the concept of Software Defined Perimeter (SDP) as an innovative solution, providing an alternative to VPNs with the goal of fostering a secure zero-trust milieu within the 6G Core networks. We capitalize on the SDP controller-based authentication and authorization mechanisms to secure the EPC network's control and data plane functions, conceiving an architecture that is extensible to the 6G network. Further, we augment the SDP zero-trust capabilities via the incorporation of a dynamic component, the Moving Target Defense (MTD). This enhances the network's resilience against attacks targeting the traditionally static network environments established via VPNs. Following rigorous testbed analysis, our proposed framework manifests superior resilience against DoS and port scanning attacks when juxtaposed with traditional VPN methodologies.
