Building Deterministic, Service-Based and Endogenous Security Networks in Data-Centric Way

Enterprise Mobility, Mobile Infrastructure

Article | June 16, 2023

Emerging virtual and hybrid private 5G solutions are enabling communication service providers (CSPs) to address a large number of new consumer and enterprise edge use cases. Each of these edge use cases will require a specific network deployment model and edge user plane connectivity. That’s why we’ve designed our 5G edge user plane to tackle five distinct key capabilities: support of flexible network deployments, 3GPP dual-mode support, integrated Gi LAN services, integrated probing with edge analytics and edge exposure enablement. Let’s dive into this blog post to learn how the powerful 5G edge user plane is unlocking new 5G edge use cases. How technological innovation creates value and benefits society has always interested me, influencing my work as a mobile network technologist and sales professional. Since mobile data was introduced in late 90s, both mobile network technology and mobile consumer use cases have evolved enormously. Indeed, a rapid increase in connectivity speed and the introduction of smartphones have pushed the market to adopt mobile web and video and create thousands of new applications. However, sometimes ‘killer use cases’ require both business case and application ecosystem maturity. One example is video conferencing, one of the key services 3G was designed for but was only introduced when the over-the-top (OTT) vendors disrupted the content provider market and popularized social media. Creation of mobile technology has indeed its own innovation cycles and research feeds and therefore can't depend on market pull, but you can draw the conclusion that the time to value greatly benefits when the broad business and technology ecosystem in the value chain collaborate and co-create solutions. Precisely, what’s really exciting about 5G is that it coincides with the maturity of other two disruptive technology enablers for end applications: artificial intelligence (AI) and cloud edge computing. It also comes at a moment when there’s both an urgent need and huge financial support to digitalize society and industry. In fact, more than ever, we are witnessing a close collaboration between technology and business ecosystems. Over the past few years, there have been a large number of public-private consortiums to feed service requirements into 5G standards, explore and validate the value of 5G technology. For example, just to name few, the 5G alliance for connected Industries and automation (5G-ACIA) or European 5G infrastructure Public Private Partnership (PPP) projects. For years, 3GPP standards have been preparing to define advanced 5G connectivity solutions for edge computing and vertical digitalization use cases. In addition, all sorts of consumer and enterprise edge applications are being developed at the same pace in many areas such advanced video processing, AI analytics, immersive gaming, smart grid applications, automated guided vehicles (AGVs) controls or industry automation. The edge ecosystem is particularly complex and involves different players. One key pillar is the wireless connectivity service CSPs offer. 5G-ACIA introduced the concept of virtual private and hybrid private 5G solutions, two emerging solutions that CSPs are exploring to complement their private 5G network offerings. Such solutions allow CSPs to leverage their existing public networks and offer new services in an agile and cost-effective manner using new 5G capabilities such as network slicing. In order to address edge use cases, virtual and hybrid private 5G solutions need to bring the user plane connectivity to the edge by deploying 5G edge user plane functions. The 5G edge user plane supports flexible network deployments One key learning from industry experimentation with 5G is that each use case brings a unique combination of connectivity requirements, in terms of end-to-end performance (uplink and downlink latency, jitter, packet loss and throughput), data privacy and security, robustness, wide vs local area coverage and mobility. Latency and security requirements drive the selection of the edge location, which can be the enterprise premise, CSP access or regional data center or even the extended public edge such as content delivery networks (CDN) content provider or a hyper cloud provider’s (HCP) edge data center. For example, a mobile gaming application can be located in the CSP regional data center or HCP edge, whereas video processing and AI for a factory automation application is located on the factory premise. Also edge distribution can be accounted by CSP for those use cases which produce significant amount of data such as fixed wireless access (FWA) to optimize backhaul costs. Ericsson has a vast experience supporting and driving the ecosystem to realize time critical communication use cases at scale and has conducted detailed latency analysis for different type of deployments. The RAN deployment needs to be carefully planned according to the specific use case performance characteristics. Some use cases can be achieved with existing macro RAN environment -4G or non-standalone 5G-, with macro RAN standalone 5G with or without dedicated quality of service (QoS) profiles or even may require network slicing to partition macro RAN. In contrast, some other use cases will need dedicated RAN deployments. In addition, most use cases will benefit from a dedicated edge user plane function, as it provides a higher level of performance and robustness. In summary, the concrete edge use cases to be offered and CSP’s own solution preferences drive the type of network solution and deployment, which can be a private 5G network, a virtual or a hybrid 5G private network using existing macro or dedicated RAN, with or without network slicing. The edge 5G user plane function should allow for such deployment flexibility and enable the different edge use cases characteristics. Ericsson Local Packet Gateway (LPG) addresses this by: Supporting any access technology, radio deployment model and RAN vendor Seamlessly integrating with Ericsson’s existing dual-mode 5G Core. which is prepared for slicing, efficient routing to edge (also called edge breakout) and advanced QOS and many other 5G edge features described in more detail in next section. Supporting a fast time to service, deployment simplicity and a very low footprint enabling deployment at scale in any type of edge location, up to on enterprise premises. See our previous LPG 5G edge user plane: key requirements for success for details. Providing a high level of robustness and failure resilience by means of a cloud native user plane application designed for high availability and fault resilience, support of geo-redundancy and support of 3GPP control plane and user plane split (CUPS) interface which can be deployed in full mesh with multiple control planes. User plane can also be deployed as a dedicated function within a slice to secure further characteristics and isolation or as a shared function for various slices. 5G edge user plane should enable transition from 4G to more sophisticated 5G connectivity Most of CSPs are embracing edge opportunities. They are viewing the opportunities as an evolution of their existing offerings rather than a revolution, meaning existing 4G enterprise use cases will still need to be supported for some time as the ecosystem matures to support time-critical communications type of use cases. This means 5G edge user plane should be dual-mode and support such a wide breadth of technology. 5G edge user plane should support both 3GPP compliant serving/packet gateway user function (S/PGW-U) and user plane function (UPF) and evolve with advanced UPF features for time-critical communications, such as more stringent end to end QoS and transmission robustness for ultra-reliable low latency communications (URLLC) or Ethernet connectivity for advanced edge industrial use cases. It should also support 5G peak rates and do not degrade use cases performance characteristics. It should also support dynamic edge routing solutions which are efficient, deployable by multipurpose terminals and mobility proof such as dynamic network slice selection which is preferrable to UPF as uplink classifier as starting solution until standardization evolves. 5G edge user plane should work in conjunction with the CSP’s dual-mode core system, which supports dynamic slicing orchestration, dynamic slice selection, ultra-reliable low latency communications and advanced 5G edge connectivity features such as different service continuity and user plane re-anchoring modes depending on mobility and application resilience needs. Ericsson’s dual-mode 5G Core with Local Packet Gateway provides such advanced 5G connectivity in a pre-verified manner. In fact, the Ericsson Local Packet Gateway Cloud Native Function (CNF) is based on the same software as the Ericsson Packet Core Gateway (PCG), the market leading cloud-native user plane, which is deployed in 5G live networks today. Such deployment flexibility in edge user plane allows CSP to offer distinct use cases. For example, CSPs can offer mobile gaming service by deploying a cloud virtual reality (VR) gaming center application in their regional data centers. Connectivity with guaranteed low latency QoS can be provided by a dedicated 5G network slice with the dedicated Ericsson Local Packet Gateway, deployed close to the gaming application and connected to the CSP’s existing central core network. The mobile gaming application can use a portable device such as VR glasses or use a multi-purpose smartphone or tablet that supports dynamic slice selection. CSP can reuse their existing public network and macro 5G RAN. As another example, CSP can offer 5G edge connectivity to factories or logistic centers for augmented reality (AR) quality inspection. The AR application is deployed on the factory premise and needs an ultra-reliable and low-latency QoS connection to process in real time all the factory images. This is provided by a dedicated Ericsson Local Packet Gateway with ultra-reliable low latency QoS and redundant configuration being deployed on premises. Edge use cases will require user plane services beyond 3GPP There is a set of non-standardized user plane functions deployed in today’s networks (also called GI/N6 LAN functions) for mobile broadband service that would be also relevant for edge use cases. These functions can be categorized as: Traffic acceleration and optimization of access resources e.g., transport layer optimizers or advanced video traffic shapers Network services e.g., carrier grade NAT devices or external load balancers Service aware traffic monitoring and enforcements needed to realize customized CSP charging data plans or comply with some country regulatory such as content filters Network security functions protecting CSP infrastructure and UEs of security attacks such as subscriber firewalls or distributed denial (DDoS) mitigation systems, and Service chain policers and forwarders to chain and offload these GI/N6 LAN functions. Those can be integrated with operator policy framework to compose and program a unique data pipeline which addresses the specific connectivity needs of a given subscriber and application in the context of a certain use case The current GI/N6 LAN market is very fragmented and addressed by many different vendor specific user plane functions. These functions are deployed as separate appliances or virtualized functions, each with their management system, policy integration and cloud orchestration system which significantly increases CSP’s total cost of ownership (TCO) when deploying and managing them. As CSPs start their edge journey they will need to bring some of these GI/N6 functions to the edge. A very simple and cost-efficient strategy to consolidate these functions in one single edge user plane function. This approach is being adopted by Ericsson Local Packet Gateway: it integrates these functions, including advanced integrated Packet Core Firewall, together with the UPF/S/PGW-U functions. This dramatically reduces the TCO and provides a single hop to the end application, which reduces further the latency. Ericsson Local Packet Gateway also allows to compose and tune the set user plane functions applied to a given traffic in one configuration click, which allows to customize the connectivity for each edge use case. Another consideration is that these GI/N6 functions were designed for legacy mobile broadband. This means they will need to evolve to support 5G peak user throughput rates and new 5G segment requirements, e.g., traffic optimizations should focus on optimizing the throughput of uplink transmissions and reducing the overall jitter and latency. Service aware charging models will evolve as 5G gets monetized, security for edge enterprise connectivity will keep evolving as well. Technological innovation in this space is a must for any edge user plane vendor and should be holistic considering the entire ecosystem and end-to-end solution behavior. As one example, edge user plane can leverage 3GPP exposure interfaces for application detection, use collaborative solutions with content providers or RAN to optimize traffic delivery or even adapt traffic optimizations to new end to end rate adaptation mechanisms such as low latency low loss scalable throughput (L4S). Ericsson, as an end-to-end network provider and key contributor to 5G standardization, is working actively in this space. Edge connectivity needs to be monitored and assured CSPs need to monitor, troubleshoot, and assure the edge user plane connectivity. In many cases the CSP organizations dealing with enterprises services have their own analytic and management systems. Those systems need to evolve to provide visibility of the 5G encrypted communication, up to on enterprise premise and without compromising 5G security and provide advanced insights to meet the stringent service level agreements of edge use cases. Example of user plane data feeds are traffic packet and patterns statistics, key performance indicators at transport level or service quality of experience estimates per application, area of interest, slice and subscriber type. CSP analytic use cases will also evolve, meaning network assurance and service experience management use cases will increasingly adopt AI/ML models with distinct and very demanding UP data sets running in parallel. External probing solutions were not designed for these requirements. The cost of evolving and deploying such solutions to thousands of edges is unaffordable. Ericsson Local Packet Gateway addresses this challenge by supporting integrated dual-mode probing capabilities which includes rich, granular data with pre-processed data and advanced data collection profiles avoiding the need of deploying external taps, packet broker and probes at edge. Software probes are a unique Ericsson dual mode 5G Core feature – a feature that’s very popular with our customers for public network and enterprise solutions. CSP will also introduce network data analytics function (NWDAF) function to enable 5G analytics for further 5G automation, new exposure APIs for verticals and data efficiency. An NWDAF can collect edge user plane and public network data to provide real time analytics which can be consumed by the network functions or by the end edge application to improve further the edge connectivity. Example of those analytics are user mobility, network congestion, quality of service, service experience or abnormal user behavior. Ideally, the NWDAF should be distributed at the edge and deployed co-located to the edge user plane for data efficiency, security and lower actuation latency. Ericsson NWDAF supports such distributed and co-located deployment and analytics and can collect pre-standard data from the Local Packet Gateway data until 3GPP rel-18 specifies UPF event exposure. Edge exposure for advanced edge connectivity Exposure through APIs on the edge is becoming increasingly important for CSPs to enable new services, increase their relevance in the 5G ecosystem and become more attractive partners for hyperscale cloud providers, application ecosystems and other players. Edge applications will be able to consume network capabilities and data to provide advanced services and innovate. Data extracted from edge user plane function will be of high value. For example, to determine the exact UE sessions being anchored by a given edge user plane, the actual monitored QoS, etc. Such exposure capabilities in edge user plane allows application to adapt the content delivery or reconfigure dynamically the connectivity, e.g., change dynamically the negotiated QoS or influence edge routing. As mentioned previously, NWDAF user plane analytics can be also exposed for advanced edge use cases. Ericsson is already working with our customers to create new edge use cases using Ericsson Local Packet Gateway and Edge Exposure Server. Stay tuned! Summary: In this blog post we’ve explained the different considerations that need to be taken into account when selecting the 5G edge user plane, and how it enables flexible virtual private and hybrid 4G private solution deployments and address the user experience idiosyncrasy of myriads of edge use cases. The 5G edge user plane has to be small, cost efficient, easy to deploy but still extremely powerful and advanced in terms of dual connectivity and added value features. Ericsson Local Packet Gateway is designed with all these capabilities in mind and integrates seamlessly with existing CSP dual-mode 5G Core, delivering edge use cases was never that easy.

Unified Communications, Network Security

Article | July 10, 2023

The increasing use of mobile applications and digital payment services has not only paved the way for new banking models, but also highlighted the importance of user experience in digital banking. Banking applications are now developed completely on cloud, support multiple platforms, and use AI/ML extensively. Security, a critical aspect of digital banking, has transformed with innovative capabilities like self-service identity verification, passwordless access, risk-based multi-factor authentication (MFA), behavioral analytics, and encryption capabilities. The underlying reason for developing the above-mentioned capabilities is to provide consumers with a secure banking experience, where they can access their financial data without fear and conduct transactions with ease. For the bank employee, it is all about working with the latest digital services and securely accessing them from anywhere. It is important to understand that user experience, be it consumer or workforce, is all about providing convenience and establishing trust. Only then can a financial institution remain ahead of the competition.

5G

Article | May 18, 2023

There was a time when network security meant having servers on-site. A firewall would protect company data whenever internet traffic entered and exited the network. But, what about today? Modern businesses do not strictly function on-premise. With the COVID-19 pandemic, the number of people working off-site part-time or full-time increased enormously – and suddenly. This change compelled cybersecurity professionals to reconsider their security measures. Their online privacy solutions had to ensure that their most precious asset — their data — was secure regardless of where workers accessed it. Even when restrictions are lifted, businesses continue to use remote teams. As a result, more and more of a company's critical data and services are being housed in the cloud. These two criteria indicate that the need to examine network security on a regular basis is here to stay. The good news is that a VPN, or virtual private network, is one of the most simple and widely accessible network security solutions for remote worker internet access. Do VPNs Provide Reliable Business Security? A virtual private network is a kind of Internet security service that enables users to connect to the internet as if they were on a private network. VPNs utilize encryption to provide a secure connection across vulnerable Internet infrastructure. VPNs are one method for protecting business data and controlling user access to that data. The VPNs safeguard data as users interact with applications and websites through the Internet, and they can conceal specific resources. They are typically used for access control, although alternative identity and access management (IAM) systems can also assist with user access management. VPN Encryption Enhances Network Security Data is encrypted so that only authorized parties can view it. Anyone who manages to intercept it, whether a hacker, a fraudster, or another bad actor, is out of luck. Imagine an employee is working from a coffeehouse, shared workspace, hotel, or airport and has access to your company's business-grade VPN. (Please keep in mind that business-or enterprise-grade VPNs are not the same as free VPN services.) The employee can create an encrypted connection between both the user's device and your VPN by using a VPN client installed on their preferred device and a public Wi-Fi network. This device, as well as any others that connect to your VPN, will establish encryption keys on both sides of the network connection. These keys will then encrypt and decrypt the information being exchanged. The data of the person working at the coffeehouse is secured by the VPN after they create an encrypted VPN connection by utilizing the coffeehouse's Wi-Fi as a hotspot with a VPN client. Even if cybercriminals get access to the network of that coffeehouse, your employees and their data are secure within the VPN tunnel. Closing Lines Network security requires a VPN service from a trustworthy VPN provider. Our next-generation VPN enables enterprises to fully protect their assets in a dynamic, cost-effective, and scalable manner. A VPN solution enables you to connect private networks, devices, and servers quickly and simply to create a secure, virtualized, modern internet.

Article | August 9, 2021

Since my last blog post warning about those who were predicting a "new paradigm" of shortage in the semiconductor industry, the media have been shouting about the "chip crisis" alongside the typical daily news diet of disaster and calamity that we have come to expect in the time of COVID. The chip shortage coverage helped create a sense of national anxiety that we were all too reliant on China for semiconductors and, in general, that semiconductor supply was dwindling. The predictable response from governments around the world was to announce plans to stimulate their respective domestic semiconductor manufacturers into expanding chip production capacity. Fast forward a few months, and we are now finally seeing some light at the end of the chip shortage tunnel. Yet, in the wake of all the proclamations and commitments about investing in new chip capacity, we also now see manufacturers going forward with actually starting to build new plants that won't come online for another couple of years. The result, as I said in my last post: overcapacity.