The Time is Now For (MantisNet) 5G Observability
Forecasts through 2025 Show a 3x Increase in Global 5G Adoption, with 85% of Global Carrier Capex Spending Earmarked for 5G

According to recent market data from GSMA Intelligence (www.gsmaintelligence.com/) the tipping point for the global transition to 5G applications has been reached. As a result, the roll-out of 5G deployments is poised to dramatically accelerate over the next three years. In confirmation of these predictions, we’ve also seen numerous recent announcements about the acceleration of coverage and the 5G subscriber growth from carriers and service providers around the world around (see AT&T, Vodafone, Telefonica, and Deutsche Telekom).

Introduction 

In the security industry, visibility is everything.  As the old adage goes, you can’t stop what you can’t see.  This is why Palo Alto Networks created the Next Generation Firewall and why Mantisnet is seeing such incredible traction with its cloud-native tools in order to fully instrument control, management and dataplane messaging/traffic at the kernel level.  When Palo Alto Networks was created, most firewalls were “stateful firewalls”, and policies were created based on a “5-tuple”, where the 5-tuple was the source and destination address and port, and the protocol (TCP or UDP).  What happens though when you have multiple applications running on the same port?  How do you stop bittorrent on port 443, but allow HTTPS traffic to legitimate web sites?  Thus was born the Next Generation Firewall that could secure any application regardless of what port or protocol it was running on.

There are many aspects of 5G environments that are challenging for establishing visibility. The first example may be the most obvious- 5G is promising an extreme growth in the amount of data being generated. All forecasts for 5G environments indicate that there will be an explosive growth in data, full stop. Cutting edge smart use cases, the proliferation of IoT environments, and a growing reliance on mobile technology for communications and media consumption will all generate a massive amount of data that 5G networks will serve up and host. Given this incoming data storm, does it make sense moving forward with current visibility approaches? Current solutions largely center around the concept of “grab all packets”, or at the very least are "packet centric". Will this approach continue to be sufficient given the enormous amount of data within 5G?

Today’s cloud-native systems are built using containerized, distributed micro-services-based architectures. Accordingly, the Application Programming Interfaces (APIs) these systems utilize are the key to understanding the operations, status, and communications within those systems. Consequently, having deep API-Centric visibility is both critical and necessary for operations and security.

Taking a step back

When discussing the specific benefits and approaches of leveraging eBPF programs, it is very easy to head directly into a technical rabbit hole. The technology is very detailed and can be used for a wide variety of use cases. Consequently, conversations can quickly get wrapped around specifics while glossing over the fundamental elements of the technology. As is true with any newer technology, it is often helpful to level-set and take a step back to discuss the basics. This post will serve to do just that- provide a high level view into the fundamentals of an eBPF program, and more specifically, into an eBPF program being used for 5G SA visibility.

What is eBPF, and why is it so important?

The Extended Berkeley Packet Filter (eBPF) functions constitute a relatively new and powerful set of capabilities embedded in the Linux kernel. First released in 2014 (w/ Linux 3.18) we are seeing accelerating adoption of eBPF for very good reason.

The access that eBPF provides enables a variety of important use-cases in modern cloud-native environments. Use-cases span across application and network performance monitoring, service mesh, load balancing, continuous discovery, dynamic topology and anomaly detection for a variety of development, systems engineering, operations, cloud infrastructure, 5G / IoT, and cybersecurity applications. We discuss these in more detail further below.

As 5G stand alone (SA) environments are beginning to roll out in more earnest, there is an ongoing conversation about how to best support visibility of these container-centric platforms. Network function vendors, carriers, MNOs, and MVNOs all have skin in the game and are taking part in this conversation. At the core of the discussion is a very simple question- what is the best way to instrument and observe these complex and heavily containerized systems?

Traditional tools are no longer viable- this is common knowledge across the ecosystem. The days of deploying taps are long gone, and the days of relying on virtual taps for “cloud resources” have also faded away. We are now firmly in the era of “cloud-native”- the first major evolution of the cloud. Cloud-native has ushered in a new focus on how to best leverage virtual resources and distributed computing, with the core tenet being a shift from VMs and VNFs to containers and CNFs. The challenge now is determining how to best introspect these containerized environments.

How a cloud native packet capture platform can meet the DoD SCCA Requirement

Traditionally full packet capture systems exist to obtain the network communications between various hardware devices – servers, switches, routers – in a physical network environment. With the advent of Kubernetes and cloud native environments that type of traditional approach is no longer effective (or relevant) to provide information into ephemeral resources. Information from microservices and containers such as pod-to-pod, namespaces, and intra-pod communications, etc. are critical for continuous observability and forensic inspection for performance, security, and reliability engineering applications. The evolution of infrastructure and network communications has evolved into virtualized and cloud native architectures such that new technologies are needed to operate and monitor those systems.

Recently, we were approached to partner with a global cloud service provider (CSP) to meet the Department of Defense Secure Cloud Computing Architecture Functional Requirements PDF (DoD SCCA) for Full Packet Capture (FPC) by providing a cloud native FPC solution for their new environments.

How to Get Visibility into 5G SA Ephemeral and Cloud-native Network Resources 

Cloud native and containerized architectures are becoming the de facto design standard for 5G networks and applications. In the telecommunications industry, the players are focused on building out 5G Stand Alone (SA) deployments to deliver the promise of faster connection speeds to enable IoT, medical, autonomous use cases - not to mention improved communications, support the streaming of real-time content and the promise of a myriad of new applications and services. As we work with Tier 1 operators, MVNOs and analytics providers we are encountering a staggering issue: they can no longer adequately monitor, correlate, and measure critical network and application communications events at the container level and across the infrastructure.

The recently announced NSA "instructions for National Security System (NSS), Department of Defense (DoD) and Defense Industrial Base (DIB) system administrators on how to detect, prioritize and replace unauthorized or deprecated TLS protocols with ones that meet current standards.”

Encrypting communications is one of the most critical tools for protecting data. However, if older and out-of-date encryption protocols are in use, that presents a vulnerability that could be exploited to gain access to systems or networks. Updating to the latest TLS 1.3 and the heavily supported TLS 1.2 along with compliant cipher suites and strong authentication is recommended.