Building a Secure Cloud Core Network to Consolidate the Foundation of Digital Society

With the rapid development of information technologies, digital life has become a consensus and inevitable choice for the development of human society. The digital wave is profoundly changing the way of we produce and live. Mobile communication serves as the information base for the construction of digital society. Meanwhile, newly emerged mobile communication technologies are driving the development of a digital society. As the cornerstone of the mobile communications network, a secure and stable cloud core network is essential for information communication and transfer in a digital society. ZTE's Cloud Core Network products prioritize security, and aim to build, maintain, and operate a secure and stable core network from three aspects: high reliability, trustworthiness, manageability.

Highly-Reliable Network Ensures Security

A highly-reliable architecture and highly-reliable products are essential for secure network operations. ZTE's Cloud Core Network offers a highly-reliable and secure network from three aspects: intra-NE, inter-NE, and the network layer.

• Intra-NE Reliability

ZTE's Cloud Core Network equipment is built on a stateless architecture that separates services and data, enabling resource elasticity without service loss. During the elasticity process, user status data remains intact, ensuring service continuity. The service components also support N+M full load sharing, meaning that if one component fails, other components take over the services in real time to ensure that services are not affected. VMs or containers of the same type in an NE are deployed in anti-affinity mode, distributed across different physical hosts or bare machines. In the event of a host failure, the VMs or containers can perform local self-healing or remote regeneration to complete self-recovery.

• Inter-NE Reliability
  

The Cloud Core Network offers various backup modes, including inter-NE load sharing, 1+1 mutual backup, and 1+1 active/standby. The appropriate disaster recovery mode is determined based on the NE type. If a single NE fails, the system utilizes the NE's disaster recovery mechanism to implement recovery between NEs and ensure fast service recovery. If all the disaster recovery NEs of a certain type fail, the bypass function of the adjacent NE interface is activated. This allows for timely bypassing the faulty NE, ensuring maximum continuity of user services. For example, the AMF and SMF support UDM bypass function, and each NF supports NRF bypass function.

• Network-Level Reliability
  

In order to ensure the overall reliability of the Cloud Core Network, it is important to meet the eight-level disaster recovery requirements during network planning and construction. Additionally, the resource pool should be built according to the remote dual-DC solution. In the event of a resource pool fault or an equipment room fault, services can be quickly switched over to a remote equipment room for quick service takeover. With the deployment of the hot standby function of NEs such as AMF/MME, SMF/GW-C, and UPF/GW-U, the takeover efficiency of the Cloud Core Network can be further improved, realizing smooth takeover of terminals without the need for reconnection.

Sometimes, during the normal operation of the network, a fault may trigger a signaling storm where a large number of users access the network concurrently within a short period of time, exceeding the NE's ability to process signaling messages in a timely manner. In addition, when terminal access fails, it attempts to access the network repeatedly, resulting in network congestion.

To effectively prevent signaling storms, the core idea is to implement end-to-end flow control based on source control. The system accepts a proper number of users based on the end-to-end capability dynamically perceived by the source end. This ensures that the back-end NE can handle users within its capability range and avoids overload. To achieve this, the data domain AMF/MME and voice domain PSBC are used as the ingress NEs, and end-to-end flow control is jointly deployed based on the capabilities of the back-end UDM/HSS. This creates a solid barrier to prevent signaling storm.

Trustworthy Technologies Ensure Product Security

Although the Cloud Core Network is located in a trusted domain, it still faces certain information security threats. To address these threats, ZTE uses industry-leading trustworthy security technical standards and integrates trustworthy security into its products. This construction mode provides a stronger shield for the security of the Cloud Core Network, ensuring the trustworthy security of products.

• Data Compliance

ZTE attaches great importance to the security of its core network products. Data security is integrated into the product development lifecycle to ensure the provision of secure products and solutions. ZTE strictly adheres to the laws and regulations of each country and industry. In 2020, the company successfully

passed GSMA's Network Equipment Security Assurance Scheme (NESAS) audit for its development and product lifecycle processes. Additionally, ZTE has implemented more than 100 security activities based on the Building Security in Maturity Model (BSIMM). In 2021, ZTE's 5GC passed the BSIMM 11 security assessment and obtained the 27701 privacy protection certification from the British Standard Institution (BSI).

• Intrinsic Security

ZTE's Cloud Core Network products are designed to strengthen intrinsic security and provide active autonomous network asset security. These products leverage security capabilities across different layers, including infrastructure, virtualization, service, application, and management, to implement network security autonomy, automatic and intelligent analysis of network policies, and flexible orchestration. The goal is to establish an automated, self-defending, and self-adaptive integrated security protection system.

• Quick Response Mechanism

ZTE has established and improved its organizational structure based on three lines of defense to promote product security governance. The product security incident response team (PSIRT) effectively responds to security incidents, and security laboratories are set up to ensure the security, transparency, and trust of products and services.

Manageable Network Maintenance Ensures Reliable Network Operation

The complexity of the Cloud Core Network makes network maintenance challenging. To address this, ZTE provides efficient maintenance tools to reduce reliance on human intervention. By standardizing processes and tools, ZTE manages the quality of solutions and network changes, making network maintenance more transparent and controllable.  

• Visualized O&M

The Cloud Core Network utilizes the core network intelligent analysis (CNIA) system, equipped with health analysis and KPI dashboard features, to analyze various data including alarms, performance, logs, preventive maintenance, and dialing tests. By incorporating AI capabilities, the system generates device health report and visualizes the network operation status, helping to identify potential problems in advance and improve maintenance efficiency.

ZTE's NetScope and NetInsight can be flexibly deployed to display the vertical transport network topology for cross-layer monitoring and fault diagnosis. NetScope is an end-to-end delimiting and locating solution for IP network faults in a virtualized core network. NetInsight is a virtual-layer network O&M tool.

ZTE's EMS+ and the MagicEye tools facilitate horizontal service-domain problem delimiting and locating. EMS+ is a data service analysis tool while MagicEye is a voice service analysis tool. These tools bridge the gap between voice and data services, allowing for quick resolution of voice problems.

• High-Quality Solution

ZTE guarantees the overall quality of its cloud core network solution through integrated verification. The solution is jointly developed by the product service preparation team, integration team, and R&D team. It is then verified in real environments to ensure high quality. The integration team participates in the implementation of the solution to ensure network stability throughout its lifecycle and the availability and reliability of the integrated network solution.

ZTE's Network R&D Institute provides full-process management and control for the initial operation of the solution including compilation, testing, review, and operation support. The goal is to ensure the safe implementation of the solution without any negative impact on the existing network.

To avoid manual operation errors, tools are used to automate operations on complex solutions. For high-risk solutions, the solution test team conducts additional testing and verification, providing an extra layer of assurance for the solution's operation.  

• Automatic Operation

ZTE has established a dedicated team for network change solution automation, using the automatic operation tool integrated in CNIA to encapsulate various operation scenarios and replace manual operations with machines. This approach minimizes risks associated with uncontrollable operation factors caused by different operators and ensures network operation security through automation.

ZTE always prioritizes security, and implements an end-to-end collaborative workflow, both horizontally and vertically, to create a secure Cloud Core Network for users and enterprises. Moving forward, ZTE will continue to advance the cloud core network to be highly reliable, trustworthy, and controllable. This will enable the provision of seamless communications services anytime and anywhere, contributing to the development of a digital society.