Insight on Green Network Security in 5G
NEC & Fortinet evaluation report for Security Gateway and Carrier-Grade NAT
With the evolution of LTE, 5G and Cloud, many new use cases have emerged, from video-centric, high-bandwidth applications that generate heavy traffic (5G use case: eMBB, live streaming, mobile healthcare) to massive IoT with billions of devices (5G use case: mMTC, smart meters...). All these “beyond connectivity” use cases make user-plane traffic the key element of value-added services such as IoT or AR, to name a few. The increase in user-plane traffic and in the number of devices requires high-performance processing in the network, which in turn translates to higher energy consumption. Ever-growing energy prices and infrastructure size, driven by these “beyond connectivity” services and traffic, are severely impacting the balance sheets of Telco Operators.
As shown below, we have seen a huge spike in energy prices recently, further exacerbating this trend. Network security solutions are no exception: those requiring high-performance capabilities in particular, such as security gateway and carrier-grade NAT, are becoming an increasing concern for operators in terms of operating expense.
What is Security Gateway?
For the 4G/5G RAN, Operators are in the process of deploying tens of thousands of radio sites to enable new services and to handle the ever-expanding traffic loads. Smaller cell sites with limited physical security, unlike the aggregation and core sites, are the most vulnerable points of a mobile network. The growing number of small cell deployments (femtocell, picocell, microcell eNBs, gNBs) increases the risk of breaches like rogue radio connections and man-in-the-middle (MiTM) attacks.
Because all IP-based networks (including mobile backhauls) risk exposing mobile core elements to IP-based attacks and exploitation, the Third-Generation Partnership Project (3GPP) defined specifications to protect 5G and 4G mobile packet core and RAN networks, such as IPsec encryption of signaling and user-plane traffic on the S1/X2 and N2/N3 interfaces.
Today, Operators are implementing IPsec functionality using Security Gateways (SecGWs), with different deployment types based on their topologies and service needs, to preserve data integrity, confidentiality and authentication, to prevent attacks and to protect 5G/4G mobile packet core and RAN networks.
What is Carrier-Grade NAT?
The exponential growth of cloud services, connected devices and subscribers, in part due to the ubiquity of the Internet of Things (IoT), is taking its toll on the availability of global IPv4 addresses, making it impossible or too expensive for operators to buy or lease IPv4 addresses. Network Address Translation (NAT) solutions, which reduce the number of public IP addresses needed by sharing them among private IP addresses, are now the de facto feature for Service Providers against the threat that IPv4 depletion poses to business continuity and growth, providing a short-term safety margin for the long-term plans to migrate to an IPv6 infrastructure. However, even on full IPv6 architectures, carrier-grade network address translation (CGNAT) will still be required in order to avoid the direct exposure of end-devices and customers to external threats.
Due to the sheer number of connected devices, this approach requires a solution with purpose-built Carrier-Grade IPv4/v6 Network service appliances, physical or virtual, with a robust set of CGNAT capabilities like Fortinet’s FortiGate Series.
SECGW & CGNAT Use Cases with Fortinet FortiGate & Savings Validated by NEC 5G Transport Network CoE
NEC has been working with Fortinet to advance network security in the 5G era and, as a global system integrator, has been implementing FortiGate for SECGW and CGNAT purposes for many large global Operators.
Fortinet’s FortiGate appliances have a strong advantage regarding power consumption and rack space per GB/s of bandwidth because of their use of NP7 ASICs. At the laboratory of 5G Transport Network Center of Excellence (CoE), NEC has compared the power consumption of FortiGate against the appliances of other vendors using publicly available data from their data sheets.
When compared against the FG-4800F appliance from Fortinet, the relative power consumption of these vendors ranges from 72% to 508% more consumption for the CG-NAT use case and from 156% to 406% more consumption for the SecGW use case.
In the following exercise we compare present and future requirements of a generic operator G in terms of SecGW and NAT capacity and quantify the savings and advantages using FortiGate appliances.
Total power consumption cost is calculated with the formula:
Total power consumption cost = [(hours in a year × appliance power consumption) + (appliance heat dissipation × power used for cooling)] × kWh energy price
- kWh energy price = 0.18 euro (※2)
- Number of hours in a year: 8760
- Power used for cooling: 0.075 Watt/(BTU/h) (※3)
Operator G - Today
Operator G today has 8 POPs with the following traffic and customers values:
- POPs: 8 Distributed
- Traffic: 1.6 Tbps, 200 Gbps/POP
- Customers: 25 million, 3.125 million/POP
- IPsec Tunnels: 20K Cell Sites
Below you can find specifications of some of the FortiGate appliances:
Based on the previous per-POP user and traffic values, we have selected the following appliances per site for comparison, with a design principle that a single device failure does not cause any traffic outages:
- SecGW: 6x Dell R750 (6+1 redundancy, SR-IOV on)
- CGNAT: 6x Dell R750 (3+1 redundancy, SR-IOV off)
For a 5-year period, our calculations determine that the virtualized solution increases power consumption by about 293% and rack space usage by 120%.
Operator G - 5 Years Later
Global mobile data traffic assumptions show that within 5 years the total traffic amount is going to be quintupled.
In this scenario, Operator G has merged with another operator, resulting in 15 million new subscribers. Based on global forecasts and the new users, traffic and customer values are calculated as below:
- POPs: 8 Distributed
- Traffic: 12.8 Tbps, 1.6 Tbps/POP
- Customers: 40 Million, 5M/POP
- IPsec Tunnels: 60K Cell Sites (new cell sites added)
In the table above you can find specifications of some of the FortiGate appliances.
Based on the per-POP user and traffic values, the following appliances are selected per site for comparison, with a design principle that a single device failure does not cause any traffic outages:
- SecGW: 3x 4800F (n+1 redundancy =2+1)
- SecGW: 35x Dell R750 (45+1 redundancy, SR-IOV on)
For a 5-year period, our calculations determine that the virtualized solutions increase power consumption by about 452% and rack space usage by 528%.
Through several analyses of actual operators’ cases, including the laboratory evaluation in the 5G Transport Network CoE, NEC concludes that Fortinet appliances for SecGW and CGNAT scenarios can achieve up to 452% energy savings and 528% rack-space savings when compared to equivalent virtualized solutions. Moreover, substantial gains can also be achieved when the same Fortinet appliances are compared to equivalent devices from other major players in the market. These results prove that the FortiGate solutions can help Operators to accelerate their green network security strategy.
At NEC, we will continue evaluating multi-vendor, multi-domain solutions at our CoE laboratory, aimed at helping operators find the right solutions to deploy and operate their networks. Together, we are committed to finding the answers to today’s challenges and building the networks for tomorrow as a global system integrator specialized in the telecom industry.
- ※1: Development of electricity prices for non-household consumers, EU 2008-2022: https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Electricity_price_statistics#Electricity_prices_for_non-household_consumers
- ※2: kWh energy price = 0.18 euro: https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Electricity_price_statistics#Electricity_prices_for_non-household_consumers
- ※3: Power used for cooling: 0.075 Watt/(BTU/h): https://www.cedengineering.com/userfiles/HVAC%20Cooling%20Systems%20for%20Data%20Centers%20R1.pdf
- ※4: Global Mobile Network Traffic (EB Per Month): Ericsson Mobility Report | November 2022 Forecasts