TELCOSEC02-BP03 Segment and isolate telco network domains and slices

To maintain the security and resilience of a telco network in a cloud environment, segment and isolate the various domains within the network. The same understanding applies to the situation where multiple virtual network slices are hosted in a common environment. This approach assists to mitigate the risk of potential security breaches and minimize the impact of an incident.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Establish logical isolation by creating distinct network environments for the various functional domains within the telco network, such as control plane, user plane, management plane, and signaling plane. Implement robust access controls and monitoring mechanisms to restrict and govern cross-domain communication. Achieve physical isolation by leveraging geographically separated infrastructure, if required, and enforce strict access control and identity management. Facilitate secure connectivity between the isolated network domains through encrypted and integrity-protected communication channels and manage the necessary certificates and keys centrally.

Implementation steps

Logical isolation:

Identify the distinct functional domains within the telco network, such as control plane, user plane, management plane and signaling plane.
Use AWS Virtual Private Cloud (VPC) to create distinct and isolated network environments for the different functional domains within the telco network, such as control plane, user plane, management plane, and signaling plane.
Implement network access controls using AWS security groups and network access control lists (NACLs) to restrict and monitor cross-domain communications.
Use AWS VPC Peering to enable secure connectivity between the isolated VPCs, if required.

Physical isolation:

Use AWS Availability Zones and Regions to physically separate the network domains, if needed.
Use AWS Outposts or AWS Local Zones to deploy dedicated infrastructure for specific network domains, maintaining physical isolation.
Integrate AWS Identity and Access Management to enforce strict access control and identity management for personnel and systems interacting with the isolated domains.

Secure connectivity:

Establish secure communication using AWS Direct Connect or Site-to-Site VPN for interconnecting the isolated network domains.
Use AWS Certificate Manager to manage and renew SSL/TLS certificates for secure communication.

Resources

Key AWS services:

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

TELCOSEC02-BP02 Implement features such as concealed or spoofed subscriber identities for signaling over the interfaces with access network

External interface security