The edge is getting crowded, and mobile operators, cloud providers and enterprises are staking a position to determine who will benefit from edge computing and capture revenues from new services. Amazon, Google, Microsoft and AT&T have already announced major edge strategies that include infrastructure for mobile edge computing that will complement or compete with operators for new low-latency 5G services.
IDC has estimated that by 2023, more than half of all worldwide GDP will be driven by products and services from digitally transformed industries. For organizations to stay competitive in this digital-first economy, services must be able to run anywhere and anytime; that is, the organization must become a “digital first” company. To that end, more than half of all new enterprise infrastructure will be deployed at the edge, instead of in traditional, centralized data centers.
Mobile edge compute or multi-access edge computing (MEC) is part of that macro digital transformation and edge compute technology that will extend the digital reach of enterprise, cloud and service providers.
The evolution of the acronym MEC reflects the integration of mobile with edge technologies. Originally it was “mobile edge compute” as defined by ETSI and then it became “multi-access edge compute,” as it became clear that fixed as well as mobile access could be included. Now MEC often means mobile edge cloud and implies a new ecosystem that merges cloud and 5G mobile infrastructure and the corresponding industries.
So when mobile operators are planning and deploying their 5G networks and transforming their existing 4G/3G networks, they must consider not only how they can best meet the higher expectations of their subscribers, new devices, and new applications, but also how they can best participate in a new ecosystem that includes large cloud providers such as AWS and Microsoft who are also competing for the same enterprise revenue.
Mobile operators already have a number of technology transformations to manage: 4G to 5G, hardware to software, IPv4 to IPv6 migration, and MEC. Their business success depends upon their ability to successfully navigate all the technology changes to provide a seamless subscriber experience and to provide value to those enterprises creating new applications and services.
Here are some important considerations and challenges facing mobile network operators as they begin to deploy 5G and MEC nodes.
The primary value of mobile edge compute is the reduction in latency for subscriber services, but the definition of “edge” can include a few dozen aggregation points or thousands of cell sites, depending upon the operator strategy.
The more distribution points, the closer to the user and therefore the lower the latency that can be derived.
5G services such as telemedicine and connected cars require very low latency levels that can only be reached when network traffic processing functions are moved very close to the user.
Operators have many decisions to make for MEC, including how far to the edge to deploy, how many nodes, which functions to move to those nodes and what form factors they should use for those functions – physical appliances, VMs or containers.
While moving mobile processing functions to distributed data centers does provide low-latency benefits, MEC nodes are often power and space constrained. In the Gi-LAN portion of the core network, this can be especially challenging.
ETSI has defined deployment scenarios for 4G, 5G NSA and 5G SA MEC environments, including analysis of the functions provided in the MEC platform itself. However, in addition to those core network functions, there are a number of functions that operators must also consider for the MEC nodes. This includes functions that in 4G networks would be considered part of the Gi-LAN:
Any or all of these could also be deployed in the MEC nodes to provide security. Most operators have deployed physical appliances in their 4G networks and now must consider whether and how to replicate this in the MEC environment. We have estimated that in their 4G networks, most operators have 10-12 different devices, often from different vendors, that they would have to replicate in each node.
So, if an operator has 1,000 nodes, that would end up being 10,000 devices, which of course, would become unmanageable. Most operators will choose to virtualize these functions as they build out their MEC networks.
The A10 Orion 5G Security Suite provides a consolidated approach that combines multiple functions within a single solution, either as a container, virtual function, or even as a physical appliance. A10 helps operators maintain high performance and low latency in constrained MEC nodes.
5G security is a top concern for operators and in MEC, security is even more critical.
DDoS attacks that might have been lost in the noise in a centralized data center or EPC can become lethal when targeting individual MEC nodes, 5G critical services or customers. Security in MEC environments, especially DDoS protection, is a growing challenge, and it is much more difficult to ensure because of the number of locations and the evolving nature of DDoS attacks.
A10 tracks almost ten million DDoS weapons that are compromised IoT or other devices and are poised and available for malicious actors to use for DDoS attacks.
First, there will be dozens, hundreds or even thousands of these MEC locations, and each location will have its own protection. It’s just harder to monitor and defend multiple locations versus one central data center or EPC. Each node must be protected against DDoS attacks and other threats.
Second, the nature of DDoS attacks has been changing to become more frequent and smaller in size, and DDoS attacks pose a greater threat, not only to the availability of the MEC node itself, but also to the downstream customers it supports.
While we hear about the very large, volumetric attacks, the average DDoS attack in 2019 was only 12 Gbps. The smaller attacks, in the 5 Gbps range, saw the greatest growth. That means that a MEC node that may be scaled to handle only six Gbps of traffic could be easily overwhelmed by the average DDoS attack.
While operators used to be able to continue to over-provision capacity or DDoS protection at a central location and outrun the DDoS attackers in capacity, that may not even be possible in a space/power constrained MEC node and it certainly wouldn’t be cost-effective across so many nodes.
Lastly, operators need to consider the downstream impact on critical 5G services and applications much more than they did with their 4G services. 5G will support many life-critical and public safety applications – services that will also be important new revenue sources for operators. Service providers now need to take a more active role in protecting both their own nodes and the applications of those new customers.
One of the objectives of 5G is to allow operators to more closely align network investment with revenue opportunity and provide capacity on demand. In MEC, this becomes more of a challenge because instead of a central data center or EPC, each node must be sized and scaled. Optimizing investment on a per-site basis is more difficult.
In addition, the services or service clusters that each node will support are often new and can vary quite a bit in traffic characteristics and volume. So, there are a lot of unknowns in the number of subscribers, traffic type and demand on a per-site or per-node basis. Operators don’t want to over-provision, but of course, they also want to provide the quality-of-service needed for each area.
A10 Thunder® CFW provides a scale-out function that allows operators to share capacity across nodes and avoid over-provisioned or idle capacity for unexpected changes in traffic or subscribers. The Thunder CFW nodes are configured in a cluster to act as one, regardless of where they are actually located. If one area suddenly gets overwhelmed, traffic can automatically be redirected to another Thunder CFW node without service disruption.
Furthermore, our FlexPool® licensing allows operators to quickly reallocate licenses for virtual instances to different virtual machines based on changing demand.
These two capabilities help operators optimize their investment on a per-site basis, minimize idle capacity and expand their network more quickly.
Finally, automation is essential for mobile edge compute environments. Now the environment may have dozens, hundreds, or thousands of locations to configure, deploy, turn up, monitor, and maintain. Manual processes that might have worked before will now require automation for all these processes.
A10 has a very robust set of APIs that make configuration and roll-out much simpler, eliminating many configuration or update errors.
In one case study, one customer, a fixed mobile operator, was able to spin up new A10 devices in their MEC nodes in just 20 minutes.
This entire transformation can take multiple years, so it’s important that the equipment operators deploy provides consistent functionality and performance throughout this process. While most operators will virtualize the core functions, they don’t always choose to virtualize all the related functions.
A10, for example, has a number of customers that are starting out with physical appliances for firewall, but plan to swap them out for virtual form factors or containers as they build their services and network and gain more experience with the new distributed architecture.
The flexibility that A10 solutions offer is highly valued in these very dynamic scenarios.
A10 provides scalability, 5G security and flexibility to help operators successfully manage their multiple network transformations.