White Paper - DISH lays the foundation for 5G network security.
White Paper – April 8, 2021
This white paper describes the security posture and customer benefits
of DISH 5G — the nation’s first, cloud-native, 5G Open Radio Access Network.
Table of Contents
Executive Summary
The DISH Competitive Advantage
Foundational Security Strategy
Firewall, Cloud and Container Security
DDoS/UPP and Security as a Service
Integration and Orchestration
Conclusion
Executive Summary
As DISH builds the nation’s first, cloud-native, 5G Open Radio Access Network (O-RAN), this white paper discusses how the company is prioritizing network, system and end-user security from the outset of network deployment.

In today’s software-driven world, secure connectivity is essential, enabling businesses to increase productivity, transform the way they operate and generate a higher return on investment. 5G connectivity unlocks a new level of innovation, supporting new business models and delivering innovative services and products.

There are always challenges with the deployment of any new technology. The cloud-native environment allows for dynamic orchestration and optimization of workloads in both private and public clouds. Secure mobile connectivity is essential for an increasingly diverse and distributed workforce.

DISH has been engaging with customers that require a robust security solution. These customers are seeking greater control over their networks, data and tools that optimize resources supporting their businesses.

Traditional wireless networks are challenged to adequately meet customers’ future security requirements and expectations. This is because traditional wireless networks are built upon vertically integrated proprietary systems, which are based on closed-network security models.

To meet customers’ needs, DISH needed to design and build an alternative, next-generation network and systems architecture that offers state-of-the-art technology and security.

As a result, DISH developed DISH 5G — a cloud-native solution that integrates network security from the foundation up. To support DISH 5G, the company has selected next-generation strategic partners that provide innovative and best-in-class security solutions, giving much of the control back to the customer. With these key strategic partners, DISH 5G offers customers unprecedented visibility, APIs, tools and security capabilities to complement their existing security model.

A key tenet of the DISH 5G security framework is a zero-trust model. Components of the company’s 5G security design include real-time threat identification and correlation, 5G network slice-based security support with a software chain of trust and end-user controllability. These components improve DISH 5G’s threat detectability and the capability to automatically serve, act and adapt.

This white paper describes how DISH 5G’s network security is more controllable, agile and scalable than traditional networks, and how the company’s strategic security partners contribute to the security model of DISH’s cloud-native, 5G O-RAN.
The DISH Competitive Advantage
The timing of the deployment of DISH 5G puts the company at an advantage, providing it with the
opportunity to build a state-of-the-art, cloud-native network without the burden of traditional 2G,
3G and 4G systems. The technology DISH has chosen to deploy integrates a new level of threat
correlation, 5G network slice security, end-user visibility and customer control from day one, with
a zero-trust posture.
DISH evaluated whether to deploy a modern, cloud-native, open 5G network or a traditional, monolithic network, considering the possible security ramifications of each approach. Traditional networks are commingled with vertically integrated environments that create end-to-end security challenges and software supply chain security risks. The global nature of software development and the obscurity of the supply chain can allow malicious code to be inserted during the software development process. This can enable the deployment of compromised code within a vertically integrated network, into which a traditional service provider has no visibility throughout the supply chain. Therefore, DISH chose to pursue a modern, cloud-native 5G network.

DISH consulted with customers and numerous security companies to begin architecting a 5G network that is more secure than traditional networks. As a result, DISH 5G was born, addressing the need for a new security model and taking advantage of the industry shift toward a disaggregated, cloud-native architecture with security built into each layer of the network.

Management and transparency through all aspects of the supply chain are critical to understanding the security posture and reducing the attack surface. While it’s fairly straightforward to manage and monitor the supply chain for physical assets, software is more challenging. As part of a zero-trust security posture, transparency and monitoring of the end-to-end software supply chain are mandatory to reduce security risks and vulnerabilities.

While traditional networks may critique DISH 5G’s open network security, an open environment allows for security hardening through independent software audits, code validation, community testing and adaptation.

With traditional networks, every client traverses the same network, inherently increasing the threat exposure and attack surface.

By contrast, DISH 5G is using today’s cloud-native technology, coupled with sophisticated, embedded chipset security and open interfaces, to enable the adoption of a “best of breed” approach. This approach leverages a software supply chain of trust and a CI/CD process for software development, testing and deployment. DISH 5G allows components to be switched out, upgraded and specialized for specific use cases to satisfy customers.

DISH is working closely with strategic partners that share its vision of a highly secure, open, cloud-native, intelligent, containerized and interoperable 5G network.

Containerization and virtualization provide the ability to dynamically react at the speed of the software, allowing for near-instantaneous identification, response, isolation, redirection and quarantine management models. Real-time response rates are of utmost importance for security, customer control and flexible consumption. Moreover, virtualization technologies, including micro-services, containerization and network slicing, provide enhanced security and isolation at every layer of the 5G network.
As DISH deploys the nation’s first, cloud-native, 5G O-RAN, it supports customer-defined network slices, slice-encrypted connections, containerized security, UPP to protect against DDoS and botnet attacks, improved end-user security control and policy management.

The Zero-Trust Model

Security is foundational and must be considered at the beginning of any network deployment, from a hardware-based root of trust up through each software layer in the network. Networks are only as strong as their weakest link; therefore, security solutions need to continually adapt to the threat environment, which is constantly evolving and becoming more sophisticated.

DISH 5G adopted a “secure by design” strategy based on a zero-trust model. This model incorporates certification and key management with advanced, multi-factor client authentication, allowing DISH 5G to integrate best practices into its products while embracing security design principles. With this construct in place, DISH 5G is able to rapidly respond to the ever-changing security needs of network customers.

DISH 5G drives to continuously iterate, modify and enhance the network at the speed of its customers and the velocity of the attack area.

As part of the zero-trust model, DISH 5G is taking the “never trust, always verify” approach. Zero-trust provides threat prevention and more control for both DISH 5G’s internal operations and the customers on its network.

Customer Empowerment Through Network Slicing and Service Orchestration

DISH 5G offers innovative ways to empower customers on the network. Using the most advanced security solutions, DISH 5G is free from the limitations of traditional technology and gives customers more control with access to on-demand secure network slices, encrypted connections and secure, immersive experiences. A key enabler of this level of control is support for 5G secure slicing, providing customers with their own private 5G network.

5G network slicing in a cloud-native, O-RAN environment enables virtualized, logical networks to be interleaved on top of a common physical infrastructure, essentially functioning as a next-generation VPN. Each network slice is provisioned logically as a separate end-to-end network, tailored to meet the unique requirements and SLAs for customers’ applications. This network slicing leverages software-defined networking and the virtualization of 5G core network functions.

In addition to 5G network slicing, service orchestration delivers customized, end-to-end services. Through the orchestration process, DISH 5G defines the customized configurations for customers’ unique applications. Here, wide-ranging security capabilities will be added to ensure customers’ data — both in motion and at rest — is safe and secure.

Finally, rules, workflows and various physical components lie underneath the orchestration canvas before getting coupled together to form customer-specific network slices.

Figure 1 on the following page illustrates DISH 5G’s secure, state-of-the-art architecture and how it’s better equipped to meet customer requirements and demands than traditional networks.
Figure 1

Retrofitted 5G, Based on Legacy Networks
• No Virtualization
• Basic Security Until Traffic Reaches IP Edge
• Lack of Secure Edge Compute
• Traffic Commingled
• Lack of Security Control for the Customer
• Not Enterprise-Ready
Path: User Equipment, Tower Hardware, Back Haul, Evolved Packet Core, IP Edge, Data Network

5G
• High Virtualization
• Security Applied at Every Stage
• Secure Edge Compute
• Network Is Isolated Via Slicing
• Security Control Empowering the Customer
• Enterprise-Class Service
• Software-Defined and Software-Driven
Path: User Equipment, Tower, Front Haul, Distributed Infrastructure, Mid Haul, Secure Encrypted Transport, Back Haul, 5G Core Network, Data Network
Components: Virtualized Distributed Unit, Virtualized Centralized Unit, Mobile Edge Compute, NFV, IP Edge
Security functions: Leading IP Edge Anti-DDoS Protection, Virtualized Security Platform, Security Orchestration, User Device Protection and Control, IoT Device Traffic Anomaly and BotNet Protection
The Challenges for Traditional Networks

Upgrading to 5G from existing 2G, 3G and 4G networks will not deliver the advantages offered by DISH 5G. The inherent limitations of 2G, 3G and 4G, over a diverse geographic landscape, become the burden of a traditional service provider.

Some of the challenges of retrofitting 5G over traditional networks include inadequate security protections, inflexible infrastructure and lack of customer control.

Traditional, one-size-fits-all networks cannot compare to the reliability, latency and flexibility of DISH 5G.

The DISH 5G Advantage

The new capabilities offered by DISH 5G give customers never-before-seen data protection, security and network reliability. New business models demand networks that adapt with the speed and needs of the customer. DISH 5G moves the processing of data out of the traditional data center to the edge of the network, delivering ultra-low latency required by new applications. The advantages of DISH 5G are clear: secure edge computing, hardware and chip-based security, unprecedented customer control and a first-of-its-kind, enterprise-grade wireless infrastructure.

DISH 5G’s architecture provides end-to-end security, advanced threat visibility and secure function isolation. It is also elastic, providing bandwidth that dynamically adjusts both temporally and spatially as customers’ needs change.

Through automation and orchestration, DISH 5G provides the highest level of security at the speed of system workloads, and the network allows for confidential computing at the edge. Customers have full security control from the outset, including flexible UPP, policy management and control with system-enabled self-healing, made possible by AI and ML tools.

DISH 5G supports customers that require control over selected components of the RAN and core network functions.

DISH 5G is also adopting measurable, state-of-the-art security standards beyond those currently found in the industry to provide a higher level of security for its customers.

Figure 2 on the following page shows how DISH 5G uses network slicing to offer end-to-end network services, delivering applications customized to the end-user. New verticals requiring massive connectivity, immersive experiences like VR/AR, machine-to-machine automation and more are made possible with DISH 5G, enabling higher performance, improved predictability, lower cost and greater control over the customer experience.
Figure 2
DISH 5G Network Slicing
With fully virtualized network slicing, DISH offers
end-to-end network services customized to the
specific requirements of each client.
Retrofitted 5G, Based on Traditional Networks
Retrofitted legacy networks lack the flexibility to slice
end-to-end, fully virtual network segments.
Greenfield 5G allows for cloud-native, fully virtualized
networks, capable of dynamically supporting a multitude
of applications and device types.
Retrofitted 5G simply cannot compete.
Foundational Security Strategy
To support DISH 5G, the company has partnered with an initial set of leading industry vendors to
provide the highest level of security for its network and customers. The services provided by this set
of foundational security partners include the following:
Firewall, Cloud and Container Security

DISH 5G utilizes 5G-native, next-generation containerized firewalls. These firewalls include real-time threat correlation, 5G slice security and dynamic security enforcement. They integrate a high degree of automation to manage security efficiently, and focus on controllable, scalable, “as-a-service” offerings. With these services in place, DISH 5G is able to observe and control security across all network layers and locations, including the full stack of the containers and infrastructure, providing comprehensive protection. To manage vulnerabilities, ensure compliance and protect containers at runtime, DISH 5G leverages cloud workload protection capabilities, such as the Prisma Cloud Compute Edition.

DISH has chosen Palo Alto Networks, a cybersecurity leader, to deliver firewall innovation and enable the secure digital transformation of DISH 5G.

DDoS/UPP and Security as a Service

DISH 5G is leveraging tools that provide end-to-end UPP from cybersecurity threats for customers. These tools protect DISH 5G and off-network activities against all types of cyberattacks, such as malware, viruses, ransomware and phishing attacks. The solution allows customers to easily manage their cybersecurity policy and settings, creating a unified experience on all their devices.

DISH 5G also provides customers with end-to-end user UPP from the device to the network and back. UPP ensures protection against even the most sophisticated, emerging DDoS and botnet attacks for both customer devices and the network.

DISH has partnered with Allot, a key provider of innovative network intelligence and security solutions, to support DISH 5G in this critical area.

Integration and Orchestration

While traditional networks are segmented into commingled environments with a shared fate, DISH 5G leverages secure, dedicated network slicing to enable a zero-trust security posture.

DISH has partnered with Nokia to help provide DISH 5G with end-to-end security and orchestration, from the physical hardware level to each application. Nokia is a leading technology and services company, supporting mobile networks, cloud platforms and other access technologies, and provides the tools and solutions needed to enable DISH 5G to manage security operations.
Conclusion
In an agile world, traditional wireless networks present
significant roadblocks to meeting customers’ future
security requirements. A one-size-fits-all approach and
a “trust me” model are things of the past. The changing
business landscape demands new network technologies
and security solutions that push computing to the edge
of the network, provide support for new applications
and offer end-users more control and visibility. These
expectations are only being met by DISH 5G, as the
network is not burdened by any traditional technologies,
including 2G, 3G and 4G platforms.
DISH 5G secures its network for tomorrow’s customers,
providing intelligence and control beyond what is
available today. DISH 5G customers are able to focus
on their core business with assurance around security
and privacy, while having the prerequisite visibility and
network intelligence to rapidly respond to any threat.
DISH 5G customers are equipped to solve network
and wireless challenges of the future. DISH 5G has
surpassed the status quo by coupling powerful security
solutions with unprecedented customer control.
In short, the benefits of DISH 5G are limitless, providing
increased controls, 5G network slicing, unmatched threat
visibility and more for network customers.
Acronyms
2G 2nd Generation
3G 3rd Generation
4G 4th Generation
5G 5th Generation
AI Artificial Intelligence
API Application Programming Interface
CI/CD Continuous Integration/Continuous Delivery
DDoS Distributed Denial of Service
IoT Internet of Things
ML Machine Learning
MVNO Mobile Virtual Network Operator
NSA Non-Standalone
O-RAN Open Radio Access Network
RAN Radio Access Network
SLA Service Level Agreement
SMB Small- and Medium-Sized Business
UPP User Plane Protection
VPN Virtual Private Network
VR/AR Virtual Reality/Augmented Reality
About DISH
DISH Network Corporation is a connectivity company.
Since 1980, it has served as a disruptive force, driving
innovation and value on behalf of consumers. Through
its subsidiaries, the company provides television
entertainment and award-winning technology to millions
of customers with its satellite DISH TV and streaming
SLING TV services. In 2020, the company became a
nationwide U.S. wireless carrier through the acquisition
of Boost Mobile. DISH continues to innovate in wireless,
building the nation’s first, cloud-native, Open RAN-based
5G broadband network. DISH Network Corporation
(NASDAQ: DISH) is a Fortune 250 company.