Subscriber ID Security in a 4G Network
Table of Contents
10.0 (EoL)
Expand all | Collapse all
-
- Automatic Content Updates Through Offline Panorama
- Enhanced Authentication for Dedicated Log Collectors and WildFire Appliances
- Syslog Forwarding Using Ethernet Interfaces
- Increased Configuration Size for Panorama
- Access Domain Enhancements for Multi-Tenancy
- Enhanced Performance for Panorama Query and Reporting
- Log Query Debugging
- Configurable Key Limits in Scheduled Reports
- Multiple Plugin Support for Panorama
End-of-Life (EoL)
Subscriber ID Security in a 4G Network
Secure your 4G traffic with Security policy rules that
specify source subscriber identifiers.
4G/LTE mobile networks are used by billions
of subscribers worldwide, increasingly to connect the Internet of
Things. This evolution needs context-aware security in the network
to prevent financial and operational risks for service providers
and enterprise customers using private 4G networks. Malware that
infects User Equipment (UE), including smart phones, tablets, laptops
connected via a dongle, and cellular IoT devices, could prevent
the UE from accessing the mobile network and could be part of a
botnet launching an attack against the mobile network infrastructure.
The
impact of such malware to the customer includes battery exhaustion
damage to the device, degraded service, excessive billing, and more.
The impact to the service provider can include customer churn, help
desk calls, billing issues, excessive use of network resources by
infected subscribers and devices, and more. Detection of these threats
in 4G/LTE mobile networks requires identification of infected subscribers;
prevention requires the ability to apply network security based
on subscriber ID, which is an International Mobile Subscriber Identity
(IMSI).
You can now apply network security based on the subscriber
identity of a user who is trying to access your 4G network. Security
policy rules and correlation based on 4G IMSI are supported on:
- PA-7000 Series firewalls
- PA-5200 Series firewalls
- VM-700, VM-500, VM-300, and VM-100 firewalls
- Enable GTP security, commit, and reboot the firewall.
- Enable inspection of 4G GTPv2-C control packets and content inspection of GTP-U packets; create a Mobile Network Protection profile.
- Create address objects for the IP addresses assigned to the network elements in your topology, such as in deployment option 1: the MME on the S11 interface, the eNB on the S1-U interface, and the SGW on the S1-U and S11 interface; or deployment option 2: the SGW on the S5/S8 interface and PGW on the S5/S8 interface.
- (Optional) Create an External Dynamic List (EDL) of Type Subscriber Identity List; the Source of the list provides access to a server that provides identifiers of subscribers connected to the 4G network, for which you want to allow traffic.
- Create a Security policy rule that applies your Mobile Network Protection profile to
application traffic.
- Select PoliciesSecurity and Add a Security policy rule.
- For Source Address, Add the address objects for the 4G network elements you want to allow.
- Add Destination Addresses for the 4G network elements you want to allow.
- Add the Applications to allow, such as gtp-u for the user plane and gtpv2-c for control plane traffic.
- Select Action to Allow; select the Mobile Network Protection profile you created.
- Create another Security policy rule based on Subscriber
ID. Most notably:
- Add one or more Source
Subscriber IDs in any of the following formats (if you
configured an EDL, specify that EDL in this step):
- IMSI (14 or 15 digits)
- Range of IMSI values separated by a hyphen. In a range, only the 11th digit through the 15th digit of the IMSI can change from the start of the range to the end of the range; for example, 111111111111122-111111111119999.
- IMSI prefix of six digits, with an asterisk (*) as the wildcard after the prefix; for example, 926789*
- External dynamic list (EDL) that specifies IMSIs
- Add the Applications to allow, for example, youtube, facebook, linkedin, and twitter.
- Add one or more Source
Subscriber IDs in any of the following formats (if you
configured an EDL, specify that EDL in this step):
- Commit.