CN-Series
5G Traffic Testing
Table of Contents
5G Traffic Testing
Where Can I Use
This? | What Do I Need? |
|---|---|
|
|
Securing the network edge requires balancing
traffic inspection and control (security requirements) with high
bandwidth, low latency, and real-time access (user experience).
These issues are exponentially more difficult if traffic is processed
by many firewalls, if applications are hosted on edge sites, or
if the network edge is an aggregation point for IoT data. Additionally,
the separation of the user and the control plane in 5G networks
makes it difficult to apply security policy at the subscriber or
device level and lacks context-based visibility for threats. Firewalls
placed with N3 and N4 interface provide:
- Signaling level visibility between connected devices
- Stateful inspection of PFCP & GTP-U
- Correlate subscriber ID/ Equipment-ID /Slice-ID with GTP-U traffic vulnerabilities
The following are the 5g traffic use
cases for CN-Series HSF:
The following diagram illustrates
an enterprise that uses a private 5G network. The 5G core functions
are cloud-based or in the central site of the service provider.
The connection between the 5G access and the UPF uses the N3 interface.
The GTP-U tunnels carry the user plane traffic on the N3 interface.
The connection between the UPF and the Session Management Function
(SMF) uses the N4 interface. The PFCP protocol exchanges packet forwarding
rules using UDP exchanges on the N4 interface.
This diagram illustrates MEC in a 5G network where
the User Plane Function (UPF) is at the edge or MEC location and
the 5G core functions are cloud-based or at the central site of
the service provider. The connection between the 5G access and the
UPF uses the N3 interface and the GTP-U tunnels carry the user plane
traffic over the N3 interface. The connection between UPF and the
SMF uses the N4 interface and the PFCP protocol exchanges packet
forwarding rules using UDP over the N4 interface.
5G Security with N3+N4 Visibility and Correlation Policy
This test case evaluates the ability of the
CNF cluster to inspect and secure the traffic from N3+N4 interfaces.
- As a first step towards inspecting and securing the traffic from N3+N4 interfaces, you will need to enable GTP Security.
- Log in to the firewall web interface.
- Select and SelectGTP-U Security.
- ClickOK.
- Committhe change.
- Select andReboot Device.
- Create a Mobile Network Protection Profile and enable GTP-U inspection.
- Select .
- Adda profile and enter aName, such as5G_Mobile_Network_Protection.
- On thePFCPtab, enableStateful Inspection.
- Select which state checks you want the firewall to perform on PFCP traffic and the action you want the firewall to take if a state check is not successful.
- Determine the state checks you want to use.
- Check Association Messages—Checks for any PFCP association messages that are out of order or that have been rejected.
- Check Session Messages—Checks for any PFCP session messages that are out of order or that have been rejected; verifies that all PFCP session messages match an existing PFCP association; alerts or drops PFCP session messages that arrive before the PFCP association is set up.
- Check Sequence Number—Confirms that the sequence number in the PFCP response matches the sequence number in the preceding PFCP request message.
- Select the action you want the firewall to take if a state check is not successful.
- allow—Allow the traffic and do not generate a log entry in the GTP log.
- block—Block the traffic and generate a high-severity log entry in the GTP log.
- alert—(Default) Allow the traffic and generate a high-severity log entry in the GTP log.
- (Optional) Configure logging for PFCP inspection.
- Select when you want the firewall to generate a log entry.
- Log at PFCP association start
- Log at PFCP association end
- Log at PFCP session start
- Log at PFCP session end
- Enable the Other log settings for PFCP and GTP-U messages
- On theOther Log Settingstab, select the type ofPFCP Allowed Messagesyou want to include in the logs.Enable these options for troubleshooting only.
- Session Establishment—These PFCP messages set up the session, including establishing the GTP-U tunnel.
- Session Modification—These PFCP messages are sent if the session ID or PDR ID changes (for example, as a result of moving from a 4G to a 5G network. It includes messages such as PFCP Session Modification Request and PFCP Session Modification Response.
- Session Deletion—These PFCP messages terminate the PFCP session, including releasing associated resources.
- Create two security policies with source and destination as N3 and N4 interfaces, Application as GTP-U and PFCP respectively.
- Select andAdda Security policy rule byName.
- SelectSourcetab andAddaSource Zoneor selectAny.
- ForSource Address,Addthe address objects for the 5G element endpoints on the N3 interface.
- ForDestination,AddtheDestination Addressaddress objects for the 5G element endpoints on the N3 interface.
- AddtheApplicationsto allow, such as the user plane, which isGTP-UandPFCP.
- On theActionstab, select theAction, such asAllow.
- Select theMobile Network Protectionprofile you created.
- Select other profiles you want to apply, such asVulnerability Protection.
- Select Log Settings, such asLog at Session StartandLog at Session End.
- ClickOK.
- Similarly, create another security policy for N4 interface.
- (Optional)Create another Security policy rule based on Equipment ID/Subscriber ID/Network Slice ID, based protection by entering the EDL information in source.
- Select andAdda Security policy rule byName, for example, Equipment ID Security.
- SelectSourcetab andAddaSource Zoneor selectAny.
- Addone or moreSource EquipmentIDs in any of the following formats:
- 5G Permanent Equipment Identifier (PEI) including IMEI
- IMEI (15 or 16 digits)
- IMEI prefix of eight digits for Type Allocation Code (TAC)
- EDL that specifies IMEIs
- (Optional) You can addSource SubscriberandNetwork Slicenames to this Security policy rule to make the rule more restrictive.
- SpecifyDestination Zone,Destination Address, andDestination DeviceasAny.
- AddtheApplicationsto allow, for example,ssh,ssl,radmin, andtelnet.
- On theActionstab, select theAction, such asAllow.
- Select profiles you want to apply, such asAntivirus,Vulnerability Protection, andAnti-Spyware.
- Select Log Settings, such asLog at Session StartandLog at Session End.
- ClickOK.Expected Test Result:
- Verify the GTP-U logs in the monitor section.
- Verify the details section of the log, for visibility into subscriber, equipment, network slice information.
- Observe that the Rule hitcount increases.
Inbound/Oubound Protection with Application Identification
and Threat Inspection
This test case evaluates the ability for the
CNF cluster to inspect and secure the inbound and outbound traffic
on N6 interface.
The N6 interface carries clear text traffic
over TCP/UDP towards the internet. Now, with the VM-Series firewall
deployed on the N6 interface, you can get complete visibility into
application usage. .The firewall can implement security with CDSS
subscription like - TP, Adv-URL Filtering, Wildfire, DNS security
on allowed traffic.
The following steps are an outline to
execute this test case. For details on executing individual steps,
see 5G Security with N3+N4 Visibility and Correlation Policy.
- Create a security policy for N6 interface with appropriate zones and interface.
- Use the default security profiles or create a custom category for URL filtering, wildfire, vulnerability protection and so on.
- (Optional) Create a custom profile for allowed URL Under the URL category.
- (Optional) Create multiple security policies matching different criterias. While creating the security policy, select the profiles created in step 3.
- Send Traffic.
- Send malicious traffic in inbound / outbound directions and verify if the traffic is blocked.Expected Result:
- Hit count of the policy increases.
- Check the appropriate logs for URL filtering, Traffic, and threat logs.