5G Equipment ID and Subscriber ID Security
Information about 5G equipment ID and subscriber ID security.
5G is the next generation of mobile technology. New use cases, services, and applications in 5G fall into the areas of enhanced Mobile Broadband (eMBB), Ultra-Reliable and Low Latency Communications (URLLC), and massive IoT (MIoT). High-value assets and critical processes run on 5G networks. Early adopters of 5G technology are enterprises focused on smart manufacturing, transport and logistics, critical infrastructure, oil, gas, and mining. 5G will accelerate the evolution of IoT as more devices become connected.
The attack surface increases in 5G. One major concern is the greater number of devices connected to 5G networks, which gives attackers more opportunities to exploit device vulnerabilities. For example, the larger population of connected devices makes it easier to launch a DDoS attack. Most of these devices likely lack robust security and software update mechanisms, and compromised devices can also degrade service on the 5G network itself.
Security is one of the top concerns of organizations planning to adopt 5G. Network security capabilities are required that can identify and prevent attacks at the granularity of an individual device (equipment identifier) or an individual subscriber (subscriber identifier).
Detecting these threats in 5G mobile networks requires identifying the compromised equipment, devices, subscribers, and users. Preventing them requires the ability to apply network security based on the equipment ID, which in 5G is the Permanent Equipment Identifier (PEI) and includes the International Mobile Equipment Identity (IMEI), and on the subscriber ID, which in 5G is the Subscriber Permanent Identifier (SUPI) and includes the International Mobile Subscriber Identity (IMSI).
5G network functions communicate with each other using the HTTP/2 protocol, and these HTTP/2 messages carry mobile network identifiers such as the PEI and SUPI. Traffic from IoT devices is carried in GTP-U tunnels in the 5G network. The firewall is positioned on the N3 and N11 interfaces so that it can inspect both the GTP-U user-plane traffic (N3) and the HTTP/2 control-plane messages (N11), and it correlates the identifiers learned from the control plane with the IP traffic inside the GTP-U tunnels. This correlation is what lets a security event on user-plane traffic be attributed to a specific PEI or SUPI rather than only to a UE IP address.
You can apply network security based on the equipment identity of any device or equipment or the subscriber identity of any subscriber or user that is trying to access your 5G network.
You can investigate a security event related to a piece of equipment in a 5G network when you have the PEI including IMEI, or a security event related to a subscriber when you have the SUPI including IMSI. You can look at the traffic, threat, URL filtering and WildFire® logs and reports.
You can apply the following per equipment ID or subscriber ID: application control, Antivirus, Anti-Spyware, URL filtering, intrusion prevention, and advanced threat prevention with WildFire. Policy can match a single IMEI or IMSI, or a group of IMEIs or IMSIs.
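The following is an added example, written for this page and not taken from PAN-OS or from any Palo Alto Networks code, that shows the mechanism the preceding paragraphs describe: identifiers (SUPI, PEI) learned from N11 control-plane messages are bound to the uplink GTP-U tunnel and UE IP address, each N3 user-plane packet is then decapsulated and attributed to a subscriber and a piece of equipment, and an IMSI-range or IMEI-TAC deny list is evaluated against it. The N11 body is a constructed, flattened JSON record; real Nsmf_PDUSession bodies are multipart and carry the tunnel information inside N2 SM information, so the field names ueIpv4Address and ulTeid, the verdict strings, and all identifier values are assumptions for illustration. The GTP-U parsing follows the GTPv1-U header layout (flags, message type, length, TEID, optional sequence/N-PDU/extension-header fields).

```python
"""Added example: correlate SUPI/PEI learned on N11 with GTP-U traffic on N3
and apply an IMSI/IMEI-based policy. Not PAN-OS code; all sample data is constructed."""
import ipaddress
import json
import struct
from dataclasses import dataclass

GTPU_G_PDU = 0xFF            # GTP-U message type carrying user data (T-PDU)
GTPU_FIXED_HDR_LEN = 8       # flags, message type, length, TEID


@dataclass
class SessionContext:
    supi: str      # "imsi-<MCC><MNC><MSIN>"
    pei: str       # "imei-<15 digits>" or "imeisv-<16 digits>"
    ue_ip: str     # IPv4 address assigned to the PDU session
    ul_teid: int   # uplink GTP-U TEID on N3


class Correlator:
    """Binds identifiers seen on N11 (HTTP/2) to tunnels seen on N3 (GTP-U)."""

    def __init__(self):
        self.by_teid = {}

    def learn_n11(self, body: str) -> SessionContext:
        # Constructed flat JSON; "ueIpv4Address" and "ulTeid" are assumed field names.
        j = json.loads(body)
        ctx = SessionContext(j["supi"], j["pei"], j["ueIpv4Address"], int(j["ulTeid"], 16))
        self.by_teid[ctx.ul_teid] = ctx
        return ctx


def parse_gtpu(frame: bytes):
    """Return (teid, inner_src_ip, inner_dst_ip) from a GTPv1-U G-PDU carrying IPv4."""
    flags, msg_type, _length, teid = struct.unpack("!BBHI", frame[:GTPU_FIXED_HDR_LEN])
    if flags >> 5 != 1 or msg_type != GTPU_G_PDU:
        raise ValueError("not a GTPv1-U G-PDU")
    off = GTPU_FIXED_HDR_LEN
    if flags & 0x07:                       # E, S or PN set: 4 optional octets are present
        next_ext = frame[off + 3] if flags & 0x04 else 0
        off += 4
        while next_ext:                    # walk extension headers; length is in 4-octet units
            ext_len = frame[off] * 4
            next_ext = frame[off + ext_len - 1]
            off += ext_len
    inner = frame[off:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner payload is not IPv4")
    return teid, str(ipaddress.IPv4Address(inner[12:16])), str(ipaddress.IPv4Address(inner[16:20]))


class IdPolicy:
    """Deny rules keyed on IMSI prefixes (e.g. MCC+MNC) and IMEI TACs (first 8 digits)."""

    def __init__(self, deny_imsi_prefixes, deny_tacs):
        self.deny_imsi_prefixes = tuple(deny_imsi_prefixes)
        self.deny_tacs = set(deny_tacs)

    def evaluate(self, ctx: SessionContext) -> str:
        kind, _, value = ctx.supi.partition("-")
        if kind == "imsi" and value.startswith(self.deny_imsi_prefixes):
            return "deny-subscriber-id"
        kind, _, value = ctx.pei.partition("-")
        if kind in ("imei", "imeisv") and value[:8] in self.deny_tacs:
            return "deny-equipment-id"
        return "allow"


def inspect_uplink(corr: Correlator, policy: IdPolicy, frame: bytes) -> dict:
    """Tag one N3 uplink packet with SUPI/PEI and the policy verdict."""
    teid, src, dst = parse_gtpu(frame)
    ctx = corr.by_teid.get(teid)
    if ctx is None or ctx.ue_ip != src:    # unknown tunnel, or inner source is not this session's UE
        return {"teid": teid, "src": src, "dst": dst, "supi": None, "pei": None,
                "action": "allow-no-context"}
    return {"teid": teid, "src": src, "dst": dst, "supi": ctx.supi, "pei": ctx.pei,
            "action": policy.evaluate(ctx)}


def build_gpdu(teid: int, src: str, dst: str, seq=None) -> bytes:
    """Constructed test frame: GTP-U header (S flag if seq given) plus a bare IPv4/UDP header."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""
    flags = 0x30 | (0x02 if seq is not None else 0)
    return struct.pack("!BBHI", flags, GTPU_G_PDU, len(opt) + len(inner), teid) + opt + inner


def demo():
    corr = Correlator()
    corr.learn_n11('{"supi":"imsi-001010123456789","pei":"imeisv-3512345678901234",'
                   '"ueIpv4Address":"10.45.0.2","ulTeid":"0x0000A001"}')
    corr.learn_n11('{"supi":"imsi-001019876543210","pei":"imeisv-8699999912345678",'
                   '"ueIpv4Address":"10.45.0.3","ulTeid":"0x0000A002"}')
    policy = IdPolicy(deny_imsi_prefixes=["00101987"], deny_tacs=["35123456"])
    frames = [
        build_gpdu(0xA001, "10.45.0.2", "203.0.113.10", seq=7),   # equipment in a denied TAC
        build_gpdu(0xA002, "10.45.0.3", "203.0.113.10"),          # subscriber in a denied IMSI range
        build_gpdu(0xA003, "10.45.0.9", "203.0.113.10"),          # tunnel with no N11 context
    ]
    return [inspect_uplink(corr, policy, f) for f in frames]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third frame is the case to watch in practice: a tunnel for which no control-plane context was seen (for example, because the firewall came up after the PDU session was established) cannot be attributed to any PEI or SUPI, so ID-based rules do not match it and only IP-based policy applies until the session is re-learned.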
PAN-OS® supports HTTP/2 control messages on an N11 interface.
In addition to the Radio Access Technologies (RATs) supported for 4G, 5G equipment ID and subscriber ID security supports New Radio (NR), the 5G RAT.
When deciding which firewall model to purchase, consider the total number of 3G, 4G, and 5G network identifiers (subscriber IDs and equipment IDs) you need to include as External Dynamic List (EDL) entries or as static entries. The following table gives the capacity of EDL entries and static entries for each firewall model (counts are total identifiers across 3G, 4G, and 5G):

Firewall Model    Identifiers via dynamic EDL    Identifiers via static entries
PA-7080           10,000,000                     100,000
PA-7050           6,000,000                      60,000
PA-5280           2,000,000                      20,000
PA-5260           1,000,000                      10,000
PA-5250           250,000                        5,000
PA-5220           125,000                        5,000
VM-700            300,000                        5,000
VM-500            75,000                         1,000
VM-300            20,000                         500
VM-100            2,000                          200