GTP deployment on a firewall includes Radio Access Network
(RAN) security.
When you deploy a firewall for Radio Access Network (RAN) security,
the firewall inspects the traffic that flows between the Backhaul (BH)
and the EPC. The firewall is typically deployed on the S1-U and S11
interfaces so that it can inspect both GTPv2-C and GTP-U traffic.
When you configure GTP security for RAN,
you should also configure SCTP security for RAN as described in SCTP Use Cases.
If you deploy the firewall for RAN security in a mobile
network that uses both 3G and 4G/LTE technologies, the firewall
supports a deployment option that enforces GTP security in network
topologies that contain a combined Serving Gateway (SGW) and
Packet Gateway (PGW) node, known as an S-PGW. In this network topology,
the S5 interface is not exposed, so to support migration between
3G and 4G/LTE, PAN-OS uses the Gn (SGSN-MME) interface for the
following procedures:
MME to 3G SGSN combined hard handover and SRNS relocation procedure
3G SGSN to MME combined hard handover and SRNS relocation procedure
Routing Area Update
Gn/Gp SGSN to MME Tracking Area Update
E-UTRAN to GERAN A/Gb mode Inter RAT handover
GERAN A/Gb mode to E-UTRAN Inter RAT handover
To view the GTP messages that the firewall generates to support
this capability when you enable Tunnel Management for GTPv1-C
allowed messages, refer to GTP Message Type.
In the following network topology, to apply security policy to
user and control traffic, the firewall must be positioned on the
4G/LTE interfaces, including the Control Plane (S11) and User Plane
(S1-U), as well as the 3G interfaces, which include the Control Plane
(Gn [SGSN-MME]) and the Control and User Plane (Gn [SGSN-GGSN]).
You must enable GTP Security for complete subscriber-level and
equipment-level visibility and policy control over threats and
traffic in your network.