Configure Intelligent Security using PFCP for User Equipment to IP Address Correlation
11.0
For networks using control plane and user plane separation (CUPS) architecture for 5G
migration, learn how to correlate user equipment (UE) to IP addresses using Intelligent
Security.
As mobile service providers migrate from 4G/LTE to 5G, control plane and user plane
separation (CUPS) is a common architecture in 4G networks; this document also refers to
the control plane as the management plane. With CUPS, the user plane function (UPF) sits
closer to the enterprise (at an edge site or in an on-premises location) while the
control plane remains in a central location, such as a data center.
Correlating a subscriber ID (IMSI) and equipment ID (IMEI) with user traffic requires that the
same firewall inspect both the control (management) plane and the user plane. During
migration to a CUPS architecture, UEIP Correlation (also referred to as Intelligent
Security) keeps Security policy enforcement uninterrupted by correlating the subscriber ID
and equipment ID with the user equipment (UE) IP address carried in GTP-U traffic and
applying GTP-U content inspection to that traffic.
For a solution for 5G networks,
refer to 5G Multi-access Edge Computing
Security.
The firewall monitors the Sxb interface for PFCP control messages and extracts the UE IP
Address IE (UE_IP) and the User ID IE (User_ID), which it uses to map the UE_IP to the
IMEI, the IMSI, or both. It adds the mapping to a database and uses the mapping during
GTP-U content inspection. You can query the database by UE_IP to view the correlated
mobile user information for the UE IP traffic carried inside the GTP-U tunnels of the
CUPS deployment.
If you enable UEIP Correlation, the following options are
not available in the same Mobile Network Protection Profile:
- GTP-C
- 5G-C
- Packet Forwarding Control Protocol (PFCP)
The following diagram represents
a possible configuration for correlation for a 4G MEC topology using
CUPS architecture:
S1-U represents a 3GPP interface that connects a 4G radio access network (RAN) to the serving
gateway user plane (SGW-U) and PDN gateway user plane (PGW-U) combo node using the
GTP-U protocol. The management plane (Sxb) is a 3GPP interface that connects the
PGW-U in the MEC location to the PGW-C in the 4G core at the central location (such
as a public cloud or on-premises data center) using the PFCP protocol.
The SGi interface is also a 3GPP interface; it connects the PGW-U to the external
network (such as the internet or an enterprise IT data center) using
traditional IP-based interfaces.
In this topology, you can
deploy the firewall as external to the MEC host in a hardware form
factor or deploy the firewall on an MEC host in a virtual or container
form factor.
To enforce Security policy based on subscriber ID or equipment ID for a 4G MEC-based enterprise,
position the firewall on the user plane (S1-U) and management plane (Sxb) interfaces
at the MEC location.
The firewall inspects the management plane to extract information for correlation with the user
plane, providing subscriber and equipment-level visibility, as well as policy
control for vulnerabilities, malware, viruses, URLs, C2, and applications at the
SP’s MEC location.
To support correlation, the PFCP session control message (typically the Session
Establishment Request) must contain both the UE IP Address IE and the User ID IE
(Information Element). The User ID IE is conditional in 3GPP TS 29.244, so confirm
that the PGW-C populates it: a session set up without it produces no mapping, and
its traffic is then handled according to the Mode you select below.
- Select Objects > Security Profiles > Mobile Network Protection.
- Add or Edit a profile.
- Select Correlation and enable UEIP Correlation.
- Select the handling Mode, which defines what the firewall does when the lookup
for correlated information fails.
- Loose—(Default) When the firewall detects GTP-U inner traffic, it looks up the source or destination address to find the correlated IMEI or IMSI. If the lookup returns nothing, the firewall still forwards the traffic.
- Strict—The firewall drops the traffic if the lookup returns nothing. Use Strict only after confirming that the firewall sees the complete Sxb exchange and that the User ID IE is present, because traffic from any UE whose session the firewall did not see is dropped.
- Select the Source that you want the firewall to use to correlate the management
plane and user plane information for subscriber-level and equipment-level Security
policy enforcement. The firewall inspects traffic of the source type you select to
extract 5G/4G identity information, such as subscriber ID (SUPI or IMSI), equipment
ID (PEI or IMEI), and the IP address of the user equipment (UE), and correlates it
with 5G/4G subscriber IP traffic.
- PFCP—Inspect PFCP traffic. For deployments using CUPS, select PFCP.
- (Optional but recommended) Select whether you want to log UEIP correlation
events when the firewall learns the IP address allocated to the UE (Log At
Ueip Start), when the firewall sees the allocated IP address released
(Log At Ueip End), or both. The firewall logs the following GTP events during correlation, which you can view at Monitor > Logs > GTP:
- UEIP mapping start
- UEIP mapping end
The logs contain the following user information:
- Subscriber Identity (including IMSI and SUPI)
- Equipment Identity (including IMEI and PEI)
- End User IP address allocated to the UE
- Click OK to save your changes.
- (Optional but recommended) To apply the Mobile Network Protection Profile in security policy on the control (management) plane Sxb interface, enable stateful inspection for GTP traffic.
- Confirm that the profile is Enabled (Policies > Security > Security Policy Rule > Actions > Profile Setting > Mobile Network Protection) to attach it to the security policy for the external user plane (S1-U) interface, and Commit the changes.
- To configure security policy for inner traffic from applications, use App-ID
to configure the Mobile Network Protection Profile in a Security policy rule and
allow the traffic the firewall needs in order to correlate the IP address with the
subscriber ID and equipment ID.
- Using App-ID, configure a Security policy rule for the Sxb interface that allows PFCP traffic between the Sxb nodes (PGW-C and PGW-U) and select the Mobile Network Protection Profile you configured as the Profile Setting (traffic can originate from either endpoint).
- Using App-ID, configure a Security policy rule for the S1-U interface that allows GTP-U traffic between the S1-U nodes (eNodeB and SGW-U) and select the Mobile Network Protection Profile you configured as the Profile Setting (traffic can originate from either endpoint).
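As an added example (not Palo Alto Networks code, and not a description of how PAN-OS is implemented internally), the following Python models the correlation described above: it builds a constructed PFCP Session Establishment Request/Response pair and a Session Deletion Request as they would pass on Sxb, extracts the UE IP Address and User ID IEs, records the UE_IP to IMSI/IMEI mapping (the "UEIP mapping start" and "UEIP mapping end" events), and applies the Loose and Strict handling modes to a GTP-U inner flow. The second session deliberately omits the User ID IE to show why correlation needs it. Message and IE type numbers and encodings follow 3GPP TS 29.244; the IMSI, IMEI, SEIDs and the 10.0.0.x node addresses are placeholders, and only IPv4 UE addresses are decoded.

```python
# Added example, not Palo Alto Networks code; types per 3GPP TS 29.244; messages constructed; IPv4 only.
import ipaddress
import struct

SESSION_ESTABLISHMENT_REQ, SESSION_ESTABLISHMENT_RESP, SESSION_DELETION_REQ = 50, 51, 54
IE_CREATE_PDR, IE_PDI, IE_CAUSE, IE_F_SEID, IE_UE_IP_ADDRESS, IE_USER_ID = 1, 2, 19, 57, 93, 141
GROUPED_IES = {IE_CREATE_PDR, IE_PDI}  # grouped IEs nest further IEs in their value
CP_ADDR, UP_ADDR = ipaddress.IPv4Address("10.0.0.1").packed, ipaddress.IPv4Address("10.0.0.2").packed  # placeholders


def ie(ie_type, value):  # one IE: 2-byte type, 2-byte length, value
    return struct.pack("!HH", ie_type, len(value)) + value


def tbcd(digits):
    """TBCD-encode a digit string: low nibble first, 0xF pads an odd digit count."""
    digits += "F" if len(digits) % 2 else ""
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))
def tbcd_decode(data):
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in data).rstrip("F")


def pfcp_message(msg_type, seid, seq, ies):
    """PFCP v1 header with S=1: flags, type, length (octets after the first 4), SEID, seq, spare."""
    body = b"".join(ies)
    return (struct.pack("!BBH", 0x21, msg_type, 12 + len(body))
            + struct.pack("!Q", seid) + seq.to_bytes(3, "big") + b"\x00" + body)


def parse_ies(data):  # decode a run of IEs into (type, value) pairs, descending into grouped IEs
    if not data:
        return []
    t, n = struct.unpack("!HH", data[:4])
    val = data[4:4 + n]
    return [(t, parse_ies(val) if t in GROUPED_IES else val)] + parse_ies(data[4 + n:])


def find(ies, ie_type):  # depth-first search for the first IE of the given type, else None
    for t, v in ies:
        hit = v if t == ie_type else (find(v, ie_type) if isinstance(v, list) else None)
        if hit is not None:
            return hit


def parse_pfcp(raw):
    flags, msg_type, length = struct.unpack("!BBH", raw[:4])
    assert flags >> 5 == 1 and flags & 0x01, "expected PFCP v1 with a SEID"
    return msg_type, struct.unpack("!Q", raw[4:12])[0], parse_ies(raw[16:4 + length])


def decode_ue_ip(value):
    """UE IP Address IE: flag octet (V6=0x01, V4=0x02) followed by the address."""
    return str(ipaddress.IPv4Address(value[1:5])) if value and value[0] & 0x02 else None


def decode_user_id(value):
    """User ID IE: flag octet (IMSIF=0x01, IMEIF=0x02) then length-prefixed TBCD fields."""
    pos, ids = 1, {}
    for bit, name in ((0x01, "imsi"), (0x02, "imei")):
        if value and value[0] & bit:
            ids[name], pos = tbcd_decode(value[pos + 1:pos + 1 + value[pos]]), pos + 1 + value[pos]
    return ids or None


class UeipCorrelator:
    def __init__(self, mode="loose"):
        self.mode, self.by_ip, self.pending, self.by_up_seid, self.events = mode, {}, {}, {}, []

    def observe(self, raw):
        msg_type, hdr_seid, ies = parse_pfcp(raw)
        if msg_type == SESSION_ESTABLISHMENT_REQ:  # PGW-C -> PGW-U, header SEID is 0
            ue_ip = decode_ue_ip(find(ies, IE_UE_IP_ADDRESS))
            ids = decode_user_id(find(ies, IE_USER_ID))
            if ue_ip and ids:  # without a User ID IE there is nothing to correlate
                self.by_ip[ue_ip] = ids
                self.pending[struct.unpack("!Q", find(ies, IE_F_SEID)[1:9])[0]] = ue_ip  # CP SEID
                self.events.append(("UEIP mapping start", ue_ip, ids))
        elif msg_type == SESSION_ESTABLISHMENT_RESP:  # PGW-U -> PGW-C, header carries the CP SEID
            if (ue_ip := self.pending.pop(hdr_seid, None)) and find(ies, IE_CAUSE) == b"\x01":
                self.by_up_seid[struct.unpack("!Q", find(ies, IE_F_SEID)[1:9])[0]] = ue_ip  # UP SEID
        elif msg_type == SESSION_DELETION_REQ:  # PGW-C -> PGW-U, header carries the UP SEID
            ue_ip = self.by_up_seid.pop(hdr_seid, None)
            if ids := self.by_ip.pop(ue_ip, None):
                self.events.append(("UEIP mapping end", ue_ip, ids))

    def verdict(self, src_ip, dst_ip):
        """GTP-U inner flow: look up either address; Loose forwards on a miss, Strict drops."""
        ids = self.by_ip.get(src_ip) or self.by_ip.get(dst_ip)
        return ("allow", ids) if ids else (("allow" if self.mode == "loose" else "drop"), None)


def session_establishment_request(cp_seid, ue_ip, imsi=None, imei=None):
    """Constructed PGW-C request; the User ID IE is omitted when no identity is supplied."""
    pdi = ie(IE_PDI, ie(IE_UE_IP_ADDRESS, b"\x02" + ipaddress.IPv4Address(ue_ip).packed))
    ies = [ie(IE_F_SEID, b"\x02" + struct.pack("!Q", cp_seid) + CP_ADDR), ie(IE_CREATE_PDR, pdi)]
    flags, fields = 0, b""
    for bit, digits in ((0x01, imsi), (0x02, imei)):
        if digits:
            flags, fields = flags | bit, fields + bytes([len(tbcd(digits))]) + tbcd(digits)
    if flags:
        ies.append(ie(IE_USER_ID, bytes([flags]) + fields))
    return pfcp_message(SESSION_ESTABLISHMENT_REQ, 0, 1, ies)


def demo(mode):
    """One session with identities, one without, then a deletion; returns verdicts before and after."""
    fw = UeipCorrelator(mode)
    fw.observe(session_establishment_request(0x1001, "10.20.30.40", "001010123456789", "356938035643809"))
    up_f_seid = ie(IE_F_SEID, b"\x02" + struct.pack("!Q", 0x2001) + UP_ADDR)  # PGW-U accepts, assigns SEID
    fw.observe(pfcp_message(SESSION_ESTABLISHMENT_RESP, 0x1001, 1, [ie(IE_CAUSE, b"\x01"), up_f_seid]))
    fw.observe(session_establishment_request(0x1002, "10.20.30.41"))  # PGW-C sent no User ID IE
    before = (fw.verdict("10.20.30.40", "8.8.8.8"), fw.verdict("10.20.30.41", "8.8.8.8"))
    fw.observe(pfcp_message(SESSION_DELETION_REQ, 0x2001, 2, []))
    return before, fw.verdict("10.20.30.40", "8.8.8.8"), fw.events
```

Call `demo("strict")` and `demo("loose")` to compare: the correlated UE is allowed with its identities in both modes, the UE whose session carried no User ID IE is forwarded in Loose and dropped in Strict, and after the Session Deletion Request the first UE's traffic falls back to the same miss handling. The session bookkeeping follows the real exchange: the firewall keys the pending session on the CP F-SEID in the request, learns the UP-assigned SEID from the response, and matches the deletion request on that UP SEID, which is why a firewall that misses the response cannot close the mapping cleanly.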