Equipment ID Security in a 4G Network
Table of Contents
Equipment ID Security in a 4G Network
Secure your 4G/LTE traffic with Security policy rules
that specify source equipment identifiers.
4G/LTE mobile networks are used by billions
of subscribers worldwide, increasingly to connect the Internet of
Things. This evolution needs context-aware security in the network
to prevent financial and operational risks for service providers
and enterprise customers using private 4G networks. Malware that infects
User Equipment (UE), including smart phones, tablets, laptops connected
via a dongle, and cellular IoT devices, can prevent the UE from
accessing the mobile network and can be part of a botnet launching
an attack against the mobile network infrastructure.
The impact
of such malware to the customer includes battery exhaustion damage
to the device, degraded service, excessive billing, and more. The
impact to the service provider can include customer churn, help
desk calls, billing issues, excessive use of network resources by
compromised subscribers and devices, and more. Detection of these
threats in 4G/LTE mobile networks requires identification of compromised
equipment; prevention requires the ability to apply network security based
on equipment ID, which is an International Mobile Equipment Identity (IMEI).
You
can now apply network security based on the equipment identity of
any device or equipment that is trying to access your 4G network.
You can secure such things as:
- Internet of small/sensing things
- An area of Massive IoT (smart metering, smart waste management, anti-theft, and asset management)
- Critical IoT (such as health care), wireless payments, home control, vehicle communication, phone, and tablet
Security
policy rules and correlation based on 4G IMEI are supported on:
- PA-7000 Series firewalls
- PA-5200 Series firewalls
- VM-700, VM-500, VM-300, and VM-100 firewalls
- Enable GTP Security, commit, and reboot the firewall.
- Enable inspection of 4G GTPv2-C control packets and content inspection of GTP-U packets; create a Mobile Network Protection profile.
- Create address objects for the IP addresses assigned to the network elements in your topology, such as in deployment option 1: the MME on the S11 interface, the eNB on the S1-U interface, and the SGW on the S1-U and S11 interface; or deployment option 2: the SGW on the S5/S8 interface and PGW on the S5/S8 interface.
- (Optional) Create an External Dynamic List (EDL) of TypeEquipment Identity List; theSourceof the list provides access to a server that provides identifiers of devices connected to the 4G network, for which you want to allow traffic.
- Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
- Select andAdda Security policy rule.
- ForSource Address,Addthe address objects for the 4G network elements that you want to allow.
- AddDestination Addressesfor the 4G network element you want to allow.
- AddtheApplicationsto allow, such asgtp-ufor user plane andgtpv2-cfor control plane traffic.
- SelectActiontoAllow; select theMobile Network Protectionprofile you created.
- Create another Security policy rule based on Equipment ID. Most notably:
- Addone or moreSource EquipmentIDs in any of the following formats (if you configured an EDL, specify that EDL in this step):
- IMEI (15 or 16 digits)
- IMEI prefix of eight digits for Type Allocation Code (TAC)
- External dynamic list (EDL) that specifies IMEIs
- AddtheApplicationsto allow, such asssh,ssl,radmin, andtelnet.
- Commityour changes.