Equipment ID Security in a 5G Network

Secure your 5G traffic with Security policy rules that specify source equipment identifiers.
Detection of threats in 5G mobile networks requires identification of compromised equipment and devices. Prevention requires the ability to apply network security based on equipment ID, which in 5G is the Permanent Equipment Identifier (PEI); the PEI includes the International Mobile Equipment Identity (IMEI).
You can now apply network security based on the equipment identity of any device or equipment that is trying to access your 5G network. Security policy rules and correlation based on 5G PEI including IMEI are supported on:
  • PA-7000 Series firewalls that use the PA-7000-100G-NPC-A, and the PA-7050-SMC-B card or PA-7080-SMC-B card, and the PA-7000-LFC card (the firewall must use all three cards)
  • PA-5200 Series firewalls
  • VM-700, VM-500, VM-300, and VM-100 firewalls
When deciding which firewall model to purchase, consider the total number of 3G, 4G, and 5G network identifiers (Subscriber IDs and Equipment IDs) you need to include as external dynamic list (EDL) entries or static entries. Each firewall model supports a different maximum number of EDL entries and static entries.
  1. Enable GTP Security, commit, and reboot.
  2. Enable inspection of 5G HTTP/2 control packets and content inspection of GTP-U packets by creating a Mobile Network Protection profile.
    1. Select Objects > Security Profiles > Mobile Network Protection.
    2. Add a profile by Name, for example, 5G Mobile security.
    3. On the GTP Inspection tab, select 5G-C.
    4. Enable 5G-HTTP2 to enable inspection of 5G HTTP/2 control packets.
    5. Select GTP-U and enable GTP-U Content Inspection.
    6. Click OK.
  3. Create address objects for the IP addresses assigned to the network elements in your topology, such as the AMF on the N11 interface, the gNB on the N3 interface, the SMF on the N11 interface, and the UPF on the N3 interface.
  4. (Optional) Create an External Dynamic List (EDL) of Type Equipment Identity List; the Source of the list is a server that provides the identifiers of devices connected to the 5G network for which you want to allow (or deny) traffic.
  5. Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
    1. Select Policies > Security and Add a Security policy rule.
    2. For Source Address, Add the address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.
    3. For Destination, Add the Destination Address address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.
    4. Add the Applications to allow, such as gtp-u (the user plane) and web-browsing (which covers the HTTP/2 control traffic).
    5. On the Actions tab, select the Action, such as Allow.
    6. Select the Mobile Network Protection profile you created.
    7. Click OK.
  6. Create another Security policy rule based on Equipment ID.
    1. Select Policies > Security and Add a Security policy rule by Name, for example, Equipment ID Security.
    2. Select the Source tab and Add a Source Zone, or select Any.
    3. Add one or more Source Equipment IDs in any of the following formats (if you configured an EDL, specify that EDL in this step):
      • 5G Permanent Equipment Identifier (PEI) including IMEI
      • IMEI (11 to 16 digits)
      • IMEI prefix of eight digits for the Type Allocation Code (TAC)
      • EDL that specifies IMEIs
    4. Specify destinations.
    5. Add the Applications to allow, for example, ssh, ssl, radmin, and telnet.
    6. On the Actions tab, select the Action, such as Allow.
    7. Click OK.
  7. Commit.
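As an added, worked example that is not part of this page and not Palo Alto Networks code: a Python script that validates and builds the Equipment Identity List that step 4 fetches and step 6 references. It assumes (these assumptions are not from the page) that the list is published as a plain text file with one identifier per line, that the operator's source file may carry `#` comments that must be stripped before publishing, and that the accepted identifier shapes are the ones step 6 lists: an IMEI of 11 to 16 digits, which is additionally verified with its Luhn check digit when it is 15 digits long, or an eight-digit TAC prefix. It goes slightly beyond the page by offering to collapse every IMEI to its TAC so that one entry covers a whole device model.

```python
import re

# Identifier shapes from step 6 of the procedure: a full IMEI is 11 to 16
# digits, a TAC prefix is exactly eight digits. Anything else is rejected.
IMEI_RE = re.compile(r"^[0-9]{11,16}$")
TAC_RE = re.compile(r"^[0-9]{8}$")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; the rightmost digit is the check digit.

    A 15-digit IMEI is 14 digits plus a Luhn check digit, so a mistyped
    or transposed digit is caught here before the entry reaches the firewall.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(entry: str) -> str:
    """Return 'tac', 'imei', or a rejection reason for one identifier."""
    if TAC_RE.match(entry):
        return "tac"
    if not IMEI_RE.match(entry):
        return "not 8 digits (TAC) or 11-16 digits (IMEI)"
    # Only the 15-digit form carries a check digit; 14- and 16-digit
    # entries are accepted as written.
    if len(entry) == 15 and not luhn_ok(entry):
        return "15-digit IMEI fails Luhn check"
    return "imei"


def build_edl(source_text: str, collapse_to_tac: bool = False):
    """Turn an operator-maintained source file into EDL entries.

    Returns (entries, rejected): entries is a sorted, de-duplicated list of
    identifiers to publish; rejected is a list of (entry, reason) tuples.
    With collapse_to_tac=True every IMEI is replaced by its eight-digit TAC,
    so the Security policy rule matches the device model, not one handset.
    """
    entries, rejected = set(), []
    for raw in source_text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # assumed '#' comment syntax
        if not entry:
            continue
        kind = classify(entry)
        if kind == "tac":
            entries.add(entry)
        elif kind == "imei":
            entries.add(entry[:8] if collapse_to_tac else entry)
        else:
            rejected.append((entry, kind))
    return sorted(entries), rejected


def render_edl(entries) -> str:
    """One identifier per line, no comments: the assumed shape of the
    text file the firewall fetches from the EDL Source."""
    return "".join(e + "\n" for e in entries)


# Constructed sample source file; these identifiers are not real devices.
SAMPLE_SOURCE = """\
# Devices allowed on the Equipment ID Security rule
490154203237518     # 15-digit IMEI, Luhn-valid
490154203237519     # same digits, wrong check digit
356938035643809
356938035643809     # duplicate, removed
49015420323751      # 14 digits, no check digit, accepted as-is
35693803            # eight-digit TAC prefix
4901542032375181    # 16 digits (IMEISV-style), accepted as-is
A1B2C3D4            # not an identifier
"""

if __name__ == "__main__":
    entries, rejected = build_edl(SAMPLE_SOURCE)
    print(render_edl(entries), end="")
    for entry, reason in rejected:
        print(f"rejected {entry}: {reason}")
```

Run the validation before each publish of the list, and treat a non-empty rejected set as a failed publish rather than silently dropping lines: an entry that never matches is indistinguishable on the firewall from a device that is not on the list. Keep in mind that the PEI is reported by the device itself, so a rule keyed on it is an enforcement hook for known equipment, not proof of the device's identity.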
