End-of-Life (EoL)
Network Slice Security in a 5G Network
Secure a 5G network slice by configuring Security policy
rules with source network slice SST names (standardized or operator-specific).
Network operators need tools to investigate security events related to the enterprises and industry verticals served by network slices in a fifth generation (5G) cellular wireless network. A network slice comprises dedicated resources, shared resources, or both (for example, processing power, storage, and bandwidth), and is isolated from other network slices.
You can now apply network
security based on network Slice/Service Type (SST). 5G network functions
communicate with each other using the HTTP/2 protocol over service-based
interfaces. Traffic from User Equipment (UE) and IoT devices is
carried in GTP-U tunnels in the 5G network.
Security policy rules for 5G network slices match on the network Slice/Service Type (SST), which falls into two categories, standardized and operator-specific:
- Network Slice SST, Standardized: three predefined slices, which PAN-OS® delivers in dynamic content updates:
  - eMBB (enhanced Mobile Broadband): for high data rates, such as video streaming.
  - URLLC (Ultra-Reliable Low-Latency Communication): for mission-critical, latency-sensitive applications, such as health care, wireless payments, home control, and vehicle communication.
  - MIoT (Massive Internet of Things): for IoT traffic, such as smart metering, smart waste management, anti-theft, asset management, and location tracking.
- Network Slice SST, Operator-specific: you choose the name for the slice and specify its SST value yourself.
You can apply the following security per network slice or per group of network slices: application control, Antivirus, Anti-Spyware, URL Filtering, intrusion prevention (Vulnerability Protection), and advanced threat prevention with WildFire®. The Network Slice ID SST appears in Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, GTP, and Unified logs; the Network Slice ID SD appears in Traffic, GTP, and Unified logs. Together, these fields let you tie a security event to the enterprise or customer served by that slice. Security policy rules and correlation based on 5G Network Slice are supported on the following firewalls:
- PA-7000 Series firewalls that use the following three cards:
- The PA-7000-100G-NPC
- The PA-7050-SMC-B card or the PA-7080-SMC-B card
- The PA-7000-LFC card
- PA-5200 Series firewalls
- VM-700, VM-500, VM-300, and VM-100 firewalls
- Enable GTP Security, Commit, and reboot the firewall.
- Enable inspection of 5G HTTP/2 control packets by creating a Mobile Network Protection profile.
  - Select Objects > Security Profiles > Mobile Network Protection, Add a profile, and enter a Name.
  - On the GTP Inspection tab, select 5G-C.
  - Enable 5G-HTTP2 to inspect 5G HTTP/2 control packets.
  - Select GTP-U and enable GTP-U Content Inspection.
  - Click OK.
- Create address objects for the IP addresses assigned to the network elements in your topology, such as the AMF and SMF on the N11 interface and the gNB and UPF on the N3 interface.
- Create a Security policy rule that applies your Mobile Network Protection profile to the 5G control-plane and user-plane traffic. This rule is what lets the firewall learn which slice a subscriber session belongs to: the S-NSSAI is carried in the 5G control plane, not in GTP-U headers, so slice-based rules on user-plane traffic depend on 5G-HTTP2 inspection being in place.
  - Select Policies > Security and Add a Security policy rule.
  - For Source Address, Add the address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.
  - For Destination, Add the Destination Address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.
  - Add the Applications to allow, such as gtp-u for the user plane and web-browsing, which covers the HTTP/2 control plane.
  - On the Actions tab, select the Action, such as Allow.
  - Select the Mobile Network Protection profile you created.
  - Click OK.
- Create another Security policy rule based on Network Slices to allow, for example, specific applications for a standardized or operator-specific SST.
  - Select Policies > Security, Add a Security policy rule, and enter a Name.
  - Select Source and Add one or more Network Slices in either of the following formats:
    - Standardized SST: select eMBB, MIoT, or URLLC.
    - Operator-specific SST: enter text,number, where number is the SST value in decimal in the range 128 to 255.
  - Specify Source Zone, Source Address, Source User, and Source Device, or keep the default Any for each.
  - Specify Destination Zone, Destination Address, and Destination Device, or keep the default Any for each.
  - For Applications, select, for example, modbus and web-browsing.
  - On the Actions tab, select the Action, such as Allow.
  - Select the profiles you want to apply, such as Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File Blocking, and WildFire Analysis.
  - Click OK.
- Commit your changes.
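The following is an added example, not PAN-OS code or part of the original page. It ties together the two slice formats described above (standardized names, and text,number for operator-specific SSTs in the 128 to 255 range) with the Network Slice ID SST and SD fields the page says appear in the logs: it decodes an S-NSSAI (1-byte SST plus optional 3-byte SD, as encoded by 3GPP), maps the SST to the name format a Security policy rule expects, validates an entry typed into a rule, and summarises constructed log records per slice so an analyst can see which enterprise slice a set of events belongs to. The log field names nssai_sst and nssai_sd, the operator-specific slice names, and the sample records are assumptions for illustration.

```python
"""Added example (not PAN-OS code): S-NSSAI decoding, slice-name mapping
for Security policy rules, and per-slice event counts over constructed logs.
Field names (nssai_sst, nssai_sd) and operator slice names are assumed."""

from collections import defaultdict

# Standardized SST values (3GPP TS 23.501) that the page lists as predefined
# slices. 3GPP defines further standardized values the page does not list;
# this example maps only the three named there.
STANDARDIZED_SST = {1: "eMBB", 2: "URLLC", 3: "MIoT"}

# Operator-specific SST values occupy 128..255 decimal, as stated on the page.
OPERATOR_SST_MIN, OPERATOR_SST_MAX = 128, 255

# Assumed operator-specific slice names for this example; a real operator
# chooses its own when it defines the slice.
OPERATOR_SLICES = {200: "factory-floor", 201: "smart-grid"}

NO_SD = 0xFFFFFF  # 3GPP: an all-ones SD means "no SD value associated"


def decode_snssai(raw):
    """Decode an S-NSSAI given as 1 byte (SST only) or 4 bytes (SST + SD).

    Returns (sst, sd) with sd None when absent or encoded as all-ones."""
    if len(raw) == 1:
        return raw[0], None
    if len(raw) == 4:
        sd = int.from_bytes(raw[1:4], "big")
        return raw[0], (None if sd == NO_SD else sd)
    raise ValueError("S-NSSAI must be 1 or 4 bytes, got %d" % len(raw))


def slice_rule_name(sst):
    """Return the slice name as it would be entered in Source > Network Slices:
    a standardized name, or 'text,number' for an operator-specific SST.
    Returns None for SST values outside both sets (a choice of this example)."""
    if sst in STANDARDIZED_SST:
        return STANDARDIZED_SST[sst]
    if OPERATOR_SST_MIN <= sst <= OPERATOR_SST_MAX:
        label = OPERATOR_SLICES.get(sst, "operator-sst")
        return "%s,%d" % (label, sst)
    return None


def validate_rule_entry(entry):
    """Check a Network Slice entry typed into a rule: either a standardized
    name, or 'text,number' where number is a decimal SST in 128..255."""
    if entry in STANDARDIZED_SST.values():
        return True
    text, sep, number = entry.rpartition(",")
    if not sep or not text or not number.isdigit():
        return False
    return OPERATOR_SST_MIN <= int(number) <= OPERATOR_SST_MAX


# Constructed log records (not real PAN-OS output); only the fields this
# example needs are present, and the field names are assumptions.
SAMPLE_LOGS = [
    {"type": "TRAFFIC", "app": "gtp-u", "nssai_sst": 1, "nssai_sd": 0x000001, "src": "10.1.0.5"},
    {"type": "THREAT", "app": "modbus", "nssai_sst": 200, "nssai_sd": 0x0000A0, "src": "10.2.0.9"},
    {"type": "TRAFFIC", "app": "web-browsing", "nssai_sst": 2, "nssai_sd": None, "src": "10.3.0.7"},
    {"type": "THREAT", "app": "modbus", "nssai_sst": 200, "nssai_sd": 0x0000A0, "src": "10.2.0.10"},
    {"type": "TRAFFIC", "app": "gtp-u", "nssai_sst": 3, "nssai_sd": None, "src": "10.4.0.2"},
]


def events_per_slice(logs, log_type=None):
    """Count records per (slice name, SD) key, optionally for one log type,
    so a burst of events can be attributed to one enterprise slice."""
    counts = defaultdict(int)
    for rec in logs:
        if log_type and rec["type"] != log_type:
            continue
        name = slice_rule_name(rec["nssai_sst"]) or "unknown-sst-%d" % rec["nssai_sst"]
        sd = rec["nssai_sd"]
        key = (name, "%06x" % sd if sd is not None else "none")
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    # Operator-specific SST 200 with SD 0x0000A0, as it might appear on N11.
    print(decode_snssai(bytes.fromhex("c80000a0")))
    for key, count in sorted(events_per_slice(SAMPLE_LOGS, "THREAT").items()):
        print(key, count)
```

Used against exported logs, the same grouping by (SST, SD) is what lets the Threat log entries for one customer's slice be separated from another's on the same physical network; the SD field is what distinguishes two operator slices that share an SST value.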