Network Slice Security in a 5G Network

Secure a 5G network slice by configuring Security policy rules with source network slice SST names (standardized or operator-specific).
Network operators need tools to investigate security events related to enterprises and industry verticals served by network slices in a fifth generation (5G) cellular wireless network. A network slice comprises dedicated, shared, or both types of resources (for example, processing power, storage, and bandwidth), and has isolation from other network slices.
You can now apply network security based on network Slice/Service Type (SST). 5G network functions communicate with each other using the HTTP/2 protocol over service-based interfaces. Traffic from User Equipment (UE) and IoT devices is carried in GTP-U tunnels in the 5G network.
The Security policy rules for 5G network slices are based on Network SST in two categories—standardized and operator-specific:
  • Network Slice SST—Standardized: Three predefined slices, which PAN-OS® delivers to you in dynamic content updates:
    • eMBB (enhanced Mobile Broadband)—For faster speeds and high data rates, such as video streaming.
    • URLLC (Ultra-Reliable Low-Latency Communication)—For mission-critical applications that are sensitive to latency, such as applications for health care, wireless payments, home control, and vehicle communication.
    • MIoT (Massive Internet of Things)—For IoT traffic, such as smart metering, smart waste management, anti-theft, asset management, and location tracking.
  • Network Slice SST—Operator-specific: You determine the name for and specify the slice.
You can apply the following security per network slice or per group of network slices: application control, Antivirus, Anti-Spyware, URL filtering, intrusion prevention, and advanced threat prevention with WildFire®. You can see the Network Slice ID SST in traffic, threat, URL filtering, and WildFire submissions as well as in data filtering, GTP, and unified logs; and you can see the Network Slice ID SD in traffic, GTP, and unified logs to help you investigate a security event related to the enterprise or customer.
Security policy rules and correlation based on 5G Network Slice are supported on the following firewalls:
  • PA-7000 Series firewalls that use the following three cards:
    • The PA-7000-100G-NPC
    • The PA-7050-SMC-B card or the PA-7080-SMC-B card
    • The PA-7000-LFC card
  • PA-5200 Series firewalls
  • VM-700, VM-500, VM-300, and VM-100 firewalls
  1. Enable GTP Security, Commit, and reboot.
  2. Enable inspection of 5G HTTP/2 control packets by creating a Mobile Network Protection profile.
    1. Select Objects > Security Profiles > Mobile Network Protection and add a profile by Name.
    2. On the GTP Inspection tab, select 5G-C.
    3. Enable 5G-HTTP2 to enable inspection of 5G HTTP/2 control packets.
    4. Select GTP-U and enable GTP-U Content Inspection.
    5. Click OK.
  3. Create address objects for the IP addresses assigned to the network elements in your topology, such as the AMF on the N11 interface, the gNB on the N3 interface, the SMF on the N11 interface, and the UPF on the N3 interface.
  4. Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
    1. Select Policies > Security and Add a Security policy rule.
    2. For Source Address, Add the address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.
    3. For Destination, Add the Destination Address objects for the 5G element endpoints on the N3 and N11 interfaces that you want to allow.
    4. Add the Applications to allow, such as the user plane, which is gtp-u, and web-browsing, which carries HTTP/2.
    5. On the Actions tab, select the Action, such as Allow.
    6. Select the Mobile Network Protection profile you created.
    7. Click OK.
  5. Create another Security policy rule based on Network Slices to allow, for example, applications for a standardized or operator-specific SST.
    1. Select Policies > Security and Add a Security policy rule by Name.
    2. Select Source and Add one or more Network Slices in either of the following formats:
      • Standardized SST (select eMBB, MIoT, or URLLC).
      • Operator-specific SSTs in the format text,number (number range is 128 to 255 in decimal).
    3. Specify Source Zone, Source Address, Source User, and Source Device, or use the default Any setting for each.
    4. Specify Destination Zone, Destination Address, and Destination Device, or use the default Any setting for each.
    5. For Applications, select, for example, modbus and web-browsing.
    6. On the Actions tab, select the Action, such as Allow.
    7. Select the profiles you want to apply, such as Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File Blocking, and WildFire Analysis.
    8. Click OK.
  6. Commit your changes.
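The following Python is an added example, not PAN-OS code and not from this procedure; it shows how the two Network Slice entry formats from step 5 (the standardized names eMBB, URLLC, MIoT and the operator-specific text,number form with the number in 128 to 255 decimal) can be validated before they go into a rule, and how a source Network Slice list would match against the SST observed in traffic. The function names, the character class accepted for the "text" part, and the "empty list means Any" matching rule are assumptions of this example. The numeric values 1, 2 and 3 for eMBB, URLLC and MIoT are the 3GPP TS 23.501 assignments, which the page itself does not state.

```python
import re
from dataclasses import dataclass
from typing import List

# Standardized SST names from the page, mapped to the numeric SST values
# 3GPP TS 23.501 assigns them (the numbers are a 3GPP fact, not from the page).
STANDARDIZED_SST = {"eMBB": 1, "URLLC": 2, "MIoT": 3}

# Operator-specific SST range given on the page (decimal 128..255).
OPERATOR_SST_MIN, OPERATOR_SST_MAX = 128, 255

# Assumed shape of the "text" part: printable characters without a comma.
# The page specifies only "text,number"; this character class is an assumption.
_OPERATOR_RE = re.compile(r"^([^,\s][^,]*?)\s*,\s*(\d{1,3})$")


@dataclass(frozen=True)
class NetworkSlice:
    name: str   # eMBB/URLLC/MIoT or the operator-chosen text
    sst: int    # 8-bit Slice/Service Type value


def parse_slice(value: str) -> NetworkSlice:
    """Parse one Network Slice entry as it would be typed into a rule.

    Standardized entries are the bare names eMBB, URLLC, MIoT (matched
    case-sensitively, as listed on the page). Operator-specific entries are
    "text,number" with number in 128..255 decimal. Anything else raises
    ValueError, so a typo such as "embb" or "factory,127" is caught early.
    """
    v = value.strip()
    if v in STANDARDIZED_SST:
        return NetworkSlice(v, STANDARDIZED_SST[v])
    m = _OPERATOR_RE.match(v)
    if not m:
        raise ValueError(f"not a standardized SST name or text,number: {value!r}")
    name, sst = m.group(1), int(m.group(2))
    if not OPERATOR_SST_MIN <= sst <= OPERATOR_SST_MAX:
        raise ValueError(
            f"operator-specific SST {sst} outside {OPERATOR_SST_MIN}..{OPERATOR_SST_MAX}"
        )
    return NetworkSlice(name, sst)


def is_valid_slice(value: str) -> bool:
    """True if parse_slice() accepts the entry, False otherwise."""
    try:
        parse_slice(value)
        return True
    except ValueError:
        return False


def rule_matches_sst(rule_slices: List[str], observed_sst: int) -> bool:
    """Illustrative source Network Slice match (assumption, not PAN-OS logic).

    An empty list behaves as Any; otherwise the SST observed in traffic
    (the 8-bit SST field of the S-NSSAI) must equal the SST of one of the
    slices listed in the rule.
    """
    if not 0 <= observed_sst <= 255:
        raise ValueError("SST is an 8-bit value")
    if not rule_slices:
        return True
    return any(parse_slice(s).sst == observed_sst for s in rule_slices)


if __name__ == "__main__":
    # Constructed rule entries: one standardized slice and one operator-specific slice.
    rule = ["MIoT", "factory-iot,200"]
    for entry in rule + ["embb", "factory,127"]:
        print(f"{entry!r:20} valid={is_valid_slice(entry)}")
    for sst in (1, 3, 200):
        print(f"observed SST {sst:3} -> rule matches: {rule_matches_sst(rule, sst)}")
```

Run it as a script to see which entries are accepted; the case-sensitive name check and the 128 to 255 range check are the two places where a mistyped slice would otherwise silently fail to match the traffic it was meant to cover.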
