Describes the new mobile infrastructure security features in PAN-OS 10.0.

New Mobile Infrastructure Security Features

Session persistence during rate limiting for GTP and SCTP brute force attack signatures (available with PAN-OS® 10.0.2 and later 10.0 releases)

To provide more intelligent and flexible traffic control while protecting against flooding attacks for GTP or SCTP (including Diameter-S6a and S1AP) messages, the firewall now keeps existing sessions open if the number of SCTP or GTP packets exceeds the specified threshold and the Action for the brute force signature is drop. If the number of SCTP packets exceeds the threshold, the firewall nullifies the data chunks that match the context in the child signature for the remaining duration of the threshold. If the number of GTP packets exceeds the threshold, the firewall drops the packets that match the context in the child signature but the session remains open, which allows other GTP traffic for the remainder of the specified interval.
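To make the threshold and interval semantics concrete, here is an added Python model of the behaviour described above (not Palo Alto Networks code; the class names, the `legacy` mode representing the assumed pre-10.0.2 session-closing behaviour, and the packet sequence are constructed assumptions):

```python
from dataclasses import dataclass

# Constructed model of the threshold/interval behaviour described in the
# release note; the class names and API are assumptions, not PAN-OS code.
@dataclass
class BruteForceSignature:
    protocol: str       # "gtp" or "sctp"
    threshold: int      # packets matching the child signature allowed per interval
    interval: float     # interval length in seconds
    action: str = "drop"

@dataclass
class SessionState:
    window_start: float
    count: int = 0
    exceeded: bool = False
    open: bool = True

class RateLimiter:
    """legacy=True (assumed pre-10.0.2 behaviour) closes the whole session once
    the threshold is exceeded. legacy=False models 10.0.2: the session stays
    open, and only packets matching the child signature context are dropped
    (GTP) or have their data chunks nullified (SCTP) until the interval ends."""
    def __init__(self, sig: BruteForceSignature, legacy: bool = False):
        self.sig, self.legacy, self.sessions = sig, legacy, {}

    def handle(self, session_id: str, ts: float, matches_child: bool) -> str:
        st = self.sessions.setdefault(session_id, SessionState(window_start=ts))
        if not st.open:
            return "session-closed"
        if ts - st.window_start >= self.sig.interval:   # start a new interval
            st.window_start, st.count, st.exceeded = ts, 0, False
        if not matches_child:
            return "allow"      # other traffic in the open session is unaffected
        st.count += 1
        st.exceeded = st.exceeded or st.count > self.sig.threshold
        if not st.exceeded or self.sig.action != "drop":
            return "allow"
        if self.legacy:
            st.open = False
            return "session-closed"
        return "nullify" if self.sig.protocol == "sctp" else "drop"

def simulate(protocol: str, legacy: bool) -> list:
    """Replay a constructed (timestamp, matches-child-signature) sequence for
    one session with threshold 3 per 10-second interval."""
    rl = RateLimiter(BruteForceSignature(protocol, threshold=3, interval=10.0), legacy)
    packets = [(0, True), (1, True), (2, True), (3, True), (4, False), (5, True), (11, True)]
    return [rl.handle("sess-1", ts, m) for ts, m in packets]
```

Running `simulate("gtp", False)` shows the burst being dropped while the non-matching packet at t=4 still passes and the new interval at t=11 resets the count; `simulate("gtp", True)` shows the whole session closed instead.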
Network Slice Security in a 5G Network

Network operators lack tools to investigate security events related to enterprises and industry verticals served by network slices in 5G. Also, they are unable to offer customizable, advanced network security capabilities that can be dynamically created per network slice. You can now apply context-aware network security to an enterprise or customer from a vertical industry that is using a 5G network by creating Security policy rules based on network Slice/Service Type (SST). The firewall supports standardized SSTs and operator-specific SSTs.
Equipment ID Security in a 5G Network

In 5G, HTTP/2 replaces the GTP-C and Diameter protocols; therefore, existing network security technologies relying on GTP-C and Diameter protocols for extracting context, such as equipment ID or International Mobile Equipment Identity (IMEI), will not work in 5G. Network operators lack tools in 5G to investigate security events related to equipment and devices. Because the majority of IP addresses assigned to equipment and devices connected to 5G networks are dynamic, context-aware security capability based on Equipment ID is required to secure them and protect the network from compromised or disallowed equipment and devices. You can now apply Security policy rules based on the equipment identity (Permanent Equipment Identifier [PEI] including IMEI) of a device, such as an IoT device, phone, or tablet, in your 5G network.
Subscriber ID Security in a 5G Network

In 5G, HTTP/2 replaces the GTP-C and Diameter protocols; therefore, existing network security technologies relying on GTP-C and Diameter protocols for extracting context, such as subscriber ID or International Mobile Subscriber Identity (IMSI), will not work in 5G. Network operators lack tools in 5G to investigate security events related to subscribers and users. Because the majority of IP addresses assigned to subscribers and users connected to 5G networks are dynamic, context-aware security capability is required to secure them and protect the network from compromised or disallowed subscribers and users. You can now apply Security policy rules based on the subscriber ID (Subscription Permanent Identifier [SUPI] including IMSI) of a subscriber or user in your 5G network.
Equipment ID Security in a 4G Network

Because the majority of IP addresses assigned to equipment and devices connected to 4G/LTE networks are dynamic, context-aware security capability based on equipment identity is required to secure them and protect the network from compromised or disallowed equipment and devices. You can now apply Security policy rules based on the International Mobile Equipment Identity (IMEI) of a device, such as an IoT device, phone, or tablet, in your 4G/LTE network.
Subscriber ID Security in a 4G Network

Because the majority of IP addresses assigned to subscribers and users connected to 4G/LTE networks are dynamic, context-aware security capability based on subscriber identity is required to secure them and protect the network from compromised or disallowed subscribers and users. You can now apply Security policy rules based on the International Mobile Subscriber Identity (IMSI) of a subscriber or user in your 4G/LTE network.