To provide more intelligent and flexible traffic control while protecting against flooding attacks for GTP or SCTP (including Diameter-S6a and S1AP) messages, the firewall now keeps existing sessions open if the number of SCTP or GTP packets exceeds the specified threshold and the

Action

for the brute force signature is

drop

. If the number of SCTP packets exceeds the threshold, the firewall nullifies the data chunks that match the context in the child signature for the remaining duration of the threshold. If the number of GTP packets exceeds the threshold, the firewall drops the packets that match the context in the child signature but the session remains open, which allows other GTP traffic for the remainder of the specified interval.

Network operators lack tools to investigate security events related to enterprises and industry verticals served by network slices in 5G. Also, they are unable to offer customizable, advanced network security capabilities that can be dynamically created per network slice. You can now apply context-aware network security to an enterprise or customer from a vertical industry that is using a 5G network by creating Security policy rules based on network Slice/Service Type (SST). The firewall supports standardized SSTs and operator-specific SSTs.

In 5G, HTTP/2 replaces the GTP-C and Diameter protocols; therefore, existing network security technologies relying on GTP-C and Diameter protocols for extracting context, such as equipment ID or International Mobile Equipment Identity (IMEI), will not work in 5G. Network operators lack tools in 5G to investigate security events related to equipment and devices. Because the majority of IP addresses assigned to equipment and devices connected to 5G networks are dynamic, context-aware security capability based on Equipment ID is required to secure them and protect the network from compromised or disallowed equipment and devices. You can now apply Security policy rules based on the equipment identity (Permanent Equipment Identifier [PEI] including IMEI) of a device, such as an IoT device, phone, or tablet, in your 5G network.

In 5G, HTTP/2 replaces the GTP-C and Diameter protocols; therefore, existing network security technologies relying on GTP-C and Diameter protocols for extracting context, such as subscriber ID or International Mobile Subscriber Identity (IMSI), will not work in 5G. Network operators lack tools in 5G to investigate security events related to subscribers and users. Because the majority of IP addresses assigned to subscribers and users connected to 5G networks are dynamic, context-aware security capability is required to secure them and protect the network from compromised or disallowed subscribers and users. You can now apply Security policy rules based on the subscriber ID (Subscription Permanent Identifier [SUPI] including IMSI) of a subscriber or user in your 5G network.

Because the majority of IP addresses assigned to equipment and devices connected to 4G/LTE networks are dynamic, context-aware security capability based on equipment identity is required to secure them and protect the network from compromised or disallowed equipment and devices. You can now apply Security policy rules based on the International Mobile Equipment Identity (IMEI) of a device, such as an IoT device, phone, or tablet, in your 4G/LTE network.