Mobile Infrastructure Security Features

Describes the new mobile infrastructure security features in PAN-OS 10.0.
New Mobile Infrastructure Security Features

Session persistence during rate limiting for GTP and SCTP brute force attack signatures (available with PAN-OS® 10.0.2 and later 10.0 releases)
To provide more intelligent and flexible traffic control while protecting against flooding attacks for GTP or SCTP (including Diameter-S6a and S1AP) messages, the firewall now keeps existing sessions open if the number of SCTP or GTP packets exceeds the specified threshold and the Action for the brute force signature is drop. If the number of SCTP packets exceeds the threshold, the firewall nullifies the data chunks that match the context in the child signature for the remainder of the threshold interval. If the number of GTP packets exceeds the threshold, the firewall drops the packets that match the context in the child signature, but the session remains open, which allows other GTP traffic for the remainder of the specified interval.
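To make the rate-limiting behaviour above concrete, the following is an added model (not PAN-OS code; `Packet`, `BruteForceLimiter` and `run` are hypothetical names) of one brute force signature with Action drop. It assumes the threshold counts packets matching the child signature within a fixed interval; once exceeded, matching GTP packets are dropped and matching SCTP data chunks are nullified, while the session itself is never torn down.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float            # arrival time in seconds
    proto: str           # "gtp" or "sctp"
    session: str         # session key (e.g. a GTP tunnel or SCTP association)
    matches: bool        # GTP: packet matches the child signature's context
    chunks: tuple = ()   # SCTP: (chunk_name, matches_context) data chunks

class BruteForceLimiter:
    """Simplified model (assumption, not the firewall's implementation) of one
    brute force signature with Action=drop and a per-interval threshold."""
    def __init__(self, threshold, interval):
        self.threshold, self.interval = threshold, interval
        self.window_start, self.count = None, 0
        self.open_sessions = set()   # sessions stay open; nothing removes them

    def _hits(self, pkt):
        # A packet counts toward the threshold when it matches the child signature.
        if pkt.proto == "gtp":
            return pkt.matches
        return any(m for _, m in pkt.chunks)

    def handle(self, pkt):
        if self.window_start is None or pkt.ts - self.window_start >= self.interval:
            self.window_start, self.count = pkt.ts, 0   # start a fresh interval
        self.open_sessions.add(pkt.session)
        if not self._hits(pkt):
            return ("allow", pkt)            # unrelated traffic is unaffected
        self.count += 1
        if self.count <= self.threshold:
            return ("allow", pkt)
        if pkt.proto == "gtp":
            return ("drop", None)            # packet dropped, session remains open
        # SCTP: nullify only the matching data chunks; the packet itself is forwarded
        kept = tuple(c for c in pkt.chunks if not c[1])
        return ("nullify", Packet(pkt.ts, pkt.proto, pkt.session, pkt.matches, kept))

def run(packets, threshold, interval):
    lim = BruteForceLimiter(threshold, interval)
    return [lim.handle(p) for p in packets], lim.open_sessions

# Constructed sample traffic: a burst of matching GTP packets, one unrelated GTP
# packet in the same interval, one matching packet after the interval has elapsed.
GTP_BURST = [Packet(0.1 * i, "gtp", "teid-1", True) for i in range(5)]
GTP_OTHER = Packet(0.6, "gtp", "teid-1", False)
GTP_NEXT = Packet(1.5, "gtp", "teid-1", True)
SCTP_PKTS = [Packet(0.0, "sctp", "assoc-1", False, (("data-a", True),)),
             Packet(0.2, "sctp", "assoc-1", False, (("data-b", True), ("data-c", False)))]
```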
Network Slice Security in a 5G Network
Network operators lack tools to investigate security events related to enterprises and industry verticals served by network slices in 5G. Also, they are unable to offer customizable, advanced network security capabilities that can be dynamically created per network slice. You can now apply context-aware network security to an enterprise or customer from a vertical industry that is using a 5G network by creating Security policy rules based on network Slice/Service Type (SST). The firewall supports standardized SSTs and operator-specific SSTs.
Equipment ID Security in a 5G Network
In 5G, HTTP/2 replaces the GTP-C and Diameter protocols; therefore, existing network security technologies relying on GTP-C and Diameter protocols for extracting context, such as equipment ID or International Mobile Equipment Identity (IMEI), will not work in 5G. Network operators lack tools in 5G to investigate security events related to equipment and devices. Because the majority of IP addresses assigned to equipment and devices connected to 5G networks are dynamic, context-aware security capability based on Equipment ID is required to secure them and protect the network from compromised or disallowed equipment and devices. You can now apply Security policy rules based on the equipment identity (Permanent Equipment Identifier [PEI] including IMEI) of a device, such as an IoT device, phone, or tablet, in your 5G network.
Subscriber ID Security in a 5G Network
In 5G, HTTP/2 replaces the GTP-C and Diameter protocols; therefore, existing network security technologies relying on GTP-C and Diameter protocols for extracting context, such as subscriber ID or International Mobile Subscriber Identity (IMSI), will not work in 5G. Network operators lack tools in 5G to investigate security events related to subscribers and users. Because the majority of IP addresses assigned to subscribers and users connected to 5G networks are dynamic, context-aware security capability is required to secure them and protect the network from compromised or disallowed subscribers and users. You can now apply Security policy rules based on the subscriber ID (Subscription Permanent Identifier [SUPI] including IMSI) of a subscriber or user in your 5G network.
Equipment ID Security in a 4G Network
Because the majority of IP addresses assigned to equipment and devices connected to 4G/LTE networks are dynamic, context-aware security capability based on equipment identity is required to secure them and protect the network from compromised or disallowed equipment and devices. You can now apply Security policy rules based on the International Mobile Equipment Identity (IMEI) of a device, such as an IoT device, phone, or tablet, in your 4G/LTE network.
Subscriber ID Security in a 4G Network
Because the majority of IP addresses assigned to subscribers and users connected to 4G/LTE networks are dynamic, context-aware security capability based on subscriber identity is required to secure them and protect the network from compromised or disallowed subscribers and users. You can now apply Security policy rules based on the International Mobile Subscriber Identity (IMSI) of a subscriber or user in your 4G/LTE network.