Mobile Network Security Support on New Mid-Range Hardware Platforms

Private 5G networks and multi-access edge computing (MEC) can present security concerns for enterprises and can increase the attack surface for malicious actors. As a wider range of enterprises, including manufacturing, energy, utilities, logistics, real estate, and healthcare, transition to private 5G technologies, the need for enterprise-grade security that can deploy zero-trust architecture in 5G increases.
You can now protect your MEC and private 5G environments with the industry’s only 5G-native security using the Palo Alto Networks next-generation firewall. On the latest mid-size next-generation firewalls, Palo Alto Networks now supports mobility protocols with mobile identifiers like subscriber ID (the International Mobile Subscriber Identifier or IMSI) and equipment ID (the International Mobile Equipment Identifier or IMEI) for enhanced visibility and security policy enforcement. This allows enterprise IT security teams to extend their enterprise-grade security to their 5G or 4G/LTE mobile networks.
The new firewalls support the following mobility security features for MEC and private 5G network deployments:
The following diagrams depict a selection of supported scenarios that highlight some of the potential applications for this new capability.
In the following deployment scenario of a private 4G/LTE network, the 4G core is located on-premises. To enforce security policy for user and control traffic, the firewall must be positioned on the 4G/LTE interfaces, including the User Plane (S1-U) and the Control Plane (S11).
For complete subscriber-level and equipment-level visibility and security policy control for network traffic threats, enable GTP Security.
The second firewall in this diagram is positioned on the perimeter (the SGI interface connected to the internet and the enterprise IT datacenter).
In the following private 5G network deployment scenario, only the User Plane Function (UPF) is located on-premises. The 5G Core is located remotely in a central core site or public cloud. To enforce security policy for user and control traffic, the firewall must be positioned on the 5G interfaces, including the User Plane (N3) and Control Plane (N4).
For complete subscriber-level and equipment-level visibility and security policy control for network traffic threats, enable GTP Security.
The second firewall in the diagram is positioned on the perimeter (the N6 interface connected to the internet and the enterprise IT datacenter).
In the following private 5G network deployment scenario, the 5G Core, including the User Plane Function (UPF), is located on-premises. The 5G Core includes network functions (NFs) such as Session Management (SMF) and Access and Mobility Management Function (AMF), as well as others. To enforce security policy for user and control traffic, the firewall must be positioned on the 5G interfaces, including the User Plane (N3) and the Control Plane (N4).
For complete subscriber-level and equipment-level visibility and security policy control for network traffic threats, enable GTP Security. Apply security policy to the Control Plane (N2) between the 5G RAN and the 5G Core for signaling protection by enabling SCTP Security.
The second firewall in the diagram is positioned on the perimeter (the N6 interface connected to the internet and the enterprise IT datacenter).
In the following private 5G network deployment scenario, only the Radio Access Network (RAN) is located on-premises.
To apply security policy to user traffic, enable Tunnel Content Inspection.
The firewall must be positioned on the 5G interface for the User Plane (N3).
In the following 5G MEC deployment scenario, the User Plane Function (UPF) is located on the MEC in the service provider’s edge location or on the public cloud edge and the 5G Core is located remotely in a central core site or the public cloud. To enforce security policy for user and control traffic, the firewall must be positioned on the 5G interfaces, including the User Plane (N3) and the Control Plane (N4).
For complete subscriber-level and equipment-level visibility and security policy control for network traffic threats, enable GTP Security.
The second firewall in the diagram is positioned on the perimeter (the N6 interface connected to the internet and the enterprise IT datacenter).

Recommended For You