Cellular IoT Security

Cellular Internet of Things (CIoT) security allows you to secure CIoT traffic, gain visibility into CIoT and device-to-device traffic, and support 3GPP Release 15 protocols.
Cellular Internet of Things (CIoT) security allows you to protect your mobile network and CIoT traffic from attacks and provides visibility into CIoT communications in your network. If you are a mobile network operator (MNO) or a mobile virtual network operator (MVNO), you can secure CIoT traffic; an example is a utility company in the oil, gas, or energy sector that operates as an MVNO. As networks evolve with new technologies and you deploy firewalls in different locations, the firewall supports the CIoT technologies those deployments rely on: S11-U tunnels and narrowband IoT (NB-IoT). The firewall also supports device-to-device (D2D) communications over your network.
Cellular IoT security includes:
  • Support for CIoT Evolved Packet System (EPS) optimization.
    • GTP Stateful Inspection of S11 and S11-U tunnels.
    • GTP-U Content Inspection of S11-U tunnels (inspection of the inner IP sessions carried in the GTP-U payload of S11-U tunnels).
  • Filtering traffic from IoT devices that connect to a mobile network using EUTRAN-NB-IoT (the RAT type for NB-IoT access). For example, allowing only devices that attach over NB-IoT to reach the network.
  • Displaying and reporting on D2D communication to see the Remote User ID and Remote User IP address of devices sending traffic.
  • Support for 3GPP TS 29.274 up to Release 15.2.0 for GTPv2-C protocol
  • Support for 3GPP TS 29.060 up to Release 15.1.0 for GTPv1-C protocol
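GTP-U Content Inspection of S11-U tunnels only makes sense once the inspecting device has decapsulated the GTP-U header and classified the inner IP session. The following is an added example, not Palo Alto Networks code and not the firewall's own implementation: a minimal GTP-U (3GPP TS 29.281) decapsulator in Python that validates the header, walks the optional sequence number and extension headers, extracts the inner IPv4 5-tuple, and applies an allow-list. The packets and the allow-list (NB-IoT devices may only reach one application server on CoAP, UDP 5683) are constructed here for illustration and are not from the page.

```python
"""Decapsulate GTP-U (3GPP TS 29.281) G-PDUs from an S11-U tunnel and classify
the inner IP session before applying a policy. Added example, not Palo Alto
Networks code. Sample packets and the allow-list are constructed below."""
import struct
from ipaddress import ip_address

GTPU_GPDU = 0xFF                 # message type for a G-PDU carrying user data
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_gpdu(teid, inner, seq=None):
    """Constructed test data: wrap an inner IP packet in a GTP-U header.
    Flags: version=1, PT=1, S set only when a sequence number is given."""
    if seq is None:
        flags, opt = 0x30, b""
    else:
        # S=1: 2-byte sequence, 1-byte N-PDU number, 1-byte next-ext type (0 = none)
        flags, opt = 0x32, struct.pack("!HBB", seq, 0, 0)
    return struct.pack("!BBHI", flags, GTPU_GPDU, len(opt) + len(inner), teid) + opt + inner


def build_inner(src, dst, proto, sport, dport, payload=b""):
    """Constructed test data: minimal IPv4 header plus a UDP header or a
    zero-filled 20-byte TCP header (checksums left zero; not verified here)."""
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16 + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + l4


def parse_gtpu(pkt):
    """Return (teid, msg_type, payload). Raises ValueError on a malformed
    header so the caller drops the packet instead of guessing."""
    if len(pkt) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1-U")
    if length != len(pkt) - 8:
        raise ValueError("GTP-U length field does not match packet")
    off = 8
    if flags & 0x07:                       # E, S or PN set: 4 optional octets present
        if len(pkt) < 12:
            raise ValueError("optional header fields missing")
        next_ext, off = pkt[11], 12
        while next_ext:                    # extension header length is in 4-octet units
            if off >= len(pkt) or pkt[off] == 0 or off + pkt[off] * 4 > len(pkt):
                raise ValueError("bad extension header")
            ext_len = pkt[off] * 4
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    return teid, msg_type, pkt[off:]


def parse_inner_ipv4(data):
    """Extract the inner 5-tuple from a decapsulated IPv4 packet."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (data[0] & 0x0F) * 4
    total, proto = struct.unpack("!H", data[2:4])[0], data[9]
    if ihl < 20 or total > len(data):
        raise ValueError("inner IPv4 length inconsistent")
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(data) >= ihl + 4:
        sport, dport = struct.unpack("!HH", data[ihl:ihl + 4])
    return {"src": str(ip_address(data[12:16])), "dst": str(ip_address(data[16:20])),
            "proto": proto, "sport": sport, "dport": dport}


# Assumed policy for illustration: NB-IoT devices may only speak CoAP (UDP/5683)
# to the utility's application server.
ALLOWED = {("203.0.113.10", IPPROTO_UDP, 5683)}


def inspect(pkt):
    """Decapsulate one GTP-U packet and return (verdict, inner_flow)."""
    try:
        teid, msg_type, inner = parse_gtpu(pkt)
        if msg_type != GTPU_GPDU:
            return "allow-signalling", None   # echo / error indication carries no user data
        flow = parse_inner_ipv4(inner)
    except (ValueError, struct.error) as exc:
        return f"drop:{exc}", None
    flow["teid"] = teid
    permitted = (flow["dst"], flow["proto"], flow["dport"]) in ALLOWED
    return ("allow" if permitted else "deny"), flow
```

The length check against the GTP-U header is deliberate: a length field that disagrees with the datagram is the usual sign of a truncated or crafted tunnel packet, and the safe verdict is to drop rather than to inspect whatever bytes happen to follow.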
gtp_ciot.png
The preceding CIoT security deployment graphic illustrates the S11-U data tunnel, which carries encapsulated data messages using GTP-U. When mobile-originated or mobile-terminated data is transported using Control Plane CIoT EPS Optimization with PGW connectivity, the MME and SGW use an S11-U tunnel: the user data reaches the MME inside NAS signalling and is forwarded to the SGW over GTP-U instead of over an S1-U bearer.
You can protect your mobile network and CIoT traffic that uses 3GPP technologies.
  • After you enable GTP Security, create a GTP Protection profile to enable GTPv2-C Stateful Inspection.
    gtp_ciot_protection_profile.png
  • On the GTP-U tab, enable GTP-U Content Inspection.
    gtp_pp_gtp_u_content_inspection.png
    GTP-U Content Inspection lets you see the Remote User ID (the international mobile subscriber identity [IMSI]) and Remote User IP address associated with GTP-U packets.
  • If you use narrowband IoT (NB-IoT) as the Radio Access Technology (RAT), filter GTP traffic by RAT type so that only NB-IoT traffic from trusted services is allowed for your IoT devices.
    gtp_rat_filtering.png
  • Attach the GTP Protection profile to a Security policy rule and apply the rule on network elements that use GTP, such as between an MME and SGW.
  • Monitor GTP or Unified log messages (Monitor > Logs > GTP or Monitor > Logs > Unified) and display the Remote User ID and Remote User IP address. The following is an example of viewing the details of remote user equipment (UE) using 3GPP D2D technology.
    gtp_monitor_logs.png
  • Generate custom reports (Monitor > Manage Custom Reports) from the GTP Summary or GTP Detailed database and display Remote User ID and Remote User IP addresses. You can also select Filter Builder and add a log filter based on Remote User ID and Remote User IP address.
    gtp_log_remote_user.png
  • Forward logs (Objects > Log Forwarding) and, when you create a log forwarding profile, for the gtp log type use Filter Builder to create a filter based on the Remote User IP address and Remote User ID attributes.
    gtp_log_forwarding_filter.png
  • While forwarding logs, if the Forward Method is Email, Syslog, or HTTP, add an Email Server Profile, Syslog Server Profile, or HTTP Server Profile respectively, and in the Custom Log Format tab select GTP as the log type and add remote_user_id, remote_user_ip, or both to the log format.
    gtp_log_format.png
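Two of the steps above, the NB-IoT RAT filter and the Remote User ID / Remote User IP logging for D2D, both operate on fields of the GTPv2-C Create Session Request that the MME sends to the SGW over S11. The following is an added example, not Palo Alto Networks code and not the firewall's implementation: a Python parser for that message that applies an NB-IoT-only policy to the RAT Type IE and extracts the Remote User ID and Remote UE IP from the Remote UE Context grouped IE so they can be written to a log record with the remote_user_id and remote_user_ip fields named above. The message is constructed, and the IE numbers and layouts (RAT Type 82, Remote UE Context 191, Remote User ID 192, Remote UE IP Information 193, PAA-style coding of the remote IP) are from 3GPP TS 29.274 as I recall them; confirm them against the release you deploy against.

```python
"""Parse a GTPv2-C (3GPP TS 29.274) Create Session Request from S11, enforce an
NB-IoT-only RAT filter, and extract the Remote User ID / Remote UE IP of a D2D
remote UE for logging. Added example, not Palo Alto Networks code. IE numbers
and layouts are assumptions from TS 29.274; the message is constructed."""
import struct

MSG_CREATE_SESSION_REQ = 32
IE_IMSI, IE_RAT_TYPE = 1, 82
IE_REMOTE_UE_CONTEXT, IE_REMOTE_USER_ID, IE_REMOTE_UE_IP = 191, 192, 193
RAT_EUTRAN, RAT_EUTRAN_NB_IOT, RAT_LTE_M = 6, 8, 9   # RAT Type values (TS 29.274 8.17)


def tbcd(digits):
    """Encode a digit string as TBCD: low nibble first, 0xF pad on odd length."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16)
                 for i in range(0, len(digits), 2))


def untbcd(raw):
    """Decode TBCD digits and strip the trailing 0xF pad nibble."""
    return "".join(f"{b & 0xF:x}{b >> 4:x}" for b in raw).rstrip("f")


def ie(t, value, instance=0):
    """Encode one TLV IE: type, 2-byte length, spare/instance, value."""
    return struct.pack("!BHB", t, len(value), instance) + value


def build_csr(imsi, rat, remote=None, seq=1):
    """Constructed test data: Create Session Request with IMSI, RAT Type and,
    optionally, a Remote UE Context for one D2D remote UE (IMSI, IPv4)."""
    body = ie(IE_IMSI, tbcd(imsi)) + ie(IE_RAT_TYPE, bytes([rat]))
    if remote:
        r_imsi, r_ip = remote
        # Remote User ID: flags octet (no MSISDN/IMEI), IMSI length, IMSI (assumed layout)
        user_id = bytes([0x00, len(tbcd(r_imsi))]) + tbcd(r_imsi)
        # Remote UE IP Information: PDN type 1 = IPv4 then the address (assumed PAA-style)
        ue_ip = bytes([1]) + bytes(int(o) for o in r_ip.split("."))
        body += ie(IE_REMOTE_UE_CONTEXT, ie(IE_REMOTE_USER_ID, user_id) + ie(IE_REMOTE_UE_IP, ue_ip))
    # Flags 0x48: version 2, T=1 (TEID present); TEID is 0 on the initial request.
    # Message length excludes the first 4 octets: TEID(4) + sequence(3) + spare(1) + IEs.
    hdr = struct.pack("!BBHI", 0x48, MSG_CREATE_SESSION_REQ, 8 + len(body), 0) + struct.pack("!I", seq << 8)
    return hdr + body


def parse_ies(buf):
    """Yield (type, instance, value) for each TLV IE; raise on truncation."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated IE header")
        t, ln, inst = struct.unpack("!BHB", buf[off:off + 4])
        if off + 4 + ln > len(buf):
            raise ValueError(f"IE {t} length {ln} runs past message end")
        yield t, inst & 0x0F, buf[off + 4:off + 4 + ln]
        off += 4 + ln


def parse_csr(msg):
    """Return the fields a GTP log record needs from a GTPv2-C message."""
    flags, mtype, length = struct.unpack("!BBH", msg[:4])
    if flags >> 5 != 2:
        raise ValueError("not GTPv2-C")
    if length != len(msg) - 4:
        raise ValueError("message length mismatch")
    off = (8 if flags & 0x08 else 4) + 4   # TEID present if T flag set; then sequence + spare
    out = {"msg_type": mtype, "imsi": None, "rat": None, "remote_user_id": None, "remote_user_ip": None}
    for t, _, v in parse_ies(msg[off:]):
        if t == IE_IMSI:
            out["imsi"] = untbcd(v)
        elif t == IE_RAT_TYPE:
            out["rat"] = v[0]
        elif t == IE_REMOTE_UE_CONTEXT:
            for st, _, sv in parse_ies(v):   # grouped IE: nested TLVs
                if st == IE_REMOTE_USER_ID:
                    out["remote_user_id"] = untbcd(sv[2:2 + sv[1]])
                elif st == IE_REMOTE_UE_IP and sv[0] & 0x07 == 1:
                    out["remote_user_ip"] = ".".join(str(b) for b in sv[1:5])
    return out


def nb_iot_only(msg):
    """Policy from the page: on the NB-IoT rule, admit a new session only when
    the RAT Type is EUTRAN-NB-IoT. Returns (verdict, parsed_fields)."""
    try:
        fields = parse_csr(msg)
    except (ValueError, struct.error, IndexError) as exc:
        return f"drop:{exc}", None
    if fields["msg_type"] != MSG_CREATE_SESSION_REQ:
        return "pass", fields               # other message types are not subject to this rule
    return ("allow" if fields["rat"] == RAT_EUTRAN_NB_IOT else "deny"), fields
```

The parser fails closed: any IE whose length runs past the end of the message, or a message whose header length disagrees with the datagram, is dropped rather than partially decoded, which is the behaviour you want from a stateful inspector sitting between an MME and an SGW.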
