Configure 4G Subscriber ID Security
Secure your 4G traffic with Security policy rules that specify source subscriber identifiers (IMSIs), so that the firewall
enforces network security based on the subscriber identity of the user who is trying to access your 4G network.
Before
you begin configuring 4G Subscriber ID Security, gather
the IP addresses of the following devices in your topology so that
you can use them as source and destination addresses in Security
policy rules controlling traffic to and from these devices:
- eNodeB (eNB)
- Mobility Management Entity (MME)
- Serving Gateway (SGW)
- Packet Gateway (PGW)
- Enable GTP Security.
- Select Device > Setup > Management and edit the General Settings to select GTP Security.
- Click OK.
- Commit the change.
- Select Device > Setup > Operations and Reboot Device; GTP Security takes effect only after the reboot.
- Enable inspection of 4G GTPv2-C control packets and content inspection of GTP-U packets by creating a Mobile Network Protection profile.
- Select Objects > Security Profiles > Mobile Network Protection.
- Add a profile by Name, for example, 4G Mobile security.
- Enter a Description.
- On the GTP Inspection tab, select GTP-C.
- Enable GTPv2-C Stateful Inspection to inspect GTPv2 control packets.
- Select GTP-U and enable GTP-U Content Inspection to correlate context from 4G GTPv2-C control packets (Subscriber IDs and Equipment IDs) to the IP user traffic inside a GTP-U tunnel.
- Select Filtering Options and RAT Filtering; for example, you can allow UTRAN, GERAN, HSPA EVOLUTION, EUTRAN, EUTRAN-NB-IOT, and LTE-M and block other RATs.
- (Optional) Select Other Log Settings and Log User Location.
- (Optional) To troubleshoot, select Other Log Settings and select GTPv2-C Allowed Messages for Tunnel Management, Path Management, and Others. You can also enable GTP-U Allowed Messages for Tunnel Management, Path Management, and G-PDU.
- Click OK.
- Create address objects for the IP addresses assigned to the network elements in your topology, such as in deployment option 1: the MME on the S11 interface, the eNB on the S1-U interface, and the SGW on the S1-U and S11 interface; or deployment option 2: the SGW on the S5/S8 interface and PGW on the S5/S8 interface.
- (Optional) Create an External Dynamic List (EDL) of Type Subscriber Identity List; the Source of the list provides access to a server that provides identifiers of users connected to the 4G network for which you want to allow traffic.
- Create a Security policy rule that applies your Mobile Network Protection profile to application traffic.
- Select Policies > Security and Add a Security policy rule by Name.
- On the Source tab, Add a Source Zone or select Any.
- For Source Address, Add the address objects for the 4G network elements that you want to allow.
- On the Destination tab, Add the address objects for the 4G network elements that you want to allow as the Destination Address.
- Add the Applications to allow, such as gtp-u for user plane and gtpv2-c for control plane traffic.
- On the Actions tab, select the Action, such as Allow.
- Select the Mobile Network Protection profile you created.
- Select Log Settings, such as Log at Session Start and Log at Session End.
- Click OK.
- Create another Security policy rule based on Subscriber ID. This rule matches the user traffic inside the GTP-U tunnel, which the firewall attributes to a subscriber using the context that GTP-U Content Inspection correlates from GTPv2-C.
- Select Policies > Security and Add a Security policy rule by Name, for example, Subscriber ID Security.
- On the Source tab, Add a Source Zone or select Any.
- Add one or more Source Subscriber IDs in any of the following formats (if you configured an EDL, specify that EDL in this step):
- IMSI (14 or 15 digits)
- Range of IMSI values separated by a hyphen. In a range, only the 11th digit through the 15th digit of the IMSI can change from the start of the range to the end of the range; for example, 111111111111122-111111111119999.
- IMSI prefix of six digits, with an asterisk (*) as the wildcard after the prefix; for example, 926789*
- External dynamic list (EDL) that specifies IMSIs
- (Optional) You can add Source Equipment identities to this Security policy rule to make the rule more restrictive.
- Specify Destination Zone, Destination Address, and Destination Device as Any.
- Add the Applications to allow, for example, youtube, facebook, linkedin, and twitter.
- On the Actions tab, select the Action, such as Allow.
- Select the profiles you want to apply, such as Antivirus, Vulnerability Protection, and Anti-Spyware.
- Select Log Setting, such as Log at Session End.
- ClickOK.
- Commit.
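Before typing Source Subscriber IDs into the rule, or publishing a Subscriber Identity List EDL for it, it is worth checking each entry against the three formats in the Subscriber ID step: a range whose fixed digits differ or whose bounds are reversed is not what you meant, and a prefix that is too short quietly admits far more subscribers than intended. The following Python is an added example, not PAN-OS code: it encodes the format rules stated on this page (14- or 15-digit IMSI, hyphenated range in which only digits 11 through 15 may change, six-digit prefix followed by *), reports how many IMSIs an entry covers, and renders a de-duplicated EDL body. The EDL file layout of one identifier per line and the sample entries are assumptions made for the example.

```python
import re

# Source Subscriber ID entry formats from this page (validator constructed for the example):
#   IMSI         14 or 15 digits
#   IMSI range   start-end, both IMSIs of the same length; only digits 11..15 may differ
#   IMSI prefix  6 digits followed by "*" (MCC + MNC when the MNC has three digits)
IMSI_RE = re.compile(r"[0-9]{14,15}")
PREFIX_RE = re.compile(r"[0-9]{6}\*")
FIXED_DIGITS = 10  # digits 1..10 must be identical at both ends of a range


def classify_subscriber_id(entry: str) -> str:
    """Return 'imsi', 'range' or 'prefix'; raise ValueError for anything else."""
    entry = entry.strip()
    if IMSI_RE.fullmatch(entry):
        return "imsi"
    if PREFIX_RE.fullmatch(entry):
        return "prefix"
    if "-" in entry:
        start, _, end = entry.partition("-")
        if not (IMSI_RE.fullmatch(start) and IMSI_RE.fullmatch(end)):
            raise ValueError(f"range endpoints must be 14- or 15-digit IMSIs: {entry!r}")
        if len(start) != len(end):
            raise ValueError(f"range endpoints must have the same length: {entry!r}")
        if start[:FIXED_DIGITS] != end[:FIXED_DIGITS]:
            raise ValueError(f"only digits 11 through 15 may change across a range: {entry!r}")
        if int(start) > int(end):
            raise ValueError(f"range start is greater than range end: {entry!r}")
        return "range"
    raise ValueError(f"not an IMSI, IMSI range or 6-digit prefix: {entry!r}")


def is_valid_subscriber_id(entry: str) -> bool:
    """True if the entry follows one of the three accepted formats."""
    try:
        classify_subscriber_id(entry)
        return True
    except ValueError:
        return False


def matched_count(entry: str):
    """Number of IMSIs the entry covers: 1 for an IMSI, the span for a range,
    None for a prefix (open-ended: every IMSI under that six-digit prefix)."""
    kind = classify_subscriber_id(entry)
    if kind == "imsi":
        return 1
    if kind == "range":
        start, _, end = entry.strip().partition("-")
        return int(end) - int(start) + 1
    return None


def build_subscriber_edl(entries):
    """Validate, de-duplicate and render entries as a Subscriber Identity List body.
    Assumed EDL layout: one identifier per line. The whole list is rejected if any
    entry is malformed, so a typo never silently widens or narrows the rule."""
    seen, lines = set(), []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        classify_subscriber_id(entry)  # raises ValueError on a malformed entry
        if entry not in seen:
            seen.add(entry)
            lines.append(entry)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the two examples from the page plus one single IMSI and a duplicate.
    sample = ["111111111111122-111111111119999", "926789*", "310150123456789", " 926789* "]
    for e in sample:
        print(f"{e.strip():33} {classify_subscriber_id(e):7} covers={matched_count(e)}")
    print(build_subscriber_edl(sample), end="")
```

matched_count is the number to sanity-check against the allow list you intended: the page's own range example covers 8878 subscribers, and a prefix entry is unbounded, so use prefixes only when you really mean every subscriber of that PLMN.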