Palo Alto Networks and OneLayer Joint Private 5G Security Offering



 

This blog was written by Mitch Rappard (Palo Alto Networks) and Efrat Harari (OneLayer).

 


 

Private 5G has quickly become the “industrial-grade” wireless option for industries such as utilities, oil & gas, mining and advanced manufacturing.  A large part of its success is due to its ability to offer deterministic latency, predictable QoS under heavy load, wider RF reach across sprawling facilities, and SIM-based access control that fits OT processes better than passwords or certificates. These key features let engineers push time-sensitive SCADA traffic, mobile worker video, AGVs/AMRs and thousands of sensors onto one converged, spectrum-controlled network without sacrificing availability or performance.

 

Yet the same architectural shifts that make private 5G attractive also reshape and enlarge the cyber attack surface and add complexity and visibility challenges that must be dealt with.  While there are numerous challenges, today we will discuss some of the most pressing pain points as organizations take the journey to modernize their network and embrace private 5G. These challenges include:

 

  • Asset Visibility - As devices are brought on and off the network, and as new device types are deployed, understanding the current inventory as well as the risks and behavior of these devices is crucial.  There are also often legacy non-cellular devices which are attached via cellular routers, which must also be fully known and secured.
  • Device Lifecycle Management - As organizations migrate to new cellular devices, automating activation, keeping track of device status, and ensuring only allowed devices are on the network can be a complex challenge. Manual processes often result in increased risk of unauthorized access. Streamlining this process with automated, secure onboarding is essential. By ensuring devices are provisioned, validated, and continually monitored throughout their lifecycle, organizations can keep device inventories up-to-date, enforce strict access controls, and reduce the risk of unapproved or outdated devices remaining on the network.
  • Implementing Zero Trust - Most organizations agree that a Zero Trust security architecture is important, but have questions or challenges when it comes to implementing Zero Trust. New devices and applications are constantly being introduced. Security solutions that continuously monitor and update to prevent implicit trust are of paramount importance.
  • Preventing Malicious Payloads - Known malware is malicious software that has been previously identified and cataloged, and can usually be detected using existing signatures or threat intelligence. Unknown malware is new, modified, or obfuscated malicious code that has not yet been seen or analyzed, which makes it harder to detect and undetectable by traditional signature-based tools. Both types of malware need to be detected, along with exploit attempts, DNS-related threats and various other attack types.

Securing Private 5G

 

In order to enable effective security within private 5G environments, it is important that the challenges above are addressed.  This blog will discuss the ways that Palo Alto Networks and OneLayer partner to meet and exceed the requirements necessary to address the challenges listed above, and in doing so help achieve best in class security for cellular mission critical networks.

 

Feature Ownership

In order to help provide clarity around how our partnership works and which vendor brings which capability, we have made the table below that attempts to break this down. This table focuses on feature ownership for this solution, and is not a comprehensive list of vendor features.  For instance, Palo Alto Networks can also offer Device Fingerprinting, but OneLayer is providing that functionality in this joint solution.

 

[Image: feature ownership table]

 

As you can see, both companies offer key capabilities necessary for a holistic security offering.  Below we will dive into the challenges listed above, and discuss how specifically we work together to address them. 

 

Asset Visibility 

Before you look to secure the devices on your network, you need to know exactly which devices are present, and the characteristics of those devices. Security teams must understand the device make, model, OS, and device identifiers (for mobile devices this includes the IMSI, IMEI and ICCID) of all attached devices. This also includes legacy non-cellular devices which are attached via cellular gateways.

Regulators and auditors can treat an organization's asset inventories as hard evidence of due diligence. Standards such as IEC 62443 for industrial controls and NIS 2 in Europe require operators to demonstrate least-privilege access, timely remediation, and incident-response readiness, all of which begin with a defensible list of “everything that touches the network.”

 

Below are some examples of the types of information required for effective asset visibility in mobile networks. 

 

| Data Type | Description |
|---|---|
| Device Identifiers | IMSI (International Mobile Subscriber Identity), IMEI (International Mobile Equipment Identity), ICCID (Integrated Circuit Card Identifier) |
| Device Characteristics | Make, model, hardware version, software version |
| Device Status | Active, inactive, provisioned, unprovisioned, healthy, faulty |
| Location Information | Physical location or geofencing details of the device |
| User Association | User or group associated with the device (if applicable) |
| Network Connectivity | Network connection status, signal strength, and other connectivity parameters |
| Lifecycle Stage | Procurement, deployment, operation, maintenance, and decommissioning stages of the device |
| SIM Card Information | SIM card status, profile, and activation details |

 

Palo Alto Networks and OneLayer have partnered to provide the visibility mentioned above, so that organizations can easily understand the devices, both cellular and non-cellular, attached to the network. In this solution, OneLayer provides comprehensive visibility into all connected assets, whether cellular or non-cellular. This visibility encompasses device discovery, identifier correlation, fingerprinting (device profiling), and detailed network properties.



Device Lifecycle Management

OneLayer’s Device Lifecycle Management automates and streamlines the entire process of onboarding, activating, monitoring, and retiring cellular devices within private networks. By continuously tracking device status, configuration changes, and compliance with security requirements, OneLayer makes sure that only authorized and up-to-date devices remain connected. This automated approach reduces manual workload, closes security gaps, and provides organizations with real-time visibility and control over every stage of a device's lifecycle.

 

Implementing Zero Trust

If you ask any organization if Zero Trust is important for effective security, most if not all of them will respond in the affirmative.  But when you start to talk about exactly what Zero Trust means and the detailed methods and techniques they will employ to adhere to Zero Trust principles, the conversation often gets a bit less certain. 

 

One of the foundational pillars of Zero Trust is network segmentation.  While traditional tools such as subnets and VLANs can help here, to truly segment your network effectively, additional characteristics such as the protocol used, the sending and receiving device types as well as the specific device identifiers are required to eliminate implicit trust, which is the enemy of zero trust. 

 

In the same way that asset visibility must also extend to legacy non-cellular devices, so should an organization's zero trust policies. Rogue devices attached to cellular routers should be detected and acted upon. If multiple devices are attached to a cellular router, then advanced segmentation should also be applied at the edge.

Palo Alto Networks and OneLayer have partnered to enable a zero trust security posture across all parts of the network: from the edge, to the core, to the application and service domain, whether on site or in the cloud.

In some cases legacy devices will be brought on the network via cellular connected “gateway” routers. If multiple devices are connected to a single edge router, then it is important that zero trust principles are applied to the traffic originating from the non-cellular devices. Using Palo Alto Networks' PA-400 series NGFWs, which have cellular connectivity built in, organizations are able to securely attach legacy devices to the network without compromising on security. Our partnership with OneLayer ensures that visibility of these devices is extended to OneLayer Bridge as well.

 

Preventing Malicious Payloads

Once traffic is allowed via a security policy, network defenders must also inspect the payload in an effort to detect any malicious content. To do so, further analysis is needed. Palo Alto Networks leverages a signatureless, inline detection and prevention engine that uses machine learning, deep packet inspection, and protocol decoding to block zero-day threats in real time, before they can infiltrate networks or devices. Unlike traditional IPS solutions that rely heavily on known signatures, Palo Alto Networks delivers behavioral threat detection at line-rate performance. This intelligence extends to DNS as well, which is rife with attack vectors, and often acts as a mechanism for data exfiltration and DoS attacks.

 

Conclusion

Above, we showed how Palo Alto Networks and OneLayer partner to offer key capabilities needed for world class security in private 5G networks. If we now take those same key capabilities and map them to the challenges discussed, we see a table like the one below.

 

[Image: table mapping key capabilities to the challenges discussed]

 

As you can see, together, Palo Alto Networks and OneLayer offer a comprehensive and, perhaps just as important, seamlessly integrated solution that allows organizations to confidently deploy their 5G networks with the knowledge that their network and devices are secure. For more technical information on this partnership and integration, please visit the Palo Alto Networks Tech Partner page which offers a Solution Brief and Integration Guide.
