PANCast Episode 46: 5G Security with Palo Alto Networks NGFW

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker
No ratings

 

Episode Transcript:

 

John: Welcome back PANCasters. Today we have Jagrut with us to talk to us about mobile technology, specifically 5G and how Palo Alto Networks can help in mobile technology environments. Welcome Jagrut. Jagrut Vaishnav, a PCNSE-certified professional, currently serves as a Resident Engineer at Palo Alto Networks. With a strong technical background, he brings a wealth of experience from his previous role in the company's Technical Assistance Center, where he specialized as a Subject Matter Expert (SME) in 5G technologies, advanced networking, and Layer 7 (L7) protocols. Jagrut is now focused on helping customers design and implement robust security infrastructures, providing expert advice on the optimal deployment of Palo Alto Networks' products and solutions. His expertise ensures that clients can efficiently secure their networks while adopting cutting-edge technologies like 5G. Jagrut Holds a Bachelors degree in Electronics and Communications Engineering from RK University Gujarat, India.Jagrut Vaishnav, a PCNSE-certified professional, currently serves as a Resident Engineer at Palo Alto Networks. With a strong technical background, he brings a wealth of experience from his previous role in the company's Technical Assistance Center, where he specialized as a Subject Matter Expert (SME) in 5G technologies, advanced networking, and Layer 7 (L7) protocols. Jagrut is now focused on helping customers design and implement robust security infrastructures, providing expert advice on the optimal deployment of Palo Alto Networks' products and solutions. His expertise ensures that clients can efficiently secure their networks while adopting cutting-edge technologies like 5G. Jagrut Holds a Bachelors degree in Electronics and Communications Engineering from RK University Gujarat, India.

Jagrut: Thank you for inviting me, John. It's my first time on PANCast and I'm really excited to contribute and share my knowledge to our listeners. I've been with palo alto networks for 4 years now and have good experience working on Telco and specifically 5G Security. I'm excited to share insights on 5G security, a crucial aspect of next-gen mobile networks.
  

John: So, what exactly is 5G?

Jagrut: 5G is the fifth generation of mobile network technology, designed to connect virtually everyone and everything together. It promises blazing fast speeds, ultra-low latency, and the ability to connect massive numbers of devices simultaneously. However, these advancements bring new security challenges..
 

John: Thanks Jagrut. What are the key security concerns with 5G?

Jagrut: The primary issue is the increased attack surface due to the millions of connected devices, each a potential entry point for cyberattacks.
  

Then there’s **network slicing**, a feature that allows operators to create multiple virtual networks within a single physical 5G network. While this offers flexibility, it also means that if one slice is compromised, it could potentially impact others if not properly isolated and secured.
  

And let’s not forget about the Internet of Things, or **IoT**. 5G will connect billions of IoT devices, many of which have weak security measures, making them attractive targets for hackers.

 

Palo Alto Networks as Next Generation Firewall, provides security features to inspect 5G Traffic that can be ideally used to protect users from these attacks.
  

John: Got it and what are the challenges faced by implementing 5G Networks?

Jagrut: With 5G, we’re seeing a shift towards **Software-Defined Networks (SDN)**, which centralize control functions. This centralization can become a single point of failure if not adequately protected against attacks.
  

Moreover, the integration of **virtualization and cloud technologies** in 5G networks introduces additional vulnerabilities. Protecting data and ensuring the integrity of virtualized environments are critical concerns.
  

With the world moving faster towards IoT, Many IoT devices have limited computing power for strong security measures, which leads to use weaker authentication and encryption algorithms. Different IoT manufacturers and standards make it hard to enforce uniform security practices.
  

5G's low latency requirements demand real-time processing, which can limit the complexity of security measures and raises concerns regarding, Balancing the need for fast data processing with the need for thorough security checks.

 

John: So  how does Palo Alto Networks fit into this picture?

Jagrut: Palo Alto Networks have looked at the broader picture here, Palo Alto Next Generation Firewalls provides 5G Security solutions and also offer 3G, 4G (SCTP and PFCP) Security Solutions. Palo Alto Networks Firewalls are designed to support the low latency requirements of 5G networks by providing several key features such as High performance hardware models, application-aware traffic management to prioritize critical 5G applications and services, Distributed Security Architecture, integration with automation and orchestration tools that are essential in 5G networks.

The Palo Alto Networks Mobile Network Protection Profile is a security framework designed to address the specific challenges of securing mobile networks. It is part of the broader suite of security solutions offered by Palo Alto Networks, which focuses on providing comprehensive protection across various network environments, including mobile, cloud, and on-premises networks.

Palo Alto Next Generation Firewalls offer various security solutions for protecting 3G/4G/5G networks, which we will now explore. First up is GTP Security:

1) GTP Security:

The GPRS Tunneling Protocol (GTP) is a critical component in the architecture of mobile networks, particularly in the context of 5G. It is used to enable the transmission of data between different nodes in the network and is essential for supporting mobility, session management, and data transport across the network. In simple language it is like a tunnel that allows your mobile data to travel smoothly and securely from your phone to the internet, ensuring a stable connection even when you're on the move.

Palo Alto Networks Next Generation Firewalls Provides stateful inspection for examining the GTP Traffic and upon enabling stateful inspection it keeps the track of a GTP Session. It also checks and validates the order of the different types of GTP Messages that are used to establish a GTP tunnel.

 

2) SCTP Security (3G/4G Security):

 

Second we are going to discuss about SCTP Securoty. SCTP, or Stream Control Transmission Protocol, is a way for computers to talk to each other over a network, like the internet. Think of it as a kind of "postal service" for data that is reliable in delivery, connection oriented and can deliver multiple packages at once.

In 3G networks, it serves as the transport protocol for the interfaces in the Radio Network Subsystem (RNS)
 

Palo Alto Networks firewalls provide a multilayered approach to protect your SCTP traffic    and the applications transported over SCTP from known and unknown attacks and information leakage.

The firewalls apply SCTP security at the transport layer of the OSI model by performing stateful inspection and by enforcing your configuration for validating data packets, SCTP flood protection, and Security policy rules based on the SCTP application.

The firewall also applies SCTP security on upper-layer protocols that run on top of SCTP, typically at the application layer.

 

3) PFCP Security:
  

Third is PFCP Security. PFCP is primarily used in 5G networks as part of the Control and User Plane Separation architecture. This architecture enhances network flexibility and efficiency by decoupling the control and user planes, which allows operators to independently scale and manage the network components responsible for signaling and data transport.

As enterprises migrate their networks to 5G, this transition provides the potential for vulnerability to some of the security risks associated with 5G. As an unprecedented number of devices connect to enterprise and government networks, this increases the potential for attacks and other threats.
 

To address these concerns, networks need to provide simplified and holistic network security that employs zero-trust policies that cover each user, device, application, and piece of data.
  

Palo Alto Networks' Intelligent Security feature provides threat identification and policy enforcement capabilities for our

 

  • Subscribers
  • Users 
  • Equipment 
  • Devices 
  • Network slices
     

This enables network administrators to extend zero-trust policies for their 5G and 4G networks by consistently verifying all subscribers, equipment, applications, and data based on content and subscriber activity.

 

4) Network Slice Security:

Fourth is Network Slice Security. Network slicing security is crucial because it helps protect the integrity, privacy, and reliability of the different services and applications that rely on a shared 5G network infrastructure.

Palo Alto firewalls provide network slice security by inspecting HTTP/2 Messages in a 3GPP 5G Service Based Architecture.
 

Palo Alto firewalls also provide a way to secure dedicated network slices for IoT customers. Customers can configure Security policy rules for a 5G network based on Network Slice/Service Type (SST) in two categories within a single rule: standardized and operator-specific.

The above features can be added using our Mobile Network Protection and SCTP Protection Security Profile located under Objects > Security Profiles. The main limitation of implementing these features is that our firewalls cannot perform stateful inspection on existing ongoing telco traffic. To enable stateful inspection, a new session would need to be initiated, which causes disruption by requiring additional downtime to restart the current telco traffic—a process that is particularly challenging for telco customers.

We have detailed documentation discussing these features and the links to these documents are available on the transcript.

 

John: Good info, thanks Jagrut. What are the other key features that Palo Alto Networks NGFW are focusing on?

 

Jagrut: We primarily focus on three key features, starting with Threat Prevention. Identifying and blocking both known and unknown threats is crucial in a 5G environment. Palo Alto Networks employs AI-driven threat intelligence to stay ahead of potential attacks by applying necessary security profiles blocking threats in security policies for the 5G Network.
  

Second is secure access. With 5G, securing access becomes even more critical. Palo Alto Networks ensures only authorized users and devices can access the network by implementing its UEIP feature and IMSI Filtering.

UEIP is correlation and mapping of the subscriber ID and equipment ID to the User Equipment (Mobile) IP address, whereas IMSI is the unique identification associated with a subscriber in 3G/4G and 5G Networks.
  

Third is Data Protection. Encryption and data leakage prevention keep sensitive information secure, even as data volumes increase exponentially.

 

Episode Takeaways

 

John: Really interesting info, thanks Jagrut. Can you tell us the key takeaways for today?


Jagrut: In this episode, we explored the transformative potential of 5G technology, which promises to deliver faster speeds, lower latency, and the ability to connect a vast number of devices seamlessly. The benefits are clear: 5G is an affordable and scalable solution that can revolutionize industries, from healthcare to smart cities, by enabling innovations like remote surgery and autonomous vehicles.

However, with these advancements come significant security concerns. The complexity of 5G networks introduces new vulnerabilities, making them attractive targets for cyberattacks.

To fully harness the potential of 5G, it's essential to proactively tackle security challenges by implementing robust cybersecurity measures. This includes leveraging features like Palo Alto Networks' NGFW Mobile Network Protection, which secures 5G traffic, alongside other NGFW capabilities such as SSL Decryption, Tunnel Content Inspection, and the optimization of security policies tailored specifically to 5G traffic. Additionally, implementing relevant threat protection not only safeguards the 5G network but also allows customers to adapt to the evolving threat landscape, gaining a deeper understanding of how firewalls can continue to protect their 5G infrastructure as the technology advances.

John: Thanks again Jagrut. PANCasters, as always you can find the transcript and related articles at live.paloaltonetworks.com.

 

Useful links

Below are the few solutions from Palo Alto Networks that help secure the 5G network in an efficient manner with more robust security.

 

  1. SCTP - This document gives a brief introduction on SCTP and also provides steps for configuring SCTP Security using Palo Alto Networks firewalls.
  2. GTP - This document provides a brief overview of GTP Protocol, further categorized into type of GTP Deployments including RAN Security, Roaming Security and Cellular IOT Security, Configuration GTP Security profile and how do we monitor GTP Traffic using Palo Alto Next-Gen Firewalls.
  • 5G Security - This document summarizes the importance of network slicing, how to implement network slicing and how Palo Alto Networks firewalls help securing network slicing.
  • PFCP Security - Palo Alto NGFWs have inline intelligent security using PFCP which helps customer gathering information such as:The Subscriber ID, such as the International Mobile Subscriber Identity (IMSI) or 5G Subscriber Permanent Identifier (SUPI) the Equipment ID, such as the International Mobile Equipment Identity (IMEI) or Permanent Equipment Identifier (PEI) for User Equipment (UE) and mobile devices that are critical for a zero trust security policy in 5G and 4G/LTE mobile networks.

 

Rate this article:
(1)
Comments
L2 Linker

I like this topic and how we can leverage 5G capabilities and be fully aware of the challenges to secure the environment.

  • 665 Views
  • 1 comments
  • 1 Likes
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎10-24-2024 02:21 PM
Updated by: