What is a GTP firewall

What is important in a 5G-compatible firewall

5G-capable next-generation firewalls

Munich / Vienna / Zurich, Palo Alto Networks | Author: Herbert Wieler

Field-tested security advice from Palo Alto Networks

The 5G network promises transformative advances in mobile solutions by offering an improved mobile broadband experience and by greatly driving industrial digitization. The new types of services and applications will offer new revenue opportunities. However, because the number of potential entry points for attackers is growing enormously, the potential for cyber threats will change with 5G. 5G-compatible firewalls will therefore be an important component of secure IT infrastructures. Martin Schauf, Senior Systems Engineering Manager at Palo Alto Networks, explains what distinguishes them and what to look out for.

Mobile network operators are already confronted with new security incidents that can be traced back to malware and that endanger network availability and subscribers' end devices. In addition, operators are observing significant changes in network traffic characteristics due to the exponential growth of roaming and signaling traffic. This is accompanied by new threat vectors that increase the risk of service disruptions by malicious actors who can overload the signaling infrastructure.

Robust, prevention-oriented security strategy required

“These growing threats and vulnerabilities that previously focused on the SGi interface can now exploit the application layer on other cellular interfaces. This could impair the quality of service, create challenges in terms of network performance and the network operators' turnover could suffer,” explains Martin Schauf. To prevent this, a robust, prevention-oriented security strategy is required that takes advantage of transparency at the application level and encompasses the entire 4G/5G network, including IoT, RAN (Radio Access Network), mobile backhaul, EPC (Evolved Packet Core) and interfaces to other networks. This applies across all planes: user, control and management.

The first 5G-capable next-generation firewalls, which have recently come onto the market, were developed specifically for cellular network deployments by service providers, with the focus on the security requirements of 5G and IoT. On the one hand, these firewalls have to meet the growing demands on throughput due to the increasing amounts of application-, user- and device-generated data. On the other hand, state-of-the-art threat prevention capabilities are required to stop advanced cyberattacks and protect mobile network infrastructures, subscribers and services.

The new firewalls already achieve a throughput of up to 1 Tbit/s by using dedicated processing and storage resources for networks, security, threat protection and management. They can be configured to meet the different security and throughput requirements of network operators. This makes these firewalls suitable for protecting existing 4G networks as well as future 5G and IoT implementations. It is crucial for 5G-enabled firewalls that they can be used on all current network interfaces in order to achieve scalable, complete protection with consistent management and application transparency.

In-depth transparency and detailed control over the network landscape

In general, the decisive factors for modern 5G-capable firewalls are in-depth transparency and detailed control over the network landscape. This includes complete transparency at all levels, including signaling, data and control levels, with visibility at application level in mobile tunnels.

Correlating IMSI and IMEI with threats to identify infected subscribers and devices provides meaningful insights for faster resolution of security problems. The IMSI (International Mobile Subscriber Identity) identifies the subscriber, and the IMEI (International Mobile Equipment Identity) identifies the end device.

An automated, cloud-based threat analysis based on machine learning and artificial intelligence enables a fast, real-time reaction to threats in networks on a global level. This includes identifying and analyzing unknown malware based on hundreds of malicious behaviors, combined with automated protection measures. Data-driven threat defense that provides contextual security results is effective in preventing multi-stage attacks and anomalies.

A cloud-enabled security platform - with the same functions in physical and virtualized implementations - ensures consistent security monitoring at all locations. Also important is support for an open API that offers operational simplicity, ease of use and the ability to integrate with NFV (Network Functions Virtualization) ecosystems and Software Defined Networks (SDN). The vertical and horizontal scaling of VNFs (Virtual Network Functions) ensures more agility and flexibility.

Special security functions for cellular networks

“A 5G-capable firewall offers additional special security functions for modern cellular networks. The hoped-for results can be achieved within the scope of various application scenarios, each of which contributes its part to an overall improvement in the security situation,” reports Martin Schauf.

Roaming security is about protecting the cellular network from signaling storms, including various tunneling and application layer attacks that are carried out via the GRX/IPX networks (GPRS Roaming Exchange, IP Exchange) on the S8 and S6a/S6d interfaces. It is just as important to secure the radio access network (RAN): the 5G-capable firewall provides complete content monitoring of subscriber traffic in GTP tunnels on the control, signaling and data layers, and the resulting application visibility helps prevent suspicious signaling events in the access network. GTP (GPRS Tunneling Protocol) is a group of IP-based tunneling protocols that are used in cellular networks. GTP-U is used to transport user data and GTP-C to transport control data. Inspecting GTP-U content and GTP-C state is intended to prevent attacks from devices and stop suspicious signaling events.
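As an added illustration (not code from Palo Alto Networks or the original article), the Python sketch below shows the first step of the GTP inspection described above: telling GTP-C from GTP-U by UDP port, validating the header, and exposing the tunnel ID and the inner IP addresses of a GTP-U user packet. The function name, result fields and sample packet are constructed for this example.

```python
import ipaddress
import struct

GTP_C_PORT, GTP_U_PORT = 2123, 2152  # registered UDP ports for GTP-C and GTP-U
G_PDU = 0xFF                         # GTPv1-U message type that carries a user packet

def inspect_gtp(udp_dport, payload):
    """Classify one UDP payload as GTP-C or GTP-U and return what a firewall would log."""
    if udp_dport not in (GTP_C_PORT, GTP_U_PORT):
        return {"plane": None, "issues": ["not a GTP port"]}
    plane = "GTP-C" if udp_dport == GTP_C_PORT else "GTP-U"
    if len(payload) < 8:
        return {"plane": plane, "issues": ["truncated header"]}
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    version = flags >> 5
    info = {"plane": plane, "version": version, "msg_type": msg_type, "issues": []}
    if plane == "GTP-C":
        # GTPv1-C always carries a TEID; GTPv2-C only when the T flag (0x08) is set.
        if version == 1 or (version == 2 and flags & 0x08):
            info["teid"] = struct.unpack("!I", payload[4:8])[0]
        return info
    if version != 1 or not flags & 0x10:
        info["issues"].append("not GTPv1 (version/protocol-type bits)")
        return info
    info["teid"] = struct.unpack("!I", payload[4:8])[0]
    # The length field counts everything after the mandatory 8-byte header.
    if length != len(payload) - 8:
        info["issues"].append("length field does not match datagram size")
    # E/S/PN flags add 4 optional bytes; extension headers are not walked here.
    inner = payload[12 if flags & 0x07 else 8:]
    if msg_type == G_PDU and len(inner) >= 20 and inner[0] >> 4 == 4:
        info["inner_src"] = str(ipaddress.IPv4Address(inner[12:16]))
        info["inner_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
    return info

# Constructed sample: GTPv1-U G-PDU, TEID 0x1234, wrapping a bare IPv4 header.
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                    ipaddress.IPv4Address("10.0.0.1").packed,
                    ipaddress.IPv4Address("192.0.2.10").packed)
SAMPLE_GPDU = struct.pack("!BBHI", 0x30, G_PDU, len(INNER), 0x1234) + INNER

if __name__ == "__main__":
    print(inspect_gtp(GTP_U_PORT, SAMPLE_GPDU))
```

The TEID and inner addresses are the keys a stateful device would match against the sessions it learned from GTP-C before allowing the user packet through.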

Another topic is cellular IoT security: the cellular network must be protected against attacks by NB-IoT devices “armed” with malware. NB-IoT (Narrowband IoT) is a connectivity standard for LPWA (Low Power Wide Area) networks. Comprehensive transparency and detailed control over NB-IoT traffic, combined with automated security measures, enable a rapid response to threats. They help to detect attacks from known and unknown threats and to prevent command-and-control communication, denial-of-service attacks and other malicious activities. Visibility and prevention functions at multiple levels of signaling traffic, including SCTP, SIGTRAN, Diameter and SS7, ensure that it is handled securely. A comprehensive, prevention-oriented security strategy also applies application-level transparency to the Gi/SGi interface to secure it.

When 5G goes into operation, security measures must already be in place

If these necessary security functions are available in 5G networks, network operators can optimally protect their own network elements. At the same time, they can provide differentiated network security services for companies, which can then transform their business operations in a secure manner with new 5G applications. It is also clear that the mobile network operators have to take action so that the security measures are active as soon as the first 5G networks go into operation.

“Attackers will also rely on automation to find weak points in the networks that they can exploit for their own purposes. A modern, integrated security platform, based on a 5G-capable next-generation firewall, helps mobile network operators to cope with the coming security challenges as a result of the 5G structure and the IoT expansion,” concludes Martin Schauf. “A contemporary solution of this kind provides the necessary comprehensive visibility in the network to prevent the installation and successful execution of malware.”