Mobile Network Operator Infrastructure Security Solution

Agenda:
• LTE Architecture 101
• Security Challenges for MNO
• MNO Security Solutions
• Call to action
[Figure (LTE Architecture 101): reference architecture inside the HPLMN. User data: UE -(Uu)- eNB -(S1-U)- SGW -(S5)- PGW -(SGi)- Internet, with S1-U and S5 carrying GTP-U over UDP/IP. Signaling: eNB -(S1-MME)- MME using S1-AP over SCTP/IP; MME -(S6a)- HSS using Diameter over SCTP/IP; MME -(S11)- SGW and SGW -(S5)- PGW using GTP-C over UDP/IP; PGW -(Gx)- PCRF using Diameter over TCP/IP.]

3 | © 2018, Palo Alto Networks. All Rights Reserved.


GTP-U In Action

[Figure: UE (mobile, IoT devices, PC) -(Uu)- eNB -(S1-U)- SGW -(S5)- PGW -(SGi)- Internet, with the same control-plane links as before (S6a to HSS, S1-MME, S11, Gx to PCRF). The subscriber's HTTP/TCP/IP traffic runs end to end; between eNB and PGW it is encapsulated in GTP-U/UDP/IP. Labels on the user-plane path: malware, Exploit.]


[Figure: LTE roaming. HPLMN (HSS, MME, PCRF, SGW, PGW, Internet) and VPLMN (UE, eNB, MME, SGW, PGW, PCRF) connected over the IPX: S8 between the visited SGW and the home PGW (GTP-C and GTP-U over UDP/IP), S6a between the visited MME and the home HSS (Diameter over SCTP/IP), S9 between the PCRFs. Protocol stacks shown: S1-MME S1-AP/SCTP/IP; S6a Diameter/SCTP/IP; S11, S5 and S8 GTP-C and GTP-U over UDP/IP.]
Agenda (next section): Security Challenges for MNO
Security Activity among Telco Operators
https://www.enisa.europa.eu/publications/signalling-security-in-telecom-ss7-diameter-5g

[Chart: attack frequency per year]


5G Security Survey

Total of 103 CSPs (Carrier Service Providers). The largest share of the sample was from the U.S. (48%), followed by Asia Pacific (19%), Central/Eastern Europe (15%), Western Europe (7%), Canada (6%), Central/South America (4%), and Africa (1%).

Source: Heavy Reading’s 2019 5G Security Survey


Layer-7 Inspection inside 5G Networks is critical for Security

Importance of full Gi/SGi interface content inspection to gain insight into attacks & vulnerabilities: Layer-7 inspection inside 5G mobile networks really matters!

[Chart: share of respondents rating Layer-7 inspection as Somewhat important / Important / Extremely important, per location: MEC cloud, Roaming, 5G NGC Core, 5G NR RAN (scale 0% to 50%).]

Source: Heavy Reading’s 2019 5G Security Survey


5G Security Use Case Priorities – IMSI/IMEI Correlation is Most important

Survey: How important are the following 5G Security Offerings?
• HTTP/2 based web-API security for NEF (Network Exposure Functions) for 5G service based architectures
• Detection and prevention of Mirai-type malware
• Device (IMEI) correlation to threats, vulnerabilities, and attacks (top-3 priority #2)
• Automated and cloud-based proactive security for known and unknown attacks
• Secure applications and services on the mobile edge
• Subscriber (IMSI) correlation to threats, vulnerabilities, and attacks (top-3 priority #1)
• Application visibility and control for IoT services (top-3 priority #3)

[Chart: per offering, share of respondents answering Somewhat / Not Important vs. Extremely Important / Important (0% to 100%).]

Source: Heavy Reading’s 2019 5G Security Survey


Signaling Attacks on the Rise, across 4G/5G Networks

~2.3X rise in service disruption due to signaling attacks from 2014
87%: signaling security between inter-operator networks (roaming) will be crucial in 5G

[Chart: frequency of signaling-attack service disruptions, 2014 vs. 2019 (share of respondents, 0% to 50%): less than once per month, 1-2 times per month, 3-5 times per month, more than 10 times per month.]

Source: Heavy Reading’s 2019 5G Security Survey


Current Security Challenges for Mobile Network Operators

• WEAPONIZED IoT DEVICES: 3X increase in malware targeting IoT/mobile devices (1)
• SIGNALING/CONTROL & APPLICATION-LAYER ATTACKS: 59% see signaling-level disruptions once or more per month (2)
• MOBILE MALWARE & ANDROID EXPLOITS: 101% year-over-year growth in malicious Android files (3)

1 Kaspersky Lab Research
2 Heavy Reading Report
3 Palo Alto Networks Unit 42 Threat Research


Example Issue: Mirai/Gafgyt (and variants) attack stages and mitigation

PANW NG FW can stop this attack at every stage 1-5!

See also (google): Recorded Future, “Mirai-Variant IoT Botnet Used to Target Financial Sector in January 2018”: ~400,000 IoT devices, 1.7Tbps
https://resources.infosecinstitute.com/mirai-botnet-evolution-since-its-source-code-is-available-online/#gref

[Figure: (IoT) botnet. The botnet owner orders an attack (“Attack-as-a-Service”; motivation: smokescreen attack, blackmail, other). Stage 1 DISCOVERY: scanning for vulnerable devices. Stages 2 and 4: bots report to, and receive C2 communication from, the C&C servers. Stage 3: the loader downloads the malware/payload to the device. Stage 5: DDoS attack from the IoT devices against the victim; infected IoT devices turn into new bots.]

How Attack Lifecycle Works and Impact to Mobile Network Infrastructure

[Figure: attacker, botnet infrastructure (C&C, loaders), the devices, and the Evolved Packet Core as the target.]

• STAGE-1: Attacker gathers intelligence (scanning)
• STAGE-2: Device compromise
• STAGE-3: Attacker delivers malware to devices
• STAGE-4: Malware communicates with attacker
• ATTACK STAGE: Attack is launched from the devices against the mobile network infrastructure


Imagine Billions Compromised Things Doing This ...

Signaling storms … [Figure: connected things send UE Attach Requests over the eNodeB to the vMME (S1-MME: S1-AP / SCTP / IP / lower layers); each one triggers an Update Location Request/Response from the vMME to the vHSS (S6a: DIAMETER / SCTP / IP / lower layers), repeated over and over. The vMME and the vHSS are marked with an X.]
Today’s Mobile Network Security Architecture

Stopping attacks from the outside

[Figure: All-IP 4G/5G networks. Mobile users (handsets/tablets, IoT devices, industrial IoT) reach the mobile service provider networks over the radio network interfaces (RAN) and over WiFi networks (trusted/untrusted); the provider network connects to the Internet over the (S)Gi interfaces and to roaming partners over the roaming interfaces.]

CGNAT ≠ Security
IPSec ≠ Security
Layer 4 protection ≠ Security

1 L3/L4 Firewall
2 Disparate systems and lack of coordination
3 Perimeter Security


Lack of Visibility

[Figure: the same open All-IP 4G/5G network. Application-oriented threat vectors enter over the (S)Gi interfaces from the Internet; signaling-oriented threat vectors enter over the roaming interfaces and the radio network interfaces (RAN). Examples called out: signaling storm; fraud via application proxy; exfiltration of sensitive network info (IMSI, location, etc).]

• Exponential increase in application usage and Android exploits
• Volume of infected IoT devices increasing
• Untrusted roaming traffic increasing

1 Advanced threats & infected devices are evading & impacting mobile networks
2 Legacy, manual, & fragmented security mechanisms are not able to keep up
3 Security gap is widening with complex and non-adaptable security architectures


Real World Example SS7 + IP-based Attack

Example: https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank

[Figure: message flow between VICTIM, HLR, SMSC, BANK (www.bank.com) and Attacker. Labels: MAP UpdateLocation (MSISDN); MAP UL puts victim offline and wrong LA into HLR; SMPP; SRI SM, wrong LA informed; FWD TAN; attacker receives TAN for transaction; cash-out.]

IT based component of the attack (Phase 1): Android malware, phishing mail, interactive attack
• Need to know: victim MSISDN and online banking data (MSISDN, online-banking login, password)
• Standard “IT attack” on online banking (phishing, malware, XSS/XSRF)
• Steal online banking login & password
• To do a banking transaction, a TAN/token is needed (received via SMS)

Mobile network attack component: redirect TAN SMS (Phase 2, SS7 attack: attacker acts as MSC)
• Send e.g. UpdateLocation to the HLR for the victim MSISDN (i.e. do this at night)
• Incoming SMS from the victim’s bank will be directed to the rogue location, which is controlled by the attacker
• In combination with online banking access, the stolen 2-factor element received by SMS closes the loop to initiate an illegal money transaction at the cost of the victim (Phase 3: cash-out, e.g. buy bitcoins)

• Other options: e.g. compromised SMSC
Agenda (next section): MNO Security Solutions
Palo Alto Networks Security Framework

COMPLETE VISIBILITY
• All applications
• All users (+ IMSI and IMEI)
• All content
• Signaling layers
• Cloud
• Mobile Networks

REDUCE ATTACK SURFACE
• Enable “good” apps
• Limit app function
• Limit file types
• Allow “good” websites
• Allow “trusted” signaling layers

PREVENT KNOWN THREATS
• Exploits
• Malware
• C&C
• Malicious websites
• Bad domains
• Signaling storms
• Inside tunnels
• Roaming/RAN/EPC

PREVENT UNKNOWN THREATS
• Dynamic analysis
• Static analysis
• Attack techniques
• Anomaly detection
• Analytics


Palo Alto Networks Mobile Core Security Solution

[Figure: enforcement points in the EPC. RAN Security on S1-MME and S1-U between mobile users/IoT devices and MME/SGW; S/Gi Security on SGi between the PGW and PDN/Internet (with IMS, Gx and S9 to the PCRF, S6a to the HSS); Roaming Security on S8, S6a and S9 toward GRX/IPX; ePDG Security on S2a (trusted non-3GPP access) and S2b (untrusted non-3GPP access).]


Complete Visibility to Prevent a Successful Attack

[Figure: the same EPC diagram (HSS, PCRF, IMS, MME, SGW, PGW, ePDG, GRX/IPX, trusted and untrusted non-3GPP access).]

Some Key Features –
• GTP tunnel inspection gives complete L7 application visibility
• Mobile network protection – GTP-C and GTP-U stateful inspection
• IMSI, IMEI & IP Address correlation per mobile device
• Mobile signaling security including Diameter and SS7 filtering
RAN Security

[Figure: MME, SGW, PGW and HSS with the protected legs: SCTP associations and the Diameter-over-SCTP application on S6a; GTP-C (S11) and GTP-U (S1-U) tunnels between mobile users/IoT devices, SGW and PGW/PDN/Internet.]

Requirement → Palo Alto Networks Solution:
• Signaling storm protection → SCTP stateful inspection
• Reduce over-provisioning → Protocol validations
• MME & SGW CPU overload → S1-AP Paging flood protection; S1-AP UE Attach Request flood protection; Diameter 3GPP ULR and AIR message flood protection
• Prevent message floods and reconnaissance attempts → SCTP INIT flood and reconnaissance protection

Requirement → Palo Alto Networks Solution:
• GTP monitoring and enforcement → GTPv2-C, GTPv1-C and GTP-U protocol stateful inspection
• Protection against GTP attacks, vulnerabilities, floods, IoT based DoS and reconnaissance attempts → GTPv2-C, GTPv1-C and GTP-U protocol validations
• Reduce attack surface → IMSI, IMSI-prefix, RAT filtering
• Real-time IMSI, IMEI and IP correlation → GTP-C and GTP-U inspection and correlation
• Visibility into GTP-U tunnel per end user device → GTP-U tunnel inspection and correlation with GTP-C
• Handset and IoT protection → Protection from malware, exploits, spyware, viruses; prevent C2 traffic; overbilling detection
Roaming Security

[Figure: Home PLMN (PGW, HSS, EIR, H-PCRF, SS7) <-> GRX/IPX <-> Visited PLMN (SGW, MME, V-PCRF, SS7). Legs: S8 GTP-C and GTP-U tunnels; S6a, S13 and S9 Diameter/SCTP; SIGTRAN MAP/TCAP/SCCP/M3UA/SCTP.]

Requirement:
• Protection against GTP attacks, vulnerabilities, floods, IoT based DoS and reconnaissance attempts
• GTP monitoring and enforcement
• Reduce attack surface
• Real-time IMSI, IMEI and IP correlation
• Visibility into GTP-U tunnel per end user device
• Detect infected roaming device

Palo Alto Networks Solution:
• SCTP stateful inspection
• Diameter filtering and flood protection
• SS7 filtering
• GTPv2-C, GTPv1-C and GTP-U protocol stateful inspection
• GTPv2-C, GTPv1-C and GTP-U protocol validations
• IMSI, IMSI-prefix, RAT filtering
• GTP-C and GTP-U inspection and correlation
• GTP-U tunnel inspection and correlation with GTP-C
• Protection from malware, exploits, spyware, viruses; prevent C2 traffic and overbilling detection


Use Case #1: Securing SCTP Signaling (S1-MME, S6a, SIGTRAN)

[Figure: deployment positions in a 3G/4G network. RAN Security Platform on the backhaul (BH) between the eNodeBs (X2, S1-MME, S1-U) and the EPC (MME, S-GW); Safe Networking Security Platform on Gi/SGi behind the GGSN/P-GW toward the Internet, next to IMS, OSS, OCS, OFCS, DNS, HSS and PCRF (S6a, Gx, S9); Roaming Security Platform on Gp/S8 toward IPX/GRX. Note: Not all 3G and 4G interfaces are shown.]
GTP/SCTP Attack: Disclosure of Subscriber Sensitive Information

[Figure: an attacker on the GRX reaching GGSN, MME, SGW, HSS and DNS in the HPLMN over Gn, S10 and S11 via MME.]

Attack patterns on the interconnect:
• DIAMETER AIR (needs Session-ID): send S6a Authentication info req [318]; if the Session-ID is known, the HSS will return AVs, which can be used to decrypt traffic/recordings
• TEID guessing: send GTP-U and increment the TEID; a wrong TEID should send back an error, a correct TEID should inject data. As a scanning attempt this is not useful: a wrong TEID WILL NOT result in an error, because a PDU with a wrong TEID is discarded
• GTP context request (needs GUTI): send “context request S10” [130/131]; if the GUTI is known, the IMSI is returned, which can be used to focus other attacks
• GTP context request (needs P-TMSI): send “SGSN context request” [50]; if the (T)IMSI is known, the crypto keys are returned, which can be used to decrypt traffic/recordings

Malicious GTP message mitigation:
• All remote GTP nodes defined in policy inside 1 rule: IP:PORT (Service Object/Group), GTP protocol version
• GTP message type filters per policy rule: selected message types and req<>resp direction; only external messages from external interfaces
• GTP stateful inspection: every message must match a regular flow with its TEID; 6-tuple SIP:SP:DIP:DP:PROTO:TEID; non-matching TEID packets violate stateful inspection; GTP-C additional Seq-Nbr check

Malicious DIAMETER message mitigation:
• All remote DIAMETER nodes defined in policy: IP:PORT (Service Object/Group)
• SCTP association stateful inspection
• DIAMETER protocol sanity check: the DIAMETER Application ID must match the SCTP + message context; the Command Code + used AVPs must match the message context


GTP/SCTP Attack: Disclosure of NW-Element Sensitive Information

[Figure: the same HPLMN elements (HSS, SGW, GGSN, MME, DNS) reached from the GRX over Gn, S10 and S11 via MME.]

Attack patterns on the interconnect:
• SCTP and IP based scan: automated scans for IP ranges (AS); SCTP INIT scans; UDP port scans might even succeed
• GTP echo scan: send GTP echo requests; if the peer answers, you have found a GTP port; easy to scan an entire AS from anywhere
• DIAMETER Base Protocol + DNS: send CER (capability exchange request); peer discovery with DNS SRV / NAPTR
• DNS based discovery / brute force: send queries for internal topology, zone transfers, DNS SW details…; exploitation of DNS vulnerabilities
• NW initiated session (S11): send downlink data for a UE to the PGW; act as SGW and send DL Data Notification; no TEID or context needed; all IEs are optional or conditional (tamper); the SGW buffers & initiates the session (23.401); might even succeed

Malicious GTP scan mitigation:
• All remote GTP nodes defined in policy inside 1 rule: IP:PORT (Service Object/Group), GTP protocol version
• GTP message type filters per policy rule: selected message types and req<>resp direction; only external messages from external interfaces

Malicious SCTP & UDP/IP scan mitigation:
• NW & transport layer scan & flood protection
• IP/UDP/TCP/SCTP packet & scan attack protection
• SCTP-INIT flood protection
• Track SCTP association status

Malicious DIAMETER & DNS mitigation:
• Vulnerability signatures to protect SW stacks: DNS & DIAMETER implementation vulnerability signatures; DNS traffic pattern attack detection (Vulnerability Profile!)
• Protocol sanity check: filtering any malformed messages (double AVP, known malicious source domain/IP, …)
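The Diameter sanity checks named on the two slides above (the Application ID must fit the Command Code, the AVPs must fit the message, double AVPs are filtered), as an added example that is not code from the original deck or from any Palo Alto Networks product. It parses the RFC 6733 header and AVP layout; the required-AVP sets are a small subset of TS 29.272 chosen for this example, and every message is constructed.

```python
import struct
from collections import Counter

# Application-IDs and command codes the check knows (RFC 6733 base protocol, 3GPP TS 29.272 S6a).
BASE_APP, S6A_APP = 0, 16777251
EXPECTED_APP = {257: BASE_APP, 316: S6A_APP, 318: S6A_APP}   # CER, ULR, AIR
# Subset of the mandatory AVPs per request, chosen for this example:
# Session-Id 263, Origin-Host 264, Origin-Realm 296, Destination-Realm 283, User-Name 1 (IMSI)
REQUIRED = {257: {264, 296}, 316: {263, 264, 296, 283, 1}, 318: {263, 264, 296, 283, 1}}
SINGLETON = (263, 283, 1)   # AVPs that must not be doubled in one message
REQUEST = 0x80              # R bit in the command flags

def parse_avps(body):
    """Yield (code, data) for every AVP in body; raise ValueError on a malformed one."""
    off = 0
    while off < len(body):
        if len(body) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags, len_hi, len_lo = struct.unpack("!IBBH", body[off:off + 8])
        length = (len_hi << 16) | len_lo
        hdr = 12 if flags & 0x80 else 8          # V bit adds a 4-octet Vendor-Id
        if length < hdr or off + length > len(body):
            raise ValueError(f"AVP {code} length {length} out of bounds")
        yield code, body[off + hdr:off + length]
        off += (length + 3) & ~3                 # AVPs are padded to a 4-octet boundary

def check_diameter(msg):
    """Return the list of violations found; an empty list means the message passed."""
    issues = []
    if len(msg) < 20:
        return ["short Diameter header"]
    ver, l_hi, l_lo, cflags, c_hi, c_lo, app, _hbh, _e2e = struct.unpack("!BBHBBHIII", msg[:20])
    length, code = (l_hi << 16) | l_lo, (c_hi << 16) | c_lo
    if ver != 1:
        issues.append(f"unsupported version {ver}")
    if length != len(msg):
        issues.append(f"header length {length} != packet length {len(msg)}")
    if code not in EXPECTED_APP:
        issues.append(f"unexpected command code {code}")
    elif app != EXPECTED_APP[code]:
        issues.append(f"Application-ID {app} does not fit command {code}")
    try:
        seen = Counter(c for c, _ in parse_avps(msg[20:]))
    except ValueError as err:
        return issues + [str(err)]
    if cflags & REQUEST and code in REQUIRED:
        missing = sorted(REQUIRED[code] - set(seen))
        if missing:
            issues.append(f"missing AVPs {missing}")
    doubled = [c for c in SINGLETON if seen[c] > 1]
    if doubled:
        issues.append(f"double AVP {doubled}")
    return issues

def avp(code, data):
    """Build one mandatory (M bit) AVP with 4-octet padding; helper for the constructed samples."""
    data = data.encode() if isinstance(data, str) else data
    length = 8 + len(data)
    return struct.pack("!IBBH", code, 0x40, length >> 16, length & 0xFFFF) + data + b"\0" * (-len(data) % 4)

def message(code, app, avps, request=True):
    """Build a Diameter message around the given AVPs; helper for the constructed samples."""
    body = b"".join(avps)
    length = 20 + len(body)
    return struct.pack("!BBHBBHIII", 1, length >> 16, length & 0xFFFF,
                       REQUEST if request else 0, code >> 16, code & 0xFFFF, app, 1, 1) + body

# Constructed S6a AIR (318) from an MME, with a constructed IMSI in User-Name.
GOOD_AIR = message(318, S6A_APP, [avp(263, "mme.example.net;1;1"), avp(264, "mme.example.net"),
                                  avp(296, "example.net"), avp(283, "home.example.net"),
                                  avp(1, "001010123456789")])
```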


Use Case #2: Securing GTP-C Signaling (S11, S8, Gp)

[Figure: the same deployment diagram as Use Case #1 (RAN Security Platform on the backhaul, Safe Networking Security Platform on Gi/SGi, Roaming Security Platform on Gp/S8 toward IPX/GRX). Note: Not all 3G and 4G interfaces are shown.]

… but how can anyone access the GRX/IPX network …?

Aftermath of the Belgacom / BICS incident … and the question what/who else is connected to GRX/IPX


BACKUP SLIDE: GTP Scanning Attack

[Figure: a malicious network node on the GRX/IPX, alongside Roaming Partner 1 and Roaming Partner 2, reaches the home PLMN via BH and scans the S-GW and P-GW in the EPC with GTP-C Echo Request messages.]


GTP Echo Request Flood Attack

[Figure: the same topology; the malicious network node on the GRX/IPX floods the home PLMN's S-GW and P-GW with GTP-C Echo Requests.]


GTPv2-C Create Session Flood

[Figure: GTPv2-C Create Session Request flood on the home PLMN's S-GW and P-GW from two directions: (1) a malicious network node on the GRX/IPX next to the roaming partners, and (1) infected subscribers whose Attach Requests make the MME (2) generate Create Session Requests toward the S-GW and P-GW.]


Causes of GTP-C Flood – Failure of a Network Element

[Figure: in the EPC, the MME and S-GW send a Create PDP Context Request flood toward the PDN-GW; the PDN-GW / H-PCRF (connected to HSS and OCS) is marked with an X as failed, and an L4 FW sits behind the PDN-GW on Gi/SGi.]
Use Case #3: Securing GTP-U & Consequences of UE Malware Penetration (S1-U, S8)

[Figure: the same deployment diagram as Use Case #1. Note: Not all 3G and 4G interfaces are shown.]

GTP Attack: PACKET RELAYING (E.G. GTP-IN-GTP)

NOTE: step 3 could
A) Go anywhere including back to own NW
B) Not every attack needs a response packet
C) Use any other encapsulated protocol than GTP (ICMP, DNS, BGP/OSPF, NTP, SNMP, …)


Overbilling Attack (IP Spoofing)

[Figure: EPC with P-GW, SGi FW and NAT toward a malicious server on the Internet; GTP-U tunnel of Subscriber A and GTP-U tunnel of Subscriber B over the BH.]

1. IP allocation by the PGW: Subscriber A IP 10.10.10.101, Subscriber B IP 10.10.10.102
2. Malicious Subscriber A sends spoofed packets (target B) through its own GTP-U tunnel: src.ip(10.10.10.102), src.port(2000), dst.ip(6.6.6.6), dst port(1500). The same subscriber packet leaves the P-GW over IP/UDP toward the malicious server (IP 6.6.6.6, listens on port 1500)
3. The malicious server sends a high volume of response packets: src.ip(6.6.6.6), src.port(1500), dst.ip(10.10.10.102), dst port(2000)
4. Subscriber B receives the high volume of response packets through its GTP-U tunnel and is overbilled
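The GTP stateful-inspection rule from Use Case #1 (6-tuple SIP:SP:DIP:DP:PROTO:TEID, drop any packet whose TEID has no flow) applied to the overbilling scenario above, as an added example that is not code from the original deck or from any Palo Alto Networks product. It reduces the 6-tuple to (outer src, outer dst, TEID) and adds the per-device IP correlation from the key-features slide: the inner source must be the address the PGW allocated to that tunnel. The outer addresses and TEIDs are constructed.

```python
import struct
from ipaddress import IPv4Address

G_PDU = 0xFF   # GTPv1-U message type for a user-data PDU (T-PDU carrier)

class GtpUInspector:
    """Stateful GTP-U check: a G-PDU is only allowed on a tunnel that GTP-C set up,
    and its inner IPv4 source must be the UE address bound to that tunnel."""

    def __init__(self):
        self.tunnels = {}   # (outer src IP, outer dst IP, TEID) -> UE PDN address

    def learn_session(self, outer_src, outer_dst, teid, ue_ip):
        """Bind a user-plane TEID to the PDN address the PGW allocated (learned from GTP-C)."""
        self.tunnels[(outer_src, outer_dst, teid)] = ue_ip

    def inspect(self, outer_src, outer_dst, gtp):
        """Return ('allow', reason) or ('drop', reason) for one GTP-U packet."""
        if len(gtp) < 8:
            return ("drop", "truncated GTP header")
        flags, msg_type, length, teid = struct.unpack("!BBHI", gtp[:8])
        if flags >> 5 != 1:
            return ("drop", "not GTPv1")
        if msg_type != G_PDU:
            return ("allow", "not a G-PDU; echo/error handling is out of scope here")
        if 8 + length > len(gtp):
            return ("drop", "GTP length field exceeds packet")
        key = (outer_src, outer_dst, teid)
        if key not in self.tunnels:
            return ("drop", f"TEID {teid:#x} has no GTP-C session (stateful violation)")
        # If E, S or PN is set, 4 extra octets precede the T-PDU.
        inner = gtp[8 + (4 if flags & 0x07 else 0):8 + length]
        if len(inner) < 20 or inner[0] >> 4 != 4:
            return ("drop", "inner packet is not IPv4")
        inner_src = str(IPv4Address(inner[12:16]))
        if inner_src != self.tunnels[key]:
            return ("drop", f"inner src {inner_src} spoofed; tunnel belongs to {self.tunnels[key]}")
        return ("allow", "TEID and inner source match the session")

def g_pdu(teid, inner_src, inner_dst, payload=b"x", seq=None):
    """Constructed G-PDU carrying a minimal IPv4 header (no transport layer), for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     IPv4Address(inner_src).packed, IPv4Address(inner_dst).packed) + payload
    ext = b"" if seq is None else struct.pack("!HBB", seq, 0, 0)   # seq, N-PDU, next ext
    flags = 0x30 | (0x02 if seq is not None else 0)                # version 1, PT=1, S bit
    return struct.pack("!BBHI", flags, G_PDU, len(ext) + len(ip), teid) + ext + ip

def demo():
    """Replay the overbilling scenario: A (TEID 0x1001) spoofs B's address 10.10.10.102."""
    fw = GtpUInspector()
    enb, sgw = "198.51.100.1", "198.51.100.2"            # constructed outer addresses
    fw.learn_session(enb, sgw, 0x1001, "10.10.10.101")   # Subscriber A
    fw.learn_session(enb, sgw, 0x1002, "10.10.10.102")   # Subscriber B
    return [fw.inspect(enb, sgw, g_pdu(0x1002, "10.10.10.102", "6.6.6.6"))[0],   # legitimate B
            fw.inspect(enb, sgw, g_pdu(0x1001, "10.10.10.102", "6.6.6.6"))[0],   # A spoofing B
            fw.inspect(enb, sgw, g_pdu(0x1003, "10.10.10.103", "6.6.6.6"))[0]]   # guessed TEID
```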


Use Case #4: Data & Monetary Theft (Fraud)

• Prevent Data & Monetary Theft (i.e. billing systems attacks)
• Limit Over-Provisioning of the Network
• Prevent Loss of Revenue (example … Toll-Free Tunneling)

Example: From Mobile Operator PoC, impact from one single Psiphon application [Chart: lost revenue / network congestion]


Bypass Charging with Tunneling Fraud Application

Billing avoidance by tunneling. Example: Slow DNS

Can bypass charging and content filters; hides the true final receiver of a packet

[Figure: end-user phone (subscriber) -> operator Gi DNS (recursive) -> operator FW (DNS is FoC) -> INTERNET -> DNS tunnel endpoint / VPN endpoint]

1. User installs & configures the APP
• APP acts like a VPN client
• Encapsulates all traffic into DNS
• Additional VPN “inside” DNS
• Operator sees “regular DNS query”
2. Operator DNS is “not authoritative”
• Forwards the “query” to the authoritative server
• This “query” passes the FW
• This “query” normally bypasses charging
3. DNS server for .z84.in (example)
• Open DNS query
• Unveils the VPN packet from the TXT record (obscure data payload/protocol)
• Forwards to the “DNS-VPN” endpoint
4. Any response from the VPN endpoint
• Can go back to the subscriber: free Internet access!
• Could also go anywhere else
• Reply packets appear as query responses

Powered by:
• http://www.magictunnel.net/
• http://slowdns.com/
• https://www.vpnoverdns.com/
… and surely many, many more ….

PANW mitigates this by App-ID
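A detection pass over resolver logs for the DNS-tunnel pattern described above (never-repeating high-entropy subdomains under one zone, TXT queries, large answers), as an added example that is not code from the original deck or from any Palo Alto Networks product. The log lines, the thresholds and the traffic under the .z84.in sample zone are constructed for this example.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): "seq subscriber_ip qname qtype response_bytes"
SAMPLE_LOG = """\
1 10.10.10.101 www.example.com. A 60
2 10.10.10.101 api.example.com. A 62
3 10.10.10.101 www.example.com. A 60
4 10.10.10.103 mail.example.net. MX 90
5 10.10.10.102 k3j9x2m8q1z7wp.t0.z84.in. TXT 410
6 10.10.10.102 h8p2w6d4n1c5yr.t1.z84.in. TXT 455
7 10.10.10.102 q7v1b5m9x3k6ze.t2.z84.in. TXT 470
8 10.10.10.102 z2n8c4r6t0p9wl.t3.z84.in. TXT 462
9 10.10.10.102 m5d1k7x3j9q2hf.t4.z84.in. TXT 448
10 10.10.10.104 www.example.com. A 60
"""

def entropy(s):
    """Shannon entropy of a label in bits per character (encoded payload scores high)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def registered_domain(qname):
    """Last two labels; enough for the sample, a public-suffix list is needed in practice."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def profile(log_text):
    """Aggregate, per registered domain, the features a DNS tunnel leaves behind."""
    per = defaultdict(lambda: {"queries": 0, "names": set(), "name_len": 0,
                               "txt": 0, "entropy": 0.0, "bytes": 0})
    for line in log_text.splitlines():
        _, _, qname, qtype, size = line.split()
        d = per[registered_domain(qname)]
        d["queries"] += 1
        d["names"].add(qname)                    # tunnels never repeat a query name
        d["name_len"] += len(qname)
        d["txt"] += qtype == "TXT"               # downstream data rides in TXT answers
        d["entropy"] += entropy(qname.split(".")[0])
        d["bytes"] += int(size)
    return {dom: {"queries": d["queries"],
                  "unique_ratio": len(d["names"]) / d["queries"],
                  "mean_name_len": d["name_len"] / d["queries"],
                  "txt_ratio": d["txt"] / d["queries"],
                  "mean_label_entropy": d["entropy"] / d["queries"],
                  "mean_resp_bytes": d["bytes"] / d["queries"]}
            for dom, d in per.items()}

def tunnel_suspects(stats, min_queries=4):
    """Domains whose query pattern looks like encapsulated traffic rather than name lookups."""
    out = []
    for dom, s in stats.items():
        if s["queries"] < min_queries:
            continue
        score = sum([s["unique_ratio"] > 0.9, s["mean_name_len"] > 20, s["txt_ratio"] > 0.5,
                     s["mean_label_entropy"] > 3.0, s["mean_resp_bytes"] > 300])
        if score >= 3:                           # constructed threshold: 3 of 5 indicators
            out.append(dom)
    return out
```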
5G-Ready NGFW Positioning for Mobile Network Operators

[Figure: 4G LTE mobile/IoT and 5G NR cellular IoT access into a next-gen core network (control and user plane functions, service specific network slices, virtualized 5G core, edge cloud) connected to the Internet and to roaming networks.]

• Advanced Security across the RAN, Roaming, EPC, Signaling, NB-IoT security
• Application Layer Security at Gi/SGi
• High Throughput Use cases at Gi/SGi


Agenda (next section): Call to action
Seamless Assessment Roaming Security - Tap

[Figure: Roaming Security Platform in tap mode between HPMN and VPMN. HPMN / H-EPC: eNodeB (X2, S1-MME, S1-U), SGSN/MME, S-GW, GGSN/P-GW (S5, Gi/SGi), HSS, hPCRF (Gx), H-BH. VPMN / V-EPC: eNodeB, vSGSN/vMME, vS-GW, vGGSN/vP-GW, HSS, vPCRF, V-BH. Tapped legs: Gp/S8 (GTPv1-C, GTPv2-C and GTP-U over UDP/IP/lower layers), S6d/S6a and S9 (DIAMETER over SCTP/IP/lower layers). Note: Not all 3G and 4G interfaces are shown.]
Seamless Assessment RAN/EPC Security - Tap

[Figure: RAN Security Platform in tap mode on the backhaul (BH) between the eNodeBs (X2) and the MNO EPC. Tapped legs: S1-MME (S1AP over SCTP/IP/lower layers), S6a to the HSS (DIAMETER over SCTP/IP/lower layers), S11 to the MME (GTPv2-C over UDP/IP/lower layers), S1-U and S5 to the S-GW and GGSN/P-GW (GTP-U over UDP/IP/lower layers), Gi/SGi. The EPC border router could act as SecGW. Note: Not all 3G and 4G interfaces are shown.]


Security Assessment and Analysis Report
THANK YOU
