AWS Partner Network (APN) Blog

Securing 5G Core Applications on AWS Snowball Edge with Palo Alto Networks

By Girum Haile, Sr. Solutions Architect – AWS
By Mark Nguyen, Principal Solutions Architect – AWS
By Mitch Rappard, Solutions Architect, Service Provider – Palo Alto Networks


Zero trust is a security framework centered on the idea that all users, devices, and services—whether in or outside the organization’s network—need to be authenticated, authorized, and continuously validated for security regardless of where they reside.

Zero trust assumes there is no traditional network edge and requires every user or assigned role to strongly prove their identities and trustworthiness. It enforces fine-grained identity-based authorization rules before allowing users to access applications, data, and other systems.

The Zero Trust Architecture (ZTA) is a shift from the framework of “trust but verify” to “never trust, always verify.” In this model, no user, server, or device is trusted to access a resource until their identity and authorization are verified. The user’s identity is verified again even if they have accessed the network previously.

The security pillar of the AWS Well-Architected Framework describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that improves security posture. The security pillar doesn’t just apply to Amazon Web Services (AWS) regions and Availability Zones (AZs) but also to hybrid cloud solutions on premises.

In this post, we will focus on security using AWS Snowball Edge and how the Palo Alto Networks VM-Series firewall is deployed and configured to secure access to a 5G core application providing cellular 5G connectivity for AWS customers.

Palo Alto Networks is an AWS Security Competency Partner and AWS Marketplace Seller that helps customers accelerate cloud migration initiatives with inline and API-based security offerings that complement native AWS security features.

Security on AWS Snowball Edge

Conforming to the AWS Shared Responsibility Model, which includes regulations and guidelines for data protection, AWS Snowball Edge protects your data when you import data into or export data from Amazon Simple Storage Service (Amazon S3), when you create a job, and when your device is updated. Data transferred to a device is protected by secure sockets layer (SSL) encryption over the network. To protect data at rest, Snowball Edge uses server-side encryption (SSE).

Every AWS Snowball job must be authenticated, and job authentication is done by creating and managing AWS Identity and Access Management (IAM) users in the AWS account. Using the IAM service that runs locally on the device, the administrator creates and manages users and permissions. Access to AWS Snowball also requires credentials to authenticate your requests. Those credentials must have permission to access AWS resources, such as an Amazon S3 bucket or an AWS Lambda function.

Each Snowball Edge job has a set of credentials you must get from the AWS Snow Family console or the job management API to authenticate your access to the Snowball device. These credentials are an encrypted manifest file and an unlock code. The manifest file contains important information about the job and the permissions associated with it.

The Palo Alto Networks VM-Series firewall is the virtual form factor of a next-generation firewall (NGFW) deployed in AWS regions and hybrid cloud solutions. The firewall enables you to securely implement a cloud-first methodology while transforming your data center into a hybrid architecture that combines the scalability and agility of AWS with your enterprise network resources.

The VM-Series protects applications and data with next-gen security features that deliver superior visibility, precise control, and threat prevention at the application level. Automation features and centralized management allow you to embed security in your application development process, ensuring security is keeping pace with the speed of the cloud.

Palo Alto Networks and Security

Palo Alto Networks is a thought leader in zero trust. In 2021, NIST selected Palo Alto Networks as a private sector collaborator at the National Cybersecurity Center of Excellence to help build zero trust reference architectures using industry-leading technology capabilities.

Through the National Security Telecommunications Advisory Committee (NSTAC), Palo Alto Networks also co-chaired a study tasked by the White House that provided industry guidance on how the government will effectively implement the federal Office of Management and Budget (OMB) Zero Trust Strategy.

Additionally, the NGFW meets the National Institute of Standards and Technology (NIST) requirements for a policy enforcement point (PEP) specified in Special Publication 800-207, and the Palo Alto Networks VM-Series is eligible to be used as a Stateful Packet Filter Firewall component in a Commercial Solutions for Classified (CSfC) solution.

The Palo Alto Networks VM-Series firewall runs as an Amazon EC2-compatible instance on the Snowball Edge.

The following diagram shows how the 5G packet core workload is deployed without the firewall. Traffic from the user endpoints (UEs) is sent by the gNB to the router, which is connected to the Snowball Edge via an 802.1Q trunk capable of carrying multiple VLANs.

Figure 1 – 5G traffic without firewall.

The use of a Direct Network Interface (DNI) enables multiple interface attachments to the 5GC instance, each with its own VLAN, so that traffic is forwarded to its intended destination across its respective VLAN.

In the example shown in Figure 1, traffic from/to the radio network (N2 and N3 interfaces) uses VLAN 10 to reach eth1. The UPF decapsulates the GTP traffic from the RAN and then sends it out to the internet via eth2. Traffic from the internet to the UE is similarly redirected by the external router to the 5G core’s eth2.

The integration of the 5G core without any firewall exposes the 5G core to security vulnerabilities such as DNS hijacking, signaling attacks, denial-of-service (DoS) attacks, exploit attempts, and GTP traffic flooding.

To protect 5G users and core workloads from these types of attacks, the firewall is deployed as illustrated below.

Figure 2 – Protecting 5G traffic with VM-Series firewall.

In this case, the radio traffic from the gNB is steered to the VM-Series firewall by the external router. Traffic segregation is again provided by VLANs on the Snowball Edge. When the firewall receives the traffic, it applies various security policies to protect the 5G core, giving a multi-layered defense for radio traffic coming from the RAN. The two common areas of attack on the radio side are SCTP and GTP attacks.

SCTP Traffic Protection

Stream Control Transmission Protocol (SCTP, IP protocol number 132) is a transport-layer protocol that sits alongside TCP and UDP on top of IP. The firewall's SCTP security policies are applied at the transport layer of the OSI model by performing stateful inspection and by enforcing your configuration for chunk validation and SCTP INIT flood protection.

The firewall also applies SCTP security to upper-layer protocols that run on top of SCTP, typically at the application layer, when you filter PPIDs, Diameter applications, or SS7 chunks.

To configure SCTP security:

  • Block or allow SCTP packets in a zone to/from various IP addresses.
  • Perform SCTP stateful inspection. The firewall automatically begins stateful inspection even if the profile has no specific settings.
  • Validate SCTP packets by identifying unknown or malformed chunks, chunks with an invalid length, and chunks with non-compliant chunk flags.
  • Apply SCTP security on upper-layer protocols that run on top of SCTP by filtering the payloads of SCTP data chunks, depending on your use case:
    • Block, allow, or generate alerts regarding Payload Protocol Identifiers (PPIDs).
    • Block, allow, or generate alerts regarding Diameter chunks to filter Diameter applications and messages.
    • Block, allow, or generate alerts regarding SS7 chunks to filter applications that use SCTP signaling.
  • Configure SCTP INIT Flood Protection to protect a zone against flooding of SCTP INIT chunks.
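To make the chunk validation and INIT flood checks in the list above concrete, the following Python example (added here; it is not Palo Alto Networks code and does not reflect how PAN-OS implements these checks) walks the chunk list of an SCTP packet, reports unknown chunk types, invalid chunk lengths, reserved flag bits and an INIT chunk carried with a non-zero verification tag, and counts INIT chunks per source over a sliding window. The chunk-type table, flag bits and minimum lengths follow RFC 4960; the sample packets, the source address and the flood threshold are constructed for the example.

```python
"""SCTP chunk validation and INIT-flood counting (constructed example, not PAN-OS code)."""
import struct
from collections import defaultdict, deque

SCTP_HEADER_LEN = 12  # source port, destination port, verification tag, checksum

# Chunk types from RFC 4960 section 3.2; anything else is reported as unknown
CHUNK_NAMES = {
    0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
    5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
    9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK", 12: "ECNE",
    13: "CWR", 14: "SHUTDOWN COMPLETE",
}
# Flag bits a chunk type may legitimately set (DATA: I/U/B/E; ABORT and
# SHUTDOWN COMPLETE: T); every other bit is reserved and must be zero
ALLOWED_FLAGS = defaultdict(int, {0: 0x0F, 6: 0x01, 14: 0x01})
# Minimum chunk length including the 4-byte chunk header
MIN_CHUNK_LEN = defaultdict(lambda: 4, {0: 17, 1: 20, 2: 20, 3: 16})


def validate_sctp(packet: bytes):
    """Walk the chunk list; return (chunks, findings) with findings as text reasons."""
    findings = []
    if len(packet) < SCTP_HEADER_LEN:
        return [], ["truncated common header"]
    _src, _dst, vtag, _csum = struct.unpack("!HHII", packet[:SCTP_HEADER_LEN])
    chunks, offset = [], SCTP_HEADER_LEN
    while offset < len(packet):
        if len(packet) - offset < 4:
            findings.append(f"{len(packet) - offset} trailing byte(s) cannot hold a chunk header")
            break
        ctype, flags, length = struct.unpack("!BBH", packet[offset:offset + 4])
        name = CHUNK_NAMES.get(ctype)
        if name is None:
            findings.append(f"unknown chunk type {ctype} at offset {offset}")
            name = f"type-{ctype}"
        if length < MIN_CHUNK_LEN[ctype] or offset + length > len(packet):
            findings.append(f"{name} chunk has invalid length {length}")
            break  # the length field cannot be trusted to locate the next chunk
        if flags & ~ALLOWED_FLAGS[ctype] & 0xFF:
            findings.append(f"{name} chunk sets reserved flag bits (flags=0x{flags:02x})")
        if ctype == 1 and vtag != 0:
            findings.append("INIT chunk carried with a non-zero verification tag")
        chunks.append((ctype, flags, length))
        offset += (length + 3) & ~3  # chunks are padded to a 4-byte boundary
    return chunks, findings


class InitFloodDetector:
    """Sliding-window count of INIT chunks per source, like a zone's INIT flood threshold."""

    def __init__(self, threshold: int, window_s: float):
        self.threshold = threshold
        self.window_s = window_s
        self._seen = defaultdict(deque)

    def observe(self, src_ip: str, chunks, now: float) -> bool:
        """Record the INIT chunks of one packet; True once the source exceeds the threshold."""
        q = self._seen[src_ip]
        q.extend(now for ctype, _flags, _length in chunks if ctype == 1)
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.threshold


def build_sctp(src_port, dst_port, vtag, chunks):
    """Assemble a packet from (type, flags, value) tuples; the CRC32c checksum is left zero."""
    out = struct.pack("!HHII", src_port, dst_port, vtag, 0)
    for ctype, flags, value in chunks:
        length = 4 + len(value)
        out += struct.pack("!BBH", ctype, flags, length) + value + b"\x00" * (-length % 4)
    return out


def sample_good():
    """A well-formed INIT toward the NGAP port (38412): tag, a_rwnd, streams, initial TSN."""
    init_body = struct.pack("!IIHHI", 0x1234ABCD, 65535, 10, 10, 1)
    return build_sctp(38412, 38412, 0, [(1, 0x00, init_body)])


def sample_bad():
    """Unknown chunk type, DATA with a reserved flag, and a chunk whose length is too small."""
    pkt = build_sctp(38412, 38412, 0xDEADBEEF, [(200, 0x00, b""), (0, 0x83, b"\x00" * 13)])
    return pkt + struct.pack("!BBH", 4, 0x00, 2)  # HEARTBEAT header claiming length 2


if __name__ == "__main__":
    for label, pkt in (("good", sample_good()), ("bad", sample_bad())):
        chunks, findings = validate_sctp(pkt)
        print(label, [CHUNK_NAMES.get(c, c) for c, _, _ in chunks], findings)
    det = InitFloodDetector(threshold=5, window_s=1.0)  # constructed threshold and source
    hits = [det.observe("198.51.100.7", validate_sctp(sample_good())[0], 0.1 * i) for i in range(6)]
    print("INIT flood flagged per packet:", hits)
```

The validator stops at the first bad length because a corrupt length field means the next chunk boundary is unknown, which is the same reason a firewall drops rather than skips such a packet. The flood detector keys on the source address only; a real zone protection profile tracks the rate per zone and can also act per destination.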

Another area of vulnerability on the radio path (N2 and N3 traffic) is the GPRS Tunneling Protocol (GTP). GTP allows 5G users to maintain a connection to the 5G core for internet access and other anchored applications running on the Snowball Edge (SBE) while on the move.

The GTP feature on the NGFW allows you to statefully inspect, validate, filter, and perform security checks on GTPv2-C, GTPv1-C, and GTP-U protocol messages. Without GTP traffic protection, the 5G core will be exposed to attacks such as malformed GTP packets, DoS, out-of-state GTP messages, spoofed IP packets, and overbilling attacks.

GTP Traffic Protection

GTP protection on the firewall is enabled using the following steps.

Step 1: Enable GTP Security

  • Log in to the firewall web interface.
  • Select Device > Setup > Management > General Settings.
  • Select GTP Security.
  • Click OK.
  • Commit the change.
  • Select Device > Setup > Operations and click Reboot Device.

Step 2: Create a Mobile Network Protection Profile to Inspect GTP Traffic

  • Select Objects > Security Profiles > Mobile Network Protection and Add a new profile.
  • Give the profile a descriptive Name.
  • Set up Mobile Network Protection Profile for the GTP version(s) you want to inspect, and configure the available options for filtering, overbilling protection, and logging of GTP messages.

Step 3: Create a Security Policy Rule Allowing GTP Traffic on Your Network

  • Select Policies > Security, click Add, and enter a descriptive Name for the rule in the General tab.
  • In the Source tab, add the Source Zone.
  • In the Destination tab, add the Destination Zone.
  • In the Application tab, add the applications that correspond to the network services you want to safely allow (GTP-v1, GTP-v2, GTP-u).
  • In the Service/URL Category tab, change the Service from application-default to any to ensure GTP traffic is detected even if it’s present on non-standard ports.
  • In the Actions tab, set the action to Allow.
  • Attach the Mobile Network Protection profile to the Security policy rule. For Profile Type, select Profiles and select the Mobile Network Protection profile you set up earlier.
  • Verify that Log at Session End is enabled. GTP session start and GTP session end events are logged only when you enable Log at Session Start and Log at Session End in a Security policy rule.
  • Click OK.
  • Commit policies to the firewall’s running configuration.

Step 4: Monitor GTP Traffic to Verify Setup of GTP Inspection

For traffic protection on the user plane from the internet, the firewall applies the security policies common to internet user traffic, based on the customer's requirements. In addition to those customized requirements, Palo Alto Networks publishes best-practice guidance for internet gateway deployments (an N6 firewall and an internet gateway firewall will have a similar security posture).

Additional details can be found in the Palo Alto Networks documentation, but in summary all of the security features of the NGFW are recommended, such as File Blocking, Antivirus Protection, Vulnerability Protection, Anti-Spyware and DNS Security, URL Filtering, and WildFire for unknown malware detection.

In use cases where the 5G control traffic and user traffic are deployed separately and communication between the SMF and UPF is exposed, the firewall monitors the N4 interface where the PFCP protocol is used. The following diagram shows the deployment of control and user plane traffic in separate locations.

Figure 3 – Protecting 5G traffic with VM-Series in a CUPS architecture.

In this diagram, the firewall is deployed in the AWS region and Snowball Edge. The control plane traffic is monitored by the firewall in the region, while the user plane traffic is monitored on the SBE.

When the firewall sees N4 traffic, it can correlate the PFCP session information with its GTP-U tunnel inspection. This is beneficial because it allows the firewall to log the IMSI and IMEI for each session and to include that information in any threat logs.

Furthermore, it’s possible to create policies per IMSI (or IMSI group) or per IMEI (or IMEI group) for granular security postures. For example, you could enable one set of applications for a specific device like a robot on a factory floor, and another set of applications for the plant manager’s tablet.
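The following Python example, added here and not drawn from the firewall's implementation, ties together the stateful GTP-U checks described under GTP Traffic Protection (malformed headers, out-of-state messages, spoofed inner IP packets) and the subscriber correlation just discussed. Tunnel state (TEID, UE address, IMSI, IMEI and an IMSI group) is learned from a simplified control-plane event that stands in for the PFCP session establishment seen on N4; each G-PDU is then checked against that state and against a per-IMSI-group allowlist, and every verdict is logged with the subscriber identity. Inner destination ports stand in for App-ID, and all TEIDs, addresses, IMSIs and IMEIs are constructed values.

```python
"""GTP-U stateful inspection with subscriber correlation (constructed example, not PAN-OS code)."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

GTPU_HEADER_LEN = 8  # flags, message type, length, TEID (3GPP TS 29.281 mandatory header)
GTPU_MSG_NAMES = {0x01: "Echo Request", 0x02: "Echo Response", 0x1A: "Error Indication",
                  0x1F: "Supported Extension Headers Notification", 0xFE: "End Marker",
                  0xFF: "G-PDU"}


@dataclass
class Tunnel:
    """Tunnel state learned from the control plane (PFCP on N4 in a CUPS deployment)."""
    teid: int
    ue_ip: IPv4Address
    imsi: str
    imei: str
    imsi_group: str


@dataclass
class GtpuInspector:
    # Allowed inner destination ports per IMSI group; a stand-in for App-ID based policy
    group_policy: dict
    tunnels: dict = field(default_factory=dict)
    logs: list = field(default_factory=list)

    def session_established(self, tunnel: Tunnel):
        self.tunnels[tunnel.teid] = tunnel

    def inspect(self, packet: bytes) -> str:
        """Return an 'allow ...' or 'drop: ...' verdict and record a log line with IMSI/IMEI."""
        if len(packet) < GTPU_HEADER_LEN:
            return self._log(None, "drop: truncated GTP-U header")
        flags, msg_type, length, teid = struct.unpack("!BBHI", packet[:GTPU_HEADER_LEN])
        version, pt = flags >> 5, (flags >> 4) & 1
        if version != 1 or pt != 1:
            return self._log(None, f"drop: malformed header (version={version}, PT={pt})")
        if length != len(packet) - GTPU_HEADER_LEN:
            return self._log(None, f"drop: length field {length} does not match payload")
        if msg_type not in GTPU_MSG_NAMES:
            return self._log(None, f"drop: unknown message type 0x{msg_type:02x}")
        if msg_type != 0xFF:
            return self._log(None, f"allow {GTPU_MSG_NAMES[msg_type]}")
        tunnel = self.tunnels.get(teid)
        if tunnel is None:
            return self._log(None, f"drop: out-of-state G-PDU for unknown TEID 0x{teid:08x}")
        hdr_len = GTPU_HEADER_LEN + (4 if flags & 0x07 else 0)  # E, S or PN bit adds 4 bytes
        inner = packet[hdr_len:]
        if len(inner) < 20 or inner[0] >> 4 != 4:
            return self._log(tunnel, "drop: inner payload is not a complete IPv4 header")
        src = IPv4Address(inner[12:16])
        if src != tunnel.ue_ip:
            return self._log(tunnel, f"drop: spoofed inner source {src}, tunnel UE is {tunnel.ue_ip}")
        ihl, proto = (inner[0] & 0x0F) * 4, inner[9]
        if proto in (6, 17) and len(inner) >= ihl + 4:  # TCP or UDP: read the destination port
            dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
            if dport not in self.group_policy.get(tunnel.imsi_group, set()):
                return self._log(tunnel, f"drop: port {dport} not allowed for group {tunnel.imsi_group}")
        return self._log(tunnel, "allow")

    def _log(self, tunnel, verdict: str) -> str:
        who = f"imsi={tunnel.imsi} imei={tunnel.imei}" if tunnel else "imsi=- imei=-"
        self.logs.append(f"{who} {verdict}")
        return verdict


def build_gpdu(teid: int, inner: bytes) -> bytes:
    """GTPv1-U G-PDU with no optional fields wrapping an inner IP packet."""
    return struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid) + inner


def build_ipv4_udp(src: str, dst: str, dport: int, payload: bytes = b"") -> bytes:
    """Minimal IPv4/UDP datagram (checksums zero) used as the inner packet."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + udp


def demo():
    """Constructed TEIDs, UE addresses, IMSIs and IMEIs; returns the inspector and verdicts."""
    insp = GtpuInspector(group_policy={"factory-robots": {502}, "staff-tablets": {53, 443}})
    insp.session_established(Tunnel(0x1001, IPv4Address("10.45.0.2"), "001010000000001", "35000000000000", "factory-robots"))
    insp.session_established(Tunnel(0x1002, IPv4Address("10.45.0.3"), "001010000000002", "35000000000001", "staff-tablets"))
    verdicts = [
        insp.inspect(build_gpdu(0x1001, build_ipv4_udp("10.45.0.2", "192.0.2.10", 502))),  # robot -> Modbus
        insp.inspect(build_gpdu(0x1001, build_ipv4_udp("10.45.0.2", "192.0.2.10", 443))),  # robot -> HTTPS
        insp.inspect(build_gpdu(0x1001, build_ipv4_udp("10.45.0.3", "192.0.2.10", 502))),  # wrong UE address
        insp.inspect(build_gpdu(0x9999, build_ipv4_udp("10.45.0.9", "192.0.2.10", 53))),   # no such tunnel
        insp.inspect(struct.pack("!BBHI", 0x50, 0xFF, 0, 0x1001)),                         # GTP version 2
    ]
    return insp, verdicts


if __name__ == "__main__":
    inspector, _ = demo()
    print("\n".join(inspector.logs))
```

The spoofing check only works because the tunnel table carries the UE address assigned by the control plane; without N4 visibility the firewall would have to trust whatever inner source address the gNB forwards, which is the gap the CUPS deployment in Figure 3 closes.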

Conclusion

AWS Snowball, in combination with the Palo Alto Networks security solution and AWS security services, provides a way to apply a zero trust framework to your 5G core workloads, protecting both 5G core and user traffic from malicious attacks.
