CPC: H04L 63/0263 (2013.01) [H04L 61/5007 (2022.05); H04L 63/10 (2013.01); H04L 63/1458 (2013.01); H04L 63/1466 (2013.01); H04L 63/20 (2013.01); H04W 12/122 (2021.01); H04W 24/08 (2013.01); H04L 2463/141 (2013.01); H04W 80/02 (2013.01); H04W 84/04 (2013.01)]
11 Claims

1. A system, comprising:
a processor configured to:
monitor network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, wherein the mobile network includes a 4G network or a 5G network;
extract parameters from monitored PFCP traffic to build sessions based on a 5-tuple related to a PFCP association at the security platform, comprising to:
parse a PFCP message of the monitored PFCP traffic to extract a Node ID, a source IP address, Session Endpoint Identifier (SEID) 1, a destination IP address, SEID 2, and the protocol in use related to a PFCP association;
extract parameters from the monitored PFCP traffic to build a PFCP session state machine at the security platform;
enforce a security policy to only allow PFCP session related messages from a control plane (CP) to a user plane (UP) function matching an ‘ACTIVE’ session corresponding to an existing PFCP association; and
enforce a security policy to perform a sequence number check, wherein the enforcing of the security policy to perform the sequence number check comprises to:
check a sequence number in a PFCP request message and a sequence number in a PFCP response message; and
a memory coupled to the processor and configured to provide the processor with instructions.
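The following is an added illustration of the claim elements above (PFCP header parsing, session tracking keyed on Node ID / source IP / SEID 1 / destination IP / SEID 2 / protocol, an association and session state machine, and the request/response sequence number check). It is example code written for this page, not code from the patent or from any vendor's security platform. The header layout, message type numbers and IE type numbers follow 3GPP TS 29.244; everything else is simplified: only the Node ID (IPv4 form) and F-SEID (IPv4 form) IEs are decoded, vendor-specific IEs are not handled, and the CP/UP addresses, SEIDs and the message exchange in `demo()` are constructed test data, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# PFCP message types and IE types (3GPP TS 29.244); values are the real ones.
ASSOC_SETUP_REQ, ASSOC_SETUP_RESP = 5, 6
SESS_EST_REQ, SESS_EST_RESP = 50, 51
SESS_MOD_REQ, SESS_DEL_REQ, SESS_DEL_RESP = 52, 54, 55
IE_FSEID, IE_NODE_ID = 57, 60

@dataclass
class Pfcp:
    msg_type: int
    seq: int                  # 3-octet sequence number ties a response to its request
    hdr_seid: Optional[int]   # header SEID, present only when the S flag is set
    node_id: Optional[str]    # Node ID IE (IPv4 form only in this example)
    fseid: Optional[int]      # SEID carried inside the F-SEID IE

def parse_pfcp(payload: bytes) -> Pfcp:
    """Decode the PFCP v1 header and walk the top-level IEs for Node ID and F-SEID."""
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    if flags >> 5 != 1:
        raise ValueError("not a PFCP v1 message")
    off, hdr_seid = 4, None
    if flags & 0x01:                                  # S flag -> 8-octet SEID follows
        hdr_seid, off = struct.unpack("!Q", payload[4:12])[0], 12
    seq = int.from_bytes(payload[off:off + 3], "big")
    off += 4                                          # sequence number + one spare octet
    node_id = fseid = None
    end = 4 + length                                  # length field excludes the first 4 octets
    while off + 4 <= end:                             # simple TLV walk (no vendor IEs)
        ie_type, ie_len = struct.unpack("!HH", payload[off:off + 4])
        val = payload[off + 4:off + 4 + ie_len]
        if ie_type == IE_NODE_ID and len(val) == 5 and val[0] & 0x0F == 0:
            node_id = ".".join(str(b) for b in val[1:])
        elif ie_type == IE_FSEID and len(val) >= 9:
            fseid = struct.unpack("!Q", val[1:9])[0]
        off += 4 + ie_len
    return Pfcp(msg_type, seq, hdr_seid, node_id, fseid)

class PfcpInspector:
    """Stateful PFCP policy: association state, session tuple table, request/response seq matching."""
    def __init__(self):
        self.assoc = {}     # (cp_ip, up_ip) -> "ACTIVE"
        self.sessions = {}  # (cp_ip, cp_seid, up_ip, up_seid, proto) -> {"state", "node_id"}
        self.pending = {}   # (src_ip, dst_ip, seq) -> request awaiting its response

    def inspect(self, src: str, dst: str, proto: str, payload: bytes) -> str:
        m = parse_pfcp(payload)
        if m.msg_type in (ASSOC_SETUP_REQ, SESS_EST_REQ, SESS_MOD_REQ, SESS_DEL_REQ):
            # CP -> UP: session-level messages only over an ACTIVE association ...
            if m.msg_type != ASSOC_SETUP_REQ and self.assoc.get((src, dst)) != "ACTIVE":
                return "drop: no ACTIVE PFCP association for this CP->UP session message"
            # ... and modify/delete only for an ACTIVE session matching the header SEID.
            if m.msg_type in (SESS_MOD_REQ, SESS_DEL_REQ) and not self._active(src, dst, proto, m.hdr_seid):
                return "drop: no ACTIVE session matches the header SEID"
            self.pending[(src, dst, m.seq)] = m
            return "allow"
        # UP -> CP: a response must answer a pending request with the same sequence number.
        req = self.pending.get((dst, src, m.seq))
        if req is None or req.msg_type + 1 != m.msg_type:
            return "drop: sequence number check failed (no matching pending request)"
        del self.pending[(dst, src, m.seq)]
        if m.msg_type == ASSOC_SETUP_RESP:
            self.assoc[(dst, src)] = "ACTIVE"
        elif m.msg_type == SESS_EST_RESP and req.fseid is not None and m.fseid is not None:
            key = (dst, req.fseid, src, m.fseid, proto)          # the claim's session tuple
            self.sessions[key] = {"state": "ACTIVE", "node_id": req.node_id}
        elif m.msg_type == SESS_DEL_RESP:
            self.sessions = {k: v for k, v in self.sessions.items()
                             if not (k[0] == dst and k[2] == src and k[3] == req.hdr_seid)}
        return "allow"

    def _active(self, cp, up, proto, up_seid) -> bool:
        return any(k[0] == cp and k[2] == up and k[3] == up_seid and k[4] == proto
                   and v["state"] == "ACTIVE" for k, v in self.sessions.items())

# Builders for constructed test messages (not captures).
def build_pfcp(msg_type: int, seq: int, seid: Optional[int] = None, ies: bytes = b"") -> bytes:
    rest = (struct.pack("!Q", seid) if seid is not None else b"") + seq.to_bytes(3, "big") + b"\x00"
    return struct.pack("!BBH", 0x21 if seid is not None else 0x20, msg_type, len(rest) + len(ies)) + rest + ies

def node_id_ie(ipv4: str) -> bytes:
    return struct.pack("!HHB", IE_NODE_ID, 5, 0) + bytes(map(int, ipv4.split(".")))

def fseid_ie(seid: int, ipv4: str) -> bytes:                      # flags 0x02 = IPv4 present
    return struct.pack("!HHBQ", IE_FSEID, 13, 0x02, seid) + bytes(map(int, ipv4.split(".")))

def demo() -> list:
    """Constructed CP/UP exchange (addresses and SEIDs are made up); returns the verdicts."""
    insp, cp, up, v = PfcpInspector(), "10.0.0.1", "10.0.0.2", []
    v.append(insp.inspect(cp, up, "udp", build_pfcp(SESS_EST_REQ, 1, 0, fseid_ie(0x1111, cp))))   # no association yet
    v.append(insp.inspect(cp, up, "udp", build_pfcp(ASSOC_SETUP_REQ, 2, None, node_id_ie(cp))))
    v.append(insp.inspect(up, cp, "udp", build_pfcp(ASSOC_SETUP_RESP, 99, None, node_id_ie(up))))  # wrong seq
    v.append(insp.inspect(up, cp, "udp", build_pfcp(ASSOC_SETUP_RESP, 2, None, node_id_ie(up))))
    v.append(insp.inspect(cp, up, "udp", build_pfcp(SESS_EST_REQ, 3, 0, node_id_ie(cp) + fseid_ie(0x1111, cp))))
    v.append(insp.inspect(up, cp, "udp", build_pfcp(SESS_EST_RESP, 3, 0x1111, fseid_ie(0x2222, up))))
    v.append(insp.inspect(cp, up, "udp", build_pfcp(SESS_MOD_REQ, 4, 0xDEAD)))                     # unknown SEID
    v.append(insp.inspect(cp, up, "udp", build_pfcp(SESS_MOD_REQ, 5, 0x2222)))                     # ACTIVE session
    return v

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In `demo()` the first establishment attempt is dropped because no association exists, the association response carrying the wrong sequence number is dropped by the sequence number check, and after the session reaches ACTIVE a modification for an unknown SEID is dropped while one for the tracked SEID is allowed. A production implementation would also need to handle IPv6 Node ID and F-SEID forms, vendor-specific IEs, retransmissions, and association/session timeouts, none of which this example covers.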