US-20260129455-A1 - MULTI-SERVICE SECURITY SLICE MANAGEMENT FOR CELLULAR NETWORKS
Abstract
Technologies for security service management of a cellular network are described. The cellular network includes a multi-service security slice including a set of security services. One method includes identifying a first user identifier associated with a first communication received from first user equipment associated with a first user. The method further includes determining, based on the first user identifier, a first subset of security services of the multi-service security slice authorized for use by the first user. The method further includes causing generation of a first user security policy to enable the first communication to access each security service of the first subset of security services of the multi-service security slice.
Inventors
- Matthew Kniess
- Dale Drew
Assignees
- DISH WIRELESS L.L.C.
Dates
- Publication Date
- 20260507
- Application Date
- 20241105
Claims (20)
- 1. A method comprising: identifying, by a processing device of a cellular network comprising a multi-service security slice comprising a set of security services, a first user identifier associated with a first communication received from first user equipment associated with a first user; determining, based on the first user identifier, a first subset of security services of the multi-service security slice authorized for use by the first user; and causing generation of a first user security policy to enable the first communication to access each security service of the first subset of security services of the multi-service security slice.
- 2. The method of claim 1, further comprising providing information identifying the first subset of security services authorized for use by the first user to a firewall of the multi-service security slice, wherein the firewall generates the first user security policy based on the information.
- 3. The method of claim 1, wherein the first user identifier comprises a data network name identifier associated with the first user equipment.
- 4. The method of claim 1, further comprising: identifying a second user identifier associated with a second communication received from second user equipment associated with a second user; determining, based on the second user identifier, a second subset of security services of the multi-service security slice authorized for use by the second user; and causing generation of a second user security policy to enable the second communication to access each security service of the second subset of security services of the multi-service security slice.
- 5. The method of claim 4, wherein the first subset of security services and the second subset of security services comprise a first security service.
- 6. The method of claim 5, wherein the first communication and the second communication access the first security service concurrently.
- 7. The method of claim 1, further comprising adding an additional security service to the set of security services of the multi-service security slice.
- 8. One or more non-transitory, computer-readable storage media having computer-readable instructions thereon which, when executed by one or more processing devices of a cellular network comprising a multi-service security slice comprising a set of security services, cause the one or more processing devices to perform operations comprising: identifying a first user identifier associated with a first communication received from first user equipment associated with a first user; determining, based on the first user identifier, a first subset of security services of the multi-service security slice authorized for use by the first user; and causing generation of a first user security policy to enable the first communication to access each security service of the first subset of security services of the multi-service security slice.
- 9. The one or more non-transitory, computer-readable storage media of claim 8, the operations further comprising providing information identifying the first subset of security services authorized for use by the first user to a firewall of the multi-service security slice, wherein the firewall generates the first user security policy based on the information.
- 10. The one or more non-transitory, computer-readable storage media of claim 8, wherein the first user identifier comprises a data network name identifier associated with the first user equipment.
- 11. The one or more non-transitory, computer-readable storage media of claim 8, the operations further comprising: identifying a second user identifier associated with a second communication received from second user equipment associated with a second user; determining, based on the second user identifier, a second subset of security services of the multi-service security slice authorized for use by the second user; and causing generation of a second user security policy to enable the second communication to access each security service of the second subset of security services of the multi-service security slice.
- 12. The one or more non-transitory, computer-readable storage media of claim 11, wherein the first subset of security services and the second subset of security services comprise a first security service.
- 13. The one or more non-transitory, computer-readable storage media of claim 12, wherein the first communication and the second communication access the first security service concurrently.
- 14. The one or more non-transitory, computer-readable storage media of claim 8, the operations further comprising adding an additional security service to the set of security services of the multi-service security slice.
- 15. A system comprising memory and a processing device coupled to the memory, wherein the processing device is configured to perform operations comprising: identifying a first user identifier associated with a first communication received from first user equipment associated with a first user; determining, based on the first user identifier, a first subset of security services of a multi-service security slice authorized for use by the first user; and causing generation of a first user security policy to enable the first communication to access each security service of the first subset of security services of the multi-service security slice.
- 16. The system of claim 15, the operations further comprising providing information identifying the first subset of security services authorized for use by the first user to a firewall of the multi-service security slice, wherein the firewall generates the first user security policy based on the information.
- 17. The system of claim 15, wherein the first user identifier comprises a data network name identifier associated with the first user equipment.
- 18. The system of claim 15, the operations further comprising: identifying a second user identifier associated with a second communication received from second user equipment associated with a second user; determining, based on the second user identifier, a second subset of security services of the multi-service security slice authorized for use by the second user; and causing generation of a second user security policy to enable the second communication to access each security service of the second subset of security services of the multi-service security slice.
- 19. The system of claim 18, wherein the first subset of security services and the second subset of security services comprise a first security service; and wherein the first communication and the second communication access the first security service concurrently.
- 20. The system of claim 15, the operations further comprising adding an additional security service to the multi-service security slice.
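As an added illustration of the claimed method (example code written for this page, not the patent's or DISH Wireless's implementation), the following Python sketches a security slice manager: it takes the data network name (DNN) carried with a communication as the user identifier (claim 3), intersects that user's entitlements with the services the shared slice actually offers, generates a per-user allow-list policy with an explicit default deny for the slice firewall (claim 2), lets two users reach the same service concurrently (claims 5 and 6), and adds a service to the slice (claim 7). The service names, DNNs, addresses and the `SecuritySliceManager` and `UserSecurityPolicy` classes are constructed for this example and are assumptions, not details from the patent.

```python
from dataclasses import dataclass

# Catalogue of services the shared multi-service slice offers (constructed sample names).
SLICE_SERVICES = {"dns-filtering", "intrusion-prevention", "secure-web-gateway"}

# Per-user entitlements keyed by data network name (DNN); constructed sample data.
# enterprise-b is entitled to a service the slice does not offer yet.
ENTITLEMENTS = {
    "enterprise-a.sec": {"dns-filtering", "intrusion-prevention"},
    "enterprise-b.sec": {"intrusion-prevention", "secure-web-gateway", "ddos-scrubbing"},
}


@dataclass(frozen=True)
class Communication:
    """A communication received from user equipment, as the slice firewall sees it."""
    dnn: str              # user identifier carried with the communication
    src_ip: str
    target_service: str   # security service the communication tries to reach


@dataclass(frozen=True)
class UserSecurityPolicy:
    """Allow-list for one user; any service outside it is denied."""
    dnn: str
    allowed_services: frozenset

    def permits(self, service: str) -> bool:
        return service in self.allowed_services

    def firewall_rules(self) -> list:
        """Render the policy as ordered rules ending in an explicit default deny."""
        rules = [f"allow dnn={self.dnn} service={s}"
                 for s in sorted(self.allowed_services)]
        rules.append(f"deny dnn={self.dnn} service=*")
        return rules


class SecuritySliceManager:
    """Hypothetical manager for one multi-service slice (not the patent's code)."""

    def __init__(self, slice_services, entitlements):
        self._services = set(slice_services)
        self._entitlements = {dnn: set(svcs) for dnn, svcs in entitlements.items()}
        self._policies = {}   # dnn -> generated UserSecurityPolicy

    def add_service(self, name: str) -> None:
        """Extend the slice's catalogue. Cached policies are dropped so an existing
        entitlement to the new service takes effect on the next communication."""
        self._services.add(name)
        self._policies.clear()

    def authorized_subset(self, dnn: str) -> frozenset:
        """Services this user may use: entitlements intersected with what the slice
        actually offers. An unknown DNN yields the empty set, so everything is denied."""
        return frozenset(self._entitlements.get(dnn, set()) & self._services)

    def policy_for(self, dnn: str) -> UserSecurityPolicy:
        """Generate (once) and return the user's policy for the firewall."""
        if dnn not in self._policies:
            self._policies[dnn] = UserSecurityPolicy(dnn, self.authorized_subset(dnn))
        return self._policies[dnn]

    def handle(self, comm: Communication) -> str:
        """Return the firewall verdict for one communication."""
        policy = self.policy_for(comm.dnn)
        return "allow" if policy.permits(comm.target_service) else "deny"


if __name__ == "__main__":
    mgr = SecuritySliceManager(SLICE_SERVICES, ENTITLEMENTS)
    a = Communication("enterprise-a.sec", "10.0.1.7", "intrusion-prevention")
    b = Communication("enterprise-b.sec", "10.0.2.9", "intrusion-prevention")
    # Two users share one service instance; each is still confined to its own subset.
    print(mgr.handle(a), mgr.handle(b))
    print(mgr.handle(Communication("enterprise-a.sec", "10.0.1.7", "secure-web-gateway")))
    for rule in mgr.policy_for("enterprise-b.sec").firewall_rules():
        print(rule)
```

The intersection in `authorized_subset` is the check a practitioner would want: a subscription record that names a service the slice does not (yet) host never produces an allow rule, and an identifier the manager has never seen gets a policy that denies everything rather than no policy at all.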
Description
BACKGROUND
Telecommunication networks, such as cellular networks, have various resources that produce data and metadata concerning operations of the cellular network. A customer, such as an enterprise customer, of a cellular network does not have access to the data and metadata generated by the network resources of the cellular network. Status reports, including error codes, may be generated which are indicative of deficiencies in operations of the network. One type of cellular network is a fifth generation (5G) wireless network. In a 5G wireless network, a 5G Standalone Core Network (5G SA core) is responsible for managing and routing data traffic, providing various network resources and services, and supporting the core functionalities of a 5G network. The term “SA” stands for “Stand-Alone,” indicating that this core network operates independently of any existing 4G (LTE) infrastructure. 5G wireless networks have the promise to provide higher throughput, lower latency, and higher availability compared with previous global wireless standards. The cellular network may include a number of network slices, where each network slice is an independent end-to-end logical communications network that includes a set of logically separated virtual network functions. Network slicing may allow different logical networks or network slices to be implemented using the same compute and storage infrastructure. Therefore, network slicing may allow heterogeneous services to coexist within the same network architecture via allocation of network computing, storage, and communication resources among active services. A network slice may be configured to provide user equipment with access to one or more security-related services or applications. A user associated with user equipment subscribes to one or more security services to enable those services to be provisioned to the user.
To provide access to the subscribed security services, a network slice is provided in the cellular network which includes a selected set of security services that are pre-configured and customized on a per-user basis. In such cellular networks, each user-specific network slice is built to include only the one or more security services which the user has purchased. To provide the appropriate security services to each individual user, the cellular network must maintain multiple user-specific security slices, with each security slice customized specifically for a particular user. Accordingly, building and managing multiple customized security slices results in a large expenditure of overhead and inefficient provisioning of security services.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
The present disclosure is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings.
- FIG. 1 is a block diagram of a cellular network system including a security slice manager to manage a multi-service security slice, according to some embodiments.
- FIG. 2 is a block diagram depicting operations of a cellular network including a security slice manager, according to some embodiments.
- FIG. 3 is a block diagram depicting an example including processing of a communication by a security slice manager managing a multi-service security slice of a cellular network, according to some embodiments.
- FIG. 4 is a flow diagram of a method for managing a multi-service security slice, according to various embodiments.
- FIG. 5 is a block diagram illustrating an exemplary computer device, in accordance with implementations of the present disclosure.
DETAILED DESCRIPTION
Technologies for managing a multi-service security slice to provide security services to users of a telecommunications network, such as a cellular network (e.g., 5G wireless network, 6G wireless network), are described.
The following description sets forth numerous specific details, such as examples of specific systems, components, methods, and so forth, in order to provide a good understanding of several embodiments of the present disclosure. It will be apparent to one skilled in the art, however, that at least some embodiments of the present disclosure may be practiced without these specific details. In other instances, well-known components or methods are not described in detail or presented in simple block diagram format to avoid obscuring the present disclosure unnecessarily. Thus, the specific details set forth are merely exemplary. Particular implementations may vary from these exemplary details and still be contemplated to be within the scope of the present disclosure. Various user equipment (UE) associated with multiple different users communicate via a cellular network (i.e., user-initiated network traffic) to access one or more applications or systems. However, as described above, a customized network slice is built and managed for each user, where the user-specific network slice including one or more security services or applications which a particular