# Creating A Secure 5G Service Based Architecture: Part 1 - Vulnerability Management

By [Mitch Rappard](https://www.paloaltonetworks.com/blog/author/mitch-rappard/?ts=markdown "Posts by Mitch Rappard"), Jun 07, 2022 (7 minutes)

The move to 5G for wireless networks has brought about a fundamental shift in how we view and manage the core of the network where all the network functions (NFs) reside. Moving from bare metal and virtual machines (VMs) to micro services is a huge paradigm shift, requiring a new architecture. For 5G networks this new architecture where NFs communicate with each other is called the "Service Based Architecture" (SBA). This service-based paradigm means new risks and requires new approaches to cyber security.

To enable effective [5G](https://www.paloaltonetworks.com/cyberpedia/what-is-5g-security) security in a new SBA world, operators and enterprises will need to leverage cloud native tools that were made to work with [cloud native](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-native-security) applications. Deployment models will vary, so the ability to secure infrastructure, applications, data, and entitlements in massive deployments over thousands of nodes in public, private and hybrid environments will be critical. Key capabilities for effective 5G security include:

1. [Vulnerability management](https://www.paloaltonetworks.com/blog/prisma-cloud/open-source-vulnerability-management/) for comprehensive coverage and monitoring, identifying, and preventing risks to all the hosts, images, and functions in your environment.
2. Layer 7 visibility and security for [web applications and APIs](https://www.paloaltonetworks.com/cyberpedia/what-is-web-application-and-api-protection) on any cloud native architecture.
3. Powerful runtime defenses that apply automated protection against unwanted activity and threats.
4. Compliance enforcement with pre-built compliance checks for centrally viewing and enforcing your own or industry compliance standards.
5. [Shift left security](https://www.paloaltonetworks.com/cyberpedia/shift-left-security) with [CI/CD](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security), repository, registry, and Open Policy Agent integrations to secure workloads across the [software development lifecycle (SDLC)](https://www.paloaltonetworks.com/cyberpedia/sdlc-software-development-lifecycle).

Without these key features, significant gaps in visibility and security of your 5G network will exist. While it may seem overwhelming, I'm here to let you know that it doesn't have to be. In this blog and others, we'll start to look at practical ways we can begin to secure our 5G core, leveraging some of the features above. Specifically, we will look at how we can address the risks below using the corresponding remedies listed.

| **Risk** | **Remedy** |
|---|---|
| 5G NF images (e.g., AMF, SMF, etc.) with libraries containing vulnerabilities | Vulnerability management of container images to catch images with high-risk libraries before they are deployed in production |
| API abuse of 5G service-based interfaces (SBIs) | Web application and API security to ensure valid API calls and prevent DoS attacks |
| Anomalous activity of containers, including potential "low and slow" reconnaissance after a breach | Autonomous learning every time a new image is detected in an environment. Detection and/or prevention of activity outside the learned model of a running container. |

Let's take a few of these many features and apply them now to a 5G Service Based Architecture (SBA). The remainder of this blog post will focus on [vulnerability management](https://www.paloaltonetworks.com/cyberpedia/what-Is-vulnerability-management) and how we can use it to detect vulnerabilities in container images. Subsequent blogs will look at API security and runtime defense.

### Vulnerability Insights

Understanding the risks and potential vulnerabilities within a [container](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container) or host image is paramount to 5G security. The last thing any operator or enterprise wants to do is deploy a 5G microservice that has a critical CVE associated with it. With Prisma Cloud, you can quickly gain insight into what risks images, running and not yet running, pose to your network.

If you were to deploy Prisma Cloud after you had a 5G network already up and running, one of the first things you would want to do is see the Radar view of your environment. Radar is showing you what is up and running in your network through a simple and intuitive interface. With the Radar view, we are able to see all the images, their network communication, running container counts and relevant namespaces in one screen.
Below is what we see for an open source 5G core I have running based on the [Open Air Interface](https://openairinterface.org/oai-5g-core-network-project/) project.

![Prisma Cloud helps you manage risk across images, hosts, containers and serverless functions in a single dashboard](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-application-teams-desc.png)

Using this view, we can quickly ascertain which running images have risks associated with them, which [microservices](https://www.paloaltonetworks.com/cyberpedia/what-are-microservices) have web interfaces and whether those web interfaces are unprotected. See below for a cheat sheet of the icons shown.

![The legend of icons shown in Prisma Cloud radar view as shown above](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-application-description.png)

If we want to know more about any of the risks associated with any 5G NF, we can click on the image icon. This gives us additional information about that image, including vulnerabilities and compliance alert summaries. For example, if we click on the network repository function (NRF) image, below is what we see.

![A view of the risks associated with a particular network repository function (NRF) as displayed by Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-website-description-aut.png)

The vulnerabilities are ordered from the most critical risk to low risk, helping you prioritize risk. The green icons show no current runtime or WAAS issues.
Under the risk summary we can see that Prisma Cloud has detected an unprotected web application (e.g., the SBI interface) and is encouraging us to enable WAAS rules for this container, which we will discuss in a later blog.

To get more information about this high-risk vulnerability, we can simply click on the "High Risk" text to get more details on what these risks are. The next screen has quite a bit of information about the risk. We can see what the CVE is, which library version the risk exists in, and when it is fixed. At the time of writing this, we can see that this openssl vulnerability is very new (only 2 days old). Furthermore, Prisma Cloud provides details describing the nature of the vulnerability and what the specific risks are.

![Prisma Cloud provides details describing the nature of the vulnerability and what the specific risks are](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-text-application-email.png)

The other high severity vulnerability, for cyrus-sasl2, is a bit older and does have a fix, which Prisma Cloud gives you details about. This is significant since the operator or enterprise can now go back to the developer of the NF and point out specifically what the issue is, and which version they'd like the developer to use instead.

![Details for the vulnerability cyrus-sasl2 and how it is fixed](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-text-application-email-1.png)

Remember, Radar is showing us issues for already deployed containers. What if we wanted to detect these earlier, before the container was deployed? Suppose we had a new version of the NRF from a vendor and wanted to understand the risk associated with deploying it. Fortunately, this is possible as well.
To do so we would simply need to point Prisma Cloud to our registry (in my case it is in Amazon's Elastic Container Registry) and then view its findings. If I filter on the NRF container image, which is what I was viewing in Radar, below is what I see. From here, just as in Radar, I can click on the line item to get additional information.

![A filter on the NRF container image, displaying the risks associated with it](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-text-application-descr.png)

Getting this information before an image is deployed is critical in keeping the 5G core free from insecure containers, or, at the very least, understanding what risks they pose before they are deployed. With an ever-changing environment where containers are frequently spun up and spun down, this sort of visibility is crucial to running a secure 5G core. With this information, operators and enterprises can understand the risk associated with each 5G NF running in their network and take appropriate actions to mitigate or eliminate that risk.

In upcoming blogs on securing the 5G SBA, we'll look at API security and runtime defense.
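The pre-deployment check described above can be turned into a promotion gate over registry scan findings. The following is an added example, not code from the original post or from Prisma Cloud: the `Finding` fields, the `gate` policy, and all CVE ids and versions are assumptions constructed for illustration, and only the package names openssl and cyrus-sasl2 come from the post.

```python
from dataclasses import dataclass
from typing import Optional

# Higher rank means higher risk, matching the most-critical-first ordering.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One scanner finding for an NF image (hypothetical field names)."""
    cve: str
    package: str
    installed: str
    severity: str
    fixed_in: Optional[str]  # None when no fixed version has been published


def rank(finding: Finding) -> int:
    # Fail closed: an unrecognised severity label is treated as critical.
    return SEVERITY_RANK.get(finding.severity.lower(), SEVERITY_RANK["critical"])


def gate(findings: list[Finding], block_at: str = "high") -> dict:
    """Decide whether an NF image may be promoted from the registry.

    block  - a finding at or above the threshold has a fixed version, so the
             NF vendor can be asked for a rebuilt image.
    review - findings at or above the threshold exist but none has a fix yet;
             someone must accept the risk or add a compensating control.
    allow  - nothing at or above the threshold.
    """
    threshold = SEVERITY_RANK[block_at]
    relevant = sorted(
        (f for f in findings if rank(f) >= threshold),
        key=lambda f: (-rank(f), f.package, f.cve),
    )
    fixable = [f for f in relevant if f.fixed_in]
    unfixed = [f for f in relevant if not f.fixed_in]
    if fixable:
        decision = "block"
    elif unfixed:
        decision = "review"
    else:
        decision = "allow"
    return {
        "decision": decision,
        # Concrete ask to send back to the NF developer.
        "vendor_requests": [
            f"{f.package}: upgrade {f.installed} -> {f.fixed_in} ({f.cve}, {f.severity})"
            for f in fixable
        ],
        "needs_risk_acceptance": [f.cve for f in unfixed],
    }


# Constructed sample findings for an NRF image. CVE ids and versions are
# placeholders, not real advisory data; "example-lib" is hypothetical.
NRF_FINDINGS = [
    Finding("CVE-PLACEHOLDER-0001", "openssl", "1.0.0-constructed", "high", None),
    Finding("CVE-PLACEHOLDER-0002", "cyrus-sasl2", "2.0.0-constructed", "high",
            "2.0.1-constructed"),
    Finding("CVE-PLACEHOLDER-0003", "example-lib", "3.0.0-constructed", "low",
            "3.0.1-constructed"),
]

if __name__ == "__main__":
    result = gate(NRF_FINDINGS)
    print(result["decision"])
    for line in result["vendor_requests"]:
        print(line)
```
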