Patents by Inventor Flemming Stig Andreasen
Flemming Stig Andreasen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250141927
Abstract: In one implementation, a method is disclosed comprising: determining, by a process, a network topology of a particular computer network and capabilities of particular devices within the network topology; determining, by the process, a logical framework of the particular computer network; mapping, by the process, access control and segmentation features of the particular devices to the logical framework based on the capabilities of the particular devices; and causing, by the process, mapped access control and segmentation features to be implemented to enforce the logical framework within the network topology.
Type: Application
Filed: October 31, 2023
Publication date: May 1, 2025
Inventors: Elango GANESAN, Swapna ANANDAN, Akshay KHUSHU, Flemming Stig ANDREASEN
-
Patent number: 12192096
Abstract: Provided herein are techniques to facilitate multi-level performance tracing for a mobile network environment. In one instance, a method may include obtaining, by a mobile network, a trigger from an enterprise to initiate an underlay-level trace for a wireless device of the enterprise, wherein the trigger includes a correlation identifier that correlates the underlay-level trace with an enterprise-level trace for the wireless device and providing the underlay-level trace for a session of the wireless device by including a first trace flag for IP packets for the session and including a second trace flag for encapsulations of the IP packets for the session in which the first and second trace flag are unique to the session of the wireless device and enable elements of the mobile network to provide underlay trace information for the underlay-level trace for the session of the wireless device to a trace.
Type: Grant
Filed: May 24, 2023
Date of Patent: January 7, 2025
Assignee: CISCO TECHNOLOGY, INC.
Inventors: David John Zacks, Flemming Stig Andreasen, Robert Edgar Barton, Timothy Peter Stammers
-
Publication number: 20240396829
Abstract: Provided herein are techniques to facilitate multi-level performance tracing for a mobile network environment. In one instance, a method may include obtaining, by a mobile network, a trigger from an enterprise to initiate an underlay-level trace for a wireless device of the enterprise, wherein the trigger includes a correlation identifier that correlates the underlay-level trace with an enterprise-level trace for the wireless device and providing the underlay-level trace for a session of the wireless device by including a first trace flag for IP packets for the session and including a second trace flag for encapsulations of the IP packets for the session in which the first and second trace flag are unique to the session of the wireless device and enable elements of the mobile network to provide underlay trace information for the underlay-level trace for the session of the wireless device to a trace.
Type: Application
Filed: May 24, 2023
Publication date: November 28, 2024
Inventors: David John Zacks, Flemming Stig Andreasen, Robert Edgar Barton, Timothy Peter Stammers
-
Publication number: 20240388914
Abstract: A method to counter vulnerabilities associated with user equipment in operating via a 5G core architecture. The method includes monitoring a session between a user equipment and an endpoint, obtaining a vulnerability score for a vulnerability affecting the user equipment, selecting, based on the vulnerability score, a selected user plane function and a security service, accessible via the selected user plane function, to counter the vulnerability affecting the user equipment, and causing a packet flow of the session to be steered to the security service via the selected user plane function.
Type: Application
Filed: May 19, 2023
Publication date: November 21, 2024
Inventors: Robert Edgar Barton, Flemming Stig Andreasen
-
Publication number: 20240353817
Abstract: In one embodiment, a device associates available 5G functions stored by a network repository function with contextual information, wherein the contextual information maps each of the available 5G functions with a layer of a hierarchical security model for an industrial network. The device receives a request from a user equipment endpoint to communicate via the industrial network. The device selects a particular user plane function from among the available 5G functions for use by the user equipment endpoint based in part on the layer of the hierarchical security model associated with the particular user plane function. The device causes the user equipment endpoint to communicate via the industrial network using the particular user plane function.
Type: Application
Filed: April 24, 2023
Publication date: October 24, 2024
Inventors: Flemming Stig ANDREASEN, Timothy P. STAMMERS, Robert E. BARTON
-
Publication number: 20240284317
Abstract: Provided herein are techniques to facilitate slice assignment for a wireless device based on Manufacturer Usage Description (MUD) parameters associated with the wireless device. In one instance, a method may include obtaining, by a provisioning server of a mobile network, a usage description object for a wireless device that has a session via an onboarding network slice of the mobile network in which the usage description object comprises usage parameters associated with the wireless device. The method may further include identifying, based on the usage parameters associated with the wireless device, a particular network slice that is to host the session for the wireless device and causing the session of the wireless device to be moved from the onboarding network slice to the particular network slice.
Type: Application
Filed: February 22, 2023
Publication date: August 22, 2024
Inventors: Robert Edgar Barton, Flemming Stig Andreasen
-
Publication number: 20240267296
Abstract: In one embodiment, a device in a local network obtains discovery data for a node in the local network. The device provides the discovery data to a device management service. The device receives, based on the discovery data, a brokerage configuration for the node from the device management service. The device configures the node with the brokerage configuration to publish data generated by the node to one or more data brokerage services.
Type: Application
Filed: February 6, 2023
Publication date: August 8, 2024
Inventors: Robert E. Barton, Flemming Stig ANDREASEN, Jerome HENRY, Daniel ECKSTEIN
-
Publication number: 20240236045
Abstract: In one embodiment, a device receives discovery data generated by a plurality of networking devices in a network. The device determines, based on the discovery data, a hierarchy of layers of the network. The device receives a request by a client that is external to the network to access remotely a particular endpoint in the network. The device configures, and in response to the request, a proxy chain of remote access agents executed by a subset of networking devices from the plurality of networking devices to allow the client to access remotely the particular endpoint, each of those networking devices proxying traffic between different layers of the network.
Type: Application
Filed: October 21, 2022
Publication date: July 11, 2024
Inventors: Robert E. Barton, Flemming Stig ANDREASEN, Jerome HENRY, Elango GANESAN
-
Publication number: 20240214386
Abstract: In one embodiment, a device determines a hierarchy of layers of a network comprising a plurality of networking devices. The device configures, in response to a request by a client to access remotely a particular endpoint in the network, a proxy chain of remote access agents executed by a plurality of networking devices in the network to allow the client to access remotely the particular endpoint. Each of those networking devices proxies traffic between different layers of the hierarchy. The device determines an access policy for the particular endpoint indicative of which commands may be sent to the particular endpoint by the client, based in part on where the particular endpoint is in the hierarchy. The device controls, based on the access policy, whether a command sent by the client is transmitted via the proxy chain to the particular endpoint.
Type: Application
Filed: December 22, 2022
Publication date: June 27, 2024
Inventors: Robert E. Barton, Flemming Stig Andreasen, Jerome Henry, Elango Ganesan
-
Publication number: 20240155474
Abstract: In one illustrative example, a controller for use in a private mobile network may determine network service requirements for an industrial device. The controller may select, from a set of network slices, a subset of network slices having network service requirement configurations that most closely support the network service requirements. Each network slice of the set may be associated with an affinity ranking value that is indicative of a service performance of the network slice for industrial device operation in a cell or a zone associated with a zone or security level value assigned to the industrial device. The controller may identify, from the subset of network slices, a selected network slice associated with a best affinity ranking value for the zone or security level value assigned to the industrial device. The controller may assign the selected network slice and associated service parameters for the communications of the industrial device.
Type: Application
Filed: November 9, 2022
Publication date: May 9, 2024
Inventors: Flemming Stig Andreasen, Robert Edgar Barton, Timothy Peter Stammers
-
Publication number: 20240147226
Abstract: In one illustrative example, a controller may operate to send a request message towards a user equipment (UE) which operates to communicate traffic in a session in a mobile network. In response, the controller may receive, from a user plane function which anchors the session of the UE, a response message which includes an identifier of the user plane function. The controller may verify whether a zone or security level value that is assigned to the user plane function matches a zone or security level value that is assigned to the UE. If the controller identifies a discrepancy between the zone or security level values, the controller may provide a notification indication to indicate the discrepancy. The UE may be an industrial Internet of Things (IIoT) device and the zone or security level values may be based on International Electrotechnical Commission (IEC) 62443.
Type: Application
Filed: November 2, 2022
Publication date: May 2, 2024
Inventors: Flemming Stig Andreasen, Robert Edgar Barton
-
Publication number: 20240137344
Abstract: In one embodiment, a device receives discovery data generated by a plurality of networking devices in a network. The device determines, based on the discovery data, a hierarchy of layers of the network. The device receives a request by a client that is external to the network to access remotely a particular endpoint in the network. The device configures, and in response to the request, a proxy chain of remote access agents executed by a subset of networking devices from the plurality of networking devices to allow the client to access remotely the particular endpoint, each of those networking devices proxying traffic between different layers of the network.
Type: Application
Filed: October 20, 2022
Publication date: April 25, 2024
Inventors: Robert E. Barton, Flemming Stig ANDREASEN, Jerome HENRY, Elango GANESAN
-
Patent number: 11909739
Abstract: A method includes determining a corresponding level of a security model associated with each device of a plurality of devices connected to a network, each level of the security model having a corresponding tag; applying, to each of the plurality of devices, the corresponding tag based on the corresponding level of the security model with which each of the plurality of devices are associated; receiving, over a network connection, network traffic from at least one of the plurality of devices and the corresponding tag; analyzing the corresponding tag associated with the network traffic; determining a destination for the network traffic; applying one or more security measures to the network traffic based on the corresponding tag for the at least one device and a corresponding tag of the destination for the network traffic; and sending the network traffic to the destination with the corresponding tag of the destination.
Type: Grant
Filed: August 6, 2021
Date of Patent: February 20, 2024
Assignee: Cisco Technology, Inc.
Inventors: Jerome Henry, Robert Edgar Barton, Elango Ganesan, Flemming Stig Andreasen
-
Publication number: 20230412603
Abstract: In one embodiment, an illustrative method herein may comprise: detecting, by a device, a new asset in a network with a media access control address; monitoring, by the device, the new asset to learn one or more contextual attributes of the new asset in the network; generating, by the device, a profile of the new asset based on the media access control address and the one or more contextual attributes; and using, by the device, the profile to define access and control over the new asset in the network.
Type: Application
Filed: May 20, 2022
Publication date: December 21, 2023
Inventors: Swapna ANANDAN, Flemming Stig ANDREASEN, Robert E. BARTON
-
Publication number: 20230403609
Abstract: A system and method of performing multi-layer client assurance in a private cellular network includes a plurality of assurance points within the network. The method includes receiving, by a network entity, a plurality of parameter sets from the plurality of assurance points. Each of the plurality of assurance points can be configured to obtain measurements from a portion of the private cellular network corresponding to a client assurance layer in a client assurance stack. The method can include combining a first parameter set from the plurality of parameter sets with a second parameter set from the plurality of parameter sets. The first parameter set can be associated with a first client assurance layer and the second parameter set is associated with a second client assurance layer. The method can include determining, based on the combined parameter set, a network service level corresponding to the client device.
Type: Application
Filed: June 10, 2022
Publication date: December 14, 2023
Inventors: Timothy P. Stammers, Dusko Zgonjanin, Flemming Stig Andreasen
-
Publication number: 20230379350
Abstract: In one embodiment, an illustrative method herein may comprise: determining, by a device, a profile of an asset in a network, the profile identifying a type of the asset and a particular activity of the asset; determining, by the device, a specific context of the asset within the network; assigning, by the device, a risk score for the profile based on one or more risk factors associated with the profile and a comparison of the profile to an expected behavior of the type of the asset within the specific context; and performing, by the device, one or more mitigation actions based on the risk score.
Type: Application
Filed: May 20, 2022
Publication date: November 23, 2023
Inventors: Robert E. Barton, Nancy Cam-Winget, Thomas Szigeti, Jerome Henry, Flemming Stig Andreasen
-
Publication number: 20230040607
Abstract: A method includes determining a corresponding level of a security model associated with each device of a plurality of devices connected to a network, each level of the security model having a corresponding tag; applying, to each of the plurality of devices, the corresponding tag based on the corresponding level of the security model with which each of the plurality of devices are associated; receiving, over a network connection, network traffic from at least one of the plurality of devices and the corresponding tag; analyzing the corresponding tag associated with the network traffic; determining a destination for the network traffic; applying one or more security measures to the network traffic based on the corresponding tag for the at least one device and a corresponding tag of the destination for the network traffic; and sending the network traffic to the destination with the corresponding tag of the destination.
Type: Application
Filed: August 6, 2021
Publication date: February 9, 2023
Inventors: Jerome Henry, Robert Edgar Barton, Elango Ganesan, Flemming Stig Andreasen
-
Patent number: 10305931
Abstract: In one embodiment, a primary server receives, from a client device, a first request to mitigate an external attack on the client device. The primary server sends, to a plurality of secondary servers, a second request to mitigate the external attack, wherein each one of the plurality of secondary servers has associated mitigation resources, and receives from at least one of the plurality of secondary servers an indication that it has mitigation resources capable of mitigating the external attack. The primary server sends, to the client device, a list including the secondary servers having mitigation resources capable of mitigating the attack, and receives, from the client device, an indication that a subset of the list is selected to mitigate the external attack. In response, the primary server sends a request for mitigation services to one of the secondary servers in the subset selected to mitigate the external attack.
Type: Grant
Filed: October 19, 2016
Date of Patent: May 28, 2019
Assignee: Cisco Technology, Inc.
Inventors: K Tirumaleswar Reddy, Daniel G. Wing, Flemming Stig Andreasen, Michael David Geller
-
Publication number: 20180109555
Abstract: In one embodiment, a primary server receives, from a client device, a first request to mitigate an external attack on the client device. The primary server sends, to a plurality of secondary servers, a second request to mitigate the external attack, wherein each one of the plurality of secondary servers has associated mitigation resources, and receives from at least one of the plurality of secondary servers an indication that it has mitigation resources capable of mitigating the external attack. The primary server sends, to the client device, a list including the secondary servers having mitigation resources capable of mitigating the attack, and receives, from the client device, an indication that a subset of the list is selected to mitigate the external attack. In response, the primary server sends a request for mitigation services to one of the secondary servers in the subset selected to mitigate the external attack.
Type: Application
Filed: October 19, 2016
Publication date: April 19, 2018
Inventors: K Tirumaleswar Reddy, Daniel G. Wing, Flemming Stig Andreasen, Michael David Geller
-
Patent number: 8214879
Abstract: A system for enforcing policy in a communication network includes a policy server which is operable to receive a request to invoke an application, receive a policy profile for a network user, and decide a proper allocation of network users based on the policy profile, the application, and available network resources. The policy server is further operable to communicate with a non-SIP application. The system also includes a network resource manager operably associated with the policy server and operable to monitor available network in the resources in the communication network. In addition, the network resource manager is functional to allocate network resource amongst a plurality of network users. The system also contains an application control point which is operably associated with the policy server and operable to communicate with a SIP application. The system is operable to use policy peering between the home and visited network to enable user-specific policies to be enforced while roaming.
Type: Grant
Filed: August 31, 2011
Date of Patent: July 3, 2012
Assignee: Cisco Technology, Inc.
Inventors: Flemming Stig Andreasen, Jonathan D. Rosenberg