The BroadForward Diameter Firewall (BroadForward DFW) is a complete and advanced software-based solution that protects 4G networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more. The BroadForward DFW supports the relevant FS.19 GSMA guidelines for Signaling Firewalls of the Diameter protocol and can be deployed with the BroadForward SS7 Firewall (SS7FW).
Latest Firewall requirements
Firewall technology has been undergoing a major shift from a limited fixed-rules (black box) function to an integrated security solution that can cover multiple access technologies and enables flexibility to adapt its firewall rules.
Many security solutions, however, do not work across 2G, 3G, 4G and 5G network technologies. They also often lack the features (and the flexibility) required to comply with the latest industry security recommendations. In the wake of a growing number of attacks, governments and regulators all over the world are requiring mobile operators to adopt more stringent security measures. Industry bodies (e.g. ENISA, GSMA) have published additional security recommendations – such as GSMA specifications FS.11 and FS.19 – designed to counter threats that exploit design weaknesses in the security of legacy networks. Of these recommendations, the ability to detect implausible location changes is the single most important factor in detecting mobile identity theft (MSISDN/IMSI), but also the most complex one to implement properly. New specifications are often open to interpretation at implementation time, so solutions must offer the flexibility to adapt security rules on the fly. The complexity and interdependencies of security measures also increase operators' need to test rule effectiveness non-intrusively on a live network.
BroadForward Diameter Firewall
The BroadForward Diameter Firewall (DFW) is in use with leading mobile operators around the world. The DFW provides operators with a default set of firewall rules that implement the GSMA FS.19 specification. None of the firewall rules in the system is 'hard-coded', so each can be adapted for, or by, the operator as required.
The DFW reduces the window of opportunity for criminals to exploit a breach of the operator's mobile network. It detects and blocks duplicated-SIM and SIM-swap fraud in real time by performing velocity tracking. This feature automatically determines, with a high degree of accuracy, whether a roaming location change is plausible given the speed that would be needed to bridge the distance in the elapsed time ('time-distance plausibility').
The easy-to-use Graphical User Interface provides full control of firewall rules and insight into signaling traffic. It gives extensive flexibility to configure, adapt, enable or disable firewall rules that can be deployed across all supported access technologies. The use of readily available templates means operators do not require vendor involvement, scripting or coding to manage or customize firewall rules.
Furthermore, the solution records the effect of each rule in Event Detail Record (EDR) reporting, enabling significant improvement in roaming management and subsequent rule enforcement (IR.21 / IR.88 / NG.113 for 5G). The BroadForward DFW can be deployed with other BroadForward functions such as the SS7 Firewall, STP, DEA and 5G SEPP.
Each mobile network has its own specific security requirements, and it is challenging for implementation teams to ensure that firewall security rules are truly effective and free of negative side effects. The BroadForward Firewall has a unique feature to verify that security rules are actually effective and correctly implemented: a "transparent mode" that allows engineers to test and fine-tune rules on the mobile network without impacting live traffic. A new firewall rule introduced in transparent mode is evaluated and logged but does not block any traffic; it is switched to blocking only once it has been fully tested in the live network and shown to catch the fraud it was created for.
GSMA FS.19 categories
The GSMA regularly releases updates to its guidelines for “Diameter Interconnect Security” also known as the FS.19 recommendations. In general, these recommendations define the following four categories:
- Category 0: Low-layer format filtering detects very simple spoofing attempts to relay messages into the network. It corresponds to low-level (base) Diameter screening that does not need to understand upper applications or decode specific AVPs; it is typically based on lower-level information such as IP, host and realm screening, as well as Diameter message format screening.
- Category 1: corresponds to Application ID and Command Code screening without the need to decode specific AVPs. Category 1 filtering focuses on interface misuse (important to prevent external access to internal interfaces), hijacking interfaces and consistencies inside the message.
- Category 2: corresponds to detailed AVP-level screening, e.g. using the IMSI or MSISDN carried in the User-Name AVP. Messages that target home (internal) subscribers should not arrive over international interconnect except where the command is legitimately sent by a roaming partner, and messages for inbound roamers must still be permitted. Filtering is typically performed on the User-Name AVP for this category, but it may extend to other AVPs. The User-Name AVP should appear only once in a message, otherwise a second copy can be used to bypass the filter.
- Category 3: Practice for Category 3 filtering is to deny all Diameter messages except those expressly required for a given interface. Only the interface(s) required to support the MNO usage scenarios should be activated on the DRA. Messages that indicate an unusually rapid change of location (measured by consecutive Location Updates from non-bordering countries within a short period) should be filtered.
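The four categories above, the velocity check and the transparent mode can be modelled as one layered screening pipeline. The following is an added example written for this page; it is not BroadForward's DFW code and does not reflect its rule engine. Decoded Diameter messages are stood in for by a small dataclass, and the allowed realm, home IMSI prefix, neighbouring-country list, country coordinates and the 1000 km/h speed limit are all constructed assumptions. The S6a Application-Id and command codes are the 3GPP values; the Category 2 direction rule (a foreign HSS never sends HSS-originated commands about a home subscriber, a visited MME only sends MME-originated commands about our own outbound roamers) is a simplified reading of the text above.

```python
"""Constructed, simplified model of GSMA FS.19 category screening plus a
velocity (time-distance plausibility) check and a transparent mode.
Added example for this page; not BroadForward's DFW code. All hosts, realms,
IMSI prefixes, coordinates, neighbour lists and speed limits are constructed."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

HOME_IMSI_PREFIXES = ("26299",)          # assumed home PLMN (constructed MCC/MNC)
ALLOWED_REALMS = {"epc.mnc099.mcc204.3gppnetwork.org"}   # constructed roaming partner
S6A = 16777251                           # 3GPP S6a/S6d Application-Id
MME_ORIGINATED = {316, 318, 321, 323}    # ULR, AIR, PUR, NOR
HSS_ORIGINATED = {317, 319, 320, 322}    # CLR, IDR, DSR, RSR
INTERCONNECT_CMDS = {S6A: MME_ORIGINATED | HSS_ORIGINATED}
NEIGHBOURS = {"NL": {"BE", "DE"}, "BE": {"NL", "FR", "DE", "LU"}}  # constructed, partial
COUNTRY_POS = {"NL": (52.1, 5.3), "BE": (50.5, 4.5), "JP": (36.2, 138.3)}  # rough centroids
MAX_KMH = 1000.0                         # assumed plausible travel speed
ULR, CLR = 316, 317


@dataclass
class DiameterMsg:
    """Minimal stand-in for a decoded Diameter request (constructed)."""
    origin_host: str
    origin_realm: str
    app_id: int
    cmd_code: int
    avps: list     # (name, value) pairs; duplicates kept so they can be counted
    country: str   # a real DFW would derive this from Visited-PLMN-Id
    ts: float      # receive time in seconds


def make_msg(cmd, imsi, country, ts, realm="epc.mnc099.mcc204.3gppnetwork.org",
             host=None, extra_avps=()):
    """Build a constructed S6a request from the roaming partner's MME."""
    host = host or "mme1." + realm
    return DiameterMsg(host, realm, S6A, cmd, [("User-Name", imsi), *extra_avps], country, ts)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class DiameterFirewall:
    def __init__(self, transparent=False):
        self.transparent = transparent   # evaluate and log every rule, but never drop
        self.last_seen = {}              # IMSI -> (country, ts) of last accepted ULR
        self.edrs = []                   # Event Detail Records, one per message

    def screen(self, m):
        """Return 'FORWARD' or 'DROP'; every message produces one EDR."""
        verdict = self._cat0(m) or self._cat1(m) or self._cat2(m) or self._cat3(m)
        action = "DROP" if verdict and not self.transparent else "FORWARD"
        self.edrs.append({"rule": verdict or "pass", "action": action,
                          "host": m.origin_host, "cmd": m.cmd_code})
        return action

    def _cat0(self, m):   # peer identity / format, no AVP decoding needed
        if m.origin_realm not in ALLOWED_REALMS:
            return "cat0:unknown-realm"
        if not m.origin_host.endswith("." + m.origin_realm):
            return "cat0:host-realm-mismatch"
        return None

    def _cat1(self, m):   # Application-Id / Command-Code permitted on this interface
        if m.cmd_code not in INTERCONNECT_CMDS.get(m.app_id, set()):
            return "cat1:app-or-command-not-permitted"
        return None

    def _cat2(self, m):   # User-Name (IMSI) plausibility for the command direction
        users = [v for n, v in m.avps if n == "User-Name"]
        if len(users) != 1:          # a second User-Name AVP is a filter-bypass attempt
            return "cat2:user-name-count"
        is_home = users[0].startswith(HOME_IMSI_PREFIXES)
        if m.cmd_code in HSS_ORIGINATED and is_home:      # a foreign HSS never owns our IMSI
            return "cat2:hss-command-targets-home-subscriber"
        if m.cmd_code in MME_ORIGINATED and not is_home:  # a visited MME only asks about our roamers
            return "cat2:mme-command-for-foreign-subscriber"
        return None

    def _cat3(self, m):   # velocity check on consecutive Location Updates
        if m.cmd_code != ULR:
            return None
        imsi = next(v for n, v in m.avps if n == "User-Name")
        prev = self.last_seen.get(imsi)
        if prev and prev[0] != m.country and m.country not in NEIGHBOURS.get(prev[0], set()):
            here, there = COUNTRY_POS.get(prev[0]), COUNTRY_POS.get(m.country)
            if here and there:   # unknown centroids are not checked (fail-open by design)
                hours = max(m.ts - prev[1], 1.0) / 3600
                if haversine_km(here, there) / hours > MAX_KMH:
                    return "cat3:implausible-velocity"   # last_seen is NOT updated
        self.last_seen[imsi] = (m.country, m.ts)
        return None


if __name__ == "__main__":
    fw = DiameterFirewall(transparent=True)   # constructed run in transparent mode
    for msg in (make_msg(ULR, "262990000000001", "NL", 0),
                make_msg(ULR, "262990000000001", "JP", 60)):
        fw.screen(msg)
    for edr in fw.edrs:
        print(edr)
```

Rules are evaluated in category order, so a cheap Category 0 or 1 rejection is never reached by the AVP-level checks, and the velocity state is only advanced by an accepted Location Update. In transparent mode the verdict still reaches the EDR with action FORWARD, which is what lets an engineer compare a candidate rule's hits against known fraud cases before switching it to blocking.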
BroadForward DFW features
The BroadForward DFW improves the operator's effectiveness in dealing with unexpected (fraudulent) behaviour and significantly increases roaming security. The BroadForward DFW offers major differentiators compared to traditional firewall products:
- Unrivaled flexibility. Routing, screening and filtering on any message parameter. Freedom to create, adapt and deploy security rules at any time without need for coding or scripting or vendor dependency.
- Transparent mode support. Unique, live – non-intrusive – effectiveness testing of security rules while logging Event Detail Records for off-line evaluation.
- Velocity check support. Advanced location tracking function (GSMA FS.19 Category 3 compliant), including global neighboring country lists and velocity checks for location change plausibility checking.
- Fully compliant with the relevant GSMA FS.19 recommendations.
- Security suite combination support. 2G/3G/4G and even 5G Firewall support in a single engine software design.
- Flexible deployment models. Standalone DFW or in combination with e.g. SS7FW (and later 5GFW), using shared location tracking, common GUI interface, single capacity license.
- Completely GUI based. All configuration, rules orchestration, monitoring and management can be done using the graphical user interface.
- Active anomaly detection support. Provides reporting/notification interfaces (such as HTTP, SMS & SNMP).
- Carrier grade. Highly scalable, highly available, geo-redundant solution.
- Optional support for:
Hardware-agnostic solution, supporting virtualized deployments
The BroadForward DFW runs on any off-the-shelf hardware or in a virtualized environment. It is a 100% software-based, hardware-agnostic solution that supports virtualized, cloud and containerized deployment. The DFW does not rely on specialist hardware or proprietary operating systems. The ability to deploy the BroadForward DFW on a common (shared) platform (e.g. with the BroadForward DRA/DEA) supports operators and vendors in migrating away from proprietary appliance systems to a standards-based, hardware-agnostic, software-only infrastructure.