The BroadForward Next Generation Diameter Firewall (DFW) is the first single-engine software solution designed to work across signaling protocols. The solution protects networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more. The BroadForward DFW supports the relevant FS.19 GSMA guidelines for Signaling Firewalls of the Diameter protocol.
Firewall functionality across access networks
There is a growing realization that the traditional approach to secure signaling per access technology and protocol no longer suffices. Many security products today are designed on the assumption that securing a single protocol technology is sufficient. SS7 is still the dominant protocol technology in use, and although Diameter adoption is growing, 5G will introduce HTTP/2 to the Mobile core. Never before were Mobile networks so vulnerable to attacks from the connected world. It is clear the telecoms industry needs to rethink how to deal with these new threats. Mobile network technologies and the protocols that support them are evolving rapidly and so are the criminals looking for ways to exploit them. In the design of 2G/3G networks, which rely on SS7 signaling, security wasn’t a high priority. Back then there was no foresight about how pervasive mobile would become and what type of security challenges hyper-connectivity would bring. Moreover, today our daily life depends on reliable (mobile) connectivity, for messaging, healthcare, banking, social interaction and much, much more. We have reached phenomenal penetration of mobile subscribers that rely on high profile services, and hyper-connectivity for devices is set to grow exponentially (IoT).
Next Generation Diameter Firewall
The BroadForward Next Generation Diameter Firewall (BroadForward DFW) protects Diameter networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more.
On the road to 5G, firewall technology will undergo major changes, as service providers have to secure services across 2G/3G, 4G and 5G for many years to come. In conjunction with the introduction of IT protocol in the 5G mobile core, security solutions require a fundamentally different – converged – approach. The BroadForward DFW is the first single-engine software solution designed to work across signaling protocols. BroadForward considers a threat to one domain as a threat to all domains. The BroadForward DFW provides service providers with a path to gradual migration to a converged security architecture across Diameter, SS7 and HTTP – required for 5G signaling operations.
GSMA FS.19 categories supported
In 2017 the GSMA released its latest guidelines for “Diameter Interconnect Security” (FS.19). The BroadForward Diameter Firewall supports: Category 0 (Fundamental Anti-Spoofing), Category 1 (Basic Application ID and Command Code filtering), Category 2 (Robust AVP level filtering) as well as Category 3 (Advanced location based filtering) for Diameter.
High capacity, high performant solution
Using standard (commercially off-the-shelf) servers or virtual machines, the BroadForward Diameter Firewall supports 10,000’s of transactions per second on a single machine. It supports scaling up and scaling out, without any technical limitations. The BroadForward DFW stateful storage function (for Advanced location based filtering) is multi-node aware, using a distributed storage model. In case of a node or site failure, the data is processed by the redundant (other) node or site without any interruption or loss of volatile location data.
Unique, single engine Diameter Firewall
The BroadForward DFW offers major differentiators compared to traditional firewall products:
- Extensive firewall functionality based on a signaling framework with integrated security functions independent of signaling technology
- Multi-protocol support, including Diameter, HTTP and SS7
- Routing, screening and filtering on any parameter from M3UA, SCCP and TCAP layer, and/or specific parameters in MAP/INAP via the application peeking functionality
- Compliant with relevant GSMA FS.19 recommendations
- Active anomaly detection reporting/notification interface (HTTP, SMS & SNMP)
- Common GUI based management and configuration
- Template driven – no need for scripting or development
- Completely GUI based configuration and signaling orchestration
- Central logging point (EDR-registration)
- Carrier grade, highly scalable, high available, geo-redundant solution
- On-board (optional) support for:
Hardware-agnostic solution, supporting NFV
The BroadForward DFW runs on any off-the-shelf hardware or in a virtualized environment. It is a 100% software based solution, supporting virtualization and cloud deployment (VMware, KVM, OpenStack, Amazon etc.) as well as containerized application deployment (Docker, Kubernetes). The DFW does not rely on specialist hardware or proprietary operating systems. The ability to deploy the BroadForward DFW on a common (shared) platform (e.g. with the BroadForward SS7 Firewall) supports operators and vendors in migrating away from proprietary based appliance systems to a standards based hardware and cloud based infrastructure.