Firewall functionality across access networks
Access technologies and the protocols that support them are evolving rapidly. This has fundamentally altered the type of threats that converging networks are facing. Security wasn’t a high priority in the design of 2G/3G networks, which rely on SS7 signaling. At the time there was no foresight about how pervasive mobile would become and about the type of security challenges that would be introduced.
In addition, the high penetration of mobile subscribers and high-profile services, coupled with the exponential growth of the Internet of Things (IoT), requires the industry to rethink security. There is a growing realization that the traditional approach of securing signaling per access technology and protocol no longer suffices.
Next Generation Diameter Firewall
The BroadForward Next Generation Diameter Firewall (BroadForward DFW) protects Diameter networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more. The BroadForward DFW supports the relevant FS.19 GSMA guidelines for Signaling Firewalls of the Diameter protocol.
On the road to 5G, firewall technology will undergo major changes, as service providers have to secure services across 2G/3G, 4G and 5G for many years to come. In conjunction with the introduction of IT protocols in the 5G mobile core, security solutions require a fundamentally different – converged – approach. The BroadForward DFW is the first single-engine software solution designed to work across signaling protocols. BroadForward considers a threat to one domain as a threat to all domains. The BroadForward DFW provides service providers with a path to gradual migration to a centralized security architecture across Diameter, SIP, SS7 and HTTP, as required for 5G signaling operations.
GSMA FS.19 categories supported
In 2017 the GSMA released its latest guidelines for “Diameter Interconnect Security” (FS.19). The BroadForward Diameter Firewall supports: Category 0 (Fundamental Anti-Spoofing), Category 1 (Basic Application ID and Command Code filtering), Category 2 (Robust AVP level filtering) as well as Category 3 (Advanced location based filtering) for Diameter.
High-capacity, high-performance solution
Using standard (commercial off-the-shelf) servers or virtual machines, the BroadForward DFW supports 10,000s of transactions per second on a single machine. It supports scaling up and scaling out, without any technical limitations. The BroadForward DFW stateful storage function (for Advanced location based filtering) is multi-node aware, using a distributed storage model. In case of a node or site failure, the data is processed by the redundant (other) node or site without any interruption or loss of volatile location data.
Unique, single engine Firewall
The BroadForward DFW offers major differentiators compared to traditional firewall products:
- Extensive firewall functionality based on a signaling framework with integrated security functions independent of signaling technology
- Multi-protocol support, including Diameter, HTTP, SIP and SS7
- Routing, screening and filtering on any parameter in any Diameter message as well as message source or context
- Compliant with relevant GSMA FS.19 recommendations
- Fully integrated with Diameter Edge Agent (DEA) functionality
- Active anomaly detection reporting interface (HTTP, SMS & SNMP)
- Common GUI based management and configuration
- Extendable with SS7, SIP and HTTP firewall functions on the same engine
- Template driven – no need for scripting or development
- Completely GUI based configuration and signaling orchestration
- Central logging point (EDR-registration)
- Carrier grade, highly scalable, highly available, geo-redundant solution
- Extendable with multi-protocol EIR Function (SS7, Diameter and/or HTTP)