The BroadForward Next Generation Diameter Firewall (BroadForward DFW) is a converged software solution which protects 4G networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more. The BroadForward DFW supports the relevant FS.19 GSMA guidelines for Signaling Firewalls of the Diameter protocol.
Firewall functionality across access networks
There is a growing realization that the traditional approach of securing signaling per access technology and protocol no longer suffices. Many security products today are designed on the assumption that securing a single protocol technology is sufficient. SS7 is still a dominant protocol technology in use, and Diameter adoption is growing, while 5G will introduce HTTP/2 to the mobile core. Rapidly increasing connectivity has made mobile networks more vulnerable to attacks than ever before. It is clear the telecoms industry needs to rethink how to deal with these new threats. Mobile network technologies and the protocols that support them are evolving rapidly, and so are the criminals looking for ways to exploit them. In the design of 2G/3G networks, which rely on SS7 signaling, security wasn’t a high priority. Back then, no one foresaw how pervasive mobile would become or what type of security challenges hyper-connectivity would bring. Moreover, daily life today depends on reliable (mobile) connectivity for messaging, healthcare, banking, social interaction and much more. Mobile subscriber penetration has reached phenomenal levels, those subscribers rely on high-profile services, and hyper-connectivity for devices (IoT) is set to grow exponentially.
Next Generation Diameter Firewall
4G will continue to drive the majority of operators’ revenues for years to come. The GSMA expects LTE’s share of the global subs to rise to 56% by 2025. BroadForward DFW is a Next Generation Diameter Firewall, a unique 100% software designed, intelligent signaling solution.
The BroadForward DFW provides operators with an extensive set of tools offering unrivalled flexibility to integrate with systems across networks, adapt and deal with attacks, unauthorized senders, malformed messages, overload situations and much more.
GSMA FS.19 categories supported
The latest guidelines for “Diameter Interconnect Security” (FS.19 version 8.1) were released in 2020. The BroadForward Diameter Firewall supports: Category 0 (Fundamental Anti-Spoofing), Category 1 (Basic Application ID and Command Code filtering), Category 2 (Robust AVP level filtering) as well as Category 3 (Advanced location based filtering) for Diameter.
Converged Firewall and the transition to 5G
The BroadForward DFW is the first single-engine software solution designed to work across signaling protocols and network technologies. The BroadForward DFW not only secures 4G networks but also provides service providers with a path to gradual migration to a converged security architecture across Diameter, SS7 and HTTP, the latter being required for 5G signaling operations. Firewall technology needs to be able to secure services across 2G/3G, 4G and 5G for many years to come. The GSMA points out that “with even more entities gaining access to core networks in the 5G era (due to network slicing and other features), we can expect that the attackers active on 2G, 3G and 4G will seek to execute the same types of attacks over 5G”. The BroadForward converged software architecture is designed on the assumption that a threat to one domain is a threat to all domains.
High-capacity, high-performance solution
Using standard (commercial off-the-shelf) servers or virtual machines, the BroadForward Diameter Firewall supports 10,000s of transactions per second on a single machine. It supports scaling up and scaling out, without any technical limitations. The BroadForward DFW stateful storage function (for Advanced location based filtering) is multi-node aware, using a distributed storage model. In case of a node or site failure, the data is processed by the redundant (other) node or site without any interruption or loss of volatile location data.
Unique, single engine Diameter Firewall
The BroadForward DFW offers major differentiators compared to traditional firewall products:
- Extensive firewall functionality based on a signaling framework with integrated security functions independent of signaling technology
- Multi-protocol support, including Diameter, HTTP and SS7
- Routing, screening and filtering on any parameter
- Compliant with relevant GSMA FS.19 recommendations
- Active anomaly detection reporting/notification interface (HTTP, SMS & SNMP)
- Common GUI based management and configuration
- Template driven – no need for scripting or development
- Completely GUI based configuration and signaling orchestration
- Central logging point (EDR-registration)
- Carrier-grade, highly scalable, highly available, geo-redundant solution
- Optional (on-board) support for:
Hardware-agnostic solution, supporting virtualized deployments
The BroadForward DFW runs on any off-the-shelf hardware or in a virtualized environment. It is a 100% software-based solution, supporting virtualization and cloud deployment (VMware, KVM, OpenStack, Amazon etc.) as well as containerized application deployment (Docker, Kubernetes). The DFW does not rely on specialist hardware or proprietary operating systems. The ability to deploy the BroadForward DFW on a common (shared) platform (e.g. with the BroadForward SS7 Firewall) supports operators and vendors in migrating away from proprietary appliance-based systems to a standards-based, hardware-agnostic, software-only infrastructure.