The BroadForward Next Generation SS7 Firewall (SS7FW) is the first single-engine software solution designed to work across signaling protocols. The solution protects networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more. The BroadForward SS7FW supports the relevant FS.11 GSMA guidelines for Signaling Firewalls of the SS7 protocol.
Firewall functionality across access networks
There is a growing realization that the traditional approach to secure signaling per access technology and protocol no longer suffices. Many security products today are designed on the assumption that securing a single protocol technology is sufficient. SS7 is still the dominant protocol technology in use, and although Diameter adoption is growing, 5G will introduce HTTP/2 to the Mobile core. Never before were Mobile networks so vulnerable to attacks from the connected world. It is clear the telecoms industry needs to rethink how to deal with these new threats. Mobile network technologies and the protocols that support them are evolving rapidly and so are the criminals looking for ways to exploit them. In the design of 2G/3G networks, which rely on SS7 signaling, security wasn’t a high priority. Back then there was no foresight about how pervasive mobile would become and what type of security challenges hyper-connectivity would bring. Moreover, today our daily life depends on reliable (mobile) connectivity, for messaging, healthcare, banking, social interaction and much, much more. We have reached phenomenal penetration of mobile subscribers that rely on high profile services, and hyper-connectivity for devices is set to grow exponentially (IoT).
Next Generation SS7 Firewall
The BroadForward Next Generation SS7 Firewall (BroadForward SS7FW) protects SS7 networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more.
On the road to 5G, firewall technology will undergo major changes, as service providers have to secure services across 2G/3G, 4G and 5G for many years to come. In conjunction with the introduction of IT protocols in the 5G mobile core, security solutions require a fundamentally different – converged – approach. The BroadForward SS7FW is the first single-engine software solution designed to work across signaling protocols. BroadForward considers a threat to one domain as a threat to all domains. The BroadForward SS7FW provides service providers with a path to gradual migration to a centralized security architecture across Diameter, SS7 and HTTP – required for 5G signaling operations.
GSMA FS.11 categories
In 2019 the GSMA released its latest guidelines for “SS7 Interconnect Security” (FS.11) which defines the following three categories:
- Category 1: Messages that should only be received from within the same network and/or are unauthorised at interconnect level, and should not be sent between operators unless there is an explicit bilateral agreement.
- Category 2: Messages that should only be received from the visiting subscriber's home network. These should normally only be received from an inbound roamer’s home network and require intra-packet logic to be applied to detect anomalies on packets either inbound or outbound.
- Category 3: Messages that should only be received from the subscriber’s visited network. Specifically MAP packets that are authorised to be sent on interconnects between mobile operators. These require additional, advanced inter-packet logic to be applied to detect anomalies.
The BroadForward SS7 Firewall supports message screening and filtering for SCCP, TCAP, INAP and MAP messages according to FS.11.
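The three categories translate into three different kinds of check: a static allow-list, a comparison of fields inside one message, and a comparison against state kept from earlier messages. The sketch below is an added example, not BroadForward code or FS.11 text; the operation-to-category assignments, the prefixes, the one-hour plausibility window and the `screen` function are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy. The operation-to-category assignments and the
# GT/IMSI prefixes are assumptions for illustration, not values from the page.
CATEGORY = {"anyTimeInterrogation": 1, "provideSubscriberInfo": 2, "updateLocation": 3}
BILATERAL = {("anyTimeInterrogation", "4477")}   # (operation, peer GT prefix)
HOME_GT = {"20404": "3165"}                      # IMSI MCC+MNC prefix -> home GT prefix
MIN_MOVE_SECONDS = 3600                          # assumed plausibility window


@dataclass
class Msg:
    op: str           # MAP operation name
    calling_gt: str   # SCCP calling party global title
    imsi: str
    ts: int           # receive time in seconds


def screen(msg, last_seen):
    """Return (verdict, reason). last_seen maps IMSI -> (peer GT prefix, ts)."""
    cat = CATEGORY.get(msg.op)
    peer = msg.calling_gt[:4]  # simplification: a fixed 4-digit prefix names the peer
    if cat is None:
        return "block", "unknown operation"
    if cat == 1:
        # Unauthorised at interconnect unless explicitly agreed with this peer.
        ok = (msg.op, peer) in BILATERAL
        return ("allow", "bilateral agreement") if ok else ("block", "cat1 at interconnect")
    if cat == 2:
        # Intra-packet check: sender must belong to the subscriber's home network.
        home = HOME_GT.get(msg.imsi[:5])
        ok = home is not None and msg.calling_gt.startswith(home)
        return ("allow", "from home network") if ok else ("block", "cat2 not from home network")
    # Category 3, inter-packet check: compare with state from earlier messages.
    prev = last_seen.get(msg.imsi)
    if prev and prev[0] != peer and msg.ts - prev[1] < MIN_MOVE_SECONDS:
        return "block", "cat3 implausible network change"
    last_seen[msg.imsi] = (peer, msg.ts)
    return "allow", "cat3 plausible"
```

A blocked Category 3 message does not update the stored location, so a later message from the same peer is still judged against the last accepted state.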
High-capacity, high-performance solution
Using standard (commercial off-the-shelf) servers or virtual machines, the BroadForward SS7 Firewall supports 10,000’s of transactions per second on a single machine. It supports scaling up and scaling out, without any technical limitations. The BroadForward SS7FW stateful storage function (for Advanced location based filtering) is multi-node aware, using a distributed storage model. In case of a node or site failure, the data is processed by the redundant (other) node or site without any interruption or loss of volatile location data.
Unique, single engine SS7 Firewall
The BroadForward SS7FW offers major differentiators compared to traditional firewall products:
- Extensive firewall functionality based on a converged signaling framework providing integrated security functions independent of signaling technology
- Multi-protocol support, including SS7, Diameter and HTTP
- Supports message screening and filtering for SCCP, TCAP, INAP and MAP messages
- Compliant with relevant GSMA FS.11 recommendations
- Not dependent on specific hardware
- Active anomaly detection reporting/notification interface (HTTP, SMS & SNMP)
- Extendable with Diameter and HTTP firewall functions on same engine
- Template driven – no need for scripting or development
- Completely GUI based configuration and signaling orchestration
- Central logging point (EDR-registration)
- Carrier grade, highly scalable, highly available, geo-redundant solution
- On-board (optional) support for:
Hardware-agnostic solution, supporting virtualized deployments
The BroadForward SS7FW runs on any off-the-shelf hardware or in a virtualized environment. It is a 100% software based solution, supporting virtualization and cloud deployment (VMware, KVM, OpenStack, Amazon etc.) as well as containerized application deployment (Docker, Kubernetes). The SS7FW does not rely on specialist hardware or proprietary operating systems. The ability to deploy the BroadForward SS7FW on a common (shared) platform (e.g. with the BroadForward Diameter Firewall) supports operators and vendors in migrating away from proprietary based appliance systems to a standards based, hardware agnostic, software only, infrastructure.