The BroadForward Next Generation SS7 Firewall (SS7FW) is a converged software solution which protects 2G and 3G networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more. The BroadForward SS7FW supports the relevant FS.11 GSMA guidelines for Signaling Firewalls of the SS7 protocol.
Firewall functionality across access networks
There is a growing realization that the traditional approach to secure signaling per access technology and protocol no longer suffices. Many security products today are designed on the assumption that securing a single protocol technology is sufficient. SS7 is still the dominant protocol technology in use, and although Diameter adoption is growing, 5G will introduce HTTP/2 to the Mobile core. Never before were Mobile networks so vulnerable to attacks from the connected world. It is clear the telecoms industry needs to rethink how to deal with these new threats. Mobile network technologies and the protocols that support them are evolving rapidly and so are the criminals looking for ways to exploit them. In the design of 2G/3G networks, which rely on SS7 signaling, security wasn’t a high priority. Back then there was no foresight about how pervasive mobile would become and what type of security challenges hyper-connectivity would bring. Moreover, today our daily life depends on reliable (mobile) connectivity, for messaging, healthcare, banking, social interaction and much, much more. We have reached phenomenal penetration of mobile subscribers that rely on high profile services, and hyper-connectivity for devices is set to grow exponentially (IoT).
Next Generation SS7 Firewall
According to the GSMA (source: GSMA Mobile Economy 2020), an additional 900 million people have been covered by a 3G network since 2015 (90% global coverage in 2020). The continued importance of SS7 for global telecommunications should not be underestimated. The BroadForward Next Generation SS7 Firewall (BroadForward SS7FW) is a unique 100% software designed, intelligent signaling solution.
The BroadForward SS7FW provides operators with an extensive set of tools offering unrivalled flexibility to integrate with systems across networks, adapt and deal with attacks, unauthorized senders, malformed messages, overload situations and much more.
GSMA FS.11 categories
The GSMA regularly releases updates to its guidelines for “SS7 Interconnect Security” also known as the FS.11 recommendations. In general these recommendations define the following three categories:
- Category 1: Messages that should only be received from within the same network and/or are unauthorized at interconnect level, and should not be sent between operators unless there is an explicit bilateral agreement.
- Category 2: Messages that should only be received from a visiting subscriber’s home network. These should normally only be received from an inbound roamer’s home network and require intra-packet logic to be applied to detect anomalies on packets either inbound or outbound.
- Category 3: Messages that should only be received from the subscriber’s visited network. Specifically, MAP packets that are authorized to be sent on interconnects between mobile operators. These require additional, advanced inter-packet logic to be applied to detect anomalies.
Screening, filtering and SMS Firewall
The BroadForward SS7 Firewall supports message screening and filtering for SCCP, TCAP, INAP and MAP messages according to FS.11. In addition, for SMS fraud prevention the BroadForward SS7FW can be extended with SMS anti-fraud firewall rules to prevent:
Converged Firewall and the transition to 5G
The BroadForward SS7FW is the first single-engine software solution designed to work across signaling protocols and network technologies. The BroadForward SS7FW not only secures 2G and 3G networks but also provides service providers with a path to gradual migration to a converged security architecture across Diameter, SS7 and HTTP – required for 5G signaling operations. Firewall technology needs to be able to secure services across 2G/3G, 4G and 5G for many years to come. The GSMA points out that “with even more entities gaining access to core networks in the 5G era (due to network slicing and other features), we can expect that the attackers active on 2G, 3G and 4G will seek to execute the same types of attacks over 5G”. The BroadForward converged software architecture is designed assuming a threat to one domain to be a threat to all domains.
High-capacity, high-performance solution
Using standard (commercial off-the-shelf) servers, virtual machines or cloud-based (containerized) deployment technologies, the BroadForward SS7 Firewall supports 10,000s of transactions per second on a single machine. It supports scaling up and scaling out, without any technical limitations. The BroadForward SS7FW stateful storage function (for advanced location-based filtering) is multi-node aware, using a distributed storage model. In case of a node or site failure, the data is processed by the redundant (other) node or site without any interruption or loss of volatile location data.
Unique, single engine SS7 Firewall
The BroadForward SS7FW offers major differentiators compared to traditional firewall products:
- Extensive firewall functionality based on a converged signaling framework providing integrated security functions independent of signaling technology
- Multi-protocol support, including SS7, Diameter and HTTP
- Supports message screening and filtering for SCCP, TCAP, INAP and MAP messages
- Supports blacklist and whitelist functions
- Compliant with relevant GSMA FS.11 recommendations
- Not dependent on specific hardware
- Active anomaly detection reporting/notification interface (HTTP, SMS & SNMP)
- Extendable with Diameter and HTTP firewall functions on same engine
- Template driven – no need for scripting or development
- Completely GUI based configuration and signaling orchestration
- Central logging point (EDR-registration)
- Carrier grade, highly scalable, highly available, geo-redundant solution
- Optional extension with support for SMS Firewall functions according to IR.70/IR.71
- Optional (on-board) support for:
Hardware-agnostic solution, supporting virtualized deployments
The BroadForward SS7FW runs on any off-the-shelf hardware or in a virtualized environment. It is a 100% software based solution, supporting virtualization and cloud deployment (VMware, KVM, OpenStack, Amazon etc.) as well as containerized application deployment (Docker, Kubernetes). The SS7FW does not rely on specialist hardware or proprietary operating systems. The ability to deploy the BroadForward SS7FW on a common (shared) platform (e.g. with the BroadForward Diameter Firewall) supports operators and vendors in migrating away from proprietary based appliance systems to a standards based, hardware agnostic, software only, infrastructure.