The Next Generation Diameter Firewall (DFW) is the first single-engine software solution designed to work across signaling protocols. The solution protects networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more. The DFW supports the relevant FS.19 GSMA guidelines for Signaling Firewalls of the Diameter protocol.
Firewall functionality across access networks
There is a growing realization that the traditional approach to secure signaling per access technology and protocol no longer suffices. Many security products today are designed on the assumption that securing a single protocol technology is sufficient. SS7 is still the dominant protocol technology in use, and although Diameter adoption is growing, 5G will introduce HTTP/2 to the mobile core. Never before have mobile networks been so vulnerable to attacks from the connected world. It is clear the telecoms industry needs to rethink how to deal with these new threats. Mobile network technologies and the protocols that support them are evolving rapidly, and so are the criminals looking for ways to exploit them. In the design of 2G/3G networks, which rely on SS7 signaling, security wasn’t a high priority. Back then there was no foresight about how pervasive mobile would become and what type of security challenges hyper-connectivity would bring. Moreover, today our daily life depends on reliable (mobile) connectivity for messaging, healthcare, banking, social interaction and much, much more. We have reached phenomenal penetration of mobile subscribers that rely on high-profile services, and hyper-connectivity for devices is set to grow exponentially (IoT).
Next Generation Diameter Firewall
The Next Generation Diameter Firewall protects Diameter networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more. It supports the relevant FS.19 GSMA guidelines for Signaling Firewalls of the Diameter protocol.
On the road to 5G, firewall technology will undergo major changes, as service providers have to secure services across 2G/3G, 4G and 5G for many years to come. In conjunction with the introduction of IT protocols in the 5G mobile core, security solutions require a fundamentally different – converged – approach. The DFW is the first single-engine software solution designed to work across signaling protocols. It considers a threat to one domain as a threat to all domains. The DFW provides service providers with a path to gradual migration to a centralized security architecture across Diameter, SIP, SS7 and HTTP – required for 5G signaling operations.
GSMA FS.19 categories supported
In 2017 the GSMA released its latest guidelines for “Diameter Interconnect Security” (FS.19). The Diameter Firewall supports: Category 0 (Fundamental Anti-Spoofing), Category 1 (Basic Application ID and Command Code filtering), Category 2 (Robust AVP level filtering) as well as Category 3 (Advanced location based filtering) for Diameter.
High-capacity, high-performance solution
Using standard (commercial off-the-shelf) servers or virtual machines, the Diameter Firewall supports 10,000s of transactions per second on a single machine. It supports scaling up and scaling out, without any technical limitations. The DFW stateful storage function (for Advanced location based filtering) is multi-node aware, using a distributed storage model. In case of a node or site failure, the data is processed by the redundant (other) node or site without any interruption or loss of volatile location data.
Unique, single engine Diameter Firewall
The DFW offers major differentiators compared to traditional firewall products:
- Extensive firewall functionality based on a signaling framework with integrated security functions independent of signaling technology
- Multi-protocol support, including Diameter, HTTP, SIP and SS7
- Routing, screening and filtering on any parameter in any Diameter message as well as message source or context
- Compliant with relevant GSMA FS.19 recommendations
- Fully integrated with Diameter Edge Agent (DEA) functionality
- Active anomaly detection reporting interface (HTTP, SMS & SNMP)
- Common GUI based management and configuration
- Extendable with SS7, SIP and HTTP firewall functions on same engine
- Template driven – no need for scripting or development
- Completely GUI based configuration and signaling orchestration
- Central logging point (EDR-registration)
- Carrier grade, highly scalable, highly available, geo-redundant solution
- Extendable with multi-protocol EIR Function (SS7, Diameter and HTTP)