Protection for Mobile Network Signaling

Securing SCTP, GTP, Diameter, SIP, DNS and "Internet Stack" for 4G/5G

The Need for Control Plane (Signaling) Security

The mobile network's ability to provide services and drive innovation depends on safeguarding both the availability and the integrity of its control plane. Securing the core signaling protocols, interfaces, and reference points has always been crucial and only becomes more critical with 5G, where new functionalities and services depend entirely on the ability to instantiate and orchestrate on-demand services, service chains, and complex ecosystems at both the core and the edge of the mobile network. The following signaling protocols play a major role in 4G and in some 5G control-plane operations:

  • Stream Control Transmission Protocol (SCTP): Transport protocol used on several Evolved Packet Core (EPC) interfaces, for example S1-MME between the eNodeB and the MME, and under Diameter on S6a.

  • GPRS Tunneling Protocol (GTP): Set of protocols in which GTP-C carries session-management signaling (for example on S11 and S5/S8) and GTP-U tunnels user-plane traffic (for example on S1-U and S5/S8).

  • Diameter: Authentication, authorization, and accounting (AAA) protocol, used on EPC interfaces such as S6a (MME to HSS) and Gx (PCEF to PCRF).

  • Session Initiation Protocol (SIP): Used by the IMS to set up and control multimedia sessions and services such as VoLTE calls.

  • Domain Name System (DNS): Not a signaling protocol, but a foundational element of any carrier network; the EPC relies on it, for example, to select serving and PDN gateways for an APN.

 

From 4G to 5G Signaling - From Protocols to API Calls

5G introduces a fundamental change in core signaling with the move from a point-to-point, monolithic signaling protocol architecture to a Service Based Architecture (SBA). This facilitates agility and flexibility in the deployment and availability of network functions and services, as outlined below:

4G SIGNALING                                                       | 5G SIGNALING
-------------------------------------------------------------------+-------------------------------------------------
Point-to-point communication with the core network                 | "Everyone-to-everyone" (bus) communication
Different and multiple signaling protocols                         | Signaling messages replaced by API calls
Monolithic conception of network functions                         | Service consumer/producer deployment model
Tight coupling of network functions and statically-configured      | Defined interfaces on a uniform protocol stack
security                                                           |

5G's uniform protocol stack is based on the Internet stack: on the service-based interfaces of the core, SCTP is replaced by TCP and Diameter by HTTP/2 (SCTP itself remains on the N2 interface between the gNB and the AMF). According to an ENISA report on signaling security, the use of common Internet protocols such as HTTP and TLS, together with REST APIs, will create a situation where "the grace period between vulnerability discovery and real exploitation will become much shorter compared to SS7 and Diameter." 5G deployments will therefore need to reuse the security capabilities of the Internet realm, but at the latency, scale, and degree of automation that carriers and mobile operators require.
 

Safeguarding Signaling Integrity Throughout The Mobile Infrastructure: RAN/EPC/5G-NGC/Roaming/IMS/PDN

FortiGate delivers a wide set of scalable security capabilities to safeguard signaling interfaces and protocols across 4G and 5G (RAN, EPC/5G-NGC, IMS, roaming, PDN):

SIP

  • Carrier-grade SIP security
  • Session border controller (SBC) substitute
  • SIP NAT and hosted NAT traversal (HNT)
  • Multi-tenancy
  • IPsec termination
  • SIP/TLS inspection
  • Fuzzing protection
  • Intrusion prevention

SCTP

  • Stateful SCTP firewall
  • Countermeasures for the SCTP attacks catalogued in RFC 5062
  • SCTP over IPsec VPN
  • SCTP NAT

DNS

  • DNS Tunneling Protection
  • High-performance DNS validation

 

GTP

  • Stateful GTP-C and GTP-U security control
  • Granular GTP profile enforcement and filtering
  • Validation and anomaly detection, full header field check
  • Content and anti-malware inspection for GTP-U
  • Rich GTP logging
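The "full header field check" listed above is easiest to understand on a concrete message. The following is an added example, not Fortinet code: a small GTPv2-C validator that applies the checks a stateful GTP firewall performs before it accepts a control-plane PDU (version and spare bits, Message Length against the octets actually received, presence of the TEID according to the message type, bounds of every information element, and a piggybacked second message). The field layout follows 3GPP TS 29.274; the message-type constants, the assumption that the Rel-15 MP flag bit is not expected on the interface being protected, and the sample PDUs (constructed hex, not captured traffic) are ours.

```python
"""GTPv2-C header and IE sanity checks run over constructed sample PDUs.

Added example (not Fortinet code). Field layouts follow 3GPP TS 29.274;
the constants and the sample bytes below are our own.
"""
import struct

ECHO_REQUEST = 1
ECHO_RESPONSE = 2
VERSION_NOT_SUPPORTED = 3
CREATE_SESSION_REQUEST = 32

# These messages are sent without a TEID (T flag = 0); all others carry one.
NO_TEID_MESSAGES = {ECHO_REQUEST, ECHO_RESPONSE, VERSION_NOT_SUPPORTED}


def walk_ies(body: bytes) -> list[str]:
    """Check that each IE (Type, Length, Spare|Instance, Value) fits inside the body."""
    issues, off = [], 0
    while off < len(body):
        if len(body) - off < 4:
            issues.append(f"IE header truncated at offset {off}")
            break
        ie_type, ie_len, inst = struct.unpack("!BHB", body[off:off + 4])
        if inst & 0xF0:
            issues.append(f"IE type {ie_type}: spare bits set in instance octet")
        end = off + 4 + ie_len
        if end > len(body):
            issues.append(f"IE type {ie_type}: length {ie_len} overruns message by {end - len(body)} octets")
            break
        off = end
    return issues


def validate_gtpv2c(pkt: bytes, piggybacked: bool = False) -> list[str]:
    """Return the anomalies found in one GTPv2-C PDU (an empty list means clean)."""
    if len(pkt) < 8:
        return ["message shorter than the 8-octet minimum header"]
    flags, msg_type, msg_len = struct.unpack("!BBH", pkt[:4])
    version = flags >> 5          # bits 8-6
    p_flag = bool(flags & 0x10)   # bit 5: another message is piggybacked after this one
    t_flag = bool(flags & 0x08)   # bit 4: TEID present
    spare = flags & 0x07          # bits 3-1; assumption: the Rel-15 MP flag is not expected here
    if version != 2:
        return [f"version {version} is not GTPv2-C"]
    issues = []
    if spare:
        issues.append("spare bits in the flags octet are non-zero")
    if piggybacked and p_flag:
        issues.append("piggybacked message sets the P flag itself")
    total = 4 + msg_len           # Message Length excludes the first 4 octets
    if total > len(pkt):
        issues.append(f"length field {msg_len} claims {total - len(pkt)} octets more than received")
        return issues
    if total < len(pkt) and not p_flag:
        issues.append(f"{len(pkt) - total} trailing octets beyond the length field with no P flag")
    hdr_len = 12 if t_flag else 8
    if total < hdr_len:
        issues.append("length field too small to hold the header")
        return issues
    if msg_type in NO_TEID_MESSAGES and t_flag:
        issues.append(f"message type {msg_type} must not carry a TEID")
    elif msg_type not in NO_TEID_MESSAGES and not t_flag:
        issues.append(f"message type {msg_type} requires a TEID")
    issues += walk_ies(pkt[hdr_len:total])
    if p_flag:                    # validate the second message that follows the first
        issues += [f"piggybacked: {i}" for i in validate_gtpv2c(pkt[total:], piggybacked=True)]
    return issues


# Constructed sample PDUs (hex), not captured traffic.
GOOD_ECHO = bytes.fromhex("40010009" "000001" "00" "03000100" "05")  # Echo Request + Recovery IE
BAD_CSR = bytes.fromhex("41200004" "000002" "00")                     # Create Session Request, no TEID, spare bit set
BAD_IE = bytes.fromhex("40010009" "000003" "00" "0300ff00" "05")      # Recovery IE claims 255 octets
BAD_LEN = bytes.fromhex("40010020" "000004" "00")                     # length field overstated
SAMPLES = {"good_echo": GOOD_ECHO, "bad_csr": BAD_CSR, "bad_ie": BAD_IE, "bad_len": BAD_LEN}


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the validator over a set of named PDUs."""
    return {name: validate_gtpv2c(pdu) for name, pdu in samples.items()}


if __name__ == "__main__":
    for name, found in triage(SAMPLES).items():
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

A production GTP firewall keeps per-tunnel state on top of this (which TEIDs were allocated by which Create Session exchange, on which interface, and for which peer), so that a GTP-U packet or a Delete Session Request referencing an unknown TEID can be dropped; the checks above are the stateless part that every PDU must pass first.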

Diameter

  • Passive monitoring of SCTP/TCP traffic carrying the Diameter S6a application
  • Analyze and correlate Diameter messages for fraud activity
  • Correlate GTP, Diameter, and other protocols


FortiGate next-generation firewall (NGFW) capabilities cover the 5G "Internet stack" (TCP/UDP, HTTP, SSL/TLS, and more), with additional granularity from capabilities such as antivirus and application control.

 


Physical Appliance (PNF) or Virtual Network Function (VNF) Implementations

FortiGate signaling and Internet security features can be implemented as a PNF with high availability (HA) and proven scalability. Fortinet's custom security processors provide hardware acceleration to meet today's and tomorrow's traffic and session volumes with minimal latency and very high performance.

The same capabilities are provided by FortiGate virtual machines (VMs) acting as VNFs, with a small footprint and fast boot time, giving a consolidated NGFW and unified threat management (UTM) VNF for 4G/4.5G and 5G environments. Dynamic, large-scale auto scaling is achieved through proven integration with software-defined networking (SDN) and European Telecommunications Standards Institute (ETSI) NFV management and orchestration (MANO) platforms such as Amdocs, Ciena's Blue Planet, HPE, Ericsson, Nokia, Cisco, and more.


SDN Integration

Fortinet technology and Fabric-Ready Partner programs ensure SDN integration via Fortinet SDN Connectors and Fortinet APIs (available via the Fortinet Developer Network). These include integration with Nuage Networks, Cisco ACI, and VMware NSX.