The BroadForward SS7 Firewall (SS7FW) is a complete and advanced software-based solution that protects 2G and 3G networks against potential attacks, unauthorized senders, malformed messages, overload situations and much more. The BroadForward SS7FW supports the FS.11 GSMA guidelines for Signaling Firewalls of the SS7 protocol and can be deployed with the BroadForward Diameter Firewall (DFW).
Latest Firewall requirements
Firewall technology has been undergoing a major shift from a limited fixed-rules (black box) function to an integrated security solution that can cover multiple access technologies and which enables adaptation of its firewall rules.
Many security solutions however do not offer a solution that works across 2G, 3G, 4G and 5G network technologies and often lack the features (and the flexibility) required to be compliant to the latest industry security recommendations.
In the wake of a growing number of attacks governments and regulators all over the world are demanding mobile operators adopt more stringent security measures. Industry representative bodies (e.g. ENISA, GSMA) have published additional security recommendations – such as GSMA specifications FS.11 and FS.19 – which are designed to counter threats that are exposing design weaknesses in the security of legacy networks. Of these recommendations the ability to detect implausible location changes is the single most important factor to establish mobile identity theft (MSISDN/IMSI) and most complex to mitigate properly.
New specifications are often open to (implementation) interpretation, which requires solutions to offer flexibility to adapt security rules on the fly. And as the complexity and interdependencies of security measures increase operators need to be able to perform non-intrusive rules effectiveness testing on a live network.
BroadForward SS7 Firewall
The BroadForward SS7 Firewall (SS7FW) is in use with leading mobile operators around the world. The SS7FW provides operators with a default set of firewall rules that implement the GSMA specifications FS.11. None of the firewall rules in the system are ‘hard-coded’ and can therefore be adapted for/by the operator as required.
The SS7FW reduces the window of opportunity for criminals to exploit a breach on their mobile network. It detects and blocks duplicated SIM or SIM Swap fraud in real-time by performing velocity tracking. This unique feature automatically determines – with a high degree of accuracy – whether roaming location changes are plausible in terms of the speed normally required to bridge that distance (‘time-distance plausibility’).
The easy-to-use Graphical User Interface provides full control of firewall rules and insight into signaling traffic. It gives extensive flexibility to configure, adapt, enable or disable firewall rules that can be deployed across all supported access technologies. The use of readily available templates means operators do not require vendor involvement, scripting or coding to manage or customize firewall rules.
Furthermore, the solution will detail the effectiveness of rules enforcement in Event Detail Record reporting, allowing significant improvement in roaming management and subsequent rules enforcement (IR.21 / IR.88 / NG.113 for 5G). The SS7FW firewall can be deployed with other BroadForward functions such as the Diameter Firewall, STP, DEA and 5G SEPP.
Transparent Mode
Each mobile network has their own specific security requirements and it is challenging for implementation teams to ensure firewall security rules are truly effective and without any negative side effects. The BroadForward Firewall has a unique feature to verify if security rules are actually effective and correctly implemented. The SS7FW offers a “transparent mode” feature allowing rule testing and fine tuning on the mobile network without impacting the live traffic. When introducing new firewall rules first in “transparent mode”, there will not be a blocking effect on traffic until they are fully tested in the live network and proven to block the fraud they are created for.
GSMA FS.11 categories
The GSMA regularly releases updates to its guidelines for “SS7 Interconnect Security” also known as the FS.11 recommendations. In general these recommendations define the following three categories:
- Category 1: Messages that should only be received from within the same network and/or are unauthorized at interconnect level, and should not be sent between operators unless there is an explicit bilateral agreement.
- Category 2: Messages that should only be received from visiting subscribers home network. These should normally only be received from an inbound roamer’s home network and require intra-packet logic to be applied to detect anomalies on packets either inbound or outbound.
- Category 3: Messages that should only be received from the subscriber’s visited network. Specifically, MAP packets that are authorized to be sent on interconnects between mobile operators. These require additional, advanced inter-packet logic to be applied to detect anomalies. Messages that indicate an unusually rapid change of location (measured by consecutive Location Updates from non-bordering countries within a short period) should be filtered.
Screening, filtering and SMS Signaling Firewall
The BroadForward SS7 Firewall supports message screening and filtering for SCCP, TCAP, INAP and MAP messages according to FS.11. In addition, for SMS fraud prevention, the BroadForward SS7FW can be extended with SMS anti-fraud signaling firewall rules to prevent:
- MO-Spoof
- MT-Fake
- MO-GT-Scanning
- MT-Flooding
BroadForward SS7FW features
The BroadForward SS7FW will improve the operator’s effectiveness in dealing with unexpected (fraudulent) behavior and significantly increases roaming security. The BroadForward SS7FW offers major differentiators compared to traditional firewall products:
- Unrivaled flexibility. Routing, screening and filtering on any parameter of SCCP, TCAP, INAP and MAP messages. Freedom to create, adapt and deploy security rules at any time without need for coding or scripting or vendor dependency.
- Transparent mode support. Unique, live – non-intrusive – effectiveness testing of all security rules while logging Event Detail Records for off-line evaluation.
- Velocity check support. Advanced location tracking function (GSMA FS.11 Category 3 compliant), including global neighboring country lists and velocity checks for location change plausibility checking.
- Fully compliant with the relevant GSMA FS.11 recommendations.
- Security suite combination support. 2G/3G/4G (and in the future 5G) Firewall support in a single engine software design.
- Flexible deployment models. Standalone SS7FW or in combination with e.g. Diameter FW (and later 5GFW), using shared location tracking, common GUI interface, single capacity license.
- Completely GUI based. All configuration, rules orchestration, monitoring and management can be done using the graphical user interface.
- Active anomaly detection support. Provides reporting/notification interfaces (such as HTTP, SMS & SNMP).
- Carrier grade. Highly scalable, high available, geo-redundant solution.
- Optional support for:
Hardware-agnostic solution, supporting virtualized deployments
The BroadForward SS7FW runs on any off-the-shelf hardware or in a virtualized environment. It is a 100% software-based solution, hardware-agnostic and support virtualization and cloud deployment as well as containerized application deployment. The SS7FW does not rely on specialist hardware or proprietary operating systems. The ability to deploy the BroadForward SS7FW on a common (shared) platform (e.g. with the BroadForward Diameter Firewall) supports operators and vendors in migrating away from proprietary based appliance systems to a standards based, hardware agnostic, software only, infrastructure.