TITAN.IUM Signaling Firewall (SFW)

The Challenge

Industry experts have been sounding the alarm for some time about the security vulnerabilities of the SS7 protocol widely used as the signaling basis for fixed and mobile (2G/3G) networks.  The emergence of 4G has not reduced the level of alarm.  

It is true that 4G has driven widespread adoption of Diameter and SIP as the new primary signaling mechanisms for mobile networks.  However, rather than resolving signaling security concerns, this has amplified those concerns, driven by the All-IP nature of Diameter & SIP.  This All-IP aspect makes Diameter & SIP vulnerable to a wide range of security exploits over and above those besetting SS7.  Fraudsters worldwide are gleefully, creatively and vigorously exploiting this fact. 

In response, operators need to secure their SS7, Diameter & SIP signaling architectures in a way that addresses not only already known vulnerabilities, but also protects their networks in real time against newly emerging threats in a manner that allows them to react in real time without waiting for a vendor-provided solution. 

The NetNumber Solution

NetNumber’s TITAN.IUM Signaling Firewall (SFW) provides a highly scalable Multi-Protocol Signaling Firewall that can be used to protect operator networks and their subscribers from today’s security threats as well as those that will inevitably emerge tomorrow. The same SFW can be used to protect SS7, Diameter and/or SIP signaling networks.  The TITAN.IUM SFW can statefully monitor both individual protocol dialogs and cross protocol parameter congruency, allowing it to incorporate all available information when evaluating signaling messages for plausibility, possible fraud and many other use cases. 

Despite covering all of SS7, Diameter and SIP, the TITAN.IUM SFW can dive down to operate upon any parameter of any message, even parameters in nested Diameter AVPs.  Operations can include message screening, message modification and message rate limiting, which can be applied to all or to just specific messages.  If security violations are detected, the SFW can be configured to silently discard such messages, or raise configurable error messages and/or alerts.  Taken together, these capabilities allow the SFW to protect downstream network elements from overload, enforce SLA limits and protect against fraud. 

The TITAN.IUM SFW is designed to detect and protect against attack scenarios defined by the GSMA Fraud and Security Group (FASG), as described in GSMA FS.07 (SS7 and SIGTRAN Network Security), GSMA FS.11 (SS7 Interconnect Security Monitoring and Firewall Guidelines), GSMA FS.19 (Diameter Interconnect Security), GSMA FS.21 (Interconnect Signaling Security Recommendations) and GSMA FS.38 (SIP Network Security) papers. The SFW can also be configured to detect and protect against Wangiri fraud and robocalling fraud. 

With three highly flexible deployment models, Signaling Firewall can be deployed into almost any network topology, often without disruption to existing routing plans.  SFW can be overlaid onto existing signaling elements, deployed in front or behind existing nodes, or can be integrated with other NetNumber-supplied elements. 

As a member of the TITAN.IUM Container-Native family of products, the SFW affords a highly scalable, geo-redundant solution, also providing for close interworking with 5G Signaling Edge Protection Proxy (SEPP) integrated HTTP/2 based Firewall functions. 

rm for some time about the security vulnerabilities of the SS7 protocol widely used as the signaling basis for fixed and mobile (2G/3G) networks.  The emergence of 4G has not reduced the level of alarm.  

It is true that 4G has driven widespread adoption of Diameter and SIP as the new primary signaling mechanisms for mobile networks.  However, rather than resolving signaling security concerns, this has amplified those concerns, driven by the All-IP nature of Diameter & SIP.  This All-IP aspect makes Diameter & SIP vulnerable to a wide range of security exploits over and above those besetting SS7.  Fraudsters worldwide are gleefully, creatively and vigorously exploiting this fact. 

In response, operators need to secure their SS7, Diameter & SIP signaling architectures in a way that addresses not only already known vulnerabilities, but also protects their networks in real time against newly emerging threats in a manner that allows them to react in real time without waiting for a vendor-provided solution. 

Feature Highlights

For two decades, NetNumber has been a leader in fixed and mobile signaling, routing and security. Key Signaling Firewall capabilities include:

  • Multi-protocol Firewall supporting SS7, Diameter & SIP signaling in a common solution.
  • Seamless interworking with 5G SEPP integrated Firewall functions.
  • Message Screening / Rate Limiting.
  • Stateful & Stateless Firewall functions.
  • GSMA Fraud & Security Group (FASG) Attack Protection.
  • Diameter End-to-End Security (DESS) Phase1 Support.
  • Programmable Dissector-based Rules Engine.
  • Programmable Security Violation event response.
  • Flexible Deployment: Overlay, In-Line & Integrated deployment modes. Rich Monitoring & Observability framework (Tracing, KPIs & TDRs).
  • NetNumber SFW Audit, Correction & Penetration Testing Services (optional).
  • NetNumber TITAN.IUM Traffic Analytics (optional).
Benefits

Key TITAN.IUM Ut-Proxy benefits include:

  • Increased Success Rate of SMS & Voice Calls.
  • Reduced Latency of SMS Delivery & Voice Call Setup.
  • Accurate Low-Cost Routing saves SMS & Voice Termination costs.
  • One contract, One connection & One unified data access format in all 90+ countries with number portability implemented.
  • Incorporates powerful award-winning Dissector-based Rules Engine enabling flexible customer programmability.
  • Part of the TITAN.IUM InterGENerationalTM Cloud-Native Framework interworking HTTP2, DIAMETER, SIP & SS7 signaling.
  • “Deploy anywhere” installation on premises or in the cloud via Containers, Virtual Machines or Bare Metal.

For further information, please refer to the TITAN.IUM Signaling Firewall (SFW) Product Data Sheet, and also associated TITAN.IUM 5G Security Edge Protection Proxy (SEPP) Product Data Sheet & TITAN.IUM Signaling Firewall Services Suite Product Data Sheet.