SCTP Security Measures on the Firewall
Firewalls provide multilayer SCTP security by validating
packets and chunks; filtering PPIDs, Diameter apps, and SS7 chunks;
protecting against SCTP INIT floods.
Palo Alto Networks® firewalls provide a multilayered
approach to protect your SCTP traffic and the applications transported
over SCTP from known and unknown attacks and information leakage. The
firewalls apply SCTP security at the transport layer of the OSI
model by performing stateful inspection and by enforcing your configuration
for chunk validation, SCTP INIT flood protection, and Security policy
rules based on the SCTP application. The firewall also applies SCTP
security on upper-layer protocols that run on top of SCTP, typically
at the application layer, when you filter PPIDs, Diameter applications,
or SS7 chunks.
Block or allow SCTP packets in a zone to or from various
IP addresses, for example, by creating a Security policy rule that
specifies the SCTP application.
Perform SCTP stateful inspection, which begins when you attach
an SCTP Protection profile to a Security policy rule for a zone.
Even if the profile has no specific settings, the firewall automatically
begins stateful inspection; it checks SCTP four-way handshakes,
starts receiving SCTP-specific information in logs, and validates
SCTP associations, timeouts, and association closings.
Validate SCTP packets by identifying unknown or malformed
chunks, chunks with an invalid length, and chunks with non-compliant
chunk flags. An unknown chunk in an SCTP packet is a chunk not defined
in RFC 3758, RFC 4820, RFC 4895, RFC 4960, RFC 5061, or RFC 6525.
Apply SCTP security on upper-layer protocols that run on
top of SCTP by filtering the payloads of SCTP data chunks, depending
on your use case:
Block, allow, or generate alerts
about PPIDs.
Block, allow, or generate alerts about Diameter chunks to
filter Diameter applications and messages. The Diameter base protocol,
RFC 6733, is an SCTP application (an upper-layer protocol) that
provides authentication, authorization, and accounting (AAA) in
roaming and local environments. Diameter replaces other AAA protocols,
such as TACACS and RADIUS, to provide more advanced authentication
capabilities. Diameter applications run on top of the Diameter base
protocol and have an IANA-assigned application ID. Each Diameter
command and corresponding answer share a Command Code.
Block, allow, or generate alerts about SS7 chunks to filter
applications that use SCCP signaling and messages of Mobile Application
Part (MAP) and Customized Applications for Mobile networks Enhanced
Logic (CAMEL) Application Part (CAP).
View logs of SCTP packets and events, such as for chunks
that initiate an SCTP association or for all control chunks.