SCTP Use Cases

Palo Alto Networks firewalls can inspect SCTP traffic in roaming and radio access network (RAN) security use cases.
When deploying a Palo Alto Networks® firewall to inspect SCTP traffic in a mobile network, you must determine the connection points or 3GPP interfaces in the network that you want the firewall to secure. SCTP is used across various evolved packet core (EPC) signaling interfaces, such as N2, S1-MME, S6a/S6d, S13/S13’ and S9. You can Configure SCTP Security on supported Palo Alto Networks firewall models by creating an SCTP Protection profile, which you attach to a Security policy rule for a zone; the SCTP Protection profile enforces the SCTP security capabilities.
A mobile network operator’s most common use cases for SCTP security are roaming security and radio access network (RAN) security. GTP Deployments also include roaming security and RAN security. The best practice is for you to configure both GTP and SCTP security when you have a roaming or a RAN security use case.
As a best practice, deploy the firewalls in a high availability (HA) active/passive configuration; SCTP security is not supported in an HA active/active configuration.
In this roaming security use case, the firewall inspects SCTP traffic that is exchanged between home and visitor networks, as shown in the following figure. (A legend of acronyms follows the figures.)
The dashed lines indicate an SCTP association:
  • The orange dashed connection, between the HSS in the home network and the MME in the visited network, carries Diameter 3GPP-S6a over SCTP.
  • The blue dashed connection, between the MME and the EIR, carries Diameter 3GPP-S13 over SCTP. An EIR database contains lists of IMEI numbers associated with handsets.
  • The green dashed connection, from the Home PCRF through the firewall to the Visited PCRF, carries Diameter 3GPP-S9 over SCTP.
In each roaming association, a mobile network operator reaches its roaming partners over an inter-operator GRX or IPX network (the interconnect services specified by the GSMA).
In the RAN security use case, the firewall inspects SCTP traffic that is exchanged over the S1-MME, S6a, and N2 interfaces, as shown in the following figure.
The orange dashed connection represents an SCTP association over an S1-MME interface between eNodeB and MME, and SCTP transports S1AP. The blue dashed connection represents an SCTP association over an S6a interface between MME and HSS, and SCTP transports the Diameter S6a application.
The green dashed connection represents an SCTP association over an N2 interface between 5G RAN and AMF, and SCTP transports NG Application protocol (NGAP).
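The roaming and RAN associations above are all SCTP, and what distinguishes them is the application carried in each DATA chunk. The following is an added example, not Palo Alto Networks code and not a description of how the firewall's SCTP inspection engine is implemented: it walks the chunks of a constructed SCTP packet, maps the IANA payload protocol identifier (PPID 18 = S1AP, 46 = Diameter, 60 = NGAP) to the application, and for Diameter decodes the RFC 6733 header to map the 3GPP Application-ID to the interface (16777251 = S6a/S6d, 16777252 = S13/S13', 16777267 = S9). The function and record names are my own, the sample packets are constructed in the block (placeholder S1AP/NGAP bytes, a header-only Diameter message, and a zero checksum where a real packet carries CRC32c). The check a practitioner wants is that the PPID is sender-asserted, so a chunk tagged Diameter is flagged, not trusted, when its Diameter header does not decode.

```python
"""Classify the 3GPP signaling carried in SCTP DATA chunks (constructed input)."""
import struct

# IANA-registered SCTP payload protocol identifiers (PPIDs).
PPID_S1AP = 18
PPID_DIAMETER = 46
PPID_NGAP = 60
PPID_APP = {PPID_S1AP: "S1AP", PPID_DIAMETER: "Diameter", PPID_NGAP: "NGAP"}

# 3GPP Diameter Application-IDs for the interfaces named on this page.
DIAMETER_APP_TO_INTERFACE = {
    16777251: "S6a/S6d",   # 3GPP TS 29.272
    16777252: "S13/S13'",  # 3GPP TS 29.272
    16777267: "S9",        # 3GPP TS 29.215
}

SCTP_COMMON = struct.Struct("!HHII")    # src port, dst port, vtag, checksum
CHUNK_HDR = struct.Struct("!BBH")       # type, flags, length (incl. header)
DATA_HDR = struct.Struct("!IHHI")       # TSN, stream id, stream seq, PPID
DIAMETER_HDR = struct.Struct("!IIIII")  # ver|len, flags|code, app, h2h, e2e
CHUNK_TYPE_DATA = 0


def build_diameter_header(app_id, command_code, request=True):
    """Constructed 20-byte Diameter header (RFC 6733) with no AVPs."""
    flags = 0x80 if request else 0x00
    return DIAMETER_HDR.pack((1 << 24) | DIAMETER_HDR.size,
                             (flags << 24) | command_code, app_id, 0x1111, 0x2222)


def build_data_chunk(ppid, payload, tsn=1, stream=0, seq=0):
    """Constructed SCTP DATA chunk, flags B|E (unfragmented), padded to 4 bytes."""
    length = CHUNK_HDR.size + DATA_HDR.size + len(payload)
    chunk = (CHUNK_HDR.pack(CHUNK_TYPE_DATA, 0x03, length)
             + DATA_HDR.pack(tsn, stream, seq, ppid) + payload)
    return chunk + b"\x00" * (-len(chunk) % 4)


def build_sctp_packet(src_port, dst_port, chunks, vtag=0xDEADBEEF):
    """Constructed SCTP packet; checksum left 0 (a real packet carries CRC32c)."""
    return SCTP_COMMON.pack(src_port, dst_port, vtag, 0) + b"".join(chunks)


def _inspect_diameter(payload):
    """Decode the Diameter header; the PPID is sender-asserted, so verify it."""
    if len(payload) < DIAMETER_HDR.size:
        return {"anomaly": "Diameter payload shorter than its header"}
    ver_len, flags_code, app_id, _h2h, _e2e = DIAMETER_HDR.unpack_from(payload)
    version, msg_len = ver_len >> 24, ver_len & 0xFFFFFF
    flags, code = flags_code >> 24, flags_code & 0xFFFFFF
    anomaly = None
    if version != 1:
        anomaly = "Diameter version %d is not 1" % version
    elif msg_len != len(payload):
        anomaly = "Diameter length %d != payload length %d" % (msg_len, len(payload))
    return {"interface": DIAMETER_APP_TO_INTERFACE.get(app_id, "unknown app %d" % app_id),
            "diameter": {"app_id": app_id, "command_code": code,
                         "request": bool(flags & 0x80)},
            "anomaly": anomaly}


def classify_sctp_packet(pkt):
    """Return one record per DATA chunk: application from PPID, interface from Diameter."""
    if len(pkt) < SCTP_COMMON.size:
        raise ValueError("truncated SCTP common header")
    src, dst, _vtag, _csum = SCTP_COMMON.unpack_from(pkt)
    records, off = [], SCTP_COMMON.size
    while off + CHUNK_HDR.size <= len(pkt):
        ctype, _cflags, clen = CHUNK_HDR.unpack_from(pkt, off)
        if clen < CHUNK_HDR.size or off + clen > len(pkt):
            raise ValueError("bad chunk length %d at offset %d" % (clen, off))
        if ctype == CHUNK_TYPE_DATA:
            if clen < CHUNK_HDR.size + DATA_HDR.size:
                raise ValueError("DATA chunk shorter than its header")
            _tsn, stream, _seq, ppid = DATA_HDR.unpack_from(pkt, off + CHUNK_HDR.size)
            payload = pkt[off + CHUNK_HDR.size + DATA_HDR.size:off + clen]
            rec = {"src_port": src, "dst_port": dst, "stream": stream, "ppid": ppid,
                   "app": PPID_APP.get(ppid, "unknown"), "interface": None,
                   "diameter": None, "anomaly": None}
            if ppid == PPID_DIAMETER:
                rec.update(_inspect_diameter(payload))
            records.append(rec)
        off += (clen + 3) & ~3   # every chunk starts on a 4-byte boundary
    return records


if __name__ == "__main__":
    # Constructed S6a Authentication-Information-Request (command code 318), MME to HSS.
    air = build_sctp_packet(3868, 3868, [build_data_chunk(
        PPID_DIAMETER, build_diameter_header(16777251, 318))])
    # Constructed S1AP (eNodeB to MME) and NGAP (5G RAN gNB to AMF) chunks; the PPID
    # alone names the application, and the payload bytes here are placeholders.
    s1ap = build_sctp_packet(36412, 36412, [build_data_chunk(PPID_S1AP, b"\x00\x11\x00")])
    ngap = build_sctp_packet(38412, 38412, [build_data_chunk(PPID_NGAP, b"\x00\x15\x00")])
    for p in (air, s1ap, ngap):
        for r in classify_sctp_packet(p):
            print(r["dst_port"], r["app"], r["interface"], r["anomaly"])
```

Ports 3868 (Diameter), 36412 (S1AP) and 38412 (NGAP) are the IANA-assigned SCTP ports for these applications, but the classification above deliberately does not key on them: a Security policy rule with an SCTP Protection profile sees the application from the chunk contents, and the packet-level anomalies reported here are the kind of malformed or mismatched signaling such a profile exists to catch.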
Acronyms in the Topology Figures
  • AMF: Access and Mobility Management Function
  • BH: Backhaul
  • EIR: Equipment Identity Register
  • EPC: Evolved Packet Core
  • GPRS: General Packet Radio Service
  • GRX: GPRS Roaming Exchange
  • GSMA: Global System for Mobile Communications Association
  • HSS: Home Subscriber Server
  • IMEI: International Mobile Equipment Identity
  • IPX: IP Packet Exchange
  • MME: Mobility Management Entity
  • PCRF: Policy and Charging Rules Function
  • PDN: Packet Data Network
  • PGW: PDN Gateway
  • PLMN: Public Land Mobile Network
  • RAN: Radio Access Network
  • SGW: Serving Gateway
  • SMF: Session Management Function
  • UE: User Equipment
  • UPF: User Plane Function