SCTP Use Cases
Table of Contents
Expand all | Collapse all
SCTP Use Cases
Palo Alto Networks firewalls can inspect SCTP traffic
in roaming and radio access network (RAN) security use cases.
When deploying a Palo Alto Networks® firewall
to inspect SCTP traffic in a mobile network, you must determine
the connection points or 3GPP interfaces in the network that you
want the firewall to secure. SCTP is used across various evolved
packet core (EPC) signaling interfaces, such as N2, S1-MME, S6a/S6d,
S13/S13’ and S9. You can Configure
SCTP Security on supported Palo Alto Networks firewall models
by creating an SCTP Protection profile, which you attach to a Security
policy rule for a zone; the SCTP Protection profile enforces the
SCTP security capabilities.
A mobile network operator’s most common use cases for SCTP security
are roaming security and radio access network (RAN) security. GTP Deployments also include
roaming security and RAN security. The best practice is for you
to configure both GTP and SCTP security when you have a roaming
or a RAN security use case.
As a best practice, deploy the firewalls in a high availability
(HA) active/passive configuration; SCTP security is not supported
in an HA active/active configuration.
In this roaming security use case, the firewall inspects SCTP
traffic that is exchanged between home and visitor networks, as
shown in the following figure. (A legend of acronyms follows the
figures.)
The dashed lines indicate an SCTP
Association:
- In the case of the firewall located between the HSS and MME (orange dashed connection), the protocol in use is Diameter-3GPP-S6a over SCTP.
- The blue dashed connection uses Diameter-3GPP-S13 over SCTP between the MME and EIR network nodes. An EIR database contains lists of IMEI numbers associated with handsets.
- The green dashed connection is from the Home PCRF through the firewall to the Visited PCRF and it uses Diameter S9 over SCTP.
In each roaming association, a mobile network operator communicates
with its roaming partners over a GSMA, GRX, or IPX network.
In the RAN security use case, the firewall inspects SCTP traffic
that is exchanged over S1-MME and S6a interfaces, as shown in the
following figure.
The orange dashed connection represents an SCTP association over
an S1-MME interface between eNodeB and MME, and SCTP transports
S1AP. The blue dashed connection represents an SCTP association
over an S6a interface between MME and HSS, and SCTP transports the
Diameter S6a application.
The green dashed connection represents an SCTP association over
an N2 interface between 5G RAN and AMF, and SCTP transports NG Application
protocol (NGAP).
Acronyms in the Topology Figures | |||
---|---|---|---|
AMF | Access and Mobility Management Function | MME | Mobile Management Entity |
BH | Backhaul | PCRF | Policy and Charging Rules Function |
EIR | Equipment Identity Register | PDN | Packet Data Network |
EPC | Evolved Packet Core | PGW | Packet Gateway |
GPRS | General Packet Radio Service | PLMN | Public Land Mobile Network |
GRX | GPRS Roaming Exchange | RAN | Radio Access Network |
GSMA | Global System for Mobile Communications Association | SGW | Serving Gateway |
HSS | Home Subscriber Server | SMF | Session Management Function |
IMEI | International Mobile Equipment Identity | UE | User Equipment |
IPX | Internetwork Packet Exchange | UPF | User Plane Function |