SCTP Security

Firewalls allow you to secure SCTP traffic by validating SCTP chunks; by filtering SCTP payloads (by PPID), Diameter, and SS7 traffic carried over SCTP; and by protecting against SCTP INIT flooding.
Stream Control Transmission Protocol (SCTP) is a reliable, message-oriented transport protocol (IP protocol number 132) that carries multiple independent streams of signaling, voice, and other data within a single association. Mobile networks use SCTP to transport signaling traffic on interfaces such as S1-MME, S6a, and X2.
You use the multilayered approach of your firewall to secure your SCTP traffic. You can filter SCTP traffic based on payload protocol IDs (PPIDs), and apply granular filtering to Diameter traffic and SS7 traffic carried over SCTP. You can validate SCTP packets to ensure they comply with RFC 4960, and you can protect against flooding of SCTP initiation (INIT) packets. In mobile networks, these SCTP security measures help prevent attackers from causing the congestion and outages that disrupt data and voice services for subscribers and for IoT devices connected to these networks. Additionally, you can view SCTP logs, ACC information, and reports to verify your configuration and gain visibility into SCTP events and the traffic between two endpoints.
Only PA-5200 Series and VM-Series firewalls support SCTP security in PAN-OS 8.1 releases.
  1. Enable SCTP security.
    1. Select Device > Setup > Management and edit the General Settings to enable SCTP Security.
    2. Click OK.
  2. Create an SCTP Protection profile and specify the checks and filters you want to apply to SCTP traffic.
    1. Add a profile by Name (Objects > Security Profiles > SCTP Protection).
    2. Select SCTP Inspection to configure the action the firewall takes on unknown chunks, non-compliant chunks, and chunks of invalid length. Generating a log to alert you, and blocking packets that contain invalid chunks, both help secure your SCTP traffic.
  3. Select the Log Settings for the profile: the options generate SCTP logs for allowed chunks, association start or end, and state failure events.
  4. Select Filtering Options for the profile so you can filter the protocols running on top of SCTP.
    1. Add SCTP filters to allow, block, or generate an alert for specific PPIDs.
    2. Add Diameter filters to allow, block, or generate an alert based on Diameter Application IDs, Command Codes, and Attribute-Value Pairs (AVPs).
    3. Add SS7 filters to allow, block, or generate an alert for SS7 traffic based on SCCP Calling Party SSN, SCCP Calling Party GT, and Operation Codes.
  5. Apply the SCTP Protection profile to a Security policy rule.
    1. Select Policies > Security and select a Security policy rule.
    2. Select Actions and, in the Profile Setting section, select the SCTP Protection profile you created. Configure the rest of the Security policy rule and save it.
  6. Allocate SCTP log storage on the firewall if you want to capture SCTP logs.
    Select Device > Setup > Management, edit the Logging and Reporting Settings, and select Log Storage. Enter quota percentages for SCTP, SCTP Summary, and the SCTP hourly, daily, and weekly summaries.
  7. View information about your SCTP traffic.
    1. Select Monitor > Logs > SCTP to view the SCTP logs and detailed logs.
    2. Select Monitor > Logs > Traffic and open the Detailed Log View for a log where the Application is sctp to view the detailed traffic log for an SCTP association.
    3. Select ACC > Mobile Network Activity to view SCTP events and association activity.
    4. View predefined reports about SCTP events and errors by selecting Device > Setup > Management. Edit the Logging and Reporting Settings section and, under Predefined Reports, select any of the SCTP reports.
    5. Create a custom report on SCTP events by selecting Monitor > Manage Custom Reports and adding a custom report that uses the SCTP database.
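To make concrete what the SCTP Inspection and Filtering Options above check for, here is a small chunk inspector that parses a raw SCTP packet, enforces the RFC 4960 chunk-length rules, classifies unknown chunk types, looks up the PPID of each DATA chunk against an allow/block/alert table, and counts INIT chunks per source to flag a flood. This is an added example written for this page, not Palo Alto Networks code and not how PAN-OS implements the feature. The PPID values (18 = S1AP, 27 = X2AP, 46 = Diameter) come from the IANA SCTP payload protocol identifier registry; the filter table, the flood threshold, the port numbers, and the sample packets are constructed for illustration. The checksum field is left zeroed because the example does not compute CRC32c.

```python
"""Toy SCTP chunk inspector (added example, not PAN-OS code): RFC 4960 chunk
validation, PPID filtering, and INIT-flood counting over constructed packets."""
import struct
from collections import defaultdict

# Chunk types from RFC 4960 section 3.2 (0..14 are the base-protocol chunks).
DATA, INIT = 0, 1
KNOWN_CHUNKS = set(range(0, 15))
COMMON_HEADER_LEN = 12   # src port(2) + dst port(2) + verification tag(4) + checksum(4)
DATA_HEADER_LEN = 12     # TSN(4) + stream id(2) + stream seq(2) + PPID(4) after the chunk header

# Constructed PPID filter mirroring the profile's allow/block/alert actions.
PPID_FILTER = {18: "allow", 27: "allow", 46: "alert"}   # S1AP, X2AP, Diameter
DEFAULT_PPID_ACTION = "block"
INIT_FLOOD_THRESHOLD = 3   # assumed: INITs per source before we call it a flood


def parse_chunks(packet: bytes):
    """Yield (type, flags, value) per chunk; raise ValueError on RFC 4960 length violations."""
    if len(packet) < COMMON_HEADER_LEN:
        raise ValueError("truncated SCTP common header")
    off = COMMON_HEADER_LEN
    while off < len(packet):
        if len(packet) - off < 4:
            raise ValueError("truncated chunk header at offset %d" % off)
        ctype, flags, length = struct.unpack_from("!BBH", packet, off)
        # Chunk Length covers the 4-byte chunk header and value, but not the padding.
        if length < 4 or off + length > len(packet):
            raise ValueError("invalid chunk length %d at offset %d" % (length, off))
        # A DATA chunk must carry at least one byte of user data (RFC 4960 section 3.3.1).
        if ctype == DATA and length < 4 + DATA_HEADER_LEN + 1:
            raise ValueError("DATA chunk with empty user data")
        yield ctype, flags, packet[off + 4: off + length]
        off += (length + 3) & ~3   # chunks are padded to a 4-byte boundary


def inspect(packet: bytes, src: str, init_counts=None):
    """Return [(verdict, detail), ...]; a non-compliant packet yields a single 'drop'."""
    try:
        chunks = list(parse_chunks(packet))
    except ValueError as e:
        return [("drop", str(e))]
    verdicts = []
    for ctype, _flags, value in chunks:
        if ctype not in KNOWN_CHUNKS:
            verdicts.append(("alert", "unknown chunk type %d" % ctype))
        elif ctype == DATA:
            ppid = struct.unpack_from("!I", value, 8)[0]   # PPID sits 8 bytes into the DATA header
            verdicts.append((PPID_FILTER.get(ppid, DEFAULT_PPID_ACTION), "DATA ppid=%d" % ppid))
        elif ctype == INIT and init_counts is not None:
            init_counts[src] += 1
            if init_counts[src] > INIT_FLOOD_THRESHOLD:
                verdicts.append(("drop", "INIT flood from %s" % src))
            else:
                verdicts.append(("allow", "INIT"))
        else:
            verdicts.append(("allow", "chunk type %d" % ctype))
    return verdicts


# --- helpers to construct sample packets (constructed test data, not captures) ---
def build_chunk(ctype, flags, value):
    body = struct.pack("!BBH", ctype, flags, 4 + len(value)) + value
    return body + b"\x00" * (-len(body) % 4)


def build_packet(*chunks):
    # Ports 36412 (S1-MME), arbitrary verification tag, checksum zeroed (no CRC32c here).
    return struct.pack("!HHII", 36412, 36412, 0x1234, 0) + b"".join(chunks)


def data_chunk(ppid, payload):
    return build_chunk(DATA, 0x03, struct.pack("!IHHI", 1, 0, 0, ppid) + payload)


if __name__ == "__main__":
    counts = defaultdict(int)
    print(inspect(build_packet(data_chunk(18, b"s1ap")), "10.0.0.1"))
    print(inspect(build_packet(data_chunk(46, b"diam")), "10.0.0.1"))
    print(inspect(build_packet(data_chunk(99, b"?")), "10.0.0.1"))
    print(inspect(build_packet(build_chunk(0xC0, 0, b"")), "10.0.0.1"))
    print(inspect(build_packet(struct.pack("!BBH", DATA, 0, 2)), "10.0.0.1"))
    for _ in range(4):
        print(inspect(build_packet(build_chunk(INIT, 0, b"\x00" * 16)), "10.0.0.2", counts))
```

The three profile outcomes map directly onto the verdicts: length violations and empty DATA chunks produce a drop (the "non-compliant" and "invalid length" actions), a chunk type outside RFC 4960 produces an alert (the "unknown chunks" action), and each DATA chunk's PPID is resolved through the filter table with a block default. Real INIT-flood protection would rate-limit per time window and per destination rather than keep a bare counter, but the counter shows where the decision point sits.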
