SCTP Security

Firewalls allow you to secure SCTP traffic by inspecting messages; by filtering SCTP, Diameter, and SS7 chunks; and by protecting against SCTP INIT packet flooding.
Stream Control Transmission Protocol (SCTP) is a reliable message-based transport protocol (IP protocol number 132) that sends multiple streams of signaling, voice, and other data simultaneously. Mobile networks use SCTP to transport signaling traffic on various interfaces, such as S1-MME, S6a, and X2.
You use the multilayered approach of your firewall to secure your SCTP traffic. You can filter SCTP traffic based on payload protocol IDs (PPIDs). You can apply granular-level filtering on Diameter traffic over SCTP and SS7 traffic over SCTP. You can validate SCTP packets to ensure they comply with RFC 4960. You can also protect against flooding of SCTP initiation (INIT) packets. In the case of mobile networks, these SCTP security measures help to prevent attackers from causing network congestion and outages that disrupt data and voice services of mobile subscribers and IoT devices connected to these networks. Additionally, you can view SCTP logs, ACC information, and reports to verify configurations and gain visibility into the SCTP events and traffic between two endpoints.
Only PA-5200 Series and VM-Series firewalls support SCTP security in PAN-OS 8.1 releases.
  1. Enable SCTP security.
    1. Select Device > Setup > Management and edit the General Settings to enable SCTP Security.
    2. Click OK.
  2. Create an SCTP Protection profile and specify the checks and filters you want to apply to SCTP traffic.
    1. Add a profile by Name (Objects > Security Profiles > SCTP Protection).
    2. Select SCTP Inspection to configure the action the firewall takes on unknown chunks, non-compliant chunks, and chunks of invalid length. Generating a log to alert you and blocking packets that have invalid chunks help you secure your SCTP traffic.
  3. Select the Log Settings for the profile—options to generate SCTP logs for allowed chunks, association start or end, and state failure events.
  4. Select Filtering Options for the profile so you can filter protocols running on top of SCTP.
    1. Add SCTP filters to allow, block, or generate an alert for PPIDs.
    2. Add Diameter filters to allow, block, or generate an alert for Diameter Application IDs, Command Codes, and Attribute/Value Pairs.
    3. Add SS7 filters to allow, block, or generate an alert for SS7 chunks based on SCCP Calling Party SSN, SCCP Calling Party GT, and Operation Codes.
  5. Apply the SCTP Protection profile to a security policy rule.
    1. Select Policies > Security and select a Security policy rule.
    2. Select Actions and in the Profile Setting section, select the SCTP Protection profile you created. Configure the rest of the Security policy rule and save it.
  6. Allocate SCTP log storage on the firewall if you want to capture SCTP logs.
    Select Device > Setup > Management, edit the Logging and Reporting Settings, and select Log Storage. Enter quota percentages for SCTP, SCTP Summary, and the SCTP hourly, daily, and weekly summaries.
  7. View information about your SCTP traffic.
    1. Select Monitor > Logs > SCTP to view the SCTP logs and detailed logs.
    2. Select Monitor > Logs > Traffic and select the Detailed Log View for a log where the Application is sctp to view a detailed traffic log for an SCTP association.
    3. Select ACC > Mobile Network Activity to view SCTP events and association activity.
    4. View predefined reports about SCTP events and errors by selecting Device > Setup > Management. Edit the Logging and Reporting Settings section and, for Predefined Reports, select any of the SCTP reports.
    5. Create a custom report on SCTP events by selecting Monitor > Manage Custom Reports and adding a custom report that uses the SCTP database.
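
To make the SCTP Inspection checks (step 2) and PPID filters (step 4) concrete, the following added example walks the chunks of one SCTP packet as laid out in RFC 4960 and reports unknown chunk types, invalid lengths, and a per-PPID action. It is an illustration written for this page, not the firewall's implementation; the function names, the alert/block choices, and the sample packets are assumptions constructed here.

```python
import struct

KNOWN_CHUNK_TYPES = set(range(15))  # chunk types 0-14, RFC 4960 section 3.2
DATA = 0
DATA_MIN_LEN = 17  # 16-byte DATA chunk header plus at least 1 byte of user data

def inspect(packet, ppid_actions, default_action="alert"):
    """Return (action, detail) findings for one SCTP packet (checksum not verified)."""
    if len(packet) < 12:
        return [("block", "short common header")]
    findings, off = [], 12  # skip ports, verification tag and checksum
    while off < len(packet):
        if len(packet) - off < 4:
            findings.append(("block", "truncated chunk header"))
            break
        ctype, _flags, clen = struct.unpack_from("!BBH", packet, off)
        if clen < 4 or off + clen > len(packet):
            findings.append(("block", f"invalid length {clen} in chunk type {ctype}"))
            break  # cannot find the next chunk boundary after a bad length
        if ctype not in KNOWN_CHUNK_TYPES:
            findings.append(("alert", f"unknown chunk type {ctype}"))
        elif ctype == DATA and clen < DATA_MIN_LEN:
            findings.append(("block", f"invalid DATA length {clen}"))
        elif ctype == DATA:
            # PPID follows the chunk header, TSN, stream ID and stream sequence number
            ppid = struct.unpack_from("!I", packet, off + 12)[0]
            findings.append((ppid_actions.get(ppid, default_action), f"DATA ppid={ppid}"))
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary
    return findings

# --- constructed sample input, not captured traffic ---
def chunk(ctype, body, flags=0, length=None):
    raw = struct.pack("!BBH", ctype, flags, 4 + len(body) if length is None else length) + body
    return raw + b"\x00" * (-len(raw) % 4)

def data_chunk(ppid, payload):
    return chunk(DATA, struct.pack("!IHHI", 1, 0, 0, ppid) + payload, flags=3)

HEADER = struct.pack("!HHII", 36412, 36412, 0x01020304, 0)
POLICY = {18: "allow", 46: "block"}  # PPID 18 = S1AP, 46 = Diameter (IANA registry)

if __name__ == "__main__":
    for pkt in (HEADER + data_chunk(18, b"abc") + data_chunk(46, b"diam"),
                HEADER + chunk(200, b"\x00" * 4),
                HEADER + chunk(DATA, b"\x00" * 12, length=400)):
        print(inspect(pkt, POLICY))
```

PPIDs that are not listed in the policy fall through to the default action, which mirrors keeping an alert-only rule in place while you build an allow list from the SCTP logs.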
