SCTP Security Measures on the Firewall
Firewalls provide multilayer SCTP security by validating packets and chunks; filtering PPIDs, Diameter applications, and SS7 chunks; and protecting against SCTP INIT floods.
Palo Alto Networks® firewalls provide a multilayered approach to protect your SCTP traffic and the applications transported over SCTP from known and unknown attacks and information leakage. The firewalls apply SCTP security at the transport layer of the OSI model by performing stateful inspection and by enforcing your configuration for chunk validation, SCTP INIT flood protection, and Security policy rules based on the SCTP application. The firewall also applies SCTP security on upper-layer protocols that run on top of SCTP, typically at the application layer, when you filter PPIDs, Diameter applications, or SS7 chunks.
- Block or allow SCTP packets in a zone to or from various IP addresses, for example, by creating a Security policy rule that specifies the SCTP application.
- Perform SCTP stateful inspection, which begins when you attach an SCTP Protection profile to a Security policy rule for a zone. Even if the profile has no specific settings, the firewall automatically begins stateful inspection; it checks SCTP four-way handshakes, starts receiving SCTP-specific information in logs, and validates SCTP associations, timeouts, and association closings.
- Apply SCTP security on upper-layer protocols that run on top of SCTP by filtering the payloads of SCTP data chunks, depending on your use case:
  - Block, allow, or generate alerts about PPIDs.
  - Block, allow, or generate alerts about Diameter chunks to filter Diameter applications and messages. The Diameter base protocol, RFC 6733, is an SCTP application (an upper-layer protocol) that provides authentication, authorization, and accounting (AAA) in roaming and local environments. Diameter replaces other AAA protocols, such as TACACS and RADIUS, to provide more advanced authentication capabilities. Diameter applications run on top of the Diameter base protocol and have an IANA-assigned application ID. Each Diameter command and corresponding answer share a Command Code.
  - Block, allow, or generate alerts about SS7 chunks to filter applications that use SCCP signaling and messages of Mobile Application Part (MAP) and Customized Applications for Mobile networks Enhanced Logic (CAMEL) Application Part (CAP).
- Configure SCTP INIT Flood Protection to protect a zone against flooding of SCTP INIT chunks.
- View logs of SCTP packets and events, such as for chunks that initiate an SCTP Association or for all control chunks.
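To make the fields behind PPID and Diameter filtering concrete, the following added example (not Palo Alto Networks code and not how the firewall is implemented) walks the chunks of one SCTP packet, reads the PPID of each DATA chunk, and pulls the Application ID and Command Code from an unfragmented Diameter payload. The policy table, function names, and sample packet are assumptions constructed for illustration.

```python
import struct

DATA = 0                      # SCTP chunk type for DATA (RFC 9260)
PPID_DIAMETER = 46            # IANA PPID: Diameter in an SCTP DATA chunk
# Hypothetical policy for this sketch: PPID -> action; unlisted PPIDs are blocked.
PPID_POLICY = {PPID_DIAMETER: "allow", 3: "alert"}   # 3 = M3UA (SS7 over IP)

def inspect_packet(pkt: bytes) -> list:
    """Walk the chunks of one SCTP packet; return one verdict dict per chunk."""
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte SCTP common header")
    verdicts, off = [], 12    # skip ports, verification tag, checksum (not verified here)
    while off + 4 <= len(pkt):
        ctype, _flags, clen = struct.unpack_from("!BBH", pkt, off)
        if clen < 4 or off + clen > len(pkt) or (ctype == DATA and clen < 16):
            verdicts.append({"chunk": ctype, "action": "block", "why": "bad length"})
            break             # chunk boundaries cannot be trusted past this point
        if ctype == DATA:
            ppid = struct.unpack_from("!I", pkt, off + 12)[0]   # after TSN, stream id, stream seq
            v = {"chunk": DATA, "ppid": ppid, "action": PPID_POLICY.get(ppid, "block")}
            payload = pkt[off + 16:off + clen]
            if ppid == PPID_DIAMETER and len(payload) >= 20:
                # Diameter header (RFC 6733): version, 3-byte length, flags,
                # 3-byte Command Code, 4-byte Application-ID, two 4-byte identifiers
                v["request"] = bool(payload[4] & 0x80)
                v["command_code"] = int.from_bytes(payload[5:8], "big")
                v["application_id"] = struct.unpack_from("!I", payload, 8)[0]
            verdicts.append(v)
        else:
            verdicts.append({"chunk": ctype, "action": "not-evaluated"})  # control chunk
        off += (clen + 3) & ~3   # chunks are padded to a 4-byte boundary
    return verdicts

def _chunk(ctype: int, body: bytes, flags: int = 0) -> bytes:
    raw = struct.pack("!BBH", ctype, flags, 4 + len(body)) + body
    return raw + b"\x00" * (-len(raw) % 4)

def sample_packet() -> bytes:
    """Constructed sample: a Diameter request plus a DATA chunk with an unlisted PPID."""
    diameter = (bytes([1]) + (20).to_bytes(3, "big") + bytes([0x80]) +
                (316).to_bytes(3, "big") + struct.pack("!III", 16777251, 1, 1))
    common = struct.pack("!HHII", 3868, 3868, 0x1234ABCD, 0)
    first = _chunk(DATA, struct.pack("!IHHI", 1, 0, 0, PPID_DIAMETER) + diameter, flags=3)
    second = _chunk(DATA, struct.pack("!IHHI", 2, 0, 0, 99) + b"abc", flags=3)
    return common + first + second

if __name__ == "__main__":
    for verdict in inspect_packet(sample_packet()):
        print(verdict)
```

The constructed Diameter header uses Command Code 316 and Application ID 16777251 only as sample values; a real filter would also have to handle DATA chunks that carry fragments of a larger message.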