SCTP Security Measures on the Firewall

Firewalls provide multilayer SCTP security by validating packets and chunks; filtering PPIDs, Diameter applications, and SS7 chunks; and protecting against SCTP INIT floods.
Palo Alto Networks® firewalls provide a multilayered approach to protect your SCTP traffic and the applications transported over SCTP from known and unknown attacks and information leakage. The firewalls apply SCTP security at the transport layer of the OSI model by performing stateful inspection and by enforcing your configuration for chunk validation, SCTP INIT flood protection, and Security policy rules based on the SCTP application. The firewall also applies SCTP security on upper-layer protocols that run on top of SCTP, typically at the application layer, when you filter PPIDs, Diameter applications, or SS7 chunks.
  • Block or allow SCTP packets in a zone to or from various IP addresses, for example, by creating a Security policy rule that specifies the SCTP application.
  • Perform SCTP stateful inspection, which begins when you attach an SCTP Protection profile to a Security policy rule for a zone. Even if the profile has no specific settings, the firewall automatically begins stateful inspection; it checks SCTP four-way handshakes, starts receiving SCTP-specific information in logs, and validates SCTP associations, timeouts, and association closings.
  • Validate SCTP packets by identifying unknown or malformed chunks, chunks with an invalid length, and chunks with non-compliant chunk flags. An unknown chunk in an SCTP packet is a chunk not defined in RFC 3758, RFC 4820, RFC 4895, RFC 4960, RFC 5061, or RFC 6525.
  • Apply SCTP security on upper-layer protocols that run on top of SCTP by filtering the payloads of SCTP data chunks, depending on your use case:
    • Block, allow, or generate alerts about PPIDs.
    • Block, allow, or generate alerts about Diameter chunks to filter Diameter applications and messages. The Diameter base protocol, RFC 6733, is an SCTP application (an upper-layer protocol) that provides authentication, authorization, and accounting (AAA) in roaming and local environments. Diameter replaces other AAA protocols, such as TACACS and RADIUS, to provide more advanced authentication capabilities. Diameter applications run on top of the Diameter base protocol and have an IANA-assigned application ID. Each Diameter command and corresponding answer share a Command Code.
    • Block, allow, or generate alerts about SS7 chunks to filter applications that use SCCP signaling and messages of Mobile Application Part (MAP) and Customized Applications for Mobile networks Enhanced Logic (CAMEL) Application Part (CAP).
  • Configure SCTP INIT Flood Protection to protect a zone against flooding of SCTP INIT chunks.
  • View logs of SCTP packets and events, such as for chunks that initiate an SCTP Association or for all control chunks.
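The chunk validation described above (unknown chunk types, invalid chunk lengths, non-compliant chunk flags), shown as an added example that is not the firewall's own code: a small parser that walks the chunks of an SCTP packet and reports each problem. The known chunk types are the ones defined in the six RFCs listed; the allowed-flag policy and the sample packets are constructed assumptions for illustration.

```python
import struct

# Chunk types defined in RFC 4960, 3758, 4820, 4895, 5061 and 6525.
KNOWN_CHUNK_TYPES = {
    0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
    5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
    9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK", 12: "ECNE", 13: "CWR",
    14: "SHUTDOWN COMPLETE", 15: "AUTH", 128: "ASCONF-ACK", 130: "RE-CONFIG",
    132: "PAD", 192: "FORWARD TSN", 193: "ASCONF",
}
# Assumed flag policy from RFC 4960: DATA may set U/B/E, ABORT and
# SHUTDOWN COMPLETE may set T, every other chunk type must send flags = 0.
ALLOWED_FLAGS = {0: 0x07, 6: 0x01, 14: 0x01}

COMMON_HEADER = struct.Struct("!HHII")  # src port, dst port, vtag, checksum

def validate_sctp_packet(pkt: bytes):
    """Walk the chunks after the 12-byte common header.
    Returns (chunk_names, findings); each finding is a string."""
    names, findings = [], []
    if len(pkt) < COMMON_HEADER.size:
        return names, ["truncated common header"]
    off = COMMON_HEADER.size
    while off < len(pkt):
        if len(pkt) - off < 4:
            findings.append(f"chunk header truncated at offset {off}")
            break
        ctype, flags, length = struct.unpack_from("!BBH", pkt, off)
        name = KNOWN_CHUNK_TYPES.get(ctype)
        if name is None:
            name = f"UNKNOWN({ctype})"
            findings.append(f"unknown chunk type {ctype} at offset {off}")
        names.append(name)
        if length < 4 or length > len(pkt) - off:
            findings.append(f"{name}: invalid length {length} at offset {off}")
            break  # the length cannot be trusted to locate the next chunk
        if flags & ~ALLOWED_FLAGS.get(ctype, 0):
            findings.append(f"{name}: non-compliant flags 0x{flags:02x}")
        off += (length + 3) & ~3  # chunks are padded to a 4-byte boundary
    return names, findings

def chunk(ctype: int, flags: int, value: bytes = b"") -> bytes:
    """Build one chunk (header + value, padded) for the constructed samples."""
    body = struct.pack("!BBH", ctype, flags, 4 + len(value)) + value
    return body + b"\x00" * (-len(body) % 4)

# Constructed samples: checksum left 0, INIT carries its 16-byte fixed part.
HDR = COMMON_HEADER.pack(36412, 36412, 0, 0)
INIT_BODY = struct.pack("!IIHHI", 0xDEADBEEF, 65535, 10, 10, 1)
GOOD = HDR + chunk(1, 0x00, INIT_BODY)
BAD = (HDR + chunk(1, 0x80, INIT_BODY)            # INIT with a reserved flag set
       + chunk(64, 0x00, b"\x01\x02")            # type not in the listed RFCs
       + struct.pack("!BBH", 3, 0, 2))           # SACK claiming length 2
```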
