Firewalls provide multilayer SCTP security by validating
packets and chunks; filtering PPIDs, Diameter applications, and
SS7 chunks; and protecting against SCTP INIT floods.
Palo Alto Networks® firewalls provide a multilayered
approach to protect your SCTP traffic and the applications transported
over SCTP from known and unknown attacks and information leakage.
The firewalls apply SCTP security at the transport layer of the
OSI model by performing stateful inspection and by enforcing your
configuration for chunk validation, SCTP INIT flood protection,
and Security policy rules based on the SCTP application. The firewall
also applies SCTP security on upper-layer protocols that run on
top of SCTP, typically at the application layer, when you filter
PPIDs, Diameter applications, or SS7 chunks.
Block or allow SCTP packets in a zone to or from various
IP addresses, for example, by creating a Security policy rule that
specifies the SCTP application.
Perform SCTP stateful inspection, which begins when you attach
an SCTP Protection profile to a Security policy rule for a zone.
Even if the profile has no specific settings, the firewall automatically
begins stateful inspection; it checks SCTP four-way handshakes,
starts receiving SCTP-specific information in logs, and validates
SCTP associations, timeouts, and association closings.
Validate SCTP packets by identifying unknown or malformed
chunks, chunks with an invalid length, and chunks with non-compliant
chunk flags. An unknown chunk in an SCTP packet is a chunk not defined
in RFC 3758, RFC 4820, RFC 4895, RFC 4960, RFC 5061, or RFC 6525.
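As an added illustration of the chunk validation described above (example code written for this page, not Palo Alto Networks' implementation), the following Python walks the chunks of one SCTP packet and classifies each as unknown, invalid length, non-compliant flags, or ok. The chunk-type table follows the RFCs listed; the allowed-flag masks and minimum lengths are a simplified model assumed here, and the sample packet is constructed.

```python
import struct
# Chunk types defined in the RFCs the text names (constructed table for this example).
KNOWN_CHUNKS = {
    0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
    5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
    9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK", 12: "ECNE", 13: "CWR",
    14: "SHUTDOWN COMPLETE",                       # RFC 4960
    15: "AUTH",                                    # RFC 4895
    128: "ASCONF-ACK", 193: "ASCONF",              # RFC 5061
    130: "RE-CONFIG",                              # RFC 6525
    132: "PAD",                                    # RFC 4820
    192: "FORWARD TSN",                            # RFC 3758
}
# Simplified model (assumption): flag bits a sender may set; all other bits are
# reserved and must be zero. DATA: U/B/E bits; ABORT and SHUTDOWN COMPLETE: T bit.
ALLOWED_FLAGS = {0: 0x07, 6: 0x01, 14: 0x01}
# Minimum chunk length: 4-byte chunk header; DATA needs >= 1 byte of user data.
MIN_LENGTH = {0: 17, 1: 20, 2: 20, 3: 16}

def validate_sctp(packet: bytes) -> list:
    """Walk every chunk after the 12-byte common header; return (chunk, verdict) pairs."""
    if len(packet) < 12:
        return [("packet", "malformed: short common header")]
    findings, off = [], 12
    while off < len(packet):
        if len(packet) - off < 4:
            findings.append(("chunk", "malformed: truncated chunk header"))
            break
        ctype, flags, length = struct.unpack_from("!BBH", packet, off)
        name = KNOWN_CHUNKS.get(ctype, f"unknown({ctype})")
        if ctype not in KNOWN_CHUNKS:
            findings.append((name, "unknown chunk"))
        elif length < MIN_LENGTH.get(ctype, 4) or off + length > len(packet):
            findings.append((name, "invalid length"))
        elif flags & ~ALLOWED_FLAGS.get(ctype, 0):
            findings.append((name, "non-compliant flags"))
        else:
            findings.append((name, "ok"))
        if length < 4:
            break                       # cannot advance past a bogus header
        off += (length + 3) & ~3        # chunks are padded to a 4-byte boundary
    return findings

def chunk(ctype: int, flags: int, value: bytes = b"") -> bytes:  # build one padded chunk
    body = struct.pack("!BBH", ctype, flags, 4 + len(value)) + value
    return body + bytes(-len(body) % 4)

# Constructed sample: zeroed common header, then a valid DATA chunk, a HEARTBEAT with
# a reserved flag bit set, an undefined chunk type, and a DATA chunk with no user data.
SAMPLE = bytes(12) + chunk(0, 0x03, bytes(12) + b"hi") + chunk(4, 0x80, bytes(4)) \
    + chunk(99, 0) + chunk(0, 0x03)
```

Running `validate_sctp(SAMPLE)` yields one verdict per chunk, which is the kind of per-chunk result a firewall would log before deciding to drop or alert.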
Apply SCTP security on upper-layer protocols that run on
top of SCTP by filtering the payloads of SCTP data chunks, depending
on your use case:
Block, allow, or generate alerts
Block, allow, or generate alerts about Diameter chunks to
filter Diameter applications and messages. The Diameter base protocol,
RFC 6733, is an SCTP application (an upper-layer protocol) that
provides authentication, authorization, and accounting (AAA) in roaming
and local environments. Diameter replaces other AAA protocols, such
as TACACS and RADIUS, to provide more advanced authentication capabilities.
Diameter applications run on top of the Diameter base protocol and
have an IANA-assigned application ID. Each Diameter command and
corresponding answer share a Command Code.
Block, allow, or generate alerts about SS7 chunks to filter
applications that use SCCP signaling and messages of Mobile Application
Part (MAP) and Customized Applications for Mobile networks Enhanced
Logic (CAMEL) Application Part (CAP).