F5 GTP Firewall - stop intruders at EPC edge

In the previous post, “The rising threat of GTP attacks - are you protected?”, I discussed various threats posed by a potential attacker snooping into and controlling your IPX/GRX S8 roaming traffic. Today I will review the F5 GTP Firewall Solution and the methods it uses to address many possible GTP attack vectors.

F5 has a portfolio of products and solutions made specifically for Service Providers: S/Gi Firewall, Context-aware Policy Enforcement (PEM), DNS Solutions, Diameter signaling solutions, CGNAT and TCP Optimization help Service Providers around the globe secure and optimize their Packet Core networks. The GTP Firewall Solution is now part of that offering and enables MNOs to further secure their network edge.

Solution Components

The GTP Firewall Solution is based on F5 TMOS and offers a variety of deployment options, ranging from standalone appliances and F5 Viprion blade chassis to public and private cloud VEs. GTP Firewall comprises the following components:

  • Network Firewall
  • GTP Intrusion Prevention System
  • GTP Plausibility checks via LTM iRules

By combining AFM (Advanced Firewall Manager) with GTP Plausibility checks via LTM (Local Traffic Manager) iRules, GTP Firewall achieves the L3-L7 capabilities necessary to perform effective GTP analysis and manipulation.


Pic 1. F5 GTP Firewall

Network Layer Security

GTP Firewall uses AFM to secure the network edge facing the IPX/GRX and to perform IP filtering. Only known roaming partners can send GTP traffic to local SGWs and PGWs. Access Control Lists and Message Filtering secure the network further by allowing only certain message types to be accepted from the IPX/GRX. For instance, only S8 messages would be allowed while S5 messages would be blocked. DoS/DDoS profiles are used to detect attack vectors and block violating traffic.

Pic 2. Block disallowed messages

Plausibility of GTP messages

As part of its Layer 7 function, GTP Firewall inspects GTP messages and analyzes certain parameters to detect anomalies. Plausibility checks include:

  • IP Address validation in GTP messages
  • Cross-Layer checks
  • Validity of information in IE representing Roaming Partner and/or Subscriber
  • GTP-in-GTP encapsulation detection
  • Protection against manipulated and fake GTP messages

Plausibility checks help prevent Layer 7 attacks that exploit the network’s inability to block malicious GTP messages that pose as legitimate requests. GTP Firewall can use the flexibility of LTM iRules to query external databases and confirm the validity of GTP IEs. This functionality allows for agile and customized deployments of the F5 GTP Firewall solution.


Pic 3. Plausibility checks
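
One way to implement the GTP-in-GTP encapsulation check from the list above, as an added Python example (not F5 code and not an iRule from the product): it parses a GTPv1-U G-PDU, including optional fields and extension headers, and flags a tunneled IPv4/UDP packet addressed to a GTP port. The function names, the constructed sample packets and the IPv4-only inner parsing are assumptions made for illustration.

```python
import struct

GTP_PORTS = {2123, 2152}  # GTP-C and GTP-U UDP ports
G_PDU = 0xFF              # GTPv1-U message type that carries a user packet

def gtpu_payload(pkt):
    """Return the tunneled packet of a GTPv1-U G-PDU, or None."""
    if len(pkt) < 8:
        return None
    flags, mtype, length, _teid = struct.unpack("!BBHI", pkt[:8])
    end = 8 + length      # length counts everything after the 8 mandatory bytes
    if flags >> 5 != 1 or not flags & 0x10 or mtype != G_PDU or end > len(pkt):
        return None
    off = 8
    if flags & 0x07:      # E, S or PN set: 4 optional bytes follow
        if end < 12:
            return None
        next_ext, off = (pkt[11] if flags & 0x04 else 0), 12
        while next_ext:   # extension header: length byte in 4-octet units
            ext_len = pkt[off] * 4 if off < end else 0
            if ext_len == 0 or off + ext_len > end:
                return None
            next_ext, off = pkt[off + ext_len - 1], off + ext_len
    return pkt[off:end]

def inner_udp(ip):
    """Return (dst_port, payload) for an IPv4 packet carrying UDP, else None."""
    hdr = (ip[0] & 0x0F) * 4 if ip and ip[0] >> 4 == 4 else 0
    if hdr < 20 or len(ip) < hdr + 8 or ip[9] != 17:
        return None
    return struct.unpack("!H", ip[hdr + 2:hdr + 4])[0], ip[hdr + 8:]

def is_gtp_in_gtp(pkt):
    """True when a G-PDU tunnels UDP to a GTP port whose payload parses as GTP."""
    dport, data = inner_udp(gtpu_payload(pkt) or b"") or (0, b"")
    return dport in GTP_PORTS and len(data) >= 8 and data[0] >> 5 in (1, 2)

# Constructed sample packets (not captured traffic).
def sample_gtpu(teid, payload):
    return struct.pack("!BBHI", 0x30, G_PDU, len(payload), teid) + payload

def sample_ipv4_udp(dport, payload):
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + udp

BENIGN = sample_gtpu(0x1001, sample_ipv4_udp(53, b"\x00" * 12))
NESTED = sample_gtpu(0x1001, sample_ipv4_udp(
    2152, sample_gtpu(0x2002, b"\x45" + b"\x00" * 19)))
```

A truncated or malformed outer header yields no payload and is not flagged here; a deployment would normally drop such packets under protocol conformance instead.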


Intrusion Prevention System and Layer 7 GTP Firewall

The AFM Intrusion Prevention System has been enhanced to fully support the GTP protocol. IPS makes it easy to perform tens if not hundreds of checks on GTP messages and to configure rules according to the customer’s specific requirements. From limiting APNs to blocking ports to IP blacklisting, IPS is highly regarded for its flexibility in defining a virtually unlimited number of check combinations. Here are some commonly used rules that can be configured in the GTP Intrusion Prevention System:

  • Protocol conformance
  • Signature conformance on known security issues
  • Filter GTPv2-C IE by message type. 100+ types in DB, can blacklist/whitelist specific fields
  • APN verification (wildcards can be used) for Create Session Requests
  • Throttle by RAT Type, PDN Type (v4/v6), User Location Info, Aggregate Max Bit Rate, QoS
  • IP blacklisting of tunneled packets
  • DoS vectors for tunneled packets and GTP-in-GTP
  • Map Radio QoS to Network QoS
  • Throttling per user or per roaming partner
  • Log enrichment: TEID, APN, IMSI, etc.

By combining traditional Layer 4 Firewall capabilities with F5’s Intrusion Prevention System and LTM iRules, the GTP Firewall Solution has become the most advanced MNO network protection offering, one that can successfully deal with many GTP attacks and protect critical Network Elements like PGWs and SGWs while optimizing security costs.

Published Sep 10, 2018
Version 1.0
