In my previous post, “The rising threat of GTP attacks - are you protected?”, I discussed various threats posed by a potential attacker snooping into and controlling your IPX/GRX S8 roaming traffic. Today I will review the F5 GTP Firewall Solution and the methods it uses to address many possible GTP attack vectors.
F5 has a portfolio of products and solutions made specifically for Service Providers: S/Gi Firewall, Context-aware Policy Enforcement (PEM), DNS solutions, Diameter signaling solutions, CGNAT and TCP Optimization help Service Providers around the globe secure and optimize their Packet Core networks. The GTP Firewall Solution is now part of this offering and enables MNOs to further secure their network edge.
The GTP Firewall Solution is based on F5 TMOS and offers a variety of deployment options, ranging from standalone appliances and F5 VIPRION blade chassis to public and private cloud VEs. GTP FW comprises the following components:
GTP Intrusion Prevention System
GTP Plausibility checks via LTM iRules
By combining AFM with GTP plausibility checks via LTM iRules, GTP Firewall achieves the L3-L7 capabilities necessary for effective GTP analysis and manipulation.
Pic 1. F5 GTP Firewall
Network Layer Security
GTP Firewall uses AFM to secure the network edge towards IPX/GRX and perform IP filtering: only known roaming partners can send GTP traffic to the local SGWs and PGWs. Access Control Lists and Message Filtering secure the network further by allowing only certain message types to be accepted from IPX/GRX; for instance, only S8 messages would be allowed while S5 messages would be blocked. DoS/DDoS profiles are used to detect attack vectors and block violating traffic.
Pic 2. Block disallowed messages
Plausibility of GTP messages
The Layer 7 part of GTP Firewall inspects GTP messages and analyzes certain parameters to detect anomalies. Plausibility checks include:
IP Address validation in GTP messages
Validity of information in IEs representing the Roaming Partner and/or Subscriber
GTP-in-GTP encapsulation detection
Protection against manipulated and fake GTP messages
Plausibility checks help prevent Layer 7 attacks that exploit the network’s inability to block malicious GTP messages posing as legitimate requests. GTP Firewall can use the flexibility of LTM iRules to query external databases and confirm the validity of GTP IEs. This functionality allows for agile and customized deployments of the F5 GTP Firewall solution.
Pic 3. Plausibility checks
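As an added illustration of the checks listed above (constructed example, not F5's or this post's own code), here is a minimal Python plausibility inspector covering three of them: source-IP validation against a roaming-partner allowlist, S8 message-type filtering of GTPv2-C, and GTP-in-GTP detection inside GTP-U G-PDUs. The partner range, the S8 message-type allowlist and the packet builders are assumptions made for the example.

```python
"""Constructed GTP plausibility checker (not F5 code): GTPv2-C on S8 and GTP-U G-PDUs."""
import ipaddress
import struct

GTPC_PORT, GTPU_PORT = 2123, 2152
# Assumed allowlists: partner ranges and S8 message types (TS 29.274: Echo req/resp,
# Create Session, Modify Bearer and Delete Session requests/responses = 32..37).
PARTNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_S8_TYPES = {1, 2, 32, 33, 34, 35, 36, 37}

def inspect_gtp(src_ip: str, dst_port: int, payload: bytes) -> list:
    """Return the plausibility violations found (empty list means plausible)."""
    findings = []
    if not any(ipaddress.ip_address(src_ip) in net for net in PARTNER_NETS):
        findings.append("source is not a known roaming partner")
    if len(payload) < 8:
        return findings + ["truncated GTP header"]
    version, msg_type = payload[0] >> 5, payload[1]
    length = struct.unpack("!H", payload[2:4])[0]
    # GTPv2-C length counts octets after the first 4, GTPv1-U after the first 8
    if length != len(payload) - (4 if version == 2 else 8):
        findings.append("length field does not match datagram size")
    if dst_port == GTPC_PORT:
        if version != 2:
            findings.append("non-GTPv2 message on the control-plane port")
        elif msg_type not in ALLOWED_S8_TYPES:
            findings.append(f"message type {msg_type} not allowed on S8")
    elif dst_port == GTPU_PORT and version == 1 and msg_type == 0xFF:
        # G-PDU: 4 optional octets follow if E/S/PN is set (ext headers not walked)
        inner = payload[12 if payload[0] & 0x07 else 8:]
        if inner and inner[0] >> 4 == 4:
            ihl = (inner[0] & 0x0F) * 4
            if len(inner) >= ihl + 4 and inner[9] == 17:  # inner UDP
                inner_dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
                if inner_dport in (GTPC_PORT, GTPU_PORT):
                    findings.append("GTP-in-GTP encapsulation")
    return findings

def gtpc(msg_type: int, body: bytes = b"") -> bytes:
    """Constructed GTPv2-C datagram with T flag set (TEID + sequence present)."""
    return bytes([0x48, msg_type]) + struct.pack("!H", 8 + len(body)) + bytes(8) + body

def gtpu_gpdu(inner: bytes) -> bytes:
    """Constructed GTPv1-U G-PDU (no optional fields) carrying an inner packet."""
    return bytes([0x30, 0xFF]) + struct.pack("!H", len(inner)) + bytes(4) + inner

def ipv4_udp(dport: int, data: bytes = b"") -> bytes:
    """Constructed inner IPv4/UDP packet from 10.0.0.1 to 10.0.0.2 (checksums zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
```

A production iRule would also validate the IEs themselves (IMSI, APN, ULI) against partner data, which this example leaves out.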
Intrusion Prevention System and Layer 7 GTP Firewall
The AFM Intrusion Prevention System has been enhanced to fully support the GTP protocol. IPS makes it easy to perform tens if not hundreds of checks on GTP messages and to configure rules according to the customer’s specific requirements. From limiting APNs to blocking ports to IP blacklisting, IPS is highly regarded for its flexibility in defining a virtually unlimited number of check combinations. Here are some commonly used rules that can be configured in the GTP Intrusion Prevention System:
Signature conformance on known security issues
Filter GTPv2-C IEs by message type: 100+ message types in the database, with the ability to blacklist/whitelist specific fields
APN verification (wildcards can be used) for Create Session Requests
Throttle by RAT Type, PDN Type (v4/v6), User Location Info, Aggregate Max Bit Rate, QoS
IP blacklisting of tunneled packets
DoS vectors for tunneled packets and GTP-in-GTP
Map Radio QoS to Network QoS
Throttling per user or per roaming partner
Log enrichment: TEID, APN, IMSI, etc.
By combining traditional Layer 4 firewall capabilities with F5’s Intrusion Prevention System and LTM iRules, the GTP Firewall Solution has become the most advanced MNO network protection offering, one that can successfully deal with many GTP attacks and protect critical Network Elements like PGWs and SGWs while optimizing security costs.