2.1 DSA Overview

Most security threats observed in an SS7 network (for example, location tracking, call intercept, subscriber denial of service, and SMS spam) use messages from the Mobile Application Part (MAP) in the control plane. An attacker can reproduce similar attacks in an LTE network using the Diameter messages equivalent to those MAP messages. Most Diameter security vulnerabilities are introduced from roaming networks, either through IPX or directly from roaming partner networks. Mobile Network Operators (MNOs) therefore need to protect their home network from these Diameter vulnerabilities by filtering out vulnerable Diameter messages received from roaming partners.

DSA lets the operator protect its LTE network from threats and attacks originating from roaming partners. The application defines a set of validation procedures (called countermeasures), each of which can be enabled or disabled independently according to the user's requirements. Some countermeasures need data from previous Diameter messages to validate the current Diameter message. In these cases, UDR is used to preserve the data of the previous Diameter message, which is later retrieved to validate subsequent Diameter messages.

If a countermeasure's business logic finds a message to be vulnerable during validation, DSA lets the operator choose one of three actions: discard the vulnerable message, send an error answer to the vulnerable message, or continue processing the vulnerable message (to find more vulnerabilities).

DSA is configured as the owner of a UDR database. To avoid overloading DSA, the Application Routing Table (ART) is configured to route only messages from foreign networks to DSA. This is incoming roaming traffic, meaning messages whose Origin-Realm does not match the realm of the operator's home network and whose Destination-Realm matches the realm of the operator's home network. Some countermeasures must also process outgoing Diameter messages that are sent from the operator's home network to a foreign network. This outgoing traffic to foreign networks, meaning messages whose Origin-Realm matches the realm of the operator's home network and whose Destination-Realm does not match it, is also routed to DSA.
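The realm-based routing rule and the three per-countermeasure actions described above can be modelled as follows. This is an added illustration, not Oracle's DSA code or configuration: the realm names, the two checks, the countermeasure names and the "bypass"/"forward" outcome labels are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable

HOME_REALM = "home.example.org"  # constructed home-network realm

def _is_home(realm, home):
    # Assumptions: realms compare case-insensitively like DNS names,
    # and a missing AVP counts as "does not match".
    return realm is not None and realm.lower() == home.lower()

def art_direction(msg, home=HOME_REALM):
    """Model of the ART rule: which messages are handed to DSA."""
    origin_home = _is_home(msg.get("Origin-Realm"), home)
    dest_home = _is_home(msg.get("Destination-Realm"), home)
    if not origin_home and dest_home:
        return "incoming"   # incoming roaming traffic
    if origin_home and not dest_home:
        return "outgoing"   # outgoing traffic to a foreign network
    return None             # home-to-home or transit: not routed to DSA

@dataclass
class Countermeasure:
    name: str                      # hypothetical name
    enabled: bool                  # independently enabled/disabled
    action: str                    # "discard", "answer" or "continue"
    flags: Callable[[dict], bool]  # True when the message fails the check

def screen(msg, countermeasures):
    """Return (outcome, names of the countermeasures that flagged msg)."""
    if art_direction(msg) is None:
        return "bypass", []
    hits = []
    for cm in countermeasures:
        if cm.enabled and cm.flags(msg):
            hits.append(cm.name)
            if cm.action != "continue":  # discard / error answer ends screening
                return cm.action, hits
    return "forward", hits

# Hypothetical checks for illustration; not DSA's countermeasure list.
def host_outside_realm(msg):
    return not msg.get("Origin-Host", "").lower().endswith(
        "." + msg.get("Origin-Realm", "").lower())

def unexpected_application(msg):
    return msg.get("Application-Id") not in {16777251}  # S6a only

# Constructed sample message (AVP name -> value), not captured traffic.
SAMPLE = {"Origin-Host": "mme1.other.example.com", "Application-Id": 4,
          "Origin-Realm": "visited.example.net", "Destination-Realm": "home.example.org"}
```

With a "continue" countermeasure placed ahead of a "discard" one, a single pass over SAMPLE reports both findings before the message is dropped.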

DSA can be enabled and disabled as a DCA framework application. Disabling DSA on a specific site is possible only if DSA has been disabled on all the DA-MPs for that specific site. DSA can be completely configured at the SO.

The DCA framework creates applications on top of the Diameter Signaling Router (DSR) allowing for a faster development cycle. There can be up to 10 versions of each DCA in the various states.

To use DSA for DCA, the DCA framework must be activated on the NO. Activation needs to be performed only once. For instructions about how to activate the DCA framework, refer to the Diameter Custom Applications Feature Activation Guide.

When DSA is initially installed, it is disabled. You must enable it manually by navigating to Diameter, and then Maintenance, and then Applications, and enabling the application for every DMAP using DSA.

If DSA appears in the DCA framework GUI menu, the application is already enabled, but that does not guarantee that it is provisioned. You can also disable DSA from Diameter, and then Maintenance, and then Applications.

DCA framework application functionality varies between the SO and the NO. For example, System Options is available on the SO only.