2.13.5 Diameter Security Application (DSA)

Network security is a key concern for service providers as they interconnect networks to provide universal services for their subscribers. Signaling networks at the interconnect are secured through business arrangements between MNOs, relying on the trust between MNOs when exchanging information, rather than through firewalls. Most Diameter security vulnerabilities are exposed at the interconnect, where traffic arrives from roaming networks either through an IPX or directly from roaming partner networks.

Figure 2-61 Interconnect Network and Security Vulnerabilities

GSMA has published its interconnect Diameter network security recommendations in the FS.19 and IR.88 specifications. These detail the security threats associated with Diameter networks, describe the attacks that can be carried out, evaluate the risks and define a set of best-practice countermeasures. The best practice for securing a Diameter network is to use a single point of interconnect and to control access permissions for all incoming requests at the Diameter Edge Agent (DEA). The DEA is the only point of contact into and out of an operator's network at the Diameter application level. DSR provides GSMA FS.19 and IR.88 compliant integrated Diameter Firewall functionality through the Diameter Security Application (DSA) when DSR acts as the DEA. DSA implements all security message category filters defined in GSMA FS.19, together with other security countermeasures, to mitigate different Diameter attacks. DSA shall apply different countermeasures to ingress messages received from an external foreign network and to egress messages sent to an external foreign network.

Figure 2-62 Diameter Security Application (DSA)

DSA security countermeasures are applied to two types of subscribers:
  • Inbound roaming subscribers: Countermeasures are applied for visited network subscribers roaming in the home network.
  • Outbound roaming subscribers: Countermeasures are applied for home network subscribers roaming in a visited network.
Different security countermeasure profiles can be created for different IPX or roaming partners by enabling or disabling countermeasures individually for each IPX provider or roaming partner Diameter peer. DSA shall provide two modes of operation for each individual countermeasure:
  • Detection Only: DSA shall monitor Diameter traffic and report the different Diameter vulnerabilities it detects.
  • Detection and Correction:
    • By dropping the message: DSA shall drop the vulnerable Diameter messages.
    • By rejecting the message: DSA shall reject vulnerable Diameter request messages with an error answer message. If the vulnerable message is an answer message, DSA shall drop that answer message.

'Detection Only' shall be the default operation mode for all countermeasures.

DSA security countermeasures can be classified as:
  • Stateless security countermeasures: Countermeasures that can be applied without maintaining state information at DSA. Some of the important countermeasures are:
    • Application-Id whitelist screening.
    • Application-Id and Command Code consistency check.
    • AVP multiple instance check.
    • AVP whitelist screening.
    • Destination-Realm and Origin-Realm match check.
    • Origin-Realm and Destination-Realm whitelist screening.
    • Realm and IMSI consistency check.
    • Specific AVP screening.
    • Session-Id validation check.
    • Subscriber identity validation.
    • Origin-Host and Origin-Realm format check.
    • Origin-Host and Origin-Realm consistency check.
    • Visited-PLMN-ID and Origin-Realm consistency check.
  • Stateful countermeasures: Countermeasures that require maintaining state information at DSA in order to correlate different Diameter transactions within call flows. Some of the important countermeasures are:
    • Previous Location Check
    • Time-Distance Check
    • Source Host validation – MME Validation
    • Source Host validation – HSS Validation
    • Message rate monitoring
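To make the stateless countermeasures concrete, the following added example (not DSR or DSA code) implements three of them, the Origin-Realm format check, the Destination-Realm/Origin-Realm match check, the Realm and IMSI consistency check and the Visited-PLMN-ID and Origin-Realm consistency check, on an ingress request from a visited MME for an outbound roamer (such as a ULR), and applies the Detection Only versus reject mode described above. It assumes the AVPs have already been parsed into a Python dict (a hypothetical representation), realms in the 3GPP TS 23.003 `epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org` form, and Visited-PLMN-Id in TBCD encoding per TS 24.008; the sample messages are constructed.

```python
import re

# Added example, not DSR/DSA code. AVPs are modelled as a dict (hypothetical);
# realm format per 3GPP TS 23.003, Visited-PLMN-Id TBCD per TS 24.008 10.5.1.3.
REALM_RE = re.compile(r"^epc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")

def realm_plmn(realm):
    """Realm format check: return (mcc, mnc) from a 3GPP realm, or None if malformed."""
    m = REALM_RE.match(realm.strip().lower())
    return (m.group(2), m.group(1)) if m else None

def decode_plmn_id(octets):
    """Decode a 3-octet TBCD Visited-PLMN-Id to (mcc, mnc); None if the length is wrong."""
    if len(octets) != 3:
        return None
    mcc = f"{octets[0] & 0xF}{octets[0] >> 4}{octets[1] & 0xF}"
    mnc, mnc3 = f"{octets[2] & 0xF}{octets[2] >> 4}", octets[1] >> 4
    # A 2-digit MNC carries 0xF as its third digit; pad it to 3 digits as realms do
    return mcc, ("0" + mnc) if mnc3 == 0xF else mnc + str(mnc3)

def imsi_matches_realm(imsi, realm):
    """Realm and IMSI consistency: the IMSI must start with the realm's MCC+MNC.
    An IMSI does not encode its MNC length, so a zero-padded MNC is also tried as 2 digits."""
    plmn = realm_plmn(realm)
    if plmn is None or not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        return False
    mcc, mnc = plmn
    prefixes = [mcc + mnc] + ([mcc + mnc[1:]] if mnc[0] == "0" else [])
    return any(imsi.startswith(p) for p in prefixes)

def screen_ingress(msg, home_realm, mode="detect"):
    """Run the stateless checks on an ingress request and return (action, findings).
    mode 'detect' only reports; 'reject' answers a vulnerable request with an error."""
    findings = []
    orig, dest = msg.get("Origin-Realm", ""), msg.get("Destination-Realm", "")
    if realm_plmn(orig) is None:
        findings.append("Origin-Realm format")
    # An ingress request must target the home realm and must not claim to originate from it
    if orig.lower() == home_realm.lower() or dest.lower() != home_realm.lower():
        findings.append("Destination-Realm/Origin-Realm match")
    if "User-Name" in msg and not imsi_matches_realm(msg["User-Name"], dest):
        findings.append("Realm and IMSI consistency")
    # Undecodable Visited-PLMN-Id ("bad") never equals a realm PLMN, so it is flagged too
    if "Visited-PLMN-Id" in msg and (decode_plmn_id(msg["Visited-PLMN-Id"]) or "bad") != realm_plmn(orig):
        findings.append("Visited-PLMN-Id and Origin-Realm consistency")
    return ("forward" if not findings else "report" if mode == "detect" else "reject"), findings

# Constructed sample: home PLMN 262/01, request from visited PLMN 310/410
HOME_REALM = "epc.mnc001.mcc262.3gppnetwork.org"
ULR = {"Origin-Realm": "epc.mnc410.mcc310.3gppnetwork.org", "Destination-Realm": HOME_REALM,
       "User-Name": "262011234567890", "Visited-PLMN-Id": bytes([0x13, 0x00, 0x14])}
```

A message whose Origin-Realm is set to the home realm fails both the realm match check and the Visited-PLMN-Id consistency check, and in 'reject' mode is answered with an error rather than forwarded.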