Palo Alto Networks Knowledgebase: SCTP-related App-ID changes

SCTP-related App-ID changes

2235
Created On 02/08/19 00:03 AM - Last Updated 02/08/19 00:03 AM
Resolution

SCTP and How It's Used

Stream Control Transmission Protocol (SCTP—protocol number 132), an IP transport-layer protocol defined in RFC 4960, is a reliable, message-based transport protocol. Mobile networks widely use SCTP to transport signaling traffic on various interfaces, such as S1-MME, S6a, and X2, and to send multiple streams of signaling, voice, and other data simultaneously.

  

We currently have 17 App-IDs for SCTP-related protocols and are planning to obsolete 13 of these App-IDs related to SS7 protocols including:

  • ss7-cap
  • ss7-inap
  • ss7-sccp
  • ss7-map-css-callingparty
  • ss7-map-eir-callingparty
  • ss7-map-ggsn-callingparty
  • ss7-map-gmlc-callingparty
  • ss7-map-gsmscf-callingparty
  • ss7-map-hlr-callingparty
  • ss7-map-msc-callingparty
  • ss7-map-sgsn-callingparty
  • ss7-map-siwf-callingparty
  • ss7-map-vlr-callingparty

For these SS7 protocols, we advise our customers to adopt the SCTP Security feature released in PAN-OS 8.1 on supported security platforms. This feature provides better security, granularity, and visibility into these protocols.

 

We also plan to improve identification mechanisms for the remaining 4 App-IDs for SCTP-related protocols, including:

  • diameter-over-sctp
  • m3ua
  • sua
  • s1ap

Release Plan

On 15 May 2018, Palo Alto Networks will be improving identification mechanisms for 4 App-IDs for SCTP-related protocols and obsoleting 13 App-IDs for SCTP-based SS7 protocols.

 

Frequently Asked Questions

 

Q: Why did Palo Alto Networks make this change?

A: Based on our interaction with our Mobile Service Provider customers and the evolving threat landscape in signaling plane, we investigated and came up with these improvements. Being cognizant of that and our continuing efforts to provide better application visibility in the Mobile Networks, we made the decision to obsolete 13 SCTP-related App-IDs and improve 4 SCTP-related App-IDs. We released SCTP Security feature in PAN-OS 8.1 which provides better security, granularity, and visibility into the SCTP-related protocols. 

 

Q: What policy changes will be required?

A1: If you are a customer who is using an App-ID based policy and the App-ID named SCTP and Diameter-over-SCTP to allow SCTP and Diameter related traffic, then no change is required.

  

Here is an example of a security policy, for illustrative purposes only.

1.png

 

A2: If you are a customer using an App-ID based policy and the App-ID named SCTP and any of the 13 SCTP related App-IDs, including ss7-cap, ss7-inap, ss7-sccp , ss7-map-css-callingparty, ss7-map-eir-callingparty, ss7-map-ggsn-callingparty, ss7-map-gmlc-callingparty, ss7-map-gsmscf-callingparty, ss7-map-hlr-callingparty, ss7-map-msc-callingparty, ss7-map-sgsn-callingparty, ss7-map-siwf-callingparty, ss7-map-vlr-callingparty to allow SCTP and SS7 related traffic, you will be required to change this policy to “add” M3UA or SUA App-ID depending upon the adaptation layer protocol used in your network. Pay close attention to the word "add" in the preceding sentence.  

 

Following is an example of a security policy, for illustrative purposes only.

2.png

 

Q: What happens if Diameter-over-SCTP is not added in the security policies with SCTP, in case Diameter traffic is running over SCTP?

A:  Beginning on the third Tuesday in May 2018, Diameter traffic running over SCTP with PPID 46 and 47 will now be identified as Diameter-over-SCTP. If the existing security policy has SCTP explicitly allowed, and there is traffic matching Diameter-over-SCTP, it may get dropped.  

 

Q: What happens if S1AP is not added in the security policies with SCTP in case S1AP traffic is running over SCTP?

A: Beginning on the third Tuesday in May 2018, S1AP traffic running over SCTP will now be identified as S1AP. If the existing security policy has SCTP explicitly allowed, and there is traffic matching S1AP, it may get dropped.  

 

Q: What happens if M3UA or SUA is not added in the security policies with SCTP in case SS7 traffic is running over SCTP?

A: Beginning on the third Tuesday in May 2018, SS7 traffic running over SCTP will now be identified as M3UA or SUA. If the existing security policy has SCTP explicitly allowed, and there is traffic matching M3UA or SUA, it may get dropped.  

 

Q: What is the SCTP Security feature?

A:  SCTP Security feature allows you to enforce multilayer security on SCTP traffic to prevent information from leaking and to prevent attackers from causing denial of service, network congestion, and outages that disrupt data and voice services for mobile subscribers.

 

In addition to enable stateful inspection with multi-homing support, multi-chunk inspection and protocol validation of SCTP, this feature enables filtering SCTP traffic based on payload protocol IDs (PPIDs) and to filter Diameter and SS7 traffic over SCTP.

SCTP security is supported only on PA-5200 Series and VM-Series firewalls and requires content release version 785 or a later version.

 

For more info, refer to https://www.paloaltonetworks.com/documentation/81/service-providers/mobile-network-infrastructure-getting-started/sctp  



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbICAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language