Diameter Firewall

built by broadforward

FS.19 GSMA guidelines for Signaling Firewalls of the Diameter protocol

Diameter Firewall (BroadForward DFW) is a complete and advanced software-based solution that protects 4G networks against potential attacks, unauthorized senders, malformed messages, overload situations, and much more.

  • Unrivaled flexibility
  • Transparent mode support
  • Velocity check support
  • Fully compliant with the relevant GSMA FS.19 recommendations

An integrated security solution that can cover multiple access technologies

Diameter Firewall (DFW) is in use with leading mobile operators around the world. The DFW provides operators with a default set of firewall rules that implement the GSMA specifications FS.19. None of the firewall rules in the system are ‘hard-coded’ and can therefore be adapted for/by the operator as required. Also see: BroadForward again recognized by Kaleido as Champion vendor for signaling security

The DFW reduces the window of opportunity for criminals to exploit a breach of the operator's mobile network. It detects and blocks duplicated-SIM and SIM-swap fraud in real time by performing velocity tracking. This unique feature automatically determines, with a high degree of accuracy, whether a roaming location change is plausible given the speed normally required to bridge that distance (‘time-distance plausibility’).

The easy-to-use Graphical User Interface provides full control of firewall rules and insight into signaling traffic. It gives extensive flexibility to configure, adapt, enable or disable firewall rules that can be deployed across all supported access technologies. The use of readily available templates means operators do not require vendor involvement, scripting or coding to manage or customize firewall rules.

The BroadForward DFW improves the operator’s effectiveness in dealing with unexpected (fraudulent) behavior and significantly increases roaming security. The BroadForward DFW offers major differentiators compared to traditional firewall products:

  • Unrivaled flexibility. Routing, screening and filtering on any message parameter. Freedom to create, adapt and deploy security rules at any time without need for coding or scripting or vendor dependency.
  • Transparent mode support. Unique, live – non-intrusive – effectiveness testing of security rules while logging Event Detail Records for off-line evaluation.
  • Velocity check support. Advanced location tracking function (GSMA FS.19 Category 3 compliant), including global neighboring country lists and velocity checks for location change plausibility checking.
  • Fully compliant with the relevant GSMA FS.19 recommendations.
  • Security suite combination support. 2G/3G/4G and even 5G Firewall support in a single engine software design.
  • Flexible deployment models. Standalone DFW or in combination with e.g. SS7FW (and later 5GFW), using shared location tracking, common GUI interface, single capacity license.
  • Completely GUI based. All configuration, rules orchestration, monitoring and management can be done using the graphical user interface.
  • Active anomaly detection support. Provides reporting/notification interfaces (such as HTTP, SMS & SNMP).
  • Carrier grade. Highly scalable, high available, geo-redundant solution.

GSMA FS.19 categories

The GSMA regularly releases updates to its guidelines for “Diameter Interconnect Security” also known as the FS.19 recommendations. In general, these recommendations define the following four categories:

  • Category 0: Low-layer format filtering detects very simple spoofing attempts to relay messages into the network. It corresponds to low-level (base) Diameter screening that does not need to understand upper-layer applications or decode specific AVPs; it is typically based on lower-level information such as IP, host and realm screening, together with Diameter message-format screening.
  • Category 1: corresponds to Application ID and Command Code screening without the need to decode specific AVPs. Category 1 filtering focuses on interface misuse (important to prevent external access to internal interfaces), hijacking of interfaces and consistency inside the message.
  • Category 2: corresponds to detailed AVP-level screening, e.g. using IMSI or MSISDN (User-Name AVPs). Such messages should not target internal subscribers from international interconnect, yet receipt of these messages needs to be permitted to support inbound roamers. Filtering for this category is typically performed on the User-Name AVP, but it may extend to other AVPs. The User-Name AVP should appear only once in a message to avoid bypassing filtering.
  • Category 3: Practice for Category 3 filtering is to deny all Diameter messages except those expressly required for a given interface. Only the interface(s) required to support the MNO usage scenarios should be activated on the DRA. Messages that indicate an unusually rapid change of location (measured by consecutive Location Updates from non-bordering countries within a short period) should be filtered.
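The four FS.19 categories above, together with the velocity check (‘time-distance plausibility’) described earlier on this page, can be illustrated with a small screening pipeline. The following is an added example, not BroadForward's DFW code and not a complete FS.19 rule set: it models an inbound S6a message as a dict of AVP name to a list of values (so a repeated AVP stays visible), runs Category 0 to 3 checks in order, and keeps the last accepted location per IMSI to apply a neighbouring-country and speed plausibility test. All realms, IMSIs, the inbound allow-list, the country centroids and the neighbour table are constructed for the demo; the S6a application id and command codes are the real 3GPP values.

```python
"""FS.19-style category screening of inbound Diameter messages (added example)."""
from math import asin, cos, radians, sin, sqrt

# --- Constructed operator configuration (assumptions, not a real rule set) ---
HOME_REALM = "epc.mnc001.mcc262.3gppnetwork.org"          # hypothetical home PLMN realm
NL_REALM = "epc.mnc010.mcc204.3gppnetwork.org"            # hypothetical roaming partners
FR_REALM = "epc.mnc002.mcc208.3gppnetwork.org"
BR_REALM = "epc.mnc002.mcc724.3gppnetwork.org"
PARTNER_REALMS = {NL_REALM, FR_REALM, BR_REALM}
S6A_APP_ID = 16777251                                     # 3GPP S6a/S6d application id
ULR, AIR, IDR = 316, 318, 319                             # S6a command codes
INBOUND_ALLOWED = {(S6A_APP_ID, ULR), (S6A_APP_ID, AIR)}  # Category 1 allow-list (constructed)
MCC_TO_COUNTRY = {"262": "DE", "204": "NL", "208": "FR", "724": "BR"}
COUNTRY_CENTROID = {"DE": (51.2, 10.4), "NL": (52.1, 5.3),   # rough lat/lon per country
                    "FR": (46.6, 2.2), "BR": (-10.0, -55.0)}
NEIGHBOURS = {frozenset({"DE", "NL"}), frozenset({"DE", "FR"})}  # bordering-country pairs
MAX_SPEED_KMH = 1000.0   # faster than a scheduled flight: location change is implausible


def one(msg, avp):
    """Return the AVP's single value, or None if it is absent or repeated."""
    vals = msg.get(avp, [])
    return vals[0] if len(vals) == 1 else None


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class DiameterFirewall:
    def __init__(self):
        self.last_seen = {}   # IMSI -> (country, epoch seconds) of the last accepted ULR

    def screen(self, msg, peer_realm, now):
        """Return (allowed, reason); the first failing category wins."""
        for check in (self._cat0, self._cat1, self._cat2, self._cat3):
            reason = check(msg, peer_realm, now)
            if reason:
                return False, reason
        return True, "allow"

    def _cat0(self, msg, peer_realm, now):   # host/realm and format screening
        realm, host = one(msg, "Origin-Realm"), one(msg, "Origin-Host")
        if realm is None or host is None:
            return "cat0: Origin-Host/Origin-Realm missing or repeated"
        if realm == HOME_REALM or realm not in PARTNER_REALMS:
            return "cat0: origin realm is spoofed or unknown"
        if realm != peer_realm or not host.endswith("." + realm):
            return "cat0: origin does not match the peer the message arrived from"
        if one(msg, "Destination-Realm") != HOME_REALM:
            return "cat0: destination realm is not the home network"
        return None

    def _cat1(self, msg, peer_realm, now):   # application id / command code allow-list
        key = (one(msg, "Application-Id"), one(msg, "Command-Code"))
        return None if key in INBOUND_ALLOWED else f"cat1: {key} not permitted inbound"

    def _cat2(self, msg, peer_realm, now):   # User-Name must be present exactly once
        vals = msg.get("User-Name", [])
        if len(vals) != 1:
            return "cat2: User-Name must appear exactly once"
        if not (vals[0].isdigit() and 6 <= len(vals[0]) <= 15):
            return "cat2: malformed IMSI"
        return None

    def _cat3(self, msg, peer_realm, now):   # velocity / time-distance plausibility
        if one(msg, "Command-Code") != ULR:
            return None
        imsi, plmn = one(msg, "User-Name"), one(msg, "Visited-PLMN-Id") or ""
        country = MCC_TO_COUNTRY.get(plmn[:3])
        if country is None:
            return "cat3: unknown visited PLMN"
        prev = self.last_seen.get(imsi)
        if prev and prev[0] != country and frozenset({prev[0], country}) not in NEIGHBOURS:
            hours = (now - prev[1]) / 3600.0
            km = haversine_km(COUNTRY_CENTROID[prev[0]], COUNTRY_CENTROID[country])
            if hours <= 0 or km / hours > MAX_SPEED_KMH:
                return f"cat3: implausible velocity, {km:.0f} km in {hours:.2f} h"
        self.last_seen[imsi] = (country, now)   # only accepted updates move the tracked location
        return None


def make_msg(cmd, origin_realm, imsi, plmn):
    """Build a constructed S6a request (all values are sample data)."""
    return {"Application-Id": [S6A_APP_ID], "Command-Code": [cmd],
            "Origin-Host": ["mme1." + origin_realm], "Origin-Realm": [origin_realm],
            "Destination-Realm": [HOME_REALM], "User-Name": [imsi], "Visited-PLMN-Id": [plmn]}


def run_demo():
    """Screen six constructed messages; returns the list of (allowed, reason) verdicts."""
    fw, imsi, t0 = DiameterFirewall(), "262001234567890", 1_700_000_000.0
    dup = make_msg(ULR, NL_REALM, imsi, "20410")
    dup["User-Name"].append("262009999999999")          # second User-Name AVP
    cases = [
        (make_msg(ULR, NL_REALM, imsi, "20410"), NL_REALM, t0),          # genuine ULR from NL
        (make_msg(ULR, HOME_REALM, imsi, "20410"), NL_REALM, t0 + 60),   # claims home realm
        (make_msg(IDR, NL_REALM, imsi, "20410"), NL_REALM, t0 + 120),    # IDR not on allow-list
        (dup, NL_REALM, t0 + 180),                                       # duplicated User-Name
        (make_msg(ULR, BR_REALM, imsi, "72402"), BR_REALM, t0 + 1800),   # Brazil 30 min later
        (make_msg(ULR, FR_REALM, imsi, "20802"), FR_REALM, t0 + 14400),  # France 4 h later
    ]
    return [fw.screen(msg, peer, now) for msg, peer, now in cases]


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW " if allowed else "REJECT", reason)
```

Two design points carry over to a real deployment: a rejected Location Update does not move the subscriber's tracked location, so a spoofed update cannot "relocate" the subscriber and make their genuine next update look implausible; and because every verdict carries a reason string, the same pipeline can run in a transparent mode that only logs the verdict instead of dropping the message, which is how rules are usually evaluated before enforcement.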

functional specs

No specifications available.
