SS7, Diameter, and GTP-C Firewall
SS7, Diameter, and GTP-C all have structural weaknesses that make them attractive targets, so operators need a multi-protocol, adaptive signaling firewall rather than relying on basic, compliance-level controls.
SS7 Firewall
SS7 was designed for a trusted, closed environment, but in reality, signaling access can be purchased or brokered through third parties, giving both commercial and state-backed threat actors an entry point into mobile networks. This outdated trust model, combined with weak authentication and limited message validation, enables SS7 attacks including:
- Location tracking
- Call and SMS interception
- Fraud
- Subscriber DoS
- Network DoS
- Probing
Because attackers continuously evolve their techniques and exploit the protocol’s flexibility to bypass static filters in new ways, SS7 must be protected by a dedicated SS7 firewall that, in addition to basic filtering and protocol validation, also enforces correlation, anomaly, and plausibility rules.
Diameter Firewall
Diameter was introduced for LTE and carries vulnerabilities similar to those of SS7, because it was not designed with security in mind and used the same signaling roaming paradigm. Direct access to Diameter edge nodes allows attackers to impersonate remote nodes, while hop-by-hop routing and the lack of end-to-end security enable attackers to hide and carry out attacks, including:
- Location tracking
- Message and data interception
- Authentication key theft
- Subscriber DoS
- Network DoS
- Discovery
- Protocol downgrades (forcing subscribers to 3G/SS7 signaling for further attacks)
As operators harden their SS7 exposure, signaling attacks increasingly focus on Diameter as an alternative path to the same objectives. Deploying a Diameter firewall is crucial to protecting networks and subscribers.
GTP-C Firewall
GTP-C is used in 3G and 4G (and even “2.5G”). Direct access to GTP-C endpoints allows attackers to impersonate remote nodes. GTP-C is essential for establishing and managing data tunnels, but like SS7 and Diameter, it lacks strong built-in security controls, making it susceptible to attacks, including:
- Session or tunnel hijacking
- Location tracking
- Fraud
- Subscriber DoS
- Subscriber data disclosure
- C2 communication (e.g., GTPDOOR)
A GTP-C firewall is essential for preventing a wide range of attacks and protecting subscribers and networks from data leakage or service disruptions. The GTP-C firewall must protect both GTPv1 and GTPv2 and should also be able to handle stateful inspection when asynchronous routing is used.
5G Signaling over HTTP/2
5G is the first network generation designed for explicit security rather than implicit trust among operators and other network members. That does not remove the critical need for 5G firewalls to protect signaling interconnects in mobile networks, for several reasons:
- Common IT protocols used in the 5G core are widely known and targeted, making them susceptible to exploitation.
- 5G signaling is richer than in previous network generations, creating significantly more complexity.
- Legacy protocols remain a vital part of mobile communication, especially within IPX and roaming hubs, as 5G roaming is not yet on the horizon.
- The SEPP is not a meaningful defense mechanism without 5G roaming and direct end-to-end connections between operators.
- New features and use cases, including API exposure, network slicing, and IoT, expand the attack surface and add new security risks, which can lead to unauthorized access and data leakage.
- Security gaps occur when operators adopt security-by-design selectively to balance cost with controls, or because of misconfigurations in the network.
Operators need 5G firewalls because 5G networks interwork with vulnerable legacy SS7, Diameter, and GTP protocols, while introducing new risks such as network slicing and expanded roaming attack surfaces that SEPP proxies cannot fully mitigate. 5G firewalls should provide multi-protocol, stateful inspection, cross-generation threat correlation, and real-time anomaly detection to block sophisticated fraud, DoS, location tracking, and data interception attempts across hybrid 3G/4G/5G environments.
Protocol Cross-Correlation
Cross-correlation across all signaling protocols is crucial for signaling firewalls because it allows for consistency checks that separate SS7, Diameter, and GTP-C firewalls cannot perform. Advanced attacks can target multiple protocols at once, bypassing firewalls that concentrate on a single protocol. Without integrated visibility, these multi-stage attacks appear as isolated anomalies, enabling fraud, DoS, or surveillance.
Real-time correlation of subscriber parameters, such as IMSI, location, and session state, across protocols detects inconsistencies like the same user appearing in conflicting locations and prevents coordinated threats before they happen.
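The location-consistency check described above can be sketched as follows. This is an added example, not Enea's code: the normalized event fields, the 1000 km/h ceiling, the network names, and the sample events are all assumptions constructed for illustration.

```python
import math
from collections import namedtuple

# One normalized signaling event, whatever protocol carried it (field names are assumptions).
Event = namedtuple("Event", "ts proto imsi network lat lon")

MAX_KMH = 1000.0  # assumed plausibility ceiling, roughly airliner speed

def km_between(a, b):
    """Great-circle distance in km between two events (haversine)."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def correlate(events, max_kmh=MAX_KMH):
    """Return findings for IMSIs whose location jumps implausibly between
    consecutive events, regardless of which protocol reported each one."""
    last, findings = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.imsi)
        last[ev.imsi] = ev
        if prev is None or prev.network == ev.network:
            continue
        hours = max(ev.ts - prev.ts, 1) / 3600.0  # avoid division by zero
        speed = km_between(prev, ev) / hours
        if speed > max_kmh:
            findings.append({"imsi": ev.imsi, "from": (prev.proto, prev.network),
                             "to": (ev.proto, ev.network), "kmh": round(speed),
                             "cross_protocol": prev.proto != ev.proto})
    return findings

# Constructed sample data: timestamps in seconds, test-PLMN IMSIs, and rough
# coordinates for made-up serving networks.
SAMPLE = [
    Event(0,    "diameter", "001010000000001", "home-A",    48.85, 2.35),
    Event(600,  "gtp-c",    "001010000000001", "visited-B", 1.35, 103.82),
    Event(0,    "ss7",      "001010000000002", "home-A",    48.85, 2.35),
    Event(7200, "diameter", "001010000000002", "visited-C", 50.85, 4.35),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

Feeding the function only the GTP-C events from the sample yields no finding, because the conflict is visible only when the Diameter and GTP-C views of the same IMSI are compared.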
Enea Adaptive Signaling Firewall
The Adaptive Signaling Firewall provides unified inspection across SS7, Diameter, GTP-C, and 5G signaling with AI-driven threat intelligence for cross-protocol correlation. It detects and mitigates complex attacks from advanced threat actors and adapts its policies to emerging threats. It ensures GSMA compliance and interconnect security for MNOs.