SCTP

Security cookie against SYN flood attack

Since every packet contains verification of its place in the stream, it makes it easy for the protocol to detect when redundant, corrupted or malicious packets flood the path, and they are automatically dropped when necessary.

 

Built-in heartbeat (reachability check)

Endpoints automatically send specific control chunks among the other SCTP packet information to peer endpoints, to determine the reachability of the destination. Hearthbeat acknowledgement packets are returned if the destination is available.

 

SCTP Firewall

FortiGate stateful firewalls will protect and inspect SCTP traffic, according to RFC4960. SCTP over IPsec VPN is also supported. The FortiGate device is inserted as a router between SCTP endpoints. It checks SCTP Syntax for the following information:

  • Source and destination port
  • Verification Tag
  • Chunk type, chunk flags, chunk length
  • Sequence of chunk types
  • Associations

The firewall also oversees and maintains several SCTP security mechanisms:

  • SCTP four-way handshake
  • SCTP heartbeat
  • NAT over SCTP

The firewall has IPS DoS protection against known threats to SCTP traffic, including INIT/ACK flood attacks, and SCTP fuzzing.

 

SCTP example scenario

An ideal SCTP configuration for a Carrier serving multiple operators/service providers involves a unified Firewall, securing all incoming and outgoing traffic over the Carrier network, whether it be standard web traffic, GTP or other carrier traffic, or corporate traffic for the Carrier company.

One best practice method to provide a unified firewall with built-in redundancy is to make use of multiple FortiGate units, connected in a High Availability cluster. Also, there are additional methods that can be applied to ease the complexity of managing multiple services, functions, and traffic types across multiple devices.

 

Sample SCTP Network Topology

Outward-facing servers: Sales, billing, etc.

Operator STP nodes

(locally secured)

Internet

Central Carrier STP node and services, behind FW (secured)

SCTP Firewall Layer

(HA Setup)

Public Internet

(unsecured)

In this example, the firewall layer is configured with two FortiGate devices to act as an HA cluster, providing automatic load balancing and failover detection for the main firewall.

The two devices together make up the firewall, through which all traffic passes. Virtual Domains are created within the FortiGate units, distributing services and traffic into individual VDOMs, allowing them to be monitored and secured individually, to help mitigate possible threats to Carrier networks that target specific services. Individual departments or administrators can manage specific VDOMs, or the FortiGates can be collectively managed centrally by network administrators.

The VDOMs are distributed as shown below:

 

VDOM distribution between SCTP Firewall Layer FortiGate units

SCTP

VDOM GTP VDOM

Corporate

VDOM

Services

VDOM

Root VDOM

Slave   Master

Virtual

Cluster 2

 

 

 

 

 

 

Master    Slave

 

 

 

Virtual

Cluster 1

SCTP

VDOM GTP VDOM

 

 

 

Corporate

VDOM

 

Services

VDOM

 

 

 

Root VDOM

 

 

 

 

 

FGT_1                                       FGT_2

 

One FortiGate handles basic FortiGate services and non-Carrier traffic. Configuring virtual clustering across the two FortiGates allows one to mirror its VDOMs across to the other unit.

 

The second FortiGate can then primarily provide Carrier-specific services and handle SCTP, Gi and GTP traffic, using the first FortiGate as the slave unit in a second virtual cluster.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website