Configuring IMSI filtering in FortiOS Carrier


In many ways the IMSI on a GPRS network is similar to an IP address on a TCP/IP network. Different parts of the number provide different pieces of information. This concept is used in IMSI filtering on FortiOS Carrier.

To configure IMSI filtering go to Security Profiles > GTP Profile and expand IMSI filtering.

While both the APN and MCC-MNC fields are optional, an IMSI entry that uses neither field is not useful because there is no information for the filter to match.

Enable IMSI Filter     Select to turn on IMSI filtering.

Default IMSI Action    Select Allow or Deny. This action will be applied to all IMSI numbers except as indicated in the IMSI list that is displayed. The default value is Allow.

APN                    The Access Point Number (APN) to filter on. This field is optional.

MCCMNC                 The Mobile Country Code (MCC) and Mobile Network Code (MNC) to filter on. Together these numbers uniquely identify the carrier and network of the GGSN being used. This field is optional.

Mode                   Select the source of the IMSI information as one or more of the following:

  • Mobile Station provided – the IMSI number comes from the mobile station the mobile device is connecting to.
  • Network provided – the IMSI number comes from the GPRS network which could be a number of sources such as the SGSN, or HLR.
  • Subscription Verified – the IMSI number comes from the user’s home network which has verified the information.

While Subscription Verified is the most secure option, it may not always be available. Selecting all three options will ensure the most complete coverage.

Action                 Select the action to take when this IMSI information is encountered. Select one of Allow or Deny.

Delete Icon            Select the delete icon to remove this IMSI entry.

Edit Icon              Select the edit icon to change information for this IMSI entry.

Add IMSI               Select to add an IMSI to the list. Not active while creating GTP profile, only when editing an existing GTP profile. Save all changes before adding IMSIs. A warning to this effect will be displayed when you select the Add IMSI button.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

GTP identity filtering


FortiOS Carrier supports a number of filtering methods based on subscriber identity such as APN filtering, IMSI filtering, and advanced filtering. This section includes:

  • IMSI on carrier networks
  • Other identity and location based information elements
  • Configuring APN filtering in FortiOS Carrier
  • Configuring IMSI filtering in FortiOS Carrier
  • Configuring advanced filtering in FortiOS Carrier

 

IMSI on carrier networks

The International Mobile Subscriber Identity (IMSI) number is central to identifying users on a carrier network. It is a unique number that is assigned to a cell phone or mobile device to identify it on the GSM or UMTS network.

Typically, the IMSI number is stored on the SIM card of the mobile device and is sent to the network as required. An IMSI number is 15 digits long, and includes the Mobile Country Code (MCC), Mobile Network Code (MNC), and Mobile Station Identification Number (MSIN).

 

IMSI codes

The Home Network Identity (HNI) is made up of the MCC and MNC. The HNI is used to fully identify a user’s home network. This is important because some large countries have more than one country code for a single carrier. For example, a customer with a mobile carrier on the East Coast of the United States would have a different MCC than a customer on the West Coast with the same carrier: even though the MNC would be the same, the MCC would be different. The United States uses MCCs 310 to 316 due to its size.

If an IMSI number is not from the local carrier’s network, IMSI analysis is performed to resolve the number into a Global Title which is used to access the user’s information remotely on their home carrier’s network for things like billing and international roaming.
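The IMSI structure above and the IMSI filter fields (APN, MCCMNC, Mode, Action, Default IMSI Action) can be modelled as follows. This is an added example, not FortiOS Carrier code: the first-match evaluation order, the prefix match on MCCMNC, the short mode labels and the sample entries (test network 001/01 and the page's 342/750 example) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Labels for the three Mode options; the short names are this example's own.
MS_PROVIDED, NET_PROVIDED, SUB_VERIFIED = "ms", "net", "vrf"
ALL_MODES = frozenset({MS_PROVIDED, NET_PROVIDED, SUB_VERIFIED})


@dataclass(frozen=True)
class ImsiEntry:
    action: str                      # "allow" or "deny"
    mcc_mnc: Optional[str] = None    # MCC followed by MNC, e.g. "342750"
    apn: Optional[str] = None        # e.g. "internet"
    modes: frozenset = ALL_MODES     # IMSI sources this entry applies to


def split_imsi(imsi: str, mnc_len: int = 3):
    """Split a 15-digit IMSI into (MCC, MNC, MSIN).

    The IMSI itself does not say whether its MNC has 2 or 3 digits, so the
    caller supplies the length used by the numbering plan in question.
    """
    if not (imsi.isascii() and imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be exactly 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def entry_matches(entry: ImsiEntry, imsi: str, apn: str, mode: str) -> bool:
    # An entry with neither APN nor MCCMNC has nothing to match on.
    if entry.mcc_mnc is None and entry.apn is None:
        return False
    # The entry only applies to the IMSI sources selected in Mode.
    if mode not in entry.modes:
        return False
    # Prefix match sidesteps the 2-versus-3-digit MNC ambiguity (assumption).
    if entry.mcc_mnc is not None and not imsi.startswith(entry.mcc_mnc):
        return False
    if entry.apn is not None and entry.apn.lower() != apn.lower():
        return False
    return True


def evaluate(imsi, apn, mode, entries, default_action="allow"):
    """Return (action, index of matching entry or None)."""
    split_imsi(imsi)  # rejects malformed IMSIs before any matching
    for index, entry in enumerate(entries):
        if entry_matches(entry, imsi, apn, mode):
            return entry.action, index
    return default_action, None


# Constructed sample list, not taken from any real profile.
SAMPLE_ENTRIES = (
    ImsiEntry("deny"),                                       # inert: no fields
    ImsiEntry("deny", mcc_mnc="342750",
              modes=frozenset({SUB_VERIFIED})),              # one source only
    ImsiEntry("deny", mcc_mnc="00101", apn="internet"),      # all sources
)

if __name__ == "__main__":
    print(split_imsi("342750123456789"))
    # Same IMSI, different source: the narrow Mode lets it fall to the default.
    print(evaluate("342750123456789", "internet", SUB_VERIFIED, SAMPLE_ENTRIES))
    print(evaluate("342750123456789", "internet", MS_PROVIDED, SAMPLE_ENTRIES))
```

With the default action left at Allow the list behaves as a denylist, so an entry limited to one Mode leaves the other IMSI sources uncovered.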

 

Other identity and location based information elements

IMSI focuses on the user, their location, and carrier network. There are other numbers used to identify different user related Information Elements (IE).

These identity and location based elements include:

  • Access Point Number (APN)
  • Mobile Subscriber Integrated Services Digital Network (MSISDN)
  • Radio Access Technology (RAT) type
  • User Location Information (ULI)
  • Routing Area Identifier (RAI)
  • International Mobile Equipment Identity (IMEI)

 

Access Point Number (APN)

The Access Point Number (APN) is used in GPRS networks to identify an IP packet data network that a user wants to communicate with. The Network Identifier describes the network and optionally the service on that network that the GGSN is connected to. The APN also includes the MCC and MNC, which together locate the network the GGSN belongs to. An example of an APN in Barbados using Digicel as the carrier that is connecting to the Internet is internet.mcc342.mnc750.gprs.

When you are configuring your Carrier-enabled FortiGate unit’s GTP profiles, you must first configure the APN. It is critical to GTP communications and without it no traffic will flow.

The access point can then be used in a DNS query to a private DNS network. This process (called APN resolution) gives the IP address of the GGSN which serves the access point. At this point a PDP context can be activated.

 

Mobile Subscriber Integrated Services Digital Network (MSISDN)

This is a 15-digit number that, along with the IMSI, uniquely identifies a mobile user. Normally this number includes a 2-digit country code, a 3-digit national destination code, and a 10-digit subscriber number or the phone number of the mobile device, and because of that may change over time if the user changes their phone number. The MSISDN number follows the ITU-T E.164 numbering plan.

 

Radio Access Technology (RAT) type

The RAT type represents the radio technology used by the mobile device. This can be useful in determining what services or content can be sent to a specific mobile device. FortiOS Carrier supports:

  • UMTS Terrestrial Radio Access Network (UTRAN), commonly referred to as 3G, routes many types of traffic including IP traffic. This is one of the faster types.
  • GSM EDGE Radio Access Network (GERAN) is a key part of the GSM network which routes both phone calls and data.
  • Wireless LAN (WLAN) is used but not as widely as the other types. It is possible for the mobile device to move from one WLAN to another such as from an internal WLAN to a commercial hot spot.
  • Generic Access Network (GAN) can also be called unlicensed mobile access (UMA). It routes voice, data, and SIP over IP networks. GAN is commonly used for mobile devices that have a dual-mode and can hand-off between GSM and WLANs.
  • High Speed Packet Access (HSPA) includes two other protocols, the High Speed Downlink and Uplink Packet Access protocols (HSDPA and HSUPA respectively). It improves on the older WCDMA protocols by better using the radio bandwidth between the mobile device and the radio tower. This results in an increased data transfer rate for the user.

RAT type is part of advanced filtering configuration. See Configuring advanced filtering in FortiOS Carrier.



Configuring GTP on FortiOS Carrier


Configuring GTP support on FortiOS Carrier involves configuring a number of feature areas. Some features require longer explanations, and have their own chapters. The other features are addressed here.

  • GTP support on the Carrier-enabled FortiGate unit
  • Configuring General Settings on the Carrier-enabled FortiGate unit
  • Configuring Encapsulated Filtering in FortiOS Carrier
  • Configuring the Protocol Anomaly feature in FortiOS Carrier
  • Configuring Anti-overbilling in FortiOS Carrier
  • Logging events on the Carrier-enabled FortiGate unit

 

GTP support on the Carrier-enabled FortiGate unit

The FortiCarrier unit needs to have access to all traffic entering and exiting the carrier network for scanning, filtering, and logging purposes. This promotes one of two configurations — hub and spoke, or bookend.

A hub and spoke configuration with the Carrier-enabled FortiGate unit at the hub and the other GPRS devices on the spokes is possible for smaller networks where a lower bandwidth allows you to divide one unit into multiple virtual domains to fill multiple roles on the carrier network. It can be difficult with a single FortiOS Carrier as the hub to ensure all possible entry points to the carrier network are properly protected from potential attacks such as relayed network attacks.

A bookend configuration uses two Carrier-enabled FortiGate units to protect the carrier network between them with high bandwidth traffic. One unit handles traffic from mobile stations, SGSNs, and foreign carriers. The other handles GGSN and data network traffic. Together they ensure the network is secure.

The Carrier-enabled FortiGate unit can access all traffic on the network. It can also verify traffic between devices, and verify that the proper GPRS interface is being used. For example there is no reason for a Gn interface to be used to communicate with a mobile station — the mobile station will not know what to do with the data — so that traffic is blocked.

When you are configuring your Carrier-enabled FortiGate unit’s GTP profile, you must first configure the APN. It is critical to GTP communications — no traffic will flow without the APN.

 

The Carrier-enabled FortiGate unit does more than just forward and route GTP packets over the network. It also performs:

  • Packet sanity checking
  • GTP stateful inspection
  • Protocol anomaly detection and prevention
  • HA
  • Virtual domain support


Sending administrator alert notifications


When duplicate messages are detected, the Carrier-enabled FortiGate unit can be configured to notify you immediately with an MMS message. Enable this feature by selecting Alert Notification in the duplicate message action. Each duplicate message threshold can be configured separately.

 

Configuring how and when to send alert notifications

You can configure different alert notifications for MM1 and MM4 duplicate messages. You can configure the FortiOS Carrier unit to send these alert notifications using the MM1, MM3, MM4, or MM7 content interface. Each of these content interfaces requires alert notification settings that the FortiOS Carrier unit uses to communicate with a server using the selected content interface.

For the MM1 content interface you require:

  • The hostname of the server
  • The URL of the server (usually “/”)
  • The server port (usually 80)

For the MM3 and MM4 content interfaces you require:

  • The hostname of the server
  • The server port (usually 80)
  • The server user domain

For the MM7 content interface you require:

  • The message type:
      • submit.REQ to send a notification message to the sender in the form of a submit request. The message goes from a VAS application to the MMSC.
      • deliver.REQ to send a notification message to the sender in the form of a deliver request. The message goes from the MMSC to a VAS application.
  • The hostname of the server
  • The URL of the server (usually “/”)
  • The server port (usually 80)
  • A user name and password to connect to the server
  • The value-added-service-provider (VASP) ID
  • The value-added-service (VAS) ID

 

To configure administrator alert notifications – web-based manager

1. Go to Security Profiles > MMS Profile and edit or add a new MMS protection profile.

2. Expand MMS Bulk Email Filtering Detection.

There are three duplicate message thresholds.

3. Expand the threshold that you want to configure alert notification for.

4. For Duplicate Message Action, select the Alert Notification check box. Alert notification options appear.

5. For the Source MSISDN, enter the MSISDN from which the alert notification message will be sent.

6. Select the Message Protocol the alert notification will use: MM1, MM3, MM4, or MM7.

7. Add the information required by FortiOS Carrier to send messages using the selected message protocol:

8. For Notifications Per Second Limit, enter the number of notifications to send per second.

Use this setting to control the number of notifications sent by the FortiOS Carrier unit. If you enter zero (0), the notification rate is not limited.

9. If required, change Window Start Time and Window Duration to configure when the FortiOS Carrier unit sends alert notifications.

By default, notifications are sent at any time of the day. You can change the Window Start Time if you want to delay sending alert messages. You can also reduce the Window Duration if you want to stop sending alert notifications earlier.

For example, you might not want FortiOS Carrier sending notifications except during business hours. In this case the Window Start Time could be 9:00 and the Window Duration could be 8:00 hours.

You can set different alert notifications for each message threshold. For example, you could limit the message window for lower thresholds and set it to 24 hours for higher thresholds. This way administrators will only receive alert notifications outside of business hours for higher thresholds.

10. For Day of Week, select the days of the week to send notifications.

For example, you may only want to send alert notifications on weekends for higher thresholds.

11. In the Interval field, enter the maximum frequency that alert notification messages will be sent, in minutes or hours.

All alerts occurring during the interval will be included in a single alert notification message to reduce the number of alert messages that are sent.

 

Configuring who to send alert notifications to

In each MMS protection profile you add a list of recipient MSISDNs. For each of these MSISDNs you select the duplicate threshold that triggers sending notifications to this MSISDN.

 

To configure the alert notification recipients – web-based manager

1. Go to Security Profiles > MMS Profile.

2. Select the Edit icon of the MMS profile in which you want to configure the alert notification recipients.

3. Expand MMS Bulk Email Filtering Detection.

4. Expand Recipient MSISDN.

5. Select Create New.

6. In the New MSISDN window, enter the MSISDN to use for duplicate threshold alert notification. Select the duplicate thresholds at which to send alert notifications to the MSISDN.

 

For the duplicate threshold to be able to send an alert notification to the MSISDN, the duplicate message threshold alert notification action must be enabled and configured.

 



Notifying duplicate message senders and receivers


The FortiOS Carrier unit does not send notifications to the sender or receiver of duplicate messages. If the sender or receiver is an attacker and is explicitly informed that they have exceeded a message threshold, the attacker may try to determine the exact threshold value by trial and error and then find a way around duplicate message protection. For this reason, no notification is sent to the sender or receiver.

However, the FortiOS Carrier unit does have replacement messages for sending reply confirmations to MM1 senders and receivers and for MM4 senders for blocked messages identified as duplicate messages. For information about how FortiOS Carrier responds when message flood detection blocks a message, see and MMS duplicate messages and message floods.

 

Responses to MM1 senders and receivers

When the FortiOS Carrier unit identifies an MM1 message sent by a sender to an MMSC as a duplicate message and blocks it, the FortiOS Carrier unit returns a message submission confirmation (m-send.conf) to the sender (otherwise the sender’s handset would keep retrying the message). The m-send.conf message is sent only when the MM1 duplicate message action is set to Block. For other duplicate message actions the message is actually delivered to the MMSC and the MMSC sends the m-send.conf message.

You can customize the m-send.conf message by editing the MM1 send-conf duplicate message MM1 replacement message (from the CLI the mm1-send-conf-dupe replacement message). You can customize the response status and message text for this message. The default response status is “Content not accepted”. To hide the fact that the FortiOS Carrier unit is responding to a duplicate message, you can change the response status to “Success”. The default message text informs the sender that the message was blocked. You could change this to something more generic.

For example, the following command sets the submission confirmation response status to “Success” and changes the message text to “Message Sent OK”:

config system replacemsg mm1 mm1-send-conf-dupe
    set rsp-status ok
    set rsp-text "Message Sent OK"
end

When the FortiOS Carrier unit identifies an MM1 message received by a receiver from an MMSC as a duplicate message and blocks it, the FortiOS Carrier unit returns a message retrieval confirmation (m-retrieve.conf) to the sender (otherwise the sender’s handset would keep retrying). The m-retrieve.conf message is sent only when the MM1 duplicate message action is set to Block. For other message flood actions the message is actually received by the receiver, so the MMSC sends the m-retrieve.conf message.

You can customize the m-retrieve.conf message by editing the MM1 retrieve-conf duplicate message MM1 replacement message (from the CLI the mm1-retr-conf-dupe replacement message). You can customize the class, subject, and message text for this message.

For example, you could use the following command to make the response more generic:

config system replacemsg mm1 mm1-retr-conf-dupe
    set subject "Message blocked"
    set message "Message temporarily blocked by carrier"
end

 

Forward responses for duplicate MM4 messages

When the FortiOS Carrier unit identifies an MM4 message as a duplicate message and blocks it, the FortiOS Carrier unit returns a message forward response (MM4_forward.res) to the forwarding MMSC (otherwise the forwarding MMSC would keep retrying the message). The MM4_forward.res message is sent only when the MM4 duplicate message action is set to Block and the MM4-forward.req message requested a response. For more information, see and MMS duplicate messages and message floods.

You can customize the MM4_forward.res message by editing the MM4 duplicate message MM4 replacement message (from the CLI the mm4-dupe replacement message). You can customize the response status and message text for this message. The default response status is “Content not accepted” (err-content-not-accept). To hide the fact that the FortiOS Carrier unit is responding to a duplicate message, you can change the response status to “Success”. The default message text informs the sender that the message was blocked. You could change this to something more generic.

For example, the following command sets the submission confirmation response status to “Success” and changes the message text to “Message Forwarded OK”:

config system replacemsg mm4 mm4-dupe
    set rsp-status ok
    set rsp-text "Message Forwarded OK"
end

 

Viewing DLP archived messages

If DLP Archive is a selected duplicate message action, the messages that exceed the threshold are saved to the MMS DLP archive. The default behavior is to save all of the offending messages but you can configure the DLP archive setting to save only the first message that exceeds the threshold. See Viewing DLP archived messages.

Order of operations: flood checking before duplicate checking

Although duplicate checking involves only examination and comparison of message contents and not the sender or recipient, and flood checking involves only totalling the number of messages sent by each subscriber regardless of the message content, there are times when a selection of messages exceed both flood and duplicate thresholds.

The Carrier-enabled FortiGate unit checks for message floods before checking for duplicate messages. Flood checking is less resource-intensive and if the flood threshold invokes a Block action, the blocked messages are stopped before duplicate checking occurs. This saves both time and FortiOS Carrier system resources.

 

Bypassing duplicate message detection based on user’s carrier endpoints

You can use carrier endpoint filtering to exempt MMS sessions from duplicate message detection. Carrier endpoint filtering matches carrier endpoints in MMS sessions with carrier endpoint patterns. If you add a carrier endpoint pattern to a filter list and set the action to exempt from mass MMS, all messages from matching carrier endpoints bypass duplicate message detection. For more information about endpoints, see FortiOS Handbook User Authentication guide.

 

Configuring duplicate message detection

To have the Carrier-enabled FortiGate unit check for duplicate messages, configure the duplicate threshold in an MMS profile, and select the MMS profile in a security policy.

All traffic matching the security policy will be checked for duplicate messages according to the settings in the MMS profile.

The duplicate scanner will only scan content. It will not scan headers. Content must be exactly the same. If there is any difference at all in the content, it will not be considered a duplicate.

The modular nature of the profiles allows you great flexibility in how you configure the scanning options. MMS profiles can be used in any number of policies, with different GTP profiles.

In a complex configuration, there may be many security policies, each with a different MMS profile. For a simpler network, you may have many security policies all using the same MMS profile.



OBS Installed Videos Coming Next Week

So I got OBS (Open Broadcasting Software) installed on my rig and all configured. That means you guys are REALLY close to getting some videos that are going to feature my ugly mug, my southern voice and some pretty groovy Fortinet tips and tricks. Pretty excited to be able to share the knowledge I have and engage with you all when it comes to Fortinet hardware and software.

Also, the Forums will be up soon so we can have live conversation and interaction a little better than just using the Comments section of the blog!



Duplicate message protection


The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or other unwanted messages. Often, the same message will be sent by multiple subscribers. The message can be spam, viral marketing, or worm-generated messages. MMS duplicate prevention can help prevent this type of abuse by keeping track of the messages being sent.

 

  • Overview
  • Using message fingerprints to identify duplicate messages
  • Messages from any sender to any recipient
  • Setting duplicate message thresholds
  • Duplicate message actions
  • Notifying duplicate message senders and receivers
  • Viewing DLP archived messages
  • Order of operations: flood checking before duplicate checking
  • Bypassing duplicate message detection based on user’s carrier endpoints
  • Configuring duplicate message detection
  • Sending administrator alert notifications

 

Overview

Duplicate message protection for MM1 messages prevents multiple subscribers from sending duplicate messages to your MMSC. Duplicate message protection for MM4 messages prevents another service provider from sending duplicate messages from the same subscriber to your MMSC. This can help prevent a potential flood that would otherwise become widespread between carriers.

 

MM1 and MM4 duplicate message protection

The FortiOS Carrier unit keeps track of the sent messages. If the same message appears more often than the threshold value you configure, then action is taken. Possible actions are logging the duplicates, blocking or intercepting duplicate messages, archiving the duplicate messages, and sending an alert to inform an administrator that duplicates are occurring.

With this highly configurable system, you can prevent the transmission of duplicate messages when there are more than you determine is acceptable.

For detailed configuration options, see Duplicate Message.

 

Using message fingerprints to identify duplicate messages

The Carrier-enabled FortiGate unit detects duplicates by keeping a record of all the messages travelling on the network and comparing new messages to those that have already been sent.

Rather than save the messages, FortiOS Carrier creates a checksum using the message body and subject. This serves as a fingerprint to identify the message. If another message with the same message body and subject appears, the fingerprint will also be the same and the Carrier-enabled FortiGate unit will recognize it as a duplicate.

By creating and saving message fingerprints instead of saving the messages, the Carrier-enabled FortiGate unit can save resources and time.

 

Messages from any sender to any recipient

Duplicate message detection will detect duplicate messages regardless of the sender or recipient. To do this, message fingerprints are generated using only the message body and subject. The sender, recipient, and other header information are not included.

If multiple messages appear with the same subject and message body, the Carrier-enabled FortiGate unit will recognize them as being the same.

 

Setting duplicate message thresholds

FortiOS Carrier recognizes all duplicate messages, but it will take action only when it detects a volume of duplicate messages that exceeds the duplicate threshold you set. The threshold defines the maximum number of duplicate messages allowed, the period during which the messages are considered, and the length of time the duplicate message cannot be sent by anyone.

For example, you may determine that once a duplicate message is sent more than 300 times in an hour, any attempt to send the same duplicate message will be blocked for 30 minutes.

If a particular duplicate message exceeds the duplicate message threshold and is blocked, any further attempts to send the same message will re-start the block period.

Using the example above, if the duplicate message count exceeds the duplicate threshold, any attempt to send a copy of the duplicate message will be blocked for 30 minutes. If a subscriber tries to send a copy of the message after waiting 15 minutes, the message will be blocked and the block period will be reset to 30 minutes. The block period must expire with no attempts to send a duplicate message. Only then will a subscriber be allowed to send the message. Non-duplicate messages will not reset the block period.
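The fingerprinting and threshold behaviour described above, including the block period that restarts on every blocked attempt, can be traced with a small model. This is an added example, not FortiOS Carrier code: SHA-256 stands in for the unnamed checksum, the message dictionaries are constructed, and clearing the counters once a block period expires is an assumption.

```python
import hashlib
from collections import deque


def fingerprint(message: dict) -> str:
    """Fingerprint from subject and body only; sender, recipient and other
    headers are ignored, so any sender/recipient pair yields the same value."""
    digest = hashlib.sha256()  # stand-in: the text only says "checksum"
    for field in ("subject", "body"):
        data = message[field].encode("utf-8")
        digest.update(len(data).to_bytes(8, "big"))  # keep field boundary unambiguous
        digest.update(data)
    return digest.hexdigest()


class DuplicateThreshold:
    """More than `limit` copies within `window` seconds blocks that message
    for `block_period` seconds; a blocked attempt restarts the block period."""

    def __init__(self, limit=300, window=3600, block_period=1800):
        self.limit = limit
        self.window = window
        self.block_period = block_period
        self._seen = {}           # fingerprint -> deque of send times
        self._blocked_until = {}  # fingerprint -> end of block period

    def blocked_until(self, message):
        return self._blocked_until.get(fingerprint(message))

    def submit(self, now: int, message: dict) -> str:
        fp = fingerprint(message)
        until = self._blocked_until.get(fp)
        if until is not None:
            if now < until:
                # Any attempt during the block restarts the full period.
                self._blocked_until[fp] = now + self.block_period
                return "block"
            # Block period expired with no attempts: start counting afresh.
            del self._blocked_until[fp]
            self._seen.pop(fp, None)
        times = self._seen.setdefault(fp, deque())
        while times and times[0] <= now - self.window:
            times.popleft()       # drop copies that fell out of the window
        times.append(now)
        if len(times) > self.limit:
            self._blocked_until[fp] = now + self.block_period
            return "block"
        return "pass"


def run_scenario():
    """300 per hour, 30-minute block, retry after 15 minutes (times in seconds)."""
    detector = DuplicateThreshold(limit=300, window=3600, block_period=1800)

    def copy_from(n, body="Reply to claim your prize"):
        # Constructed messages: each copy has a different sender and recipient.
        return {"from": f"subscriber-{n}", "to": f"subscriber-{n + 1}",
                "subject": "You won", "body": body}

    first = [detector.submit(t, copy_from(t)) for t in range(300)]
    result = {"first_300_passed": all(r == "pass" for r in first)}
    result["copy_301"] = detector.submit(300, copy_from(300))
    result["block_end_initial"] = detector.blocked_until(copy_from(0))
    result["retry_after_15_min"] = detector.submit(1200, copy_from(301))
    result["block_end_after_retry"] = detector.blocked_until(copy_from(0))
    # One changed character gives a different fingerprint, so it is not counted.
    result["near_duplicate"] = detector.submit(
        1200, copy_from(302, body="Reply to claim your prize!"))
    result["after_quiet_period"] = detector.submit(3000, copy_from(303))
    return result


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```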

 

Duplicate message actions

When the Carrier-enabled FortiGate unit detects that a duplicate message has exceeded the duplicate threshold, it can take any combination of the five actions you configure for the duplicate threshold.

Action                 Description

Log                    Add a log entry indicating that a duplicate message event has occurred. You must also enable logging for MMS Scanning > Bulk Messages in the Logging section of the MMS protection profile.

DLP Archive
  All messages         Save all the messages that exceed the duplicate threshold in the DLP archive.
  First message only   Save the first message to exceed the duplicate threshold in the DLP archive. Subsequent messages that exceed the duplicate threshold will not be saved.

Intercept              Messages that exceed the duplicate threshold are passed to the recipients, but if quarantine is enabled for intercepted messages, a copy of each message is also quarantined for later examination. If the quarantine of intercepted messages is disabled, the Intercept action has no effect.

Block                  Messages that exceed the duplicate threshold are blocked and will not be delivered to the message recipients. If quarantine is enabled for blocked messages, a copy of each blocked message is quarantined for later examination.

Alert Notification     If the duplicate threshold is exceeded, the Carrier-enabled FortiGate unit will send an MMS duplicate message notification message.

 



Sending administrator alert notifications


When message floods are detected, the Carrier-enabled FortiGate unit can be configured to notify you immediately with an MMS message. Enable this feature by selecting Alert Notification in the message flood action. Each message flood threshold can be configured separately.

 

Configuring how and when to send alert notifications

You can configure different alert notifications for MM1 and MM4 message floods. You can configure the FortiOS Carrier unit to send these alert notifications using the MM1, MM3, MM4, or MM7 content interface. Each of these content interfaces requires alert notification settings that the FortiOS Carrier unit uses to communicate with a server using the selected content interface.

For the MM1 content interface you require:

  • The hostname of the server
  • The URL of the server (usually “/”)
  • The server port (usually 80)

 

For the MM3 and MM4 content interfaces you require:

  • The hostname of the server
  • The server port (usually 80)
  • The server user domain

For the MM7 content interface you require:

  • The message type:
      • submit.REQ to send a notification message to the sender in the form of a submit request. The message goes from a VAS application to the MMSC.
      • deliver.REQ to send a notification message to the sender in the form of a deliver request. The message goes from the MMSC to a VAS application.
  • The hostname of the server
  • The URL of the server (usually “/”)
  • The server port (usually 80)
  • A user name and password to connect to the server
  • The value-added-service-provider (VASP) ID
  • The value-added-service (VAS) ID

 

For more information, see MMS notifications.

 

To configure administrator alert notifications – web-based manager

1. Go to Firewall Objects > MMS Profile and edit or add a new MMS protection profile.

2. Expand MMS Bulk Email Filtering Detection.

There are three message flood thresholds.

3. Expand the threshold that you want to configure alert notification for.

4. For Message Flood Action, select the Alert Notification check box. Alert notification options appear.

5. For the Source MSISDN, enter the MSISDN from which the alert notification message will be sent.

6. Select the Message Protocol the alert notification will use: MM1, MM3, MM4, or MM7.

7. Add the information required by FortiOS Carrier to send messages using the selected message protocol:

8. For Notifications Per Second Limit, enter the number of notifications to send per second.

Use this setting to control the number of notifications sent by the FortiOS Carrier unit. If you enter zero (0), the notification rate is not limited.

9. If required, change Window Start Time and Window Duration to configure when the FortiOS Carrier unit sends alert notifications.

By default, notifications are sent at any time of the day. You can change the Window Start Time if you want to delay sending alert messages. You can also reduce the Window Duration if you want to stop sending alert notifications earlier.

For example, you might not want FortiOS Carrier sending notifications except during business hours. In this case the Window Start Time could be 9:00 and the Window Duration could be 8:00 hours.

You can set different alert notifications for each message threshold. For example, you could limit the message window for lower thresholds and set it to 24 hours for higher thresholds. This way administrators will only receive alert notifications outside of business hours for higher thresholds.

10. For Day of Week, select the days of the week to send notifications.

For example, you may only want to send alert notifications on weekends for higher thresholds.

11. In the Interval field, enter the maximum frequency that alert notification messages will be sent, in minutes or hours.

All alerts occurring during the interval will be included in a single alert notification message to reduce the number of alert messages that are sent.

 

Configuring who to send alert notifications to

In each MMS protection profile you add a list of recipient MSISDNs. For each of these MSISDNs you select the message flood threshold that triggers sending notifications to this MSISDN.

To configure the alert notification recipients – web-based manager

1. Go to Firewall Objects > MMS Profile.

2. Select the Edit icon of the MMS profile in which you want to configure the alert notification recipients.

3. Expand MMS Bulk Email Filtering Detection.

4. Expand Recipient MSISDN.

5. Select Create New.

6. In the New MSISDN window, enter the MSISDN to use for flood threshold alert notification.

7. Select the duplicate thresholds at which to send alert notifications to the MSISDN.

 

For the flood threshold to be able to send an alert notification to the MSISDN, the alert notification action must be enabled and configured within the flood threshold.

