MMS virus scanning

You can use MMS virus scanning to scan content contained within MMS messages for viruses. FortiOS Carrier virus scanning can be applied to the MM1, MM3, MM4, and MM7 interfaces to detect and remove content containing viruses at many points in an MMS network. Perhaps the most useful interface to apply virus scanning would be the MM1 interface to block viruses sent by mobile users before they get into the service provider network.

To go to MMS virus scanning, go to Security Profiles > MMS Profile, select an existing profile or create a new one, and expand MMS Scanning. See MMS scanning options.

This section includes:

  • MMS virus monitoring
  • MMS virus scanning blocks messages (not just attachments)
  • Scanning MM1 retrieval messages
  • Configuring MMS virus scanning
  • Removing or replacing blocked messages
  • Carrier Endpoint Block
  • MMS Content Checksum
  • Passing or blocking fragmented messages
  • Client comforting
  • Server comforting
  • Handling oversized MMS messages

 

MMS virus monitoring

To enable MMS virus monitoring, expand MMS Scanning and enable Monitor only for the selected MMS types.

This feature causes the FortiOS Carrier unit to record log messages when MMS scanning options find a virus, match a file name, or match content using any of the other MMS scanning options. Selecting this option enables reporting on viruses and other problems in MMS traffic without affecting users.

 

MMS virus scanning blocks messages (not just attachments)

To enable MMS virus scanning, expand MMS Scanning and enable Virus Scan for the selected MMS types.

Because MM1 and MM7 use HTTP, the oversize limits for HTTP and the HTTP antivirus port configurations also apply to MM1 and MM7 scanning. See

MM3 and MM4 use SMTP and the oversize limits for SMTP and the SMTP antivirus port configurations also apply to MM3 and MM4 scanning.

The message contents will be scanned for viruses, matched against the file extension blocking lists and scanned for banned words. All these items will be configured via the standard GUI interfaces available for the other protocols and will be controlled at the protection profile level with new options specifically for the MM1 messages.

The FortiOS Carrier unit extracts the sender’s Mobile Subscriber Integrated Services Digital Network Number (MSISDN) from the HTTP headers if available. The POST payload is sent to the scan units, which parse the MMS content and scan each message data section. If any part of the data is to be blocked, the proxy is informed, the connection to the MMSC is reset, and the Carrier-enabled FortiGate unit returns an HTTP 200 OK message with an m-send-conf payload to the client to prevent a retry. Finally, the appropriate logging, alert, and replacement message events are triggered.

For client notification, the x-mms-response-status and x-mms-response-text fields can also be customized as required.
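The m-send-conf that the unit returns inside that HTTP 200 OK is an MMS Encapsulation PDU. The following Python is an added example, not FortiOS Carrier code, that builds such a response for a blocked m-send-req and parses the handful of headers involved. The header field codes and values (0x8C for X-Mms-Message-Type, 0x92 for X-Mms-Response-Status, m-send-conf = 0x81, and so on) are the standard MMS Encapsulation assignments; the choice of Error-content-not-accepted (0x87) as the status, the response text and the HTTP framing are assumptions made for the illustration, and the parser only handles the plain text-string header form used here, not the full encoded-string and value-length variants a production parser needs.

```python
# Well-known MMS header field codes (MMS Encapsulation); on the wire each is OR'ed with 0x80.
H_MESSAGE_TYPE, H_TRANSACTION_ID, H_MMS_VERSION = 0x0C, 0x18, 0x0D
H_RESPONSE_STATUS, H_RESPONSE_TEXT, H_MESSAGE_ID, H_TO = 0x12, 0x13, 0x0B, 0x17
M_SEND_REQ, M_SEND_CONF = 0x80, 0x81                  # X-Mms-Message-Type values
STATUS_OK, STATUS_CONTENT_NOT_ACCEPTED = 0x80, 0x87   # X-Mms-Response-Status values
MMS_VERSION_1_2 = 0x92                                 # short integer: major 1, minor 2, high bit set

BYTE_HEADERS = {H_MESSAGE_TYPE, H_MMS_VERSION, H_RESPONSE_STATUS}
TEXT_HEADERS = {H_TRANSACTION_ID, H_RESPONSE_TEXT, H_MESSAGE_ID, H_TO}


def text_string(s: str) -> bytes:
    """WSP Text-string: NUL-terminated, prefixed with a 0x7F quote if the first byte is >= 0x80."""
    b = s.encode("utf-8")
    return (b"\x7f" if b and b[0] >= 0x80 else b"") + b + b"\x00"


def header(code: int, value) -> bytes:
    """One header: field byte (code | 0x80) followed by a one-byte or Text-string value."""
    if code in BYTE_HEADERS:
        return bytes([code | 0x80, value])
    return bytes([code | 0x80]) + text_string(value)


def build_send_req(transaction_id: str, to: str) -> bytes:
    """Header part of a handset's m-send-req (the multipart body that would follow is omitted)."""
    return (header(H_MESSAGE_TYPE, M_SEND_REQ) + header(H_TRANSACTION_ID, transaction_id)
            + header(H_MMS_VERSION, MMS_VERSION_1_2) + header(H_TO, to))


def build_send_conf(transaction_id: str, status: int, text=None, message_id=None) -> bytes:
    """m-send-conf echoing the client's transaction ID so the client can match it."""
    pdu = (header(H_MESSAGE_TYPE, M_SEND_CONF) + header(H_TRANSACTION_ID, transaction_id)
           + header(H_MMS_VERSION, MMS_VERSION_1_2) + header(H_RESPONSE_STATUS, status))
    if text:
        pdu += header(H_RESPONSE_TEXT, text)
    if message_id:
        pdu += header(H_MESSAGE_ID, message_id)
    return pdu


def parse_headers(pdu: bytes) -> dict:
    """Parse the headers this example uses; stops at the first field it does not know."""
    fields, i = {}, 0
    while i < len(pdu):
        code = pdu[i] & 0x7F
        i += 1
        if i >= len(pdu):
            raise ValueError("truncated header")
        if code in BYTE_HEADERS:
            fields[code], i = pdu[i], i + 1
        elif code in TEXT_HEADERS:
            if pdu[i] == 0x7F:            # quote byte, not part of the value
                i += 1
            end = pdu.index(b"\x00", i)
            fields[code], i = pdu[i:end].decode("utf-8"), end + 1
        else:
            break                         # body or an unhandled header: stop here
    return fields


def blocked_response(client_pdu: bytes, reason="Content blocked by MMS virus scanning") -> bytes:
    """The HTTP 200 OK the proxy hands back so the handset does not retry a blocked send."""
    req = parse_headers(client_pdu)
    if req.get(H_MESSAGE_TYPE) != M_SEND_REQ or H_TRANSACTION_ID not in req:
        raise ValueError("not an m-send-req carrying a transaction ID")
    body = build_send_conf(req[H_TRANSACTION_ID], STATUS_CONTENT_NOT_ACCEPTED, text=reason)
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/vnd.wap.mms-message\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body
```

The transaction ID is the only thing the response must carry over from the request; the status byte and text are what the profile's x-mms-response-status and x-mms-response-text settings control.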

Scanning MM1 retrieval messages

To scan MM1 retrieval messages, expand MMS Scanning and select Scan MM1 message retrieval.

Select to scan message retrievals that use MM1. If you enable Virus Scan for all MMS interfaces, messages are also scanned while being sent. In this case, you can disable MM1 message retrieval scanning to improve performance.

 

Configuring MMS virus scanning

To configure MMS virus scanning, expand MMS Scanning and enable Virus Scan.

Once applied to a security policy, the MMS protection profile will then perform virus scans on all traffic accepted by that policy.

 

Removing or replacing blocked messages

To remove blocked messages, expand MMS Scanning and select Remove Blocked for the selected MMS types.

Select Remove Blocked to remove blocked content from each protocol and replace it with the replacement message. If FortiOS Carrier is to preserve the length of the message when removing blocked content, as may be required when billing depends on the length of the message, select Constant.

If you only want to monitor blocked content, select Monitor Only.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

MMS Security features

FortiOS Carrier includes all the Security features of FortiOS with extra features specific to MMS carrier networks. This section includes:

  • Why scan MMS messages for viruses and malware?
  • MMS virus scanning
  • Sender notifications and logging
  • MMS content-based Antispam protection
  • MMS DLP archiving

 

Why scan MMS messages for viruses and malware?

The requirement for scanning MM1 content comes from the fact that MMS is an increasingly popular technique for propagating malware between mobile devices.

 

Example: COMMWARRIOR

This is a virus for Series 60 type cell phones, such as Nokia, running Symbian OS version 6 or higher. The object of the virus is to spread to other phones using Bluetooth and MMS as transport avenues. The targets are selected from the contact list of the infected phone and also sought via Bluetooth, searching for other Bluetooth-enabled devices (phones, printers, gaming devices, etc.) in the proximity of the infected phone.

This virus is more than a proof of concept: it has successfully proven its ability to migrate from a zoo collection to being in the wild. Currently, this virus is being reported in over 18 different countries around Europe, Asia and North America.

When the virus first infects a cell phone, a prompt is displayed asking the recipient if they want to install “Caribe”. Symptoms of an infected phone may include rapid battery power loss due to constant efforts by the virus to spread to other phones via a Bluetooth seek-and-connect outreach.

The following variants among others are currently scanned by the FortiOS Carrier devices, in addition to more signatures that cover all known threats.

  • SymbOS/COMWAR.V10B!WORM
      • Aliases: SymbOS.Commwarrior.B, SymbOS/Commwar.B, SymbOS/Commwar.B!wm, SymbOS/Commwar.B-net, SymbOS/Commwarrior.b!sis, SymbOS/Comwar.B, SymbOS/Comwar.B!wm, SymbOS/Comwar.B-wm, SYMBOS_COMWAR.B, SymbOS/Comwar.1.0.B!worm, SYMBOS/COMWAR.V10B.SP!WORM [Spanish version]
      • First Discovered In The Wild: July 04, 2007
      • Impact Level: 1
      • Virus Class: Worm
      • Virus Name Size: 23,320
  • SymbOS/Commwar.A!worm
      • Aliases: Commwarrior-A, SymbOS.Commwarrior.A [NAV], SymbOS/Commwar.A-net, SymbOS/Commwar_ezboot.A-ne, SymbOS/Comwar.A, SymbOS/Comwar.A-wm, SYMBOS_COMWAR.A [Trend]
      • First Discovered In The Wild: May 16, 2005
      • Impact Level: 1
      • Virus Class: Worm
      • Virus Name Size: 27,936
  • SymbOS/Commwarriie.C-wm
      • Aliases: None
      • First Discovered In The Wild: Oct 17, 2005
      • Impact Level: 1
      • Virus Class: File Virus
      • Virus Name Size: None

 

For the latest list of threats Fortinet devices detect, visit the FortiGuard Center.



Carrier web-based manager settings

The Carrier menu provides settings for configuring FortiOS Carrier features within the Security Profiles menu. These features include MMS and GTP profiles.

In Security Profiles > Carrier, you can configure profiles and settings for MMS and GTP. In the Carrier menu, you can configure an MMS profile and then apply it to a security policy. You can also configure GTP profiles and apply those to security policies as well.

This topic includes the following:

MMS profiles

Since MMS profiles can be used by more than one security policy, you can configure one profile for the traffic types handled by a set of security policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.

If the security policy requires authentication, do not select the MMS profile in the security policy. This type of profile is specific to the authenticating user group. For details on configuring the profile associated with the user group, see User Groups in the Authentication guide.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

Once you have configured the MMS profile, you can then apply the profile to MMS traffic by applying it to a security policy.

MMS profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS profile.

 

The MMS Profile page contains options for each of the following:

  • MMS scanning
  • MMS Bulk Email Filtering Detection
  • MMS Address Translation
  • MMS Notifications
  • DLP Archive
  • Logging


SCTP

As of FortiOS version 5.0, the FortiGate natively handles SCTP (Stream Control Transmission Protocol) traffic as an alternative to TCP and UDP for use in Carrier networks. The FortiGate handles SCTP as it would any other traffic.

 

 

Overview

SCTP is a connection-oriented transport protocol that overcomes some of the limitations of both TCP and UDP that prevent reliable transfer of data over IP-based networks (such as those used by telephony systems and carrier networks). The ‘Stream’ in SCTP refers to the sequence of user messages or packets that are considered at the same time to be individual objects and also treated as a whole by networked systems. SCTP is less vulnerable to congestion and flooding due to more advanced error handling and flood protection built into the protocol.

 

SCTP features as compared to TCP and UDP

Feature                                        SCTP   TCP   UDP
State required at each endpoint                yes    yes   no
Reliable data transfer                         yes    yes   no
Congestion control and avoidance               yes    yes   no
Message boundary conservation                  yes    no    yes
Path MTU discovery and message fragmentation   yes    yes   no
Message bundling                               yes    yes   no
Multi-homed hosts support                      yes    no    no
Multi-stream support                           yes    no    no
Unordered data delivery                        yes    no    yes
Security cookie against SYN flood attack       yes    no    no
Built-in heartbeat (reachability check)        yes    no    N/A

All of these features are built into the design of the Protocol, and the structure of SCTP packets and networks. The FortiGate unit interprets the traffic and provides the necessary support for maintenance and verification features, but the features are not FortiGate specific. These features are documented in greater detail below.

 

State required at each endpoint

Acknowledgement and content verification messages are constantly exchanged between all SCTP peer endpoints, and the endpoints’ state machines must stay synchronized for traffic to flow.

 

Reliable data transfer

SCTP places data and control information (e.g. source, destination, verification) into separate chunks that share the same header in the same SCTP packet. This allows constant verification of the contained data at both ends and along the path, so loss or corruption is detected and the affected data retransmitted. Also, data is not sent as one interruptible byte stream as in TCP.

 

Congestion control and avoidance

Built-in, constantly updating path detection and monitoring automatically redirect packets along alternate paths in case of traffic congestion or inaccessible destinations. For deliberate or malicious flooding, see the Security cookie against SYN flood attack feature in the table above.
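The State Cookie behind the “Security cookie against SYN flood attack” entry works because the listener commits no memory to an association until the initiator proves it can receive at its claimed address. The following Python is an added example, not FortiGate code, that models the four-way INIT / INIT-ACK / COOKIE-ECHO / COOKIE-ACK handshake with both sides’ messages and shows a flood of spoofed INITs leaving the listener with no state. The cookie layout (both verification tags, an expiry, the peer address, an HMAC-SHA256 tag) is an assumption for the example, since RFC 4960 leaves the cookie format to the implementation; the 60-second lifetime is RFC 4960’s default Valid.Cookie.Life.

```python
import hashlib
import hmac
import os
import struct

COOKIE_LIFETIME = 60   # seconds a State Cookie stays valid (RFC 4960 default)
MAC_LEN = 32           # HMAC-SHA256 tag appended to the cookie


class CookieListener:
    """Passive side of an SCTP-style four-way handshake. Unlike a TCP listener, on_init()
    stores nothing: the would-be association state is serialised into a State Cookie,
    authenticated with a secret only this listener knows, and handed back in INIT-ACK.
    State is allocated only when a valid COOKIE-ECHO returns from the same peer address."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.associations = {}   # peer address -> (peer verification tag, our verification tag)

    def on_init(self, peer: str, peer_tag: int, now: float):
        """Handle INIT; return the INIT-ACK contents: (our verification tag, State Cookie)."""
        our_tag = struct.unpack("!I", os.urandom(4))[0]
        body = struct.pack("!IIQ", peer_tag, our_tag, int(now) + COOKIE_LIFETIME) + peer.encode()
        mac = hmac.new(self.secret, body, hashlib.sha256).digest()
        return our_tag, body + mac          # nothing is remembered here

    def on_cookie_echo(self, peer: str, cookie: bytes, now: float) -> bool:
        """Validate COOKIE-ECHO; on success allocate the association and answer COOKIE-ACK (True)."""
        if len(cookie) < 16 + MAC_LEN:
            return False
        body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                                  # forged or tampered cookie
        peer_tag, our_tag, expiry = struct.unpack("!IIQ", body[:16])
        if body[16:] != peer.encode() or now > expiry:
            return False                                  # replayed from another address, or stale
        self.associations[peer] = (peer_tag, our_tag)     # state exists only from this point
        return True


def spoofed_init_flood(listener: CookieListener, count: int, now: float = 0) -> int:
    """Attacker sends INITs from forged addresses and never echoes a cookie.
    Returns how many associations the listener holds afterwards."""
    for i in range(count):
        listener.on_init(f"198.51.100.{i % 256}:{10000 + i}", i, now)
    return len(listener.associations)


def genuine_handshake(listener: CookieListener, peer: str, now: float = 0) -> bool:
    """Initiator side: send INIT, receive INIT-ACK, echo the cookie unchanged."""
    my_tag = struct.unpack("!I", os.urandom(4))[0]
    server_tag, cookie = listener.on_init(peer, my_tag, now)
    return listener.on_cookie_echo(peer, cookie, now + 1)
```

The address check is what defeats the spoofed flood: an attacker who forges source addresses never sees the INIT-ACK, so it cannot echo the cookie, and an attacker who does see it cannot use it from another address or alter the tags without invalidating the MAC.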

 

Message boundary conservation

SCTP is designed so that no matter how messages are divided, redirected, or fragmented, the message boundaries are preserved within the packets, and chunks cannot be appended to or merged with one another without tripping the verification mechanisms.

 

Path MTU discovery and message fragmentation

SCTP is capable of Path Maximum Transmission Unit discovery, as outlined in RFC4821. Two specific alterations have been made to how SCTP handles MTU. First, that endpoints will have separate MTU estimates for each possible multi-homed endpoint. Second, that bundled message fragments (as explained below) will be directed based on MTU calculations, so that retransmissions (if necessary) will be sent without delay to alternate addresses.

 

Message bundling

SCTP is a message-oriented protocol: although it carries streaming data, it transports a sequence of discrete messages rather than a stream of bytes (as TCP does). Because many messages are smaller than a packet, several messages, and the control chunks that accompany them, can be bundled into one SCTP packet and transmitted together.

 

Multihomed hosts support

SCTP supports multi-homing, a network structure in which one or more sources or destinations have more than one IP address. SCTP can adapt to multi-homing scenarios and redirect traffic to alternate IP addresses in case of failure.

 

Multistream support

SCTP can also ‘multi-stream’ content: one association carries several independently sequenced streams, so different types of content (e.g. images and text) can be delivered in parallel, and a lost packet on one stream delays only that stream rather than the whole association.

 

Unordered data delivery

With control information in every packet to verify the packet’s data and its place in the stream, the data being transmitted can arrive in any order, and the receiver can still verify that everything has arrived or that something is missing.



GPRS network common interfaces

There are interfaces for each connection on the GPRS network. An interface is an established standard form of communication between two devices. Consider a TCP/IP network. In addition to the transport protocol (TCP) there are other protocols on that network that describe how devices can expect communications to be organized, just like GPRS interfaces.

 

Interfaces between devices on the network

There are a series of interfaces that define how different devices on the carrier network communicate with each other. These interfaces are called Ga to Gz, and each one defines how a specific pair of devices will communicate. For example, Gb is the interface between the base station and the SGSN, and Gn is one possible interface between the SGSN and GGSN.

The SGSN and GGSN keep track of the CDR information and forward it to the Charging Data Function (CDF) using the Gr interface between the SGSN and home location register (HLR), Gs interface between the SGSN and MSC (VLR), Gx interface between the GGSN and the Charging Rules Function (CRF), Gy between the GGSN and online charging system (OCS), and finally Gz which is the off-line (CDR-based) charging interface between the GSN and the CG that uses GTP’.

Each of these interfaces on the GPRS network has a name in the format Gx, where x is a letter of the alphabet that identifies the part of the network the interface is used in. It is common for network diagrams of GPRS networks to include the interface name on connections between devices.

The Carrier-enabled FortiGate unit only provides protection on the Gn, Gp, and Gi interfaces.

 

GPRS network interfaces, their roles, and billing

Ga
  Device connections: CDR and GSN (SGSNs and GGSNs)
  Traffic protocol: GTP‘ (GTP modified to include the CDR role)
  Role / billing: CDRs hold the accounting records, which are compiled in the GSN and then sent to the Charging Gateway (CG).

Gb
  Device connections: MS and SGSN
  Traffic protocol: Frame Relay or IP
  Role / billing: When an IP address moves to a new MS, the old MS may continue to use and bill that IP address.

Gi
  Device connections: GGSN and public data networks (PDNs)
  Traffic protocol: IP based
  Role / billing: This is the connection to the Internet. If the GTP tunnel is deleted without notifying the Gi interface, the connection may remain open, incurring additional charges. FortiOS Carrier adds this interface to a firewall. See Anti-overbilling with FortiOS Carrier.

Gn
  Device connections: SGSN and external SGSNs and internal GGSNs
  Traffic protocol: GTP
  Role / billing: When the GTP tunnel is deleted, the other interfaces need to be informed immediately to prevent misuse of connections remaining open. FortiOS Carrier adds this interface to a firewall.

Gp
  Device connections: Internal SGSN and external GGSNs
  Traffic protocol: GTP
  Role / billing: As for Gn. FortiOS Carrier adds this interface to a firewall.

Gz
  Device connections: GSN (SGSN and GGSN) and the charging gateway (CG)
  Traffic protocol: GTP‘
  Role / billing: Used for the offline (CDR-based) charging interface; Ga carries the resulting CDRs to the CG, and online charging uses Gy (see above).

Corporate customers may have a direct connection to the Gi interface for higher security. The Gi interface is normally an IP network, though a tunnelling protocol such as GRE or IPsec may be used instead.

 

 

Packet flow through the GPRS network

To better understand the GPRS network, we will follow the path data takes for a normal connection. For this example a call placed from a mobile phone involves accessing services on the Internet.

 

Sample GPRS network topology

1. A mobile phone places a call using a mobile station (MS). This connection between the mobile phone and the MS is a radio connection using one of the radio access technologies. See Radio Access Technology (RAT) type.

2. The MS connects to a GPRS Support Node (GSN), specifically a Serving GSN (SGSN). This connection uses the Gb interface and typically runs over IP or Frame Relay.

3. The SGSN checks the mobile phone information located in the home location register (HLR) or visitor location register (VLR) to ensure there is subscriber information for that phone. If this mobile phone is from another network, the SGSN uses the VLR and updates its home carrier’s information with its current location and information. This lookup uses the Gr interface between the SGSN and the HLR (and Gs towards the MSC/VLR), as listed above.

4. The SGSN checks to make sure the phone did not transfer this connection from a different MS. If it did, the connection has already been established (along with the billing) and is handed off to this SGSN. If the call is being handed over from another SGSN, it will use the Gn interface between the two SGSNs.

5. The SGSN sends GTP messages to the local external Gateway GSN (GGSN) to create a GTP tunnel for this PDP context to access the Internet. It is possible that a remote GGSN has access to a service, such as a WAP gateway, that the local GGSN is missing. In this situation, the local SGSN uses the Gp interface to connect to the remote GGSN. Both the Gn and Gp interfaces use GTP.

6. Both the local and remote GGSNs connect to external services outside the GPRS network. These services can include a WAP gateway, a corporate IP network directly connected to the GPRS network, or the Internet. The connection from the GGSN to the external services uses the Gi interface.



GPRS security

The GPRS network has some built-in security in the form of GPRS authentication. However this is minimal, and is not sufficient for carrier network security needs. A GTP firewall, such as FortiOS Carrier, is required to secure the Gi, Gn, and Gp interfaces.

 

GPRS authentication

GPRS authentication is handled by the SGSN so that unauthorized mobile stations cannot obtain GPRS service beyond the radio part of the network (the base station system and the mobile station). Authentication combines the customer’s subscriber key material with a random number (the challenge) and runs two algorithms: one produces the response that authenticates the customer, the other produces the cipher key that protects that customer’s traffic.

User identity confidentiality ensures that customer information stays between the mobile station and the SGSN — no identifying information goes past the SGSN. Past that point other numbers are used to identify the customer and their connection on the network.

Periodically the SGSN may request identity information from the mobile station to compare to what is on record, using the IMEI number.

Call confidentiality is achieved through the use of a cipher keyed from the GPRS authentication described above. The cipher is applied between the mobile station and the SGSN. Essentially a cipher mask (keystream) is XORed with each outgoing frame, and the receiving side XORs the frame with the same mask to recover the original frame and data.
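As an added illustration of that XOR masking (example code, not the GPRS GEA algorithms), the following Python derives a per-frame keystream from the session key, the direction and a frame counter, applies it with XOR in both directions, and shows why the frame-dependent input matters: if two frames are ever masked with the same keystream, XORing the two ciphertexts cancels the mask and hands an eavesdropper the XOR of the two plaintexts. The HMAC-SHA256 counter-mode keystream and the key value are stand-ins constructed for the example.

```python
import hashlib
import hmac
import struct


def frame_keystream(kc: bytes, direction: int, frame_counter: int, length: int) -> bytes:
    """Keystream for one frame. GPRS derives it with a GEA algorithm from the session key Kc,
    the direction bit and a frame-dependent input; this example substitutes HMAC-SHA256 in
    counter mode so it runs without any telecom library. Same inputs -> same keystream."""
    blocks, out = 0, b""
    while len(out) < length:
        out += hmac.new(kc, struct.pack("!BIH", direction, frame_counter, blocks),
                        hashlib.sha256).digest()
        blocks += 1
    return out[:length]


def xor_frame(kc: bytes, direction: int, frame_counter: int, frame: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): frame XOR keystream."""
    ks = frame_keystream(kc, direction, frame_counter, len(frame))
    return bytes(a ^ b for a, b in zip(frame, ks))


def keystream_reuse_leak(kc: bytes, direction: int, frame_counter: int,
                         frame_a: bytes, frame_b: bytes) -> bytes:
    """What an eavesdropper computes if two frames were masked with the same keystream:
    ciphertext_a XOR ciphertext_b, which equals plaintext_a XOR plaintext_b."""
    n = min(len(frame_a), len(frame_b))
    ca = xor_frame(kc, direction, frame_counter, frame_a[:n])
    cb = xor_frame(kc, direction, frame_counter, frame_b[:n])
    return bytes(x ^ y for x, y in zip(ca, cb))
```

Because the mask is a function of the key, the direction and the counter, the receiver needs all three to regenerate it; a wrong direction bit or counter yields garbage, and the uplink and downlink never share a mask even under the same key.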

 

Parts of a GTPv1 network

A sample GTP network consists of the end handset sender, the sender’s mobile station, the carrier’s network including the SGSN and GGSN, the receiver’s mobile station, and the receiver handset.

When a handset moves from one mobile station and SGSN to another, the handset’s connection to the Internet is preserved because the tunnel the handset has to the Internet using GTP tracks the user’s location and information. For example, the handset could move from one cell to another, or between countries.

 

The parts of a GPRS network can be separated into the following groups according to the roles of the devices:

  • Radio access to the GPRS network is provided by mobile phones and mobile stations (MS).
  • Transport of GPRS packets across the GPRS network is handled by SGSNs and GGSNs, both local and remote, which deliver the packets to the external services.
  • Billing and records are handled by CDF, CFR, HLR, and VLR devices.

GPRS networks also rely on access points and PDP contexts as central parts of the communication structure. These are not actual devices, but they are still critical.

These devices, their roles, neighboring devices, the interfaces and protocols they use are outlined in the following table.

 

Carrier network showing the interfaces used (GTPv1)

 

Devices on a GTPv1 network

Mobile Users
  Neighboring devices: Mobile Stations (MS)
  Interfaces used: Radio Access Technology (RAT)

Mobile Stations (MS)
  Neighboring devices: Mobile Users, SGSN
  Interfaces used: Gb
  Protocols used: IP, Frame Relay

SGSN (local)
  Neighboring devices: MS, SGSN (local or remote), GGSN (local and remote), CDR, CFR, HLR, VLR
  Interfaces used: Ga, Gb, Gn, Gp, Gz
  Protocols used: IP, Frame Relay, GTP, GTP’

SGSN (remote)
  Neighboring devices: SGSN (local)
  Interfaces used: Gn
  Protocols used: GTP

GGSN (local)
  Neighboring devices: SGSN (local or remote), GGSN (local and remote), CDR, CFR, HLR, VLR
  Interfaces used: Ga, Gi, Gn, Gp, Gz
  Protocols used: IP, GTP, GTP’

GGSN (remote)
  Neighboring devices: SGSN (local), WAP gateway, Internet, other external services
  Interfaces used: Gi, Gp
  Protocols used: IP, GTPv1

CDR, CFR
  Neighboring devices: SGSN (local), GGSN (local)
  Interfaces used: Ga, Gz
  Protocols used: GTP’

HLR, VLR
  Neighboring devices: SGSN (local), GGSN (local)
  Interfaces used: Ga, Gz
  Protocols used: GTP’



MMS protection profiles

An MMS protection profile is a group of settings that you can apply to an MMS session matched by a security policy.

MMS protection profiles are easy to configure and can be used by more than one security policy. You can configure a single MMS protection profile for the different traffic types handled by a set of security policies that require identical protection levels and types. This eliminates the need to repeatedly configure those same MMS protection profile settings for each individual security policy.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need only moderate protection. You would configure two separate MMS protection profiles to provide the different levels of protection: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

Once you have configured the MMS Protection Profile, you need to add it to a security policy to apply the profile to MMS traffic.

 

Bypassing MMS protection profile filtering based on carrier endpoints

You can use carrier endpoint filtering to exempt MMS sessions from MMS protection profile filtering. Carrier endpoint filtering matches carrier endpoints in MMS sessions with carrier endpoint patterns. If you add a carrier endpoint pattern to a filter list and set the action to exempt from all scanning, all messages from matching carrier endpoints bypass MMS protection profile filtering. See Bypassing message flood protection based on user’s carrier endpoints.

 

Applying MMS protection profiles to MMS traffic

To apply an MMS protection profile, first create the profile, then add it to a security policy by enabling the Carrier security profile. The MMS protection profile is then applied to the traffic accepted by that security policy.

MMS protection profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS protection profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS protection profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS protection profile.

 

To add an MMS protection profile to a security policy

1. Go to Security Profiles > MMS Profile.

2. Select Create New to add an MMS protection profile.

3. Configure as needed, and save.

4. Go to Policy & Objects > IPv4 Policy.

5. Select Create New to add a security policy, or select an existing policy and Edit to add the MMS profile.

6. Configure the security policy as required.

7. Enable MMS Profile, and select the MMS profile to add to the security policy.

8. Select OK.

 

 

GTP basic concepts

GPRS currently supports data rates from 9.6kbps to more than 100 kbps, and is best suited for burst forms of traffic. GPRS involves both radio and wired components. The mobile phone sends the message to a base station unit (radio based), and the base station unit sends the message to the carrier network and eventually the Internet (wired carrier network).

The network system then either sends the message back to a base station and to the destination mobile unit, or forwards the message to the proper carrier’s network where it gets routed to the mobile unit.

 

PDP Context

The packet data protocol (PDP) context is a connection between a mobile station and the end address that goes through the SGSN and GGSN. It includes identifying information about the mobile customer used by each server or device to properly forward the call data to the next hop in the carrier network, typically using a GTP tunnel between the SGSN and GGSN.

When a mobile customer has an active voice or data connection open, both the SGSN and GGSN have the PDP context information for that customer and session.

When a mobile phone attempts to communicate with an address on an external packet network, either an IP or X.25 address, the mobile station that phone is connected to opens a PDP context through the SGSN and GGSN to the end address. Before any traffic is sent, the PDP context must first be activated.

The information included in the PDP context includes the customer’s IP address, the IMSI number of the mobile handset, and the tunnel endpoint ID for both the SGSN and GGSN. The ID is a unique number, much like a session ID on a TCP/IP firewall. All this information ensures a uniquely identifiable connection is made.

Since one mobile device may have multiple connections open at one time, such as data connections to different Internet services and voice connections to different locations, there may be more than one PDP context with the same IP address making the extra identifying information required.

The endpoint that the mobile phone is connecting to only knows about the GGSN — the rest of the GPRS connection is masked by the GGSN.

Along the PDP context path, communication uses three different protocols.

  • The connection between the Mobile Station and SGSN uses the SM protocol.
  • Between SGSN and GGSN GTP is used.
  • Between GGSN and the endpoint either IP or X.25 is used.

FortiOS Carrier is concerned with the SGSN to GGSN part of the PDP context — the part that uses GTP. For more about PDP context, see Tunnel Management Messages.

Creating a PDP context

While FortiOS Carrier is concerned mostly with the SGSN to GGSN part of the PDP Context, knowing the steps involved in creating a PDP context helps understand the role each device, protocol, and message type plays.

Both mobile stations and GGSNs can create PDP contexts.

 

A Mobile Station creates a PDP context

1. The Mobile Station (MS) sends a PDP activation request message to the SGSN, including the MS PDP address and APN.

2. Optionally, security functions may be performed to authenticate the MS.

3. The SGSN determines the GGSN address by using the APN identifier.

4. The SGSN creates a downlink GTP tunnel to send IP packets between the GGSN and SGSN.

5. The GGSN creates an entry in its PDP context table to deliver IP packets between the SGSN and the external packet switching network.

6. The GGSN creates an uplink GTP tunnel to route IP-PDU from SGSN to GGSN.

7. The GGSN then sends back to the SGSN the result of the PDP context creation and, if necessary, the MS PDP address.

8. The SGSN sends an Activate PDP context accept message to the MS, returning the negotiated PDP context information and, if necessary, the MS PDP address.

9. Now traffic can pass from the MS to the external network endpoint.

 

A GGSN creates a PDP context

1. The network receives an IP packet from an external network.

2. The GGSN checks if the PDP Context has already been created.

3. If not, the GGSN sends a PDU notification request to the SGSN in order to initiate a PDP context activation.

4. The GGSN retrieves the IP address of the appropriate SGSN address by interrogating the HLR from the IMSI identifier of the MS.

5. The SGSN sends to the MS a request to activate the indicated PDP context.

6. The PDP context activation procedure follows the one initiated by the MS. See “A Mobile Station creates a PDP context”.

7. When the PDP context is activated, the IP packet can be sent from the GGSN to the MS.

 

Terminating a PDP context

A PDP context remains open until it is terminated. To terminate the PDP context an MS sends a Deactivate PDP context message to the SGSN, which then sends a Delete PDP Context message to the GGSN. When the SGSN receives a PDP context deletion acknowledgment from the GGSN, the SGSN confirms to the MS the PDP context deactivation. The PDP can be terminated by the SGSN or GGSN as well with a slight variation of the order of the messages passed.

When the PDP Context is terminated, the tunnel it was using is deleted as well. If this is not completed in a timely manner, it is possible for someone else to start using the tunnel before it is deleted. This hijacking will result in the original customer being overbilled for the extra usage. Anti-overbilling helps prevent this. See Configuring Anti-overbilling in FortiOS Carrier.
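The PDP context creation steps above and the tunnel deletion just described are exactly what a GTP firewall on Gn/Gp has to track. The following Python is an added example, not FortiOS Carrier’s implementation: it encodes and decodes the GTPv1 header plus a few fixed-length information elements (Cause, IMSI, TEID Data I, TEID Control Plane, with the type numbers from 3GPP TS 29.060), then keeps a table of tunnels learned from Create / Delete PDP Context exchanges so that a G-PDU whose TEID was never assigned, or whose context has already been deleted, is dropped instead of being carried and billed to the subscriber who used to own it. The IE subset, the lack of extension-header handling, and the forward/drop decisions are simplifications chosen for the example; the TEIDs and the IMSI in the usage are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# GTPv1 message types (3GPP TS 29.060)
CREATE_PDP_REQ, CREATE_PDP_RSP = 16, 17
DELETE_PDP_REQ, DELETE_PDP_RSP = 20, 21
G_PDU = 255

# Fixed-length (TV) information elements handled here: IE type -> value length in bytes
IE_CAUSE, IE_IMSI, IE_TEID_DATA, IE_TEID_CTRL = 1, 2, 16, 17
TV_LEN = {IE_CAUSE: 1, IE_IMSI: 8, IE_TEID_DATA: 4, IE_TEID_CTRL: 4}
CAUSE_ACCEPTED = 128


@dataclass
class Gtp:
    msg_type: int
    teid: int              # header TEID: 0 in a Create request, the peer's TEID afterwards
    seq: Optional[int]
    ies: dict              # IE type -> raw value; a G-PDU keeps its payload under "payload"


def u32(b: bytes) -> int:
    return struct.unpack("!I", b)[0]


def build(msg_type: int, teid: int, seq=None, ies=(), payload=b"") -> bytes:
    """Encode a GTPv1 message; ies is an iterable of (type, value) TV elements in type order."""
    body = b"".join(bytes([t]) + v for t, v in ies) + payload
    flags, opt = 0x30, b""                       # version 1, PT=1 (GTP, not GTP')
    if seq is not None:
        flags |= 0x02                            # S flag: sequence number present
        opt = struct.pack("!HBB", seq, 0, 0)     # seq, N-PDU number, next extension header type
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(body), teid) + opt + body


def parse(pkt: bytes) -> Gtp:
    """Decode the header and the TV IEs above, rejecting anything malformed or unsupported."""
    if len(pkt) < 8:
        raise ValueError("short header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1")
    if len(pkt) != 8 + length:
        raise ValueError("length field does not match the packet")
    body, seq = pkt[8:], None
    if flags & 0x07:                              # E, S or PN set: 4 optional bytes follow
        if len(body) < 4:
            raise ValueError("truncated optional header")
        if flags & 0x02:
            seq = struct.unpack("!H", body[:2])[0]
        if body[3] != 0:
            raise ValueError("extension headers are not handled in this example")
        body = body[4:]
    if msg_type == G_PDU:
        return Gtp(msg_type, teid, seq, {"payload": body})
    ies = {}
    while body:
        t = body[0]
        n = TV_LEN.get(t)
        if n is None or len(body) < 1 + n:
            raise ValueError(f"unsupported or truncated IE type {t}")
        ies[t], body = body[1:1 + n], body[1 + n:]
    return Gtp(msg_type, teid, seq, ies)


class GtpFirewall:
    """Stateful Gn/Gp filter. A G-PDU is forwarded only if its TEID belongs to a PDP context
    whose Create exchange this firewall saw succeed; the TEIDs are forgotten on Delete."""

    def __init__(self):
        self.pending = {}   # Create seq -> (imsi, SGSN data TEID, SGSN control TEID)
        self.data = {}      # data-plane TEID, either direction -> imsi
        self.ctrl = {}      # control-plane TEID, either side -> (sgsn_data, ggsn_data, sgsn_ctrl, ggsn_ctrl)

    def inspect(self, pkt: bytes, from_sgsn: bool) -> bool:
        """True to forward the packet, False to drop it."""
        try:
            m = parse(pkt)
        except ValueError:
            return False
        if m.msg_type == G_PDU:
            return m.teid in self.data             # no live context, no tunnel: drop
        if m.msg_type == CREATE_PDP_REQ and from_sgsn:
            if not {IE_IMSI, IE_TEID_DATA, IE_TEID_CTRL}.issubset(m.ies):
                return False
            self.pending[m.seq] = (m.ies[IE_IMSI], u32(m.ies[IE_TEID_DATA]), u32(m.ies[IE_TEID_CTRL]))
        elif m.msg_type == CREATE_PDP_RSP and not from_sgsn:
            req = self.pending.pop(m.seq, None)
            if req is None or IE_CAUSE not in m.ies:
                return False                       # response without a matching request
            if m.ies[IE_CAUSE][0] == CAUSE_ACCEPTED:
                if not {IE_TEID_DATA, IE_TEID_CTRL}.issubset(m.ies):
                    return False
                imsi, sgsn_data, sgsn_ctrl = req
                ggsn_data, ggsn_ctrl = u32(m.ies[IE_TEID_DATA]), u32(m.ies[IE_TEID_CTRL])
                self.data[sgsn_data] = self.data[ggsn_data] = imsi   # downlink and uplink TEIDs
                ctx = (sgsn_data, ggsn_data, sgsn_ctrl, ggsn_ctrl)
                self.ctrl[sgsn_ctrl] = self.ctrl[ggsn_ctrl] = ctx
        elif m.msg_type == DELETE_PDP_RSP:
            ctx = self.ctrl.get(m.teid)            # header TEID is a control TEID of the context
            if ctx and m.ies.get(IE_CAUSE, b"\x00")[0] == CAUSE_ACCEPTED:
                for t in ctx[:2]:
                    self.data.pop(t, None)
                for t in ctx[2:]:
                    self.ctrl.pop(t, None)
        return True
```

The two lookups that matter for anti-overbilling are the G-PDU check (a data TEID must have been handed out in an accepted Create PDP Context Response) and the Delete handling (both data TEIDs disappear the moment the deletion is acknowledged, so traffic that arrives on the old tunnel afterwards is dropped rather than charged to the previous subscriber).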


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiOS Carrier and MMS duplicate messages and message floods

FortiOS Carrier detects duplicate messages and message floods on the MM1 and MM4 interfaces. The way FortiOS Carrier detects and responds to duplicate messages and message floods differs from the way it detects and responds to viruses and the other MMS scanning protection measures.

For message floods and duplicate messages, the sender does not receive a notification, because a sender who is an attacker could use such notifications to learn the flood and duplicate thresholds. In addition, duplicate messages and message floods are usually the result of a large amount of messaging activity, and filtering them is intended to reduce the amount of unwanted messaging traffic; sending notifications to senders and receivers would only add to that traffic.

You can create up to three thresholds for detecting duplicate messages and message floods. For each threshold you can configure the FortiOS Carrier unit to respond by logging the activity, archiving or quarantining the messages, notifying administrators, and blocking the messages. In many cases you will only want to block at the higher activity thresholds, and just monitor and send administrator notifications at the lower ones.

When a block threshold is reached for MM1 messages, FortiOS Carrier sends an m-send.conf (for sent messages) or m-retrieve.conf (for retrieved messages) message to the originator of the activity. These messages end the MM1 session; without them the originator would keep re-sending the blocked message. When a block threshold is reached for MM4, FortiOS Carrier sends an MM4-forward.res message to close the MM4 session. The MM4-forward.res is sent only if the originating MM4-forward.req message requested a response.

MM1 message flood and duplicate message blocking of sent messages (parties: Sender, FortiOS Carrier, MMSC)

1. The sender opens a TCP session to FortiOS Carrier.
2. FortiOS Carrier opens a TCP session to the MMSC.
3. The sender sends m-send.req.
4. FortiOS Carrier detects the flood or duplicate and blocks the message.
5. The TCP session is reset.
6. FortiOS Carrier sends an m-send.conf replacement message to the sender.
7. The TCP session is closed.
8. A notification message is sent to administrators (various protocols), once per notification period regardless of how many messages are blocked.

MM1 message flood and duplicate message blocking of received messages (parties: MMSC, FortiOS Carrier, Receiver)

1. The receiver sends a GET request for the message to FortiOS Carrier.
2. FortiOS Carrier forwards the GET request to the MMSC.
3. The MMSC returns the m-retrieve.conf message.
4. FortiOS Carrier detects the flood or duplicate and blocks the message.
5. FortiOS Carrier sends an m-retrieve.conf replacement message to the receiver.
6. A notification message is sent to administrators (various protocols), once per notification period regardless of how many messages are blocked.

MM4 message flood and duplicate message blocking (parties: Forwarding Operator MMSC, FortiOS Carrier, Receiving Operator MMSC)

1. The forwarding operator's MMSC opens a TCP session to FortiOS Carrier.
2. FortiOS Carrier opens a TCP session to the receiving operator's MMSC.
3. The forwarding MMSC sends the full MM4-forward.req message.
4. FortiOS Carrier relays the full MM4-forward.req message to the receiving MMSC, but without the terminating ‘.’ on a single line, so the receiving MMSC does not accept the message.
5. m-retrieve.conf message.
6. FortiOS Carrier detects the flood or duplicate and blocks the message.
7. FortiOS Carrier resets the TCP session to the receiving MMSC.
8. FortiOS Carrier sends a 250 response to the forwarding MMSC.
9. The TCP session with the forwarding MMSC is closed.
10. FortiOS Carrier opens a new TCP session to the forwarding MMSC.
11. FortiOS Carrier sends the MM4-forward.res message.
12. The TCP session is closed. Steps 10 to 12 are only initiated if the MM4-forward.req message requested a response.
13. A notification message is sent to administrators (various protocols), once per notification period regardless of how many messages are blocked.
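The three-threshold detection and the silent blocking responses described in this section, modelled as an added example that is not FortiOS Carrier code. The window lengths, limits, notification period, MSISDN and message bodies are constructed for illustration, and the sliding window and SHA-256 content hashing are this example's own design; the real thresholds are configured in the MMS profile.

```python
"""Added example (not FortiOS Carrier code): a simplified model of the
three-threshold duplicate and flood detection for MM1/MM4. All numbers
and sample messages here are constructed for illustration."""
import hashlib
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Threshold:
    """One of up to three thresholds: fires when at least `limit` events
    from one sender fall inside the last `window` seconds."""
    name: str
    window: float
    limit: int
    log: bool = True
    notify: bool = False
    block: bool = False


# Block only at the highest threshold; the lower ones just log and notify.
THRESHOLDS = [
    Threshold("low", window=60, limit=3, notify=True),
    Threshold("mid", window=60, limit=4, notify=True),
    Threshold("high", window=60, limit=5, notify=True, block=True),
]


def replacement_message(interface, direction):
    """The protocol message used to end the session of a blocked message.
    The sender is never told a threshold fired; it only receives the
    normal confirmation so that it stops re-sending."""
    if interface == "mm1":
        return "m-send.conf" if direction == "send" else "m-retrieve.conf"
    if interface == "mm4":
        return "MM4-forward.res"
    raise ValueError("flood/duplicate detection applies to MM1 and MM4 only")


@dataclass
class Detector:
    thresholds: list
    notify_period: float                          # seconds between admin notifications
    sent: dict = field(default_factory=dict)      # sender -> timestamps (flood)
    dupes: dict = field(default_factory=dict)     # (sender, hash) -> timestamps
    last_notified: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _notify_due(self, key, now):
        last = self.last_notified.get(key)
        if last is not None and now - last < self.notify_period:
            return False                          # already notified this period
        self.last_notified[key] = now
        return True

    def _evaluate(self, kind, sender, history, now, verdict):
        history.append(now)
        oldest = now - max(t.window for t in self.thresholds)
        while history and history[0] < oldest:
            history.popleft()                     # expire events outside every window
        for t in self.thresholds:
            count = sum(1 for ts in history if ts >= now - t.window)
            if count < t.limit:
                continue
            verdict["fired"].append((kind, t.name))
            if t.log:
                self.log.append((now, kind, t.name, sender))
            if t.notify and self._notify_due((kind, t.name), now):
                verdict["notified"].append((kind, t.name))
            if t.block:
                verdict["block"] = True

    def check(self, sender, content, now, interface="mm1", direction="send"):
        """Evaluate one message: which thresholds fired, which admin
        notifications are due, and the replacement message if blocked."""
        verdict = {"fired": [], "notified": [], "block": False, "response": None}
        digest = hashlib.sha256(content).hexdigest()
        self._evaluate("flood", sender, self.sent.setdefault(sender, deque()), now, verdict)
        self._evaluate("duplicate", sender,
                       self.dupes.setdefault((sender, digest), deque()), now, verdict)
        if verdict["block"]:
            verdict["response"] = replacement_message(interface, direction)
        return verdict


def demo():
    """Constructed sample: one MSISDN re-sends the same MMS six times in
    six seconds over MM1. Returns the verdict for each message."""
    det = Detector(list(THRESHOLDS), notify_period=300)
    return [det.check("+15550001", b"same MMS body", float(t)) for t in range(6)]


if __name__ == "__main__":
    for i, v in enumerate(demo()):
        print(i, v["fired"], v["notified"], v["block"], v["response"])
```

In the sample run the third message trips the low threshold for both flood and duplicate, the fifth trips the blocking threshold and gets an m-send.conf, and each threshold notifies administrators only once within the notification period, however many further messages are blocked.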
