Gi Firewall for mobile subscribers

Jan Chrillesen jan at chrillesen.dk
Wed Apr 10 18:02:20 UTC 2019


On Tue, 09 Apr 2019, Amos Rosenboim <amos at oasis-tech.net> wrote:

> On the other hand, allowing only subscriber initiated traffic is mostly achievable using ACLs on the mobile core facing routers, or is it, with the growing percentage of UDP traffic?
> 
> BTW – I don’t mention IPv4 traffic on the mobile network as it’s all behind CGNAT, which doesn’t allow internet initiated connections.
> 
> Anyway, we are very interested to hear more opinions, and especially to hear what other mobile operators do.

In a previous job we did have a stateful Gi firewall and experienced
first hand what backscatter does to the radio network. By accident we
allowed ICMP from the Internet to the subscribers and paging went up by
30%. We all agree that the average amount of backscatter on IPv6 is much
less than what we see in IPv4. However, active IPv6 addresses are exposed
(for instance on IRC!) and will be targeted by attackers. Also, half-open
TCP sessions can be very long running - for instance a mobile goes
offline while downloading a file. Some webservers will keep trying to
send data for a long time, and having a stateful device with aggressive
timeouts on half-open sessions will definitely reduce paging.

Also keep in mind that most GGSNs/PGWs will assign a /64 (and not a /128),
so if someone does a scan targeting that specific /64 you might see a
lot of traffic to the device. I would strongly suggest deploying a
stateful device - purely to protect the radio and signaling network -
not the terminal/phone.

- Jan
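The policy Jan describes (forward downlink packets only for flows the handset opened, age out half-open sessions quickly, and treat the whole /64 as one bearer) as an added Python flow-state simulation; this is not code from the thread or from any operator's firewall, and the prefix, addresses and timeout values are constructed for illustration.

```python
import ipaddress

# Constructed sample: the PGW handed this whole /64 to one handset, so any
# address in it (scanned or not) ends up on the same radio bearer.
SUBSCRIBER_PREFIX = ipaddress.ip_network("2001:db8:1234:5678::/64")
HALF_OPEN_TIMEOUT = 15     # assumed: seconds a flow may live without a completed handshake
ESTABLISHED_TIMEOUT = 300  # assumed: idle seconds before an established flow is torn down

class GiFirewall:
    """Forward downlink packets only when they match a live flow the handset opened."""
    def __init__(self):
        self.flows, self.forwarded, self.dropped = {}, 0, 0

    def packet(self, pkt, now):
        uplink = ipaddress.ip_address(pkt["src"]) in SUBSCRIBER_PREFIX
        # One key for both directions: (proto, handset addr/port, internet addr/port)
        key = ((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) if uplink
               else (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
        if uplink:  # handset-initiated: create or refresh state and forward
            flow = self.flows.setdefault(key, {"last_uplink": now, "established": False})
            flow["last_uplink"] = now
            if pkt.get("flags") == "ACK":          # third step of the handshake seen
                flow["established"] = True
            return True
        flow = self.flows.get(key)
        limit = ESTABLISHED_TIMEOUT if flow and flow["established"] else HALF_OPEN_TIMEOUT
        if flow is None or now - flow["last_uplink"] > limit:
            self.flows.pop(key, None)  # stale or unsolicited: drop instead of paging the handset
            self.dropped += 1
            return False
        self.forwarded += 1
        return True

def demo():
    fw, hs, web, scanner = GiFirewall(), "2001:db8:1234:5678::1", "2001:db8::80", "2001:db8::bad"
    tcp = lambda s, sp, d, dp, fl=None: {"proto": "tcp", "src": s, "sport": sp, "dst": d, "dport": dp, "flags": fl}
    fw.packet(tcp(hs, 40000, web, 443, "SYN"), 0.0)
    fw.packet(tcp(web, 443, hs, 40000, "SYN-ACK"), 0.1)   # answer to the handset's SYN: forwarded
    fw.packet(tcp(hs, 40000, web, 443, "ACK"), 0.2)
    fw.packet({"proto": "icmpv6", "src": scanner, "sport": 0, "dst": "2001:db8:1234:5678::abcd", "dport": 0}, 1.0)
    fw.packet(tcp(scanner, 55555, "2001:db8:1234:5678::feed", 22, "SYN"), 2.0)  # scan of the /64: dropped
    fw.packet(tcp(web, 443, hs, 40000), 100.0)            # download data: forwarded
    fw.packet(tcp(web, 443, hs, 40000), 500.0)            # handset went offline; retransmit dropped
    fw.packet(tcp(hs, 40001, web, 80, "SYN"), 600.0)
    fw.packet(tcp(web, 80, hs, 40001, "SYN-ACK"), 630.0)  # half-open flow aged out: dropped
    return {"forwarded": fw.forwarded, "dropped": fw.dropped, "open_flows": len(fw.flows)}
```

Each dropped downlink packet in the demo is one that a stateless ACL would have delivered to an idle handset, i.e. one paging event avoided.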



More information about the NANOG mailing list