Security cookie against SYN flood attack
SCTP's four-way handshake protects a listener against the SCTP equivalent of a TCP SYN flood. The listener answers an INIT with an INIT ACK that carries a state cookie (the association parameters, protected by a MAC computed with a local secret) and allocates no association state until the initiator returns that cookie in a COOKIE ECHO and the MAC and its lifetime verify. In addition, every packet carries a Verification Tag that ties it to its association, so redundant, corrupted or spoofed packets that do not carry the tag the receiver expects are detected and silently dropped.
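To make the cookie mechanism concrete, the following is an added example written for this page (it is not FortiGate code or any real SCTP stack): a listener that answers INIT with a MAC-protected state cookie and creates association state only when a valid, fresh COOKIE ECHO comes back from the same peer. The secret, the 60-second lifetime (the RFC 4960 default) and the cookie layout are assumptions made for the illustration; the flood helper and addresses are constructed.

```python
import hashlib
import hmac
import os
import socket
import struct
import time

# Assumed server secret for this example; a real stack rotates it periodically.
COOKIE_SECRET = os.urandom(32)
COOKIE_LIFETIME = 60       # seconds, the RFC 4960 default for Valid.Cookie.Life
_BODY = "!4sHIIQ"          # peer IPv4, peer port, peer Initiate Tag, our tag, timestamp
_BODY_LEN = struct.calcsize(_BODY)


def make_cookie(peer_ip, peer_port, peer_tag, local_tag, now=None):
    """Everything the server would otherwise keep in a TCB, MACed so the peer cannot forge it."""
    ts = int(time.time() if now is None else now)
    body = struct.pack(_BODY, socket.inet_aton(peer_ip), peer_port, peer_tag, local_tag, ts)
    return body + hmac.new(COOKIE_SECRET, body, hashlib.sha256).digest()


def verify_cookie(cookie, peer_ip, peer_port, now=None):
    """Return the association parameters if the cookie is genuine, fresh and from this peer."""
    if len(cookie) != _BODY_LEN + 32:
        return None
    body, mac = cookie[:_BODY_LEN], cookie[_BODY_LEN:]
    if not hmac.compare_digest(mac, hmac.new(COOKIE_SECRET, body, hashlib.sha256).digest()):
        return None
    ip, port, peer_tag, local_tag, ts = struct.unpack(_BODY, body)
    now = int(time.time() if now is None else now)
    # Bind the cookie to the address it was issued to, and refuse stale or future cookies.
    if (ip, port) != (socket.inet_aton(peer_ip), peer_port) or not 0 <= now - ts <= COOKIE_LIFETIME:
        return None
    return {"peer_tag": peer_tag, "local_tag": local_tag}


class SctpListener:
    """Server side of the four-way handshake; allocates nothing before COOKIE ECHO."""

    def __init__(self):
        self.tcbs = {}  # local_tag -> association; only on_cookie_echo adds entries

    def on_init(self, peer_ip, peer_port, peer_tag, now=None):
        """INIT -> INIT ACK: choose our tag and hand all state back to the peer in the cookie."""
        local_tag = struct.unpack("!I", os.urandom(4))[0] or 1   # tag 0 is reserved
        return local_tag, make_cookie(peer_ip, peer_port, peer_tag, local_tag, now)

    def on_cookie_echo(self, peer_ip, peer_port, cookie, now=None):
        """COOKIE ECHO -> COOKIE ACK: only a valid cookie creates a TCB."""
        params = verify_cookie(cookie, peer_ip, peer_port, now)
        if params is None:
            return False
        self.tcbs[params["local_tag"]] = {"peer": (peer_ip, peer_port), **params}
        return True


def init_flood(listener, count):
    """Constructed flood: spoofed INITs that never finish the handshake. Returns TCBs allocated."""
    for i in range(count):
        listener.on_init("198.51.100.%d" % (i % 254 + 1), 1024 + i, i + 1)
    return len(listener.tcbs)
```

The point to take from the example is that `on_init` touches no server-side table at all: a flood of INITs costs the listener one HMAC per packet and no memory, while a tampered cookie, a cookie echoed from a different address, or one older than its lifetime is rejected before any state exists.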
Built-in heartbeat (reachability check)
Endpoints periodically send HEARTBEAT control chunks, on their own or bundled with other chunks in an SCTP packet, to each destination address of the peer to determine whether that address is reachable. A HEARTBEAT ACK is returned for each address that is available; an address whose heartbeats go unanswered is marked inactive and traffic is moved to another of the peer's addresses.
SCTP Firewall
FortiGate stateful firewalls protect and inspect SCTP traffic according to RFC 4960. SCTP over IPsec VPN is also supported. The FortiGate is inserted as a router between the SCTP endpoints and checks the SCTP syntax of each packet for the following:
- Source and destination port
- Verification Tag
- Chunk type, chunk flags, chunk length
- Sequence of chunk types
- Associations
The firewall also tracks and enforces the following SCTP mechanisms:
- SCTP four-way handshake
- SCTP heartbeat
- NAT over SCTP
The firewall's IPS DoS protection covers known threats to SCTP traffic, including INIT/INIT ACK flood attacks and SCTP fuzzing (packets with malformed headers or chunks).
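The following is an added example, written for this page and not FortiGate code, of the checks listed above applied by a toy stateful SCTP inspector; it also carries the HEARTBEAT and HEARTBEAT ACK chunks from the heartbeat section. It verifies the CRC32c, every chunk length, the rule that INIT, INIT ACK and SHUTDOWN COMPLETE are never bundled with other chunks, the Verification Tag expected for each direction of the association, and the order of chunk types across the four-way handshake. Chunk types, layouts and the checksum are from RFC 4960; the state names, the set of permitted chunk types and the sample traffic are constructed for the illustration.

```python
import struct

# Chunk types, RFC 4960 section 3.2
DATA, INIT, INIT_ACK, SACK, HEARTBEAT, HEARTBEAT_ACK, ABORT = 0, 1, 2, 3, 4, 5, 6
COOKIE_ECHO, COOKIE_ACK, SHUTDOWN_COMPLETE = 10, 11, 14
STANDALONE = {INIT, INIT_ACK, SHUTDOWN_COMPLETE}  # must never be bundled with other chunks
MIN_LEN = {INIT: 20, INIT_ACK: 20}                 # fixed fields: tag, a_rwnd, streams, TSN
INIT_PARAMS = struct.pack("!IHHI", 65535, 10, 10, 1)  # a_rwnd, out/in streams, initial TSN
# Firewall-side states in which each chunk type is legal, and the state it leads to.
# Policy choice for this example: unlisted types (other than ABORT / SHUTDOWN COMPLETE) are dropped.
UP = {"COOKIE_ECHOED", "ESTABLISHED"}   # DATA may already ride along with COOKIE ECHO (RFC 4960 5.1)
ALLOWED = {INIT_ACK: {"INIT"}, COOKIE_ECHO: {"INIT_ACK"}, COOKIE_ACK: {"COOKIE_ECHOED"},
           DATA: UP, SACK: UP, HEARTBEAT: {"ESTABLISHED"}, HEARTBEAT_ACK: {"ESTABLISHED"}}
NEXT = {INIT_ACK: "INIT_ACK", COOKIE_ECHO: "COOKIE_ECHOED", COOKIE_ACK: "ESTABLISHED"}


def crc32c(data):
    """Bit-at-a-time CRC32c (reflected, polynomial 0x82F63B78): slow but dependency-free."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def chunk(ctype, flags=0, value=b""):
    """One chunk: 4-byte header (type, flags, length) + value, zero-padded to a 4-byte boundary."""
    raw = struct.pack("!BBH", ctype, flags, 4 + len(value)) + value
    return raw + b"\0" * (-len(raw) % 4)


def packet(sport, dport, vtag, *chunks):
    """Common header + chunks. The CRC32c is stored least-significant byte first (RFC 4960 App. B)."""
    hdr, body = struct.pack("!HHII", sport, dport, vtag, 0), b"".join(chunks)
    return hdr[:8] + struct.pack("<I", crc32c(hdr + body)) + body


def parse_chunks(body):
    """Return [(type, flags, value)], refusing any chunk whose length field lies."""
    chunks, off = [], 0
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated chunk header")
        ctype, flags, length = struct.unpack_from("!BBH", body, off)
        if length < MIN_LEN.get(ctype, 4) or off + length > len(body):
            raise ValueError("chunk type %d with length %d" % (ctype, length))
        chunks.append((ctype, flags, body[off + 4:off + length]))
        off += length + (-length % 4)
    return chunks


class SctpFirewall:
    """Stateful inspection: one association per unordered pair of (ip, port) endpoints."""

    def __init__(self):
        self.assoc = {}  # frozenset({(ip, port), (ip, port)}) -> {"state": ..., "expect": {...}}

    def inspect(self, src_ip, dst_ip, raw):
        """Return (accept, reason) for one packet; never raises on hostile input."""
        if len(raw) < 12:
            return False, "runt packet"
        sport, dport, vtag = struct.unpack("!HHI", raw[:8])
        if struct.unpack("<I", raw[8:12])[0] != crc32c(raw[:8] + b"\0" * 4 + raw[12:]):
            return False, "CRC32c mismatch"
        try:
            chunks = parse_chunks(raw[12:])
        except ValueError as e:
            return False, "malformed: %s" % e
        if not chunks or (len(chunks) > 1 and any(c[0] in STANDALONE for c in chunks)):
            return False, "empty packet, or INIT/INIT ACK/SHUTDOWN COMPLETE bundled with other chunks"
        me, peer = (src_ip, sport), (dst_ip, dport)
        key = frozenset([me, peer])
        if chunks[0][0] == INIT:
            if vtag != 0:
                return False, "INIT must carry verification tag 0"
            # Replies to the initiator must carry its Initiate Tag from now on.
            self.assoc[key] = {"state": "INIT", "expect": {me: struct.unpack_from("!I", chunks[0][2])[0]}}
            return True, "INIT accepted, association tracked"
        a = self.assoc.get(key)
        if a is None:
            return False, "no association: INIT not seen"
        if vtag != a["expect"].get(peer):
            return False, "verification tag %#x not valid for packets to %s" % (vtag, peer)
        for ctype, _flags, value in chunks:  # bundle order; state advances chunk by chunk
            if ctype in (ABORT, SHUTDOWN_COMPLETE):  # ABORT with the T bit (reflected tag) not modelled
                del self.assoc[key]
                return True, "association torn down"
            if a["state"] not in ALLOWED.get(ctype, ()):
                return False, "chunk type %d not allowed in state %s" % (ctype, a["state"])
            if ctype == INIT_ACK:
                a["expect"][me] = struct.unpack_from("!I", value)[0]
            a["state"] = NEXT.get(ctype, a["state"])
        return True, "ok in state %s" % a["state"]


def sample_exchange():
    """Constructed traffic, not a capture: a clean handshake, then packets that must be dropped."""
    fw, c, s, ct, st = SctpFirewall(), "10.1.1.10", "10.2.2.20", 0x11111111, 0x22222222
    init = chunk(INIT, 0, struct.pack("!I", ct) + INIT_PARAMS)
    traffic = [
        (c, s, 0, [init]),
        (s, c, ct, [chunk(INIT_ACK, 0, struct.pack("!I", st) + INIT_PARAMS)]),
        (c, s, st, [chunk(COOKIE_ECHO, 0, b"cookie"), chunk(DATA, 3, b"\0" * 16)]),
        (s, c, ct, [chunk(COOKIE_ACK)]),
        (c, s, st, [chunk(HEARTBEAT, 0, b"\0\1\0\4")]),
        (s, c, 0xDEADBEEF, [chunk(DATA, 3, b"\0" * 16)]),             # guessed tag: dropped
        (c, s, st, [struct.pack("!BBH", DATA, 3, 200) + b"\0" * 4]),  # lying length: dropped
        (c, s, st, [init, chunk(DATA)]),                              # INIT bundled: dropped
    ]
    return [fw.inspect(a, b, packet(36412, 36412, tag, *ch)) for a, b, tag, ch in traffic]
```

Two details matter in practice. The tag check is per direction: the initiator's Initiate Tag is what the responder must put in every packet it sends back, and the responder's tag (learned from INIT ACK) is what the initiator must use, so a spoofed DATA chunk with a guessed tag is dropped even if it names the right ports. And the chunk walk validates each length before trusting it, which is where fuzzed packets with a length field larger than the packet are caught.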
SCTP example scenario
An ideal SCTP configuration for a carrier serving multiple operators or service providers uses a unified firewall that secures all traffic entering and leaving the carrier network, whether standard web traffic, GTP or other carrier traffic, or the carrier company's own corporate traffic.
One best-practice way to provide a unified firewall with built-in redundancy is to deploy multiple FortiGate units in a High Availability (HA) cluster. Virtual domains and virtual clustering, used in the example below, further reduce the complexity of managing multiple services, functions and traffic types across several devices.
Figure: Sample SCTP Network Topology. Elements shown: Public Internet (unsecured); Internet; Outward-facing servers (sales, billing, etc.); Operator STP nodes (locally secured); SCTP Firewall Layer (HA setup); Central Carrier STP node and services, behind FW (secured).
In this example, the firewall layer is configured with two FortiGate devices to act as an HA cluster, providing automatic load balancing and failover detection for the main firewall.
The two devices together make up the firewall, through which all traffic passes. Virtual Domains (VDOMs) are created within the FortiGate units, and services and traffic are distributed into individual VDOMs so that each can be monitored and secured on its own, which helps mitigate threats to carrier networks that target a specific service. Individual departments or administrators can manage specific VDOMs, or network administrators can manage the FortiGates centrally as a whole.
The VDOMs are distributed as shown below:
Figure: VDOM distribution between SCTP Firewall Layer FortiGate units. Both units, FGT_1 and FGT_2, carry the same VDOMs: SCTP VDOM, GTP VDOM, Corporate VDOM, Services VDOM and Root VDOM. Virtual Cluster 1: FGT_1 is master, FGT_2 is slave. Virtual Cluster 2: FGT_2 is master, FGT_1 is slave.
The first FortiGate (FGT_1), as master of virtual cluster 1, handles basic FortiGate services and non-carrier traffic. Virtual clustering across the two FortiGates synchronizes its VDOM configuration to the other unit, which stands by as the slave for that cluster.
The second FortiGate (FGT_2), as master of virtual cluster 2, primarily provides carrier-specific services and handles the SCTP, Gi and GTP traffic, with the first FortiGate as the slave unit for that cluster. Both units therefore carry live traffic, and if either fails the surviving unit takes over all VDOMs.