Border Gateway Roaming Security

Protect the connections from other operators

With new regulation in European Union and elsewhere being a driver, roaming traffic has been increasing exponentially. Customers expect the same services they use at home to work equally good while being on vacation or a business trip. Communication Service Providers setup direct links to their preferred roaming partners, or route via roaming exchanges. Even though they do not own the network in the other countries, they extend the perimeter and need to trust the incoming traffic. This can leave CSPs exposed to threats that are easily avoided.


Border Gateway Roaming Security

Traffic from other operators needs to be scanned before allowed into the CSPs network. Roaming traffic signaling inspection is required on the SCTP protocol for Diameter traffic as well as GTP signaling validation. Together with Perimeter Protection, Advanced Threat Protection with IDS and Network/Server Attack Protection for DDoS threats.

For signaling validation a deep dive into the GTP-C v0/v1/v2, and GTP-U protocols will provide insights into protocol anomalies. The solution works as a stateful proxy and can apply ACL and Packet Shaping and Forwarding Rules on the traffic. There are multiple GTP Multiple Filter Options (Message, APN, IE removal) as well as Sanity Checking – all Header field check and Protocol Fuzzing Detection and Prevention.

For SCTP there is static validation of SCTP packets and stateless forwarding. The solution will provide logs and flow-lifetime and provides validation also when matching “Implicit” SCTP services. There is Traffic Shaping Support for SCTP flows to mitigate an overload and transparent failover between redundant network paths.

In addition BGP routing capabilities are required to support high availability setups with connectivity via multiple carriers. All security protections to make sure roaming traffic is safe and a good experience is provided to the end users.

Clavister Service-Based Firewall Report

Heavy Reading Analyst Jim Hodges explains why traditional firewalls are not sufficient for architectures prepairing for 5G and Next Generaiton Core networks.

Topics covered in this white paper include:

  • How the 5G Service Based Architecture (SBA) core network and associated capabilities such as 5G slicing will drive new security enforcement firewall functionality
  • The security firewall requirements associated with managing the 5G cloud-distributed new radio (NR) access network
  • The implication of these technologies on existing cloud-based Firewall as a Service (FWaaS) deployments
  • Clavister’s product strategy for dealing with these new service-driven firewall requirements

Use Cases

Resilient Interconnect Connectivity

Interconnection with Border Gateway Routing (BGP) for carrier independence

Control Signalling Validation

Gateway function for specific signalling validation including GTP and SCTP

Network Attack Protection

Intrusion detection and prevention system, GeoIP restrictions and denial of service protection



Virtual Models

High performance virtualized security gateways designed for new carrier networks based on NFV/SDN.

Get in touch! It will only take a minute