Methods, systems, and computer readable media for providing diameter signaling router with firewall functionality

US 8,613,073 B2
Filed: 10/18/2010
Issued: 12/17/2013
Est. Priority Date: 10/16/2009
Status: Active Grant

First Claim

Patent Images

1. A system for Diameter routing and firewall filtering, the system comprising:

a Diameter signaling router, comprising;

a network interface for receiving, from a first Diameter node, a first Diameter message having Diameter information, wherein the Diameter information includes Diameter header portion information;

a firewall module configured to determine whether the first Diameter message satisfies a firewall policy, wherein the firewall policy is based on at least a portion of the Diameter header portion information in the first Diameter message, wherein the firewall module includes functionality for performing an equipment identity register (EIR) dip using information from the first Diameter message, wherein the functionality for performing an EIR dip includes an EIR database for storing equipment-related information used in determining whether user equipment is authorized or blocked and an EIR dip function for accessing the EIR database in determining whether equipment-related information associated with the first Diameter message is present in the EIR database; and

a routing module configured to forward at least a portion of the first Diameter message towards a second Diameter node in response to the first Diameter message satisfying the firewall policy, wherein the second Diameter node is a home subscriber server (HSS) or a mobility management entity (MME).

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one aspect, the subject matter described herein includes a system for Diameter routing and firewall filtering. The system includes a Diameter signaling router comprising a network interface for receiving, from a first Diameter node, a first Diameter message having Diameter information. The Diameter signaling router also includes a firewall module for determining whether the first Diameter message satisfies a firewall policy. The firewall policy is based on at least a portion of the Diameter information in the first Diameter message. The Diameter signaling router further includes a routing module for forwarding at least a portion of the first Diameter message towards a second Diameter node in response to the first Diameter message satisfying the firewall policy.

Citations

28 Claims

1. A system for Diameter routing and firewall filtering, the system comprising:
- a Diameter signaling router, comprising;
  
  a network interface for receiving, from a first Diameter node, a first Diameter message having Diameter information, wherein the Diameter information includes Diameter header portion information;
  
  a firewall module configured to determine whether the first Diameter message satisfies a firewall policy, wherein the firewall policy is based on at least a portion of the Diameter header portion information in the first Diameter message, wherein the firewall module includes functionality for performing an equipment identity register (EIR) dip using information from the first Diameter message, wherein the functionality for performing an EIR dip includes an EIR database for storing equipment-related information used in determining whether user equipment is authorized or blocked and an EIR dip function for accessing the EIR database in determining whether equipment-related information associated with the first Diameter message is present in the EIR database; and
  
  a routing module configured to forward at least a portion of the first Diameter message towards a second Diameter node in response to the first Diameter message satisfying the firewall policy, wherein the second Diameter node is a home subscriber server (HSS) or a mobility management entity (MME).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 24, 25)
- - 2. The system of claim 1 wherein the Diameter signaling router includes a mitigation module configured to perform a mitigating action in response to the first Diameter message failing to satisfy the firewall policy.
  - 3. The system of claim 1 wherein a mitigation action includes at least one of:
    - discarding the first Diameter message, generating an error code, generating an error message, communicating an error message to the first Diameter node, generating an event record, generating a log entry, modifying the first Diameter message, generating a second Diameter message based on the first Diameter message;
      
      modifying the Diameter information in the first Diameter message, modifying the first Diameter message to satisfy the firewall policy, triggering network address translation (NAT) processing for a Diameter message, triggering the routing module to handle the modified first Diameter message, triggering the routing module to handle the second Diameter message, and notifying an entity.
  - 4. The system of claim 1 wherein the firewall module includes a network address translation (NAT) module configured to perform network address translation (NAT) processing on the first Diameter message.
  - 5. The system of claim 4 wherein the NAT module is configured to perform NAT processing on a response message destined for the first Diameter node that corresponds to the first Diameter message.
  - 6. The system of claim 1 wherein the firewall policy includes at least one of:
    - a rule for determining whether the first Diameter message is associated with one or more desired characteristics, a rule for determining whether the first Diameter message is associated with one or more undesired characteristics, information for accessing a data structure for determining whether the first Diameter message satisfies a firewall policy, information for accessing a whitelist, and information for accessing a blacklist.
  - 7. The system of claim 6 wherein the undesired or desired characteristics include at least one of:
    - one or portions of Diameter information in a Diameter message, an attribute value pair (AVP), a message parameter, a value, a parameter length, a message length, a destination, an origination, a session, a network address in a Diameter message processed by a network address translation (NAT) module, a network address in a Diameter message not processed by a network address translation (NAT) module, exclusion of a message parameter, inclusion of a message parameter, a message type, manner in which a message is received, time of day, and time of week.
  - 8. The system of claim 1 wherein the first Diameter node is a home subscriber server (HSS).
  - 9. The system of claim 8 wherein the second Diameter node is a mobility management entity (MME).
  - 10. The system of claim 1 wherein the first Diameter node is a mobility management entity (MME).
  - 11. The system of claim 10 wherein the second Diameter node is a home subscriber server (HSS).
  - 12. The system of claim 1 wherein the first Diameter message includes one of:
    - an UpdateLocation Request (ULR) message, an UpdateLocation Answer (ULA) message, an AuthenticationInformation Request (AIR) message, an AuthenticationInformation Answer (AIA) message, a CancelLocation Request (CLR) message, a CancelLocation Answer (CLA) message, an InsertSubscriberData Request (IDR) message, an InsertSubscriberData Answer (IDA) message, a DeleteSubscriberData Request (DSR) message, a DeleteSubscriberData Answer (DSA) message, a PurgeUE Request (PUR) message, a PurgeUE Answer (PUA) message, a Reset Request (RSR) message, a Reset Answer (RSA) message, a Notify Request (NOR) message, a Notify Answer (NOA) message, an MEIdentityCheck Request (ECR) message, and an MEIdentityCheck Answer (ECA) message.
  - 13. The system of claim 1 wherein the Diameter information in the first Diameter message includes at least one of:
    - the Diameter header portion information, a Diameter version, a Diameter message length, a Diameter flag, a command code (CC), a Diameter application identifier (ID), a hop by hop ID, an end to end ID, Diameter data portion information, a Diameter attribute value pair (AVP), an AVP parameter, an AVP code, an AVP flag, an AVP length, a vendor ID, AVP data, a parameter, a subscriber identifier, a device identifier, an international mobile subscriber identifier (IMSI), a mobile subscriber integrated services digital network (MSISDN) number, a short code, a uniform resource identifier (URI), an international mobile equipment identifier (IMEI), a mobile identification number (MIN), an Auth-Session-State parameter, a Origin-Host parameter, a Origin-Realm parameter, a Destination-Host parameter, a Destination-Realm parameter, a User-Name parameter, a Supported-Features parameter, a Terminal-Information parameter, a RAT-Type parameter, a ULR-Flags parameter, a Visited-PLMN-Id parameter, a SGSN-Number parameter, a Proxy-Info parameter, and a Route-Record parameter.
  - 24. The method of claim 13 wherein the first Diameter node is a mobility management entity (MME).
  - 25. The method of claim 24 wherein the second Diameter node is a home subscriber server (HSS).

14. A method for Diameter routing and firewall filtering, the method comprising:
- at a Diameter signaling router;
  
  receiving, from a first Diameter node and at a network interface, a first Diameter message having Diameter information, wherein the Diameter information includes Diameter header portion information;
  
  determining whether the first Diameter message satisfies a firewall policy, wherein the firewall policy is based on at least a portion of the Diameter header portion information in the first Diameter message, wherein the firewall module includes functionality for performing an equipment identity register (EIR) dip using information from the first Diameter message, wherein the functionality for performing an EIR dip includes an EIR database for storing equipment-related information used in determining whether user equipment is authorized or blocked and an EIR dip function for accessing the EIR database in determining whether equipment-related information associated with the first Diameter message is present in the EIR database; and
  
  forwarding at least a portion of the first Diameter message towards a second Diameter node in response to the first Diameter message satisfying the firewall policy, wherein the second Diameter node is a home subscriber server (HSS) or a mobility management entity (MME).
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 26, 27)
- - 15. The method of claim 14 comprising performing a mitigating action in response to the first Diameter message failing to satisfy the firewall policy.
  - 16. The method of claim 14 wherein the Diameter application level portion of the first Diameter message includes a Diameter attribute value pair (AVP).
  - 17. The method of claim 15 wherein a mitigation action includes at least one of:
    - discarding the first Diameter message, generating an error code, generating an error message, communicating an error message to a Diameter node, generating an event record, generating a log entry, modifying the first Diameter message, generating a second Diameter message based on the first Diameter message;
      
      modifying the Diameter information in the first Diameter message, modifying the first Diameter message to satisfy the firewall policy, triggering NAT processing for a Diameter message, triggering the routing module to handle the modified first Diameter message, triggering the routing module to handle the second Diameter message, and notifying an entity.
  - 18. The method of claim 14 wherein determining whether the first Diameter message satisfies a firewall policy includes determining whether to perform network address translation (NAT) processing on the first Diameter message.
  - 19. The method of claim 18 wherein in response to determining that NAT processing is to be performed, performing NAT processing on the first message and performing NAT processing on a corresponding response message destined to the first Diameter node.
  - 20. The method of claim 14 wherein the firewall policy includes at least one of:
    - a rule for determining whether the first Diameter message is associated with one or more desired characteristics, a rule for determining whether the first Diameter message is associated with one or more undesired characteristics, information for accessing a data structure for determining whether the first Diameter message satisfies a firewall policy, information for accessing a whitelist, and information for accessing a blacklist.
  - 21. The method of claim 20 wherein the undesired or the desired characteristics include at least one of:
    - one or portions of Diameter information in a Diameter message, a message parameter, attribute value pair (AVP), a value, a parameter length, a message length, a destination, an origination, a session, a network address in a Diameter message processed by a network address translation (NAT) module, a network address in a Diameter message not processed by a network address translation (NAT) module, exclusion of a message parameter, inclusion of a message parameter, a message type, manner in which a message is received, time of day, and time of week.
  - 22. The method of claim 14 wherein the first Diameter node is a home subscriber server (HSS).
  - 23. The method of claim 22 wherein the second Diameter node is a mobility management entity (MME).
  - 26. The method of claim 14 wherein the first Diameter message includes one of:
    - an UpdateLocation Request (ULR) message, an UpdateLocation Answer (ULA) message, an AuthenticationInformation Request (AIR) message, an AuthenticationInformation Answer (AIA) message, a CancelLocation Request (CLR) message, a CancelLocation Answer (CLA) message, an InsertSubscriberData Request (IDR) message, an InsertSubscriberData Answer (IDA) message, a DeleteSubscriberData Request (DSR) message, a DeleteSubscriberData Answer (DSA) message, a PurgeUE Request (PUR) message, a PurgeUE Answer (PUA) message, a Reset Request (RSR) message, a Reset Answer (RSA) message, a Notify Request (NOR) message, a Notify Answer (NOA) message, an MEIdentityCheck Request (ECR) message, and an MEIdentityCheck Answer (ECA) message.
  - 27. The method of claim 14 wherein the Diameter information in the first Diameter message includes at least one of:
    - the Diameter header portion information, a Diameter version, a Diameter message length, a Diameter flag, a command code (CC), a Diameter application identifier (ID), a hop by hop ID, an end to end ID, Diameter data portion information, a Diameter attribute value pair (AVP), an AVP parameter, an AVP code, an AVP flag, an AVP length, a vendor ID, AVP data, a parameter, a subscriber identifier, a device identifier, an international mobile subscriber identifier (IMSI), a mobile subscriber integrated services digital network (MSISDN) number, a short code, a uniform resource identifier (URI), an international mobile equipment identifier (IMEI), a mobile identification number (MIN), an Auth-Session-State parameter, a Origin-Host parameter, a Origin-Realm parameter, a Destination-Host parameter, a Destination-Realm parameter, a User-Name parameter, a Supported-Features parameter, a Terminal-Information parameter, a RAT-Type parameter, a ULR-Flags parameter, a Visited-PLMN-Id parameter, a SGSN-Number parameter, a Proxy-Info parameter, and a Route-Record parameter.

28. A non-transitory computer readable medium having stored thereon executable instructions that when executed by the processor of a computer control the computer to perform steps comprising:
- at a Diameter signaling router;
  
  receiving, from a first Diameter node and at a network interface, a first Diameter message having Diameter information, wherein the Diameter information includes Diameter header portion information;
  
  determining whether the first Diameter message satisfies a firewall policy, wherein the firewall policy is based on at least a portion of the Diameter header portion information in the first Diameter message, wherein the firewall module includes functionality for performing an equipment identity register (EIR) dip using information from the first Diameter message, wherein the functionality for performing an EIR dip includes an EIR database for storing equipment-related information used in determining whether user equipment is authorized or blocked and an EIR dip function for accessing the EIR database in determining whether equipment-related information associated with the first Diameter message is present in the EIR database; and
  
  forwarding at least a portion of the first Diameter message towards a second Diameter node in response to the first Diameter message satisfying the firewall policy, wherein the second Diameter node is a home subscriber server (HSS) or a mobility management entity (MME).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tekelec, Inc. (Oracle Corporation)
Original Assignee
Tekelec, Inc. (Oracle Corporation)
Inventors
McCann, Thomas M., Marsico, Peter J.
Primary Examiner(s)
Shaw, Peter
Assistant Examiner(s)
ELMORE, JOHN E

Application Number

US12/906,998
Publication Number

US 20110126277A1
Time in Patent Office

1,156 Days
Field of Search

726 2- 3, 726 11- 14
US Class Current

726/13
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0892   by using authentication-aut...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04M 15/47   Fraud detection or preventi...

H04W 12/06   Authentication

H04W 12/12   Detection or prevention of ...

H04W 12/71   Hardware identity

H04W 12/72   Subscriber identity

H04W 4/24   Accounting or billing

Methods, systems, and computer readable media for providing diameter signaling router with firewall functionality

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and computer readable media for providing diameter signaling router with firewall functionality

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links