Audit Checklist: Diameter Signaling Security (GSMA FS.19)
I. Transport Layer Security
mTLS / TLS 1.2+: Are all Diameter connections between peers secured using mutual TLS (mTLS) with certificates signed by a trusted CA (e.g., GRU)?
IPsec Tunnelling: Is IPsec (ESP) used for inter-operator transport when TLS is not supported?
SCTP Multi-homing: Are multi-homing configurations verified to ensure no unauthorized endpoints can join the association?
Node Isolation: Are signaling nodes (MME, HSS, PCRF) on isolated VLANs/subnets with no direct public access?
II. Edge Protection (DEA / Diameter Firewall)
Topology Hiding: Does the Diameter Edge Agent (DEA) hide internal node identities (FQDNs) in outgoing signaling messages?
AVP Filtering: Is there a blacklist/whitelist for unauthorized AVP (Attribute-Value Pair) types at the network perimeter?
Rate Limiting: Are signaling messages (especially ULR, AIR, and CCR) rate-limited to prevent DoS attacks?
Unauthorized Origin: Does the firewall block signaling messages whose Origin-Host/Origin-Realm do not match the peer's expected identity?
III. Messaging Security (FS.19 Filtering)
Category 1 (Protocol Validation): Are basic protocol validation checks enabled (message length, AVP format, mandatory AVPs)?
Category 2 (Anti-Spoofing): Are signaling messages with known invalid origin identities (e.g., non-roaming partner claim) blocked?
Category 3 (Session Validation): Is there correlation between signaling messages and active subscriber sessions to prevent rogue detach/profile updates?
Velocity Checks: Are subscribers flagged for impossible movement between VPLMN IDs in a short time frame?
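Worked example for the origin-identity check (II, III Category 2) and the velocity check above, added here as illustration; it is not code from GSMA FS.19 or from any DEA product. The event fields, the peer-to-realm table and the sample events are constructed assumptions, and the 6-hour minimum travel time is a placeholder an auditor would replace with the operator's own plausibility table.

```python
from datetime import datetime, timedelta

# Constructed sample of parsed S6a events as a DEA might export them to a SIEM.
# The field names are assumptions for this example, not a real DEA log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "cmd": "ULR", "peer": "dea1.operatorA.example",
     "origin_realm": "epc.mnc001.mcc234.3gppnetwork.org", "imsi": "234010000000001", "vplmn": "23401"},
    {"ts": "2024-05-01T10:12:00", "cmd": "ULR", "peer": "dea1.operatorA.example",
     "origin_realm": "epc.mnc010.mcc310.3gppnetwork.org", "imsi": "234010000000002", "vplmn": "31010"},
    {"ts": "2024-05-01T10:20:00", "cmd": "ULR", "peer": "dea2.operatorB.example",
     "origin_realm": "epc.mnc010.mcc310.3gppnetwork.org", "imsi": "234010000000001", "vplmn": "31010"},
]

# Expected Origin-Realm per roaming-partner peer (assumed table maintained by the operator).
EXPECTED_REALM = {
    "dea1.operatorA.example": "epc.mnc001.mcc234.3gppnetwork.org",
    "dea2.operatorB.example": "epc.mnc010.mcc310.3gppnetwork.org",
}

# Placeholder: minimum plausible time to move between two VPLMNs.
MIN_TRAVEL = timedelta(hours=6)


def audit_events(events, expected_realm=EXPECTED_REALM, min_travel=MIN_TRAVEL):
    """Return findings as (check, subject, detail) tuples in time order."""
    findings = []
    last_seen = {}  # imsi -> (timestamp, vplmn) of the last accepted ULR
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        expected = expected_realm.get(ev["peer"])
        # Origin check: the realm claimed in the message must match the peer it arrived from.
        if expected is None or ev["origin_realm"] != expected:
            findings.append(("origin_mismatch", ev["peer"], ev["origin_realm"]))
            continue  # a message with a spoofed origin must not update location state
        if ev["cmd"] != "ULR":
            continue
        # Velocity check: a different VPLMN sooner than min_travel after the last ULR.
        prev = last_seen.get(ev["imsi"])
        if prev and prev[1] != ev["vplmn"] and ts - prev[0] < min_travel:
            findings.append(("velocity", ev["imsi"], f"{prev[1]}->{ev['vplmn']} in {ts - prev[0]}"))
        last_seen[ev["imsi"]] = (ts, ev["vplmn"])
    return findings
```

Running audit_events(SAMPLE_EVENTS) yields one origin_mismatch finding for the second event and one velocity finding for the first subscriber's 20-minute "move" between PLMNs.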
IV. Monitoring & Incident Response
Signaling Logs: Are all failed Diameter authentication and location update attempts logged centrally (SIEM)?
Anomaly Detection: Is there an automated system to detect spikes in signaling traffic from specific roaming partners?
Incident Response: Is there a defined process for blacklisting a misbehaving roaming partner's Diameter identity?