Audit Checklist: ITU-T Q.3066 (Signaling Firewall)
Section 1 – Infrastructure and Connectivity
Physical / Logical Isolation: Signaling gateway / STP is isolated from the OAM/management plane (X.805 Management Plane separation)
SCTP/M3UA Access Control: ACLs on SCTP associations limit origination to known PLMN IP blocks; wildcard "any" associations are not in use
Signaling VLAN / Segment: SS7 and Diameter signaling is carried on dedicated VLANs or segments isolated from corporate/internet-accessible networks
Management Interface Security: STP/DEA management console requires MFA; no Telnet; SNMPv3 enforced; management access logged
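A quick way to verify the SCTP/M3UA access-control item above is to run the exported association list through a script rather than eyeballing it. The following is an added example (not from the checklist or any STP/DEA vendor) that flags wildcard remote addresses, address ranges where a host is expected, remote hosts outside the provisioned partner blocks, and unexpected ports; the association records and the partner blocks (RFC 5737 documentation ranges) are constructed sample data.

```python
# Added example (not from the checklist or any STP/DEA vendor): audits an
# exported list of SCTP associations against the Section 1 rule that remote
# addresses must be single hosts inside known PLMN blocks and never a wildcard.
# Association records and partner blocks are constructed sample data.
import ipaddress

M3UA_PORT = 2905      # IANA-registered SCTP port for M3UA
DIAMETER_PORT = 3868  # IANA-registered port for Diameter

# Constructed: address blocks of roaming partners' signaling gateways
# (RFC 5737 documentation ranges stand in for real PLMN blocks).
PARTNER_BLOCKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/26")]

# Constructed: what a configuration export might look like; "remote" lists
# every path address of a multi-homed association.
ASSOCIATIONS = [
    {"name": "partner-a-m3ua", "remote": ["203.0.113.10", "203.0.113.11"], "port": M3UA_PORT},
    {"name": "partner-b-dia", "remote": ["198.51.100.5"], "port": DIAMETER_PORT},
    {"name": "legacy-any", "remote": ["0.0.0.0/0"], "port": M3UA_PORT},
    {"name": "stale-peer", "remote": ["192.0.2.77"], "port": DIAMETER_PORT},
]

WILDCARDS = {"any", "0.0.0.0", "0.0.0.0/0", "::", "::/0", "*"}

def classify_remote(addr, blocks=PARTNER_BLOCKS):
    """Return None if addr is one host inside a partner block, else a finding."""
    if addr.strip().lower() in WILDCARDS:
        return "wildcard remote address"
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return f"unparseable address {addr!r}"
    if net.num_addresses != 1:
        return f"remote {net} is a range, not a host"
    if not any(net.subnet_of(b) for b in blocks if b.version == net.version):
        return f"{net.network_address} outside partner blocks"
    return None

def audit_associations(assocs=ASSOCIATIONS, blocks=PARTNER_BLOCKS):
    """Return (association name, finding) pairs; an empty list means compliant."""
    findings = []
    for assoc in assocs:
        if assoc["port"] not in (M3UA_PORT, DIAMETER_PORT):
            findings.append((assoc["name"], f"unexpected port {assoc['port']}"))
        for addr in assoc["remote"]:
            problem = classify_remote(addr, blocks)
            if problem:
                findings.append((assoc["name"], problem))
    return findings

if __name__ == "__main__":
    for name, finding in audit_associations():
        print(f"FAIL {name}: {finding}")
```

Run against the constructed data, the two legitimate associations pass and the wildcard and the stale peer are reported; the same function works on a real export once the partner blocks are replaced with the operator's provisioned PLMN ranges.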
2a – SS7 MAP Category Filtering
Category 1 (Address Spoofing): Messages with source Global Title (GT) not in the allowed PLMN GT whitelist are blocked and logged
Category 2 (Internal-only operations): Messages that should only traverse home network internals (e.g., MAP UpdateLocation from foreign PLMNs targeting internal VLR) are blocked
Category 3 (Subscriber data manipulation): High-risk operations (MAP DeleteSubscriberData, MAP RegisterSS from external peers) are blocked
ATI (AnyTimeInterrogation) blocking: MAP ATI from external peers is rejected unless a bilateral roaming agreement with specific GT authorization is in place
SRI-SM filtering: MAP SendRoutingInfoForSM from unauthorized sources is blocked; logging is enabled and alerts are reviewed
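To make the 2a items concrete, here is an added example (not part of the checklist and not any vendor's rule syntax) of a small rule engine that applies the Category 1, 2 and 3 checks plus the ATI and SRI-SM rules to MAP messages and emits a log line for every block. The MAP operation codes are the standard 3GPP TS 29.002 values; the GT prefixes, partner lists and bilateral-agreement entries are constructed.

```python
# Added example (not part of the checklist, not any vendor's rule syntax): a
# small rule engine that applies the 2a checks to MAP messages. The MAP
# operation codes are the standard 3GPP TS 29.002 values; the GT prefixes,
# partner lists and bilateral-agreement entries are constructed.
from dataclasses import dataclass

# MAP operation codes (3GPP TS 29.002)
UPDATE_LOCATION = 2
DELETE_SUBSCRIBER_DATA = 8
REGISTER_SS = 10
SEND_ROUTING_INFO_FOR_SM = 45
ANY_TIME_INTERROGATION = 71

@dataclass(frozen=True)
class MapMessage:
    calling_gt: str  # SCCP calling party GT, i.e. the claimed source
    called_gt: str   # SCCP called party GT, the node being addressed
    opcode: int      # MAP operation code

@dataclass(frozen=True)
class Policy:
    home_gt_prefix: str = "49170"                    # constructed: our own PLMN
    partner_gt_prefixes: tuple = ("44770", "33612")  # constructed: roaming partners
    internal_only_prefixes: tuple = ("4917099",)     # constructed: home VLRs, never addressable from outside
    ati_authorized_gts: frozenset = frozenset({"447701000001"})  # constructed: bilateral ATI agreement
    sri_sm_authorized_prefixes: tuple = ("44770",)   # constructed: partner SMS-GMSC ranges

# Operations this checklist treats as Category 3 when they arrive from outside
HIGH_RISK_OPS = {DELETE_SUBSCRIBER_DATA, REGISTER_SS}

def evaluate(msg, policy=Policy()):
    """Return (verdict, rule, reason); rule is None when the message is allowed."""
    if msg.calling_gt.startswith(policy.home_gt_prefix):
        return ("ALLOW", None, "home-originated")
    # Category 1: the claimed source GT is not a known partner
    if not msg.calling_gt.startswith(policy.partner_gt_prefixes):
        return ("BLOCK", "Cat1", "calling GT not in PLMN whitelist")
    # Category 2: internal-only destinations (e.g. a foreign UpdateLocation aimed at a home VLR)
    if msg.called_gt.startswith(policy.internal_only_prefixes):
        return ("BLOCK", "Cat2", "external message addressed to internal-only node")
    # Category 3: subscriber data manipulation from an external peer
    if msg.opcode in HIGH_RISK_OPS:
        return ("BLOCK", "Cat3", f"opcode {msg.opcode} not accepted from external peers")
    # Operation-specific rules from the checklist
    if msg.opcode == ANY_TIME_INTERROGATION and msg.calling_gt not in policy.ati_authorized_gts:
        return ("BLOCK", "ATI", "no bilateral GT authorization for ATI")
    if msg.opcode == SEND_ROUTING_INFO_FOR_SM and not msg.calling_gt.startswith(policy.sri_sm_authorized_prefixes):
        return ("BLOCK", "SRI-SM", "SRI-SM from unauthorized source")
    return ("ALLOW", None, "policy permits")

def filter_batch(messages, policy=Policy()):
    """Evaluate a batch; return the verdicts plus one log line per blocked message."""
    verdicts, log = [], []
    for m in messages:
        verdict, rule, reason = evaluate(m, policy)
        verdicts.append(verdict)
        if verdict == "BLOCK":
            log.append(f"SIGFW BLOCK rule={rule} opcode={m.opcode} cgGT={m.calling_gt} "
                       f"cdGT={m.called_gt} reason={reason}")
    return verdicts, log

# Constructed sample traffic: one legitimate roaming update, then one message per rule
SAMPLE = [
    MapMessage("447701000002", "491701000000", UPDATE_LOCATION),          # partner VLR -> home HLR
    MapMessage("441000000000", "491701000000", UPDATE_LOCATION),          # unknown source GT
    MapMessage("447701000002", "491709900001", UPDATE_LOCATION),          # aimed at an internal VLR
    MapMessage("447701000002", "491701000000", REGISTER_SS),              # call-forwarding manipulation
    MapMessage("447701000002", "491701000000", ANY_TIME_INTERROGATION),   # ATI without agreement
    MapMessage("336121000000", "491701000000", SEND_ROUTING_INFO_FOR_SM), # SRI-SM from non-SMS partner
]

if __name__ == "__main__":
    decisions, lines = filter_batch(SAMPLE)
    print(decisions)
    print("\n".join(lines))
```

The rule order matters: the whitelist check runs first so that a spoofed source is always reported as Category 1 regardless of what operation it carries, and the ATI exception is keyed on the exact partner GT named in the bilateral agreement rather than on a prefix.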
2b – Diameter (DEA) Filtering
Origin-Host / Origin-Realm validation: All Diameter messages from external peers are validated against a provisioned whitelist of authorized Origin-Host / Origin-Realm pairs
S6a ULR from unauthorized peers: Update-Location-Requests from unrecognized Diameter hosts are rejected with DIAMETER_UNABLE_TO_DELIVER
S6a SAR (Server Assignment): Unauthorized SAR messages from external DEAs are blocked to prevent subscriber profile manipulation
Diameter category filtering per Q.3066: The Category 1/2/3 filtering applied to SS7 MAP is applied equivalently at the DEA for the Diameter protocol
2c – Signaling Authentication (Q.3062)
mTLS for Diameter peers: All external Diameter peers authenticate via mutual TLS (certificates); anonymous TLS connections are rejected
Q.3062 HMAC / token enforcement: Where supported, signaling messages include authentication tokens (HMAC-SHA or equivalent) that are verified before message processing
SEPP (N32) mTLS for 5G: All inter-PLMN 5G signaling transits the SEPP; N32 interface uses mutual TLS with operator-issued certificates
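The mTLS item in 2c and the Origin-Host / Origin-Realm item in 2b are really one control: the peer must present a certificate, and the identity in that certificate must be the identity it claims in the Capabilities-Exchange-Request. The following added example (not the checklist's or any vendor's code) hardens a Python ssl server context the way 2c requires (client certificate mandatory, TLS 1.3 minimum, which is also the N32 minimum in Section 4, no anonymous or NULL suites), provides an audit function that checks a context against those settings, and binds the authenticated certificate's DNS SAN to the provisioned Origin-Host whitelist. The peer list, file paths and certificate dictionary are constructed.

```python
# Added example (not the checklist's or any vendor's code): hardens a TLS
# listener context for external Diameter peers as 2c requires and binds the
# authenticated certificate to the Origin-Host/Origin-Realm whitelist from 2b.
# The peer list and certificate dictionaries are constructed.
import ssl

# Constructed: provisioned (Origin-Host, Origin-Realm) pairs of authorized external DEAs
AUTHORIZED_PEERS = {
    ("dea1.epc.mnc070.mcc234.3gppnetwork.org", "epc.mnc070.mcc234.3gppnetwork.org"),
    ("dea2.epc.mnc012.mcc208.3gppnetwork.org", "epc.mnc012.mcc208.3gppnetwork.org"),
}

def harden_context(ctx):
    """Apply the 2c settings to an existing server-side SSLContext."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # no TLS 1.2 fallback unless agreed separately
    ctx.verify_mode = ssl.CERT_REQUIRED            # a peer that presents no certificate is rejected
    ctx.check_hostname = False                     # server side; identity is bound in authorize_peer()
    return ctx

def new_listener_context():
    """Hardened context before the operator's CA bundle and own cert/key are loaded."""
    return harden_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))

def build_peer_context(ca_bundle, certfile, keyfile):
    """Full listener context; the paths are assumptions for the operator's PKI material."""
    ctx = new_listener_context()
    ctx.load_verify_locations(cafile=ca_bundle)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx

def context_is_compliant(ctx):
    """Audit check: True only if the context meets the 2c / Section 4 TLS requirements."""
    if ctx.minimum_version != ssl.TLSVersion.TLSv1_3:
        return False
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        return False
    for cipher in ctx.get_ciphers():  # no anonymous (ADH/AECDH) or NULL suites offered
        name = cipher["name"]
        if "NULL" in name or name.startswith(("ADH", "AECDH")):
            return False
    return True

def peer_dns_names(cert):
    """DNS SANs from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}

def authorize_peer(cert, origin_host, origin_realm):
    """Accept a CER only if the claimed identity is provisioned and the
    certificate the peer authenticated with actually carries that name."""
    if (origin_host, origin_realm) not in AUTHORIZED_PEERS:
        return False, "Origin-Host/Origin-Realm not provisioned"
    if origin_host not in peer_dns_names(cert):
        return False, "certificate SAN does not match Origin-Host"
    return True, "peer authorized"

# Constructed: what getpeercert() would return for partner A after a successful handshake
SAMPLE_CERT = {
    "subject": ((("commonName", "dea1.epc.mnc070.mcc234.3gppnetwork.org"),),),
    "subjectAltName": (("DNS", "dea1.epc.mnc070.mcc234.3gppnetwork.org"),),
}
```

The second check in authorize_peer is the one most often missing in practice: a peer that holds any certificate from the trusted CA must not be able to claim a different, provisioned partner's Origin-Host.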
Section 3 – Vulnerability Verification (Penetration Test Items)
SS7 ATI spoofing test: Send MAP AnyTimeInterrogation from a test peer with spoofed source GT → Expected: Blocked and logged by signaling firewall; no MSISDN/IMSI location returned
SS7 SRI-SM intercept test: Send MAP SRI-SM from unauthorized source GT → Expected: Rejected; no routing number returned to unauthorized peer
SS7 RegisterSS hijacking test: Send MAP RegisterSS (call forwarding) from external peer for a local subscriber → Expected: Rejected by Category 3 filter
Diameter ULR injection test: Send Update-Location-Request from an unauthorized Diameter host → Expected: DIAMETER_UNABLE_TO_DELIVER; no authentication vectors leaked
Replay protection test: Capture and replay a valid MAP UpdateLocation message → Expected: Detected and blocked (sequence number / timestamp validation)
Resource exhaustion test: Simulate signaling storm (SCTP flood) at 10× normal BHCR → Expected: CPU/Memory within acceptable bounds; critical services unaffected; alarm triggered
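The replay test above passes only if the firewall actually keeps state, and the 2c token item says what that state should be anchored to. The following added example (an illustration, not the Q.3062 message format and not code from the checklist) shows the receiver-side logic: a per-peer HMAC-SHA256 token over the message fields including a timestamp and a sequence number, a freshness window, and a replay cache keyed on (peer, sequence number) that is pruned once an entry could no longer pass the freshness check. Peer keys, the window size and the sample UpdateLocation are constructed.

```python
# Added example (illustration only; not the Q.3062 message format, and not
# code from the checklist): a per-peer HMAC token carrying a timestamp and a
# sequence number, verified as 2c describes, plus the freshness window and
# replay cache the Section 3 replay test expects. Keys and messages are constructed.
import hashlib
import hmac

# Constructed: per-peer shared secrets (a real deployment would provision these
# out of band or derive them from the Q.3062 procedures)
PEER_KEYS = {"447701000001": b"example-shared-secret-partner-a"}
FRESHNESS_WINDOW_S = 30  # constructed: accepted clock skew plus transit delay, in seconds

def compute_token(key, calling_gt, opcode, seq, ts, payload):
    """HMAC-SHA256 over every field a replayed or altered message would have to preserve."""
    data = b"|".join([calling_gt.encode(), str(opcode).encode(), str(seq).encode(),
                      str(ts).encode(), payload])
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def make_message(calling_gt, opcode, seq, ts, payload):
    """Constructed sender side: what a peer holding the key would transmit."""
    token = compute_token(PEER_KEYS[calling_gt], calling_gt, opcode, seq, ts, payload)
    return {"calling_gt": calling_gt, "opcode": opcode, "seq": seq, "ts": ts,
            "payload": payload, "token": token}

class ReplayGuard:
    """Receiver side: token check, freshness window, and (peer, seq) replay cache."""

    def __init__(self, window=FRESHNESS_WINDOW_S):
        self.window = window
        self.seen = {}  # (calling_gt, seq) -> ts, kept while the window could still accept it

    def check(self, msg, now):
        key = PEER_KEYS.get(msg["calling_gt"])
        if key is None:
            return False, "no key provisioned for peer"
        if abs(now - msg["ts"]) > self.window:
            return False, "timestamp outside freshness window"
        expected = compute_token(key, msg["calling_gt"], msg["opcode"], msg["seq"],
                                 msg["ts"], msg["payload"])
        if not hmac.compare_digest(expected, msg["token"]):
            return False, "token verification failed"
        cache_key = (msg["calling_gt"], msg["seq"])
        if cache_key in self.seen:
            return False, "replay: sequence number already accepted"
        self.seen[cache_key] = msg["ts"]
        self._expire(now)
        return True, "accepted"

    def _expire(self, now):
        # Drop entries whose timestamp could no longer pass the freshness check anyway
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}

# Constructed: one UpdateLocation (MAP opcode 2) from partner A sent at t=1000
ORIGINAL = make_message("447701000001", 2, seq=17, ts=1000, payload=b"IMSI=262011234567890")
```

The freshness check runs before the HMAC so that stale captures are discarded cheaply, and the cache only needs to remember sequence numbers for one window, because anything older fails the timestamp check regardless of whether it was seen before.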
Section 4 – 5G Signaling (Q.3057 / TS 33.501)
SEPP is deployed on all N32 interfaces: No direct HTTP/2 SBA API exposure to external PLMNs without SEPP mediation
N32 TLS version: TLS 1.3 with PFS cipher suites is enforced on all SEPP N32 connections; TLS 1.2 is permitted only where TLS 1.3 is unavailable, and then only with the agreed cipher suites
OAuth2 access tokens: All SBA API calls between internal NFs carry valid OAuth2 access tokens issued by the NRF
Token scope enforcement: NFs verify that received OAuth2 tokens have explicit scope for the requested operation (e.g., AMF → UDM: nudr-dr scope only)
NAS security: AMF enforces NIA0 (null integrity) prohibition; NAS integrity protection is mandatory for all UEs per TS 33.501 §6.7
Section 5 – Compliance Evidence
Log retention: Signaling transaction logs (SS7, Diameter, SEPP N32) are retained for ≥90 days in a tamper-proof, access-controlled log store
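The two OAuth2 items in this section are a producer-side check, and the scope item in particular fails quietly when an NF only verifies the signature. The following added example (not the checklist's, the NRF's, or any NF vendor's code) shows the full check on a compact JWT access token: algorithm pinning, signature, expiry, audience, and the explicit scope for the requested service. TS 33.501 lets the NRF protect the token with a digital signature or a MAC; HS256 with a constructed secret is used here only so the example runs stand-alone, and every claim value is constructed.

```python
# Added example (not the checklist's, the NRF's, or any NF vendor's code): the
# producer-side token check from Section 4 on a JWT access token. HS256 with a
# constructed secret stands in for the NRF's signing key so the block runs
# offline; claim values are constructed.
import base64
import hashlib
import hmac
import json

NRF_SECRET = b"example-nrf-token-key"  # constructed

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims, secret=NRF_SECRET):
    """NRF side (constructed): mint a compact JWT over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_scope(token, required_scope, my_nf_type, now, secret=NRF_SECRET):
    """Producer NF side: reject unless alg, signature, expiry, audience and
    the explicit scope for the requested service all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        if header.get("alg") != "HS256":  # never let the token pick its own algorithm
            return False, "unexpected alg"
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return False, "bad signature"
        claims = json.loads(_unb64url(body_b64))
    except (ValueError, TypeError):
        return False, "undecodable token"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    audience = claims.get("aud", [])
    audience = audience if isinstance(audience, list) else [audience]
    if my_nf_type not in audience:
        return False, "audience mismatch"
    granted = claims.get("scope", "").split()
    if required_scope not in granted:
        return False, f"scope {required_scope} not granted"
    return True, "authorized"

# Constructed: a token the NRF issued to an AMF for two UDM services, expiring at t=1600
SAMPLE_TOKEN = issue_token({
    "iss": "nrf.5gc.mnc001.mcc262.3gppnetwork.org",
    "sub": "amf-instance-0001",
    "aud": "UDM",
    "scope": "nudm-sdm nudm-uecm",
    "exp": 1600,
})
```

The caller supplies `now` rather than reading the clock so that the check is deterministic in tests; in a real NF it would be the current time, and the audience check should compare against the NF's own type or instance id exactly as registered with the NRF.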
Alert integration: Signaling Firewall alerts are forwarded to the NOC/SOC SIEM; runbooks exist for SS7 ATI, SRI-SM, and ULR alert categories
Firewall ruleset versioning: Current signaling firewall ruleset is version-controlled in an SCM system; change approval process is documented
GSMA FS.11 / FS.19 compliance: Signaling firewall configuration is cross-referenced against GSMA FS.11 (SS7) and FS.19 (Diameter/GTP) baseline requirements
Incident response drills: SS7 signaling attack simulation has been conducted within the past 12 months; results documented and remediation tracked