The aim of AA Firewall protection is to protect OAM network resources (such as the NMS) from abuse.
Network flooding attacks, malformed packets and port scans are examples of attacks that can be carried out from a compromised eNB or Femto Access Point (FAP).
port scan attacks
Using AA FW stateful session filters, operators can allow traffic only to and from specific IP addresses and port numbers.
For example, an operator can configure AA to allow only traffic that is initiated by the NMS toward the FAPs. A compromised FAP therefore cannot initiate an attack on the NMS infrastructure.
The operator can also limit the type of traffic allowed based on Layer 3 to Layer 7 classification: for example, allow only HTTP with a specific URL or domain, DNS, PTP and FTP (independent of the port number used) and block all other traffic.
flood attacks
The AA ISA provides configurable flow policers that act on FW-permitted sessions. When configured, these policers prevent flooding attacks such as ICMP ping floods, UDP floods, SYN floods, and so on.
These policers provide protection at multiple levels: per system per application or application group, and per FAP (or per NMS) per application or application group.
There are three types of AA ISA policers:
flow setup rate policers to limit the number of new flows
flow count policers to limit the total number of active flows
bandwidth policers to limit the total OAM bandwidth allowed from a FAP toward the NMS
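The following is an added Python model of the session filter and the flow setup-rate and flow-count policers described above; it is illustrative code, not SR OS configuration or Nokia code. The NMS and FAP addresses, the permitted services, the policer limits and the flood burst are all constructed, and the bandwidth policer is not modelled.

```python
from collections import defaultdict, deque

NMS_IP = "10.0.0.10"                                   # constructed NMS address
FAP_IPS = {"10.1.0.1", "10.1.0.2"}                     # constructed FAP/eNB addresses
# Constructed list of services permitted on the OAM path: HTTPS, DNS, PTP event, FTP control
ALLOWED_SERVICES = {("tcp", 443), ("udp", 53), ("udp", 319), ("tcp", 21)}

class OamFirewall:
    """Stateful session filter plus per-FAP flow setup-rate and flow-count policers."""
    def __init__(self, setup_rate=5, max_flows=20, window=1.0):
        self.setup_rate, self.max_flows, self.window = setup_rate, max_flows, window
        self.sessions = set()                  # 5-tuples of sessions the filter has permitted
        self.setups = defaultdict(deque)       # per-FAP timestamps of recent flow setups
        self.active = defaultdict(int)         # per-FAP count of active flows

    def _policed(self, fap, ts):
        """True if admitting one more flow for this FAP would exceed a policer."""
        recent = self.setups[fap]
        while recent and ts - recent[0] >= self.window:  # slide the setup-rate window
            recent.popleft()
        return len(recent) >= self.setup_rate or self.active[fap] >= self.max_flows

    def inspect(self, ts, src, dst, proto, sport, dport):
        """Return 'permit', 'deny' or 'policed' for one packet and update state."""
        fwd, rev = (src, dst, proto, sport, dport), (dst, src, proto, dport, sport)
        if fwd in self.sessions or rev in self.sessions:
            return "permit"                    # established session, either direction
        # New session: only NMS<->FAP on a permitted service may be set up
        nms_to_fap = src == NMS_IP and dst in FAP_IPS
        fap_to_nms = src in FAP_IPS and dst == NMS_IP
        if not (nms_to_fap or fap_to_nms) or (proto, dport) not in ALLOWED_SERVICES:
            return "deny"                      # e.g. a FAP probing an unlisted port or another FAP
        fap = dst if nms_to_fap else src
        if self._policed(fap, ts):
            return "policed"                   # e.g. a compromised FAP opening flows too fast
        self.sessions.add(fwd)
        self.setups[fap].append(ts)
        self.active[fap] += 1
        return "permit"

    def close(self, src, dst, proto, sport, dport):
        """Session teardown releases the flow-count policer slot."""
        key = (src, dst, proto, sport, dport)
        if key in self.sessions:
            self.sessions.discard(key)
            self.active[dst if src == NMS_IP else src] -= 1

def simulate_flood(fw, fap="10.1.0.2", n=10):
    """Constructed burst: one FAP opens n DNS flows toward the NMS within 0.1 s."""
    return [fw.inspect(0.4 + i * 0.01, fap, NMS_IP, "udp", 1000 + i, 53) for i in range(n)]
```

With `setup_rate=3`, `simulate_flood` permits the first three flows of the burst and reports the remaining seven as policed, while FAP-initiated sessions on unlisted ports or toward other FAPs are denied by the filter before any policer is consulted.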
malformed packets attacks
To protect hosts and network resources, AA FW validates IP packets at the IP layer and the TCP/UDP layer to ensure that they are well formed. Invalid packets are discarded (a configurable option). This protects against well-known attacks such as the LAND attack. See Stateful firewall service for a complete description. AA also allows the operator to optionally drop fragmented or out-of-order fragmented IP packets.
In addition, for OAM traffic, all AA functions, including Layer 7 analytics and control and the Application Layer Gateway (ALG), are supported.
For more details on OAM traffic protection, see the AA firewall and DoS protection sections.