Protecting subscribers of a Public Land Mobile Network (PLMN) from Overbilling attacks requires two security devices and involves the NetScreen Gatekeeper Protocol (NSGP) and the NSGP module.
The NSGP module includes two components: the client and the server. ScreenOS 5.0.0 and later releases support the client component of NSGP, which means that you can configure a security device to act as a server, also referred to as a Gi firewall. The client device, also referred to as a GTP (GPRS Tunneling Protocol) firewall, must run ScreenOS 5.0.0 or a later release.
Note: We strongly recommend that you upgrade to the latest ScreenOS release.
NSGP uses Transmission Control Protocol (TCP) and monitors connectivity between a client and server by sending Hello messages at set intervals. NSGP currently only supports the session context, which is a space that holds user-session information, is bound to a security zone, and is identified by a unique number (context ID).
When configuring NSGP on the client and server devices, you must use the same context ID on each device. When the client sends a clear session request to the server, the request must include the context ID and IP address of the server. Upon receiving the clear session request, the server matches the context ID and then clears the session from its table.
You configure NSGP on the GTP firewall to enable it to notify the Gi firewall when a GTP tunnel is deleted. You configure NSGP on the Gi firewall to enable it to automatically clear sessions whenever the Gi firewall gets a notification from the GTP firewall that a GTP tunnel was deleted. By clearing the sessions, the Gi firewall stops the unsolicited traffic.
Enter the necessary information:
Port: Set a port on which the Gi firewall can receive Overbilling Attack notifications. The default is 12521.
MD-5 Authentication: Specify a password to enable the Gi firewall to enforce the MD5 auth option specified in the TCP header. You can only specify one MD5 authentication password per security device.
Note: This option is available only at the root level and not at the vsys level.
Create a context: A context is a space that holds user-session information. The same context ID must exist on both the client and the server devices.
Context ID: Enter a context identification number.
Zone: Select the zone for which you are creating the context.
Hold-off: Specify the time, in seconds, for which an IP address cannot be reused and within which the unintended traffic from the server is denied. The range is 10–600 seconds.
Click Add to save your settings.
To remove a context, click Remove.
Note: Currently, devices support only the session context type.
Click OK to save your settings.
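The following Python model is an added example, not ScreenOS code and not the NSGP wire format: it simulates the Gi firewall (NSGP server) behaviour described above, namely clearing a subscriber's sessions when a clear-session request arrives with a matching context ID, ignoring requests whose context ID does not match, and denying traffic to the released IP address for the configured hold-off period. It assumes the IP address carried in the request identifies the subscriber whose GTP tunnel was deleted, and all addresses, times and the context ID are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class GiFirewall:
    """Minimal model of the Gi-firewall (NSGP server) side of Overbilling protection."""
    context_id: int
    zone: str
    hold_off: int  # seconds an IP stays blocked after its tunnel is deleted
    sessions: dict = field(default_factory=dict)       # (subscriber_ip, peer) -> opened-at
    hold_off_until: dict = field(default_factory=dict)  # subscriber_ip -> expiry time

    def accept_traffic(self, subscriber_ip, peer, now):
        """Return True if traffic for subscriber_ip is allowed; record the session if so."""
        expiry = self.hold_off_until.get(subscriber_ip)
        if expiry is not None:
            if now < expiry:
                return False  # hold-off active: unsolicited traffic to the recycled IP is denied
            del self.hold_off_until[subscriber_ip]  # hold-off expired, IP may be reused
        self.sessions.setdefault((subscriber_ip, peer), now)
        return True

    def clear_session_request(self, context_id, subscriber_ip, now):
        """Handle a clear-session notification from the GTP firewall (NSGP client).

        Returns the number of sessions cleared. A request whose context ID does not
        match this device's context is ignored, which is why both devices must use
        the same context ID.
        """
        if context_id != self.context_id:
            return 0
        victims = [key for key in self.sessions if key[0] == subscriber_ip]
        for key in victims:
            del self.sessions[key]
        self.hold_off_until[subscriber_ip] = now + self.hold_off
        return len(victims)


def simulate():
    """Walk through one Overbilling scenario with constructed addresses and times."""
    fw = GiFirewall(context_id=7, zone="Untrust", hold_off=60)
    # t=0: subscriber A (assumed address 10.1.1.5) opens a session to a server on the Gi side.
    fw.accept_traffic("10.1.1.5", "203.0.113.10", now=0)
    # t=30: A's GTP tunnel is deleted. A request with the wrong context ID is ignored ...
    wrong_ctx = fw.clear_session_request(context_id=9, subscriber_ip="10.1.1.5", now=30)
    # ... while the matching one clears A's session and starts the hold-off timer.
    cleared = fw.clear_session_request(context_id=7, subscriber_ip="10.1.1.5", now=30)
    # t=45: the server keeps sending; 10.1.1.5 is now reassigned to subscriber B, still in hold-off.
    during_hold_off = fw.accept_traffic("10.1.1.5", "203.0.113.10", now=45)
    # t=100: hold-off has expired, so B can use the address normally.
    after_hold_off = fw.accept_traffic("10.1.1.5", "203.0.113.10", now=100)
    return wrong_ctx, cleared, during_hold_off, after_hold_off
```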
The "Interfaces with NSGP (Overbilling) service enabled" table displays interfaces on the security device that have the NSGP Overbilling feature enabled. You can enable this feature on physical Ethernet interfaces only.
To enable the Overbilling feature on a physical interface, you must configure the Interface Service Setting. You can do this in one of the following ways:
Click Interface Service Setting. For more information, see Service Setting.
or
Go to Network > Interfaces > Edit (for the interface on which you want to enable the feature) and enable it on the interface configuration page. For more information, see Interface Configuration.