NSGP Overbilling

Protecting subscribers of a PLMN (Public Land Mobile Network) from Overbilling attacks requires two security devices and involves NSGP (NetScreen Gatekeeper Protocol) and the NSGP module.

NSGP Module

The NSGP module includes two components: the client and the server. This release of ScreenOS supports the client component of NSGP, which means that you can configure a NetScreen device to act as a server, also referred to as a Gi firewall. The client device, also referred to as a GTP (GPRS Tunneling Protocol) firewall, must run the ScreenOS 5.0.0 GPRS firmware (for more information, refer to the ScreenOS 5.0.0 GPRS Reference Guide).

NetScreen Gatekeeper Protocol

NSGP uses the Transmission Control Protocol (TCP) and monitors the connectivity between client and server by sending Hello messages at set intervals. NSGP currently only supports the “session” type of context, which is a space that holds user-session information, is bound to a security zone, and is identified by a unique number (context ID).

When configuring NSGP on the client and server devices, you must use the same context ID on each device. When the client sends a “clear session” request to the server, the request must include the context ID and IP address of the server. Upon receiving the “clear session” message, the server matches the context ID and then clears the session from its table.

You configure NSGP on the GTP firewall to enable it to notify the Gi firewall when a GTP tunnel is deleted, and you configure NSGP on the Gi firewall to enable it to automatically clear sessions whenever it receives a notification from the GTP firewall that a GTP tunnel was deleted. By clearing the sessions, the Gi firewall stops the unsolicited traffic.
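The clear-session handling described above, as an added conceptual model (not ScreenOS code and not the NSGP wire format). The class and function names, the sample addresses and zone, and the rule that the IP address in the request selects sessions by endpoint are assumptions made for illustration. It shows the failure mode behind the matching-context-ID requirement: when the IDs differ, nothing is cleared and the stale session keeps admitting traffic.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Session:
    subscriber_ip: str
    server_ip: str

@dataclass
class GiFirewall:
    contexts: dict = field(default_factory=dict)   # context ID -> zone
    sessions: dict = field(default_factory=dict)   # context ID -> set of Session

    def add_context(self, context_id, zone):
        self.contexts[context_id] = zone
        self.sessions.setdefault(context_id, set())

    def open_session(self, context_id, subscriber_ip, server_ip):
        self.sessions[context_id].add(Session(subscriber_ip, server_ip))

    def handle_clear_session(self, context_id, ip):
        """Return how many sessions were cleared for this request."""
        if context_id not in self.contexts:
            return 0  # context ID does not match: nothing is cleared
        # Assumption: the request's IP selects sessions by either endpoint.
        stale = {s for s in self.sessions[context_id]
                 if ip in (s.subscriber_ip, s.server_ip)}
        self.sessions[context_id] -= stale
        return len(stale)

    def permits_inbound(self, server_ip, subscriber_ip):
        """Inbound traffic passes only if it belongs to an existing session."""
        wanted = Session(subscriber_ip, server_ip)
        return any(wanted in table for table in self.sessions.values())

def demo(gtp_context_id):
    """Tunnel for a subscriber is deleted; the GTP firewall sends a clear
    request using gtp_context_id. Returns (cleared, still_permitted)."""
    gi = GiFirewall()
    gi.add_context(2, "Untrust")                       # constructed sample values
    gi.open_session(2, "10.1.1.5", "203.0.113.9")      # constructed sample values
    cleared = gi.handle_clear_session(gtp_context_id, "10.1.1.5")
    return cleared, gi.permits_inbound("203.0.113.9", "10.1.1.5")

if __name__ == "__main__":
    print("matching context ID:  ", demo(2))
    print("mismatched context ID:", demo(3))
```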

To Configure NSGP

  1. Enter the necessary information: 

Port: Set a port on which the Gi firewall can receive Overbilling Attack notifications. The default port number is 12521.

Md-5 Authentication: Specify a password to enable the Gi firewall to enforce the MD5 auth option specified in the TCP header. You can only specify one MD5 authentication password per NetScreen device.

Note: This option is only available at the root level and not at the vsys level.

Create a context: A context is a space that holds user-session information. The same context ID must exist on both the client and the server devices.

  1. Context ID: Enter a context identification number.

  2. Zone: Select the zone for which you are creating the context.

  3. Click Add to save your settings.

To remove a context, click Remove.

Note: Currently devices only support the “session” type of context.

  2. Click OK to save your settings.

Interfaces with NSGP

The table "Interfaces with NSGP (Overbilling) service enabled" displays which interfaces on the security device have the NSGP Overbilling feature enabled. You can enable this feature on physical Ethernet interfaces only.

To enable the Overbilling feature on a physical interface, you can click Interface Service Setting.

To Enable Overbilling

To enable the Overbilling feature on a physical interface, you can do one of the following:

  1. Click Interface Service Setting. For more information, see Service Setting.

or

  2. You can enable it on the interface configuration page by going to Network > Interfaces > Edit (for the interface on which you want to enable the feature). For more information, see Interface Configuration.