{
"operator_configuration": {
"Home_IMSI_prefixes_comment": "# Home IMSI prefix range of the HPLMN network, used to identify home subscribers",
"Home_IMSI_prefixes": [
"111111"
],
"Home_Diameter_Realm_list_comment": "Operator Diameter Internal Realm list, used to identify incoming and outgoing traffic of HPLMN",
"Home_Diameter_Realm_list": [
"exchange.example.org"
]
},
"sigfw_configuration": {
"sctp": {
"sctp_management_name": "sctp_mgmt",
"sctp_max_in_streams": "32",
"sctp_max_out_streams": "32",
"sctp_server": [
{
"server_name": "sctp_server",
"host_address": "127.0.0.1",
"port": "3869",
"accept_anonymous_associations_comment": "# set true if the FW accepts SCTP associations from a random source port",
"accept_anonymous_associations": "false"
}
],
"sctp_server_association": [
{
"peer_address": "127.0.0.1",
"peer_port": "13868",
"server_name": "sctp_server",
"assoc_name": "sctp_from_client_to_firewall"
}
],
"sctp_association": [
{
"host_address": "127.0.0.1",
"host_port": "13869",
"peer_address": "127.0.0.1",
"peer_port": "3868",
"assoc_name": "sctp_from_firewall_to_server"
}
]
},
"firewall_rules": {
"firewall_rules_comment": "# Firewall filtering rules configuration",
"firewall_policy_comment": "# Allowed value is one from: DROP_SILENTLY, DROP_WITH_DIAMETER_ERROR, DNAT_TO_HONEYPOT, ALLOW",
"firewall_policy": "DROP_SILENTLY",
"diameter": {
"origin_realm_blacklist": [
"blacklisted.example.org"
],
"application_id_whitelist": [
"0",
"16777360",
"16777251"
],
"command_code_blacklist": [
"8388620",
"8388622"
],
"cat2_command_code_blacklist": [
"317",
"319",
"329"
]
},
"lua": {
"lua_comment": "# LUA Blacklist firewall rules. Currently supported LUA variables are: diameter_orig_host, diameter_orig_realm, diameter_dest_host, diameter_dest_realm, diameter_cc, diameter_ai, diameter_imsi, diameter_msisdn",
"blacklist_rules": [
"diameter_orig_realm == 'exchangeClientA.example.org'",
"diameter_orig_realm == 'exchangeClientB.example.org'"
]
},
"ids": {
"ids_comment": "# IDS API. After evaluating the internal firewall rules, the external IDS system can be used to check the message (e.g. Cat3). If not required, remove this ids json block from the config.",
"ids_api_type_comment": "# Type of connector. Currently supported only REST",
"ids_api_type": "REST",
"ids_servers": [
{
"host": "https://localhost:8443/diameterfw_api/1.0/eval_diameter_message_in_ids",
"username": "user",
"password": "password"
}
]
},
"mthreat": {
"mthreat_comment": "# mThreat API. If the message matches the internal firewall or IDS rules, the firewall can report the event in an anonymized way to mThreat. If not required, remove this mthreat json block from the config.",
"mthreat_api_type_comment": "# Type of connector. Currently supported only REST",
"mthreat_api_type": "REST",
"mthreat_salt_comment": "# Change the salt value for unique anonymization",
"mthreat_salt": "XVm4AoKrkicsgEcx",
"mthreat_servers": [
{
"host": "https://127.0.0.1:8444/mthreat_api/1.0/send_diameter_alert_to_mthreat",
"username": "user",
"password": "pass"
}
]
},
"honeypot": {
"honeypot_comment": "# Honeypot configuration. Only used if firewall policy is DNAT_TO_HONEYPOT",
"diameter_host_comment": "# After detecting the message, the firewall will perform DNAT to the following Diameter address.",
"diameter_host": "127.0.0.1",
"diameter_realm": "honeypot.example.org",
"dnat_session_expiration_timeout_comment": "# After matching the firewall or IDS rules, the firewall will apply DNAT to the Diameter address for the defined number of seconds",
"dnat_session_expiration_timeout": "30"
}
},
"encryption_rules": {
"destination_realm_encryption": [
],
"destination_realm_decryption": [
{
"destination_realm": "exchange.example.org",
"public_key_type": "RSA",
"public_key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm/PAsXOj7cjirJsQsiIeHauFNLwBIuM1brkUm3aVXeraDIeJ2BWXmWlKMmX/FRZh4Qhe9mUy6YgwTO8PndWdMDRWMw8vvXJFI7HPJpsNfcBykefSqhr5X4h6HyQr73V8O0U5PtgCBuVoyuOFIj87WFwaLuajHiQgps7NOloeH1wIDAQAB",
"private_key_type": "RSA",
"private_key": "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"
}
],
"autodiscovery_comment": "# If enabled, then the special diameter command code is used to retrieve the foreign SigFW encryption public key.",
"autodiscovery": "true",
"dtls_encryption_comment": "# If dtls_encryption is enabled, then autodiscovery is no longer used; the DTLS handshake in the Diameter protocol is used instead. The truststore and keystore are used for the DTLS handshake. After a successful handshake, DTLS encryption is used. Signature_rules can still be used together with DTLS, but DTLS also provides integrity protection so they are not mandatory.",
"dtls_encryption": "true"
},
"signature_rules": {
"origin_realm_verify": [
{
"origin_realm": "exchange.example.org",
"signing_realm_comment": "Subject name that issues the signature",
"signing_realm": "exchange.example.org",
"public_key_type": "RSA",
"public_key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm/PAsXOj7cjirJsQsiIeHauFNLwBIuM1brkUm3aVXeraDIeJ2BWXmWlKMmX/FRZh4Qhe9mUy6YgwTO8PndWdMDRWMw8vvXJFI7HPJpsNfcBykefSqhr5X4h6HyQr73V8O0U5PtgCBuVoyuOFIj87WFwaLuajHiQgps7NOloeH1wIDAQAB"
}
],
"origin_realm_signing": [
]
}
}
}