(If you don’t know what Diameter is, you may want to start here.)
What is a Diameter penetration test?
You might be familiar with IP based “pen testing”, such as the tests performed on e-commerce websites in the USA to achieve PCI compliance as required by credit card companies. These tests are typically quick, inexpensive, and can be performed remotely over the Internet without physical presence or any physical devices being installed in the network.
A Diameter penetration test, or Diametersecurity audit, is very similar in concept to a PCI compliance test. Through our partnership with multiple mobile operators, we have access to IPX connectivity with Diameter roaming. We will fire various Diameter messages at you from various external sources (trying when possible to test across your multiple SCCP providers, just in case one of them has implemented a cloud-based firewall solution). Sources of the messages will not be disclosed to you in advance, in order to maintain the independence of the test. Messages will replicate dozens of different types of attacks that are known to us, but will only be directed at specific single-purpose test subscriptions on your network, in order not to disrupt or breach privacy of any real subscriber.
We will not perform any network-wide DOS testing, for obvious reasons, unless you have a lab setup against which we can run these more involved tests.
Typically, no direct Diameter connection needs to be established with your network in order to conduct an audit, which keeps audits relatively inexpensive and quick, when compared to the cost and implementation time of a full-blown on-premises firewall solution.
After the test has been concluded, we will provide you with a report of the those vulnerabilities that have been detected on your network, and we will provide directions as to how they can be eliminated. At your option, we can interact with your mobile node vendors in order to facilitate the development and deployment of patches to address the various issues, and perform a rescan at a later time, to confirm that the vulnerabilities have been eliminated.
In some regions of the world, we sell our Diameter penetration testing services through VARs, and if a VAR is available in your area, it is likely that their security experts will be able to present test results to your team in person.
We also perform Diameter penetration tests on behalf of country regulators who wish to raise the issue of Diameter and SS7 vulnerabilities in their country.