TS 29.204 (CT4)
Signalling System No. 7 (SS7)
Security Gateway –
Architecture, Functional Description and Protocol Details

V15.0.0 (PDF)  2018/06  41 p.
V14.0.0  2017/03  41 p.
V13.0.0  2015/12  41 p.
V12.0.0  2014/09  41 p.
V11.0.0  2012/09  41 p.
V10.0.0  2011/04  41 p.
V9.0.0  2009/12  41 p.
V8.0.0  2008/12  41 p.
V7.1.0  2006/10  41 p.

Rapporteur:  Mr. Wiehe, Ulrich

For 3G systems it is a clear goal to be able to protect inter-network SS7 signalling protocols. The protection is done by security gateways which are located at the network border. As a consequence, intra-network SS7 signalling is not protected and network elements other than Security Gateways are not impacted.
This TS provides a functional description of the SS7 Security Gateway. The document also covers network architecture, routeing considerations, and protocol details.
In a PLMN that employs SS7 Security Gateways all TCAP user signalling messages entering or leaving the PLMN have to transit an SS7 Security Gateway which belongs to the PLMN and which performs the protection of leaving (i.e. outbound) messages and the protection checking and de-protection or blocking of entering (i.e. inbound) messages.
One or several SS7 Security Gateways may be employed within a PLMN.
An SS7 Security Gateway may be co-located with any TCAP user NE or it may stand alone. However, for the purpose of this document and without imposing any restrictions, it is assumed that the SS7 Security Gateway is a stand-alone entity.
It is further assumed that the SS7 Security Gateways are located at the border of the PLMN, i.e. inbound messages transit an SS7 Security Gateway before they reach any other node within the PLMN, and outbound messages transit an SS7 Security Gateway immediately before reaching a node outside the PLMN.
SS7 routeing is not impacted by the SS7 Security Gateway Architecture. As a consequence SS7 Security Gateways are stateless at TCAP level: No TCAP dialogue states are maintained in the SS7 Security Gateway since the outbound dialogue request message may transit a different SS7 Security Gateway than the corresponding inbound dialogue response message; similarly the inbound dialogue request message may transit a different SS7 Security Gateway than the corresponding outbound dialogue response message.

