GSMA FS.21, Interconnect Signalling Security Recommendations, is the document that ties together the protocol-specific signalling security guidelines operators already use. Where FS.11 covers SS7, FS.19 covers Diameter and FS.20 covers GTP, FS.21 sits one level up and treats interconnect signalling security as a single discipline: classify the traffic, monitor it, filter it, and keep the controls current as the network spans 2G through 5G. If you run a signalling firewall or a monitoring practice and want the framework that should govern it, FS.21 is the reference to read first.
What GSMA FS.21 is
FS.21 is a GSMA Fraud and Security Group (FASG) document that consolidates interconnect signalling security guidance across the protocols that carry roaming and interconnect traffic. It does not replace the protocol-specific guidelines. It provides the common structure, terminology and recommendations that FS.11 for SS7, FS.19 for Diameter and FS.20 for GTP then apply to each protocol. The message is consistent across all of them: interconnect signalling cannot be trusted by default, so an operator needs to know which messages are legitimate at the network border, monitor what actually arrives, and filter what should never be there.
The reason a cross-protocol document exists is that real networks do not experience these protocols in isolation. A single roaming relationship can involve SS7 MAP for 2G and 3G, Diameter for 4G, and GTP for user-plane and control-plane tunnelling, with messages for the same subscriber crossing more than one of them. Attackers exploit that fragmentation. Treating SS7, Diameter and GTP as separate problems, each owned by a different team with a different tool, is precisely the gap FS.21 is written to close.
Where FS.21 fits in the GSMA FS-series
The FS-series is layered. FS.21 is the cross-protocol interconnect document; the others are the protocol-specific and baseline references that operationalise it.
- FS.11 covers SS7 interconnect security monitoring and firewall guidelines, including the SS7 and MAP message categories that underpin filtering. See our breakdown of GSMA FS.11 and SS7 security.
- FS.19 covers Diameter interconnect security for 4G/LTE and 5G interworking, detailed in our GSMA FS.19 Diameter security post.
- FS.20 covers GTP security, summarised in GSMA FS.20 securing the GTP protocol.
- FS.36 covers 5G interconnect security at the SEPP and N32 boundary; see 5G interconnect security with FS.36.
- FS.31 is the baseline security controls catalogue, including roaming and interconnect controls; see GSMA FS.31 baseline security.
FS.21 is the connective tissue. It is where an operator should start when defining an interconnect signalling security policy, then descend into FS.11, FS.19 and FS.20 for the per-protocol rules.
The core idea: categorise, monitor, filter
FS.21 and its companion documents are built on a simple, durable principle. Every signalling message arriving at the interconnect border can be judged by whether it has any legitimate reason to be there, and that judgement should drive monitoring and filtering decisions.
Message categorisation
The clearest expression of this is the SS7 and MAP message categorisation that FS.11 defines and FS.21 frames at the policy level. Messages fall into broad categories by where they should legitimately originate:
- Messages that should never arrive from an interconnect partner because they only make sense inside a single operator network. These can be blocked outright at the border.
- Messages that should only arrive from the network where the subscriber is currently located, which can be validated against the subscriber state the operator already holds.
- Messages that are expected on interconnects, such as those serving the operator's own outbound roamers, which require more nuanced, stateful checks rather than a flat allow or deny.
The same logic generalises to Diameter and GTP. Not every protocol has an identical three-way split, but the question is always the same: does this message, from this peer, for this subscriber, have a legitimate reason to exist on this interface? That question is the foundation of every signalling firewall rule worth writing.
Monitoring before filtering
FS.21 stresses monitoring, not only blocking. Operators are encouraged to observe interconnect signalling and understand normal patterns before enforcing aggressive filters, because a misconfigured filter can break legitimate roaming and silently degrade service for real subscribers. Monitoring also produces the evidence base for tuning: you cannot safely block category two and three traffic until you understand what your genuine roaming partners actually send. This is why detection capability and filtering capability belong together. Our note on why firewalls still matter for SS7, Diameter and GTP expands on the monitor-then-enforce sequence.
Why interconnect signalling is exposed in the first place
SS7 and the early interconnect protocols were designed for a closed club of trusted operators. That trust assumption no longer holds. Interconnect access can be obtained through leased global titles, compromised partners, and resellers, which means a message reaching your border may not come from the operator the address suggests. We cover that addressing problem in global titles and GT leasing, and the underlying attack classes in understanding SS7 attacks.
Diameter inherited the same architectural optimism in 4G, and GTP adds a user-plane dimension where tunnelling can be abused for denial of service, overbilling and interception. The result is an interconnect surface where every protocol generation carries its own version of the same trust gap. FS.21 exists because the defensive answer has to be coherent across all of them, not bolted on per protocol. For the broader picture, see telecom interconnection security.
How operators apply FS.21 in practice
FS.21 is voluntary guidance rather than a binding mandate, but it maps cleanly onto an operational programme. A practical reading turns into a sequence of steps.
1. Inventory the interconnect surface
Identify every interface where external signalling enters the network: SS7 and SIGTRAN links, Diameter Edge Agents, GTP interfaces, and the 5G SEPP. You cannot apply FS.21 to traffic you cannot see. Many real exposures come from forgotten links and legacy interconnects that no one currently owns.
2. Classify expected traffic per interface
For each interface, define what legitimate traffic looks like by message type, peer and direction, using the categorisation logic above. This is where the protocol-specific documents do the heavy lifting and where FS.11 message categories, FS.19 Diameter guidance and FS.20 GTP guidance become concrete rules.
3. Monitor first, then enforce
Deploy monitoring to validate the classification against reality, identify anomalies, and build confidence before turning on blocking. Stateful checks, such as confirming that a message about a subscriber matches where that subscriber is actually registered, catch abuse that simple message-type filters miss.
4. Keep controls current
Interconnect security is not a one-time project. New roaming partners, new services, network evolution toward 5G standalone, and new attack techniques all change what should be allowed. FS.21 treats this as an ongoing capability, which aligns with the baseline-controls thinking in FS.31.
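The three-way categorisation and the monitor-then-enforce sequence above, sketched as a small policy evaluator. This is an added example, not code from GSMA or from this post's author; the operation labels, peer names, IMSIs and the partner-list check for the third category are all constructed assumptions, and real category assignments come from FS.11, FS.19 and FS.20.

```python
from collections import Counter, namedtuple

# Everything below is constructed for illustration; labels are not FS.11 names.
INTERNAL_ONLY, SERVING_NETWORK, EXPECTED = 1, 2, 3
Message = namedtuple("Message", "operation peer imsi")
# Step 2 output: operation label -> category.
POLICY = {
    "intra_network_query": INTERNAL_ONLY,
    "serving_network_update": SERVING_NETWORK,
    "outbound_roamer_request": EXPECTED,
}
# Subscriber state the operator already holds: IMSI -> network currently serving it.
REGISTERED_AT = {"001010000000001": "partner-a", "001010000000002": "partner-b"}
ROAMING_PARTNERS = {"partner-a", "partner-b"}

def violation(msg):
    """Return a reason string if the message has no legitimate reason to be here."""
    category = POLICY.get(msg.operation)
    if category is None:
        return "unclassified operation"
    if category == INTERNAL_ONLY:
        return "internal-only operation received on interconnect"
    if category == SERVING_NETWORK and REGISTERED_AT.get(msg.imsi) != msg.peer:
        return "peer is not the subscriber's serving network"
    if category == EXPECTED and msg.peer not in ROAMING_PARTNERS:
        return "peer is not a known roaming partner"
    return None

def evaluate(msg, enforce=False):
    """Monitor mode only alerts; enforce mode blocks the same violations."""
    reason = violation(msg)
    verdict = "allow" if reason is None else ("block" if enforce else "alert")
    return verdict, reason

def tuning_report(messages):
    """Count monitor-mode alerts per (peer, reason) to review before enforcing."""
    report = Counter()
    for msg in messages:
        verdict, reason = evaluate(msg, enforce=False)
        if verdict == "alert":
            report[(msg.peer, reason)] += 1
    return report

SAMPLE = [  # constructed traffic
    Message("serving_network_update", "partner-a", "001010000000001"),
    Message("serving_network_update", "unknown-x", "001010000000001"),
    Message("intra_network_query", "partner-b", "001010000000002"),
    Message("outbound_roamer_request", "partner-b", "001010000000002"),
]
```

Running `tuning_report(SAMPLE)` before switching `enforce` on shows which peers would be affected and why, which is the evidence the monitoring step is meant to produce.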
FS.21 and 5G
5G changes the transport but not the principle. The Security Edge Protection Proxy and the N32 interface, covered by FS.36, are the modern expression of the same idea: a controlled, inspectable border between operators where signalling is validated rather than trusted. An operator running a multi-generation network will be enforcing FS.11-style SS7 filtering, FS.19 Diameter controls and FS.36 SEPP protections at the same time, for the same roaming relationships. FS.21 is the policy umbrella that keeps those efforts consistent rather than contradictory.
Key takeaways
- FS.21 is the cross-protocol GSMA FASG document for interconnect signalling security; FS.11, FS.19, FS.20 and FS.36 implement it per protocol.
- Its core principle is categorise, monitor, then filter: judge every message by whether it has a legitimate reason to be at the border.
- Monitoring comes before aggressive blocking, so filters do not break legitimate roaming.
- The guidance is voluntary but maps directly onto a practical programme: inventory the surface, classify expected traffic, monitor, then keep controls current as the network evolves to 5G.