The "gateway" into SS7 is just an IP and port, with little to no security, but the 4 German telecoms have figured out how to filter accesses from outside the network, and block it. It's like the internet was way back when there were little to no firewalls. Remember how SMTP Outgoing messages would be passed from anyone? Then, along came spammers who forced more filtering. Telcos are doing that now, but when it comes to roaming, and other features the SS7 has to deal with, these are very hard to filter out, but "Snort" or other IDS's can be used, they just have to create the IDS rules to block it, much like the internet is today.