Pieter Veenstra, Senior Manager Product Development – Security and Routing
With the wide variety of connected mobile devices surrounding humans in their daily life, hackers have become overly interested in the signaling messages that transfer valuable and personal information. Hence mobile service providers face new decisions for securing their networks and to protect their infrastructures from cyber attacks. Additionally, there’s increase legislation around protecting end user information (e.g. GDPR in Europe).
In recent years mobile operators have faced growing attempts of global criminal organizations to get access to sensitive customer data via signaling protocol attacks with SS7 and Diameter for banking fraud and other criminal acts. The acceleration in the volume and severity of the signaling security incidents are caused by factors such as:
- Attack Surface Expansion: simplified access to the core signaling networks facilitated with the widespread use of IP and internet with their inherent security vulnerabilities.
- Hacking Industrialization: sophisticated attack scenarios developed and executed by global criminal organizations enabled with computing and proliferation of knowledge.
- Solution Fragmentation: increased complexity of networks and service platforms complicated with the coexistence of consecutive technology solutions in parallel stovepipes.
Historically use of the SS7 signaling protocol has seen as inherently secure. It was deemed close to impossible to get a SS7 connection if you didn’t have a license to operate a fixed or mobile network, unfortunately that’s no longer the case, but the standards pre-date this and as such have very little security precautions. To make things worse, the standards have taken the same assumptions when working on Diameter, which is used in the latest generations of mobile networks to replace SS7.
Comprehensive signaling firewalls are needed to secure the SS7 and Diameter signaling networks against today’s sophisticated signaling attacks. Such attack scenarios, and the guidelines for these signaling firewalls, are described in the GSMA standards FS.11 for SS7 and in FS.19 for Diameter.
While this was a good step it looked at the issue at the protocol level which ignores the fact that many attacks today are not limited to only the SS7 protocol or Diameter protocol or even a single interface. Last year GSMA started and completed the work on FS.21 “Using IP network layer information in signaling firewalls”. The multi-protocol protection schemes in the FS.21 standard go beyond a single protocol, and looks at the problem more holistic, taking both the IP transport layers and the signaling protocol layers into account.
It is this very same problem and approach in FS.21 which was the source of the collaboration of Cisco with NetNumber. The combination of both firewall products provides and unique end-to-end security solution:
- Cisco Adaptive Security Virtual Appliance (ASAv) protects up to IP SCTP layer.
- NetNumber TITAN Signaling Firewall protects the application layers above SCTP.
The Cisco IP firewall solution combined with the multi-protocol NetNumber signaling firewall provides enhanced end-to-end protection schemes for the network. For example, IP firewall functions may be valuable in signaling attack scenarios such as port scanning at the IP interconnection, followed by sending Location Update requests in SS7 MAP or Diameter messages to a certain port. In addition, integrating signaling firewall functions and IP firewall functions brings operational deployment and management advantages for mobile operators.
And these days NetNumber is developing some unique complimentary security data capabilities that will radically change the working and protection of signaling firewalls. The effectiveness of a firewall depends highly on both the data used by the filtering logic. If the data is inaccurate, the firewall will be bypassed by risky traffic and may block allowed traffic. This will result in false/positives, customer complaints, and an unwanted high workload for the operational staff to decide on the type of the mitigation action and its execution.
Mobile operators report great difficulty in collecting these data sets. Traditionally mobile operators register their roaming network details in the GSMA RAEX IR.21 database. In reality the information in this IR.21 database is far from complete and not up-to-date. Hackers are aware of these limitations and learned how to bypass signaling firewalls with inadequately provisioned filters. Carriers are helped with an automated provisioning of their firewall rules with these real-time updated industry data sets for the GSMA Cat.1 and Cat.2 filtering rules.
Another fundamental signaling firewall capability refers to the white-/blacklisting of the SS7 and Diameter network elements that are used by the 1000 mobile operators worldwide. Also here mobile operators report great difficulty in collecting and updating the addresses and the role (HLR, HSS, MSC, MME, …) of each signaling node as these details are not always found in the GSMA RAEX IR.21 database. Element Profiling provides the means to overcome this security dilemma by inspecting all signaling traffic to learn what addresses are being active and the specific role of each network element and so Element Profiling that provides:
- Protection against unknown, suspicious elements: New attack vectors can be recognized in real-time as deviations when compared to known, learned profiles. The operator can provision in advance the set of MAP OpCodes per profile that shall be blocked (blacklist) and which set(s) may pass.
- Simplifies firewall operations: Deviations from the profiles can be scored and distributed in a blacklist, greylist, and whitelist, help to reduce false-positives.
- Protection against configuration errors: Element Profiling helps to secure the operator network against fatal configuration errors with early warning of irregular node behavior.