Pieter Veenstra, Senior Manager Product Development – Security and Routing
At the recent GSMA Fraud and Security Group (FASG) meeting in Tokyo, an on-line poll and a roundtable discussion were held following NetNumber's presentation, “Signaling Firewall Implementation – Operational Challenges & Supporting Data Needs”.
The presentation describes what NetNumber learned from implementing its Signaling Firewall in the network of a leading TIER1 Global Mobile Operator Group. The case study discusses the operational challenges a mobile operator encounters in accurately provisioning and updating the filtering rules in the Signaling Firewall.
The effectiveness of the protection a signaling firewall provides depends on both the accuracy and the completeness of the data used by the firewall's filtering rules logic. If the data is inaccurate or incomplete, the firewall will pass potentially risky signaling traffic and will erroneously block wanted traffic. This will result in many false-positive cases, customer complaints, and a high workload for the operational staff who must research every incident that requires action.
The problem particularly applies to international mobile roaming traffic, as it encompasses more than 1000 mobile roaming partners exchanging SS7 and Diameter signaling messages end-to-end, worldwide. This signaling traffic is essential, however: it underlies the information transfer between operators when customers are travelling abroad.
The problem comes down to two fundamental issues that need to be resolved:
- To protect inbound roamers, the visited mobile network needs to implement the GSMA Cat.2 filtering checks as defined in GSMA’s FS.11 (SS7) and FS.19 (Diameter). For SS7 this requires provisioning of both the CC+NDC ranges and the MCC+MNC ranges of all 1000 mobile roaming partners. Operators face great difficulty in collecting and updating this data because it changes frequently and therefore quickly becomes inaccurate.
- A fundamental signaling firewall capability is the white-/blacklisting of the many SS7 and Diameter network nodes that are used by the 1000 mobile operators worldwide. CSPs also report great difficulty in collecting and updating the addresses and the role (HLR, HSS, MSC, MME, …) of each signaling node, as the data available in the GSMA RAEX IR.21 database is inaccurate or missing completely.
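The dependence of the Cat.2 check on provisioned ranges can be shown with a small sketch. This is an added example, not NetNumber's implementation or text from FS.11: it assumes the check compares the operator owning the calling GT (by CC+NDC prefix) with the operator owning the subscriber's IMSI (by MCC+MNC prefix), and that unprovisioned prefixes are blocked. All operator names, prefixes and numbers are constructed.

```python
# Constructed partner data: operator names, prefixes and numbers are invented.
PARTNERS = {
    "OperatorA": {"imsi": ["00101"], "gt": ["99910", "99911"]},
    "OperatorB": {"imsi": ["00102"], "gt": ["99920"]},
}

def owner(digits, table, key):
    """Longest-prefix match of a digit string against one prefix column."""
    best = (0, None)
    for name, rec in table.items():
        for prefix in rec[key]:
            if digits.startswith(prefix) and len(prefix) > best[0]:
                best = (len(prefix), name)
    return best[1]

def cat2_check(imsi, calling_gt, table):
    """Return (verdict, reason) for a message about an inbound roamer."""
    home = owner(imsi, table, "imsi")        # MCC+MNC -> home operator
    sender = owner(calling_gt, table, "gt")  # CC+NDC  -> sending operator
    if home is None:
        return ("block", "IMSI prefix not provisioned")
    if sender is None:
        # Assumed policy: unknown senders are blocked rather than passed.
        return ("block", "calling GT not provisioned")
    if home != sender:
        return ("block", f"GT belongs to {sender}, IMSI to {home}")
    return ("pass", f"GT and IMSI both belong to {home}")

def stale_copy(table, partner, missing_gt):
    """Same table minus one GT range, as if an update was never provisioned."""
    copy = {n: {k: list(v) for k, v in r.items()} for n, r in table.items()}
    copy[partner]["gt"].remove(missing_gt)
    return copy

if __name__ == "__main__":
    imsi = "001010123456789"  # constructed OperatorA subscriber
    stale = stale_copy(PARTNERS, "OperatorA", "99911")
    print("current ", cat2_check(imsi, "999110000001", PARTNERS))
    print("stale   ", cat2_check(imsi, "999110000001", stale))
    print("mismatch", cat2_check(imsi, "999200000001", PARTNERS))
```

The same legitimate message passes against the current table and is blocked against the stale one, which is the false-positive case that drives customer complaints and operational workload.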
NetNumber learned in the use case with the TIER1 Global Mobile Operator Group that for signaling security, comprehensive data sets and address learning techniques are especially needed for the protection of the mobile roaming traffic over SS7 and Diameter:
- Operators need real-time updated filtering data sets for automated provisioning to their signaling firewalls.
- By inspecting all signaling traffic, sophisticated nodal learning techniques provide valuable insights about active signaling nodes and their role in the network.
As a result of the interactive feedback at the GSMA FASG meeting, it was agreed to continue the discussion on these topics. It was agreed that there is a principal problem with accurate filtering data and a need for preventive protection with nodal learning. It was also agreed to discuss the sharing of information between operators about vulnerability incidents and real network data.
In conclusion, the presentation was well received in GSMA FASG and prompted useful feedback during the interactive part. It was an excellent opportunity to create more awareness in the industry of the operational challenges and data needs of a Signaling Firewall, and of the remedies. The accompanying NetNumber whitepaper “Real Time, Automated Data Provisioning and Nodal Learning Essential to Fight Signaling Attack” was also distributed and provides more background details and explanations.