Signaling Security

The Challenge

The security of communication service providers' (CSPs') signaling networks is at risk due to multiple factors, including a new wave of vulnerabilities exposed by roaming over SS7 interconnections. With tens of billions of additional devices connected to the network, the Internet of Things (IoT) represents a critical challenge for operators in terms of signaling and security. Consequently, CSPs need a new, highly secure signaling architecture, protected by a robust multi-protocol signaling firewall.

The NetNumber Solution

NetNumber offers the industry’s most comprehensive multi-protocol signaling firewall on its TITAN platform, providing the same level of firewall capabilities for both SS7 and Diameter. In particular, the NetNumber Signaling Firewall provides effective stateless and stateful protection against all attacks defined by the GSMA Fraud and Security Group and offers the necessary high resilience and performance required for a telco-grade signaling product.

To successfully mitigate some types of attacks, it is essential that the Signaling Firewall has access to the most precise and up-to-date information about its signaling peer nodes in other networks.

Global Data Services (GDS) integrate a comprehensive collection of number portability databases, the Override Service Registry, code range data and other data sets which together describe each phone number with various data points. This rich set of information can be used when defining the Signaling Firewall rules in order to implement specific restrictions that secure the network.

Key Features

Global Data Services
NetNumber’s GDS brings in phone number intelligence which enhances the firewall capabilities and enables it to detect and prevent sophisticated threats.

Enhanced Detection and Prevention
NetNumber’s GDS enables smart message screening within a deployed firewall. The way this works is by implementing additional checks, which validate if the various network nodes are who they pretend to be and if they have the right to send specific signals towards the protected network.

Carrier Grade Platform
The NetNumber Signaling Firewall is a telco-grade, real-time, in-network signaling element built on the widely deployed TITAN Centralized Signaling and Routing Control (CSRC) platform.

Fully Redundant – Managed Service
We operate a fully redundant service which we manage 24×7. This ensures carrier-grade service availability and performance.

Use Cases

GSMA Category 1 Attack Prevention

Certain MAP messages such as Any-Time-Interrogation (ATI) should be blocked if received from a roaming partner. National regulations, however, might require that an operator forwards such requests to the HPLMN of the subscriber if the number has been ported. NetNumber’s GDS enables the Signaling Firewall to check the subscriber MSISDN included in the ATI request, determine whether the MSISDN has been ported or not, and allow the request in that case.

Attack: Location Tracking

The attacker sends a fraudulent MAP ATI request to the subscriber’s HLR, impersonating a gsmSCF.

The HLR returns valuable data to the attacker: subscriber location, subscriber state, IMSI and VMSC. The attacker can reuse the harvested data for subsequent attacks with other MAP requests.

Mitigation with Signaling Firewall

Block the request. According to the GSMA FS.11 specification, there should be no MAP ATI on roaming interfaces.

Using number portability data, check whether the MSISDN has been ported to another operator and, in that case, allow the ATI request to be forwarded.

GSMA Category 2 Attack Prevention

NetNumber’s GDS maintains an up-to-date repository of the valid number ranges of operators. With this information, the Signaling Firewall can perform a detailed check of the complete Calling Global Title against the MCC/MNC of the received IMSI. Only signals whose Calling Global Title (CgGT) matches the MCC/MNC of the IMSI pass the validation.

Attack: Call Interception

The attacker sends a fraudulent insertSubscriberData request to the subscriber’s VMSC, impersonating the subscriber’s HLR.

A malicious O-CSI or T-CSI in the insertSubscriberData request instructs the VMSC to redirect all calls to the attacker, e.g. for listening in or forwarding calls to high-tariff numbers.

Mitigation with Signaling Firewall

Block the request if the IMSI prefix matches the operator's own MCC/MNC, because the VMSC should not receive such external requests for non-roaming subscribers.

Compare the Calling Global Title with the MCC/MNC derived from the IMSI and block the request if there is no match.

  • Prevents GSMA Category 1 attacks with Smart Subscriber Check
  • Prevents GSMA Category 2 attacks with Smart Origin Check
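The two screening rules described in the use cases above (the Category 1 ATI check with a number-portability exception, and the Category 2 Calling Global Title versus IMSI MCC/MNC check) can be expressed as a small rule set over the relevant MAP and SCCP fields. The following is an added illustration, not NetNumber code and not the TITAN platform's rule syntax: the PLMN codes, Global Title prefixes and ported MSISDN are constructed sample data standing in for the GDS number-range and number-portability feeds, and the message structure is a simplified stand-in for decoded MAP/SCCP parameters.

```python
"""Toy screening rules for the Category 1 and Category 2 use cases.

Constructed data (not real operator data) stands in for the GDS
number-portability and operator code-range feeds described on the page.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Constructed: the protected operator's own PLMN (test-network MCC 001, MNC 01).
HOME_PLMN = "00101"

# Constructed stand-in for operator code-range data: PLMN (MCC+MNC) -> the
# Global Title prefixes that operator is allowed to signal from.
PLMN_GT_PREFIXES = {
    "00101": ("1555100", "1555101"),   # home operator (constructed)
    "00102": ("1555200",),             # roaming partner A, 2-digit MNC (constructed)
    "001003": ("1555300",),            # roaming partner B, 3-digit MNC (constructed)
}

# Constructed stand-in for number-portability data: home-range MSISDNs that
# have been ported out to another operator, whose HPLMN must receive the ATI.
PORTED_OUT_MSISDNS = {"15551001234"}


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class MapMessage:
    """Simplified view of one decoded message arriving on the interconnect."""
    operation: str        # MAP operation name, e.g. "anyTimeInterrogation"
    calling_gt: str       # SCCP Calling Party Global Title digits
    imsi: str = ""        # MAP IMSI parameter, if present
    msisdn: str = ""      # MAP MSISDN parameter, if present


def plmn_from_imsi(imsi: str) -> Optional[str]:
    """Extract MCC+MNC from an IMSI.

    The MNC may be 2 or 3 digits, so the prefix is resolved against the
    operator table: a known 6-digit match wins over a 5-digit one.
    """
    for length in (6, 5):
        prefix = imsi[:length]
        if prefix in PLMN_GT_PREFIXES:
            return prefix
    return None


def smart_origin_check(msg: MapMessage) -> bool:
    """Category 2 rule: the Calling GT must belong to the operator that the
    IMSI's MCC/MNC identifies. Unknown PLMNs fail closed."""
    plmn = plmn_from_imsi(msg.imsi)
    if plmn is None:
        return False
    return msg.calling_gt.startswith(PLMN_GT_PREFIXES[plmn])


def screen(msg: MapMessage) -> Tuple[Verdict, str]:
    """Apply the page's two rules and return a verdict with its reason."""
    if msg.operation == "anyTimeInterrogation":
        # Category 1: no ATI on roaming interfaces (GSMA FS.11), except that a
        # request for a ported-out number may be forwarded to the new HPLMN.
        if msg.msisdn in PORTED_OUT_MSISDNS:
            return Verdict.ALLOW, "ATI for ported-out MSISDN forwarded to new HPLMN"
        return Verdict.BLOCK, "ATI received on interconnect (Category 1)"

    if msg.operation == "insertSubscriberData":
        # Category 2: an external HLR has no business provisioning a home
        # subscriber, and any other ISD must come from the IMSI's own operator.
        if plmn_from_imsi(msg.imsi) == HOME_PLMN:
            return Verdict.BLOCK, "ISD for home subscriber from external network"
        if not smart_origin_check(msg):
            return Verdict.BLOCK, "Calling GT does not match IMSI MCC/MNC"
        return Verdict.ALLOW, "ISD from the inbound roamer's home operator"

    return Verdict.ALLOW, "no rule for this operation"


if __name__ == "__main__":
    samples = [  # constructed traffic
        MapMessage("anyTimeInterrogation", "1555200001", msisdn="15551009999"),
        MapMessage("anyTimeInterrogation", "1555200001", msisdn="15551001234"),
        MapMessage("insertSubscriberData", "1555200001", imsi="001020000000001"),
        MapMessage("insertSubscriberData", "1555300001", imsi="001020000000001"),
        MapMessage("insertSubscriberData", "1555200001", imsi="001010000000001"),
    ]
    for m in samples:
        verdict, reason = screen(m)
        print(f"{m.operation:22} from GT {m.calling_gt}: {verdict.value:5} ({reason})")
```

The origin check fails closed when the IMSI prefix is not in the operator table, which is the conservative choice for a rule that gates subscriber-data provisioning; in practice the completeness of that table is exactly what the code-range data feed is for.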