RECOMMENDED PRACTICES
Securing the Gi/SGi Interface in Mobile Networks
Advanced mobile networks are increasingly vulnerable to attacks via the SGi interface, but operators can combat them with a comprehensive set of F5 security tools.
Ryan Davis, Senior Product Management Engineer
Contents
Introduction
The Attack Landscape and How to Respond
UE reconnaissance (sweeps)
UE compromise (bot net attacks)
UE DDoS (billing attacks)
Network element reconnaissance (scans)
NE compromise (malware)
NE DDoS (control storms)
Conclusion
Introduction
The Gi/SGi interface is rapidly becoming one of the most critical points in the mobile
network for operators to secure. Voice, messaging, and gateway services were previously
considered the more important points to secure, but those elements sat more conveniently
on an interior portion of the network or on a circuit-switched network. With mobile data
growing and over-the-top (OTT) services expanding, the security of the customer Internet
edge is now increasingly important, especially since network resources that face the general
Internet are exposed to a far larger set of threats. An effective Internet edge security
posture is required, and that posture needs to be continually monitored and adjusted as
security threats evolve to target consumer devices and service provider network elements.
Legacy ISP-type service providers have traditionally offered minimal subscriber security.
Mobile networks, on the other hand, have traditionally applied a firm security posture
but have lagged in evolving their security systems alongside their transport systems. This is true
for a few reasons. First, in an effort to maintain efficient, low cost, and high performing
service delivery, decision-makers have often dismissed the addition of security mechanisms
as too costly. Second, past mobile devices were not as advanced as the smart devices in
today’s marketplace, and thus they posed a minimal threat as an attack tool. Third,
although offering security as a value-added service for consumer devices appeals to
service providers seeking to increase revenue, not many have had success in selling these
services. Security professionals attribute this to a disconnect between a typical customer’s
understanding of the risks posed by existing threats and the ability of service providers and
the industry to inform customers about those threats.
Service providers are finding that customer device security is actually becoming more and
more of a concern. Security attacks on customer devices and compromises on data traffic
may sometimes be considered small nuisances, but in the hyper-scale terms of mobile
networks, these nuisances can become severe and costly problems. Even greater
concerns for service providers are maintaining security throughout their networks and
using that security to ensure service reliability. Large distributed denial-of-service (DDoS)
attacks that originate from the exterior and the interior of a mobile network have been
responsible for taking down the services of almost all providers. However, many in the
mobile community may be unaware of these attacks due to a reluctance to disclose them.
As these security issues become serious threats and the network infrastructure attack surface
expands with a convergence of data transfer into packet-switched networks, Gi/SGi security is
now an absolute requirement for business continuity in all service provider networks. The F5
suite of security software solutions, which are delivered on top of the high performance and
highly programmable F5® BIG-IP® platforms, includes BIG-IP® Advanced Firewall Manager™
(AFM), BIG-IP® Carrier-Grade NAT (CGNAT), BIG-IP® Policy Enforcement Manager™ (PEM),
and BIG-IP® DNS. These security modules, combined with the extensive set of BIG-IP
system capabilities within the platforms, create a flexible and feature-rich, carrier-class
network firewall that mitigates threats and protects the Gi/SGi interface in advanced
and rapidly evolving mobile networks.
The Attack Landscape and How to Respond
The dominant attacks on the Gi/SGi interface today fall into two groups: those that target
user equipment (UE or devices) and those that target the mobile network infrastructure itself
across the Internet edge. An attack on one group frequently affects the other; in fact, an
attack on one is often discovered only through the collateral damage it causes to the other.
Fortunately, the appropriate security solutions and configurations can be combined to
protect both the mobile network and its customers.
Attacks on or via user equipment
Traditionally, some legacy Internet service providers (ISPs) have mistakenly left the
responsibility for protecting UE to device manufacturers and users. In modern networks,
and especially in mobile networks, this has become a severe problem: many service
providers now find themselves helpless, and suffering serious business damage, when their
customers fail to protect themselves.
UE reconnaissance (sweeps)
Any advanced attack begins with reconnaissance. In cyber-security, this is known as
footprinting a network—understanding how it is constructed, much like creating a map of it.
Reconnaissance gives an attacker much more insight into the least costly, fastest, and
quietest way to compromise the network.
User equipment (UE) reconnaissance has traditionally been considered a nuisance, but
its threat has become more serious over the years. Attackers perform reconnaissance on a
network to find targets and then narrow the search to a particular target vulnerability.
Stateful devices without granular security controls block many of these probes, but each
probe still consumes state, so the same sweep can achieve a secondary compromise by
exhausting the session tables of other stateful devices within the network.
The level of concern has especially risen in the context of machine-to-machine and Internet
of Things security discussions. In this new paradigm, the threats are even more pronounced
in that lightweight IP devices are now available on the network, in large quantities, with low
ability to respond to security incidents themselves. These devices may make reconnaissance
easier for an attacker as well as potentially increase the danger of a self-inflicted denial-of-
service (DoS). Many service providers have realized that blocking these low-level
reconnaissance scans increases available capacity in the network due to resources saved
from spurious traffic.
[Figure 1 diagram: Attacker on the Internet; S/Gi network functions (Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization); EPC (MME, SGW, PGW); eNodeB; Devices.]
Figure 1: UE reconnaissance can be used to target UE or attack network equipment.
Solution
One potential solution for this type of attack is to deploy a carrier-class network firewall
with specific features such as the Device DoS Protection feature in BIG-IP AFM. This feature
limits the number of connections to and from a single source and destination, or to and
from multiple sources or destinations. It also imposes an overall session table limit on the
firewall itself and, because excess connections are dropped at the edge, protects the
session tables of other stateful devices within the mobile network.
Another alternative is to apply geolocation whitelists and blacklists to shrink the Gi/SGi
interface attack surface. With the geolocation feature in BIG-IP AFM, large sections of the
Internet that map to geographic regions or countries can be blocked from initiating any
traffic whatsoever into the network.
[Figure 2 diagram: Attacker and Third-Party Server on the Internet; Carrier-Class Network Firewall on the F5 VIPRION Platform at the S/Gi network; EPC (MME, SGW, PGW); eNodeB; Devices.]
Figure 2: UE reconnaissance can be prevented by BIG-IP AFM.
UE compromise (bot net attacks)
The most common type of attack on UE from the SGi interface is malware propagation.
In this attack, various vulnerabilities that are inherent in UE software are used to install
malicious software onto a device. The attacker’s goal may be to eavesdrop on the device to
extract financial or other sensitive information, or to co-opt the device to initiate attacks on
other targets.
Some less progressive mobile providers have previously relied on their Internet edge NAT44
device to prevent some of these attacks. However, all providers are now moving toward
implementing converged NAT and firewall devices, since NAT44 offers no protection for
IPv6 hosts and very little protection for IPv4 hosts against modern attacks. In fact, most
attacks assume the existence of a network address translation (NAT) device in their path.
[Figure 3 diagram: Attacker and Botnet on the Internet; S/Gi network functions (Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization); EPC (MME, SGW, PGW); eNodeB; Devices.]
Figure 3: UE compromises, like many attacks, can be used to enlist devices in a bot net.
Solution
F5's solutions deployed as a carrier-class network firewall perform stateful L3 and L4
security inspections and provide much stronger protection against UE compromise
than solutions that rely on stateless L3 and L4 access control lists (ACLs), which leave
devices vulnerable to basic attacks. Features within BIG-IP AFM, combined with F5 IP
Intelligence Services, deliver these inspections as a stateful carrier-class firewall.
Although UE may still be compromised through user actions that cannot be prevented,
the combination of BIG-IP AFM and IP Intelligence Services can prevent or limit harm to
the network and further harm to the device. Using these features, operators can apply a
blacklist of IP addresses associated with botnet command-and-control (C&C) infrastructure,
so that a compromised device cannot reach its controller and the controller cannot reach
the device.
[Figure 4 diagram: Attacker and Third-Party Server on the Internet; Carrier-Class Network Firewall on the F5 VIPRION Platform at the S/Gi network; EPC (MME, SGW, PGW); eNodeB; Devices.]
Figure 4: BIG-IP AFM can protect devices from UE compromise attacks.
UE DDoS (billing attacks)
Volumetric attacks have traditionally been used to execute DoS and DDoS attacks
against the UE or provider network. This type of attack includes ICMP, UDP, TCP, or
other floods and is usually focused on reducing service to a device or a series of
devices. Some service providers have put solutions in place that limit the network
infrastructure exposure to DoS attacks, but few have yet focused on also protecting
their customers from these attacks. As networks become larger, however, it is
becoming more cost-effective to deploy additional protections to ensure the quality
of user experience.
While flood protection might cover device availability, DDoS attacks are continuing
to evolve and are being repurposed to cause additional harm to service providers’
businesses. Past attacks were relatively crude, but as service providers added general
network security functionality plus additional bandwidth capacity, many attackers were
unable to truly accomplish their goals. Unsuccessful attacks were simply added to the
category of general Internet noise.
Unfortunately, many of these attacks are no longer mere noise; they are being used to
surreptitiously inflate customer bills. Flippantly, this might be seen as a benefit to the service
provider, but in reality the consequences can be very damaging to customer relationships
and revenue. A large series of such attacks, or even a single attack on an enterprise customer,
can escalate customer service costs, lead to revenue write-offs when the customer cannot
pay, and destroy brand equity through guilt by association.
[Figure 5 diagram: Attacker on the Internet; S/Gi network functions (Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization); EPC (MME, SGW, PGW); eNodeB; Devices.]
Figure 5: UE billing attacks can be costly and irreparably damage customer relationships.
Solution
To defend against this attack, a service provider can deploy specific firewall capabilities that
limit volume based on traffic protocol, port, or application characteristics. Some solutions
can also send alerts when traffic breaches configurable thresholds. Normal traffic speeds
and profiles can be allowed while the solution prevents traffic above a preset threshold,
which reduces the probability of collateral damage when valid traffic is dropped along with
malicious traffic.
The granular Device DoS Protection feature within BIG-IP AFM can be configured to send
alerts or to rate-limit traffic once it reaches the set thresholds. Combined with the Dynamic IP
Blacklisting feature that is also part of BIG-IP AFM, this capability further reduces the load
from traffic that was already blocked but that the attacker keeps reinitiating.
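The threshold behaviour described above (normal traffic passes, an alert fires as a per-subscriber, per-protocol limit is approached, and traffic above the hard limit is dropped so it neither reaches nor is billed to the subscriber) can be modelled with one token bucket per (subscriber, protocol). The following is an added example written for this page; it is not F5 code and does not reproduce how BIG-IP AFM implements Device DoS Protection. The rates, burst sizes, alert fraction, addresses and packets are constructed assumptions.

```python
"""Per-subscriber volumetric limiting with alert and hard thresholds.

Added example (not F5 or BIG-IP code). One token bucket per
(subscriber, protocol): traffic within the bucket is allowed, an alert is
raised once when the remaining burst drops below a fraction of capacity,
and traffic that would overdraw the bucket is dropped. All limits and the
sample packets below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    ts_ms: int     # integer milliseconds so refill arithmetic is exact
    dst: str       # subscriber (inside) address the packet is headed for
    proto: str     # "tcp", "udp" or "icmp"
    size: int      # bytes


@dataclass
class Bucket:
    rate_bps: int        # sustained bytes per second
    capacity: int        # burst allowance in bytes
    tokens: int
    last_ms: int
    alerting: bool = False


# Illustrative per-protocol limits: (bytes per second, burst bytes).
LIMITS = {
    "tcp": (100_000, 200_000),
    "udp": (10_000, 20_000),
    "icmp": (1_000, 2_000),
}
ALERT_FRACTION = 0.25   # alert when fewer than 25% of burst tokens remain


class SubscriberLimiter:
    def __init__(self, limits=LIMITS, alert_fraction=ALERT_FRACTION):
        self.limits = limits
        self.alert_fraction = alert_fraction
        self.buckets = {}
        self.events = []    # (ts_ms, dst, proto, "alert" | "clear")

    def _bucket(self, dst, proto, now):
        key = (dst, proto)
        b = self.buckets.get(key)
        if b is None:
            rate, cap = self.limits[proto]
            b = self.buckets[key] = Bucket(rate, cap, cap, now)
        # Refill with integer arithmetic; never exceed the burst capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.last_ms) * b.rate_bps // 1000)
        b.last_ms = now
        return b

    def observe(self, p: Packet) -> str:
        b = self._bucket(p.dst, p.proto, p.ts_ms)
        if b.tokens >= p.size:
            b.tokens -= p.size
            verdict = "allow"
        else:
            verdict = "drop"    # above the hard limit: not delivered, not billed
        level = int(b.capacity * self.alert_fraction)
        if b.tokens < level and not b.alerting:
            b.alerting = True
            self.events.append((p.ts_ms, p.dst, p.proto, "alert"))
        elif b.tokens >= level and b.alerting:
            b.alerting = False
            self.events.append((p.ts_ms, p.dst, p.proto, "clear"))
        return verdict


def sample_packets():
    """Constructed packets (not captured traffic)."""
    pkts = []
    # Normal TCP browsing to subscriber A: 10 x 1500 B spread over one second.
    pkts += [Packet(i * 100, "100.64.0.10", "tcp", 1500) for i in range(10)]
    # UDP flood aimed at subscriber A: 25 x 1200 B at 100 packets per second.
    pkts += [Packet(1000 + i * 10, "100.64.0.10", "udp", 1200) for i in range(25)]
    # A few pings to subscriber B.
    pkts += [Packet(2000 + i * 500, "100.64.0.11", "icmp", 64) for i in range(3)]
    # Normal UDP (e.g. DNS) to subscriber A well after the flood has stopped.
    pkts.append(Packet(10_000, "100.64.0.10", "udp", 500))
    return pkts


def run(packets, limiter=None):
    """Return (per-packet verdicts in time order, alert/clear events)."""
    lim = limiter or SubscriberLimiter()
    verdicts = [lim.observe(p) for p in sorted(packets, key=lambda p: p.ts_ms)]
    return verdicts, lim.events


if __name__ == "__main__":
    v, ev = run(sample_packets())
    print(v.count("allow"), "allowed,", v.count("drop"), "dropped")
    print(ev)
```

With these numbers the flood is allowed for its first 18 packets (the burst), an alert fires on the 14th as the bucket empties, packets 19 to 25 are dropped, and the later legitimate UDP packet clears the alert because the bucket has refilled. The TCP and ICMP traffic never approaches its limits, which is the point: limits are per protocol and per subscriber, so a UDP flood does not degrade the same subscriber's TCP sessions.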
[Figure 6 diagram: Attacker and Third-Party Server on the Internet; Carrier-Class Network Firewall on the F5 VIPRION Platform at the S/Gi network; EPC (MME, SGW, PGW); eNodeB; Devices.]
Figure 6: UE billing attacks can be thwarted by BIG-IP AFM security features.
Infrastructure attacks
Infrastructure attacks are becoming more common in mobile networks. This can be
attributed to the convergence of data services onto packet switching, as well as to the
growth in public and private espionage led by organized crime and sovereign governments.
The modern mobile network has become a nexus where these interests do battle, attacking
network elements while the service provider incurs the cost. The resulting attacks have
grown so considerably that they have been given the rather on-the-nose name of advanced
persistent threats (APTs).
Network element reconnaissance (scans)
As with UE reconnaissance, network element (NE) reconnaissance is executed to gain
information for initiating an attack on the network. Limiting or preventing access to network
information will make it more difficult for attackers to achieve their objectives.
So how does an attacker accomplish reconnaissance? There are several attack options,
many of which fall into the categories of sweeps or scans. Attackers sweep large sections
of a network to capture information about all the hosts connected to it.
Once individual hosts are located, the attacker scans them to footprint each one and
determine which particular hosts to target for further exploitation. Many of these probes
are executed in stealth mode, so that hosts and networks with inadequate security
measures never notice them.
When the attacker knows which network elements are available for further attack, the
attacker will scan individual UEs or NEs to deduce the operating system and software
versions that are running. This scan gives the attacker the information needed to
understand what software is most vulnerable and appropriate to target for further attack.
With explicit knowledge of a service provider network topology that includes routers,
switches, gateways, and so forth, the attacker can now choose a path to compromise
any desired element.
[Figure 7 diagram: Attacker on the Internet; Switch and Router; S/Gi network functions (Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization); EPC (MME, SGW, PGW); eNodeB; Devices.]
Figure 7: NE reconnaissance gives attackers insight for future assaults.
Solution
Firewall solutions with the ability to block specific connections and geolocations can
increase security against NE reconnaissance. An effective firewall can recognize that one
source is attempting to access too many resources within the network at once. (It should
be noted, however, that while some interfaces of network equipment might not be routable
from the Internet, other interfaces may be.)
The Dynamic IP Blacklisting feature within BIG-IP AFM and F5 IP Intelligence Services
can be combined to prevent attackers from sending spurious traffic into the network.
Mobile service providers have found that simply enabling these features significantly
reduces resource consumption on several elements that were previously processing
sweeps and scans. This ultimately prevents a "death by a thousand cuts" scenario in which
very costly mobile capacity is added merely to absorb malicious traffic.
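The controls described for UE sweeps (under UE reconnaissance above) and for NE scans here are the same mechanism seen from two sides: a per-source limit on how many distinct destinations, or how many distinct ports on one destination, a source may touch within a window, plus a dynamic blacklist so that a source that keeps reinitiating blocked traffic is dropped without creating any further per-flow state. The following is an added example written for this page, not F5 code or an implementation of the BIG-IP AFM features named above. The window, thresholds, blacklist lifetime, addresses and flow records are constructed assumptions.

```python
"""Sweep/scan detection with a dynamic, expiring blacklist.

Added example (not F5 or BIG-IP code). A source is flagged as a sweep when it
reaches more distinct destinations than allowed within the window, and as a
scan when it reaches more distinct ports on one destination. A flagged source
goes on a blacklist with a TTL; while listed it is dropped on the cheapest
path and its per-flow state is discarded. Thresholds and flows are assumptions.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Flow:
    ts: float    # seconds
    src: str
    dst: str
    dport: int


@dataclass
class SweepScanDetector:
    window: float = 60.0          # sliding window in seconds
    max_dsts: int = 20            # distinct destinations per source per window
    max_ports: int = 10           # distinct ports per (source, destination) per window
    blacklist_ttl: float = 600.0  # seconds a flagged source stays blocked
    events: dict = field(default_factory=lambda: defaultdict(deque))  # src -> (ts, dst, port)
    blacklist: dict = field(default_factory=dict)                    # src -> expiry time

    def is_blacklisted(self, src: str, now: float) -> bool:
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:               # entry aged out: forget the source
            del self.blacklist[src]
            return False
        return True

    def _block(self, src: str, now: float, reason: str) -> str:
        self.blacklist[src] = now + self.blacklist_ttl
        self.events.pop(src, None)      # per-flow state is no longer needed
        return reason

    def observe(self, f: Flow) -> str:
        """Return 'allow', 'drop-sweep', 'drop-scan' or 'drop-blacklisted'."""
        if self.is_blacklisted(f.src, f.ts):
            return "drop-blacklisted"   # no counters touched, no state created
        q = self.events[f.src]
        while q and q[0][0] < f.ts - self.window:   # age out old observations
            q.popleft()
        q.append((f.ts, f.dst, f.dport))
        distinct_dsts = {d for _, d, _ in q}
        ports_on_dst = {p for _, d, p in q if d == f.dst}
        if len(distinct_dsts) > self.max_dsts:
            return self._block(f.src, f.ts, "drop-sweep")
        if len(ports_on_dst) > self.max_ports:
            return self._block(f.src, f.ts, "drop-scan")
        return "allow"


def sample_flows():
    """Constructed flow records (not captured traffic)."""
    flows = []
    # Sweep: one source probes port 80 on 30 distinct hosts, one per second.
    flows += [Flow(t, "203.0.113.5", f"10.0.0.{t + 1}", 80) for t in range(30)]
    # Scan: one source walks 15 ports on a single host.
    flows += [Flow(100 + i, "198.51.100.7", "10.0.0.1", 1 + i) for i in range(15)]
    # Legitimate: a subscriber reaching one service a few times.
    flows += [Flow(200 + i, "192.0.2.10", "10.0.0.1", 443) for i in range(5)]
    # The sweeper returns after its blacklist entry has expired.
    flows.append(Flow(1000, "203.0.113.5", "10.0.0.1", 80))
    return flows


def classify(flows, detector=None):
    """Verdict for each flow, in time order."""
    det = detector or SweepScanDetector()
    return [det.observe(f) for f in sorted(flows, key=lambda f: f.ts)]


def summarize(verdicts):
    return dict(Counter(verdicts))


if __name__ == "__main__":
    print(summarize(classify(sample_flows())))
```

The sweeper is allowed its first 20 destinations, blocked on the 21st, and every later flow is dropped from the blacklist without touching the per-source window; the scanner is treated the same way after its 11th port. Once the TTL has passed the sweeper's later flow is evaluated afresh, which is the trade-off a dynamic (rather than static) blacklist makes: it forgets, so thresholds and TTL should be set from observed benign fan-out on the Gi/SGi interface rather than guessed.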
[Figure 8 diagram: Attacker and Third-Party Server on the Internet; Switch and Router; Carrier-Class Network Firewall on the F5 VIPRION Platform at the S/Gi network; EPC (MME, SGW, PGW); eNodeB; Devices.]
Figure 8: NE reconnaissance attacks can be prevented by an F5 carrier-class network firewall with BIG-IP AFM.
NE compromise (malware)
A network element compromise, while less common, can be the most severe compromise
a mobile network can suffer. The attacker attempts to take over critical network elements
to hold the “keys to the kingdom” and use that control to inflict damage. Many network
elements now use the same operating system or core software across different vendors,
platforms, and versions, making it much easier to target a large number of elements when
a software vulnerability is discovered.
While this type of attack can cover a large spectrum—from operating system to application-
specific attacks—almost all have the same objective, which is to maintain control of specific
network elements to facilitate extortion or espionage and to further expand control if
possible. Security professionals may not be fully aware of the actual number of occurrences
of extortion or espionage resulting from these network attacks due to the embarrassment
that would result from the disclosures, but we do know that it happens. While attacks
against service providers may not be as prolific as those against some enterprise networks,
the fallout can be much more severe for a service provider. Low-profile attacks might be
targeted at collecting consumer financial or other sensitive information, but the most critical
consequences will result from espionage on government or corporate information systems
that run on the same mobile network.
[Figure 9 diagram: Attacker on the Internet; Switch and Router; S/Gi network functions (Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization); EPC (MME, SGW, PGW); eNodeB; Devices.]
Figure 9: NE compromise attacks can place an entire mobile network at risk.
Solution
The solution to this type of attack is a network firewall that can perform stateful L3 and L4
inspections and use that state to deny dubious traffic before it reaches the packet gateway.
Even better is L7 inspection of traffic to any routable interface, so that attempts to
compromise the application software on that element can be blocked.
The combination of the F5 VIPRION® system and BIG-IP AFM specifically enables the
carrier-class network firewall to use stateful L3 and L4 inspection to deny traffic from
inappropriate sources and to inappropriate destinations. The F5 solution also enables L7
inspection of traffic to a routable interface that is attempting to compromise the application
software on that element.
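Both this section and the UE compromise solution above rest on the difference between a stateless L3/L4 ACL and stateful inspection. The classic stateless rule for "return traffic", `permit tcp any any established`, admits any inbound TCP segment with the ACK or RST bit set and remembers nothing, so an attacker who simply sets ACK on a probe gets it through to the UE or the element behind the ACL. A stateful filter admits inbound segments only for connections that were opened from the inside and tracked through the handshake. The following is an added example written for this page, not F5 code; the addresses, ports and segments are constructed, and the connection tracking is simplified (no sequence-number checks, no timeouts).

```python
"""Stateless 'established' ACL versus stateful L4 inspection.

Added example (not F5 or BIG-IP code). The stateless model permits inbound
TCP whenever ACK or RST is set; the stateful model keeps a connection table
keyed on (inside address, inside port, outside address, outside port) and
admits inbound segments only for connections opened from the inside.
Addresses, ports and segments are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    inbound: bool      # True = arrives from the Internet on Gi/SGi


def stateless_established_acl(segs):
    """'permit tcp any any established' inbound; outbound unrestricted."""
    verdicts = []
    for s in segs:
        if not s.inbound or s.flags & {"ACK", "RST"}:
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts


class StatefulFilter:
    """Connection table driven by the TCP handshake seen from the inside."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def _key(s):
        return (s.dst, s.dport, s.src, s.sport) if s.inbound else (s.src, s.sport, s.dst, s.dport)

    def observe(self, s):
        k = self._key(s)
        st = self.table.get(k)
        closing = bool(s.flags & {"FIN", "RST"})
        if not s.inbound:
            if st is None and s.flags == {"SYN"}:
                self.table[k] = "SYN_SENT"          # inside host opens a connection
                return "allow"
            if st == "SYN_SENT" and "SYN" in s.flags:
                return "allow"                      # SYN retransmit
            if st == "SYN_RECV" and "ACK" in s.flags:
                self.table[k] = "ESTABLISHED"       # handshake completes
                return "allow"
            if st == "ESTABLISHED":
                if closing:
                    del self.table[k]               # simplified teardown
                return "allow"
            return "deny"
        if st == "SYN_SENT" and {"SYN", "ACK"} <= s.flags:
            self.table[k] = "SYN_RECV"              # peer answered our SYN
            return "allow"
        if st == "ESTABLISHED":
            if closing:
                del self.table[k]
            return "allow"
        return "deny"   # no connection: ACK probes, unsolicited SYNs, spoofed pairs


UE, SRV, ATK = "100.64.0.10", "198.51.100.20", "203.0.113.5"
SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})


def sample_segments():
    """Constructed segments: one legitimate UE session, then three probes."""
    return [
        Seg(UE, 40001, SRV, 443, SYN, False),     # UE opens a connection outbound
        Seg(SRV, 443, UE, 40001, SYNACK, True),   # server answers
        Seg(UE, 40001, SRV, 443, ACK, False),     # handshake completes
        Seg(SRV, 443, UE, 40001, ACK, True),      # data from the server
        Seg(ATK, 31337, UE, 22, ACK, True),       # ACK-scan probe: no connection exists
        Seg(ATK, 31337, UE, 22, SYN, True),       # unsolicited inbound SYN
        Seg(ATK, 443, UE, 40001, ACK, True),      # reuses the UE's port pair, wrong peer
    ]


def compare(segs):
    sf = StatefulFilter()
    return {
        "stateless": stateless_established_acl(segs),
        "stateful": [sf.observe(s) for s in segs],
    }


if __name__ == "__main__":
    for name, verdicts in compare(sample_segments()).items():
        print(name, verdicts)
```

Both models pass the legitimate session. The stateless ACL also passes the ACK-flagged probe and the spoofed port pair, because "established" is a flag test, not a memory of a connection; only the bare SYN is denied. The stateful filter denies all three probes, since none matches a connection opened from the inside. A production stateful firewall additionally validates sequence and acknowledgement numbers within the window and expires idle entries, which is exactly the state that the sweep and session-table limits in the earlier sections exist to protect.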
[Figure 10 diagram: Attacker and Third-Party Server on the Internet; Switch and Router; Carrier-Class Network Firewall on the F5 VIPRION Platform at the S/Gi network; EPC (MME, SGW, PGW); eNodeB; Devices.]
Figure 10: Critical network infrastructure can be protected from NE compromise attacks by the F5 carrier-class network firewall.
NE DDoS (control storms)
DDoS attacks are now the most commonly experienced attack, although they may not
always be noticed or reported. A DDoS is a variant of the classic DoS attack, distributed
across many different, unwitting hosts that the attacker controls. Because the traffic
arrives from many sources, it multiplies state entries in network devices and aggregates
into the highest possible bandwidth impact. DDoS attacks can disable even extremely
high-throughput devices, resulting in a large damage radius.
[Figure 11 diagram: Attacker on the Internet; Switch and Router; S/Gi network functions (Policy Enforcement, Load Balancing, URL Filtering, CGNAT, Legacy Firewall, TCP Optimization); EPC (MME, SGW/PGW); eNodeB; Devices.]
Figure 11: NE DDoS attacks controlled from the Internet but initiated from UE can jeopardize mobile services.
Solution
Service provider strategies for countering DDoS attacks differ. Some mobile service providers
with access to large swaths of inexpensive bandwidth may start by increasing their Internet
edge provisioning to raise the DoS threshold. However, most service providers are not so
fortunate. Other service providers filter for a specific attack farther upstream from the Internet
edge or point of congestion, but this approach can result in very long remediation times, while
the service provider continues to suffer revenue loss due to the attack.
Given the nature of today’s threat landscape, all mobile service providers should deploy a
Gi/SGi firewall device at the Internet edge to ensure the availability of their mobile networks.
When combined with feature-rich F5 security software modules, the extensive capabilities
within the F5 BIG-IP platforms deliver a carrier-class network firewall that can be deployed
as a Gi/SGi firewall. In this critical network footprint, the F5 solution can selectively deny
command-and-control traffic that can harm network resources, while F5 geolocation and IP
Intelligence Services can prevent user equipment from being controlled by an attacker to
become attack hosts.
©2015 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 0216 GUIDE-SEC-SP-55503900-tech-dc-sgi
[Figure 12 diagram: Attacker and Third-Party Server on the Internet; Switch and Router; Carrier-Class Network Firewall on the F5 VIPRION Platform at the S/Gi network; EPC (MME, SGW/PGW); eNodeB; Devices.]
Figure 12: NE DDoS attacks can no longer be initiated from the Internet when BIG-IP AFM is in place.
Conclusion
While in the past some service providers may have mistakenly categorized attacks on
mobile devices as outside the realm of the service provider's responsibility, most now fully
understand the impact of those attacks on their businesses and realize that they must have
tools to prevent them. Attacks targeting user equipment are now firmly within the scope of
concern. At the same time, service providers' primary security concern continues to be
protecting all critical network elements.
Compounding the challenge of ensuring end-to-end security for all service delivery is the
blurring line between user equipment attacks and network element attacks. As a result of this
evolution, service providers need to implement a scalable, advanced, and comprehensive
security framework that protects both their networks and customers while providing tools and
capabilities to address new, ever-more-sophisticated threats as they emerge. Implementing a
strong security posture at the SGi interface is now more critical and challenging than ever,
and mobile service providers require extensive, programmable, and highly scalable security
functions to accommodate their rapidly evolving 4G/5G networks in this network footprint.
The extensive capabilities of the BIG-IP platform combine with the breadth of F5 security
software modules and features to enable service providers to deploy an industry-leading
carrier-class network firewall that ensures a strong and comprehensive security posture in
the Gi-LAN network footprint.
Find more information about carrier-grade F5 security solutions at f5.com/solutions/service-provider.