NetNumber Confidential
Need for 3rd Generation Signaling Firewalls and challenges with NFV
Pieter Veenstra, Senior Product Manager, Signaling Security
Associate Member
NetNumber Overview
• Private company headquartered in Boston, USA
• Founded in 1999
• 11 sales offices globally
• Support offices globally (USA and Netherlands)
• PRODUCTS: TITAN platform & Global Data Services
• 150+ customers (IPX carriers, operators & service providers)
• 350+ TITAN servers deployed across five continents
[Figure: product areas ENUM/DNS, CRE, NFV & IMS Core, Switching/Routing/Data-centric, SDM & Security, covering SS7, DNS, TCAP, ISUP, SIP and Diameter; tagline "Industry Leader in Routing and Number Portability Solutions"]
• February 2016: Finalist, "Best Mobile Technology"
• May 2016: Award, "One to Watch"
• June 2016: Finalist, "Best Core Network Product"
[Figure: TITAN CSRC platform hosting the applications STP, Firewall, DSC, IWF, EIR, AAA, BGCF, CSCF, LRF, Ut Proxy, HLR, DNS/ENUM, CRE, IN SCP, NP and HSS]
CSRC = Centralized Signaling and Routing Control
NetNumber's cost savings solution: radically simplifying signaling and control in the network core
• Business continuity via adding standard applications
• Carrier-grade, NFV-proven solution
• Flexible programmable platform
• Enabler for OSS/BSS simplifications
• Signaling-agnostic service solutions
• Speed of IT into the telecom market
• Less signaling in the core to be ready for IoT/5G
Signaling Security Issues
1. Mobile operators experience serious issues with roaming traffic
 o Decreasing trust level: an increasing variety of roaming partners all over the world
 o Advanced vulnerabilities: increased complexity, with exploits at application level
 o Simplified access to SS7: via manipulated femtocells, Diameter-to-SS7 IWF, etc.
 o Open network model: SS7 and Diameter were not designed with security in mind
2. Increased security awareness and stringent privacy protection
 o Operators are more and more sensitive to the impact and damage of security problems
 o Mid 2017 new EU legislation for data protection will audit (and fine) operators
3. Very different capabilities and strategies of STP and DSC products
 o STP: limited innovation, SS7 Firewall capability with STPs on special hardware
 o DSC: the same for Diameter Firewall capability, with DSCs on special hardware
 o NFV: promoted by suppliers, but with limitations for existing STP and DSC products
Vulnerabilities - Categories
• Personal Information Leakage
• Communication Interception (man-in-the-middle attacks)
 • Communication redirection through premium-rate numbers
 • Intercepting one-time passphrases shared over messaging channels
 • Tricking the handset into automated credit transfer (within countries where allowed)
• Revenue Leakage, examples include:
 • Originator hiding
 • Utilizing communication channels outside of commercial agreements
• Denial of Service (QoS degradation or disruption)
 • Network flooding, denied access for calling and/or messaging, service malfunction
Call Delivery to Roaming Subscriber: essential procedure in support of Mobile Roaming services
[Figure: Home PLMN (GMSC, HLR) and Visited PLMN (VMSC, roaming subscriber "B"); message steps 0 to 5 as listed below]
0. An incoming call to "B" arrives at the GMSC of the Home PLMN (HPLMN).
1. To deliver the call to "B", the GMSC sends a "Send Routing Information" (SRI) request to the HLR with the MSISDN of "B".
2. If "B" is roaming, the HLR sends a "Provide Roaming Number" (PRN) request to the VMSC with the IMSI of "B" and the MSISDN of "B".
3. The VMSC returns a PRN response to the HLR including a "Mobile Station Roaming Number" (MSRN) it has allocated for this call.
4. The HLR returns an SRI response to the GMSC with the MSRN, which also identifies the address of the VMSC.
5. The GMSC in the Home PLMN now routes the call on the MSRN to the VMSC in the Visited PLMN (VPLMN), which delivers it to the roaming "B".
MSRN repeat => Denial of Service on the MSC
[Figure: the same call-delivery flow as above (Home PLMN with GMSC and HLR, Visited PLMN with VMSC and "B", steps 0 to 5), except that step 2, the PRN request, now comes from a Hacker instead of the HLR.]
PRN messages are legitimately used between HLR and VMSC, and the VMSC has no procedure to mistrust them.
a. The Hacker, now playing the role of the HLR, repeats many PRN requests to the VMSC within a 30-45 s period, each asking for an MSRN for "B".
b. The VMSC allocates an MSRN for each request and withholds new incoming calls once its (limited) range of MSRNs is occupied.
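One way a firewall in front of the VMSC can supply the missing "mistrust" for PRN, as an added example (not NetNumber's code, not from the slides): count PRN requests per calling GT and per IMSI over a window equal to the MSRN hold time, deny repeats for the same IMSI and throttle a GT that is tying up the MSRN range. The window length, the thresholds, the GTs and the IMSIs are assumptions; MCC 999 is a test code, not a real operator.

```python
"""Rate guard for MAP ProvideRoamingNumber (PRN) in front of a VMSC.

Added example, not NetNumber's code. It assumes a signaling firewall that
sees every inbound PRN request together with its SCCP calling Global
Title (GT) and the IMSI an MSRN is requested for. The window is taken as
the time an allocated MSRN stays occupied (30-45 s on the slide), so the
number of PRNs seen per window approximates the MSRNs a sender holds.
GT and IMSI values below are constructed (MCC 999 is a test code).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass(frozen=True)
class PrnRequest:
    t: float          # arrival time in seconds
    calling_gt: str   # SCCP calling GT; the sender claims to be an HLR
    imsi: str         # IMSI for which an MSRN is requested


class PrnGuard:
    """PERMIT, THROTTLE or DENY each PRN before it reaches the VMSC."""

    def __init__(self, window_s: float = 45.0, max_per_gt: int = 20,
                 max_per_imsi: int = 2) -> None:
        self.window_s = window_s
        self.max_per_gt = max_per_gt      # MSRNs one HLR GT may hold at once
        self.max_per_imsi = max_per_imsi  # MSRNs one subscriber may hold at once
        self._by_gt: Dict[str, Deque[float]] = defaultdict(deque)
        self._by_imsi: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent(self, q: Deque[float], now: float) -> int:
        """Drop timestamps older than the window and return the count left."""
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def check(self, req: PrnRequest) -> str:
        gt_q = self._by_gt[req.calling_gt]
        imsi_q = self._by_imsi[req.imsi]
        n_gt = self._recent(gt_q, req.t)
        n_imsi = self._recent(imsi_q, req.t)
        # A genuine HLR asks for a new MSRN for the same IMSI only when a new
        # call arrives, so repeated PRNs for one IMSI inside the hold window
        # are the signature of the MSRN-repeat attack: drop them.
        if n_imsi >= self.max_per_imsi:
            return "DENY"
        # A genuine HLR serves many subscribers, so its budget is larger, but
        # beyond it the sender is tying up the VMSC's MSRN range: throttle.
        if n_gt >= self.max_per_gt:
            return "THROTTLE"
        gt_q.append(req.t)
        imsi_q.append(req.t)
        return "PERMIT"


def demo() -> List[str]:
    """Constructed traffic: normal calls, the attack, then a GT-level flood."""
    g = PrnGuard(max_per_gt=10, max_per_imsi=2)
    out: List[str] = []
    # Five subscribers each get one incoming call via HLR GT 99955100001.
    for i in range(5):
        out.append(g.check(PrnRequest(float(i), "99955100001", f"99901000000000{i}")))
    # Attack: the same IMSI is asked for an MSRN four times within seconds.
    for i in range(4):
        out.append(g.check(PrnRequest(10.0 + i, "99955100001", "999010000000000")))
    # Flood from another GT with distinct IMSIs: budget of 10 per window.
    for i in range(12):
        out.append(g.check(PrnRequest(20.0 + i, "99966200001", f"99902000000{i:04d}")))
    # Same first GT 70 s later: the window has slid, so traffic is normal again.
    out.append(g.check(PrnRequest(70.0, "99955100001", "999010000000009")))
    return out


if __name__ == "__main__":
    print(demo())
```

The calling GT is attacker-controlled on SS7, so the per-GT budget alone can be dodged by spoofing a real HLR's GT; the per-IMSI rule still catches the repeat, which is why both counters are kept.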
Evolution steps Signaling Firewalls
1998 – 1st wave: SS7 STP vulnerabilities
• Fast growth of SS7 interconnects for mobile roaming
• MTP and SCCP screening on OPC/DPC, incoming linkset, etc.
2008 – 2nd wave: SS7/Diameter vulnerabilities
• More intelligent exploits, with further openings via IP
• Screening on message type, MAP/CAP operation codes, etc. to secure mobile roaming traffic
• Prevention against IP security issues such as DDoS
Today – 3rd wave: Mobile service vulnerabilities
• Exploits combining sensitive information hunted down via a combination of operations and network elements
• Big Data analytics for surveillance and threat detection
Multi-Protocol Signaling Firewall needed!
Overview of Attacker Paths in SS7
Many achievements 2015 like
1. Improved LTE and EPC Roaming Guidelines in IR.88, with extra attention for the security aspects of inter-carrier connections
2. Description and classification of SS7 vulnerabilities
 o FS.07 – SS7 and SIGTRAN Network Security
 o FS.11 – SS7 Interconnect Security Monitoring Guidelines
3. Impressive progress on new guidelines for Diameter Roaming Security
but …
Carriers struggle with what/why/when/how
GSMA work item: Requirements for a 3rd Generation Signaling Firewall
GSMA FASG Work Item
1. Rule Set specification in a vendor-agnostic and human-readable 'pseudo-code'
• Initially with focus on the SS7 profiles/vulnerabilities
• Subsequently for the Diameter profiles/vulnerabilities
• Commonalities across these Rule Sets to cover hybrid-protocol profiles/vulnerabilities
• Potentially further enhancements with other protocols like SIP, to be decided later
• The purpose is to provide operators the same type of protection for cat.1, cat.2 and cat.3 vulnerabilities irrespective of the vendor of the Signaling Firewall
2. Logging generation in a vendor-agnostic 'pseudo-code'
• Initially for logging data of the SS7 profiles/vulnerabilities
• Subsequently for logging data of the Diameter profiles/vulnerabilities
• Commonalities across these logging data to cover hybrid-protocol profiles/vulnerabilities
• Potentially further enhancements with other protocols like SIP, to be decided later
• The purpose is to define standard contents and formats of logging data to ease:
 a. the integration between elements of different vendors, independent of the type of interface
 b. the exchange of information between operators about threats and new vulnerabilities
SS7 Rule Example - GT Screening
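The rule example on this slide was a figure that did not survive extraction. As an added example (not NetNumber's code and not the GSMA rule set), the block below shows what a GT-screening rule set in the spirit of the FASG work item looks like when written as ordered, human-readable data rather than vendor syntax, together with the vendor-neutral log record of the work item's second point. The category assignment of the few MAP operation codes listed follows my reading of GSMA FS.11; the operator's own GT range, the partner GT ranges and the IMSI-to-HLR map are constructed values.

```python
"""GT screening of MAP messages arriving over the international interconnect,
written as an ordered, data-driven rule set with a vendor-neutral log record.

Added example, not NetNumber's code and not the GSMA rule set itself. The
category numbers follow my reading of GSMA FS.11 (Cat 1: intra-network only;
Cat 2: only from the home network of an inbound roamer; Cat 3: from the
visited network of an outbound roamer, needing plausibility checks that this
block does not do). Only a few operation codes are listed; the authoritative
list is in FS.11. Own GT range, partner GT ranges and the IMSI-to-HLR map are
constructed values (MCC 999 is a test code).
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# MAP operation codes (3GPP TS 29.002).
UPDATE_LOCATION, CANCEL_LOCATION, PRN, INSERT_SUBSCRIBER_DATA = 2, 3, 4, 7
SEND_AUTH_INFO, SEND_IMSI, PURGE_MS, PSI, ATI = 56, 58, 67, 70, 71

CATEGORY: Dict[int, int] = {
    SEND_IMSI: 1, ATI: 1,
    PRN: 2, INSERT_SUBSCRIBER_DATA: 2, CANCEL_LOCATION: 2, PSI: 2,
    UPDATE_LOCATION: 3, SEND_AUTH_INFO: 3, PURGE_MS: 3,
}

OWN_GT_PREFIX = "99955"                          # constructed: this operator
PARTNER_GT_PREFIXES = ("99966", "99977")         # constructed: roaming partners
IMSI_PLMN_TO_HLR_GT = {"99902": "99966", "99903": "99977"}  # home PLMN -> HLR GT range


@dataclass(frozen=True)
class Msg:
    calling_gt: str        # SCCP calling party GT
    called_gt: str         # SCCP called party GT
    opcode: int            # MAP operation code
    imsi: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Msg], bool]
    action: str            # "PERMIT" or "DENY"


def home_hlr_gt(imsi: Optional[str]) -> Optional[str]:
    """GT range of the HLR that legitimately serves this IMSI, if known."""
    if imsi is None:
        return None
    for n in (5, 6):                   # MNC is 2 or 3 digits
        if imsi[:n] in IMSI_PLMN_TO_HLR_GT:
            return IMSI_PLMN_TO_HLR_GT[imsi[:n]]
    return None


def cat2_origin_mismatch(m: Msg) -> bool:
    """Cat 2 message whose sender is not the HLR range of the IMSI's home PLMN."""
    if CATEGORY.get(m.opcode) != 2:
        return False
    hlr = home_hlr_gt(m.imsi)
    return hlr is None or not m.calling_gt.startswith(hlr)


# Evaluated top to bottom; the first matching rule decides.
RULES: List[Rule] = [
    Rule("cat1-from-interconnect", lambda m: CATEGORY.get(m.opcode) == 1, "DENY"),
    Rule("called-gt-not-own-network", lambda m: not m.called_gt.startswith(OWN_GT_PREFIX), "DENY"),
    Rule("calling-gt-not-partner", lambda m: not m.calling_gt.startswith(PARTNER_GT_PREFIXES), "DENY"),
    Rule("cat2-origin-not-home-hlr", cat2_origin_mismatch, "DENY"),
    Rule("opcode-not-in-rule-set", lambda m: m.opcode not in CATEGORY, "DENY"),
    Rule("default", lambda m: True, "PERMIT"),
]


def log_record(m: Msg, rule: Rule) -> str:
    """One JSON line per decision. The IMSI is masked beyond the PLMN id so
    the record can be shared with other operators without exposing the user."""
    imsi = None if m.imsi is None else m.imsi[:5] + "x" * (len(m.imsi) - 5)
    return json.dumps({"proto": "MAP", "opcode": m.opcode,
                       "category": CATEGORY.get(m.opcode),
                       "calling_gt": m.calling_gt, "called_gt": m.called_gt,
                       "imsi": imsi, "rule": rule.name, "action": rule.action},
                      sort_keys=True)


def screen(m: Msg) -> Dict[str, str]:
    """Apply the rule set and return the action, the rule that fired and the log line."""
    for rule in RULES:
        if rule.match(m):
            return {"action": rule.action, "rule": rule.name, "log": log_record(m, rule)}
    raise RuntimeError("rule set must end with a catch-all rule")
```

Calling GTs are attacker-controlled on SS7, so a rule set like this is the stateless baseline: it stops Cat 1 operations and obvious origin mismatches, while Cat 3 operations (UpdateLocation, PurgeMS, SendAuthenticationInfo) pass here and need the stateful checks described later in the deck.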
[Figure: map of the core-network signaling and control functions (STP, DSC/DRA, SLF, HSS/HLR, EIR, MNP DB, IN SCP, O(F)CS, PCRF, AAA, CRE, BGCF, I/S/P/E-CSCF, TAS, IBCF, MGCF, LRF, GMLC/LoC DB, Ut Proxy, DNS/ENUM) and the interfaces between them: SS7/C7 for CS and PS (MAP, CAP, INAP, ISUP), SIP for IMS and IPX (Gm, Mw, Mi, Mj, Mg, Mx, Ml, Ma, Ici, ISC), Diameter for LTE and WiFi (Cx, Dx, Sh, Dh, S6, S9, S13, S13', SWx, SWm, SWd, Wx, Wm, Wd, Dw, Zh, Rx, Gx, Ro, Rf, Sy, SLg), ENUM/DNS, RADIUS, HTTP (Ut, Ua, Ub) and SOAP (Le).]
Problem – Complexity of Core Networks: no effective Signaling Firewall today with technology-dispersed solutions
Legend: signaling and control functions versus other functions; signaling protocols DNS, Diameter, SIP, SS7, RADIUS, other
[Figure: the same core-network map as on the previous slide, now marking where firewall capability exists today: an SS7 Firewall only as an isolated element with the STP, and a Diameter Firewall only as an isolated element with the DSC/DRA; the HSS and HLR appear as functional elements with essential data that are only partly protected.]
Security – Fragmented Limited Protection: no effective Signaling Firewall today with technology-dispersed solutions
SS7 attacks with Cat.2* and Cat.3* packets act upon user profiles in the HLR and VMSC; similarly in Diameter
*) SS7 attack categories as specified in GSMA FS.07 and FS.11
Legend: signaling and control functions versus other functions; signaling protocols DNS, Diameter, SIP, SS7, RADIUS, other
[Figure: the same core-network map again, now with a multi-element, multi-protocol signaling firewall placed at the STP, HSS, HLR, DSC and DRA, so that each functional element with essential data is locally protected.]
Solution – Distributed Integrated Firewall: adding local firewalls to secure against internal network vulnerabilities
Complete solution against distributed attacks via SS7, via Diameter, and the combination of SS7 and Diameter
Legend: signaling and control functions versus other functions; signaling protocols DNS, Diameter, SIP, SS7, RADIUS, other
Demand – Need for Intelligent Firewalls: typical elements of a 3rd generation Signaling Firewall solution
Signaling Firewall: scalable application with multi-protocol, protocol-agnostic screening, protection and control logic
Supported signaling protocols: SS7, Diameter, DNS, HTTP and SIP
Gateway Screening: allow, block or throttle the traffic based on any combination of parameters in the received message, locally provisioned data, external data and policies
Trust Management: only allow selected primitives across security boundaries, and only allow selected endpoints to communicate with selected primitives
Transaction Consistency: verify that transactions follow the standard flow rather than starting and/or stopping part way through
Plausibility Checking: cross-checking of attributes between protocol layers and between protocols, with interrogation or collection of extra information from internal/external sources
Firewall Consistency: the same configuration layout and syntactic framework to handle all signaling protocols
NetNumber SS7 Firewall: stateful firewall functions
[Figure: three panels. (1) Visited Network A, VLR 1 sends UpdateLocation through the SS7 FW to the Home Network HLR. (2) Visited Network A, VLR 1 later sends PurgeMS through the SS7 FW to the HLR: permitted. (3) Visited Network B, VLR X sends PurgeMS for the same subscriber: not permitted, since the stored VLR number is VLR 1.]
1) Message Monitoring
If an UpdateLocation request is permitted, certain message content is stored/updated in the FW database (IMSI & VLR number).
2) Plausibility Checking
If subsequent requests are received (e.g. PurgeMS), certain message parameters (e.g. IMSI & VLR number) are cross-checked with the FW database to PERMIT or DENY the messages.
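The two functions on this slide, as an added example in code (not NetNumber's implementation): a permitted UpdateLocation stores IMSI to VLR number, and a later PurgeMS is permitted only when its VLR number matches the stored one. Three choices in the block are mine and not stated on the slide: a PurgeMS for an IMSI with no stored location is denied, the MAP vlr-Number parameter is also cross-checked against the SCCP calling GT, and a permitted PurgeMS clears the stored location. Partner GT ranges and all identities are constructed.

```python
"""Stateful UpdateLocation / PurgeMS plausibility check.

Added example, not NetNumber's code. It models the two functions on the
slide: a permitted UpdateLocation stores IMSI -> VLR number in the firewall
database, and a later PurgeMS for that IMSI is permitted only when its VLR
number matches the stored one. Three choices are mine, not the slide's: a
PurgeMS for an IMSI with no stored location is denied, the MAP vlr-Number
parameter is cross-checked against the SCCP calling GT (the cross-layer
check of the "Plausibility Checking" element), and a permitted PurgeMS
clears the stored location. Partner GT ranges and all identities are
constructed (MCC 999 is a test code).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PARTNER_VLR_GT_PREFIXES = ("99966", "99977")   # constructed roaming partners


@dataclass(frozen=True)
class MapMsg:
    opcode: str        # "UpdateLocation" or "PurgeMS"
    calling_gt: str    # SCCP calling GT the message actually came from
    imsi: str
    vlr_number: str    # MAP vlr-Number parameter carried in the message


class StatefulFw:
    def __init__(self) -> None:
        # IMSI -> VLR number of the last permitted UpdateLocation
        self.db: Dict[str, str] = {}

    def handle(self, m: MapMsg) -> Tuple[str, str]:
        """Return (action, reason) for one inbound MAP request."""
        # Cross-layer consistency: the VLR the MAP layer claims to be must
        # be the node the SCCP layer says sent the message.
        if m.vlr_number != m.calling_gt:
            return "DENY", "vlr-Number does not match SCCP calling GT"
        if m.opcode == "UpdateLocation":
            if not m.calling_gt.startswith(PARTNER_VLR_GT_PREFIXES):
                return "DENY", "VLR is not a roaming partner"
            self.db[m.imsi] = m.vlr_number            # 1) message monitoring
            return "PERMIT", "location stored"
        if m.opcode == "PurgeMS":
            stored: Optional[str] = self.db.get(m.imsi)   # 2) plausibility checking
            if stored is None:
                return "DENY", "no location stored for IMSI"
            if stored != m.vlr_number:
                return "DENY", f"IMSI is registered at {stored}, not {m.vlr_number}"
            del self.db[m.imsi]   # purged: a new UpdateLocation is needed first
            return "PERMIT", "VLR matches stored location"
        return "DENY", "opcode not handled by this check"


def demo() -> List[str]:
    """Constructed sequence mirroring the slide: VLR 1 in network A, VLR X in network B."""
    fw = StatefulFw()
    vlr1, vlrx, imsi = "99966100001", "99977900009", "999010123456789"
    seq = [
        MapMsg("UpdateLocation", vlr1, imsi, vlr1),   # PERMIT: location stored
        MapMsg("PurgeMS", vlrx, imsi, vlrx),          # DENY: IMSI is not at VLR X
        MapMsg("PurgeMS", vlrx, imsi, vlr1),          # DENY: claims VLR 1, sent by VLR X
        MapMsg("PurgeMS", vlr1, imsi, vlr1),          # PERMIT: matches stored VLR
        MapMsg("PurgeMS", vlr1, imsi, vlr1),          # DENY: nothing stored any more
        MapMsg("UpdateLocation", "12345", imsi, "12345"),  # DENY: not a partner
    ]
    return [fw.handle(m)[0] for m in seq]


if __name__ == "__main__":
    print(demo())
```

In a real deployment the database is the part that must survive failover, which is why the deployment slides that follow replicate the stored message data between all SS7 FW instances.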
NetNumber SS7 Firewall: typical deployment scenario
[Figure: Site 1 and Site 2, each with a TITAN Master (Primary Master at Site 1, Standby Master at Site 2) and two NetNumber SS7 FW instances on ActiveEdge; SS7 traffic enters each site; data replication between the Masters and the SS7 FW instances.]
• Two identically configured sites, operating in a full geo-redundant mode
• High-available, all-active configuration with two SS7 Firewall instances per site
• Federation of stored message data from the SS7 Firewall to the TITAN Master
• Fully automated data replication from the TITAN Master to all SS7 FW instances
NetNumber SS7 Firewall: deployment scenarios
[Figure: four placements of the SS7 FW relative to the Partner Network, the STP and the Operator Network, as described below.]
Front-End Firewall
• Firewall in-line between partner network & STP
• Firewall forwards/routes permitted traffic to STP or partner network
Integrated Firewall
• Firewall between partner & operator network
• Firewall and STP combined in one node
Overlay Firewall
• STP sends selected traffic to Firewall
• Firewall returns permitted traffic to STP
Back-End Firewall
• Firewall in-line between STP & operator network
• Firewall forwards/routes permitted traffic to operator network or STP
Signaling Firewall on TITAN: central control, distributed logic, multi-protocol
[Figure: Sites X and Y and Sites A and B, each hosting DSC, DRA, HSS/HLR and STP, all under central provisioning and control.]
1. Carrier-grade solution: five 9's in NFV and on COTS hardware
2. Also protection against inside attacks: all signaling traffic can be screened
3. Technology and protocol agnostic: multi-protocol integrated solution
4. Cost-saving investment strategy: existing network elements can be protected as part of the NFV solution
5. Central provisioning and control
Legacy network protection is no hindrance for NFV roll-out
NetNumber Industry Recognition
• April 2015: "Cool Vendor in CSP Infrastructure 2015"
• May 2015: Finalist, "Private Company of the Year"
• February 2016: Finalist, "Best Mobile Technology"
• May 2016: Award, "One to Watch"
• June 2016: Finalist, "Best Core Network Product"