Chuck Wesley James PT Focus Day

www.pt.com www.pt.com

Security Considerations for a

Diameter Signaling Network

Chuck Wesley-James

Director of Signaling Product Management


The proliferation of networks and their

need interconnect creates security

and privacy concerns.

2


Signaling messages exchanged between

networks carry a treasure of information

Subscriber

Roaming

Network Topology

3


More Numerous and Higher bandwidth interconnect facilities utilizing Internet Protocols create the need to Ensure service level agreements between carriers

Ensure and maintain security agreements and procedures

Protect networks and revenue streams from Fraudulent traffic

Unwarranted signaling storms

Loss of business intelligence information

4


Designing Security into the Network

Lessons Learned from IP Networking

SS7

Security focus: Attack vectors

Overload and Denial of Service

Redundancy

Fraudulent Network Use

Todays Focus

(ISC)2 = International Information Systems Security Certification Consortium

CISSP = Certified Information Systems Security Professional

5


Diameter network design is not equal to SS7

However: Many of the problems are

the same

Solutions similar and can use the same infrastructure.

SS7 was NOT safer Sigtran is over IP Gateway Screening needed at

SS7 Network Gateways

Congested SS7 Links Fraudulent SMS

Only as secure as last hop

Diameter is just a new protocol requiring the same care and treatment

SS7/Diameter IWF will be tightly coupled

Learning from SS7

6

Not a New

Problem

Diameter is over IP

SS7 Sigtran is over IP

SS7 LSL are not secure System

Access issues

System Monitoring


Bad News Good News

IP is well known, so there are many malicious

ways to harm it.

IP is well known, so there are many best

practices and commercial solutions

IT department does not always understand

Telco operations.

IT department often knows IP network design

and security.

Open Source community

- Tools for attack


-Tools for detection and prevention

- Best Practices

Few Restrictions on bandwidth mean:

- DoS

- Old SS7 was limited by LSL, not SIGTRAN


- Operations simplification

Ubiquitous IP access leads to

- Mesh networks

- More Attack Points

A core diameter router solves mesh network

issues and provides a central point to stop

problems from propagating.

You should have many of these solutions in

place on the SS7 network already.

Bad News Good News

IP is well known, so there are many malicious

ways to harm it.

IP is well known, so there are many best

practices and solutions.

IT department does not always understand

Telco operations.

IT department often knows IP network design

and security.


- Tools for attack


-Tools for detection and prevention

- Best Practices


- DoS or proliferation of Signaling Storm

- Old SS7 was limited by LSL, not SIGTRAN


- Operations simplification

Ubiquitous IP access leads to

- Mesh networks

- More Attack Points

A core diameter router solves mesh network

issues and provides a central point to stop

problems from propagating.

You should have many of these solutions in

place on the SS7 network already.

Good News / Bad News:

This is an IP network

7


Diameter Level GSMA calls for Diameter

Edge Agent (DEA)

DEA is considered as the only point of contact into and out of an operators network at the Diameter application level.

GSMA IR.88

IP Level 3GPP call for NDS/IP Security Gateway into

network.

Based on IPSec (Tunneling) 3GPP 33.210-c20

8

Edge Agents


Signaling Network Access

IP access Packet Filtering

IPSec

TLS/DTLS

Firewalls

Traffic Level Controls Diameter packets may be numerous and legit

In SS7 we had Gateway Screening In Diameter we must have deep packet inspection

Throttling

Message Discrimination

9


SS7

Expected traffic volumes were usually well understood

Legacy SS7 limited by the capacity of Low Speed TDM links

Sigtran SS7 limited by configured bandwidth and congestion procedures

Diameter

Expected traffic volumes are less predictable

Messages must be replied to, or else they will be retried

Needs bandwidth, congestion and throttling procedures on a per External Peer or Connection basis

Throttling or Rejection based on message type

10

Flow Control and Congestion

Configurable Flow Control

Levels

Configurable Congestion

Levels

Alarms based on defined

levels

Actions based on Message

Priorities


TLS Application to Application over TCP

DTLS Application to Application over SCTP

IPSec System to System

Specifications IETF RFC 6733*

DTLS over IPSec

Disadvantage is that off-board Firewall cant do it.

3GPP 33.210-c20 NDS / IP

IPSec on Security Gateways

Caution: watch expiration times of public key certificates

Encryption

DTLS/TLS

*RFC 6733 replaces 3588 and 5719


Five 9s availability Hardware reliability only as good as how the software uses

it

Local redundancy and Geographical redundancy

Handling of failures of other Network Elements Network Design must include recovery scenarios

Load-share vs Hot-standby Network Design must understand levels: network, system,

card, and software

12

System and Network Redundancy


DNS No Security

DNSSEC / DNSSEC-bis Some security, but no confidentiality

No DoS protection

DNS-Based Authentication of Named Entities (DANE) TLS, DTLS and other with DNSSEC

RFC 6698

NSEC3 Addition of protection from zone enumeration or walking

Prevents retrieval of whole database

No DNS or fixed use of internal and trusted DNS is safer

13

Domain Name Server


Virtualization

Cloud Based DTLS and TLS work in application space

IPSec is less common (system level)

Redundancy Requirements may mean understand the structure of the cloud

System Level Loosely coupled solutions

Databases, Routing

Highly cohesive modules Monitoring, OAM, Job Functionality

14


Each function has its own database

Separation of Edge, Core, and IWF functionality

Benefits Similar security tools

and infrastructure

Allows for network design Containment

Simplifies external firewall rules

15

System Level Virtualization


Interworking Function (IWF) between SS7 or

RADIUS based and Diameter based Interfaces

Could allow for propagation of problems from one

network to another.

DoS

Fraudulent SMS

SS7

GWS from and to application

Diameter / Radius

Packet or Message inspection

IWF Translation Function

16


Hosting both STP and Diameter Router Solutions

within a Single Platform.

STP / Diameter Router

Interworking Function

Shared OAM facilities

Staff training and Operational Simplification

Capital Expense Reduction

Bridging Technologies

Legacy NGN Transparency

17


Diameter increases attack paths

Other issues are the same as SS7

Diameter is just another protocol, but requires

the similar operational infrastructure to SS7

Access control

Monitoring

Message control, discrimination, and routing

18

Conclusions


Switch Filter* Packet Level

IP Sec* System To System

Firewall* Linux IP Chains

Multi IP Address

Redundancy and Modularization Software must support Hardware

Data protection

Local and Geographic

19

Diameter and SS7

Security Summary

IP access Traffic level controls

Network Access

Hardware Software Data Connectivity

System Availability

Protection from Operator Error

Live upgrades

Operational

DTLS/TLS

Application Layer

Diameter Edge Agent / Network Gateways

Limit access to your network

Topology Hiding

Flow Control and Congestion Control storms at the source

Prioritization of Functions

Destination Explicit declaration vs DNS and dynamic discovery

Table Screening Roaming control

Who can send messages to whom

Accounting, Statistics and Monitoring Traffic levels as expected

Access Control RADIUS / PAM

Audit Logs

Password structure/Aging

Packet Filtering, IPSec, and Firewall are

often performed on an external router,

before traffic reaches this network element.

Documents

Chuck Wesley James PT Focus Day