Security Considerations for a Diameter Signaling Network
Chuck Wesley-James, Director of Signaling Product Management, PT (www.pt.com)

Presented at PT Focus Day


  • Slide 2
    The proliferation of networks and their need to interconnect creates security and privacy concerns.

  • Slide 3
    Signaling messages exchanged between networks carry a treasure of information:
    - Subscriber
    - Roaming
    - Network topology

  • Slide 4
    More numerous and higher-bandwidth interconnect facilities utilizing Internet Protocols create the need to:
    - Ensure service level agreements between carriers
    - Ensure and maintain security agreements and procedures
    - Protect networks and revenue streams from fraudulent traffic, unwarranted signaling storms, and loss of business intelligence information

  • Slide 5: Designing Security into the Network
    Lessons learned from IP networking and SS7.
    Security focus:
    - Attack vectors
    - Overload and Denial of Service
    - Redundancy
    - Fraudulent network use
    Today's focus.
    (ISC)2 = International Information Systems Security Certification Consortium
    CISSP = Certified Information Systems Security Professional

  • Slide 6: Learning from SS7 (Not a New Problem)
    Diameter network design is not equal to SS7. However, many of the problems are the same; the solutions are similar and can use the same infrastructure.
    SS7 was NOT safer:
    - Sigtran is over IP
    - Gateway Screening needed at SS7 network gateways
    - Congested SS7 links
    - Fraudulent SMS
    - Only as secure as the last hop
    Diameter is just a new protocol requiring the same care and treatment. The SS7/Diameter IWF will be tightly coupled.
    Not a new problem:
    - Diameter is over IP
    - SS7 Sigtran is over IP
    - SS7 LSL are not secure
    - System access issues
    - System monitoring

  • Slide 7: Good News / Bad News: This is an IP network
    Bad news: IP is well known, so there are many malicious ways to harm it.
    Good news: IP is well known, so there are many best practices and commercial solutions.
    Bad news: The IT department does not always understand telco operations.
    Good news: The IT department often knows IP network design and security.
    Bad news: Open source community - tools for attack.
    Good news: Open source community - tools for detection and prevention, and best practices.
    Bad news: Few restrictions on bandwidth mean DoS or proliferation of signaling storms (old SS7 was limited by LSL, not SIGTRAN).
    Good news: Few restrictions on bandwidth mean operations simplification.
    Bad news: Ubiquitous IP access leads to mesh networks and more attack points.
    Good news: A core Diameter router solves mesh network issues and provides a central point to stop problems from propagating.
    You should have many of these solutions in place on the SS7 network already.

  • Slide 8: Edge Agents
    Diameter level: GSMA calls for a Diameter Edge Agent (DEA). The DEA is considered the only point of contact into and out of an operator's network at the Diameter application level (GSMA IR.88).
    IP level: 3GPP calls for an NDS/IP Security Gateway into the network, based on IPSec tunneling (3GPP 33.210-c20).

  • Slide 9: Signaling Network Access
    IP access:
    - Packet filtering
    - IPSec
    - TLS/DTLS
    - Firewalls
    Traffic level controls: Diameter packets may be numerous and legitimate. In SS7 we had Gateway Screening; in Diameter we must have deep packet inspection.
    - Throttling
    - Message discrimination
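The message discrimination step from the slide above, shown as an added Python example (not from the presentation or any PT product): it decodes the RFC 6733 header fields an edge agent screens on and checks them against a constructed per-peer table of permitted Application-Id/Command-Code pairs, rejecting anything not explicitly allowed. The peer names and the table contents are assumptions for illustration.

```python
import struct

# Result-Code values from RFC 6733, the Diameter base specification cited on the slides.
DIAMETER_COMMAND_UNSUPPORTED = 3001
DIAMETER_APPLICATION_UNSUPPORTED = 3007

def parse_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte Diameter header (RFC 6733 section 3)."""
    if len(pkt) < 20:
        raise ValueError("truncated Diameter header")
    if pkt[0] != 1:
        raise ValueError(f"unsupported Diameter version {pkt[0]}")
    length = int.from_bytes(pkt[1:4], "big")        # 24-bit message length
    flags = pkt[4]                                   # R P E T r r r r
    command = int.from_bytes(pkt[5:8], "big")        # 24-bit Command-Code
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", pkt[8:20])
    return {"length": length, "request": bool(flags & 0x80), "command": command,
            "application_id": app_id, "hop_by_hop": hop_by_hop, "end_to_end": end_to_end}

def build_request(app_id: int, command: int, hop_by_hop: int, end_to_end: int) -> bytes:
    """Constructed sample: a header-only request (no AVPs), enough to exercise screening."""
    return (bytes([1]) + (20).to_bytes(3, "big") + bytes([0x80])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, hop_by_hop, end_to_end))

# Hypothetical screening table for a Diameter Edge Agent: which (Application-Id, Command-Code)
# pairs each external peer may send. Application 0 is the base protocol (257 CER, 280 DWR,
# 282 DPR); 16777251 is S6a/S6d with 316 ULR and 318 AIR (3GPP TS 29.272).
SCREENING_TABLE = {
    "roaming-partner-A": {(0, 257), (0, 280), (0, 282), (16777251, 316), (16777251, 318)},
}

def screen(peer: str, pkt: bytes):
    """Return (allowed, result_code). Anything not explicitly permitted for the peer is rejected."""
    hdr = parse_header(pkt)
    allowed = SCREENING_TABLE.get(peer, set())
    if hdr["application_id"] not in {app for app, _ in allowed}:
        return False, DIAMETER_APPLICATION_UNSUPPORTED
    if (hdr["application_id"], hdr["command"]) not in allowed:
        return False, DIAMETER_COMMAND_UNSUPPORTED
    return True, None
```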

  • Slide 10: Flow Control and Congestion
    SS7:
    - Expected traffic volumes were usually well understood
    - Legacy SS7 limited by the capacity of low-speed TDM links
    - Sigtran SS7 limited by configured bandwidth and congestion procedures
    Diameter:
    - Expected traffic volumes are less predictable
    - Messages must be replied to, or else they will be retried
    - Needs bandwidth, congestion and throttling procedures on a per-external-peer or per-connection basis
    - Throttling or rejection based on message type
    - Configurable flow control levels
    - Configurable congestion levels
    - Alarms based on defined levels
    - Actions based on message priorities
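As an added example (not from the presentation), the per-external-peer throttling with configurable congestion levels and priority-based actions described above, in Python: each peer gets its own token bucket, the bucket fill maps to a congestion level, level changes are recorded as alarms, and under congestion lower-priority message types are rejected with DIAMETER_TOO_BUSY. The rate, the level thresholds and the command-to-priority mapping are assumptions.

```python
from collections import defaultdict

DIAMETER_TOO_BUSY = 3004  # RFC 6733 Result-Code returned when a request is shed

# Constructed message priorities (higher = kept longer under load). 280 DWR is the
# RFC 6733 watchdog; 316 ULR and 318 AIR are S6a commands (3GPP TS 29.272).
PRIORITY = {280: 3, 316: 2, 318: 1}

class PeerThrottle:
    """Per-external-peer token bucket with configurable congestion levels.

    Congestion level 0..3 is derived from the bucket fill; at level n only
    messages with priority >= n are admitted, so low-priority traffic is shed
    first. Each level change for a peer is appended to self.alarms.
    """
    LEVELS = ((0.5, 0), (0.25, 1), (0.1, 2))  # (fill above this threshold, level)

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = float(rate_per_sec), float(burst)
        self.tokens = defaultdict(lambda: self.burst)  # one bucket per peer
        self.last = defaultdict(float)                 # time of last refill per peer
        self.level = defaultdict(int)                  # last reported level per peer
        self.alarms = []                               # (peer, new_level, time)

    def congestion_level(self, peer):
        fill = self.tokens[peer] / self.burst
        for threshold, level in self.LEVELS:
            if fill > threshold:
                return level
        return 3

    def admit(self, peer, command, now):
        """Return (True, None) to forward, or (False, DIAMETER_TOO_BUSY) to reject."""
        # Refill the peer's bucket for the time elapsed since its last message.
        elapsed = now - self.last[peer]
        self.last[peer] = now
        self.tokens[peer] = min(self.burst, self.tokens[peer] + elapsed * self.rate)
        level = self.congestion_level(peer)
        if level != self.level[peer]:
            self.alarms.append((peer, level, now))
            self.level[peer] = level
        if self.tokens[peer] < 1 or PRIORITY.get(command, 0) < level:
            return False, DIAMETER_TOO_BUSY
        self.tokens[peer] -= 1
        return True, None
```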

  • Slide 11: Encryption: DTLS/TLS
    - TLS: application to application over TCP
    - DTLS: application to application over SCTP
    - IPSec: system to system
    Specifications: IETF RFC 6733* (*RFC 6733 replaces 3588 and 5719).
    DTLS over IPSec: the disadvantage is that an off-board firewall can't do it.
    3GPP 33.210-c20 NDS/IP: IPSec on Security Gateways.
    Caution: watch expiration times of public key certificates.

  • Slide 12: System and Network Redundancy
    - Five 9s availability: hardware reliability is only as good as how the software uses it
    - Local redundancy and geographical redundancy
    - Handling of failures of other network elements: network design must include recovery scenarios
    - Load-share vs hot-standby: network design must understand the levels: network, system, card, and software

  • Slide 13: Domain Name Server
    - DNS: no security
    - DNSSEC / DNSSEC-bis: some security, but no confidentiality and no DoS protection
    - DNS-Based Authentication of Named Entities (DANE): TLS, DTLS and others with DNSSEC (RFC 6698)
    - NSEC3: adds protection from zone enumeration or walking; prevents retrieval of the whole database
    No DNS, or fixed use of internal and trusted DNS, is safer.

  • Slide 14: Virtualization
    Cloud based:
    - DTLS and TLS work in application space
    - IPSec is less common (system level)
    - Redundancy requirements may mean understanding the structure of the cloud
    System level:
    - Loosely coupled solutions: databases, routing
    - Highly cohesive modules: monitoring, OAM, job functionality

  • Slide 15: System Level Virtualization
    - Each function has its own database
    - Separation of Edge, Core, and IWF functionality
    Benefits:
    - Similar security tools and infrastructure
    - Allows for network design containment
    - Simplifies external firewall rules

  • Slide 16: IWF Translation Function
    An Interworking Function (IWF) between SS7- or RADIUS-based and Diameter-based interfaces could allow propagation of problems from one network to another: DoS, fraudulent SMS.
    - SS7: GWS from and to the application
    - Diameter / RADIUS: packet or message inspection

  • Slide 17: Bridging Technologies
    Hosting both STP and Diameter Router solutions within a single platform:
    - STP / Diameter Router
    - Interworking Function
    - Shared OAM facilities
    - Staff training and operational simplification
    - Capital expense reduction
    - Legacy NGN transparency

  • Slide 18: Conclusions
    - Diameter increases attack paths
    - Other issues are the same as SS7
    - Diameter is just another protocol, but requires operational infrastructure similar to SS7: access control, monitoring, and message control, discrimination, and routing

  • Slide 19: Diameter and SS7 Security Summary
    Network access:
    - IP access: switch filter* (packet level), IPSec* (system to system), firewall* (Linux IP Chains), multiple IP addresses
    - Traffic level controls
    System availability (hardware, software, data, connectivity):
    - Redundancy and modularization: software must support the hardware
    - Data protection
    - Local and geographic
    Operational:
    - Protection from operator error
    - Live upgrades
    Application layer:
    - DTLS/TLS
    - Diameter Edge Agent / network gateways: limit access to your network; topology hiding
    - Flow control and congestion control: control storms at the source; prioritization of functions
    - Destination: explicit declaration vs DNS and dynamic discovery
    - Table screening: roaming control; who can send messages to whom
    - Accounting, statistics and monitoring: traffic levels as expected
    - Access control: RADIUS / PAM; audit logs; password structure/aging
    * Packet filtering, IPSec, and firewall are often performed on an external router, before traffic reaches this network element.