
Security Considerations for a Diameter Signaling Network

Chuck Wesley-James, Director of Signaling Product Management

www.pt.com

The proliferation of networks and their need to interconnect creates security and privacy concerns.
Signaling messages exchanged between networks carry a treasure of information:
– Subscriber
– Roaming
– Network Topology
More numerous and higher bandwidth interconnect facilities utilizing Internet Protocols create the need to:
– Ensure service level agreements between carriers
– Ensure and maintain security agreements and procedures
– Protect networks and revenue streams from:
  – Fraudulent traffic
  – Unwarranted signaling storms
  – Loss of business intelligence information

Today’s Focus

Designing Security into the Network
Lessons Learned from:
– IP Networking
– SS7
Security focus:
– Attack vectors
– Overload and Denial of Service
– Redundancy
– Fraudulent Network Use

(ISC)² = International Information Systems Security Certification Consortium; CISSP = Certified Information Systems Security Professional

Learning from SS7

Diameter network design is not equal to SS7. However:
– Many of the problems are the same
– Solutions similar and can use the same infrastructure.

[Figure: SS7 System vs. Diameter System – SS7 LSL are not secure; Sigtran is over IP; access issues; Diameter is over IP; monitoring; not a new problem]

SS7 was NOT safer:
– Sigtran is over IP
– Gateway Screening needed at SS7 Network Gateways
– Congested SS7 Links
– Fraudulent SMS
Only as secure as last hop.
Diameter is just a new protocol requiring the same care and treatment.
SS7/Diameter IWF will be tightly coupled.

Good News / Bad News: This is an IP network

Bad News: IP is well known, so there are many malicious ways to harm it.
Good News: IP is well known, so there are many best practices and commercial solutions.

Bad News: IT department does not always understand Telco operations.
Good News: IT department often knows IP network design and security.

Bad News: Open Source community
– Tools for attack
Good News: Open Source community
– Tools for detection and prevention
– Best Practices

Bad News: Few Restrictions on bandwidth mean:
– DoS or proliferation of Signaling Storm
– Old SS7 was limited by LSL, not SIGTRAN
Good News: Few Restrictions on bandwidth mean:
– Operations simplification

Bad News: Ubiquitous IP access leads to:
– Mesh networks
– More Attack Points
Good News: A core diameter router solves mesh network issues and provides a central point to stop problems from propagating.

You should have many of these solutions in place on the SS7 network already.

Edge Agents

Diameter Level
– GSMA calls for Diameter Edge Agent (DEA)
– DEA “is considered as the only point of contact into and out of an operator’s network at the Diameter application level”.
– GSMA IR.88
IP Level
– 3GPP call for NDS/IP
– Security Gateway into network.
– Based on IPSec (Tunneling)
– 3GPP 33.210-c20

Signaling Network Access

IP access
– Packet Filtering
– IPSec
– TLS/DTLS
– Firewalls
Traffic Level Controls
– Diameter packets may be numerous and legit
– In SS7 we had Gateway Screening
– In Diameter we must have deep packet inspection
– Throttling
– Message Discrimination

Flow Control and Congestion

SS7
– Expected traffic volumes were usually well understood
– Legacy SS7 limited by the capacity of Low Speed TDM links
– Sigtran SS7 limited by configured bandwidth and congestion procedures
Diameter
– Expected traffic volumes are less predictable
– Messages must be replied to, or else they will be retried
– Needs bandwidth, congestion and throttling procedures on a per External Peer or Connection basis
– Throttling or Rejection based on message type
– Configurable Flow Control Levels
– Configurable Congestion Levels
– Alarms based on defined levels
– Actions based on Message Priorities
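As an added example (not code from the presentation or from PT's products), the per-peer controls called for on the Signaling Network Access and Flow Control and Congestion slides: table screening by origin realm and command code, a configured message rate per external peer, congestion levels that raise an alarm when crossed, and priority-based rejection that answers the peer instead of silently dropping, since an unanswered request is simply retried. The peer names, rates, thresholds and priority classes are assumptions; the command codes and result code are taken from RFC 6733 and 3GPP TS 29.272.

```python
from dataclasses import dataclass, field

DIAMETER_TOO_BUSY = 3004  # RFC 6733: answer the peer instead of silently dropping

# Priority class per command code, 0 = most important (an assumed policy).
PRIORITY = {280: 0, 282: 0,  # Device-Watchdog, Disconnect-Peer (RFC 6733)
            317: 1,          # Cancel-Location (3GPP TS 29.272)
            316: 2, 318: 2,  # Update-Location, Authentication-Information
            272: 3}          # Credit-Control: bulk traffic, the peer retries it

@dataclass
class PeerPolicy:
    allowed_realms: frozenset    # table screening: who may send through this peer
    allowed_commands: frozenset  # message discrimination by command code
    rate_per_sec: float          # configured sustained rate, messages per second
    burst: float                 # token bucket size, messages
    # (bucket fill fraction below which the level applies, lowest priority still forwarded)
    levels: tuple = ((0.5, 2), (0.25, 1), (0.1, 0))
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)
    level: int = field(init=False, default=0)
    alarms: list = field(init=False, default_factory=list)  # (time, old level, new level)

    def __post_init__(self):
        self.tokens = self.burst

    def _update_level(self, now):
        fraction = self.tokens / self.burst
        new = sum(1 for threshold, _ in self.levels if fraction < threshold)
        if new != self.level:                 # alarm on every level change
            self.alarms.append((now, self.level, new))
            self.level = new

    def handle(self, origin_realm, cmd_code, now):
        """Return ('forward', None), ('answer', 3004) or ('drop', reason)."""
        if origin_realm not in self.allowed_realms:
            return "drop", "origin realm not permitted on this peer"
        if cmd_code not in self.allowed_commands:
            return "drop", "command code not permitted on this peer"
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_per_sec)
        self.last = now
        self._update_level(now)
        if self.level and PRIORITY.get(cmd_code, 3) > self.levels[self.level - 1][1]:
            return "answer", DIAMETER_TOO_BUSY  # reply, so the peer does not just retry
        self.tokens = max(0.0, self.tokens - 1)
        self._update_level(now)
        return "forward", None

def simulate():
    """Constructed burst from one roaming partner; returns decisions and alarms."""
    peer = PeerPolicy(frozenset({"visited.example"}), frozenset({272, 280, 316, 318}), 10, 10)
    traffic = [("visited.example", 272, 0.0)] * 7 + [("visited.example", 316, 0.0)] * 3 + [
        ("visited.example", 280, 0.0), ("visited.example", 272, 1.0),
        ("attacker.example", 272, 1.0), ("visited.example", 317, 1.0)]
    return [peer.handle(*msg)[0] for msg in traffic], peer.alarms
```

In the simulated burst the bulk Credit-Control traffic is the first to be answered with DIAMETER_TOO_BUSY, the watchdog still gets through at the deepest congestion level, and the alarm list records each level transition with its timestamp.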

Encryption

TLS – Application to Application over TCP
DTLS – Application to Application over SCTP
IPSec – System to System
Specifications
– IETF RFC 6733*: DTLS/TLS
  – Disadvantage is that off-board Firewall can’t do it.
– DTLS over IPSec
– 3GPP 33.210-c20: NDS/IP, IPSec on Security Gateways
Caution: watch expiration times of public key certificates.

*RFC 6733 replaces 3588 and 5719

System and Network Redundancy

Five 9’s availability
Hardware reliability only as good as how the software uses it
Local redundancy and Geographical redundancy
Handling of failures of other Network Elements
– Network Design must include recovery scenarios
– Load-share vs Hot-standby
– Network Design must understand levels: network, system, card, and software

Domain Name Server

DNS
– No Security
DNSSEC / DNSSEC-bis
– Some security, but no confidentiality
– No DoS protection
DNS-Based Authentication of Named Entities (DANE)
– TLS, DTLS and other with DNSSEC
– RFC 6698
NSEC3
– Addition of protection from zone enumeration or walking
– Prevents retrieval of whole database
No DNS, or fixed use of internal and trusted DNS, is safer

Virtualization

Cloud Based
– DTLS and TLS work in application space
– IPSec is less common (system level)
– Redundancy Requirements may mean understanding the structure of the cloud
System Level
– Loosely coupled solutions: Databases, Routing
– Highly cohesive modules: Monitoring, OAM, Job Functionality

System Level Virtualization

Each function has its own database
Separation of Edge, Core, and IWF functionality
Benefits
– Similar security tools and infrastructure
– Allows for network design Containment
– Simplifies external firewall rules

IWF

Translation Function
– Interworking Function (IWF) between SS7 or RADIUS based and Diameter based Interfaces
– Could allow for propagation of problems from one network to another.
  – DoS
  – Fraudulent SMS
SS7
– GWS from and to application
Diameter / Radius
– Packet or Message inspection

STP / Diameter Router

Hosting both STP and Diameter Router Solutions within a Single Platform.
• Interworking Function
• Shared OAM facilities
• Staff training and Operational Simplification
• Capital Expense Reduction
• Bridging Technologies
• Legacy NGN Transparency

Conclusions

Diameter increases attack paths
Other issues are the same as SS7
Diameter is just another protocol, but requires similar operational infrastructure to SS7:
– Access control
– Monitoring
– Message control, discrimination, and routing

Diameter and SS7 Security Summary

Protection from: IP access, Traffic level, Data, Connectivity, Live upgrades
Across: Hardware, Software, Network, System, Operator, Operational Access, Availability, Error controls

• DTLS/TLS – Application Layer
• Switch Filter* – Packet Level
• Diameter Edge Agent / Network Gateways – Limit access to your network – Topology Hiding
• IP Sec* – System To System
• Firewall* – Linux IP Chains
• Multi IP Address
• Redundancy and Modularization – Software must support Hardware – Local and Geographic
• Data protection
• Flow Control and Congestion – Control storms at the source – Prioritization of Functions
• Destination – Explicit declaration vs DNS and dynamic discovery
• Table Screening – Roaming control – Who can send messages to whom
• Accounting, Statistics and Monitoring – Traffic levels as expected
• Access Control – RADIUS / PAM – Audit Logs – Password structure/Aging

* Packet Filtering, IPSec, and Firewall are often performed on an external router, before traffic reaches this network element.