Chuck Wesley James PT Focus Day
www.pt.com www.pt.com
Security Considerations for a
Diameter Signaling Network
Chuck Wesley-James
Director of Signaling Product Management
The proliferation of networks and their need to interconnect creates security and privacy concerns.
Signaling messages exchanged between networks carry a wealth of information:
- Subscriber data
- Roaming data
- Network topology
More numerous and higher-bandwidth interconnect facilities using Internet protocols create the need to:
- Ensure service level agreements between carriers
- Ensure and maintain security agreements and procedures
- Protect networks and revenue streams from fraudulent traffic, unwarranted signaling storms, and loss of business intelligence information
Designing Security into the Network
Lessons learned from IP networking and SS7
Security focus: attack vectors
- Overload and denial of service
- Redundancy
- Fraudulent network use
Today's focus
(ISC)2 = International Information Systems Security Certification Consortium
CISSP = Certified Information Systems Security Professional
Learning from SS7
Diameter network design is not equal to SS7. However, many of the problems are the same, and the solutions are similar and can use the same infrastructure.
SS7 was NOT safer:
- SIGTRAN is over IP
- Gateway screening is needed at SS7 network gateways
- Congested SS7 links
- Fraudulent SMS
- A network is only as secure as its last hop
Diameter is just a new protocol requiring the same care and treatment.
The SS7/Diameter IWF will be tightly coupled.
Not a New Problem
- Diameter is over IP
- SS7 SIGTRAN is over IP
- SS7 low-speed links (LSL) are not secure either
- System access issues
- System monitoring
Bad news / Good news
Bad: IP is well known, so there are many malicious ways to harm it.
Good: IP is well known, so there are many best practices and commercial solutions.
Bad: The IT department does not always understand telco operations.
Good: The IT department often knows IP network design and security.
Bad: Open source community: tools for attack.
Good: Open source community: tools for detection and prevention, and best practices.
Bad: Few restrictions on bandwidth mean DoS or proliferation of signaling storms (old SS7 was limited by low-speed links; SIGTRAN is not).
Good: Few restrictions on bandwidth mean operations simplification.
Bad: Ubiquitous IP access leads to mesh networks and more attack points.
Good: A core Diameter router solves mesh network issues and provides a central point to stop problems from propagating.
You should have many of these solutions in place on the SS7 network already.
Good News / Bad News: This is an IP network
Edge Agents
Diameter level: GSMA IR.88 calls for a Diameter Edge Agent (DEA). The DEA is considered the only point of contact into and out of an operator's network at the Diameter application level.
IP level: 3GPP TS 33.210 (NDS/IP, version c20) calls for a Security Gateway into the network, based on IPsec tunneling.
Signaling Network Access
IP access: packet filtering, IPsec, TLS/DTLS, firewalls
Traffic level controls: Diameter packets may be numerous and legitimate. In SS7 we had gateway screening; in Diameter we must have deep packet inspection, throttling and message discrimination.
Flow Control and Congestion
SS7:
- Expected traffic volumes were usually well understood
- Legacy SS7 was limited by the capacity of low-speed TDM links
- SIGTRAN SS7 is limited by configured bandwidth and congestion procedures
Diameter:
- Expected traffic volumes are less predictable
- Messages must be replied to, or else they will be retried (an overloaded node that silently drops requests only increases its own load)
- Needs bandwidth, congestion and throttling procedures on a per external peer or per connection basis
- Throttling or rejection based on message type
Controls: configurable flow control levels, configurable congestion levels, alarms based on the defined levels, and actions based on message priorities.
Encryption
DTLS/TLS:
- TLS: application to application, over TCP
- DTLS: application to application, over SCTP
- Specification: IETF RFC 6733*
- DTLS over IPsec is also possible
- Disadvantage: an off-board firewall cannot terminate or inspect it, because the session ends in the application
IPsec:
- System to system
- 3GPP TS 33.210 (NDS/IP, version c20): IPsec on Security Gateways
Caution: watch the expiration times of public key certificates.
*RFC 6733 replaces RFC 3588 and RFC 5719
System and Network Redundancy
Five 9s availability: hardware reliability is only as good as how the software uses it.
Local redundancy and geographical redundancy.
Handling of failures of other network elements: the network design must include recovery scenarios.
Load-share vs. hot-standby: the network design must understand the levels involved: network, system, card, and software.
Domain Name Server (DNS)
DNS: no security
DNSSEC / DNSSEC-bis: some security (origin authentication and integrity), but no confidentiality and no DoS protection
DANE (DNS-Based Authentication of Named Entities, RFC 6698): binds TLS, DTLS and other certificates to names using DNSSEC
NSEC3: adds protection from zone enumeration (zone walking); prevents retrieval of the whole database
Using no DNS, or a fixed set of internal and trusted DNS servers, is safer.
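The following is an added example, not code from the slides or from PT, showing what a Diameter node would have to do with a DANE TLSA answer before letting it vouch for a peer's TLS/DTLS certificate: decode the RFC 6698 RDATA, skip records with unknown usage/selector/matching-type values, match the association data against the right object in the presented chain, and use the record only when the DNS answer was DNSSEC-validated. The certificate and SubjectPublicKeyInfo byte strings in the demo are constructed stand-ins rather than real DER; in practice they come from the TLS handshake and the TLSA RDATA from a validating resolver.

```python
"""Added example, not from the slides: check DANE TLSA records (RFC 6698)
against the certificate chain a Diameter peer presented over TLS/DTLS.
The cert/SPKI byte strings used by callers here are constructed stand-ins."""
import hashlib
import hmac
import struct

# Certificate usages, selectors and matching types from RFC 6698 section 2.1
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def _digest(mtype: int, subject: bytes) -> bytes:
    """Association data for a subject (full cert or SPKI) under a matching type."""
    if mtype == MATCH_EXACT:
        return subject
    if mtype == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError("unknown matching type")


def tlsa_rdata(usage: int, selector: int, mtype: int, subject: bytes) -> bytes:
    """Encode TLSA RDATA: usage(1) selector(1) matching type(1) association data."""
    return struct.pack("!BBB", usage, selector, mtype) + _digest(mtype, subject)


def parse_tlsa(rdata: bytes):
    """Decode TLSA RDATA into (usage, selector, matching type, association data)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def dane_check(tlsa_records, chain, dnssec_validated: bool):
    """Return (matched, pkix_still_required).

    chain is a list of (cert_der, spki_der) tuples, leaf first.  Records are
    only consulted when the DNS answer was DNSSEC-validated (AD bit from a
    validating resolver): an unvalidated TLSA record is just spoofable DNS.
    Records with unknown usage/selector/matching type are unusable and skipped.
    """
    if not dnssec_validated or not chain:
        return False, True
    for rdata in tlsa_records:
        usage, selector, mtype, assoc = parse_tlsa(rdata)
        if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
            continue
        # EE usages bind the leaf certificate; TA usages bind an issuer in the chain
        candidates = chain[:1] if usage in (PKIX_EE, DANE_EE) else chain[1:]
        for cert_der, spki_der in candidates:
            subject = cert_der if selector == SEL_FULL_CERT else spki_der
            if hmac.compare_digest(_digest(mtype, subject), assoc):
                # usages 0 and 1 additionally require ordinary PKIX path validation
                return True, usage in (PKIX_TA, PKIX_EE)
    return False, True


if __name__ == "__main__":
    # Constructed stand-ins for DER blobs, not real certificates
    leaf = (b"constructed-leaf-cert", b"constructed-leaf-spki")
    ca = (b"constructed-ca-cert", b"constructed-ca-spki")
    record = tlsa_rdata(DANE_EE, SEL_SPKI, MATCH_SHA256, leaf[1])
    print(dane_check([record], [leaf, ca], dnssec_validated=True))
    print(dane_check([record], [leaf, ca], dnssec_validated=False))
```

The second return value is the caveat the slide's "some security" line implies: DANE-EE and DANE-TA records replace PKIX trust, but PKIX-EE and PKIX-TA records only constrain it, so the caller still has to run normal chain validation (and the certificate expiry check the deck warns about) for those usages.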
Virtualization
Cloud based: DTLS and TLS work in application space; IPsec is less common (system level)
Redundancy requirements may mean understanding the structure of the cloud
System level: loosely coupled solutions (databases, routing); highly cohesive modules (monitoring, OAM, job functionality)
System Level Virtualization
Each function has its own database
Separation of Edge, Core, and IWF functionality
Benefits: similar security tools and infrastructure; allows for containment in the network design; simplifies external firewall rules
IWF Translation Function
An Interworking Function (IWF) between SS7- or RADIUS-based and Diameter-based interfaces could allow problems to propagate from one network to the other: DoS, fraudulent SMS.
SS7 side: gateway screening (GWS) from and to the application
Diameter / RADIUS side: packet or message inspection
Bridging Technologies
Hosting both STP and Diameter router solutions within a single platform: STP / Diameter router, Interworking Function, shared OAM facilities
Staff training and operational simplification
Capital expense reduction
Legacy / NGN transparency
Conclusions
Diameter increases attack paths
Other issues are the same as SS7
Diameter is just another protocol, but it requires operational infrastructure similar to SS7's: access control, monitoring, and message control, discrimination, and routing
Diameter and SS7 Security Summary
Network Access
- IP access*: switch filter (packet level), IPsec (system to system), firewall (Linux IP chains), multiple IP addresses
- Traffic level controls
System Availability
- Hardware, software, data, connectivity: redundancy and modularization (software must support the hardware), data protection, local and geographic
- Operational: protection from operator error, live upgrades
Application Layer
- DTLS/TLS
- Diameter Edge Agent / network gateways: limit access to your network; topology hiding
- Flow control and congestion: control storms at the source; prioritization of functions
- Destination: explicit declaration vs. DNS and dynamic discovery
- Table screening: roaming control; who can send messages to whom
- Accounting, statistics and monitoring: traffic levels as expected
- Access control: RADIUS / PAM; audit logs; password structure/aging
* Packet filtering, IPsec, and firewall are often performed on an external router, before traffic reaches this network element.
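As an added example that is not code from the slides or from PT, the block below implements the two application-layer controls the deck keeps returning to: the flow-control and congestion slide (per-peer throttling with actions based on message priorities) and the summary's table screening and explicit destination declaration (who can send messages to whom, with peers declared rather than discovered through DNS). It parses the RFC 6733 header and the Origin-Host, Origin-Realm and Destination-Realm AVPs, rejects anything from an undeclared peer or outside a declared route, and, as the peer's token bucket drains, sheds lower-priority commands first while never throttling the peer-maintenance messages. The peer names, realms, rates, congestion thresholds and the priority table are assumptions made for illustration; the command codes, AVP codes and result codes are the standard ones.

```python
"""Added example, not from the slides: a small DEA policy engine that screens
inbound Diameter requests against a declared peer/realm table and throttles
per peer with priority-aware shedding.  Peer names, realms, rates and the
PRIORITY table are assumed for illustration."""
import struct
import time
from collections import defaultdict

HDR_LEN = 20                                          # RFC 6733 header size
AVP_ORIGIN_HOST, AVP_ORIGIN_REALM, AVP_DEST_REALM = 264, 296, 283
DIAMETER_UNABLE_TO_DELIVER, DIAMETER_TOO_BUSY = 3002, 3004
# Assumed shedding priorities by command code (3 = never shed)
PRIORITY = {257: 3, 280: 3, 282: 3,   # CER, DWR, DPR keep the peer connection alive
            316: 2, 318: 2, 317: 2,   # S6a Update-Location, Authentication-Info, Cancel-Location
            272: 1,                   # Credit-Control (Gx/Gy)
            323: 0}                   # Notify


def avp(code, data, flags=0x40):
    """Encode one AVP with the M bit set and pad it to a 4-byte boundary."""
    body = struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big") + data
    return body + b"\0" * (-len(body) % 4)


def request(code, app_id, origin_host, origin_realm, dest_realm, hbh=1, e2e=1):
    """Build a minimal Diameter request (R bit set) carrying the screened AVPs."""
    body = (avp(AVP_ORIGIN_HOST, origin_host.encode()) + avp(AVP_ORIGIN_REALM, origin_realm.encode())
            + avp(AVP_DEST_REALM, dest_realm.encode()))
    hdr = (bytes([1]) + (HDR_LEN + len(body)).to_bytes(3, "big") + bytes([0x80])
           + code.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e))
    return hdr + body


def parse(msg):
    """Return (command_code, app_id, is_request, {avp_code: data}); reject bad lengths."""
    if len(msg) < HDR_LEN or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(msg[1:4], "big")
    if length != len(msg) or length % 4:
        raise ValueError("bad message length")
    code = int.from_bytes(msg[5:8], "big")
    app_id = int.from_bytes(msg[8:12], "big")
    avps, off = {}, HDR_LEN
    while off < length:
        if length - off < 8:
            raise ValueError("truncated AVP header")
        avp_code = int.from_bytes(msg[off:off + 4], "big")
        avp_len = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if msg[off + 4] & 0x80 else 8        # V bit: 4-byte Vendor-Id follows
        if avp_len < hdr or off + avp_len > length:
            raise ValueError("bad AVP length")
        avps[avp_code] = msg[off + hdr:off + avp_len]
        off += (avp_len + 3) & ~3                      # AVPs are padded to 4 bytes
    return code, app_id, bool(msg[4] & 0x80), avps


class EdgeAgent:
    def __init__(self, peers, routes, rate, burst):
        self.peers = peers      # Origin-Host -> realms that host may claim (declared, not discovered)
        self.routes = routes    # (Origin-Realm, Destination-Realm, app_id) -> allowed
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))   # per-peer token bucket
        self.last = {}

    def congestion_level(self, peer, now):
        """Refill the peer's bucket and map its fill level to a congestion level 0..2."""
        t = min(self.burst, self.tokens[peer] + (now - self.last.get(peer, now)) * self.rate)
        self.tokens[peer], self.last[peer] = t, now
        return 0 if t >= 0.5 * self.burst else 1 if t >= 0.2 * self.burst else 2

    def decide(self, msg, now=None):
        """Return ('forward', None) or ('reject', result_code) for one inbound message."""
        now = time.monotonic() if now is None else now
        code, app_id, is_request, avps = parse(msg)
        host = avps.get(AVP_ORIGIN_HOST, b"").decode("ascii", "replace")
        realm = avps.get(AVP_ORIGIN_REALM, b"").decode("ascii", "replace")
        dest = avps.get(AVP_DEST_REALM, b"").decode("ascii", "replace")
        if realm not in self.peers.get(host, ()):
            return "reject", DIAMETER_UNABLE_TO_DELIVER   # unknown peer, or a realm it may not claim
        # base-protocol (app 0) messages such as DWR are hop-by-hop and carry no route to screen
        if is_request and app_id != 0 and not self.routes.get((realm, dest, app_id), False):
            return "reject", DIAMETER_UNABLE_TO_DELIVER   # no agreement covers this route/application
        priority = PRIORITY.get(code, 0)
        level = self.congestion_level(host, now)
        if priority >= 3:
            return "forward", None                        # peer maintenance is never throttled
        if self.tokens[host] < 1 or priority < level:     # level 1 sheds prio 0, level 2 sheds prio 0-1
            return "reject", DIAMETER_TOO_BUSY
        self.tokens[host] -= 1
        return "forward", None
```

Rejecting with DIAMETER_TOO_BUSY rather than dropping is deliberate: the flow-control slide notes that unanswered requests are retried, so a silent drop at the edge would turn a storm into a bigger one, whereas an answer lets the sending peer back off.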