Signalling threats: SS7 and beyond – part three

The last in our short series of blogs based on our Signalling Threats; SS7 and Beyond white paper, this last entry takes a look at what countermeasures can be put into place to protect networks against threats, and draws conclusions.

There is no doubt that operators need to take steps towards increased security to protect their network, their subscribers, their reputation and the overall trust in mobile services. Many operators have already started exploring the available solutions on the market, and started the deployment of sophisticated and stateful firewalls.

Since 2014, signalling firewalls have become more commonplace, they come in a variety of different flavours and with varying feature sets. Some are limited feature packs that add onto existing infrastructure; some are deployed transparently and essentially act as part of the wire. Others are deployed according to the standards outlined in the signalling protocols. There are 3 main classes of signalling security countermeasures available:

1. Rudimentary protection based on a stateless solution. This solution is usually integrated into a routing node. In most cases, this must be complemented by configuration on multiple other nodes to provide some degree of protection against the more sophisticated attacker.
2. Signalling protection based on a stateful solution. Most demonstrated attacks can be mitigated by this category of countermeasure. This type of solution can protect against the attacks defined by the GSMA, and should in most cases be able to provide good protection against signalling based attacks.
3. Comprehensive protection based on a stateful analysis, as well as analysis on encoding of packets at multiple protocol layers. This solution provides the same level of protection against signalling based attacks as point 2 above, but also adds protection against sophisticated attacks using malformed packets.

So, what are the important aspects an MNO should consider when defining a strategy for countermeasures? Are there major advantages to justify investment in a separate firewall solution rather than utilising existing nodes? Many STPs do offer rudimentary opcode or GT screening, and this can provide some degree of protection. Most experts agree however, that existing infrastructure will not provide a maintainable set of countermeasures in the long-term, and that dedicated firewalling technology or at least consolidation of required rules is the more viable solution. Centralising the majority of security settings and monitoring for a given technology is a lot more efficient than keeping it spread across many network elements. When dealing with fine-grained rules that may come down to individual GTs such a solution is almost always necessary.

Keeping track of rate limits, filtering rules and exceptions in multiple places is a recipe for failure, so therefore a certain level of consolidation is beneficial, and will eventually be necessary to keep the signalling security countermeasures updated, and the network secure. Being able to create abstractions such as logical containers of operator groups, exceptions or circumstances, and then applying multi-tiered rule sets across a set of roaming partners or regions makes a lot of sense. As attacks become more sophisticated and resources remain scarce, it becomes ever more important to be able to adapt the filtering rules in a practical and manageable way.

The deployment of a dedicated signalling firewall node may also be justified by the fact that within a mobile network every single node is developed for a reason. An MSC/MME is designed to host subscribers, an HLR/HSS is designed to host subscriber data, and an STP is designed to route traffic. They are all built to do this efficiently. To ask any of these machines to suddenly become a stateful DPI node could introduce a slew of problems. If you ask a machine designed for a single purpose to suddenly perform a completely different action, it’s fair to argue that it will not remain as effective in its original capacity.

In the end, the procurement of a signalling firewall is a business decision. As such it will be affected by existing infrastructure, relations with vendors, and the risk assessment that ideally precedes the acquisition.

In closing, it should be highlighted that this series of blogs, or the white paper they are based on is not intended to be alarmist. Signalling systems are working as they were originally intended. They provide remarkable service, and as opposed to fraud, network critical incidents that occur are for the most part rare, limited in scale and contained. It is true that SS7 has been seen as flawed in terms of security and that these issues continue to trouble us today. However, the networks are still running, and given all the circumstances they are running very well. We still have time to meet the signalling security challenges, and build a layer of protection into our legacy networks. We still have time to work on enhancing the LTE networks and provide a more secure exchange network. The learnings we take with us from SS7 and LTE can be used when shaping the secure 5G networks of tomorrow. We just need to be willing to act on the problems that exist today.

Originally posted on www.symsoft.com, find out more about Symsoft’s rebrand to Sinch in the press release here.