
Security Considerations for a Diameter Signaling Network

Chuck Wesley-James
Director of Signaling Product Management

www.pt.com

The proliferation of networks and their need to interconnect creates security and privacy concerns.

Signaling messages exchanged between networks carry a wealth of information:
- Subscriber
- Roaming
- Network topology

More numerous and higher-bandwidth interconnect facilities utilizing Internet Protocols create the need to:
- Ensure service level agreements between carriers
- Ensure and maintain security agreements and procedures
- Protect networks and revenue streams from:
  - Fraudulent traffic
  - Unwarranted signaling storms
  - Loss of business intelligence information

Today's Focus

Designing security into the network
- Lessons learned from:
  - IP networking
  - SS7

Security focus:
- Attack vectors
- Overload and Denial of Service
- Redundancy
- Fraudulent network use

(ISC)2 = International Information Systems Security Certification Consortium
CISSP = Certified Information Systems Security Professional

Learning from SS7

Diameter network design is not equal to SS7. However:
- Many of the problems are the same
- Solutions are similar and can use the same infrastructure

SS7: Sigtran is over IP
Diameter: Diameter is over IP

SS7 was NOT safer

Not a new problem:
- SS7 LSL (low speed links) are not secure
- System access issues
- System monitoring

- Sigtran is over IP
- Gateway Screening needed at SS7 network gateways
- Congested SS7 links
- Fraudulent SMS
- Only as secure as the last hop

Diameter is just a new protocol requiring the same care and treatment.
The SS7/Diameter IWF will be tightly coupled.

Good News / Bad News: This is an IP network

Bad News:
- IP is well known, so there are many malicious ways to harm it.
- The IT department does not always understand Telco operations.
- Open Source community: tools for attack
- Few restrictions on bandwidth mean: DoS or proliferation of signaling storms (old SS7 was limited by LSL, not SIGTRAN)
- Ubiquitous IP access leads to: mesh networks, more attack points

Good News:
- IP is well known, so there are many best practices and solutions, including commercial solutions.
- The IT department often knows IP network design and security.
- Open Source community: tools for detection and prevention, best practices
- Few restrictions on bandwidth mean: operations simplification
- A core Diameter router solves mesh network issues and provides a central point to stop problems from propagating.

You should have many of these solutions in place on the SS7 network already.

Edge Agents

Diameter level:
- GSMA calls for a Diameter Edge Agent (DEA)
- The DEA is considered the only point of contact into and out of an operator's network at the Diameter application level
- GSMA IR.88

IP level:
- 3GPP calls for an NDS/IP Security Gateway into the network
- Based on IPSec (tunneling)
- 3GPP 33.210-c20

Signaling Network Access

IP access:
- Packet filtering
- IPSec
- TLS/DTLS
- Firewalls

Traffic level controls:
- Diameter packets may be numerous and legitimate
- In SS7 we had Gateway Screening
- In Diameter we must have deep packet inspection
- Throttling
- Message discrimination

Flow Control and Congestion

SS7:
- Expected traffic volumes were usually well understood
- Legacy SS7 limited by the capacity of low speed TDM links
- Sigtran SS7 limited by configured bandwidth and congestion procedures

Diameter:
- Expected traffic volumes are less predictable
- Messages must be replied to, or else they will be retried
- Needs bandwidth, congestion and throttling procedures on a per external peer or connection basis
- Throttling or rejection based on message type

Configurable flow control levels; configurable congestion levels; alarms based on defined levels; actions based on message priorities.
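The per-peer throttling, congestion levels, alarms and priority-based actions listed on this slide, as an added, constructed example that is not the presentation's or any product's code. It assumes a token bucket per explicitly declared peer, three congestion levels derived from how depleted the bucket is, an alarm on every level change, and a priority table keyed by command code. The thresholds and the priority table are an assumed local policy; the command codes (318 AIR, 316 ULR, 272 CCR, 271 ACR) and Result-Code values (2001, 3004, 3010) are the real 3GPP / RFC 6733 numbers. Because an unanswered request is retried, a shed request is answered with DIAMETER_TOO_BUSY rather than dropped.

```python
"""Per-peer Diameter request throttling with congestion levels.

Constructed example (not the presentation's or any product's code):
a token bucket per external peer, a congestion level derived from
bucket depletion, an alarm whenever the level changes, and
priority-based shedding.  Shed requests are answered with
DIAMETER_TOO_BUSY (3004, RFC 6733) rather than silently dropped,
because an unanswered request is retransmitted and feeds the storm.
"""
from dataclasses import dataclass, field

DIAMETER_SUCCESS = 2001          # RFC 6733 result codes
DIAMETER_TOO_BUSY = 3004
DIAMETER_UNKNOWN_PEER = 3010

# Priority by command code (assumed local policy; lower = more important).
# 318 AIR and 316 ULR are 3GPP S6a, 272 CCR is RFC 4006, 271 ACR is RFC 6733.
PRIORITY = {318: 0, 316: 0, 272: 1, 271: 2}
DEFAULT_PRIORITY = 2

# Congestion level -> highest priority value still admitted (assumed policy).
# Level 0 admits everything, level 1 sheds accounting, level 2 keeps only
# authentication and location updates.
MAX_PRIORITY_AT_LEVEL = {0: 2, 1: 1, 2: 0}


@dataclass
class PeerLimiter:
    peer: str
    rate: float                 # sustained requests per second from this peer
    burst: int                  # bucket capacity = short burst tolerance
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)
    level: int = field(init=False, default=0)
    alarms: list = field(default_factory=list)   # (time, peer, old, new)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now

    def _congestion_level(self):
        fill = self.tokens / self.burst
        return 0 if fill > 0.5 else 1 if fill > 0.2 else 2

    def admit(self, command_code, now):
        """Return the Result-Code to answer with; only 2001 means 'forward it'."""
        self._refill(now)
        level = self._congestion_level()
        if level != self.level:                  # alarm on every level change
            self.alarms.append((now, self.peer, self.level, level))
            self.level = level
        prio = PRIORITY.get(command_code, DEFAULT_PRIORITY)
        if prio > MAX_PRIORITY_AT_LEVEL[level] or self.tokens < 1:
            return DIAMETER_TOO_BUSY
        self.tokens -= 1
        return DIAMETER_SUCCESS


class Router:
    """One limiter per explicitly declared peer; undeclared peers get none."""

    def __init__(self):
        self.peers = {}

    def declare_peer(self, peer, rate, burst):
        self.peers[peer] = PeerLimiter(peer, rate, burst)

    def handle(self, peer, command_code, now):
        limiter = self.peers.get(peer)
        if limiter is None:
            return DIAMETER_UNKNOWN_PEER
        return limiter.admit(command_code, now)

    def alarms(self):
        return [a for lim in self.peers.values() for a in lim.alarms]


def build_router():
    router = Router()
    router.declare_peer("hss.partner.example", rate=10.0, burst=10)   # constructed peer
    return router


def run_storm(router=None):
    """Replay a constructed burst: 6 ACR, 4 CCR, 3 AIR at t=0, then 1 AIR at t=1s."""
    router = router or build_router()
    peer = "hss.partner.example"
    burst = [(271, 0.0)] * 6 + [(272, 0.0)] * 4 + [(318, 0.0)] * 3 + [(318, 1.0)]
    results = [router.handle(peer, code, t) for code, t in burst]
    return {"results": results, "alarms": router.alarms()}


if __name__ == "__main__":
    out = run_storm()
    print(out["results"])
    print(out["alarms"])
```

In the replayed burst the sixth accounting request is the first one shed (the bucket drops to the level-1 threshold), credit control is shed once level 2 is reached, authentication requests are still admitted until the bucket is empty, and one second later the refill clears the alarm. The time is passed in explicitly so the behaviour is deterministic and testable; a production agent would read a monotonic clock.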

Encryption

- TLS: application to application over TCP
- DTLS: application to application over SCTP
- IPSec: system to system

Specifications:
- IETF RFC 6733*: DTLS over IPSec; the disadvantage is that an off-board firewall can't do it.
- 3GPP 33.210-c20: NDS/IP, IPSec on Security Gateways

Caution: watch expiration times of public key certificates.

*RFC 6733 replaces RFC 3588 and RFC 5719

System and Network Redundancy

- Five 9s availability
- Hardware reliability is only as good as how the software uses it
- Local redundancy and geographical redundancy
- Handling of failures of other network elements
- Network design must include recovery scenarios
- Load-share vs hot-standby
- Network design must understand the levels: network, system, card, and software

Domain Name Server

DNS:
- No security

DNSSEC / DNSSEC-bis:
- Some security, but no confidentiality
- No DoS protection

DNS-Based Authentication of Named Entities (DANE):
- TLS, DTLS and others with DNSSEC
- RFC 6698

NSEC3:
- Adds protection from zone enumeration or walking
- Prevents retrieval of the whole database

No DNS, or fixed use of internal and trusted DNS, is safer.
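How a DANE TLSA record (RFC 6698) is matched against the certificate a peer presents, and why a TLSA answer that was not DNSSEC-validated must be ignored, as an added example that is not from the presentation or any vendor product. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins for DER (a real edge agent takes them from the TLS/DTLS handshake); the owner name and host names are assumed, except that 3868 is the IANA-registered Diameter port. Only the end-entity usages (1 = PKIX-EE, 3 = DANE-EE) are handled.

```python
"""Matching a DANE TLSA record (RFC 6698) against a Diameter peer's certificate.

Added example, not from the presentation or any vendor product.  The
certificate and its SubjectPublicKeyInfo (SPKI) are constructed byte strings
standing in for DER; a real edge agent would take them from the TLS/DTLS
handshake.  Only the end-entity usages (1 = PKIX-EE, 3 = DANE-EE) are
handled; the trust-anchor usages need chain walking that is omitted here.
"""
import hashlib

USAGE_PKIX_EE, USAGE_DANE_EE = 1, 3               # RFC 6698 certificate usages
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1          # what the data refers to
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed stand-ins for DER-encoded blobs.
PEER_CERT_DER = b"CONSTRUCTED-DER-CERT:dea.partner.example:serial=42"
PEER_SPKI_DER = b"CONSTRUCTED-DER-SPKI:dea.partner.example:key-1"


def parse_tlsa(rr_text):
    """Parse a presentation-format TLSA RR into (usage, selector, mtype, data)."""
    fields = rr_text.split()
    try:
        i = [f.upper() for f in fields].index("TLSA")
    except ValueError:
        raise ValueError("not a TLSA RR") from None
    usage, selector, mtype = (int(f) for f in fields[i + 1:i + 4])
    data = bytes.fromhex("".join(fields[i + 4:]))   # hex may be split into words
    return usage, selector, mtype, data


def association_data(cert_der, spki_der, selector, mtype):
    """Compute the Certificate Association Data for a certificate."""
    subject = {SELECTOR_FULL_CERT: cert_der, SELECTOR_SPKI: spki_der}[selector]
    if mtype == MATCH_EXACT:
        return subject
    if mtype == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError("unknown matching type")


def build_tlsa_rr(owner, usage, selector, mtype, cert_der, spki_der):
    """The RR an operator publishes (under DNSSEC) for its edge agent."""
    data = association_data(cert_der, spki_der, selector, mtype)
    return f"{owner} IN TLSA {usage} {selector} {mtype} {data.hex()}"


def dane_verify(rr_text, cert_der, spki_der, dnssec_validated, pkix_valid=False):
    """Return (accepted, reason) for the certificate the peer presented."""
    if not dnssec_validated:
        # Without DNSSEC the TLSA answer proves nothing and must be treated
        # as absent (RFC 7671): fall back to whatever PKIX validation said.
        return pkix_valid, "TLSA not DNSSEC-validated: ignored"
    usage, selector, mtype, data = parse_tlsa(rr_text)
    if usage not in (USAGE_PKIX_EE, USAGE_DANE_EE):
        return False, "trust-anchor usage not handled here"
    if association_data(cert_der, spki_der, selector, mtype) != data:
        return False, "certificate does not match TLSA data"
    if usage == USAGE_PKIX_EE and not pkix_valid:
        return False, "PKIX-EE also requires a valid PKIX chain"
    return True, "match"


def demo():
    # Owner name: 3868 is the IANA-registered Diameter port; the rest is constructed.
    rr = build_tlsa_rr("_3868._tcp.dea.partner.example.", USAGE_DANE_EE,
                       SELECTOR_SPKI, MATCH_SHA256, PEER_CERT_DER, PEER_SPKI_DER)
    return {
        "good": dane_verify(rr, PEER_CERT_DER, PEER_SPKI_DER, dnssec_validated=True),
        # same certificate bytes but a different key: must fail
        "rekeyed": dane_verify(rr, PEER_CERT_DER, b"CONSTRUCTED-DER-SPKI:other",
                               dnssec_validated=True),
        # answer came from a resolver that did not validate: record is ignored
        "unsigned": dane_verify(rr, PEER_CERT_DER, PEER_SPKI_DER, dnssec_validated=False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The dnssec_validated flag is the whole point of the slide's "some security, but no confidentiality" and "no DNS or internal trusted DNS is safer" remarks: the record only pins the peer's key if the resolver actually validated the chain, so an edge agent that resolves partner names through an unvalidated resolver gains nothing from publishing TLSA records.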

Virtualization

Cloud based:
- DTLS and TLS work in application space
- IPSec is less common (system level)
- Redundancy requirements may mean understanding the structure of the cloud

System level:
- Loosely coupled solutions: databases, routing
- Highly cohesive modules: monitoring, OAM, job functionality

System Level Virtualization

- Each function has its own database
- Separation of Edge, Core, and IWF functionality

Benefits:
- Similar security tools and infrastructure
- Allows for network design containment
- Simplifies external firewall rules

IWF Translation Function

An Interworking Function (IWF) between SS7 or RADIUS based and Diameter based interfaces could allow for propagation of problems from one network to another:
- DoS
- Fraudulent SMS

SS7: GWS (gateway screening) from and to the application
Diameter / RADIUS: packet or message inspection

STP / Diameter Router

Hosting both STP and Diameter Router solutions within a single platform:
- Interworking Function
- Shared OAM facilities
- Staff training and operational simplification
- Capital expense reduction
- Bridging technologies
- Legacy NGN transparency

Conclusions

- Diameter increases attack paths
- Other issues are the same as SS7
- Diameter is just another protocol, but it requires operational infrastructure similar to SS7:
  - Access control
  - Monitoring
  - Message control, discrimination, and routing

Diameter and SS7 Security Summary

Network Access:
- IP access
  - Switch filter*: packet level
  - IPSec*: system to system
  - Firewall*: Linux IP chains, multiple IP addresses
- Traffic level controls
  - DTLS/TLS: application layer
  - Diameter Edge Agent / network gateways: limit access to your network; topology hiding
  - Flow control and congestion: control storms at the source; prioritization of functions
  - Destination: explicit declaration vs DNS and dynamic discovery
  - Table screening: roaming control; who can send messages to whom
  - Accounting, statistics and monitoring: traffic levels as expected

System Availability:
- Hardware, software, data, connectivity
- Redundancy and modularization
  - Software must support hardware
  - Data protection
  - Local and geographic
- Operational
  - Protection from operator error
  - Live upgrades

Access Control:
- RADIUS / PAM
- Audit logs
- Password structure/aging

*Packet filtering, IPSec, and firewall are often performed on an external router, before traffic reaches this network element.
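The Diameter Edge Agent role from the Edge Agents slide (the only point of contact into and out of the operator's network) together with this summary's table screening ("who can send messages to whom"), explicit peer declaration instead of dynamic discovery, and topology hiding, as one added, constructed example that is not the presentation's, GSMA's, or any product's code. Messages are plain dicts of AVP name to value. The application ids (S6a, Cx, Gx), the command codes and the Result-Code values are the real 3GPP / RFC 6733 numbers; the realms, host names and the screening policy itself are assumed.

```python
"""Diameter Edge Agent screening table and topology hiding.

Added, constructed example (not the presentation's or any product's code).
Messages are plain dicts of AVP name -> value.  Application ids and
Result-Code values are the real 3GPP / RFC 6733 numbers; realms, host
names and the policy itself are assumed.
"""
from dataclasses import dataclass

S6A, CX, GX = 16777251, 16777216, 16777238     # 3GPP application ids
DIAMETER_REALM_NOT_SERVED = 3003
DIAMETER_APPLICATION_UNSUPPORTED = 3007
DIAMETER_UNKNOWN_PEER = 3010
DIAMETER_AUTHORIZATION_REJECTED = 5003

OUR_REALM = "home.example"                      # constructed
DEA_PUBLIC_HOST = "dea.home.example"            # the only host name partners see
INTERNAL_SUFFIX = ".core.home.example"          # names that must never leave


@dataclass(frozen=True)
class PeerPolicy:
    realm: str                # Origin-Realm this transport peer may claim
    applications: frozenset   # application ids this partner may send


# Screening table: only explicitly declared peers, no dynamic discovery.
SCREENING = {
    "dea.partner-a.example": PeerPolicy("partner-a.example", frozenset({S6A})),
    "dea.partner-b.example": PeerPolicy("partner-b.example", frozenset({S6A, CX})),
}


def is_internal(host):
    return host is not None and host.endswith(INTERNAL_SUFFIX)


def screen_inbound(peer_host, msg):
    """Return None if the request may enter, else the Result-Code to answer with."""
    policy = SCREENING.get(peer_host)
    if policy is None:
        return DIAMETER_UNKNOWN_PEER               # not in the table, not a peer
    if msg.get("Origin-Realm") != policy.realm:
        return DIAMETER_AUTHORIZATION_REJECTED     # realm does not belong to this link
    if msg.get("Application-Id") not in policy.applications:
        return DIAMETER_APPLICATION_UNSUPPORTED    # e.g. Gx from a roaming partner
    if msg.get("Destination-Realm") != OUR_REALM:
        return DIAMETER_REALM_NOT_SERVED           # we do not transit for others
    dest = msg.get("Destination-Host")
    if dest is not None and dest != DEA_PUBLIC_HOST:
        return DIAMETER_AUTHORIZATION_REJECTED     # internal hosts are not addressable
    return None


def hide_topology(msg):
    """Rewrite an outbound message so that no internal host name leaves the network."""
    out = dict(msg)
    if is_internal(out.get("Origin-Host")):
        out["Origin-Host"] = DEA_PUBLIC_HOST
    if "Route-Record" in out:
        out["Route-Record"] = [h for h in out["Route-Record"] if not is_internal(h)]
    return out


def demo():
    # Constructed S6a Update-Location-Request (316) from partner A's MME.
    ulr = {"Origin-Host": "mme1.partner-a.example", "Origin-Realm": "partner-a.example",
           "Destination-Realm": OUR_REALM, "Application-Id": S6A, "Command-Code": 316}
    cases = {
        "ok": ("dea.partner-a.example", ulr),
        "undeclared": ("dea.nobody.example", ulr),
        "wrong_realm": ("dea.partner-a.example", {**ulr, "Origin-Realm": "partner-b.example"}),
        "wrong_app": ("dea.partner-a.example", {**ulr, "Application-Id": GX}),
        "transit": ("dea.partner-a.example", {**ulr, "Destination-Realm": "third.example"}),
        "internal_host": ("dea.partner-a.example",
                          {**ulr, "Destination-Host": "hss1" + INTERNAL_SUFFIX}),
    }
    verdicts = {name: screen_inbound(peer, m) for name, (peer, m) in cases.items()}
    # Constructed outbound Cancel-Location-Request (317) from our HSS to the partner.
    clr = {"Origin-Host": "hss1" + INTERNAL_SUFFIX, "Origin-Realm": OUR_REALM,
           "Destination-Realm": "partner-a.example", "Command-Code": 317,
           "Route-Record": ["hss1" + INTERNAL_SUFFIX, DEA_PUBLIC_HOST]}
    return verdicts, hide_topology(clr)


if __name__ == "__main__":
    print(demo())
```

Each rejected case is answered with a specific Result-Code so the partner's retry logic stops rather than retransmitting; the accepted case returns None and is forwarded. The screening table is keyed by the transport peer, not by what the message claims about itself, which is what makes the Origin-Realm check meaningful.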

