Chuck Wesley-James
Director of Signaling Product Management
www.pt.com
Today's Focus
Designing Security into the Network
Lessons learned from IP networking and SS7
Security focus:
Attack vectors
Overload and denial of service
Redundancy
Fraudulent network use
(ISC)2 = International Information Systems Security Certification Consortium
CISSP = Certified Information Systems Security Professional
SS7: Sigtran carries SS7 over IP
Diameter runs over IP
SS7 LSL (low-speed links) are not secure
Not a new problem
System access issues
System monitoring
Good news
Edge Agents
Diameter level
GSMA calls for a Diameter Edge Agent (DEA)
The DEA is considered the only point of contact into and out of an operator's network at the Diameter application level
GSMA IR.88
IP level
3GPP calls for an NDS/IP Security Gateway (SEG) at the border of the network
Based on IPsec (tunnel mode)
3GPP 33.210-c20
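The screening a DEA performs as the single point of contact, as an added example written for this page (it is not PT product code and not text from GSMA IR.88). The peer table, realm and host names, the IMSI prefix and the "transit refused" policy are constructed assumptions; the 3GPP application ids (S6a/S6d 16777251, Cx 16777216) and command code 316 (Update-Location-Request) are real. Peers are declared explicitly rather than discovered via DNS, each peer may only claim its own realm and applications, internal hosts are never addressable from outside, and outbound messages have their Origin-Host rewritten to the DEA (topology hiding).

```python
"""Screening at a Diameter Edge Agent (added example; not PT code, not GSMA text).
Peer table, names, IMSI prefixes and policy below are constructed assumptions."""
from dataclasses import dataclass, replace

S6A, CX = 16777251, 16777216          # 3GPP S6a/S6d and Cx application ids
# Constructed table of explicitly declared peers (no DNS discovery):
# transport peer -> realms it may claim and applications it may use.
PEERS = {
    "dea1.partner-a.example": {"realms": {"partner-a.example"}, "apps": {S6A, CX}},
    "dea1.partner-b.example": {"realms": {"partner-b.example"}, "apps": {S6A}},
}
HOME_REALM = "home.example"
DEA_HOST = "dea.home.example"                                  # the only host peers see
HOME_HOSTS = {"hss1.home.example", "hss2.home.example"}       # hidden behind the DEA
HOME_IMSI_PREFIXES = {"00101"}        # constructed MCC+MNC of our own subscribers


@dataclass(frozen=True)
class Msg:
    peer: str            # connection the message arrived on / leaves by
    command: int         # e.g. 316 = Update-Location-Request
    app_id: int
    origin_host: str
    origin_realm: str
    dest_realm: str
    dest_host: str = ""
    user_name: str = ""  # IMSI in S6a


def screen_inbound(m: Msg):
    """Return (accept, reason) for a request arriving from an external peer."""
    p = PEERS.get(m.peer)
    if p is None:
        return False, "peer not declared"
    if m.origin_realm not in p["realms"]:
        return False, "Origin-Realm not permitted on this peer"
    if m.app_id not in p["apps"]:
        return False, "application not permitted for this realm"
    if m.dest_realm != HOME_REALM:
        return False, "not addressed to the home realm (transit refused)"
    if m.dest_host and m.dest_host != DEA_HOST:
        return False, "internal host addressed directly"
    if m.user_name and not any(m.user_name.startswith(x) for x in HOME_IMSI_PREFIXES):
        return False, "IMSI is not a home subscriber"
    return True, "ok"


def hide_topology(m: Msg) -> Msg:
    """Outbound: every internal host appears to the peer as the DEA itself."""
    if m.origin_host in HOME_HOSTS:
        return replace(m, origin_host=DEA_HOST)
    return m


def demo():
    """Constructed inbound cases: one legitimate ULR and six that must be refused."""
    base = dict(peer="dea1.partner-a.example", command=316, app_id=S6A,
                origin_host="mme1.partner-a.example", origin_realm="partner-a.example",
                dest_realm=HOME_REALM, user_name="001011234567890")
    cases = {
        "legit ULR": Msg(**base),
        "undeclared peer": Msg(**{**base, "peer": "dea9.unknown.example"}),
        "realm spoof": Msg(**{**base, "origin_realm": "partner-b.example"}),
        "Cx from partner-b": Msg(**{**base, "peer": "dea1.partner-b.example",
                                    "origin_realm": "partner-b.example", "app_id": CX}),
        "transit attempt": Msg(**{**base, "dest_realm": "other.example"}),
        "direct to HSS": Msg(**{**base, "dest_host": "hss1.home.example"}),
        "foreign IMSI": Msg(**{**base, "user_name": "310150123456789"}),
    }
    return {name: screen_inbound(m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
    print(hide_topology(Msg("dea1.partner-a.example", 316, S6A, "hss1.home.example",
                            HOME_REALM, "partner-a.example")).origin_host)
```

Each refusal is a distinct, auditable reason so that the DEA's log shows which rule fired; the realm check is tied to the transport peer (not just to the AVP contents), which is what stops one roaming partner from claiming another partner's realm.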
Packet Filtering
IPSec
TLS/DTLS
Firewalls
Throttling
Message Discrimination
Diameter
Expected traffic volumes are less predictable
Messages must be replied to, or else they will be retried
Needs bandwidth, congestion and throttling procedures on a per external peer or connection basis
Throttling or rejection based on message type
Configurable flow control levels
Configurable congestion levels
Alarms based on defined levels
Actions based on message priorities
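A per-peer flow control with configurable congestion levels, level-change alarms and priority-based actions, as an added example written for this page (it is not PT code). The thresholds, priorities, token-bucket rate and the blocked command code are constructed assumptions; the result codes are the real RFC 6733 values. The point the slides make about retries is built in: a request that is not admitted gets an explicit error answer (DIAMETER_TOO_BUSY or DIAMETER_COMMAND_UNSUPPORTED) instead of being silently dropped, which would only make the peer resend it.

```python
"""Per-peer flow control with congestion levels and priority shedding
(added example; not PT code). Thresholds, rates and the blocked command
are constructed assumptions; result codes are from RFC 6733."""
from dataclasses import dataclass, field

TOO_BUSY = 3004              # DIAMETER_TOO_BUSY
COMMAND_UNSUPPORTED = 3001   # DIAMETER_COMMAND_UNSUPPORTED

# Constructed congestion levels: (in-flight occupancy threshold, lowest
# priority still admitted). Priority 0 is the highest (e.g. emergency).
LEVELS = [(0.0, 3), (0.5, 2), (0.75, 1), (0.9, 0)]
# Constructed message-type policy: this peer may never send Abort-Session-Request.
BLOCKED_COMMANDS = {274}


@dataclass
class PeerThrottle:
    peer: str
    rate: float          # sustained messages/second allowed from this peer
    burst: int           # token bucket depth
    capacity: int        # in-flight requests at which the peer is fully congested
    tokens: float = field(init=False)
    last: float = 0.0
    inflight: int = 0
    level: int = 0
    alarms: list = field(default_factory=list)
    stats: dict = field(default_factory=lambda: {"accepted": 0, "throttled": 0,
                                                 "shed": 0, "blocked": 0})

    def __post_init__(self):
        self.tokens = float(self.burst)

    def congestion_level(self) -> int:
        occupancy = self.inflight / self.capacity
        return max(i for i, (thr, _) in enumerate(LEVELS) if occupancy >= thr)

    def admit(self, command: int, priority: int, now: float):
        """(True, None) to forward; (False, result_code) to answer with that
        error right away, because an unanswered request is simply retried."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if command in BLOCKED_COMMANDS:            # rejection by message type
            self.stats["blocked"] += 1
            return False, COMMAND_UNSUPPORTED
        level = self.congestion_level()
        if level != self.level:                    # alarm on every level change
            self.alarms.append((now, level))
            self.level = level
        if priority > LEVELS[level][1]:            # action by message priority
            self.stats["shed"] += 1
            return False, TOO_BUSY
        if self.tokens < 1:                        # per-peer rate limit
            self.stats["throttled"] += 1
            return False, TOO_BUSY
        self.tokens -= 1
        self.inflight += 1
        self.stats["accepted"] += 1
        return True, None

    def answered(self):
        """Call when the answer for an admitted request has gone back to the peer."""
        self.inflight -= 1


def scenario():
    """Constructed traffic: a burst of low-priority ULRs (command 316) from one peer."""
    t = PeerThrottle("dea1.partner.example", rate=5, burst=5, capacity=10)
    r = [t.admit(316, 3, 0.0) for _ in range(6)]   # 5 admitted, 6th shed at level 1
    r.append(t.admit(316, 0, 0.0))   # high priority, but the bucket is empty: TOO_BUSY
    r.append(t.admit(274, 0, 0.0))   # message type this peer may not send
    r.append(t.admit(316, 0, 1.0))   # one second later the bucket has refilled
    for _ in range(6):
        t.answered()                 # answers go back, occupancy drops to zero
    r.append(t.admit(316, 3, 2.0))   # level back to 0, low priority admitted again
    return t, r


if __name__ == "__main__":
    t, r = scenario()
    print(r)
    print(t.stats, t.alarms)
```

Congestion is measured per peer on in-flight work rather than on raw message rate, so a slow downstream (an HSS that answers late) raises the level even when the peer's rate is within limits; the token bucket handles the rate side separately.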
Encryption
TLS: application to application, over TCP
DTLS: application to application, over SCTP
IPsec: system to system
Specifications: IETF RFC 6733* (Diameter base protocol)
DTLS/TLS preferred over IPsec; the disadvantage is that an off-board firewall cannot terminate or inspect it
3GPP 33.210-c20: NDS/IP, IPsec on Security Gateways
Load-share vs hot-standby
Network design must understand redundancy at each level: network, system, card, and software
DNSSEC / DNSSEC-bis
Some security (origin authentication and integrity), but no confidentiality
No DoS protection
NSEC3
Adds protection against zone enumeration (zone walking)
Makes retrieval of the whole zone much harder (the hashed names can still be brute-forced offline)
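NSEC versus NSEC3 zone walking, as an added example written for this page (not from the original deck). It implements the RFC 5155 NSEC3 owner-name hash (SHA-1 over the canonical wire-format name plus salt, iterated, base32hex-encoded) and builds both chain types for a constructed toy zone: walking the NSEC chain yields every name in the zone, walking the NSEC3 chain yields only hashes, and the attacker is reduced to hashing guesses from a wordlist, which recovers common names but not an unguessable one. The zone, salt and iteration count are constructed; the hash function can be checked against the vectors in RFC 5155 Appendix A.

```python
"""NSEC vs NSEC3 zone walking (added example; not from the original deck).
Zone contents, salt and iteration count below are constructed."""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 base32hex alphabet


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format: 'www.example.' -> b'\\x03www\\x07example\\x00'."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def b32hex(data: bytes) -> str:
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: H(x || salt), then `iterations` more rounds of H(h || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def canonical_key(name: str):
    """DNS canonical ordering compares labels from the right (the zone apex first)."""
    return tuple(reversed([l.lower() for l in name.rstrip(".").split(".") if l]))


def build_nsec_chain(names):
    """owner -> next owner, exactly what the NSEC records of a signed zone expose."""
    ordered = sorted(names, key=canonical_key)
    return {n: ordered[(i + 1) % len(ordered)] for i, n in enumerate(ordered)}


def build_nsec3_chain(names, salt, iterations):
    """hashed owner -> next hashed owner; base32hex sorts in hash order."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


def walk(chain, start):
    """Follow 'next' pointers until the chain loops back: this is zone walking."""
    seen, cur = [], start
    while cur not in seen:
        seen.append(cur)
        cur = chain[cur]
    return seen


def guess_nsec3(hashes, zone, wordlist, salt, iterations):
    """What an attacker must do against NSEC3: hash candidate names and compare."""
    table = {nsec3_hash(f"{w}.{zone}", salt, iterations): f"{w}.{zone}" for w in wordlist}
    table[nsec3_hash(zone, salt, iterations)] = zone
    return {h: table[h] for h in hashes if h in table}


# Constructed toy zone; 'dev-qa' stands in for a name not in the attacker's wordlist.
ZONE = "example."
NAMES = [ZONE, "www.example.", "mail.example.", "dev-qa.example."]
SALT, ITER = bytes.fromhex("aabbccdd"), 12


def demo():
    walked = walk(build_nsec_chain(NAMES), ZONE)                    # every owner name
    nsec3 = build_nsec3_chain(NAMES, SALT, ITER)
    walked3 = walk(nsec3, nsec3_hash(ZONE, SALT, ITER))             # only hashes
    recovered = guess_nsec3(walked3, ZONE, ["www", "mail", "ns1"], SALT, ITER)
    return walked, walked3, recovered


if __name__ == "__main__":
    w, w3, r = demo()
    print("NSEC walk  :", w)
    print("NSEC3 walk :", w3)
    print("recovered  :", sorted(r.values()))
```

The salt and iteration count only raise the cost of the offline guess; they do not stop it, which is why the slide's "protection from zone enumeration" is a hardening step rather than confidentiality.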
Virtualization
Cloud based
DTLS and TLS work in application space
IPsec is less common (system level)
Redundancy requirements may mean understanding the structure of the cloud
System level
Loosely coupled solutions: databases, routing
Benefits
Similar security tools and infrastructure
Allows for containment in the network design
Simplifies external firewall rules
IWF (Interworking Function)
Translation function
SS7
GWS from and to application
Diameter / RADIUS
Packet or message inspection
Conclusions
IP access
Traffic level controls
System availability: hardware, software, data, connectivity
Switch filter*: packet level
IPsec*: system to system
Firewall*: Linux IP chains, multiple IP addresses
Operational: protection from operator error, live upgrades
DTLS/TLS: application layer
Diameter Edge Agent / network gateways: limit access to your network, topology hiding
Flow control and congestion: control storms at the source, prioritization of functions
Destination: explicit declaration vs DNS and dynamic discovery
Table screening: roaming control, who can send messages to whom
Access control: RADIUS / PAM, audit logs, password structure/aging