Securing VoIP and PSTN from Integrated Signaling Network Vulnerabilities

Hemant Sengar, George Mason UniversityRam Dantu, University of North TexasDuminda Wijesekera, George Mason University

Background :

Integration of Voice and Data Network

PUBLIC SWITCHED TELEPHONE NETWORK

(PSTN)

PBX

Telephone

Fax

Modem

Comm. Tower

Cell PhonePager

IDC

Mobile Switching Center

InternetIP Gateway

IP Phones

IP Phones

?

?

Public Switched Telephone Network

SS7 Protocol Stack

Message Transfer Part Level 1(Physical Layer)

Message Transfer Part Level 2(Data Link Layer)

Message Transfer Part Level 3(Network Layer)

MTP

ISDN User Part

Signaling Connection ControlPart (SCCP)

ASE OMAP

TCAP

Integrated IP and SS7 Network

SIP Network

SS7 Network

SIPProxyServer

MediaGatewayController

Router

Mobile Deviceswith VoIP

IP Link

SIGTRANbased Link

Enterprise Network Carrier Networks

?

Interconnect IP Network to SS7 Network

SIGTRAN Protocol Suite

IP

SCTP

M2PA M2UA IUASUAM3UA

MTP3 ISUP SCCP ISDNTCAP

TCAP

AdaptationLayer

SignalingTransport

InternetProtocol

SS7 over IP

SIGTRANArchitecture

M2PA in Signaling Transport

MTP1

MTP2

MTP3

ISUP

Service SwitchingPoint (SSP)

SS7

IPSCTP

M2PA

MTP3

ISUP

IPNetwork

Media GatewayController (MGC)

MTP1

MTP2

MTP3

IPSCTP

M2PA

SignalingGateway (SG)

SS7 Network Security Threats

Telecommunication Deregulation Act,1996 has opened up market

SS7 design and development carried out in different environment from the presently existing one.

Convergence of voice and data networks

IP Network Security Threats

Denial of Service (DoS) attacks

Spoofing, Sniffing.

Viruses, Worms etc.

Intrusion

Marriage of SS7 and IP

Exponential growth of IP Telephony More ISPs attach to SS7 Network

Threats to Signaling Nodes

May come from SS7 side or from IP side

Signaling Nodes are Exposed

Potential Threats due to Message Content ISUP’s IAM message populated with Multilevel

Precedence and Preemption (MLPP) parameter

Populating CIC of IAM with 0000 value Caller ID may be spoofed

Contd…

Signaling Nodes are Exposed

MGC is used to bridge SIP and ISUP network Translation of ISUP to SIP and mapping

of ISUP parameters into SIP headers Blind interpretation

Signaling Nodes are Exposed

Traffic Flow Analysis Traffic nature, load, network topology Subscriber’s behavior and identity

Link Status Messages in IP Network Processor Outage Busy Out of Service

Signaling Nodes are Exposed

Misbehaving Node

M2PA based IPSPs have two identifiers

Violation of Protocol State Machine

Continuous Proving Sequence of exchanged messages

Current Status :

IP Network Side Signaling Nodes may use SSL or IPSec

Secure Signaling Architecture :

MTP3

MTP2

MTP1IP

M2PA

SCTP

Security System

SS7 Network IP Network

SecuredTunnel

SecuredTunnel

Signaling Gateway at the Interface

Key-1 Key-2

?

Secure Signaling Architecture :

TrustManagement

Authentication

Gateway Screenin

g(Firewall

) IntrusionDetection

Armor

Trust NegotiationRe-

Authentication

Rule ChangesSignatures

DoS/Vulnerabilities

Trust Management:

Define Service Level AgreementsDefine Access control Policy

Authentication:

IETF has proposed IPSec for IP NetworkOur Proposal of MTPSec for SS7 Network

Proposed Solution

Security Across MTP3 Layer

Combination of two protocol Key Exchange (KE) Protocol Authentication Header (AH) Protocol

Authentication Header Format

Conclusion

Provides Integrity and Authentication solution to all signaling nodes Enforces SLA and ACL policy at the interfacePut checks on misbehaving entities

Thank You !