by Flavio Muscetra, Product Manager


Today’s mobile networks are all interconnected, directly or through signalling hubs, to guarantee the seamless exchange of voice calls, messages, and roaming services for international travellers.

Sometimes, however, these signalling interconnections can be abused to carry out attacks, including intercepting calls and messages and disabling service for specific subscribers or for the whole network (DoS). Such attacks are not easy to execute, but known weaknesses in the communication protocols and some misconfigurations can help attackers.

The most prudent mobile operators regularly buy penetration tests from security consultants to help identify vulnerabilities in their signalling network and the appropriate countermeasures to take. Vendors of signalling nodes also play their part by providing regular patches for their products to close off vulnerabilities.

But relying on vendors to provide patches for signalling nodes is not sufficient protection for a modern wireless network. As individual, disparate nodes cannot act in concert, a more comprehensive approach is required.

For this reason, the GSMA Fraud and Security group (FASG) has set up a team of specialists focused on developing technical requirements for a node called the Signalling Firewall.

The purpose of the Signalling Firewall is to inspect SS7 and Diameter signalling and block all anomalous messages that could be a vector for malicious attacks. In practice, it acts as a filter between the home network and external networks, providing a clear view of the signalling events crossing the network border.

A Signalling Firewall blocks suspicious signalling events and messages using a range of security filters that are based on known attacks and grouped into categories. Comparing information retrieved from different sources helps to identify suspicious events. Security filters, once in place, can block messages that do not conform to the expected message structure and alert the security manager that something unusual is happening. At the same time, all the relevant data are recorded, facilitating real-time and post-event analysis.
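The filtering logic described above, as an added Python example that is not code from any product or from the GSMA. Messages are simplified to dictionaries rather than decoded SS7 or Diameter, and the field names, the two filter categories, their policy and the prefix tables are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy tables, constructed for illustration only.
INTERNAL_ONLY_OPS = {"anyTimeInterrogation"}   # category: not expected from outside
HOME_NETWORK_OPS = {"insertSubscriberData"}    # category: only from the subscriber's home network
REQUIRED_FIELDS = ("operation", "origin_gt", "imsi")
GT_PREFIXES = {"88811": "net-a", "88812": "net-b"}      # constructed origin-address prefixes
IMSI_PREFIXES = {"00101": "net-a", "00102": "net-b"}    # constructed IMSI prefixes


def network_for(value, table):
    """Return the network whose prefix matches value, or None if unknown."""
    return next((net for prefix, net in table.items() if value.startswith(prefix)), None)


@dataclass
class SignallingFirewall:
    event_log: list = field(default_factory=list)  # every decision, for later analysis
    alerts: list = field(default_factory=list)     # reasons raised to the security manager

    def inspect(self, msg):
        verdict, reason = self._decide(msg)
        self.event_log.append({"msg": msg, "verdict": verdict, "reason": reason})
        if verdict == "block":
            self.alerts.append(reason)
        return verdict

    def _decide(self, msg):
        # Filter 1: the message must have the expected structure.
        missing = [f for f in REQUIRED_FIELDS if not msg.get(f)]
        if missing:
            return "block", "malformed: missing " + ", ".join(missing)
        # Filter 2: operations that should never cross the network border.
        if msg["operation"] in INTERNAL_ONLY_OPS:
            return "block", "operation not expected from an external network"
        # Filter 3: compare two sources, the sender address and the subscriber identity.
        if msg["operation"] in HOME_NETWORK_OPS:
            origin = network_for(msg["origin_gt"], GT_PREFIXES)
            home = network_for(msg["imsi"], IMSI_PREFIXES)
            if origin is None or origin != home:
                return "block", "sender is not the subscriber's home network"
        return "allow", "passed all filters"
```

Allowed messages are logged as well as blocked ones, so the event log supports post-event analysis of traffic that passed the filters.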

With the media highlighting some recent high-profile cases of mobile security and privacy breaches, the last couple of years have seen growing market interest in Signalling Firewalls. As mobile operators revise their signalling network defences, the Signalling Firewall has become a key tool to make signalling networks more robust and secure.

The main focus is currently on SS7 signalling, but interest in the Diameter protocol is also growing due to the increasing interconnection of LTE networks.

Many national regulators already impose very strict rules to ensure the privacy of mobile subscribers’ communications and data, but operators must also protect their own networks against denial-of-service attacks, and protect their reputations, by implementing the security guidelines defined by the GSMA.

The Signalling Firewall has become a key asset of the modern mobile operator, helping to comply with regulations governing personal privacy and, at the same time, limiting threats to the network itself, which could result in expensive outages.