
Securing VoIP and PSTN from Integrated Signaling Network Vulnerabilities

Hemant Sengar, George Mason University
Ram Dantu, University of North Texas
Duminda Wijesekera, George Mason University

Background:

Integration of Voice and Data Network

[Diagram labels: Telephone, PBX, Modem, IDC, Fax, Public Switched Telephone Network (PSTN), Mobile Switching Center, Comm. Tower, Cell Phone, Pager, IP Gateway, Internet, IP Phones]

Public Switched Telephone Network

SS7 Protocol Stack


ASE OMAP

TCAP

ISDN User Part

Signaling Connection Control Part (SCCP)

Message Transfer Part Level 3 (Network Layer)

Message Transfer Part Level 2 (Data Link Layer)

Message Transfer Part Level 1 (Physical Layer)

(Levels 1 to 3 together: MTP)

Integrated IP and SS7 Network


Interconnect IP Network to SS7 Network

[Diagram labels: SIP Proxy Server, IP Link, Router, Mobile Devices with VoIP, Media Gateway Controller, SIP Network, SS7 Network, SIGTRAN based Link, Enterprise Network, Carrier Networks]

SIGTRAN Protocol Suite


[Diagram: SIGTRAN protocol stack. Upper-layer protocols: TCAP, MTP3, ISUP, SCCP, ISDN. Adaptation Layer: M2PA, M2UA, M3UA, SUA, IUA. Signaling Transport: SCTP. Internet Protocol: IP.]

SIGTRAN Architecture

SS7 over IP

M2PA in Signaling Transport


[Diagram: protocol stacks. Service Switching Point (SSP): ISUP, MTP3, MTP2, MTP1. Signaling Gateway (SG): MTP3 over MTP2, MTP1 toward SS7 and over M2PA, SCTP, IP toward the IP Network. Media Gateway Controller (MGC): ISUP, MTP3, M2PA, SCTP, IP.]

SS7 Network Security Threats


Telecommunication Deregulation Act, 1996 has opened up the market
SS7 design and development were carried out in a different environment from the presently existing one
Convergence of voice and data networks

IP Network Security Threats


Denial of Service (DoS) attacks
Spoofing, Sniffing
Viruses, Worms etc.
Intrusion

Marriage of SS7 and IP


Exponential growth of IP Telephony

More ISPs attach to SS7 Network

Threats to Signaling Nodes


May come from SS7 side or from IP side

Signaling Nodes are Exposed


Potential Threats due to Message Content

ISUP's IAM message populated with Multilevel Precedence and Preemption (MLPP) parameter
Populating CIC of IAM with 0000 value
Caller ID may be spoofed
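
An added example (not from the original slides) of a gateway screening check for the first two conditions above: it parses a raw ITU-T ISUP IAM and flags a CIC of 0000 and an MLPP precedence parameter. The function name, the `mlpp_allowed` policy flag and the sample messages are constructed for illustration; the ITU-T Q.763 layout with a 12-bit CIC is assumed.

```python
# Added example: gateway screening of a raw ITU-T ISUP message (CIC onward,
# i.e. MTP3 user data after the routing label). Layout per ITU-T Q.763.
IAM = 0x01          # message type code: Initial Address Message
PARAM_MLPP = 0x3A   # optional parameter code: MLPP precedence
OPT_PTR = 9         # offset of the pointer to the optional part in an IAM:
                    # CIC(2) + type(1) + fixed part(5) + called-number pointer(1)

def screen_iam(isup: bytes, mlpp_allowed: bool = False) -> list:
    """Return screening findings for one message; an empty list means pass.

    mlpp_allowed is a hypothetical per-peer policy flag (for example taken
    from the SLA agreed with the sending network).
    """
    if len(isup) < 3:
        return ["malformed: too short"]
    if isup[2] != IAM:
        return []                                  # only IAMs are screened here
    if len(isup) <= OPT_PTR:
        return ["malformed: IAM too short"]
    findings = []
    cic = isup[0] | ((isup[1] & 0x0F) << 8)        # 12-bit CIC, low octet first
    if cic == 0:
        findings.append("CIC is 0000")
    if isup[OPT_PTR] == 0:                         # pointer 0: no optional part
        return findings
    pos = OPT_PTR + isup[OPT_PTR]                  # pointer counts from itself
    while True:
        # Each optional parameter is code, length, value; code 0 ends the list.
        if pos >= len(isup):
            findings.append("malformed: optional part truncated")
            break
        code = isup[pos]
        if code == 0:
            break
        if pos + 1 >= len(isup) or pos + 2 + isup[pos + 1] > len(isup):
            findings.append("malformed: optional part truncated")
            break
        if code == PARAM_MLPP and not mlpp_allowed:
            findings.append("MLPP precedence parameter present")
        pos += 2 + isup[pos + 1]
    return findings

# Constructed sample messages (not captured traffic).
SUSPECT_IAM = bytes.fromhex("0000 01 00 2001 0a 00 02 06 0403102143"
                            "3a06 000000000000 00")
NORMAL_IAM = bytes.fromhex("2500 01 00 2001 0a 00 02 00 0403102143")

if __name__ == "__main__":
    for name, msg in (("suspect", SUSPECT_IAM), ("normal", NORMAL_IAM)):
        print(name, screen_iam(msg) or "pass")
```

Caller ID spoofing is not covered here, because it cannot be judged from the message bytes alone.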


Signaling Nodes are Exposed


MGC is used to bridge SIP and ISUP network

Translation of ISUP to SIP and mapping of ISUP parameters into SIP headers
Blind interpretation

Signaling Nodes are Exposed


Traffic Flow Analysis

Traffic nature, load, network topology
Subscribers' behavior and identity

Link Status Messages in IP Network


Processor Outage
Busy
Out of Service

Signaling Nodes are Exposed


Misbehaving Node
M2PA based IPSPs have two identifiers

Violation of Protocol State Machine


Continuous Proving
Sequence of exchanged messages

Current Status:
IP Network Side Signaling Nodes may use

SSL or IPSec

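Secure Signaling Architecture:


Signaling Gateway at the Interface

[Diagram: a Security System at the Signaling Gateway between the SS7 Network and the IP Network. Stack labels: MTP3, MTP2, MTP1 and M2PA, SCTP, IP. Other labels: Key-1, Key-2, and a Secured Tunnel on each side.]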

Secure Signaling Architecture:


Trust Management
Authentication
Gateway Screening (Firewall)
Intrusion Detection

[Diagram labels: Armor, Rule Changes, Re-Authentication, Trust Negotiation, Signatures, DoS/Vulnerabilities]

Trust Management:
Define Service Level Agreements
Define Access control Policy

Authentication:
IETF has proposed IPSec for IP Network
Our Proposal of MTPSec for SS7 Network

Proposed Solution
Security Across MTP3 Layer
Combination of two protocols

Key Exchange (KE) Protocol
Authentication Header (AH) Protocol

Authentication Header Format

Conclusion
Provides Integrity and Authentication solution to all signaling nodes
Enforces SLA and ACL policy at the interface
Puts checks on misbehaving entities

Thank You!
