White Paper

GPRS Security Threats and Solution

Recommendations

Alan Bavosa
Product Manager

Juniper Networks, Inc.

1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408 745 2000 or 888 JUNIPER
www.juniper.net

Part Number: 200074-002 June 2004

Contents

Preface .......................................................................................................................................................3
Introduction..............................................................................................................................................3
GPRS Core Network Architecture Overview .....................................................................................3
Classification of Security Services ........................................................................................................4
Data Services on the Gp and Gi Interfaces...........................................................................................5
Security Threats on the Gp Interface ....................................................................................................5
Availability......................................................................................................................................5
Authentication and Authorization..............................................................................................6
Integrity and Confidentiality .......................................................................................................6
Security Solutions for the Gp Interface ................................................................................................7
Gp Network Solution Diagram ....................................................................................................8
Security Threats on the Gi Interface .....................................................................................................8
Availability......................................................................................................................................9
Confidentiality................................................................................................................................9
Integrity ...........................................................................................................................................9
Authentication and Authorization..............................................................................................9
Security Solutions on the Gi Interface..................................................................................................9
Gi Network Security Solution Diagram ...................................................................................10
Security Threats on the Gn Interface ..................................................................................................11
Security Solutions on the Gn Interface...............................................................................................11
Deploying GPRS Security Solutions on Juniper Security Systems ...............................................12
Conclusion ..............................................................................................................................................13
Acknowledgements and Resources ...................................................................................................14

Copyright © 2004, Juniper Networks, Inc.

GPRS Threats and Recommendations

Preface
This paper is intended to assist General Packet Radio Service (GPRS) operators and network
designers in the evaluation of potential security threats and solutions. Although a brief
review of GPRS architecture is provided, it is assumed that the reader understands the basic
GPRS architecture and Internet Protocol data networking. This paper does not attempt to
present an exhaustive list of all GPRS security issues.

Introduction
General Packet Radio Service (GPRS) is a data network architecture that is designed to
integrate with existing GSM networks and offer mobile subscribers “always on” packet
switched data services access to corporate networks and the Internet. GPRS provides mobile
operators with an opportunity to offer higher-margin data access services to subscribers. In
return, subscribers benefit from GPRS by being able to use higher bandwidth mobile
connections to the Internet and corporate networks. GPRS Tunneling Protocol (GTP) is the
protocol used by GSM or UTMS operators to convert radio signals from subscribers into data
packets, and then to transport them in non-encrypted tunnels. GTP does not provide for
inherent security.

With the addition of GPRS to GSM, mobile operators are adding mobile Internet and virtual
private network services to their existing mobile voice services. GPRS networks are connected
to several external data networks including those of roaming partners, corporate customers,
GPRS Roaming Exchange (GRX) providers, and the public Internet. By connecting their GPRS
network to a variety of external networks, mobile operators must take the appropriate steps to
protect their own network from attacks initiating from these external networks while
continuing to provide access to and from them. Juniper Network’s purpose-built
firewall/IPSec VPNs address many of the security problems operators face when developing
GPRS-based service offerings. The most recent version of GTP is GTP 99. A prior version was
called GTP 97. Juniper’s integrated firewall/VPN product line supports both versions of GTP.

GPRS Core Network Architecture Overview

In figure 1, the Mobile Station (MS) logically attaches to a Serving GPRS Support Node
(SGSN). The main function of the SGSN is to provide data support services to the MS. The
SGSN is logically connected to a Gateway GPRS Support Node (GGSN) via the GPRS
Tunneling Protocol (GTP). The GTP connection within a given operator’s Public Land Mobile
Network (PLMN) is called the Gn interface. The connection between two different PLMNs
(mainly used to implement roaming agreements between providers) is the Gp interface. The
GGSN provides the data gateway to external networks such as the public Internet or corporate
network via the Gi interface. GTP is used to encapsulate data from the MS and also includes
mechanisms for establishing, moving, and deleting tunnels between SGSN and GGSN in
roaming scenarios. And finally, the interface used to connect a providers network to its
internal Accounting and Billing systems is called the Ga interface. This is also referred to as
GTP’ or GTP prime.

Copyright © 2004, Juniper Networks, Inc. 3

 GPRS Threats and Recommendations

The Gp and the Gi interfaces are the primary points of interconnection between the Operator’s
network and untrusted external networks. Operators must take appropriate measures to
protect their network from attacks originated on these external networks.
Figure 1

Corporate Roaming
Partner #1
Network #1

VPN Gi Interface
Operator
Firewall
/IPSec VPN
Firewall
/IPSec VPN
GRX
Gn Interface
Gp Interface
VPN
Roaming
Billing/ Partner #2
Corporate
Network #2 Ga Interface Accounting DB

Operators must secure connections between trusted and untrusted networks:

•Gi – interface between GPRS network and an external network, such as the Internet.
•Gp – interface between two mobile operators networks, primarily for roaming
•Ga – interface to Billing and Accounting systems
•Gn – interface which secures mobile providers internal network

Classification of Security Services

Security services are protections and assurances that provide mitigation against various
threats. They are generally known as:
Integrity: Integrity is a security service that assures that data cannot be altered in an
unauthorized or malicious manner.
Confidentiality: Confidentiality is the protection of data from disclosure to unauthorized
third parties.
Authentication: Authentication provides assurance that a party in data communication is
who or what they claim to be.
Authorization: Authorization is a security service that ensures that a party may only
perform the actions that they’re allowed to perform
Availability: Availability means that data services are usable by the appropriate parties in
the manner intended.

4 Copyright © 2004, Juniper Networks, Inc.

GPRS Threats and Recommendations

When considering security threats and possible mitigation, it is important to consider

attacks against each of these services. In some cases, it may not be important to protect
against certain threats. For example, it is not necessary to protect confidentiality of data
that is intended to be public.

Data Services on the Gp and Gi Interfaces

In order to determine what security solutions are appropriate, it is necessary to first
understand what type of traffic and data services are to be provided and then to analyze
specific threats to those services. The Gp Interface is the logical connection between PLMNs
that is used to support mobile (roaming) data users. GTP is used to establish a connection
between a local SGSN and the user’s home GGSN. Generally the traffic that must be allowed
to and from an operators network on the Gp is:

GTP: Provides logical connectivity between the SGSN and GGSN of roaming partners
BGP: Provides routing information between the operator and the GRX and/or roaming
partners
DNS: Provides resolution for a subscribers APN

The Gi interface is the interface that data originated by the MS is sent out towards, to access
the Internet or a corporate network. It is also the interface that is exposed to public data
networks and networks of corporate customers. Traffic being sent out from the GGSN on the
Gi interface or arriving for an MS on the Gi interface can be virtually any kind of traffic since
the application being used at the MS is unknown.

Security Threats on the Gp Interface

Availability
The most common type of attack on availability is a denial of service (DOS) attack. There are
several types of denial of service attacks that are possible on the Gp interface:
Border Gateway bandwidth saturation – a malicious operator that is connected to the same
GRX (whether or not they’re actually a roaming partner) may have the ability to generate a
sufficient amount of network traffic directed at a Border Gateway such that legitimate
traffic is starved for bandwidth in or out of the PLMN, thus denying roaming access to or
from the network
DNS Flood – DNS servers on the network can be flooded with either correctly or
malformed DNS queries or other traffic thereby denying subscribers the ability to locate
the proper GGSN to use as an external gateway.
GTP Flood – SGSNs and GGSNs may be flooded with unauthorized GTP traffic that cause
them to spend their CPU cycles processing illegitimate data. This may prevent subscribers
from being able to roam, to pass data out to external networks via the Gi, or from being
able to GPRS attach to the network at all.

Copyright © 2004, Juniper Networks, Inc. 5

 GPRS Threats and Recommendations

Spoofed GTP PDP Context Delete – An attacker with the appropriate information, can
potentially craft a GTP PDP Context Delete message which will remove the GPRS Tunnel
between the SGSN and GGSN for a subscriber. Crafting other types of network traffic can
learn some of the information that must be known. If an attacker doesn’t care about whom
they are denying service, they can send many PDP Context Delete messages for every
tunnel ID that might be used.
Bad BGP Routing Information – An attacker who has control of a GRX operators’ routers
or who can inject routing information into a GRX operators’ route tables, can cause an
operator to lose routes for roaming partners thereby denying roaming access to and from
those roaming partners.
DNS Cache Poisoning – It may be possible for an attacker to forge DNS queries and/or
responses that cause a given user’s APN to resolve to the wrong GGSN or even none at all.
If a long Time To Live (TTL) is given, this can prevent subscribers from being able to pass
data at all.

Authentication and Authorization

It may be possible for an imposter to appear to be a legitimate subscriber when they are not.
Spoofed Create PDP Context Request – GTP inherently provides no authentication for the
SGSNs and GGSNs themselves. This means that given the appropriate subscriber
information , an attacker with access to the GRX, another operator attached to the GRX, or
a malicious insider can potentially create their own bogus SGSN and create a GTP tunnel
to the GGSN of a subscriber. They can then pretend to be the legitimate subscriber when
they are not. This can result in an operator providing illegitimate Internet access or
possibly unauthorized access to the network of a corporate customer.
Spoofed Update PDP Context Request – An attacker can use their own SGSN or a
compromised SGSN to send an Update PDP Context Request to an SGSN which is handling
an existing GTP session. The attacker can then insert their own SGSN into the GTP session
and hijack the subscriber data connection.
Overbilling Attacks – A new attack has emerged in GPRS networks called the “Overbilling
Attack”. Such an attack is initiated by a malicious mobile station that hijacks an IP address
of another mobile station and invokes a download from a malicious server on the Internet.
Once the download begins, the malicious mobile station exits the session. The mobile
station under attack, receiving the download traffic, gets charged for traffic it did not
solicit. The same malicious party could execute this attack for the purpose of sending
broadcasts of unsolicited data in the direction of subscriber cell phones. The effect is still
the same, in that the subscriber is billed for data that they did not solicited and might not
have wanted. Such an attack is not limited to the Gp interface. It can also occur by
exploiting the Gi or Gn interfaces as well.

Integrity and Confidentiality

Should an attacker be in a position to access GTP or DNS traffic, they can potentially alter
it mid-stream or discover confidential subscriber information. This is a fundamental issue
with GTP as noted in 3GPP TS 09.60 V6.9.0:

“No security is provided in GTP to protect the communication between different GPRS networks.”

6 Copyright © 2004, Juniper Networks, Inc.

GPRS Threats and Recommendations

Capturing a subscriber’s data session – Because GTP and the embedded T-PDUs are not
encrypted, an attacker who has access to the path between the GGSN and SGSN such as a
malicious employee or hacker who has compromised access to the GRX, can potentially
capture a subscriber’s data session. Without encryption, this data can then be read or
manipulated by illegitimate parties. This is generally true of traffic on public networks and
subscribers should be advised to utilize IPSec or similar protection.

Security Solutions for the Gp Interface

The fundamental issue with security threats on the Gp interface is the lack of security inherent
in GTP. Implementing IPSec between roaming partners and managing traffic rates, can
eliminate a majority of the Gp security risks. Specific security countermeasures to implement
should include:
Ingress and egress packet filtering – This will help prevent the PLMN from being used as
source to attack other roaming partners. If the mobile operator is connected to more than
one GRX or private roaming peering connections, then this will also help ensure that
spoofed roaming partner traffic cannot arrive on paths where that roaming partner is not
connected.
Stateful GTP packet filtering – Only allow the traffic required and only from the sources
and destinations of roaming partners. This will prevent other PLMNs connected to the
same GRX from initiating many kinds of attacks. It will also prevent GSNs from having to
process traffic from PLMNs that are not roaming partners as well as illegal or malformed
traffic. Layer 3 and layer 4 stateful inspection is useful because it minimizes the exposure
of the GPRS network, GTP stateful inspection is critical to protect GSNs. A firewall that
supports GTP stateful inspection ensures that GSNs are not processing GTP packets that
are malformed, have illegal headers, or are not of the correct state. This prevents many
types of denial of service attacks and some others such as reconnaissance.
GTP Traffic Shaping – In order to prevent the shared resources of bandwidth and the
GSN’s processor from being consumed by an attacker or a subscriber, GTP rate limiting
should be implemented. Layer 3 and layer 4 rate limiting should also be implemented to
address Denial of Service (DOS) attacks and ensure that bandwidth is appropriately
apportioned between GTP, BGP, DNS, etc.
IPSec tunnels between roaming partners – A majority of confidentiality and authentication
issues are addressed by implementing IPSec between you’re the mobile operator PLMN
and that of the roaming partners. Generally, only GTP and DNS traffic should be allowed
over the IPSec tunnel. No traffic should be permitted from roaming partners that does not
arrive on the IPSec tunnel.
Overbilling Attack Prevention - Juniper’s solution enables the GTP firewall to notify the Gi
firewall of an attack. The Gi firewall is then able to terminate the “hanging” sessions
and/or tunnels, thus cutting off the unwanted traffic. As such, this prevents the GPRS
subscriber from being “overbilled.” Again, this solution is not limited exclusively to the Gp
interface.

Copyright © 2004, Juniper Networks, Inc. 7

 GPRS Threats and Recommendations

Gp Network Solution Diagram

Figure 2 below illustrates a recommended configuration for the Gp interface. The border
gateway router supporting BGP can either be in front of or behind the firewall. DNS, Radius,
and DHCP servers should be located off of the Juniper security system on a separate network
segment. The operations and management network should be located off a separate network
segment as well.
Figure 2

GGSN SGSN

Gp Interface

IPSec GTP

GRX

Roaming Roaming
Partner #1 Partner #2

Internet

Security Threats on the Gi Interface

The Gi interface is where the GPRS network connects to the Internet, corporate networks, and
other network service providers who may provide services to subscribers. Because the
subscriber’s applications can be virtually anything, operators will expose their network at the
Gi to all types of network traffic. Subscribers are then exposed to all of the ills that we have
today on the Internet including viruses, worms, Trojan horses, denial of service attacks, and
other malicious network traffic.

8 Copyright © 2004, Juniper Networks, Inc.

GPRS Threats and Recommendations

Availability

Like the Gp interface, denial of service attacks represent the largest threat on the Gi interface.
Some examples include:
Gi bandwidth saturation – Attackers may be able to flood the link from the PDN to the
mobile operator with network traffic thereby prohibiting legitimate traffic to pass.
Flooding an MS – If a flood of traffic is targeted towards the network (IP) address of a
particular MS, that MS will most likely be unable to use the GPRS network. This is
particularly true because of the significant difference in available bandwidth on the air
interface versus the Gi interface.

Confidentiality

There is no protection of data from an MS to the public data network or corporate network.
It is assumed that third parties can see data if IP Security or application layer security is
not being used.

Integrity

Data sent over public data networks can potentially be changed by intermediaries unless
higher layer security is being used.

Authentication and Authorization

Unless layer 2 or layer 3 tunnels are used at the GGSN to connect to the corporate network,
it may be possible for one MS to access the corporate network of another customer. The
source address of network traffic cannot be relied upon for authentication and
authorization purposes because the MS or hosts beyond the MS can create packets with
any addresses regardless of the IP address assigned to the MS.

Security Solutions on the Gi Interface

A majority of the security threats associated with the Gi interface stem from the possibility of
denial of service attacks and adjacency attacks. Security solutions include:
Logical tunnels from the GGSN to corporate networks – It should not be possible to route
traffic from the Internet to a corporate network, or between corporate networks at all. In
order to implement this, make sure that the GGSN can logically separate corporate
networks in layer 2 or layer 3 tunnels. If the connection to the corporate network is via the
Internet, IPSec should be used to connect from the GGSN to the corporate network.

Copyright © 2004, Juniper Networks, Inc. 9

 GPRS Threats and Recommendations

Traffic rate limiting – On connections to the Internet, prioritize IPSec traffic from corporate
networks over that of other traffic. This will ensure that attacks from the Internet cannot
disrupt mobile intranet services. Another consideration would be to use separate physical
interfaces for corporate traffic and Internet traffic.
Stateful packet inspection – Use a security policy that only allows the MS to initiate
connections to the public network and implement stateful packet filtering so that the MS
never sees traffic that is initiated from the public network. If required, implement trusted
application servers that are permitted by policy to push public network services to the MS.
An alternative would be to consider two types of service--one where connections can be
initiated from the Internet toward the MS and one where they cannot.
Ingress and egress packet filtering – Prevent the possibility of spoofed MS to MS data by
blocking incoming traffic with the source addresses which are the same as those assigned
to an MS for public network access.
Overbilling Attack Prevention - Juniper’s solution enables the GTP firewall to notify the Gi
firewall of an attack. The Gi firewall is then able to terminate the “hanging” sessions
and/or tunnels, thus cutting off the unwanted traffic. As such, this prevents the GPRS
subscriber from being “overbilled.” Again, this solution is not limited exclusively to the Gi
interface.

Gi Network Security Solution Diagram

The Juniper Gi security solution uses a tunnel hub concept to logically separate traffic for
different corporate networks and the Internet. In addition to IPSec tunnels and 802.1q
VLANs, ATM, Frame Relay, and MPLS can be used in conjunction with third party
switches and access concentrators.
Figure 3

SGSN

GGSN

Gi Interface

Corporation A Corporation B

10 Copyright © 2004, Juniper Networks, Inc.

GPRS Threats and Recommendations

Security Threats on the Gn Interface

Providers not only need to worry about threats originating from the outside of their network.
There are also many instances where threats may originate from the inside of a provider’s
network. Or threats may emerge from the outside, but propagate within a provider’s network
once the network barrier has been breached. This section will outline threats that may occur
at the Gn interface, which is internal to a given provider’s GPRS network.

Attacks at the Gn interface in the network can potentially bring down the network depending
on the intensity of the attack. This impact can lead to network downtime, loss of service,
revenue loss and disgruntled customers

Spoofed SGSN or GGSN: There are instances where malicious users can disguise
themselves as a legitimate part of the network by spoofing the IP address of a GGSN or
SGSN. Once a party has established themselves as a legitimate network element or user,
then they can take actions which are detrimental to customers or wireless carriers, such as
deleting PDP contexts or sessions. By executing commands that a GGSN normally
executes, such attacks can go undetected until the damage is done, unless the network is
protected by a stateful firewall.
Spoofed GTP PDP Context Delete – An attacker with the appropriate
information, can potentially craft a GTP PDP Context Delete message which will
remove the GPRS Tunnel between the SGSN and GGSN for a subscriber.
Crafting other types of network traffic can learn some of the information that
must be known. If an attacker doesn’t care about whom they are denying
service, they can send many PDP Context Delete messages for every tunnel ID
that might be used.
Attacks from one mobile customer against another: Mobile customers, whether legitimate
customers or not, may attack each other. One such attack is the previously described
Overbilling attack. This attack can take the equivalent form of “spam” for a GPRS
network. In this case, the malicious user, once they have gained what appears to be
legitimate network access, can send massive amounts of data to unsuspecting users. Since
GPRS is a “usage based” service, then innocent users are “overbilled” for content that they
did not request. Such an attack would be even more harmful than spam is for email, as it
becomes much more than an annoyance. Imagine if you were charged (on a per email
basis) for every piece of junk email that you received from a spammer!

Security Solutions on the Gn Interface

Using policy based configuration and administration, providers can protect against security
threats emerging from within the GPRS network.

Policy based Firewall management allows providers to use arbitrary Juniper’s arbitrary
“any any” zone structure to protect against attacks originating from within the network. A
simple “trust-untrust” architecture does not fully allow customers to do this due to the fact
that there is often no concept of “untrust” within the confines of a given provider’s
network.

Copyright © 2004, Juniper Networks, Inc. 11

 GPRS Threats and Recommendations

Stateful Inspection Firewall: By deploying a stateful inspection firewall, and setting the
policies by which you want to allow or disallow traffic, carriers can protect against the
attacks mentioned above. For example, in the case of the spoofed GGSN messages, if a
certain PDP context message did not pass the “sanity check” detection mechanisms, then
they are dropped. In the example above, where a GTP PDP Context Delete message might
be “spoofed” by a malicious user posing as a GGSN, if there was not a prior GTP PDP
Context Create message received earlier, then this message would not pass the sanity
check, and it would be dropped by the firewall.
Juniper’s Overbilling feature would enable a carrier to prevent the “spam” example from
happening by deleting the “hijacked” session that the malicious party used to execute the
attack.

Deploying GPRS Security Solutions on Juniper Security Systems

The Juniper Networks NetScreen 500-GPRS provides security technology to mitigate a wide
variety of attacks on the Gp, Gn, Ga, Gi interfaces. These features include:
Full policy based protection at all major GPRS interfaces
Logical separation and administration via Virtual System (vsys) support
Support for both GTP 97 and GTP 99
GTP Packet Sanity Check
GTP Tunnel Limiting
Hardware-accelerated stateful packet filtering
Traffic rate limiting
GTP rate limiting by signaling or user plane
GTP stateful packet filtering
GPRS Overbilling Attack Prevention
Dynamic Routing (OSPF and BGP)
High Availability (using Juniper Redundancy Protocol – NSRP)
Route mode or Transparent mode
Web User Interface (WebUI)
Access Point Name Filtering (APN Filtering)
Active/Active mode
Active/Passive mode
Per direction APN filtering
GTP security policies including
GTP Message Type
GTP Message Length
IMSI Prefix filtering (MCC/MNC Filtering)
Filtering on a per mobile provider basis

12 Copyright © 2004, Juniper Networks, Inc.

GPRS Threats and Recommendations

GTP Tunnel Count Limits

APN and Selection Mode
GTP Management and Logging Features
GTP Traffic Counting
GTP Traffic Logging
Many other advanced logging capabilities
High-availability fail-over including:
GTP state tables
VPN gateway connections
Virtual Router support to separate intranet destined traffic
IPSec tunnels or 802.1q VLANs to the GGSN
IPSec tunnels or 802.1q VLANs toward corporate network
Hardware-accelerated support for GTP over IPSec tunnels

Conclusion
GPRS promises to benefit mobile data users greatly by providing always on higher bandwidth
connections than are widely available today. In order to be successful, data connections must
be secure and be available anytime and from anywhere.

The maturity of security in the air interface, and the low bandwidth available limit the
effectiveness of the Mobile Station as the source of attacks. However, with the introduction of
GPRS services, operators must connect their networks to those of corporate customers, public
data networks, and that of other operators to provide data access services. These connections
represent significant risks to subscribers and the operators themselves.

The lack of security inherent in GTP, the protocol used between roaming partners, represents
a significant threat. The security of the roaming network is only as good as that of the
weakest operator. Implementing IPSec between roaming partners, traffic rate limiting, and
GTP stateful inspection can mitigate a significant number of threats on the roaming network.

Stateful packet inspection, traffic rate limiting, and logical separation of traffic for each
corporate network and the public network can significantly reduce the threat between the
operator’s network, subscribers, and these networks.

Juniper Networks has developed technology and solutions that include GTP-aware stateful
inspection firewall, GTP aware traffic shaping, and a VPN/VLAN tunnel hub. These
solutions help mitigate many of the possible threats to the GPRS network, mobile subscribers,
and corporate networks.

Copyright © 2004, Juniper Networks, Inc. 13

 GPRS Threats and Recommendations

Acknowledgements and Resources

The author wishes to thank the staff of Ericsson Research Labs, Berkeley, CA, for their
assistance with the analysis of GTP and Gi interface security threats.
Also special thanks to Jesse Shu of Juniper Networks GPRS Software Engineering.

Other sources of helpful information include:

Security in GPRS. Geir Stian Bajen and Erling Kaasin. May 2001
http://siving.hia.no/ikt01/ikt6400/ekaasin/Master Thesis Web.htm

Screening and filtering: In GPRS the subscriber pays MO and MT packets, how to protect
against hackers and unwanted packets? Hannu H. KARI
http://www.cs.hut.fi/~hhk/GPRS/lect/screening/ppframe.htm

GPRS Security. Charles Brookson. December 2001.

http://www.brookson.com/gsm/gprs.pdf

Wireless and Mobile Network Architectures. Yi-Bing Lin, Herman C.-H Rao, Imrich
Chlamtac. John Wiley and Sons 2001.

Copyright © 2004 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered
trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-
204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-
Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC,
GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the
property of their respective companies.

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without
receiving written permission from:

Juniper Networks, Inc.

1194 N. Mathilda Ave.Sunnyvale, CA 95014 ATTN: General Counsel

14 Copyright © 2004, Juniper Networks, Inc.