Professional Documents
Culture Documents
GPRS Security Threats and Solution Recommendations: Alan Bavosa Product Manager
GPRS Security Threats and Solution Recommendations: Alan Bavosa Product Manager
Alan Bavosa
Product Manager
Preface .......................................................................................................................................................3
Introduction..............................................................................................................................................3
GPRS Core Network Architecture Overview .....................................................................................3
Classification of Security Services ........................................................................................................4
Data Services on the Gp and Gi Interfaces...........................................................................................5
Security Threats on the Gp Interface ....................................................................................................5
Availability......................................................................................................................................5
Authentication and Authorization..............................................................................................6
Integrity and Confidentiality .......................................................................................................6
Security Solutions for the Gp Interface ................................................................................................7
Gp Network Solution Diagram ....................................................................................................8
Security Threats on the Gi Interface .....................................................................................................8
Availability......................................................................................................................................9
Confidentiality................................................................................................................................9
Integrity ...........................................................................................................................................9
Authentication and Authorization..............................................................................................9
Security Solutions on the Gi Interface..................................................................................................9
Gi Network Security Solution Diagram ...................................................................................10
Security Threats on the Gn Interface ..................................................................................................11
Security Solutions on the Gn Interface...............................................................................................11
Deploying GPRS Security Solutions on Juniper Security Systems ...............................................12
Conclusion ..............................................................................................................................................13
Acknowledgements and Resources ...................................................................................................14
Preface
This paper is intended to assist General Packet Radio Service (GPRS) operators and network
designers in the evaluation of potential security threats and solutions. Although a brief
review of GPRS architecture is provided, it is assumed that the reader understands the basic
GPRS architecture and Internet Protocol data networking. This paper does not attempt to
present an exhaustive list of all GPRS security issues.
Introduction
General Packet Radio Service (GPRS) is a data network architecture that is designed to
integrate with existing GSM networks and offer mobile subscribers “always on” packet
switched data services access to corporate networks and the Internet. GPRS provides mobile
operators with an opportunity to offer higher-margin data access services to subscribers. In
return, subscribers benefit from GPRS by being able to use higher bandwidth mobile
connections to the Internet and corporate networks. GPRS Tunneling Protocol (GTP) is the
protocol used by GSM or UTMS operators to convert radio signals from subscribers into data
packets, and then to transport them in non-encrypted tunnels. GTP does not provide for
inherent security.
With the addition of GPRS to GSM, mobile operators are adding mobile Internet and virtual
private network services to their existing mobile voice services. GPRS networks are connected
to several external data networks including those of roaming partners, corporate customers,
GPRS Roaming Exchange (GRX) providers, and the public Internet. By connecting their GPRS
network to a variety of external networks, mobile operators must take the appropriate steps to
protect their own network from attacks initiating from these external networks while
continuing to provide access to and from them. Juniper Network’s purpose-built
firewall/IPSec VPNs address many of the security problems operators face when developing
GPRS-based service offerings. The most recent version of GTP is GTP 99. A prior version was
called GTP 97. Juniper’s integrated firewall/VPN product line supports both versions of GTP.
The Gp and the Gi interfaces are the primary points of interconnection between the Operator’s
network and untrusted external networks. Operators must take appropriate measures to
protect their network from attacks originated on these external networks.
Figure 1
Corporate Roaming
Partner #1
Network #1
VPN Gi Interface
Operator
Firewall
/IPSec VPN
Firewall
/IPSec VPN
GRX
Gn Interface
Gp Interface
VPN
Roaming
Billing/ Partner #2
Corporate
Network #2 Ga Interface Accounting DB
GTP: Provides logical connectivity between the SGSN and GGSN of roaming partners
BGP: Provides routing information between the operator and the GRX and/or roaming
partners
DNS: Provides resolution for a subscribers APN
The Gi interface is the interface that data originated by the MS is sent out towards, to access
the Internet or a corporate network. It is also the interface that is exposed to public data
networks and networks of corporate customers. Traffic being sent out from the GGSN on the
Gi interface or arriving for an MS on the Gi interface can be virtually any kind of traffic since
the application being used at the MS is unknown.
Availability
The most common type of attack on availability is a denial of service (DOS) attack. There are
several types of denial of service attacks that are possible on the Gp interface:
Border Gateway bandwidth saturation – a malicious operator that is connected to the same
GRX (whether or not they’re actually a roaming partner) may have the ability to generate a
sufficient amount of network traffic directed at a Border Gateway such that legitimate
traffic is starved for bandwidth in or out of the PLMN, thus denying roaming access to or
from the network
DNS Flood – DNS servers on the network can be flooded with either correctly or
malformed DNS queries or other traffic thereby denying subscribers the ability to locate
the proper GGSN to use as an external gateway.
GTP Flood – SGSNs and GGSNs may be flooded with unauthorized GTP traffic that cause
them to spend their CPU cycles processing illegitimate data. This may prevent subscribers
from being able to roam, to pass data out to external networks via the Gi, or from being
able to GPRS attach to the network at all.
Spoofed GTP PDP Context Delete – An attacker with the appropriate information, can
potentially craft a GTP PDP Context Delete message which will remove the GPRS Tunnel
between the SGSN and GGSN for a subscriber. Crafting other types of network traffic can
learn some of the information that must be known. If an attacker doesn’t care about whom
they are denying service, they can send many PDP Context Delete messages for every
tunnel ID that might be used.
Bad BGP Routing Information – An attacker who has control of a GRX operators’ routers
or who can inject routing information into a GRX operators’ route tables, can cause an
operator to lose routes for roaming partners thereby denying roaming access to and from
those roaming partners.
DNS Cache Poisoning – It may be possible for an attacker to forge DNS queries and/or
responses that cause a given user’s APN to resolve to the wrong GGSN or even none at all.
If a long Time To Live (TTL) is given, this can prevent subscribers from being able to pass
data at all.
“No security is provided in GTP to protect the communication between different GPRS networks.”
Capturing a subscriber’s data session – Because GTP and the embedded T-PDUs are not
encrypted, an attacker who has access to the path between the GGSN and SGSN such as a
malicious employee or hacker who has compromised access to the GRX, can potentially
capture a subscriber’s data session. Without encryption, this data can then be read or
manipulated by illegitimate parties. This is generally true of traffic on public networks and
subscribers should be advised to utilize IPSec or similar protection.
GGSN SGSN
Gp Interface
IPSec GTP
GRX
Roaming Roaming
Partner #1 Partner #2
Internet
Availability
Like the Gp interface, denial of service attacks represent the largest threat on the Gi interface.
Some examples include:
Gi bandwidth saturation – Attackers may be able to flood the link from the PDN to the
mobile operator with network traffic thereby prohibiting legitimate traffic to pass.
Flooding an MS – If a flood of traffic is targeted towards the network (IP) address of a
particular MS, that MS will most likely be unable to use the GPRS network. This is
particularly true because of the significant difference in available bandwidth on the air
interface versus the Gi interface.
Confidentiality
There is no protection of data from an MS to the public data network or corporate network.
It is assumed that third parties can see data if IP Security or application layer security is
not being used.
Integrity
Data sent over public data networks can potentially be changed by intermediaries unless
higher layer security is being used.
Unless layer 2 or layer 3 tunnels are used at the GGSN to connect to the corporate network,
it may be possible for one MS to access the corporate network of another customer. The
source address of network traffic cannot be relied upon for authentication and
authorization purposes because the MS or hosts beyond the MS can create packets with
any addresses regardless of the IP address assigned to the MS.
Traffic rate limiting – On connections to the Internet, prioritize IPSec traffic from corporate
networks over that of other traffic. This will ensure that attacks from the Internet cannot
disrupt mobile intranet services. Another consideration would be to use separate physical
interfaces for corporate traffic and Internet traffic.
Stateful packet inspection – Use a security policy that only allows the MS to initiate
connections to the public network and implement stateful packet filtering so that the MS
never sees traffic that is initiated from the public network. If required, implement trusted
application servers that are permitted by policy to push public network services to the MS.
An alternative would be to consider two types of service--one where connections can be
initiated from the Internet toward the MS and one where they cannot.
Ingress and egress packet filtering – Prevent the possibility of spoofed MS to MS data by
blocking incoming traffic with the source addresses which are the same as those assigned
to an MS for public network access.
Overbilling Attack Prevention - Juniper’s solution enables the GTP firewall to notify the Gi
firewall of an attack. The Gi firewall is then able to terminate the “hanging” sessions
and/or tunnels, thus cutting off the unwanted traffic. As such, this prevents the GPRS
subscriber from being “overbilled.” Again, this solution is not limited exclusively to the Gi
interface.
SGSN
GGSN
Gi Interface
Corporation A Corporation B
Attacks at the Gn interface in the network can potentially bring down the network depending
on the intensity of the attack. This impact can lead to network downtime, loss of service,
revenue loss and disgruntled customers
Spoofed SGSN or GGSN: There are instances where malicious users can disguise
themselves as a legitimate part of the network by spoofing the IP address of a GGSN or
SGSN. Once a party has established themselves as a legitimate network element or user,
then they can take actions which are detrimental to customers or wireless carriers, such as
deleting PDP contexts or sessions. By executing commands that a GGSN normally
executes, such attacks can go undetected until the damage is done, unless the network is
protected by a stateful firewall.
Spoofed GTP PDP Context Delete – An attacker with the appropriate
information, can potentially craft a GTP PDP Context Delete message which will
remove the GPRS Tunnel between the SGSN and GGSN for a subscriber.
Crafting other types of network traffic can learn some of the information that
must be known. If an attacker doesn’t care about whom they are denying
service, they can send many PDP Context Delete messages for every tunnel ID
that might be used.
Attacks from one mobile customer against another: Mobile customers, whether legitimate
customers or not, may attack each other. One such attack is the previously described
Overbilling attack. This attack can take the equivalent form of “spam” for a GPRS
network. In this case, the malicious user, once they have gained what appears to be
legitimate network access, can send massive amounts of data to unsuspecting users. Since
GPRS is a “usage based” service, then innocent users are “overbilled” for content that they
did not request. Such an attack would be even more harmful than spam is for email, as it
becomes much more than an annoyance. Imagine if you were charged (on a per email
basis) for every piece of junk email that you received from a spammer!
Policy based Firewall management allows providers to use arbitrary Juniper’s arbitrary
“any any” zone structure to protect against attacks originating from within the network. A
simple “trust-untrust” architecture does not fully allow customers to do this due to the fact
that there is often no concept of “untrust” within the confines of a given provider’s
network.
Stateful Inspection Firewall: By deploying a stateful inspection firewall, and setting the
policies by which you want to allow or disallow traffic, carriers can protect against the
attacks mentioned above. For example, in the case of the spoofed GGSN messages, if a
certain PDP context message did not pass the “sanity check” detection mechanisms, then
they are dropped. In the example above, where a GTP PDP Context Delete message might
be “spoofed” by a malicious user posing as a GGSN, if there was not a prior GTP PDP
Context Create message received earlier, then this message would not pass the sanity
check, and it would be dropped by the firewall.
Juniper’s Overbilling feature would enable a carrier to prevent the “spam” example from
happening by deleting the “hijacked” session that the malicious party used to execute the
attack.
Conclusion
GPRS promises to benefit mobile data users greatly by providing always on higher bandwidth
connections than are widely available today. In order to be successful, data connections must
be secure and be available anytime and from anywhere.
The maturity of security in the air interface, and the low bandwidth available limit the
effectiveness of the Mobile Station as the source of attacks. However, with the introduction of
GPRS services, operators must connect their networks to those of corporate customers, public
data networks, and that of other operators to provide data access services. These connections
represent significant risks to subscribers and the operators themselves.
The lack of security inherent in GTP, the protocol used between roaming partners, represents
a significant threat. The security of the roaming network is only as good as that of the
weakest operator. Implementing IPSec between roaming partners, traffic rate limiting, and
GTP stateful inspection can mitigate a significant number of threats on the roaming network.
Stateful packet inspection, traffic rate limiting, and logical separation of traffic for each
corporate network and the public network can significantly reduce the threat between the
operator’s network, subscribers, and these networks.
Juniper Networks has developed technology and solutions that include GTP-aware stateful
inspection firewall, GTP aware traffic shaping, and a VPN/VLAN tunnel hub. These
solutions help mitigate many of the possible threats to the GPRS network, mobile subscribers,
and corporate networks.
Security in GPRS. Geir Stian Bajen and Erling Kaasin. May 2001
http://siving.hia.no/ikt01/ikt6400/ekaasin/Master Thesis Web.htm
Screening and filtering: In GPRS the subscriber pays MO and MT packets, how to protect
against hackers and unwanted packets? Hannu H. KARI
http://www.cs.hut.fi/~hhk/GPRS/lect/screening/ppframe.htm
Wireless and Mobile Network Architectures. Yi-Bing Lin, Herman C.-H Rao, Imrich
Chlamtac. John Wiley and Sons 2001.
Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered
trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-
204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-
Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC,
GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the
property of their respective companies.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without
receiving written permission from: