Multi-Layer Security Protection for Signaling Networks

Similar documents
Oracle Communications Diameter Signaling Router

Oracle CIoud Infrastructure Load Balancing Connectivity with Ravello O R A C L E W H I T E P A P E R M A R C H

Deploy VPN IPSec Tunnels on Oracle Cloud Infrastructure. White Paper September 2017 Version 1.0

Creating Custom Project Administrator Role to Review Project Performance and Analyze KPI Categories

Oracle Communications Operations Monitor

Oracle Cloud Infrastructure Virtual Cloud Network Overview and Deployment Guide ORACLE WHITEPAPER JANUARY 2018 VERSION 1.0

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

Repairing the Broken State of Data Protection

Generate Invoice and Revenue for Labor Transactions Based on Rates Defined for Project and Task

Achieving High Availability with Oracle Cloud Infrastructure Ravello Service O R A C L E W H I T E P A P E R J U N E

Tutorial on How to Publish an OCI Image Listing

An Oracle White Paper October The New Oracle Enterprise Manager Database Control 11g Release 2 Now Managing Oracle Clusterware

An Oracle White Paper November Primavera Unifier Integration Overview: A Web Services Integration Approach

Increasing Network Agility through Intelligent Orchestration

Oracle Communications Diameter Signaling Router Main Differentiators

Correction Documents for Poland

Veritas NetBackup and Oracle Cloud Infrastructure Object Storage ORACLE HOW TO GUIDE FEBRUARY 2018

Oracle DIVArchive Storage Plan Manager

Oracle Database Security Assessment Tool

An Oracle White Paper September Security and the Oracle Database Cloud Service

JD Edwards EnterpriseOne Licensing

Oracle Cloud Applications. Oracle Transactional Business Intelligence BI Catalog Folder Management. Release 11+

Configuring Oracle Business Intelligence Enterprise Edition to Support Teradata Database Query Banding

Bastion Hosts. Protected Access for Virtual Cloud Networks O R A C L E W H I T E P A P E R F E B R U A R Y

Oracle Data Masking and Subsetting

Oracle Clusterware 18c Technical Overview O R A C L E W H I T E P A P E R F E B R U A R Y

Automatic Receipts Reversal Processing

Extreme Performance Platform for Real-Time Streaming Analytics

Differentiate Your Business with Oracle PartnerNetwork. Specialized. Recognized by Oracle. Preferred by Customers.

Leverage the Oracle Data Integration Platform Inside Azure and Amazon Cloud

Oracle Grid Infrastructure 12c Release 2 Cluster Domains O R A C L E W H I T E P A P E R N O V E M B E R

Establishing secure connections between Oracle Ravello and Oracle Database Cloud O R A C L E W H I T E P A P E R N O V E M E B E R

Oracle API Platform Cloud Service

Siebel CRM Applications on Oracle Ravello Cloud Service ORACLE WHITE PAPER AUGUST 2017

Establishing secure connectivity between Oracle Ravello and Oracle Cloud Infrastructure Database Cloud ORACLE WHITE PAPER DECEMBER 2017

Oracle Grid Infrastructure Cluster Domains O R A C L E W H I T E P A P E R F E B R U A R Y

Migration Best Practices for Oracle Access Manager 10gR3 deployments O R A C L E W H I T E P A P E R M A R C H 2015

Oracle Database Vault

Differentiate Your Business with Oracle PartnerNetwork. Specialized. Recognized by Oracle. Preferred by Customers.

Oracle Secure Backup. Getting Started. with Cloud Storage Devices O R A C L E W H I T E P A P E R F E B R U A R Y

RAC Database on Oracle Ravello Cloud Service O R A C L E W H I T E P A P E R A U G U S T 2017

Using the Oracle Business Intelligence Publisher Memory Guard Features. August 2013

Installation Instructions: Oracle XML DB XFILES Demonstration. An Oracle White Paper: November 2011

Oracle NoSQL Database For Time Series Data O R A C L E W H I T E P A P E R D E C E M B E R

Benefits of an Exclusive Multimaster Deployment of Oracle Directory Server Enterprise Edition

ORACLE ENTERPRISE COMMUNICATIONS BROKER

An Oracle White Paper June StorageTek In-Drive Reclaim Accelerator for the StorageTek T10000B Tape Drive and StorageTek Virtual Storage Manager

Corente Cloud Services Exchange

Handling Memory Ordering in Multithreaded Applications with Oracle Solaris Studio 12 Update 2: Part 2, Memory Barriers and Memory Fences

Loading User Update Requests Using HCM Data Loader

Sun Fire X4170 M2 Server Frequently Asked Questions

Oracle Fusion Configurator

Working with Time Zones in Oracle Business Intelligence Publisher ORACLE WHITE PAPER JULY 2014

Oracle Data Provider for.net Microsoft.NET Core and Entity Framework Core O R A C L E S T A T E M E N T O F D I R E C T I O N F E B R U A R Y

Load Project Organizations Using HCM Data Loader O R A C L E P P M C L O U D S E R V I C E S S O L U T I O N O V E R V I E W A U G U S T 2018

April Understanding Federated Single Sign-On (SSO) Process

An Oracle Technical White Paper October Sizing Guide for Single Click Configurations of Oracle s MySQL on Sun Fire x86 Servers

An Oracle White Paper September, Oracle Real User Experience Insight Server Requirements

VISUAL APPLICATION CREATION AND PUBLISHING FOR ANYONE

Migrating VMs from VMware vsphere to Oracle Private Cloud Appliance O R A C L E W H I T E P A P E R O C T O B E R

Hard Partitioning with Oracle VM Server for SPARC O R A C L E W H I T E P A P E R J U L Y

Oracle Hyperion Planning on the Oracle Database Appliance using Oracle Transparent Data Encryption

August 6, Oracle APEX Statement of Direction

Oracle Database Vault

An Oracle White Paper. Released April 2013

Oracle Learn Cloud. Taleo Release 16B.1. Release Content Document

Oracle Database Vault with Oracle Database 12c ORACLE WHITE PAPER MAY 2015

Oracle Spatial and Graph: Benchmarking a Trillion Edges RDF Graph ORACLE WHITE PAPER NOVEMBER 2016

An Oracle White Paper June Enterprise Database Cloud Deployment with Oracle SuperCluster T5-8

October Oracle Application Express Statement of Direction

Oracle Database Vault

Oracle WebLogic Portal O R A C L E S T A T EM EN T O F D I R E C T IO N F E B R U A R Y 2016

ORACLE DATABASE LIFECYCLE MANAGEMENT PACK

A Distinctive View across the Continuum of Care with Oracle Healthcare Master Person Index ORACLE WHITE PAPER NOVEMBER 2015

StorageTek ACSLS Manager Software Overview and Frequently Asked Questions

Oracle WebLogic Server Multitenant:

An Oracle White Paper Released April 2008

Subledger Accounting Reporting Journals Reports

Deploying Custom Operating System Images on Oracle Cloud Infrastructure O R A C L E W H I T E P A P E R M A Y

Transitioning from Oracle Directory Server Enterprise Edition to Oracle Unified Directory

DevOps for Oracle Forms Using Developer Cloud Service

Oracle Enterprise Performance Reporting Cloud. What s New in September 2016 Release (16.09)

ORACLE FABRIC MANAGER

WebCenter Portal Task Flow Customization in 12c O R A C L E W H I T E P A P E R J U N E

Oracle Exadata Statement of Direction NOVEMBER 2017

TABLE OF CONTENTS DOCUMENT HISTORY 3

Oracle Communications Interactive Session Recorder and Broadsoft Broadworks Interoperability Testing. Technical Application Note

GSMK. Cryptography Network Security. GSMK Oversight SS7 Firewall and Intrusion Detection System

Building Networks for Competitive Advantage The value of monitoring your signaling network O R A C L E W H I T E P A P E R J U N E

Diameter, Meet Your Future

Oracle Solaris 11: No-Compromise Virtualization

An Oracle White Paper December, 3 rd Oracle Metadata Management v New Features Overview

Overview. Implementing Fibre Channel SAN Boot with the Oracle ZFS Storage Appliance. January 2014 By Tom Hanvey; update by Peter Brouwer Version: 2.

ORACLE COMMUNICATIONS INSTANT MESSAGING SERVER

Paying Employees by Paycard with JD Edwards EnterpriseOne Payroll O R A C L E W H I T E P A P E R J U L Y

How to Monitor Oracle Private Cloud Appliance with Oracle Enterprise Manager 13c O R A C L E W H I T E P A P E R J U L Y

Highly Available Mobile Services Infrastructure Using Oracle Berkeley DB O R A C L E W H I T E P A P E R J A N U A R Y

An Oracle White Paper October Minimizing Planned Downtime of SAP Systems with the Virtualization Technologies in Oracle Solaris 10

JD Edwards EnterpriseOne User Experience

Technical White Paper August Recovering from Catastrophic Failures Using Data Replicator Software for Data Replication

Transcription:

Multi-Layer Security Protection for Signaling Networks All-IP Invites Innovation, but also More Vulnerabilities O R A C L E W H I T E P A P E R J A N U A R Y 2 0 1 6

Table of Contents Introduction 2 Access Control List 3 Topology Hiding 4 Congestion Control 6 Protecting the Subscriber through Encryption 6 Conclusion 7 1 MULTI-LAYER SECURITY PROTECTION FOR SIGNALING NETWORKS

Introduction The sanctity of mobile operators networks and brands will depend greatly on their ability to deliver QoS guarantees to roaming and interconnect partners, while simultaneously protecting increasingly multimedia-savvy and socially connected subscribers. The challenge is that the all-ip architecture making mobile networks innovative and monetizable as digital lifestyle-enabling ecosystems are also making them more vulnerable to a multitude of security threats including: Denial of Service (DoS) attacks, IP address, malware, man-in-the-middle (MITM) attacks, botnets, identity theft, and service theft, to name a few. In LTE, the environment can be even more unpalatable since operators have to distribute and manage user- and control- plane traffic across new partners through interconnect and roaming arrangements with others: service providers, developer communities, content and over-the-top (OTT) application providers, and network service providers. Since partners could unwittingly harbor malware and viruses among their payloads, secure environments are harder to come by as mobile cloud, OTT-driven applications and social media strategies evolve. To address security and roaming use cases, most operators have hunkered down at the IP layer with different types of encryption and firewall approaches mostly leveraging IPSec and Transport Layer Security (TLS) security standards for security gateways, network routers, mobile VPN devices, and desktop VPN clients. Many mobile operators have investigated the IETF mandates for encryption in LTE networks, and are considering security measures and recommendations coming out of the GSM Association s Signaling Security Working Group (Sig SG) for both SS7 and Diameter networks. While these courses of action can be effective as devices and the core networks are the most heavily targeted areas for security threats they will not be enough in and of themselves as the focus shifts beyond access and transport networks. Equal attention will be needed at the Signaling and Service Layers, which increasingly tie directly to operators network assets, partner relationships, and subscriber privacy and loyalty. Consider, for instance, that in LTE networks no less than 100 percent of revenue- generating traffic becomes dependent on Diameter signaling. In multi-device/multi-screen environments, the Diameter protocol has to be appreciated and protected for its power to orchestrate critical communication among policy servers (PCRFs), charging systems, subscriber databases and many policy enforcement functions, such as packet gateways, deep packet inspection, application servers, and mobility management functions. 2 MULTI-LAYER SECURITY PROTECTION FOR SIGNALING NETWORKS

Diameter signaling will be so innate that Diameter traffic is expected to grow rapidly in the years to come. In fact, global diameter growth is accelerating at such a high rate that it could surpass global IP traffic growth in the near future, according to Oracle Communications LTE Diameter Signaling Index 1. Though Diameter is powerful in what it can engender for revenue purposes, Diameter networks require enhanced security, as the all-ip nature of LTE exposes them to the risks inherent in the Internet. This paper describes the measures that operators can implement to secure IP-based Diameter networks, namely:» Access Control Lists (ACLs)» Topology Hiding» Congestion Control» Protecting the Subscriber through Encryption It looks at these measures in the context of how operators can achieve optimal management of the control plane, partners, equipment, processes and expectations. It also explains how Diameter Signaling Routers (DSR) in the core can play a crucial security role when complemented by several layers of security at the transport and the control/application layers. A multi-layer security approach should include the elements below, all of which should be considered at the inception of LTE and Diameter deployments. Once security breaches are detected, it is more difficult to implement all necessary components of an end-to-end security strategy. Access Control List For the reasons described at the beginning of this paper, no network can be considered a truly trusted network. It is the inherent complexity of today s interconnect and roaming use cases that will prove most impactful in terms of security policy in LTE networks, as the level of control typical with SS7 can no longer be expected. Data- and content-driven services whether mobile voice, email, mobile data, mobile video, IMS-based services, or web services cannot flourish in a closed environment. In SS7 networks, routing messages into the signaling network is accomplished through generic addressing to a gateway signal transfer point (STP). The actual address of the network entity (the point code) is not advertised outside of the network. Global Title Translation (GTT) provides only the address to the gateway STP for further routing into the network. It becomes the responsibility of the STP to then route the message to the correct internal 1 Oracle Communications Diameter Signaling Index Report at Oracle.com/diametersignaling/router 3 MULTI-LAYER SECURITY PROTECTION FOR SIGNALING NETWORKS

address. The physical address is not relevant in this case, because in Time Division Multiplex (TDM) networks, network elements are interconnected via a dedicated circuit assigned to a port within the element itself. Routing tables then dictate to which port (or circuit) to send the signaling message. In an IP network, however, network elements are interconnected through routers. The routers use an IP address to determine the next hop and to determine the final destination. If the IP address of an internal element is known, any network can gain access to the IP domain and send a signaling message to the IP address of an internal node. When this happens, the IP address of the originator is also provided. This is critical in LTE networks for the prevention of unauthorized access to the LTE core. An Access Control List (ACL) can be used to determine if the originating or sending IP address is known to the network. If the IP address is not known, and therefore not entered in the ACL, then access to the network is denied, and the message is discarded. ACLs are common in data center networks today, and are effective in preventing access from unknown partners or rogue sites. However, in a multi-layer approach, the management of access by IP addressing alone is fortified with application layer security. Thus, DSR prevents unauthorized access by denying access to any network element that is not recognized, so that only known peers are allowed a session. In addition, the ability to filter messages on any AVP allows discarding messages that are not permitted in the network Figure 1.Oracle Communications DSR Roaming Proxy with Access Control List Topology Hiding It becomes easier in LTE for peer networks to learn the topology of home networks, potentially exposing the network to DOS and causing signaling surges that can flood Home Subscriber Servers (HSSs) and Mobility Management Entities (MMEs) with messages. By learning about the type and number of MMEs or HSSs deployed in a network, illicit sources can launch attacks targeted to specific nodes in home networks or gain sensitive network and subscriber data. This can also be an unintentional result from some type of event. 4 MULTI-LAYER SECURITY PROTECTION FOR SIGNALING NETWORKS

The first level of prevention is to hide details about the network topology. This is accomplished through topology hiding. When topology hiding is invoked, the host and realm names can be altered in such a way that they cannot be used to learn the network topology. To be effective, host names should never be advertised outside of the network. Some operators believe they must identify their host names for roaming agreements, but in fact this practice opens the network to more vulnerability. Topology hiding offers a different approach for interconnection by assigning multiple generic host names so that outside networks cannot learn about the identities or nodes used in networks. The Diameter Edge Agent (DEA) is responsible for changing the host name of an outgoing message prior to sending to another network. The DEA uses a pool of host names previously assigned to the originating network element and randomly selects one of the generic host names from that pool. The DEA also maintains the session ID so it can associate any Answer command received back from another entity. When an incoming message is received, the DEA is responsible for determining the real host name assigned to the generic host name in the message, and forwarding to the correct host name. This method prevents outside networks from learning the identities used in the network, and makes it more difficult to determine how many nodes are in the network since every host name is assigned multiple generic host names. If the concern is that someone could send a rogue message into the network using a generic host name and the real realm name, it must be remembered that the IP address of the originator must be present in the ACL in order to be granted access into the network. This can be implemented for all entities in the network, using mediation at the DEA. Mediation allows the DEA to substitute fields in the Attribute Value Pair (AVP) with values defined by the mediation table. For that reason, the cost of this type of implementation is minimal when compared to more stateful approaches. Figure 2.Oracle Communications DSR Topology Hiding 5 MULTI-LAYER SECURITY PROTECTION FOR SIGNALING NETWORKS

Congestion Control Another important security consideration is congestion control. By using a centralized DSR, the operator can prevent signaling storms from reaching end nodes, such as the HSS. Since this is typically the intent of a DOS, having a mechanism for handling the DOS should one occur is a wise part of any security strategy. When an attack occurs, and signaling levels reach a predetermined threshold, the DSR/DEA must slow down the flow of signaling messages to their destination. That can be accomplished by either discarding messages or throttling the flow of lower-priority signaling messages, which can then prevent a signaling storm. If congestion control is implemented at the end point, it loses its effectiveness, as the signaling already reaches its destination, leaving no choice but to discard the signaling messages and deny service. When congestion control is implemented in the core, signaling messages can be redirected to other redundant nodes, effectively load balancing wherever possible, and lessening the impact of the attack. Figure 3.Oracle Communications DSR Overload and Congestion Control Protecting the Subscriber through Encryption Protecting subscriber data and privacy is one of the most important responsibilities a mobile operator assumes. The operator s success in protecting subscriber data and privacy links directly to loyalty, trust and profitability. In essence, subscriber data is the most important payload, especially now that analytics and subscriber data management (SDM) have grown in importance for monetizing mobile data and personalizing services. Protecting that data is more important now that mobile operators are looking at ways to broker the precious subscriber information in their possession to third-party advertisers and application and content providers, and as they look for ways to become digital lifestyle providers and subscriber identity brokers to third parties. The identity of a subscriber and the daily transactions undertaken by that subscriber have more meaning now than they did in the voice world. There is much that can be learned about subscriber behaviors through their daily transactions: what Internet sites they visit, who they send emails and messaging to, the location of the device, even the time of day during which they perform certain online tasks. All become valuable subscriber data that can be monetized. As new ways to monetize subscriber data emerge, so do new security risks. With the increased use of smartphones for financial transactions, the risks will continue to rise. As that happens, encryption will be the most effective means 6 MULTI-LAYER SECURITY PROTECTION FOR SIGNALING NETWORKS

for protecting data, but its weaknesses should be acknowledged. For one, network monitoring through the use of probes is no longer as effective, because probes do not possess encryption keys. This makes monitoring of networks for performance and troubleshooting difficult. It can be assumed that this is the reason the industry has not been quick to implement TLS throughout networks. While TLS has remained part of the Diameter Base Specifications, few networks have actually implemented it. Another encryption method that has been recommended by the GSM Association at the DEA is IPSec. Encrypting the signaling between network connections is paramount to preventing man-in-the-middle attacks, eavesdropping on signaling sessions, and other common forms of intrusion in IP domains. While it is difficult to implement encryption within the network, encryption should be a requirement when interconnecting with another service provider. Conclusion 4G/LTE networks provide bandwidth that dramatically enhances the subscriber experience and drive greater use of the advanced capabilities of modern smartphones. Mobile access through smartphones to the vast world-wide-web of information and services exposes networks to greater threats than ever before. With 2.5G and 3G networks, most sophisticated access was driven by laptops with wireless cards. These offered relatively few risks, as the users were typically business travelers accessing their corporate network via VPN connections. Now, however, every smartphone can access the Internet and expose networks to the best and worst it has to offer, including malware. LTE adds an all-ip core infrastructure which brings with it new vulnerabilities to the most critical assets in network. Because Diameter is the protocol used throughout the core, protecting the core through centralized DSRs is one of the best means to ensure network and subscriber security. There are several levels of security that must be implemented, both at the transport and the control/application layers. This means several different mechanisms supported through the DSR/DEA should be leveraged. The most basic of these mechanisms is the Access Control List (ACL), which dictates which IP addresses are granted access into the network. Hiding the topology of the network prevents attackers from launching targeted DOS attacks on specific nodes within the network through Diameter signaling flood. In instances where the host name is not known, specific nodes cannot be reached. Even if the host name is known, access is denied when the IP address of the originator is not absent from the ACL. 7 MULTI-LAYER SECURITY PROTECTION FOR SIGNALING NETWORKS

Oracle Corporation, World Headquarters Worldwide Inquiries 500 Oracle Parkway Phone: +1.650.506.7000 Redwood Shores, CA 94065, USA Fax: +1.650.506.7200 C O N N E C T W I T H U S blogs.oracle.com/oracle facebook.com/oracle twitter.com/oracle oracle.com Copyright 2016, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0116 White Paper Multi-layer Security Protection for Signaling Networks January 2016 Author: Travis Russell Contributing Authors: Francisca Segovia

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback