Cryptography Network Security GSMK Firewall and Intrusion Detection System
GSMK Firewall and intrusion detection system to prevent attacks via interconnect.

Protect your Network's Achilles Heel

With the technical foundation of the protocol going back to the 70s, today's increasing network complexity requires strict policies and new tools to prevent fraud, hijacking or service disruption and espionage. The original system definition for was never meant to offer authentication or access control. The protocol designers had a closed network in mind, with only trusted parties being connected. Those inherent system vulnerabilities have recently been publicly exposed, opening the door for systematic violation on a global scale.

The tremendous growth of independent entities with access, including MVNOs and certain micro-operators, has made it easier for malicious actors to purposefully exploit the protocol's weaknesses. Investigations commissioned by major network operators have shown a rapid increase in -based attacks. Basic filtering of messages to counteract intruders is neither sufficient for protecting operators from the financial impacts nor can it guarantee the network's integrity in terms of data security (see page 4).

Without dedicated detection and protection beyond basic filtering, the existing core infrastructure can no longer be trusted:

Subscriber privacy violations and data theft
Subscribers can be located down to street level and the location can be continuously tracked. IMEI serial numbers can be read out, including call status and hardware information.

Illegal interception of calls and messages
Messages can be read and calls can be forwarded to unauthorized third parties using a number of alternative methods, including manipulation of subscriber data and crypto key exfiltration.

Billing fraud
The financial impact of billing fraud is highly relevant. Possible -based manipulations of subscriber data include unauthorized pre-paid to post-paid conversion and USSD-based attacks on credit transfers.
Denial of service (DoS)
Targeted attacks via ISD/DSD or general overloading of signaling links have recently gained in popularity.

System Key Features

- Carrier-grade intrusion protection
- Scalable system architecture
- Compatible with redundancy requirements
- Centralized remote management
- Graphical UI - intuitive system handling
- Nodes based on Erlang/OTP
- Support for queries to enable plausibility checks (double check on subscriber location) [1], alternative provisioning of shadow database
- Support for velocity checks [1]
- Element profiling
- Rate limiting function [1]
- TAC (Tracking Area Code) blocking [1]
- Resilience 99.999% uptime
- Carrier grade SLA, CARE, Incidents
- Full M3UA support to allow integration in
- M2PA support
- Anonymised reports
- High flexibility in rules and actions
- Full OSS and cloud orchestration support

[1] available with GSMK Protect
The Solution

As a renowned industry leader in the field of strong encryption and network security, GSMK developed the system to enable comprehensive detection of network anomalies and reliable protection of interconnections, finally transcending old-style filtering. The system architecture provides seamless integration into existing signaling structures and complies with redundancy requirements within load balanced setups.

Detection and Protection
Network operators can choose between two implementation variants: the non-invasive Detect solution with real-time inspection, alarming and logging, or the Protect solution with active stateful packet inspection firewalling, alarming and logging.

System Design
The network security system, building on a modular and scalable approach, consists of the Manager, which constitutes the centralized backend, as well as a number of Detector or Protector nodes according to the number of interconnect nodes to be secured.

Advanced Features
The system allows TCAP transaction tracking, rate limiting [1], velocity checks and TAC blocking [1].

Active Countermeasures
Firewall operations, filter language with pre-defined templates and network element profiling.

Installation and Architecture
See the following pages for an overview of the overall system architecture. Nodes are placed in proximity to existing s and are connected via SIGTRAN. Depending on the selected system setup, signaling traffic either runs through the nodes or is only analyzed (by-passing). The system is flexible in terms of local or geo redundancy and allows multi-site setups as well as cloud orchestration support.

Deployment
GSMK supports its customers before, during and after deployment with an advanced requirement analysis, full deployment support, training, system swing-in calibration and tailor-made SLAs.

Lab Version
Lab versions are available for testing and maintenance purposes.
Software
The Erlang/OTP-based software and runtime environment enable a highly parallel, fault-tolerant, real-time non-stop system with maximum availability and scalability for reliable attack detection and parametrization.

Hardware
Collector nodes (Protector and Detector) and the backend (Manager) are based on high-performance industrial appliances.

Analysis and visualization
A major step into state-of-the-art analysis is the right graphical representation of raw data. Only then does data become information, and complex systems can be handled without time-consuming training. The backend system provides a state-of-the-art HTML5-based user interface (Frontend) enabling intuitive and centralized system management. Visualizations allow different levels of operation, e.g. filter configuration, filter grouping, graphing, logs, reports and system administration.

[1] available with GSMK Protect
Protect versus Filtering and SMS Home Routing

Standard tools and their effectiveness compared with

Columns compared: Filtering, SMS Home Routing, GSMK [1]

Attack types compared:
- Retrieving IMSI / Address
- Subscriber tracking
- Billing Fraud detection (pre-paid changed to post-paid)
- Call and SMS interception via CAMEL
- DoS via ISD/DSD (Disable calls / SMS / data)
- Supplementary Services [2]
- Stealing subscribers via updatelocation
- Block network-internal messages [3] [4] [5]
- Detect and block brute force and/or flooding attacks

[1] available with Protect
[2] E.g. setting call forwarding, executing USSD
[3] E.g. stealing encryption keys, subscriber de-anonymisation
[4] limited protection
[5] not available
System Architecture: Detect vs. Protect

[Figure, panel A: Detection Setup. Labels: Detector Node, Manager, HTML Frontend, Operator A, Core Network, Operator B.]
[Figure, panel B: Protection Setup. Labels: Frontend, Protector Node, Manager, Core Network, Operator C.]
User Interface
Information visualization and system management
Hardware
Information visualization and system management

Detector or Protector Node
High-grade appliance
M2M Interface, Managed Code, 1RU rack mount, dual PSU, Raid 1, 4x ETH payload, 2x ETH control, dual firmware

Manager Backend System
Multi-Raid Setup, Databases, Storage, Shadow and Analyzer
Gesellschaft für Sichere Mobile Kommunikation mbH
Marienstrasse 11
10117 Berlin
Germany
Phone +49-30-24 62 500-0
Telefax +49-30-24 62 500-1
www.gsmk.de

V1.6_08.2015.1_MSF
This document is GSMK Classified Information and not for general circulation.