Protecting Legacy and Next-Gen Networks
By Brad Boston, President and CEO, NetNumber
As the former CIO at Cisco, security was one of those concerns that kept me awake at night—specifically, protecting our infrastructure and intellectual property, and ensuring we protected the information of our employees, customers and partners. Our customers often looked to my team for best practice sharing regarding our approach to mitigating security threats and vulnerabilities. In my current role as CEO at NetNumber, security is no less a critical concern for us and for our customers. The threat landscape is evolving ever more rapidly, and the potential for loss and damage is escalating with it. With new privacy legislation, telecom operators are being forced to proactively strengthen their defenses.
While our customers—global communication service providers, network operators and intermediaries—have recognized the need to protect their next-generation networks against evolving threats, many have been somewhat surprised to learn relatively recently that their legacy networks are just as vulnerable. And this is something their subscribers need to be concerned with as well.
For many of our customers, their networks were built using the Signaling System #7 (SS7) set of protocols. With SS7, trust was the basis for network operation. With the launch of mobile services, operators opened up their information sources to enable their subscribers to communicate freely when traveling. Over time, as more players have entered this fast-growing mobile market, additional points of access have become required to maintain interworking and communication freedom. Additionally, operators must manage the complexity associated with the different national variants found across the SS7/C7 domain.
Tied to these burgeoning access points, new network features and services have been added to provide greater subscriber value and generate brand loyalty and revenue. A familiar example is the widespread use of SMS messages as a highly trusted service for secure authentication of personal banking transactions.
To ensure mobility within and across networks, new protocols and procedures to query and return information have been introduced, including the extension of the global SS7 network over SIGTRAN IP-based connections. In an environment in which trust is the premise for operation, many of these protocols and procedures are unable to detect fraudulent activity, which creates a multi-layer security problem. It is not enough to protect the “trust” when connecting; emerging threats are targeting subscribers who are already “in” the network and are perceived as “trusted.” There has been some work to bolster the security of the SS7 stack, but these workarounds are vulnerable and easily circumvented.
While operators are migrating to next-generation IP networks running Diameter or Session Initiation Protocol (SIP) based protocols, they will likely continue to run their SS7 networks for another 10-20 years. Many carriers have assumed Diameter networks will be inherently more secure than SS7 networks, but recent testing by security “white hats” has proven otherwise. With Diameter, the security of the signaling network may be at higher risk due to several factors, including new operator entrants requiring mobile roaming interconnection, the use of femtocells with direct signaling access to SS7 or Diameter network resources, and the proliferation of knowledge and technology to exploit threats and vulnerabilities.
The interworking between legacy and next-generation networks complicates security further and exposes new threats and vulnerabilities. For example, with the parallel use of SS7, Diameter and other signaling protocols in today’s networks, a security threat cannot easily be isolated to a particular protocol. Hackers may use SS7 for part of an exploit combined with Diameter for the complementary part of the exploit.
Emerging technology trends are further complicating the security landscape. Just as enterprises and operators consider moving to the cloud, deploying network functions virtualization (NFV) and software defined network (SDN) capabilities, dealing with the anticipated 20-30 billion connected Internet of Things (IoT) devices, and using Over the Top (OTT) applications, security vendors are flooding the market with new point products that aim to mitigate a limited set of security challenges. Creating a secure environment in the midst of this chaos is difficult at best.
What I have learned and share with our customers is that security and data privacy requirements must be addressed at multiple levels—the network, the operating systems, the devices and applications, the subscribers, the middleware and firmware, and the cloud.
A place to start addressing the security of the network infrastructure is at the signaling layer. Signaling is the heart of network connectivity, and hackers are targeting that heart with spam, phone call interception, and fraudulent calls. The results of such activities include loss of private information, revenue leakage, fraudulent network use, and quality of service or network disruption.
A highly secure signaling architecture is required, and can address the challenges created by emerging technology trends such as NFV, SDN and cloud as well as the more complex interconnection scenarios that will result. A signaling firewall is key to securing the signaling layer. A signaling firewall provides network-wide ability to automatically remove unwanted traffic, to shape traffic automatically to preserve quality of service for paying customers, to manage roaming devices or non-subscribers, and to mitigate security threats at the signaling layer.
The figure below illustrates how the newest generation signaling firewall can best protect the network infrastructure. Multiple firewall instances act as one integrated Multi-Protocol Signaling Firewall solution in today’s geographically dispersed and technologically complex mobile networks. The solution on the carrier-grade TITAN platform can offer signaling protocol-agnostic protection of network functions deployed in NFV mode, in today’s networks, or any combination thereof. The signaling layer is fully protected, regardless of which phase of technology migration the network elements are in.
The list of threats and vectors to gain access to networks is ever changing. As one attack vector is closed, new ones are discovered. We are all in a race to find and close vulnerabilities as quickly and efficiently as possible. A signaling firewall solution provides threat evaluation and protection across the multi-layer protocol stack to support legacy and next-generation networks—and the migration between the two.