Securing VoIP and PSTN from Integrated Signaling Network Vulnerabilities
Hemant Sengar, George Mason University
Ram Dantu, University of North Texas
Duminda Wijesekera, George Mason University

Background: Integration of Voice and Data Network
• Public Switched Telephone Network

Integrated IP and SS7 Network
• Interconnect IP Network to SS7 Network

SS7 Network Security Threats
• The Telecommunication Deregulation Act, 1996 has opened up the market
• SS7 was designed and developed in an environment different from the present one
• Convergence of voice and data networks

IP Network Security Threats
• Denial of Service (DoS) attacks
• Spoofing, sniffing
• Viruses, worms, etc.
• Intrusion

Marriage of SS7 and IP
• Exponential growth of IP Telephony
• More ISPs attach to SS7 Network
• Threats to Signaling Nodes
  • May come from SS7 side
  • or from IP side

Signaling Nodes are Exposed
• Potential Threats due to Message Content
  • ISUP’s IAM message populated with Multilevel Precedence and Preemption (MLPP) parameter
  • Populating CIC of IAM with 0000 value
  • Caller ID may be spoofed

Signaling Nodes are Exposed
• MGC is used to bridge SIP and ISUP networks
• Translation of ISUP to SIP and mapping of ISUP parameters into SIP headers
• Blind interpretation

Signaling Nodes are Exposed
• Traffic Flow Analysis
  • Traffic nature, load, network topology
  • Subscriber’s behavior and identity
• Link Status Messages in IP Network
  • Processor Outage
  • Busy
  • Out of Service

Signaling Nodes are Exposed
• Misbehaving Node
  • M2PA-based IPSPs have two identifiers
• Violation of Protocol State Machine
• Continuous Proving
• Sequence of exchanged messages

Current Status: IP Network Side
• Signaling Nodes may use
  • SSL
  • or IPSec

Secure Signaling Architecture
[Diagram; labels: Trust Management, Authentication, Gateway Screening (Firewall), Intrusion Detection Armor, DoS/Vulnerabilities Signatures, Rule Changes, Re-Authentication, Trust Negotiation]

Trust Management:
• Define Service Level Agreements
• Define Access Control Policy

Authentication:
• IETF has proposed IPSec for IP Network
• Our Proposal of MTPSec for SS7 Network

Proposed Solution
• Security Across MTP3 Layer
• Combination of two protocols
  • Key Exchange (KE) Protocol
  • Authentication Header (AH) Protocol

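The sketch below is an added example, not code from the slides or from the MTPSec proposal. It shows what an authentication header across MTP3 gives a receiving node: a keyed tag over the SIO, routing label and payload, plus a sequence number. The field layout, tag length, HMAC-SHA-256 choice and every name (`protect`, `Receiver`, `TAG_LEN`) are assumptions, and the shared key is taken as already established by a separate key exchange.

```python
import hashlib
import hmac
import struct

TAG_LEN = 12  # truncated HMAC length in bytes (assumption, not from the slides)

def pack_routing_label(dpc: int, opc: int, sls: int) -> bytes:
    """ITU-T MTP3 routing label: 14-bit DPC, 14-bit OPC, 4-bit SLS."""
    if not (0 <= dpc < 1 << 14 and 0 <= opc < 1 << 14 and 0 <= sls < 16):
        raise ValueError("point code or SLS out of range")
    return struct.pack("<I", dpc | (opc << 14) | (sls << 28))

def protect(key: bytes, seq: int, sio: int, label: bytes, payload: bytes) -> bytes:
    """Sender side: return seq || tag || SIO || routing label || payload."""
    hdr = struct.pack(">I", seq)
    body = bytes([sio]) + label + payload
    tag = hmac.new(key, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + tag + body

class Receiver:
    """Receiving signaling node holding the per-link key (hypothetical design)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, msg: bytes) -> bytes:
        """Return the MTP3 body if authentic and fresh, else raise ValueError."""
        if len(msg) < 4 + TAG_LEN + 5:  # seq + tag + SIO + routing label
            raise ValueError("truncated message")
        hdr, tag, body = msg[:4], msg[4:4 + TAG_LEN], msg[4 + TAG_LEN:]
        want = hmac.new(self.key, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):
            raise ValueError("integrity check failed")  # e.g. altered OPC or payload
        seq = struct.unpack(">I", hdr)[0]
        if seq <= self.last_seq:
            raise ValueError("replayed message")
        self.last_seq = seq
        return body

if __name__ == "__main__":
    key = bytes(range(32))  # constructed key; a real one would come from key exchange
    label = pack_routing_label(dpc=100, opc=200, sls=3)  # constructed point codes
    rx = Receiver(key)
    wire = protect(key, 1, 0x85, label, b"\x01\x00\x01")  # constructed ISUP-like body
    print(rx.verify(wire).hex())
```

Because the tag covers the routing label, a node that alters the originating point code in transit fails the integrity check, and the sequence number check rejects a captured message that is sent again.
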
Conclusion
• Provides an integrity and authentication solution to all signaling nodes
• Enforces SLA and ACL policy at the interface
• Puts checks on misbehaving entities