Securing VoIP and PSTN
from Integrated Signaling
Network Vulnerabilities
Hemant Sengar, George Mason University
Ram Dantu, University of North Texas
Duminda Wijesekera, George Mason University
Background :
Integration of Voice and Data Network
?
PBX
PUBLIC SWITCHED
TELEPHONE NETWORK
(PSTN)
Telephone
Modem
IDC
Fax
IP Phones
Mobile Switching Center
Comm. Tower
?
IP Gateway
Cell Phone
Pager
Internet
IP Phones
Public Switched Telephone Network
SS7 Protocol Stack
ASE
OMAP
TCAP
ISDN User Part
Signaling Connection Control
Part (SCCP)
Message Transfer Part Level 3
(Network Layer)
Message Transfer Part Level 2
(Data Link Layer)
Message Transfer Part Level 1
(Physical Layer)
MTP
Integrated IP and SS7 Network
Interconnect IP Network to SS7 Network
SIP
Proxy
Server
Router
?
SIP Network
IP Link
Mobile Devices
with VoIP
Media
Gateway
Controller
Enterprise Network
SS7 Network
SIGTRAN
based Link
Carrier Networks
SIGTRAN Protocol Suite
TCAP
MTP3
M2PA
M2UA
ISUP
SCCP
M3UA
TCAP
ISDN
SUA
IUA
Adaptation
Layer
SCTP
Signaling
Transport
IP
Internet
Protocol
SS7 over IP
SIGTRAN
Architecture
M2PA in Signaling Transport
Service Switching
Point (SSP)
ISUP
Signaling
Gateway (SG)
Media Gateway
Controller (MGC)
ISUP
MTP3
MTP3
MTP3
MTP2
MTP1
SS7
MTP2
M2PA
MTP1
SCTP
IP
M2PA
SCTP
IP
IP
Network
SS7 Network Security Threats
Telecommunication Deregulation Act,1996
has opened up market
SS7 design and development carried out
in different environment from the
presently existing one.
Convergence of voice and data networks
IP Network Security Threats
Denial of Service (DoS) attacks
Spoofing, Sniffing.
Viruses, Worms etc.
Intrusion
Marriage of SS7 and IP
Exponential growth of IP Telephony

More ISPs attach to SS7 Network
Threats to Signaling Nodes


May come from SS7 side
or from IP side
Signaling Nodes are Exposed
Potential Threats due to Message Content



ISUP’s IAM message populated with Multilevel
Precedence and Preemption (MLPP) parameter
Populating CIC of IAM with 0000 value
Caller ID may be spoofed
Contd…
Signaling Nodes are Exposed
MGC is used to bridge SIP and ISUP
network


Translation of ISUP to SIP and mapping of
ISUP parameters into SIP headers
Blind interpretation
Signaling Nodes are Exposed
Traffic Flow Analysis


Traffic nature, load, network topology
Subscriber’s behavior and identity
Link Status Messages in IP Network



Processor Outage
Busy
Out of Service
Signaling Nodes are Exposed
Misbehaving Node
M2PA based IPSPs have two identifiers
Violation of Protocol State Machine


Continuous Proving
Sequence of exchanged messages
Current Status :
IP Network Side
Signaling Nodes may use


SSL
or IPSec
Secure Signaling Architecture :
Signaling Gateway at the Interface
SS7 Network
IP Network
Security System
?
MTP3
MTP2
M2PA
SCTP
MTP1
IP
Secured
Tunnel
Key-1
Key-2
Secured
Tunnel
Secure Signaling Architecture :
Trust
Management
Authentication
Gateway
Screening
(Firewall)
Intrusion
Detection
Rule Changes
Re-Authentication
Trust Negotiation
Signatures
Armor
DoS/Vulnerabilities
Trust Management:
Define Service Level Agreements
Define Access control Policy
Authentication:
IETF has proposed IPSec for IP Network
Our Proposal of MTPSec for SS7 Network
Proposed Solution
Security Across MTP3 Layer
Combination of two protocol


Key Exchange (KE) Protocol
Authentication Header (AH) Protocol
Authentication Header Format
Conclusion
Provides Integrity and Authentication
solution to all signaling nodes
Enforces SLA and ACL policy at the
interface
Put checks on misbehaving entities
Thank You !