Securing VoIP and PSTN from Integrated Signaling Network Vulnerabilities Hemant Sengar, George Mason University Ram Dantu, University of North Texas Duminda Wijesekera, George Mason University Background : Integration of Voice and Data Network ? PBX PUBLIC SWITCHED TELEPHONE NETWORK (PSTN) Telephone Modem IDC Fax IP Phones Mobile Switching Center Comm. Tower ? IP Gateway Cell Phone Pager Internet IP Phones Public Switched Telephone Network SS7 Protocol Stack ASE OMAP TCAP ISDN User Part Signaling Connection Control Part (SCCP) Message Transfer Part Level 3 (Network Layer) Message Transfer Part Level 2 (Data Link Layer) Message Transfer Part Level 1 (Physical Layer) MTP Integrated IP and SS7 Network Interconnect IP Network to SS7 Network SIP Proxy Server Router ? SIP Network IP Link Mobile Devices with VoIP Media Gateway Controller Enterprise Network SS7 Network SIGTRAN based Link Carrier Networks SIGTRAN Protocol Suite TCAP MTP3 M2PA M2UA ISUP SCCP M3UA TCAP ISDN SUA IUA Adaptation Layer SCTP Signaling Transport IP Internet Protocol SS7 over IP SIGTRAN Architecture M2PA in Signaling Transport Service Switching Point (SSP) ISUP Signaling Gateway (SG) Media Gateway Controller (MGC) ISUP MTP3 MTP3 MTP3 MTP2 MTP1 SS7 MTP2 M2PA MTP1 SCTP IP M2PA SCTP IP IP Network SS7 Network Security Threats Telecommunication Deregulation Act,1996 has opened up market SS7 design and development carried out in different environment from the presently existing one. Convergence of voice and data networks IP Network Security Threats Denial of Service (DoS) attacks Spoofing, Sniffing. Viruses, Worms etc. Intrusion Marriage of SS7 and IP Exponential growth of IP Telephony More ISPs attach to SS7 Network Threats to Signaling Nodes May come from SS7 side or from IP side Signaling Nodes are Exposed Potential Threats due to Message Content ISUP’s IAM message populated with Multilevel Precedence and Preemption (MLPP) parameter Populating CIC of IAM with 0000 value Caller ID may be spoofed Contd… Signaling Nodes are Exposed MGC is used to bridge SIP and ISUP network Translation of ISUP to SIP and mapping of ISUP parameters into SIP headers Blind interpretation Signaling Nodes are Exposed Traffic Flow Analysis Traffic nature, load, network topology Subscriber’s behavior and identity Link Status Messages in IP Network Processor Outage Busy Out of Service Signaling Nodes are Exposed Misbehaving Node M2PA based IPSPs have two identifiers Violation of Protocol State Machine Continuous Proving Sequence of exchanged messages Current Status : IP Network Side Signaling Nodes may use SSL or IPSec Secure Signaling Architecture : Signaling Gateway at the Interface SS7 Network IP Network Security System ? MTP3 MTP2 M2PA SCTP MTP1 IP Secured Tunnel Key-1 Key-2 Secured Tunnel Secure Signaling Architecture : Trust Management Authentication Gateway Screening (Firewall) Intrusion Detection Rule Changes Re-Authentication Trust Negotiation Signatures Armor DoS/Vulnerabilities Trust Management: Define Service Level Agreements Define Access control Policy Authentication: IETF has proposed IPSec for IP Network Our Proposal of MTPSec for SS7 Network Proposed Solution Security Across MTP3 Layer Combination of two protocol Key Exchange (KE) Protocol Authentication Header (AH) Protocol Authentication Header Format Conclusion Provides Integrity and Authentication solution to all signaling nodes Enforces SLA and ACL policy at the interface Put checks on misbehaving entities Thank You !