Choosing a Countermeasure
So, what are the important aspects an MNO should consider when defining a strategy for countermeasures? Are there major advantages that justify investment in a separate firewall solution rather than utilising existing nodes? Many STPs do offer rudimentary opcode or GT screening, and this can provide some degree of protection. Most experts agree, however, that existing infrastructure will not provide a maintainable set of countermeasures in the long term, and that dedicated firewalling technology, or at least consolidation of the required rules, is the more viable solution. Centralising the majority of security settings and monitoring for a given technology is a lot more efficient than keeping them spread across many network elements. When dealing with fine-grained rules that may come down to individual GTs, such a solution is almost always necessary.
Keeping track of rate limits, filtering rules and exceptions in multiple places is a recipe for failure, so a certain level of consolidation is beneficial, and will eventually be necessary to keep the signalling security countermeasures updated and the network secure. Being able to create abstractions such as logical containers of operator groups, exceptions or circumstances, and then applying multi-tiered rule sets across a set of roaming partners or regions, makes a lot of sense. As attacks become more sophisticated and resources remain scarce, it becomes ever more important to be able to adapt the filtering rules in a practical and manageable way.
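To make the "logical containers plus multi-tiered rules" idea concrete, here is an added example of how such a consolidated rule set can be structured and evaluated. It is illustrative code written for this page, not a product or code from Symsoft/Sinch. The MAP operation codes are the real values from 3GPP TS 29.002; the operator groups, GT prefixes, the single-GT exception and the rate limit figures are all constructed for the example.

```python
"""Tiered signalling-firewall policy: groups, per-GT exceptions, rate limits."""
from collections import defaultdict, deque

# MAP operation codes from 3GPP TS 29.002 (the only non-constructed values here).
UPDATE_LOCATION = 2
SEND_ROUTING_INFO = 22
SEND_ROUTING_INFO_FOR_SM = 45
SEND_AUTH_INFO = 56
PROVIDE_SUBSCRIBER_INFO = 70
ANY_TIME_INTERROGATION = 71

# Logical containers: operator groups keyed by name, each a list of GT prefixes.
# The prefixes are constructed for this example, not real operator ranges.
OPERATOR_GROUPS = {
    "home":        ["46700", "46701"],
    "eu-partners": ["4915", "3360", "3470"],
}

# Multi-tiered rule set. Each rule: (tier, scope, {opcode: action}).
# scope is "*" (global), a group name, or an exact GT (per-GT exception).
# A higher tier is more specific and wins over a lower tier for the same opcode.
# Anything no rule mentions is blocked (default deny).
POLICY = [
    (0, "*", {UPDATE_LOCATION: "allow", SEND_ROUTING_INFO: "allow",
              SEND_ROUTING_INFO_FOR_SM: "allow", SEND_AUTH_INFO: "allow",
              PROVIDE_SUBSCRIBER_INFO: "block", ANY_TIME_INTERROGATION: "block"}),
    (1, "home", {PROVIDE_SUBSCRIBER_INFO: "allow", ANY_TIME_INTERROGATION: "allow"}),
    (2, "49151234567", {SEND_AUTH_INFO: "block"}),  # constructed single-GT exception
]

# Rate limits keyed by (scope, opcode): at most `limit` messages per `window` seconds,
# counted per calling GT inside that scope. Figures are constructed.
RATE_LIMITS = {
    ("eu-partners", SEND_ROUTING_INFO_FOR_SM): (3, 10.0),
}


def scope_matches(scope, calling_gt):
    """True if a rule scope (global, group name or exact GT) covers the calling GT."""
    if scope == "*":
        return True
    if scope in OPERATOR_GROUPS:
        return any(calling_gt.startswith(p) for p in OPERATOR_GROUPS[scope])
    return calling_gt == scope


class SlidingWindowLimiter:
    """Per-key sliding-window counter; `now` is passed in so results are deterministic."""

    def __init__(self):
        self.events = defaultdict(deque)

    def allow(self, key, limit, window, now):
        q = self.events[key]
        while q and now - q[0] >= window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


class SignallingFirewall:
    def __init__(self, policy=POLICY, rate_limits=RATE_LIMITS):
        # Most specific tier first, so the first matching rule decides.
        self.policy = sorted(policy, key=lambda r: r[0], reverse=True)
        self.rate_limits = rate_limits
        self.limiter = SlidingWindowLimiter()

    def decide(self, calling_gt, opcode, now=0.0):
        """Return (action, reason) for one MAP message from calling_gt."""
        action, reason = "block", "default-deny"
        for tier, scope, actions in self.policy:
            if opcode in actions and scope_matches(scope, calling_gt):
                action, reason = actions[opcode], f"tier{tier}:{scope}"
                break
        if action != "allow":
            return action, reason
        # Rate limits only matter for traffic the policy would otherwise let through.
        for (scope, op), (limit, window) in self.rate_limits.items():
            if op == opcode and scope_matches(scope, calling_gt):
                if not self.limiter.allow((scope, calling_gt, opcode), limit, window, now):
                    return "rate-limited", f"limit:{scope}:{limit}/{window:g}s"
        return action, reason


if __name__ == "__main__":
    fw = SignallingFirewall()
    print(fw.decide("46700123456", ANY_TIME_INTERROGATION))   # home network: allowed
    print(fw.decide("33601234567", ANY_TIME_INTERROGATION))   # partner: global block
    print(fw.decide("49151234567", SEND_AUTH_INFO))           # per-GT exception wins
```

The point of the structure is that an operator adds a partner by putting its GT prefix into a group, tightens or relaxes one misbehaving GT by adding a single tier-2 line, and never has to touch the global defaults; the `reason` string records which tier decided, which is what you want in the logs when reconciling rules later. A group-wide cap rather than a per-GT cap would key the limiter on `(scope, opcode)` alone.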
The deployment of a dedicated signalling firewall node may also be justified by the fact that within a mobile network every single node is developed for a reason. An MSC/MME is designed to host subscribers, an HLR/HSS is designed to host subscriber data, and an STP is designed to route traffic. They are all built to do this efficiently. To ask any of these machines to suddenly become a stateful DPI node could introduce a slew of problems. If you ask a machine designed for a single purpose to suddenly perform a completely different action, it’s fair to argue that it will not remain as effective in its original capacity.
In the end, the procurement of a signalling firewall is a business decision. As such it will be affected by existing infrastructure, relations with vendors, and the risk assessment that ideally precedes the acquisition.
In closing, it should be highlighted that this series of blogs, and the white paper they are based on, is not intended to be alarmist. Signalling systems are working as they were originally intended. They provide remarkable service, and, unlike fraud, network-critical incidents are for the most part rare, limited in scale and contained. It is true that SS7 has been seen as flawed in terms of security and that these issues continue to trouble us today. However, the networks are still running, and given all the circumstances they are running very well. We still have time to meet the signalling security challenges and build a layer of protection into our legacy networks. We still have time to work on enhancing the LTE networks and provide a more secure interconnect. The learnings we take with us from SS7 and LTE can be used when shaping the secure 5G networks of tomorrow. We just need to be willing to act on the problems that exist today.
Originally posted on www.symsoft.com. Find out more about Symsoft's rebrand to Sinch in the press release.