|THE SIGNALING SECURITY
Telephony, Apr 15, 2002
|Americans seemed to share a common perception about our security
prior to September 11. Today, we realize we are vulnerable. And as members
of the telecom community, we are vulnerable on another front: The public
network is among the nation's top three targets for terrorists, hackers
and crackers, and the bull's-eye is the signaling network. Suddenly, after
decades behind the scenes, SS7 is hot again--perhaps for all the wrong
Even without a coordinated attack on the public network on September 11, service was disrupted across the nation. Chaos and overload did the trick that time. But if the perpetrators of terror survive to strike again, what lessons will they have learned? How much worse would the disaster have seemed had there been a simultaneous network attack? And had there been a well-designed attack on the signaling network, how likely would it have been that Verizon Airfone customer service supervisor Lisa Jefferson could have aided those aboard United Flight 93 in diverting another attack?
Such scenarios have prompted the president's National Security Telecommunications Advisory Committee (NSTAC) and other groups to more closely scrutinize network vulnerability. In doing so, the NSTAC has identified the convergence of traditional public network infrastructure and packet network technology as a major — but not new — area of concern.
Last June, the NSTAC issued a convergence task force report that warned of network vulnerability. At the same time, an IEEE workshop on information assurance and security for SS7 telecommunications networks found that deregulation as well as the growth of wireless and the Internet have opened up the public network to mass-scale fraud, interception and interruption. The group also said that apart from efforts by some start-up companies, one of which is no longer in business, “published research on defending SS7 networks against attacks is virtually nonexistent.”
Post September 11, that is beginning to change. The NSTAC, for example, is taking a more hard-line stance. Last month it called for increased industry and government cooperation in a Network Security/Vulnerability Assessments Task Force Report. One remedy proposed in the report was an “increased emphasis on government participation in standards bodies as well as instituting a coordinated government approach to standards development.”
Instinctively, such rhetoric sets off a bureaucracy warning. But according to Lyn Cantor, vice president of product marketing for Inet Technologies, increased involvement by the government at this level is a good thing. “It's a benefit to have a level of coordination, active awareness and dialogue to solve some of the problems and protect the critical infrastructure,” Cantor said.
Besides, companies have internal watchdogs to worry about. And despite all the proposed economic benefit to carriers and potential new services for consumers promised by the introduction of IP, security concerns can bring new technology progress to a grinding halt.
“You have to have a buttoned-down story for how you can protect the SS7 network from attack,” said Tom Kershaw, vice president of systems engineering and market development for SS8 Networks. “Carriers can put together a business case for migrating the SS7 network to an IP overlay, but even with a [return on investment] of 40 days some security person will stand up in the end and say, ‘No way.’”
Not everyone agrees that convergence poses new security threats, but most experts agree on the type of threat that generates the most concern.
“The No. 1 concern is denial-of-service attacks,” Kershaw said. “The target — and a significant source of paranoia — is the SS7 network.”
But why now? Has the industry ignored the real vulnerabilities of the SS7 network? Or is there something inherent in IP that makes SS7 more vulnerable when the two technologies merge?
A little bit of both, Cantor said. “Most carriers and absolutely most security organizations haven't grasped that a signaling network exists within the carrier environment,” Cantor said.
He argued that today's carriers interconnect with more partners than ever, so the phenomenon is likely to continue at a voracious pace as we migrate to a packet environment. “It wouldn't be extremely difficult to get into an SS7 network and create confusion among the elements that basically results in the network seizing,” Cantor said.
The issue is whether hacking into the signaling network is easier in a packet environment than it has been in the public network. Not everyone agrees that it is. Some proponents of convergence say that certain characteristics of the IP infrastructure make the signaling network even more secure — provided that proper procedure is followed and that people remember that IP is not synonymous with the Internet.
“Just because you are using IP doesn't mean you would expose your signaling network to the general Internet,” said Ed Reaves, signaling product line manager with Nortel Networks' carrier VoIP group. “There are actually some protocols and features of the IP network that could potentially make it more secure than the current SS7 network.”
One of those features is encryption. “Today, if someone gains access to the SS7 network, they can see a lot of the setup messages and track phone calls, whereas the encryption in an IP network gives you the ability to thwart that snooping,” said Matt Jackson, Nortel's senior manager of VoIP marketing.
Since the change in focus prompted by September 11, it is not clear what network operators should be trying to thwart. Before that, SS7 was seen as a real-time tool for fighting fraud.
What has emerged since September 11, Cantor said, is the vulnerability of the network itself, and the discussion is about disaster recovery and business continuity.
However, whether the issue is fraud, malicious attack or rude adolescence, it is still not clear from where potential threats would come. “When it comes to shared threats like terror and industrial espionage, carriers' biggest concern is from internal threats — people who could launch attacks from within the network,” Cantor said.
So how does a carrier protect against that? Perhaps the answer extends to human resources, but from an operations perspective there are several options, some of which turn SS7 from a victim into part of the solution.
Jackson said that a physically secure network is critical to protecting it, but carriers can only do so much to shield their facilities. “If someone cuts the wires to a central office or blows it up, that will cause problems,” he said.
That's where the distributed nature of packet networks becomes an advantage. It decentralized the vulnerability and should result in a more limited impact.
Beyond physical security, most experts agree that physical separation of the signaling infrastructure is a good idea. But most of the ability to detect intrusions or anomalies in the network that can result in service disruptions will come from SS7 surveillance tools and expanded firewall functionality.
Inet's GeoProbe network monitoring system watches all SS7 activity on its customers' networks. It then uses Boolean logic to identify anomalous behavior in the network and triggers alarms based on several rule sets and thresholds. It also tracks destination and call-type information within the SS7 message to focus on particular calling scenarios.
While Inet looks inside SS7 messages to identify perpetrators and head off attacks, SS8 wants to use SS7 as a control mechanism for the converged network's firewall infrastructure. “Signaling needs to control the security infrastructure as an overlay so whenever you have a transaction set up, the signaling will instruct the security infrastructure to enforce rules and policies across the call,” Kershaw said.
Such a design would eliminate the bottleneck of earlier solutions, which left the job of inspecting each and every packet to the firewalls and encryption devices in order to enforce rules and policies. The network performance implications of inspecting every packet would become unacceptable as more traffic moves onto the packet network.
There will be as many security solutions proposed over the next year or two as there are villains looking to crack them. There has been a huge leap forward in firewalls and encryption, and gateway vendors have come together on real standards over the last year, but as Kershaw said, “Until you have it all deployed, we won't be near the level of security you have with the public network.”
© 2002, PRIMEDIA Business Magazines & Media Inc. All rights reserved. This article is protected by United States copyright and other intellectual property laws and may not be reproduced, rewritten, distributed, redisseminated, transmitted, displayed, published or broadcast, directly or indirectly, in any medium without the prior written permission of PRIMEDIA Business Corp.