Posted 05/01/2001 Smoke Signals: New Devices Protect SS7, IP Signaling Networks By Chris Garifo As the line separating the PSTN and the Internet increasingly has become blurred, concerns grow over the PSTN's vulnerability to attack by computer hackers and crackers. A 1999 study by the National Research Council's Committee on Information Systems Trustworthiness stated that "vulnerabilities in the [PSTN] can affect the Internet, and vulnerabilities in Internet technology can affect the telephone network." One possible avenue for unauthorized access into the PSTN could be through SS7, a dedicated data network originally designed to prevent the sort of fraud practiced in the 1960s and 1970s when "blue boxes" were used to illegally place toll-free long-distance calls. SS7 also takes some stress off the voice path because call setup and other enhanced services (caller ID, call forwarding, etc.) can travel over the SS7 network rather than the voice path. A danger of using a signaling path is that if it were to fail, call completion would be prevented, "even if there is an available route for the call itself," the National Research Council's report warned. While the use of firewalls has been a standard security measure that servers have used for years, few, if any products have been produced that are geared specifically toward protecting SS7. Now, Texas-based Sevis Systems Inc. (www.sevis.com) has introduced InteleGuard, which it touts as the world's first signaling firewall. InteleGuard uses rules established by the user to decide on whether to pass, block and/or alert on signaling messages in real time, allowing carriers to ensure the traffic traversing their network is in line with the operations policy they've established. Firewalls currently available are capable of providing security on the data side, but not on the signaling side, says Sevis Systems spokeswoman Angela Whitefield. The signaling firewall allows carriers to secure their networks for interconnection, mitigate their interconnection agreements, and stop fraud by allowing them to employ a rules-based operations policy that Sevis Systems' convergence team helps them develop based on their needs. Minnesota-based Aravox Technologies Inc. (www.aravox.com) also has a signaling firewall specifically designed to protect the systems and applications used to deliver IP voice solutions. Aravox's VoiceShield system is compatible with H.323 and SIP Session Initiation Protocol) call-control engines. It allows call control systems to manage media ports on a per-call basis by using hardware-assisted network address translation (NAT). Craig Warren, Aravox's founder and vice president of marketing says his company's security system sits in back of the WAN router and differs from other firewalls in that, rather than keeping ports open all of the time, it keeps ports shut, opening them only when a SIP proxy or H.323 gatekeeper authenticates the signaling used to set up the call. When the call is terminated, VoiceShield then closes the port being used. Steven Bellovin, a researcher with AT&T Labs (www.research.att.com) and one of the members of the committee that prepared the "Trust in Cyberspace" study, says there is indeed concern among the major carriers that the PSTN's security could be compromised by hackers and crackers. He adds that a basic issue with SS7 "is in its fundamental design assumptions." Bellovin explains that SS7's designers assumed there would be comparatively few telephone companies, all of which would be reasonably trusted. That's not the case today. There are more phone companies than imagined, all of which are using the system for a broader spectrum of purposes than originally planned. Besides putting it under greater stress than expected, the system has become more vulnerable to attack. For example, the report says, hackers could wreak havoc if they were to modify the databases used for call forwarding, or were to change the menus and distribution criteria used for network-based programmable call distribution. The SS7 network is nearly impossible to bring down, says Tom Kershaw, vice president of product marketing for SS8 Networks Inc. (www.ss8.com), an IP signaling and service platform provider. However, he says, Sevis Systems' InteleGuard can be a valuable, and even vital, security tool considering that "carriers are targets; they're hated entities." And hackers are quite aware that SS7 is out there, just waiting for them to test their abilities. In its Spring 1999 issue, the hacker magazine "2600" published an article entitled "SS7 Explained," in which author Friedo describes in detail how SS7 works. Friedo also writes, "As hackers, it's our moral responsibility to understand [the telephone network] like no one else." However, Friedo acknowledges in the article that "the hackability of SS7 does not at first appear possible, unless someone could figure out how to interface directly with the SS7 network." While PSTN security in an IP-based environment is an increasing concern, no FCC (www.fcc.gov) mandated security requirements have been established to deal with the issue, says Ken Nilsson, special counsel and deputy chief of the Network Technology Division in the FCC's Office of Engineering and Technology. Nor will there be any-time in the near future. Nilsson explains the reason for that is the myriad interfaces required among the hundreds of carriers involved. When you throw in the plethora of software vendors and equipment manufacturers, the complexities make such standards problematic in the extreme. As a result, security will be handled in most cases on the local level, with each carrier implementing the security measures necessary to prevent fraud and unauthorized access to their networks, Nilsson suggests.