Signaling Firewall: How to choose?

 

The enormous growth in the global penetration of connected devices such as smartphones, tablets, automobiles, home appliances and safety devices, which have become an integral part of daily life, has increased the responsibility on service providers to protect their service networks and the privacy of their subscribers.

Operators need a robust strategy and solution to protect their networks from security risks originating in external networks. The vulnerabilities in today’s telecommunication networks stem from the lack of security mechanisms built into the signaling protocols in use, which include SS7 / SIGTRAN (for MAP and CAMEL traffic), Diameter, SIP and GTP. Additionally, it was assumed that interconnections would be established only between trusted parties over dedicated one-to-one connectivity. Technology transformation, the rapid rollout of new services and the increased potential for revenue generation have accelerated communication and access across network boundaries. This accelerated reach to global networks, facilitated by transit / hub operators (such as IPX), exposes subscribers and service providers’ networks to severe security threats from malicious or rogue operators and businesses.

Hence, a Signaling Firewall has become an essential element for operators to ensure service availability, protect network infrastructure, secure subscriber privacy, uphold brand reputation and eliminate revenue leakage.

For the last 6-8 years, operators have been investing in Signaling Firewalls for their networks, sourced from different telecom solution providers. A recent study by Research and Markets estimated that the Global Network Security Firewall Market will reach USD 10.06 Bn by 2027, growing at a CAGR of 14.9%.

Identifying a suitable solution from the many options available in the market can become a daunting task, particularly when most of them claim similar features and capabilities for a given technology.

In this blog, we list some key points to facilitate that selection for SS7 / SIGTRAN and Diameter Firewalls, which are the predominant focal points for exploitation by rogue players.

1. Must be compliant with GSMA Recommendations and Guidelines

GSMA FASG (Fraud And Security Group), and particularly its subgroup RIFS (Roaming and Interconnect Fraud and Security), is the only official center of expertise and definitive source of information on all signaling-related fraud and security topics. The recommendations FS.11 (for SS7 / SIGTRAN Firewall) and FS.19 (for Diameter Firewall) are the de facto standards for Signaling Firewalls, and compliance with the latest versions is mandatory for any telecom operator. Service providers can also decide which of the capabilities in these recommendations they require to ensure adequate network security.

2. Must be an experienced industry leader

Security is the most important criterion for any service provider. It is an intelligent and safe decision to source this solution from an experienced industry supplier because of their high skills and substantial know-how in telecom signaling and networks. Collective experience and joint decision-making between the operator and supplier during the planning and design phase guarantee solution robustness.

3. Must support multi-protocol, scalable, and carrier-grade Universal Signaling Firewall solution

Lack of features and capabilities can also lead to vulnerabilities. Some of the key reasons are the following:

a. Firewall lacks protection across cross-generational networks.

2G/3G networks are primarily supported by SS7 / SIGTRAN, while 4G is supported by the Diameter signaling protocol. MNOs with both 3G and 4G networks allow seamless service to their subscribers from either technology. If the Firewall solution does not correlate information from the two disparate protocols across networks, subscriber privacy can be compromised very easily.
The main reasons for this situation can be:

• lack of feature capability in the deployed solution, OR
• having different solution providers for SS7 / SIGTRAN & Diameter Firewall

b. MNOs believe their network is protected by SS7 STP and Diameter DRA / DEA solutions.

Network SS7 STPs and Diameter Signaling Controllers, i.e. DRAs / DEAs, were primarily designed for network routing. Those solutions might have implemented Category 1 protection (as defined in the GSMA recommendations) to a certain extent (for example, the Gateway Screening feature) but might not provide 100% protection for Category 1 needs, and certainly do not fulfil the Category 2 and Category 3 requirements of a Signaling Firewall, which need additional validation and verification across message contents and network nodes.

Hence, the solution must offer multi-protocol Universal Signaling capability with cross-protocol referencing, and meet carrier-grade needs for high availability and scalability.
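
The cross-protocol referencing described in point (a) can be illustrated with a short sketch. This is an added example, not code from teleSys or from any GSMA document; the class, the message kinds and the network names are hypothetical. It compares a firewall that keeps per-protocol state with one that shares subscriber state across SS7 and Diameter.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignalingEvent:
    protocol: str        # "ss7" or "diameter": interface the message arrived on
    imsi: str            # subscriber identity carried in the message
    origin_network: str  # network the originating node address resolves to
    kind: str            # hypothetical classes: "location_update", "serving_node_request"

class LocationPlausibilityCheck:
    """Tracks each subscriber's serving network and checks later messages against it.
    Simplification: location updates are trusted here; a real firewall validates them too."""

    def __init__(self, cross_protocol: bool):
        self.cross_protocol = cross_protocol
        self.serving = {}  # state key -> network that last registered the subscriber

    def _key(self, ev: SignalingEvent):
        # Shared state is keyed by IMSI alone; siloed state is split per protocol.
        return ev.imsi if self.cross_protocol else (ev.protocol, ev.imsi)

    def inspect(self, ev: SignalingEvent) -> str:
        key = self._key(ev)
        if ev.kind == "location_update":
            self.serving[key] = ev.origin_network
            return "allow"
        known = self.serving.get(key)
        if known is None:
            return "allow-unverified"  # no context to judge the origin against
        return "allow" if known == ev.origin_network else "block"

# Constructed sample traffic: the subscriber registers over Diameter (4G) in
# network-A, then a request that only the serving network should send arrives
# over SS7 from network-B, then a legitimate Diameter request from network-A.
SAMPLE = [
    SignalingEvent("diameter", "001010000000001", "network-A", "location_update"),
    SignalingEvent("ss7", "001010000000001", "network-B", "serving_node_request"),
    SignalingEvent("diameter", "001010000000001", "network-A", "serving_node_request"),
]

def run(cross_protocol: bool) -> list:
    fw = LocationPlausibilityCheck(cross_protocol)
    return [fw.inspect(ev) for ev in SAMPLE]

if __name__ == "__main__":
    print("siloed:", run(False))
    print("shared:", run(True))
```

With siloed state the SS7 request passes unverified because the SS7 side never saw the Diameter registration; with shared state the same request is blocked.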

4. Must be flexible to adapt to network needs

Every MNO has its own deployment and service needs, which it must meet in its network while complying with network standards. In the majority of cases, supplier solutions implemented from standard recommendations may not address network-specific deployment or functional needs. Hence, solution providers must be flexible enough to adapt their Firewall solution to network demands in a timely fashion, to meet the operator's time-to-market needs.

5. Must commit to protect against new threats

Even when a Signaling Firewall solution provider confirms adherence to the relevant GSMA recommendations, security threats are not a one-and-done challenge. Hackers and bad players are constantly trying to exploit loopholes and technology gaps to compromise privacy and service availability. From time to time, GSMA revises its recommendations to include the relevant guidelines so that MNOs can mitigate those threats. Hence, the Signaling Firewall supplier must commit to incorporating those features and enhancements to comply with the latest guidelines. Additionally, the supplier must be flexible enough to implement firewall capabilities learnt from new network vulnerabilities outside of the GSMA recommendations as well.

6. Must confirm investment protection with deployment flexibility

Along with the evolution of both technology and network standards, the communication industry is going through a deployment transformation from bare metal to virtualized infrastructure, and from Central Office to Data Center based approaches. Even in a virtualized environment, deployment can follow a cloud-ready or a cloud-native (container-based) approach, and MNOs can choose anything from on-premises to hybrid-cloud environments. So, MNOs need to make sure that the Signaling Firewall supplier commits to delivering on the MNO's environment of choice, and is also flexible enough to migrate to another environment if the MNO chooses that path.

The need is to secure the service provider’s network against signaling attacks and threats effectively, with a feature-rich solution that checks the box on each of the key points discussed above. There can be additional criteria for solution selection; however, conformance to these points makes it safe and secure.

teleSys Software, with its state-of-the-art multi-generational, multi-protocol, any-to-any carrier-grade Universal Signaling routing and firewall solutions, enables service providers to secure their networks and ensure user satisfaction by delivering protection against threats, while accelerating revenue growth and seamless network evolution.

 
