SlideShare a Scribd company logo

Computaris SS7 Firewall

Computaris
Computaris

Security breaches in SS7 networks: threats, solutions and open issues. Computaris has already implemented a firewall solution filtering all traffic which can damage the network. The firewall can hide the subscribers’ information and therefore, when the attacker tries to use fake subscriber information, the network does not respond to the operations.

Technology
1 of 23
Download to read offline
/ ... / SS7 Firewall February 2016
/ ... • robust, proven, reliable • working for decades But … • interconnect is based on trust • no protocol level security • … no equivalent in SS7 of IP TLS, IPSec The SS7 Network is
/ ... • your calls could be recorded and you wouldn’t know about this? • your subscriber’s location (cell id) could be tracked? • somebody could deny your subscribers access to the network? • somebody could alter the identity in the VLR when your users place calls? What if…
/ ... • Government US Congress/FCC • http://grayson.house.gov/index.php/newsroom/press-releases/314-grayson-asks- fcc-to-protect-privacy-of-americans-phone-calls • Research • http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german- researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and- read-your-texts/ • Press • http://www.washingtonpost.com/business/technology/for-sale-systems-that-can- secretly-track-where-cellphone-users-go-around-the-globe/2014/08/24/f0700e8a- f003-11e3-bf76-447a5df6411f_story.html Where can I find public information?
/ ... SS7 Network Legitimate Scenarios 01
/ ... • The roaming MSC (Visited MSC) requires network access from HLR • The HLR pushes subscriber data into Visited MSC • The HLR keeps record that subscriber roams in the given Visited MSC VMSC B HLR B (1) LOCATION UPDATE  CgPA = VMSC B  CdPA = HLR  [IMSI, VMSC] (3) INSERT SUBSCRIBER DATA  CgPA = HLR  CdPA = VMSC B  [MSISDN, SubscriberData] (2) LOCATION UPDATE ACCEPTED  CgPA = HLR  CdPA = VMSC B Legitimate scenario location update in HPLMN
/ ... • Foreign SMSC requests the VMSC & IMSI of the recipient (your subscriber) • The HLR returns the VMSC address and IMSI • The foreign SMSC connects to the VMSC and submits the SMS SMSC A HLR B (1) SRI-SM  CgPA = SMSC  CdPA = MSIDN  [Service Centre, MSISDN] (2) SRI-SM ANSWER  CgPA = HLR  CdPA = SMSC  [VMSC, IMSI] VMSC B (3) MT-FORWARD-SM  CgPA = SMSC  CdPA = VMSC B  [IMSI, SMS] Legitimate SMS delivery from foreign network
/ ... Malicious Usage On ‘Trusted’ SS7 Links 02
/ ... • The breached network has roaming agreement with target network • The malicious application is any application capable of sending MAP messages with SS7/SIGTRAN access to an STP • The Malicious Application is able to impersonate the real SMSC by setting the CgPA • The HLR is target network receives the same SRI-SM as the one originate Malicious Application HLR B SRI-SM  CgPA = SMSC  CdPA = MSIDN  [Service Centre, MSISDN]SRI-SM  CgPA = HLR  CdPA = SMSC  [VMSC, IMSI] Obtain subscriber IMSI & Roaming MSC
/ ... • The malicious application uses the previously obtained IMSI and VMSC • The malicious application modifies subscriber data in the Visited MSC – in this case the O-CSI • The VMSC has no standard mechanism to detect if this is a legitimate request or not • Whenever the target subscriber originates a call the call control is given by VMSC (via CAP) to the node defined within the O-CSI. This node can perform a record function and connect the call to the intended destination. VMSC B INSERT-SUBSCRIBER-DATA  CgPA = SMSC  CdPA = VMSC B  [SubscriberData(O-CSI)] Malicious Application Modify O-CSI in VMSC Your calls can be recorded
/ ... • The Malicious Application uses the previously obtained IMSI and VMSC • The Malicious Application request current location information from Visited MSC • The VMSC has no standard mechanism to detect if this a legitimate request or not VMSC B PROVIDE SUBSCRIPTION INFORMATION  CgPA = GMSC  CdPA = VMSC B  [requestedInfo (currentLocation)] Malicious Application SUBSCRIPTION INFORMATION  CgPA = VMSC B  CdPA = GMSC  [CellId] Retrieve subscriber location Your location can be tracked
/ ... • The malicious application uses the previously obtained IMSI and VMSC • The malicious application modifies subscriber data in the Visited MSC – in this case the MSISDN • The VMSC has no standard mechanism to detect if this is a legitimate request or not • Whenever the target subscriber originates a call the modified MSIDN is used as calling party VMSC B INSERT-SUBSCRIBER-DATA  CgPA = SMSC  CdPA = VMSC B  [SubscriberData(MSISDN)] Malicious Application Modify MSISDN in VMSC You can spoof your MSISDN
/ ... • The malicious application uses the previously obtained IMSI and VMSC • The malicious application modifies subscriber data in the Visited MSC – in this case the MSISDN • The VMSC has no standard mechanism to detect if this is a legitimate request or not • Whenever the target subscriber tries to originates a call the BAOC setting will not allow the call to take place VMSC B INSERT-SUBSCRIBER-DATA  CgPA = SMSC  CdPA = VMSC B  [SubscriberData(BAOC)] Malicious Application Modify ODB in VMSC Somebody can block your calls
/ ... • Blocking SRI-SM requests in STP • Can’t block all SRI-SM messages since we would kill the SMS service for all our subscribers • Block all SRI-SM requests in coming from unknown addresses • The MAP allows an application to spoof the SCCP CgPA Easy answers?
/ ... • Block ISD requests in STP • Can’t block all ISD messages since we would kill the voice service for all our subscribers • Block all ISD requests coming from interconnect links • Can’t block all ISD messages since we would kill the voice service for all our in-roamers Easy answers?
/ ... • Protects your subscribers data in MSC • Protects your subscribers location in the network • Allows the legitimate traffic to flow without disruption What a SS7 firewall does…
/ ... • All SRI-SM requests are routed by STP towards the MAP filter • The MAP filtering decides the current request is un-trustworthy and forwards the request to the HLR and stores the real IMSI and VMSC received from the HLR • The MAP Filter will provide back to the un-trusted application a fake IMSI and a fake VMSC address. The fake VMSC address is the MAP filter address. Un-trusted Application HLR B SRI-SM  CgPA = SMSC  CdPA = MSIDN  [Service Centre, MSISDN] SRI-SM  CgPA = HLR  CdPA = SMSC  [VMSC, IMSI] MAP Filter SRI-SM  CgPA = SMSC  CdPA = MSIDN  [Service Centre, MSISDN] SRI-SM  CgPA = HLR  CdPA = SMSC  [Fake VMSC, Fake IMSI] Never expose real IMSI to untrusted entities
/ ... • If the un-trusted application is in fact a legitimate SMSC trying to deliver an MT SMS then after the SRI-SM the SMSC will deliver the MT SMS to the VMSC address obtained at SRI-SM (the MAP Filter) • The MAP filtering decides that this is a legitimate request, retrieves the real IMSI and real VMSC based on the received fake IMSI and then delivers the MT SMS to the real VMSC using real IMSI • The MT SMS response is proxied back to the SMSC Legitimate SMSC VMSC B MT-FORWARD-SM  CgPA = SMSC  CdPA = MAP Filter  [Fake IMSI, MT-SMS] MT-FORWARD-SM  CgPA = VMSC B  CdPA = MAP Filter  [Delivery Status] MAP Filter MT-FORWARD-SM  CgPA = SMSC  CdPA = VMSC B  [IMSI, MT-SMS] MT-FORWARD-SM  CgPA = MAP Filter; CdPA = SMSC  [Delivery Status] Untrusted application is in fact legitimate
/ ... • If the un-trusted application is in fact a malicious application trying to alter subscriber data in VMSC then after the SRI-SM the malicious application tries to insert data into the VMSC obtained at SRI-SM (the MAP Filter) • The MAP Filtering decides that this is a malicious request and it can provide a fake answer back to malicious application (ok I have inserted the data), it can reject the ISD or it can drop silently the request • The subscriber data in VMSC is thus protected Malicious Application Protected VMSC B MAP Filter INSERT-SUBSCRIBER-DATA  CgPA = MAP Filter  CdPA = SMSC  [OK] INSERT-SUBSCRIBER-DATA  CgPA = SMSC  CdPA = MAP Filter  [SubscriberData(O-CSI)] Untrusted application is in fact malicious
/ ... • If the un-trusted application is in fact a malicious application trying to retrieve subscriber location from VMSC, then after the SRI-SM the malicious application tries to request current location data from the VMSC obtained at SRI-SM (the MAP Filter) • The MAP filtering decides that this is a malicious request and it can provide a fake answer back to malicious application (here is some fake cell id), it can reject the PSIor it can drop silently the request • The subscriber location is thus protected Malicious Application Protected VMSC B MAP Filter PROVIDE SUBSCRIPTION INFORMATION  CgPA = MAP Filter  CdPA = GMSC  [fake cell id] PROVIDE SUBSCRIPTION INFORMATION  CgPA = GMSC  CdPA = VMSC B  [requested info (current Location)] Untrusted application is in fact malicious…
/ ... • The message is received and decoded ,incoming parameters are extracted (SCCP CgPA, CdPA, TCAP Context, MAP Parameters) • Context data (fake IMSI in request) is extracted from in-memory data store • Rule Engine decides based on input parameters and based on context data what treatment should be applied to the incoming message • Action returned by the Rule Engine is applied MAP filter MAP REQUEST  CgPA  CdPA  [MAP Parameters] In-memory data store Rule engine  Get context data  Determine treatment  of current request Action How does this work?
/ ... • RELAY – the incoming request is relayed at SCCP level towards the requested destination • ABORT – the incoming request is responded with a TCAP_U_ABORT • DROP – the incoming request is silently dropped, no response is provided back • FAKE – the incoming request is answered with a default fake answer (fake answer message is configurable per MAP Operation) • PROXY – the incoming message is proxied by the MAP Filter to the destination node; the MAP filter proxies also the responses back and hides real data (e.g. fake IMSI) SS7 firewall behaviour
/ ... / Thank you! / [+44]20.7193.9189 www.computaris.com

Recommended

Vehicular ad hoc_networks
Vehicular ad hoc_networksVehicular ad hoc_networks
Vehicular ad hoc_networksAbdulrub Moshin
 
Using SS7 & SIGTRAN to Solve Today's Network Challenges
Using SS7 & SIGTRAN to Solve Today's Network ChallengesUsing SS7 & SIGTRAN to Solve Today's Network Challenges
Using SS7 & SIGTRAN to Solve Today's Network ChallengesContinuous Computing
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRANStephanie Galloway-Williams
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
Sigtran Workshop
Sigtran WorkshopSigtran Workshop
Sigtran WorkshopLuca Matteo Ruberto
 
sigtran
sigtransigtran
sigtrankrsgowri
 
SIGTRAN - An Introduction
SIGTRAN - An IntroductionSIGTRAN - An Introduction
SIGTRAN - An IntroductionTareque Hossain
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 

Recommended

Vehicular ad hoc_networks
Vehicular ad hoc_networksVehicular ad hoc_networks
Vehicular ad hoc_networksAbdulrub Moshin
 
Using SS7 & SIGTRAN to Solve Today's Network Challenges
Using SS7 & SIGTRAN to Solve Today's Network ChallengesUsing SS7 & SIGTRAN to Solve Today's Network Challenges
Using SS7 & SIGTRAN to Solve Today's Network ChallengesContinuous Computing
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRANStephanie Galloway-Williams
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
Sigtran Workshop
Sigtran WorkshopSigtran Workshop
Sigtran WorkshopLuca Matteo Ruberto
 
sigtran
sigtransigtran
sigtrankrsgowri
 
SIGTRAN - An Introduction
SIGTRAN - An IntroductionSIGTRAN - An Introduction
SIGTRAN - An IntroductionTareque Hossain
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
Ussd call back or UCB
Ussd call back or UCBUssd call back or UCB
Ussd call back or UCBRawand Jaf
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...DefCamp
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX networkAlexandre De Oliveira
 
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSPY24
 
Gsm
GsmGsm
GsmNur Islam
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
 
The benefits of using the rules engine paradigm in telco systems
The benefits of using the rules engine paradigm in telco systems The benefits of using the rules engine paradigm in telco systems
The benefits of using the rules engine paradigm in telco systems Computaris
 
Roaming VAS (optimal routing)
Roaming VAS (optimal routing)Roaming VAS (optimal routing)
Roaming VAS (optimal routing)Rawand Jaf
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовPositive Hack Days
 
Wireless technologies LTE UMTS GSM - 01.ppt
Wireless technologies LTE UMTS GSM - 01.pptWireless technologies LTE UMTS GSM - 01.ppt
Wireless technologies LTE UMTS GSM - 01.pptAsitSwain5
 
On the verge of fraud
On the verge of fraudOn the verge of fraud
On the verge of fraudPositiveTechnologies
 
Rpc
RpcRpc
RpcATS SBGI MIRAJ
 
SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.3G4G
 
Gsm architecture, gsm network identities, network cases, cell planning, and c...
Gsm architecture, gsm network identities, network cases, cell planning, and c...Gsm architecture, gsm network identities, network cases, cell planning, and c...
Gsm architecture, gsm network identities, network cases, cell planning, and c...Zorays Solar Pakistan
 
GSM security solution by FINETUNE Technologies
GSM security solution by FINETUNE TechnologiesGSM security solution by FINETUNE Technologies
GSM security solution by FINETUNE TechnologiesEngr.MEESHU SHARKER
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresPositiveTechnologies
 
fdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.pptfdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.pptHazemElabed2
 
Final gsm1
Final gsm1Final gsm1
Final gsm1Arun Kumar
 
Cap interface
Cap interfaceCap interface
Cap interfaceAtefe Shahrokhi
 
Intelegent network.ppt
Intelegent network.pptIntelegent network.ppt
Intelegent network.pptAbdullahAlNoman112243
 
70% less troubleshooting time and reduced network operation costs
70% less troubleshooting time and reduced network operation costs70% less troubleshooting time and reduced network operation costs
70% less troubleshooting time and reduced network operation costsComputaris
 
DevOps and 5G cloud native solutions supported by Computaris automated testin...
DevOps and 5G cloud native solutions supported by Computaris automated testin...DevOps and 5G cloud native solutions supported by Computaris automated testin...
DevOps and 5G cloud native solutions supported by Computaris automated testin...Computaris
 

More Related Content

Similar to Computaris SS7 Firewall

Ussd call back or UCB
Ussd call back or UCBUssd call back or UCB
Ussd call back or UCBRawand Jaf
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...DefCamp
 
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSPY24
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
 
The benefits of using the rules engine paradigm in telco systems
The benefits of using the rules engine paradigm in telco systems The benefits of using the rules engine paradigm in telco systems
The benefits of using the rules engine paradigm in telco systems Computaris
 
Roaming VAS (optimal routing)
Roaming VAS (optimal routing)Roaming VAS (optimal routing)
Roaming VAS (optimal routing)Rawand Jaf
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовPositive Hack Days
 
Wireless technologies LTE UMTS GSM - 01.ppt
Wireless technologies LTE UMTS GSM - 01.pptWireless technologies LTE UMTS GSM - 01.ppt
Wireless technologies LTE UMTS GSM - 01.pptAsitSwain5
 
SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.3G4G
 
Gsm architecture, gsm network identities, network cases, cell planning, and c...
Gsm architecture, gsm network identities, network cases, cell planning, and c...Gsm architecture, gsm network identities, network cases, cell planning, and c...
Gsm architecture, gsm network identities, network cases, cell planning, and c...Zorays Solar Pakistan
 
GSM security solution by FINETUNE Technologies
GSM security solution by FINETUNE TechnologiesGSM security solution by FINETUNE Technologies
GSM security solution by FINETUNE TechnologiesEngr.MEESHU SHARKER
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresPositiveTechnologies
 
fdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.pptfdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.pptHazemElabed2
 

Similar to Computaris SS7 Firewall (20)

Ussd call back or UCB
Ussd call back or UCBUssd call back or UCB
Ussd call back or UCB
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX network
 
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
 
Gsm
GsmGsm
Gsm
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOs
 
The benefits of using the rules engine paradigm in telco systems
The benefits of using the rules engine paradigm in telco systems The benefits of using the rules engine paradigm in telco systems
The benefits of using the rules engine paradigm in telco systems
 
Roaming VAS (optimal routing)
Roaming VAS (optimal routing)Roaming VAS (optimal routing)
Roaming VAS (optimal routing)
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентов
 
Wireless technologies LTE UMTS GSM - 01.ppt
Wireless technologies LTE UMTS GSM - 01.pptWireless technologies LTE UMTS GSM - 01.ppt
Wireless technologies LTE UMTS GSM - 01.ppt
 
On the verge of fraud
On the verge of fraudOn the verge of fraud
On the verge of fraud
 
Rpc
RpcRpc
Rpc
 
SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.SS7: Locate. Track. Manipulate.
SS7: Locate. Track. Manipulate.
 
Gsm architecture, gsm network identities, network cases, cell planning, and c...
Gsm architecture, gsm network identities, network cases, cell planning, and c...Gsm architecture, gsm network identities, network cases, cell planning, and c...
Gsm architecture, gsm network identities, network cases, cell planning, and c...
 
GSM security solution by FINETUNE Technologies
GSM security solution by FINETUNE TechnologiesGSM security solution by FINETUNE Technologies
GSM security solution by FINETUNE Technologies
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasures
 
fdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.pptfdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.ppt
 
Final gsm1
Final gsm1Final gsm1
Final gsm1
 
Cap interface
Cap interfaceCap interface
Cap interface
 
Intelegent network.ppt
Intelegent network.pptIntelegent network.ppt
Intelegent network.ppt
 

More from Computaris

70% less troubleshooting time and reduced network operation costs
70% less troubleshooting time and reduced network operation costs70% less troubleshooting time and reduced network operation costs
70% less troubleshooting time and reduced network operation costsComputaris
 
DevOps and 5G cloud native solutions supported by Computaris automated testin...
DevOps and 5G cloud native solutions supported by Computaris automated testin...DevOps and 5G cloud native solutions supported by Computaris automated testin...
DevOps and 5G cloud native solutions supported by Computaris automated testin...Computaris
 
Complex cloudification: Porting bare metal apps to telco cloud vnf
Complex cloudification: Porting bare metal apps to telco cloud vnfComplex cloudification: Porting bare metal apps to telco cloud vnf
Complex cloudification: Porting bare metal apps to telco cloud vnfComputaris
 
Solid combination of Diameter and Computaris plugins in automated testing tool
Solid combination of Diameter and Computaris plugins in automated testing toolSolid combination of Diameter and Computaris plugins in automated testing tool
Solid combination of Diameter and Computaris plugins in automated testing toolComputaris
 
First development of Cr interface for MRF equipment by Computaris
First development of Cr interface for MRF equipment by ComputarisFirst development of Cr interface for MRF equipment by Computaris
First development of Cr interface for MRF equipment by ComputarisComputaris
 
Swisscom’s prepaid billing system: A case of successful project and solid par...
Swisscom’s prepaid billing system: A case of successful project and solid par...Swisscom’s prepaid billing system: A case of successful project and solid par...
Swisscom’s prepaid billing system: A case of successful project and solid par...Computaris
 
Automated testing in migration to 5G network and the cloud
Automated testing in migration to 5G network and the cloudAutomated testing in migration to 5G network and the cloud
Automated testing in migration to 5G network and the cloudComputaris
 
Digital value in telecom and beyond
Digital value in telecom and beyondDigital value in telecom and beyond
Digital value in telecom and beyondComputaris
 
Computaris presentation
Computaris presentationComputaris presentation
Computaris presentationComputaris
 
VoLTE implementation for Magenta Telekom awarded "best network in Austria" in...
VoLTE implementation for Magenta Telekom awarded "best network in Austria" in...VoLTE implementation for Magenta Telekom awarded "best network in Austria" in...
VoLTE implementation for Magenta Telekom awarded "best network in Austria" in...Computaris
 
Computaris cloud and DevOps services
Computaris cloud and DevOps servicesComputaris cloud and DevOps services
Computaris cloud and DevOps servicesComputaris
 
TOP Testing Suite
TOP Testing SuiteTOP Testing Suite
TOP Testing SuiteComputaris
 
Mobile application development
Mobile application developmentMobile application development
Mobile application developmentComputaris
 
Innovative analytics solution for large datacenter network traffic
Innovative analytics solution for large datacenter network trafficInnovative analytics solution for large datacenter network traffic
Innovative analytics solution for large datacenter network trafficComputaris
 
Romanian software market statistics and forecast
Romanian software market statistics and forecastRomanian software market statistics and forecast
Romanian software market statistics and forecastComputaris
 
Computaris DevOps technology expertise
Computaris DevOps technology expertiseComputaris DevOps technology expertise
Computaris DevOps technology expertiseComputaris
 
Computaris builds analytics solution for large datacenter network traffic
Computaris builds analytics solution for large datacenter network trafficComputaris builds analytics solution for large datacenter network traffic
Computaris builds analytics solution for large datacenter network trafficComputaris
 
Romania's success in software outsourcing
Romania's success in software outsourcingRomania's success in software outsourcing
Romania's success in software outsourcingComputaris
 
Computaris cloud expertise
Computaris cloud expertiseComputaris cloud expertise
Computaris cloud expertiseComputaris
 

More from Computaris (20)

70% less troubleshooting time and reduced network operation costs
70% less troubleshooting time and reduced network operation costs70% less troubleshooting time and reduced network operation costs
70% less troubleshooting time and reduced network operation costs
 
DevOps and 5G cloud native solutions supported by Computaris automated testin...
DevOps and 5G cloud native solutions supported by Computaris automated testin...DevOps and 5G cloud native solutions supported by Computaris automated testin...
DevOps and 5G cloud native solutions supported by Computaris automated testin...
 
Complex cloudification: Porting bare metal apps to telco cloud vnf
Complex cloudification: Porting bare metal apps to telco cloud vnfComplex cloudification: Porting bare metal apps to telco cloud vnf
Complex cloudification: Porting bare metal apps to telco cloud vnf
 
Solid combination of Diameter and Computaris plugins in automated testing tool
Solid combination of Diameter and Computaris plugins in automated testing toolSolid combination of Diameter and Computaris plugins in automated testing tool
Solid combination of Diameter and Computaris plugins in automated testing tool
 
First development of Cr interface for MRF equipment by Computaris
First development of Cr interface for MRF equipment by ComputarisFirst development of Cr interface for MRF equipment by Computaris
First development of Cr interface for MRF equipment by Computaris
 
Swisscom’s prepaid billing system: A case of successful project and solid par...
Swisscom’s prepaid billing system: A case of successful project and solid par...Swisscom’s prepaid billing system: A case of successful project and solid par...
Swisscom’s prepaid billing system: A case of successful project and solid par...
 
Automated testing in migration to 5G network and the cloud
Automated testing in migration to 5G network and the cloudAutomated testing in migration to 5G network and the cloud
Automated testing in migration to 5G network and the cloud
 
Digital value in telecom and beyond
Digital value in telecom and beyondDigital value in telecom and beyond
Digital value in telecom and beyond
 
Computaris presentation
Computaris presentationComputaris presentation
Computaris presentation
 
VoLTE implementation for Magenta Telekom awarded "best network in Austria" in...
VoLTE implementation for Magenta Telekom awarded "best network in Austria" in...VoLTE implementation for Magenta Telekom awarded "best network in Austria" in...
VoLTE implementation for Magenta Telekom awarded "best network in Austria" in...
 
Computaris cloud and DevOps services
Computaris cloud and DevOps servicesComputaris cloud and DevOps services
Computaris cloud and DevOps services
 
TOP Testing Suite
TOP Testing SuiteTOP Testing Suite
TOP Testing Suite
 
IoT STARTER
IoT STARTERIoT STARTER
IoT STARTER
 
Mobile application development
Mobile application developmentMobile application development
Mobile application development
 
Innovative analytics solution for large datacenter network traffic
Innovative analytics solution for large datacenter network trafficInnovative analytics solution for large datacenter network traffic
Innovative analytics solution for large datacenter network traffic
 
Romanian software market statistics and forecast
Romanian software market statistics and forecastRomanian software market statistics and forecast
Romanian software market statistics and forecast
 
Computaris DevOps technology expertise
Computaris DevOps technology expertiseComputaris DevOps technology expertise
Computaris DevOps technology expertise
 
Computaris builds analytics solution for large datacenter network traffic
Computaris builds analytics solution for large datacenter network trafficComputaris builds analytics solution for large datacenter network traffic
Computaris builds analytics solution for large datacenter network traffic
 
Romania's success in software outsourcing
Romania's success in software outsourcingRomania's success in software outsourcing
Romania's success in software outsourcing
 
Computaris cloud expertise
Computaris cloud expertiseComputaris cloud expertise
Computaris cloud expertise
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Computaris SS7 Firewall

  • 2. / ... • robust, proven, reliable • working for decades But … • interconnect is based on trust • no protocol level security • … no equivalent in SS7 of IP TLS, IPSec The SS7 Network is
  • 3. / ... • your calls could be recorded and you wouldn’t know about this? • your subscriber’s location (cell id) could be tracked? • somebody could deny your subscribers access to the network? • somebody could alter the identity in the VLR when your users place calls? What if…
  • 4. / ... • Government US Congress/FCC • http://grayson.house.gov/index.php/newsroom/press-releases/314-grayson-asks- fcc-to-protect-privacy-of-americans-phone-calls • Research • http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german- researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and- read-your-texts/ • Press • http://www.washingtonpost.com/business/technology/for-sale-systems-that-can- secretly-track-where-cellphone-users-go-around-the-globe/2014/08/24/f0700e8a- f003-11e3-bf76-447a5df6411f_story.html Where can I find public information?
  • 6. / ... • The roaming MSC (Visited MSC) requires network access from HLR • The HLR pushes subscriber data into Visited MSC • The HLR keeps record that subscriber roams in the given Visited MSC VMSC B HLR B (1) LOCATION UPDATE  CgPA = VMSC B  CdPA = HLR  [IMSI, VMSC] (3) INSERT SUBSCRIBER DATA  CgPA = HLR  CdPA = VMSC B  [MSISDN, SubscriberData] (2) LOCATION UPDATE ACCEPTED  CgPA = HLR  CdPA = VMSC B Legitimate scenario location update in HPLMN
  • 7. / ... • Foreign SMSC requests the VMSC & IMSI of the recipient (your subscriber) • The HLR returns the VMSC address and IMSI • The foreign SMSC connects to the VMSC and submits the SMS SMSC A HLR B (1) SRI-SM  CgPA = SMSC  CdPA = MSIDN  [Service Centre, MSISDN] (2) SRI-SM ANSWER  CgPA = HLR  CdPA = SMSC  [VMSC, IMSI] VMSC B (3) MT-FORWARD-SM  CgPA = SMSC  CdPA = VMSC B  [IMSI, SMS] Legitimate SMS delivery from foreign network
  • 8. / ... Malicious Usage On ‘Trusted’ SS7 Links 02
  • 9. / ... • The breached network has roaming agreement with target network • The malicious application is any application capable of sending MAP messages with SS7/SIGTRAN access to an STP • The Malicious Application is able to impersonate the real SMSC by setting the CgPA • The HLR is target network receives the same SRI-SM as the one originate Malicious Application HLR B SRI-SM  CgPA = SMSC  CdPA = MSIDN  [Service Centre, MSISDN]SRI-SM  CgPA = HLR  CdPA = SMSC  [VMSC, IMSI] Obtain subscriber IMSI & Roaming MSC
  • 10. / ... • The malicious application uses the previously obtained IMSI and VMSC • The malicious application modifies subscriber data in the Visited MSC – in this case the O-CSI • The VMSC has no standard mechanism to detect if this is a legitimate request or not • Whenever the target subscriber originates a call the call control is given by VMSC (via CAP) to the node defined within the O-CSI. This node can perform a record function and connect the call to the intended destination. VMSC B INSERT-SUBSCRIBER-DATA  CgPA = SMSC  CdPA = VMSC B  [SubscriberData(O-CSI)] Malicious Application Modify O-CSI in VMSC Your calls can be recorded
  • 11. / ... • The Malicious Application uses the previously obtained IMSI and VMSC • The Malicious Application request current location information from Visited MSC • The VMSC has no standard mechanism to detect if this a legitimate request or not VMSC B PROVIDE SUBSCRIPTION INFORMATION  CgPA = GMSC  CdPA = VMSC B  [requestedInfo (currentLocation)] Malicious Application SUBSCRIPTION INFORMATION  CgPA = VMSC B  CdPA = GMSC  [CellId] Retrieve subscriber location Your location can be tracked
  • 12. / ... • The malicious application uses the previously obtained IMSI and VMSC • The malicious application modifies subscriber data in the Visited MSC – in this case the MSISDN • The VMSC has no standard mechanism to detect if this is a legitimate request or not • Whenever the target subscriber originates a call the modified MSIDN is used as calling party VMSC B INSERT-SUBSCRIBER-DATA  CgPA = SMSC  CdPA = VMSC B  [SubscriberData(MSISDN)] Malicious Application Modify MSISDN in VMSC You can spoof your MSISDN
  • 13. / ... • The malicious application uses the previously obtained IMSI and VMSC • The malicious application modifies subscriber data in the Visited MSC – in this case the MSISDN • The VMSC has no standard mechanism to detect if this is a legitimate request or not • Whenever the target subscriber tries to originates a call the BAOC setting will not allow the call to take place VMSC B INSERT-SUBSCRIBER-DATA  CgPA = SMSC  CdPA = VMSC B  [SubscriberData(BAOC)] Malicious Application Modify ODB in VMSC Somebody can block your calls
  • 14. / ... • Blocking SRI-SM requests in STP • Can’t block all SRI-SM messages since we would kill the SMS service for all our subscribers • Block all SRI-SM requests in coming from unknown addresses • The MAP allows an application to spoof the SCCP CgPA Easy answers?
  • 15. / ... • Block ISD requests in STP • Can’t block all ISD messages since we would kill the voice service for all our subscribers • Block all ISD requests coming from interconnect links • Can’t block all ISD messages since we would kill the voice service for all our in-roamers Easy answers?
  • 16. / ... • Protects your subscribers data in MSC • Protects your subscribers location in the network • Allows the legitimate traffic to flow without disruption What a SS7 firewall does…
  • 17. / ... • All SRI-SM requests are routed by STP towards the MAP filter • The MAP filtering decides the current request is un-trustworthy and forwards the request to the HLR and stores the real IMSI and VMSC received from the HLR • The MAP Filter will provide back to the un-trusted application a fake IMSI and a fake VMSC address. The fake VMSC address is the MAP filter address. Un-trusted Application HLR B SRI-SM  CgPA = SMSC  CdPA = MSIDN  [Service Centre, MSISDN] SRI-SM  CgPA = HLR  CdPA = SMSC  [VMSC, IMSI] MAP Filter SRI-SM  CgPA = SMSC  CdPA = MSIDN  [Service Centre, MSISDN] SRI-SM  CgPA = HLR  CdPA = SMSC  [Fake VMSC, Fake IMSI] Never expose real IMSI to untrusted entities
  • 18. / ... • If the un-trusted application is in fact a legitimate SMSC trying to deliver an MT SMS then after the SRI-SM the SMSC will deliver the MT SMS to the VMSC address obtained at SRI-SM (the MAP Filter) • The MAP filtering decides that this is a legitimate request, retrieves the real IMSI and real VMSC based on the received fake IMSI and then delivers the MT SMS to the real VMSC using real IMSI • The MT SMS response is proxied back to the SMSC Legitimate SMSC VMSC B MT-FORWARD-SM  CgPA = SMSC  CdPA = MAP Filter  [Fake IMSI, MT-SMS] MT-FORWARD-SM  CgPA = VMSC B  CdPA = MAP Filter  [Delivery Status] MAP Filter MT-FORWARD-SM  CgPA = SMSC  CdPA = VMSC B  [IMSI, MT-SMS] MT-FORWARD-SM  CgPA = MAP Filter; CdPA = SMSC  [Delivery Status] Untrusted application is in fact legitimate
  • 19. / ... • If the un-trusted application is in fact a malicious application trying to alter subscriber data in VMSC then after the SRI-SM the malicious application tries to insert data into the VMSC obtained at SRI-SM (the MAP Filter) • The MAP Filtering decides that this is a malicious request and it can provide a fake answer back to malicious application (ok I have inserted the data), it can reject the ISD or it can drop silently the request • The subscriber data in VMSC is thus protected Malicious Application Protected VMSC B MAP Filter INSERT-SUBSCRIBER-DATA  CgPA = MAP Filter  CdPA = SMSC  [OK] INSERT-SUBSCRIBER-DATA  CgPA = SMSC  CdPA = MAP Filter  [SubscriberData(O-CSI)] Untrusted application is in fact malicious
  • 20. / ... • If the un-trusted application is in fact a malicious application trying to retrieve subscriber location from VMSC, then after the SRI-SM the malicious application tries to request current location data from the VMSC obtained at SRI-SM (the MAP Filter) • The MAP filtering decides that this is a malicious request and it can provide a fake answer back to malicious application (here is some fake cell id), it can reject the PSIor it can drop silently the request • The subscriber location is thus protected Malicious Application Protected VMSC B MAP Filter PROVIDE SUBSCRIPTION INFORMATION  CgPA = MAP Filter  CdPA = GMSC  [fake cell id] PROVIDE SUBSCRIPTION INFORMATION  CgPA = GMSC  CdPA = VMSC B  [requested info (current Location)] Untrusted application is in fact malicious…
  • 21. / ... • The message is received and decoded ,incoming parameters are extracted (SCCP CgPA, CdPA, TCAP Context, MAP Parameters) • Context data (fake IMSI in request) is extracted from in-memory data store • Rule Engine decides based on input parameters and based on context data what treatment should be applied to the incoming message • Action returned by the Rule Engine is applied MAP filter MAP REQUEST  CgPA  CdPA  [MAP Parameters] In-memory data store Rule engine  Get context data  Determine treatment  of current request Action How does this work?
  • 22. / ... • RELAY – the incoming request is relayed at SCCP level towards the requested destination • ABORT – the incoming request is responded with a TCAP_U_ABORT • DROP – the incoming request is silently dropped, no response is provided back • FAKE – the incoming request is answered with a default fake answer (fake answer message is configurable per MAP Operation) • PROXY – the incoming message is proxied by the MAP Filter to the destination node; the MAP filter proxies also the responses back and hides real data (e.g. fake IMSI) SS7 firewall behaviour