Access Mediation: Preserving Network Security and Integrity

Definition

Access mediation is the process of examining and controlling signaling traffic between networks, resources and users by filtering Signaling System 7 (SS7) traffic. This process enables carriers to inspect the syntax and content of every signaling message entering or exiting the network. Each message is checked against the carrier's operations policy to determine whether to permit, deny and/or modify the message traffic. Access mediation devices are typically used to mitigate the risks associated with widespread interconnection and network convergence.

Overview

The telecommunications market has changed dramatically since the SS7 network's inception. Deregulation and convergence have moved the industry beyond a relatively small group of carriers and equipment manufacturers. Now there are thousands of SS7 nodes connecting a wide variety of carriers across the globe. This pervasive interconnection has also introduced newer and more powerful technologies that don't always meet the existing telephone providers' reliability and certification standards. Growing demand for nontraditional services running on the SS7 network continues to make unregulated access even more commonplace. These changing market dynamics have left the door open to inadvertent or malicious disruption, catalyzing the need for an access mediation device to mitigate risk. This tutorial takes its readers through the concept of access mediation and explains how it can be applied to help carriers regain control of their signaling networks.

Topics

Definition and Overview
1. Historical Perspective
2. The Role of Access Mediation
3. System Requirements
4. Technological Benefits
5. Application Scenarios
6. Conclusion

1. Historical Perspective

Service providers worldwide rely on the SS7 network. It is the backbone of the modern telecommunications network, enabling service providers to interconnect and offer the advanced voice services customers demand. The SS7 network provides wireline and wireless call control as well as intelligent network (IN) services such as 8XX and 900 number calling, calling name (CNAM) and calling card verification. SS7 also supports government-mandated services like local and mobile number portability (LNP and MNP).

Since the SS7 network was designed for a closed community, the standards bodies developing it were primarily concerned with high availability and redundancy. This ensured the network's ability to protect itself against system failures. The Telecom Act of 1996 and the advent of voice and data convergence brought unforeseen threats to the signaling environment. The 1996 Act mandated that the small community of incumbent carriers provide nondiscriminatory access to their SS7 networks on an unbundled basis. Unbundling introduced a host of new providers into the SS7 environment. Similar deregulation is occurring worldwide.

At about the same time, demand for Internet Protocol (IP) telephony services interoperating with the SS7 network began to grow. The proliferation of IP-to-SS7 gateways that have made this possible, coupled with the added complexity and linked nature of SS7, has brought unprecedented instability to this once closed environment. To address growing security and reliability concerns, Telcordia developed gateway screening standards (GR-82-CORE). These standards set forth limited provisions for examining and controlling inappropriate and potentially harmful traffic. The Telcordia standards may have been adequate at the time.
However, as the market evolves, the carrier's ability to control its network interconnections continues to diminish. A more comprehensive approach must be taken to protect the SS7 network.

2. The Role of Access Mediation

Carriers across the globe are now interconnected through SS7, and the demand for non-traditional voice services running on the network continues to grow. Unlike legacy providers, many new carriers are accessing the network with equipment based on off-the-shelf computing platforms. The inherent flexibility of this equipment makes it much more powerful and capable of generating signaling traffic at very high volumes, and often in non-standard forms. Inexperienced carriers using either new equipment or existing legacy technology could send inappropriate signaling traffic. While it's unlikely that inappropriate traffic sent to a single network node would cause a widespread outage, the last-mile impact could be devastating to critical services like E-911.

Perhaps more troubling than a potential inadvertent malfunction is the open door that deregulation and convergence have left in this once closed, secure environment. The National Research Council (NRC) pointed out in its book titled "Trust in Cyberspace" that essentially anyone can interconnect to the SS7 network for the modest fee of $10,000. Unregulated access heightens the chance that an attack orchestrated by a terrorist organization or a hacker could cause a widespread disruption capable of putting national security at risk and crippling the economy.

Figure 1. Widespread SS7 Interconnection
The carrier's need to regain control of the SS7 network, in order to ensure its integrity and reliability, underscores the need for access mediation technology. Access mediation can mitigate interconnection risks brought on by inexperienced carriers and unproven technologies, enforce interconnect agreements at a granular level, and enhance security to prevent a malicious attack.

3. System Requirements

A comprehensive access mediation system provides a protective barrier against unwanted and inappropriate signaling traffic. The following system requirements are fundamental to ensuring the continued reliability, service quality and security of the SS7 network.

Granular Inspection

Access mediation devices shouldn't be limited to analyzing traffic based on the message header. These devices should be capable of both syntax and content inspection. Syntax inspection ensures each message is properly formatted according to the standards and requirements used in the network; messages that are not coded correctly should not be permitted into the network. Content inspection operates at multiple layers of the protocol stack to validate messages, parameters and their values for compliance with the carrier's policies and agreements. Coupling these two types of analysis gives carriers a strong barrier against traffic that threatens network security and integrity.

Figure 2: Syntax and Content Inspection of Each Message

Analyze Every Message

Access mediation devices must be able to perform a detailed analysis of every message entering and exiting the network. The device should be capable of checking these messages against the service provider's operations policies and interconnect agreements. Using the results of its examination, the access mediation device should have the intelligence to pass, block, modify and/or alert on each message. In addition, the alerting function should have a logging capability that enables messages to be collected for further analysis.
Policy-Based Enforcement

Access mediation devices should govern how the network can be used through policy-based enforcement. This type of enforcement should be interconnection specific, and each rule should determine how in-depth each message is examined. The level of detail must be configurable, since each interconnection may require a different level of analysis depending on the types of traffic it carries.

Network Transparency

To minimize the impact of a new network infrastructure deployment, installation time and effort should be minimal. Therefore, deploying an access mediation device should not require a point code. Access mediation devices should be transparent, in-line devices. This eliminates the need for network re-engineering, enabling rapid deployment.

4. Technological Benefits

Any service provider that relies on the PSTN and its SS7 interconnections can realize substantial benefits from an access mediation device that meets the aforementioned requirements. It can benefit ILECs, CLECs, wireless carriers, voice over IP (VoIP) providers, competitive access providers, call center operations, large enterprises, SS7 hub providers, government agencies and Internet service providers.

Security

Access mediation devices act as intelligent signaling firewalls. Using an access mediation device, network operators can control traffic based on protocol conformance and application-level analysis. Both traffic streams and services can be examined based on information at any layer of the protocol stack. The enhanced security offered through access mediation mitigates the risks of inadvertent or malicious disturbances.

Enforce Interconnect Agreements

Interconnect agreements dictate network access between carriers. But whether or not interconnecting partners follow the terms of those agreements is largely left to trust. Access mediation devices enable carriers to enforce their agreements at a granular level.
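As an added example (not code from this tutorial or from any access mediation product), the following Python sketch puts the Section 3 requirements and the interconnect-agreement enforcement described above into working form: every message passes a syntax check, then content checks against a policy specific to the interconnection it arrived on, and the device returns pass, block, modify or alert and logs each decision. The flattened message record, the policy fields, the link names (clec-a, voip-b, mobile-c), point codes and telephone numbers are all constructed for the example; a real SS7 message carries an MTP3 routing label plus separately encoded ISUP or SCCP/TCAP user parts, which this single record only stands in for. It deliberately goes a step beyond the text by treating an interconnection with no policy as "nothing is permitted", which is the fail-closed default a signaling firewall should have.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SS7Message:
    """Flattened stand-in for an SS7 message (constructed for this example)."""
    link: str                  # interconnection (linkset) the message arrived on
    opc: int                   # originating point code
    dpc: int                   # destination point code
    user_part: str             # "ISUP", "TCAP" or "SMS" (SMS is MAP over SCCP/TCAP; simplified)
    declared_len: int          # length field as coded by the sender
    payload: bytes             # bytes actually present on the link
    cic: Optional[int] = None  # ISUP circuit identification code (trunk circuit)
    called: str = ""           # called party number, where present
    tcap_app: str = ""         # TCAP application, e.g. "AIN"


@dataclass
class Policy:
    """Per-interconnection policy derived from the interconnect agreement (hypothetical fields)."""
    allowed_cics: Set[int] = field(default_factory=set)    # trunk circuits the agreement provisions
    allow_ain: bool = True                                 # may this partner send AIN queries?
    blacklist: Set[str] = field(default_factory=set)       # known-fraud destinations
    alert_prefixes: Set[str] = field(default_factory=set)  # pass, but alert (e.g. premium-rate)
    sms_reroute_dpc: Optional[int] = None                  # divert SMS to an offload node


@dataclass
class Verdict:
    action: str   # "pass", "block", "modify" or "alert"
    reason: str


class AccessMediator:
    """In-line mediation device: inspects every message and records every decision."""

    def __init__(self, policies):
        self.policies = policies
        self.log: List[tuple] = []   # (link, opc, user_part, action, reason)

    def _decide(self, msg, action, reason):
        self.log.append((msg.link, msg.opc, msg.user_part, action, reason))
        return Verdict(action, reason)

    @staticmethod
    def syntax_check(msg):
        """Reject messages that are not coded correctly before looking at content."""
        if msg.declared_len != len(msg.payload):
            return f"declared length {msg.declared_len} != actual {len(msg.payload)}"
        if msg.user_part == "ISUP" and msg.cic is None:
            return "ISUP message without a CIC"
        return None

    def inspect(self, msg):
        # Fail closed: an interconnection with no policy gets nothing through.
        policy = self.policies.get(msg.link)
        if policy is None:
            return self._decide(msg, "block", "no policy for this interconnection")
        err = self.syntax_check(msg)
        if err:
            return self._decide(msg, "block", "syntax: " + err)
        # Content inspection: parameter values checked against the agreement.
        if msg.user_part == "ISUP" and msg.cic not in policy.allowed_cics:
            return self._decide(msg, "block", f"CIC {msg.cic} is not in the interconnect agreement")
        if msg.called in policy.blacklist:
            return self._decide(msg, "block", f"called number {msg.called} is blacklisted")
        if msg.user_part == "TCAP" and msg.tcap_app == "AIN" and not policy.allow_ain:
            return self._decide(msg, "block", "AIN traffic not permitted from this interconnection")
        if msg.user_part == "SMS" and policy.sms_reroute_dpc is not None:
            msg.dpc = policy.sms_reroute_dpc   # message modification: reroute rather than drop
            return self._decide(msg, "modify", f"SMS rerouted to point code {msg.dpc}")
        if any(msg.called.startswith(p) for p in policy.alert_prefixes):
            return self._decide(msg, "alert", "passed, but destination prefix is on the alert list")
        return self._decide(msg, "pass", "conforms to policy")


# Constructed policies: three interconnections with different agreements.
POLICIES = {
    "clec-a": Policy(allowed_cics=set(range(1, 25)), allow_ain=False,
                     blacklist={"19005550199"}, alert_prefixes={"1900"}),
    "voip-b": Policy(allowed_cics=set(range(100, 132))),
    "mobile-c": Policy(sms_reroute_dpc=2001),
}

# Constructed sample traffic; point codes and numbers are illustrative only.
SAMPLE = [
    SS7Message("voip-b", 100, 200, "ISUP", 3, b"\x01\x02\x03", cic=999, called="12125550100"),
    SS7Message("voip-b", 100, 200, "ISUP", 4, b"\x01\x02\x03", cic=105, called="12125550100"),
    SS7Message("clec-a", 300, 200, "ISUP", 3, b"\x01\x02\x03", cic=5, called="19005550199"),
    SS7Message("clec-a", 300, 200, "TCAP", 3, b"\x01\x02\x03", tcap_app="AIN"),
    SS7Message("mobile-c", 400, 200, "SMS", 3, b"\x01\x02\x03", called="12125550100"),
    SS7Message("clec-a", 300, 200, "ISUP", 3, b"\x01\x02\x03", cic=7, called="19005550123"),
    SS7Message("clec-a", 300, 200, "ISUP", 3, b"\x01\x02\x03", cic=7, called="12125550100"),
    SS7Message("unknown", 500, 200, "ISUP", 3, b"\x01\x02\x03", cic=1),
]


def run_demo():
    """Mediate the sample traffic; return the verdicts in order and the decision log."""
    mediator = AccessMediator(POLICIES)
    return [mediator.inspect(m) for m in SAMPLE], mediator.log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

The first two sample messages are the "trunk circuit values that do not exist" and "incorrect length" cases: the non-existent CIC 999 is rejected by content inspection, the length mismatch by syntax inspection before any content is looked at. The log entries are what the alerting and logging requirement asks for, so that blocked or modified traffic can be collected for later analysis.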
Prevent Fraud

Since the PSTN relies on SS7 to maintain call control and provide advanced services, it's a major hotbed for fraudulent activity. Billions are lost annually to corporate toll fraud, calls to hot-for-fraud destinations and interconnect agreement abuse. Most systems today can report on suspicious activity but lack the control necessary to stop fraud as it occurs. Access mediation devices can serve as the active component of a fraud system, enabling carriers to be proactive in the fight against fraud.

Value-Added Applications

Access mediation can also be leveraged to enable a wide range of value-added applications. Access mediation devices can manipulate, monitor and control SS7 traffic. This functionality serves as a powerful troubleshooting tool for network operators. Message modification capabilities can help carriers avoid costly equipment upgrades by quickly and efficiently resolving compatibility and interoperability problems. Access mediation technology can also perform intelligent filtering, a function that can be used to reroute high-volume traffic like SMS off an overloaded network. And the intelligence gathered by examining every SS7 message traversing the network can be used to help make planning decisions.

5. Application Scenarios

The following examples illustrate how access mediation can be used:

Deny badly formatted messages: For example, a carrier using new equipment might be generating messages with incorrect length. Access mediation can be used to block these messages, preventing them from having a detrimental effect on the network.

Stop fraud in progress: Access mediation devices can be used to block calls to and from blacklisted phone numbers as well as abandoned international mobile subscriber identities.

Restrict AIN traffic: ILECs can use access mediation devices to restrict the Advanced Intelligent Network (AIN) messages allowed onto their networks. For example, an ILEC can establish a policy that restricts AIN traffic originating from a CLEC's interconnected SCP that is used for offering enhanced services to the CLEC's customers who are served by the ILEC switch.
Control ISUP traffic: For example, if ISUP traffic is being sent at random from a VoIP interconnection using trunk circuit values that do not exist, the recipient carrier can block that traffic, allowing only traffic expressly permitted by the interconnect agreement.
Block SMS spam: Wireless carriers can install access mediation devices at their network's entry points to block short message service (SMS) spam that bogs down the network and causes customer dissatisfaction.

New revenue source: SS7 hub providers can sell signaling security as part of their product suite.

Secure gateway functionality: Carriers can integrate access mediation capabilities into existing signal transfer point (STP) nodes to enhance their functionality.

SS7 proxy: Network operators can use access mediation devices to mask network and protocol differences. This helps carriers avoid costly upgrades by quickly and efficiently resolving compatibility and interoperability problems.

SMS filtering and routing: Wireless carriers can implement access mediation devices to perform filtering and routing for different types of SMS traffic, enabling new back-end applications and premium services.

Collect market intelligence: Carriers can use an access mediation system to collect subscriber and service provider calling patterns.

LNP proxy: Carriers can use an access mediation device as an LNP proxy that allows a switch to process inbound LNP calls. That way, carriers can avoid purchasing new LNP switch software.

Monitor network performance: Carriers can use access mediation devices to gather network performance statistics, tracking link utilization, message counts and link status in real time to optimize network planning and maintenance.

6. Conclusion

The signaling network is the carrier's most critical asset. Deregulation and convergence have been a double-edged sword for carriers. While these market changes have brought many exciting new opportunities, they have also opened the network up to serious threats. New carriers, technology and equipment are connected worldwide, on a vast scale, to the PSTN via the signaling network. This increasingly complex interconnection brings greater risk of a network outage due to inadvertent or malicious malfunctions.
Consequently, carriers need access mediation technology to examine and control the signaling traffic entering and exiting the network. Access mediation protects the network against inappropriate signaling traffic to ensure network integrity and security in the evolving signaling environment.

Self-Test

1. Deregulation and convergence have catalyzed the need for access mediation.
2. Any carrier that relies on the PSTN and its SS7 interconnections for service delivery can benefit from access mediation.
3. SMS filtering is a function that can be performed by access mediation.
4. Current gateway screening standards are adequate for ensuring the network is protected.
5. Access mediation is not able to mask protocol differences between networks.
6. If system implementation requires a point code, carriers must reconfigure the network for deployment.
7. The standards bodies developing SS7 were concerned about protecting the network from harmful outside sources.
8. Which is a main benefit or purpose for implementing access mediation?
   a. network security
   b. enforce interconnect agreements
   c. prevent fraud
   d. all of the above
9. Access mediation devices should provide both and inspection.
   a. syntax and header
   b. content and node
   c. syntax and content
   d. message and node
10. What is the key difference between gateway screening and access mediation?
   a. access mediation looks at the message header while gateway screening checks message syntax and content.
   b. gateway screening devices are limited to analyzing traffic based on the message header, while access mediation enables carriers to examine message syntax and content.
   c. there is no difference. Gateway screening and access mediation are the same thing.
   d. all of the above
11. ISUP traffic is being sent at random from a VoIP interconnection using trunk circuit values that do not exist. Which example demonstrates how access mediation can be used to resolve this problem?
   a. The recipient carrier can block those messages, allowing only the traffic permitted by the interconnect agreement.
   b. The network operations manager alerts the provider that they are sending harmful messages and tells them not to do it again.
   c. Access mediation does not apply to this scenario.
12. What type of traffic can access mediation control?
   a. ISUP
   b. AIN
   c. SMS
   d. all of the above
13. Access mediation devices act as intelligent.
   a. gateways
   b. routers
   c. firewalls
14. Access mediation devices inspect SS7 message traversing the network to ensure compliance with the carrier's operations policy.
   a. every
   b. most
   c. none
15. What is syntax inspection?
   a. validating message parameters and their values
   b. validating protocol conformance
   c. validating protocol conformance
Correct Answers

1. Deregulation and convergence have catalyzed the need for access mediation.
2. Any carrier that relies on the PSTN and its SS7 interconnections for service delivery can benefit from access mediation.
3. SMS filtering is a function that can be performed by access mediation.
4. Current gateway screening standards are adequate for ensuring the network is protected.
5. Access mediation is not able to mask protocol differences between networks.
6. If system implementation requires a point code, carriers must reconfigure the network for deployment.
7. The standards bodies developing SS7 were concerned about protecting the network from harmful outside sources.
8. Which is a main benefit or purpose for implementing access mediation?
   a. network security
   b. enforce interconnect agreements
   c. prevent fraud
   d. all of the above
9. Access mediation devices should provide both and inspection.
   a. syntax and header
   b. content and node
   c. syntax and content
   d. message and node
10. What is the key difference between gateway screening and access mediation?
   a. access mediation looks at the message header while gateway screening checks message syntax and content.
   b. gateway screening devices are limited to analyzing traffic based on the message header, while access mediation enables carriers to examine message syntax and content.
   c. there is no difference. Gateway screening and access mediation are the same thing.
   d. all of the above
11. ISUP traffic is being sent at random from a VoIP interconnection using trunk circuit values that do not exist. Which example demonstrates how access mediation can be used to resolve this problem?
   a. The recipient carrier can block those messages, allowing only the traffic permitted by the interconnect agreement.
   b. The network operations manager alerts the provider that they are sending harmful messages and tells them not to do it again.
   c. Access mediation does not apply to this scenario.
12. What type of traffic can access mediation control?
   a. ISUP
   b. AIN
   c. SMS
   d. all of the above
13. Access mediation devices act as intelligent.
   a. gateways
   b. routers
   c. firewalls
14. Access mediation devices inspect SS7 message traversing the network to ensure compliance with the carrier's operations policy.
   a. every
   b. most
   c. none
15. What is syntax inspection?
   a. validating message parameters and their values
   b. validating protocol conformance
   c. validating protocol conformance

Glossary

Acronyms Guide

AIN: advanced intelligent network
CLEC: competitive local exchange carrier
CNAM: calling name delivery service
ILEC: incumbent local exchange carrier
IN: intelligent network
IP: Internet protocol
ISUP: ISDN user part
LNP: local number portability
MNP: mobile number portability
NRC: National Research Council
PSTN: public switched telephone network
SCP: service control point
SMS: short message service
SS7: signaling system 7
SSN: subsystem number
STP: signal transfer point
VoIP: voice over Internet protocol