IP networks introduce the vulnerabilities of the Internet to telecoms infrastructure, as the concept of “trusted partners” falls apart in ever-expanding digital- and IoT-driven ecosystems in which illicit actors purchase roaming network connectivity and network credentials from wireless service providers, using IP connections (i.e., via SIGTRAN in SS7).
Because SS7 and Diameter are the standard for roaming interconnects, they become the vehicles for network-connections abuse. Readily accessible tools for location tracking and SMS/voice interception mean that once-effective authentication such as two-factor sign-in used by banks and credit card companies is no longer secure enough to protect subscribers’ personal information.
Deploying a security appliance is not the answer. It’s important for CSPs to create a security framework and implement security at the gateways (session border controllers (SBCs), signaling transfer points (STPs) and Diameter edge agents).
It also necessitates defense-in-depth, with security in the home location register (HLR)/ home subscriber server (HSS), the Serving GPRS Support Node (SGSN) / Gateway GPRS Support Node (GGSN), and other points in the network. Defense in depth means security implemented in as many places as possible.
Persistent monitoring and analytics is critical. Without visibility, CSPs will not be able to identify attacks on subscribers. Visibility is critical in all networks, especially as we move towards 5G.
While many have discussed encryption as the solution, the reality is encryption (at the MAP or AVP layers) will not prevent SS7 or Diameter location tracking, SMS intercept, or call intercept. Only solid, comprehensive security frameworks implemented in the signaling gateways ensures robust signaling security.
To learn more about securing the network, watch this TIA NOW panel debate about the best path forward.