GSMA FS.11 & FS.19 Diameter Interconnect Security – How to Maintain an Effective Signalling Protection Capability

As an industry, mobile service providers, suppliers and the GSMA have worked together to create a framework of recommendations covering the various network protocols involved in mobile network internetworking: GSM MAP and CAMEL using SS7, LTE/IMS using DIAMETER, SIP/ISUP for voice and GTP-C for mobile data services. Corresponding interconnection security recommendations such as FS.11 (SS7 Interconnect Security Monitoring and Firewall Guideline) and FS.19 (Diameter Interconnect Security) have provided a basis for navigating the task of securing mobile networks effectively. It is clear that whilst these defences, when implemented with an active firewall, have been effective at significantly enhancing network security, attackers have not been deterred. In particular, well-organized and well-funded nation-state intelligence and privately operated organizations have continued to attack networks with increasing sophistication and deception.

 

Signaling Firewalls: Correct Configuration and Optimisation

The AdaptiveMobile Security Signaling Protection Platform provides enhanced security to our customers through the addition of expert security services delivered by our Signaling Threat Intelligence Unit. This team has enabled the successful deployment of security protection to an operationally active status using a rigorous and repeatable process, with a security solution tailored to the specific configuration of our customer networks. It is critically important to complete this optimization and tuning process so that we are able to reduce the security “noise” level. We have found that networks often contain legacy configurations, misconfigured services and testing configurations that have been left unmanaged. Using a methodical process to triage these configurations into managed and allowed, discontinued and removed, or blocked from a 3rd party connection, we reduce the number of events triggered per day to a lower level, allowing the real security threats to become more clearly visible. A well configured firewall will only generate about 1500 security events per million subscribers per day. A badly configured network will produce significantly more than that number.

 

Does this mean that the job is done after a firewall is optimised?

It turns out that once defences are deployed, attackers don’t just accept this and move on to another network. They get creative and use more and more sophisticated methods. It should not be a surprise that they look for unprotected parts of the network and/or unprotected parts of the protocol. The original intent of the “Category 3” name in FS.11 was really to convey to mobile carriers that there would be an ongoing arms race between the attackers and defenders. It was intended to mean that defences would have to be actively maintained and reviewed continuously. Compliance with FS.11 is not about a checklist of protected call flows, but actually more about a process of review, vulnerability detection and countermeasure deployment. This naturally leads to the need for an ongoing audit and analysis process that identifies new vulnerabilities and manages the deployment of effective countermeasures. Attackers are already changing their methods based on defences blocking their attacks.

These review and audit processes can be done on a regular cycle, say on a 3-monthly basis, where the frequency of review minimizes the window of vulnerability to any new threats. From a timing perspective, and depending upon the application being attacked, a 3-month cycle could be acceptable; however, as we move towards 5G and support for critical services, it is likely that a shorter, if not continuous, update cycle is needed.

 

Continually Evolving Threat Landscape

If we look at parallels from other IT security sectors, security often takes the form of penetration testing to pre-empt vulnerabilities and security gaps, combined with active firewalls, passive analytics and data retention for root-cause analysis. Threats and vulnerabilities are collected centrally and updates pushed out to all security platforms. It makes sense that mobile network security should mirror these types of activities and ensure that all signaling firewalls are maintained with the latest threat prevention algorithms and detection methods, even if specific attack types have not targeted your network yet. This is extending the best practice recommendations with real-world experience and observations. In my mind, this is what “Category 3” in FS.11 was intending to cover: not a static technology, but a call to action for the security experts to get involved and contribute to industry research.

We need to walk the walk, and we have, ensuring that after the tuning phase of deployments our Signaling Protection firewalls are maintained on a frequent, regular cycle, with continuous audits from our Threat Intelligence Team and the latest security updates pushed to our supported customers. My view is that if we better protect our customers, we build a more secure mobile community, which is good for everyone.

If you have any questions on the points discussed above, get in touch with our experts.