Moving from closed, circuit switched networks to IP connectivity opened up operators to the full range of weaknesses that internet service providers and users have come to know. Keith Dyer numbers the threats, answers and potential benefits of an IP security policy.
Tunnel hijacking may sound like a plot line from the next James Bond film involving fast trains and bombs with menacing digital timers but, more prosaically, it is in fact the name for just one of the threats mobile operators face as they move into the world of IP.
Since operators first started introducing GPRS networks, around the beginning of 2001, they have had to face the same range of security problems as any other business connected to IP networks.
Early problems with GPRS were mainly related to incompatible equipment, as the standards were so loose, according to David Aminzade, EMEA sales manager of CheckPoint Software Technologies’ cellular division.
“In GPRS a standard is no standard so networks were set up on a non-secure basis,” he recalls.
Initially, operators were worried about the security risk from roaming partners, whose networks connect onto the home network under roaming agreements. The growth of the GRX, the GPRS roaming exchange, exacerbated this problem, because the GRX acts as a network hub connecting operators that may have no direct relationship with each other.
Operators could filter on source IP address to determine which partner operators were allowed onto their own network. But an address list on its own does nothing to protect the home operator from malformed or hostile traffic arriving from an address that is on the list.
To combat this, Aminzade says, operators were able to enforce security policies by installing a GTP-aware firewall on the Gp interface, the GTP link between the home operator’s GSNs and those of other operators (the same GTP traffic runs on the Gn interface between SGSN and GGSN inside the operator’s own network, which is why the two are often treated together as Gn/Gp). The next area of concern came when operators started to look at activity within their own network.
“IP networks are prone to inconsistent behaviour,” Aminzade points out. “Operators couldn’t predict the impact of a bad packet on the network. I have seen one malformed packet taking down a GGSN, for instance. And when you are faced with non-defined input you can’t have a defined output.”
The big problem for operators was that the SGSN handles all the authentication on the network, working with the HLR, VLR and the mobile device itself. But the networking functions, such as end-user IP address assignment, IP connectivity and corporate access, are served by the GGSN, which makes no judgement on the validity of the subscription information it receives over GTP signalling. An intruder who can spoof SGSN signalling can therefore obtain network resources he is not entitled to, or deny service to a valid user.
Aminzade says the threat of accepting unwanted packets onto a GPRS network is real.
“I have personally talked to two operators who have found worms inside their GPRS network and were quite flabbergasted to see how they got there,” he confirms.
Another potential threat exploits the handover between SGSNs when a user moves from one node to another. The two nodes exchange information to complete the handover, and the GGSN fully trusts the information it receives from the new SGSN. If an intruder could impersonate a completed handover, the GGSN would accept that person’s subscriber information. The handover can be impersonated with GTP signalling messages: a spoofed “Update PDP Context Request” or “Create PDP Context Request” sent from a valid SGSN address but referencing a third-party SGSN address as the new endpoint of the tunnel. The attacker could equally send a spoofed “Delete PDP Context Request” to terminate a valid session and then take it over for himself.
Then last year the industry became subject to an attack known as over-billing. Operators are naturally unwilling to share too much information on this, but Aminzade says he knows of at least eight operators who have suffered from it.
An over-billing attack resembles tunnel hijacking in that it exploits a connection that is supposed to be closed. In this instance, though, it is the attacker who sends the message to deactivate his own GTP tunnel. When the attacker’s now “closed” IP address is reallocated from the operator’s pool to a new user, the attacker floods that address with unwanted content from the internet side; the traffic reaches the new user over the Gi interface, and the new user is billed for it.
Again, the accepted response is a firewall on the Gi interface, between the GGSN and the external IP network, as well as on the Gn/Gp side. A firewall that sees both the GTP signalling and the Gi traffic can enforce a rule that, whenever a GTP tunnel is deactivated, all further packets belonging to the closed session are blocked rather than delivered to whoever next receives the address.
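The checks described above for tunnel hijacking and over-billing, together with the source-address list mentioned earlier, are easiest to see in code. The following is an added example written for this article; it is not the article’s own material and not Check Point’s product. It models a GTP-aware firewall that parses GTPv1-C headers and information elements as laid out in 3GPP TS 29.060, rejects an Update PDP Context Request whose GSN Address IE names a different SGSN than the one actually sending it, rejects a Delete PDP Context Request from an SGSN that does not own the tunnel, and purges Gi flows when a tunnel is torn down so that a reassigned address does not inherit the previous holder’s traffic. The SGSN and subscriber addresses, TEIDs and message sequence are constructed sample data, and the firewall is simplified: it learns the assigned address from the Create PDP Context Response and treats the first GSN Address IE as the control-plane address.

```python
"""Added example, not from the article or Check Point: a minimal stateful GTP
filter. Layouts follow GTPv1 (3GPP TS 29.060); addresses and TEIDs are made up."""
import ipaddress
import struct

CREATE_PDP_REQ, CREATE_PDP_RSP, UPDATE_PDP_REQ, DELETE_PDP_REQ = 16, 17, 18, 20
IE_TEID_CTRL, IE_END_USER_ADDR, IE_GSN_ADDR = 17, 128, 133
TV_LEN = {1: 1, 16: 4, 17: 4}   # fixed-length IEs (type < 128): Cause, TEID Data I, TEID Ctrl
addr = lambda b: str(ipaddress.IPv4Address(b))      # 4 raw bytes -> dotted quad
ip4 = lambda s: ipaddress.IPv4Address(s).packed     # dotted quad -> 4 raw bytes

def build_gtpc(msg_type, teid, ies):
    """Encode a GTPv1-C PDU, flags 0x20 (version 1, no optional header fields)."""
    body = b"".join(bytes([t]) + (struct.pack("!H", len(v)) if t >= 128 else b"") + v
                    for t, v in ies)
    return struct.pack("!BBHI", 0x20, msg_type, len(body), teid) + body

def parse_gtpc(pkt):
    """Return (msg_type, header TEID, {ie_type: first value}); E-flag chains not walked."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    body = pkt[8:8 + length]
    if flags & 0x07:                        # S, E or PN set: seq(2)+N-PDU(1)+next-ext(1)
        body = body[4:]
    ies, i = {}, 0
    while i < len(body):
        t = body[i]
        if t < 128:                         # TV: fixed length
            n, i = TV_LEN[t], i + 1
        else:                               # TLV: two-byte length
            n, i = struct.unpack("!H", body[i + 1:i + 3])[0], i + 3
        ies.setdefault(t, body[i:i + n])    # first GSN Address IE = control plane
        i += n
    return msg_type, teid, ies

class GtpFirewall:                           # every method returns True = pass, False = drop
    def __init__(self, allowed_sgsns):
        self.allowed = set(allowed_sgsns)   # the address allow-list on its own
        self.pending = {}    # SGSN control TEID -> SGSN address, awaiting the GGSN's response
        self.contexts = {}   # GGSN control TEID -> {"sgsn": owning SGSN, "ip": assigned address}
        self.flows = set()   # (user_ip, remote_ip) pairs opened from the handset side

    def gn_from_sgsn(self, src, pkt):
        msg, teid, ies = parse_gtpc(pkt)
        if src not in self.allowed:
            return False
        if msg == CREATE_PDP_REQ:
            if addr(ies[IE_GSN_ADDR]) != src:   # claimed SGSN address must be the real sender
                return False
            self.pending[struct.unpack("!I", ies[IE_TEID_CTRL])[0]] = src
            return True
        ctx = self.contexts.get(teid)
        if ctx is None or msg not in (UPDATE_PDP_REQ, DELETE_PDP_REQ):
            return False                        # unknown tunnel or unexpected message
        if msg == UPDATE_PDP_REQ:
            if addr(ies[IE_GSN_ADDR]) != src:   # hijack: valid SGSN redirecting to a third party
                return False
            ctx["sgsn"] = src                   # genuine inter-SGSN handover re-homes the tunnel
            return True
        if ctx["sgsn"] != src:                  # Delete: only the owning SGSN may tear it down
            return False
        del self.contexts[teid]
        self.flows = {f for f in self.flows if f[0] != ctx["ip"]}   # purge stale Gi flows
        return True

    def gn_from_ggsn(self, pkt):
        msg, teid, ies = parse_gtpc(pkt)
        if msg == CREATE_PDP_RSP and teid in self.pending:   # bind GGSN TEID to the address
            self.contexts[struct.unpack("!I", ies[IE_TEID_CTRL])[0]] = {
                "sgsn": self.pending.pop(teid), "ip": addr(ies[IE_END_USER_ADDR][2:])}
        return True

    def gi_packet(self, src, dst, from_handset):
        """Outbound traffic opens a flow; inbound traffic must match an open flow."""
        active = {c["ip"] for c in self.contexts.values()}
        if from_handset:
            if src in active:
                self.flows.add((src, dst))
            return src in active
        return dst in active and (dst, src) in self.flows

def open_session(fw, sgsn, sgsn_teid, ggsn_teid, user_ip):
    """Replay a constructed Create PDP Context exchange through the filter."""
    fw.gn_from_sgsn(sgsn, build_gtpc(CREATE_PDP_REQ, 0, [
        (IE_TEID_CTRL, struct.pack("!I", sgsn_teid)), (IE_GSN_ADDR, ip4(sgsn))]))
    fw.gn_from_ggsn(build_gtpc(CREATE_PDP_RSP, sgsn_teid, [(IE_TEID_CTRL, struct.pack(
        "!I", ggsn_teid)), (IE_END_USER_ADDR, b"\xf1\x21" + ip4(user_ip))]))  # IETF, IPv4

def demo():
    fw = GtpFirewall(allowed_sgsns={"10.0.1.1", "10.0.1.2"})
    user, server = "100.64.0.7", "203.0.113.9"
    open_session(fw, "10.0.1.1", 0x11, 0xAA, user)          # SGSN A opens a session
    fw.gi_packet(user, server, True)                        # handset starts a download
    r = {"reply_passes": fw.gi_packet(server, user, False)}
    r["hijack_update"] = fw.gn_from_sgsn("10.0.1.2", build_gtpc(
        UPDATE_PDP_REQ, 0xAA, [(IE_GSN_ADDR, ip4("192.0.2.66"))]))   # names a third-party SGSN
    r["foreign_delete"] = fw.gn_from_sgsn("10.0.1.2", build_gtpc(DELETE_PDP_REQ, 0xAA, []))
    fw.gn_from_sgsn("10.0.1.1", build_gtpc(DELETE_PDP_REQ, 0xAA, []))   # owner tears down
    open_session(fw, "10.0.1.2", 0x22, 0xBB, user)          # address reassigned to new user
    r["stale_flood"] = fw.gi_packet(server, user, False)    # old download must not get through
    return r
```

Running `demo()` shows the four outcomes the text describes: the genuine subscriber’s download replies pass, the Update that tries to redirect the tunnel to 192.0.2.66 is dropped even though it comes from an SGSN on the allow-list, the Delete from the wrong SGSN is dropped, and once the address 100.64.0.7 has been released and handed to the next subscriber the server’s continuing traffic no longer matches any open flow and is dropped instead of billed to them. A production GTP firewall would also validate mandatory IEs, sequence numbers and GTP-U (G-PDU) traffic, which this model leaves out.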
Although these issues are still current for many operators, and were making life difficult as recently as last year, they have been the subject of discussion for a couple of years. Aminzade says more recent concerns are related to the infection of handsets themselves.
“We are just beginning to see the start of problems associated with smartphones being attacked and taken down. Going forward, operators will need to provide protection for the network from those phones, so the network itself doesn’t get infected.”
But the biggest step will be providing a single management architecture for the security elements within a network.
“We need to look at next generation mobile service deployment and at what sort of need for support of future mobile services there is. The secret will be to have one architecture that looks after all of it. So if you have a Checkpoint firewall on the IP side and a cellular firewall on the GPRS side, they will talk to each other on a common interface.”
This approach will be particularly attractive and necessary for enterprise IT managers, he says.
“IT managers need a multitude of security enforcement points all managed by a central management architecture. It will be the same on cellular networks.”
To aid development on this front, Checkpoint has published APIs that allow vendors of complementary security products to write programs that consume firewall log information or instruct the firewall to take action.
One example of such an integrated approach in a cellular environment might be in revenue assurance and fraud prevention. If a fraud protection system identifies fraudulent activity from a phone, the operator can have the firewall cut that subscriber’s GTP tunnel.
An operator that can offer such an integrated solution may be doing more than merely protecting itself. It may also make itself more attractive to enterprise customers.
“Mobile is viewed as just one part of a solution — in the sense that enterprises are looking to go mobile. However, IT departments are saying they don’t care about the connection, they want to be able to enforce their security policy irrespective of the mode of connection. By extending security management tools to operators in the core network it enables them to enforce a company security policy through a GPRS/UMTS connection in the same way as an IPSec connection.”
The realisation that security could actually be beneficial, rather than an irritant cost, has woken up a market that was sluggish for at least a couple of years.
“Last year things really woke up,” Aminzade says. “It was hard going in 2001 and 2002. But more users mean there is more vulnerability, and the cost to the operator is greater if the network goes down. There is also greater and wider awareness of worms and trojans. The origins of many operators’ technical experts were in the radio world. They appreciate the concerns but wouldn’t make the connection to their own world. But they need to view the mobile network now as just another connection to the internet.”