JP6980885B2 - Transport layer signal safety with next-generation firewall - Google Patents

Description

Firewalls generally allow authorized communication to pass through the firewall, while protecting the network from unauthorized access. A firewall is typically a device or set of devices, such as a computer, or software that runs on the device and provides firewall functionality for network access. For example, a firewall can be integrated into the operating system of a device (eg, a computer, smartphone, or other type of network communicable device). Firewalls are also integrated or integrated as software on computer servers, gateways, network / routing devices (eg network routers), or data appliances (eg security appliances or other types of special purpose devices). You can also do it.

Firewalls typically deny or allow network transmissions based on a set of rules. These sets of rules are often referred to as policies. For example, a firewall can filter inbound traffic by applying a set of rules or policies. Firewalls can also filter outbound traffic by applying a set of rules or policies. Firewalls can also perform basic routing functions.

Various embodiments of the invention are disclosed in the following detailed description and accompanying drawings.
FIG. 1A is a block diagram of a 3G wireless network with a security platform to provide enhanced security according to some embodiments. FIG. 1B is a block diagram of a 4G / LTE wireless network with a security platform for providing enhanced security according to some embodiments. FIG. 2A is an example of a GTPv1-C message exchanged between SGSNs and GGSNs in a 3G network, according to some embodiments. FIG. 2B is an example of a GTPv2-C message exchanged between entities including MMEs, SGWs, and PGWs in a 4G / LTE network according to some embodiments. FIG. 3A is another example of a GTPv1-C message flow between an SGSN and a GGSN in a 3G network, according to some embodiments. FIG. 3B is another example of a GTPv2-C message flow between MMEs, SGWs, and PGWs in a 4G / LTE network, according to some embodiments. Figure 4A shows 4G with a security platform for providing Diameter (Diameter over SCTP) security services over SCTP using next-generation firewalls in mobile networks for service providers, according to some embodiments. It is a block diagram of the / LTE wireless network. FIG. 4B is a block diagram of a 4G / LTE wireless network with a security platform for providing SIGTRAN security with a next generation firewall in a mobile network for service providers, according to some embodiments. .. FIG. 4C is a block diagram of a 4G / LTE wireless network with a security platform for providing SCCP security with a next generation firewall in a mobile network for service providers, according to some embodiments. .. Figure 4D shows a block of a 4G / LTE wireless network with a security platform to provide OSI Layer 7 signaling security with a next generation firewall in a mobile network for service providers, according to some embodiments. It is a figure. Figure 4E shows an example of a signaling protocol stack. Figure 4F shows an example of the SS7 over IP protocol stack. Figure 5A can be prevented to provide enhanced security to the mobile service provider network using a security platform for security policy enforcement, according to some examples, MAP messages. This is an example of a signaling attack using. Figure 5B is a MAP message that can be prevented from providing enhanced security to the mobile service provider network using a security platform for security policy enforcement, according to some examples. Is another example of a signaling attack using. Figure 5C can be prevented to provide enhanced security to the mobile service provider network using a security platform for security policy enforcement, according to some examples, MAP messages. Is another example of a signaling attack using. FIG. 6 is a functional diagram relating to the hardware component of the network device for implementing the security policy in the mobile service provider network environment according to some embodiments. FIG. 7 is a functional diagram relating to the logic component of the network device for implementing the security policy in the mobile service provider network environment according to some embodiments. FIG. 8 is a flow diagram relating to the process for performing transport layer signaling-based security in a mobile network for a service provider, according to some embodiments. FIG. 9 is a flow diagram relating to the process for performing application layer signaling-based security in a mobile network for a service provider, according to some embodiments. FIG. 10 is a flow diagram relating to the process for performing network layer signaling-based security in a mobile network for a service provider, according to some embodiments. FIG. 11 is a flow diagram of the process for running Diameter over SCTP-based security in a mobile network for service providers, according to some embodiments.

The present invention is stored and / or provided in a process, device, system, configuration of matters, a computer program product embodied on a computer-readable storage medium, and / or a memory coupled to a processor. It can be implemented in a number of ways, including a processor, such as a processor configured to execute an instruction to be executed. In this specification, these embodiments, or any other embodiment that can be adopted by the present invention, can be referred to as techniques. In general, the order of the steps in the disclosed process can be varied within the scope of the invention. Unless otherwise stated, a component such as a processor or memory described as being configured to perform a task is a general component that is temporarily configured to perform a task at a given time. , Or it can be implemented as a given component manufactured to perform a task. As used herein, the term "processor" refers to one or more devices, circuits, and / or processing cores configured to process data, such as computer program instructions. It is for reference.

A detailed description of one or more embodiments of the invention is provided below, along with accompanying drawings illustrating the principles of the invention. The present invention will be described in connection with such embodiments, but the invention is not limited to all embodiments. The scope of the invention is limited by claim alone, and the invention includes a number of alternatives, modifications, and equivalents. To provide a complete understanding of the invention, a number of specific details will be provided in the description below. These details are provided by way of illustration, and the present invention may be carried out according to the claims without using some or all of these predetermined details. For clarity, the technical matters known in the art related to the invention are not described in detail so as not to unnecessarily obscure the invention.

Firewalls generally allow authorized communications to pass through the firewall, while protecting the network from unauthorized access. A firewall is typically a device, a set of devices, or software running on a device that provides firewall functionality for network access. For example, a firewall can be integrated into the operating system of a device (eg, a computer, smartphone, or other type of network communicable device). Firewalls can also be various types of devices, such as computer servers, gateways, network / routing devices (eg, network routers), or data appliances (eg, security appliances, or other types of special purpose devices). Or it can be integrated or run as a software application on a security device.

Firewalls typically deny or allow network transmissions based on a set of rules. These sets of rules are often referred to as policies (eg, network policies, or network security policies). For example, a firewall can filter inbound traffic by applying a set of rules or policies to prevent unwanted external traffic from reaching the protected device. Firewalls can also filter outbound traffic by applying a set of rules or policies (eg, allow, block, monitor, notify, or log). ) And / or other actions that can be specified in a firewall / security rule or firewall / security policy, which can be triggered based on various criteria as described herein.)

Security devices (eg, security appliances, security gateways, security services, and / or other security devices) have various security features (eg, firewalls, anti-malware, intrusion prevention / detection, proxies, and / or others. Security features), network features (eg, routing, quality of service (QoS), workload balancing of network-related resources, and / or other network features), and / or may include other features. can. For example, the routing function can be based on source information (eg, source IP address and port), destination information (eg, destination IP address and port), and protocol information.

A basic packet filtering firewall is a packet filtering firewall or a packet filtering firewall that filters network communication traffic by inspecting individual packets sent over the network (eg, a stateless packet filtering firewall). 1st generation firewall). Stateless packet filtering firewalls typically inspect individual packets themselves, and based on the inspected packets (eg, a combination of source and destination address information, protocol information, and port numbers). Apply the rule (using).

The application firewall can also perform application layer filtering (eg, using an application layer filtering firewall or a second generation firewall that works at the application level of the TCP / IP stack). Application tier filtering firewalls or application firewalls typically refer to certain applications and protocols (eg, web browsing using HyperText Transfer Protocol (HTTP), Domain Name System (DNS) requests, File Transfer Protocol (FTP). File transfer using, and various other types of applications and other protocols such as Telnet, DHCP, TCP, UDP, and TFTP (GSS)) can be identified. For example, an application firewall can block an unauthorized protocol that attempts to communicate on a standard port (for example, silently bypassing it by using a non-standard port for that protocol (for example). Unlicensed / unlicensed policies that attempt sneak through) can generally be identified using an application firewall).

Stateful firewalls can also perform stateful-based packet inspection, where each packet is in the context of a set of packets associated with its network-transmitted packet flow (packets / packets). Inspected (for example, stateful firewall or 3rd generation firewall). This firewall technology is commonly referred to as stateful packet inspection. It keeps a record of all connections that pass through the firewall and can determine if the packet is the start of a new connection, part of an existing connection, or an invalid packet. Because. For example, the state of the connection can itself be one of the criteria that triggers the rules in the policy.

Advanced or next-generation firewalls can perform stateless and stateful packet filtering and application layer filtering, as described above. Next-generation firewalls can also implement additional firewall technologies. For example, certain new firewalls, often referred to as advanced or next-generation firewalls, can also identify users and content. In particular, certain next-generation firewalls have expanded the list of applications that these firewalls can automatically identify to thousands of applications. Examples of such next-generation firewalls are commercially available from Palo Alto Networks (for example, Palo Alto Networks PA Series Next Generation Firewalls and Palo Alto Networks VM Series Virtualized Next Generation Firewalls).

For example, Palo Alto Networks next-generation firewalls use a variety of identification technologies to allow enterprises and service providers to identify applications, users, and content-not just ports, IP addresses, and packets. , Allows control. Various identification techniques include Application ID (App-ID ^TM ) for accurate application identification (eg, App ID), User-ID ^TM for user identification (eg, User ID), and ^{Something like Content-ID TM} (eg Content ID) for real-time content scanning (eg, controlling web surfing and limiting data and file transfers). These identification technologies allow enterprises to securely enable the use of applications using business-related concepts instead of following the traditional approach provided by traditional port blocking firewalls. Also, purpose-built hardware for next-generation firewalls, implemented as dedicated equipment, for example, generally provides a higher level of performance for application inspection than software running on general purpose hardware (eg, for example). Palo Alto Networks PA Series Next Generation Firewall, Palo Alto Networks PA Series Next Generation Firewall, leverages dedicated, feature-specific processing that is tightly integrated with the single-pass software engine, such as a security appliance from Palo Alto Networks. Maximize network throughput while minimizing latency).

Today's technical and security challenges in mobile networks for service providers

In today's service provider network environments, service providers can typically only implement static security policies for wireless devices that communicate over the service provider's wireless network (for example, a service provider is a service provider. Security / firewall policies cannot be defined per endpoint and / or per flow for wireless devices that communicate over the wireless network), and any changes are generally made to the network infrastructure. Needs an update. In addition, in today's service provider network environments, service providers typically implement security policies based on the hardware attributes or location information associated with the wireless device for wireless devices that communicate over the service provider's wireless network. Cannot (for example, the service provider has a security policy based on packet content inspection and / or a security policy based on various other related parameters associated with the wireless device, such as the access point of the device communicating over the wireless network. , Cannot be implemented).

Therefore, there are technical and security challenges for service provider networks. Thus, what is needed is a new and improved security technology for such service provider network environments. Specifically, what is needed is a new and improved solution for monitoring service provider network traffic, and more specifically, signal traffic related security issues for service provider networks. An improved solution to solve. For example, GSM (Global System for Mobile Communication), UMTS (Universal Mobile Telecommunication System), LTE (Long Term Evolution) network, GTPv1-C used in 3G network, and / or used in 4G / LTE network. Security in the service provider network to perform packet content inspection of various protocols used in the various interfaces in GTPv2-C, and to promote enhanced security for the service provider network. Applying a policy (eg, a firewall policy).

An overview of technologies for enhancing security in mobile networks for service providers

Therefore, technologies for enhanced security platforms in the service provider network environment are disclosed. Specifically, different system architectures for implementing security platforms in a service provider network environment capable of monitoring different protocols used on different interfaces, and different for providing. The process is disclosed. More specifically, it is used in various interfaces in GSM, UMTS, LTE networks, GTPv1-C used in 3G networks, and / or GTPv2-C used in 4G / LTE networks. In a service provider network environment that can monitor various protocols, various system architectures for implementing a security platform, various processes for providing, and security policies in the service provider network ( For example, applying a firewall policy) is disclosed. For example, the technologies disclosed include applications, IP addresses, content IDs, subscriber locations, and unique device identifiers (eg, mobile phones for Global Systems for Mobile Communications (GSM) networks. International Mobile Equipment Identifier (IMEI) for generally unique 3GPP device identifiers, unique subscriber identifiers (eg International Mobile Sub for unique identification of GSM subscribers, etc.) Scrubbing Equipment Identifier (IMSI), Wireless Access Technology (RAT) (for example, to identify relevant RATs for mobile devices), Decryption on mobile service provider networks to solve signaling security issues Facilitates the application of security policies based on any other information extracted from the signaled traffic, and provides enhanced security in the service provider network (eg, in one or more signaling protocols). Throttling certain messages / traffic to prevent / mitigate DoS attacks and to counter other attacks / vulnerabilities), and / or further described below. Use next-generation firewalls on service provider networks, such as those that facilitate any combination of them.

In one embodiment, the security platform is configured to monitor traffic within the mobile core / service provider's core network (eg, 3GPP release for 3G networks, 3GPP release for 4G networks, and 5G networks. (Includes monitoring the various protocols used for signaling traffic specified in the 3GPP release), extracted from signaling messages and / or user session traffic, as further described below. Implement packet content inspection security monitoring techniques that can be used to apply security policies based on the information provided. For example, a security platform can be configured to dynamically apply security policies for wireless devices on a per IP flow basis (eg, per source / destination IP address).
In one exemplary implementation, the security platform monitors signaling traffic on the mobile service provider network (at one or more layers, such as the transport layer, network layer, and / or application layer). And by dynamically correlating the signaling layer with the security of the data layer, security policies can be dynamically applied per IP flow for wireless devices on the service provider network. Promotes enhanced security in (eg, offers various signaling protocols to implement views integrated into the security platform of the signaling and data layers. Various signaling protocols are, for example: Includes Stream Control Transport Protocol (SCTP) (the signaling transport layer protocol specified in RFC 4960 available at https://tools.ietf.org/html/rfc4960), S1- APP / MME, Diameter (SCTP is an authentication, authorization, and accounting signaling protocol available for its signaling transport protocol, and Diameter is the Internet Engineering Task Force. (IETF) specified in multiple RFCs, including RFC6733 available at https://tools.ietf.org/html/rfc6733), Mobile Application Part (MAP) (http: // www. SS7 / Application Layer Signaling Protocol specified in ITU Q.2220 available at itu.int/rec/T-REC-Q.2220/en/), CAMEL Application Part (CAP) (https://portal) At .3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx-specificationId=1597 Available 3GPP TS29.078 SS7 / Application Layer Signaling Protocol), Intelligent Network Application Part (INAP) (http://www.etsi.org/deliver/etsi_i_ets/300300_300399/30037401/01_60/ets_30037401e01p. SS7 / Application Layer Signaling Protocol as specified in the ETSI specification ETS 300 374-1 available in pdf), Signaling Control Connection Protocol (SCCP) (SCTP is available for its signaling transport protocol). • A network layer protocol, and SCCP is specified in multiple ITU recommendations of the International Tekecon Union (ITU), http://www.itu.int/rec/T-REC-Q.711. Includes ITU Q.711 available at and ITU Q.714 available at http://www.itu.int/rec/T-REC-Q.714/en/), signaling transformers Port (SIGTRAN) (the signaling transport layer protocol specified in RFC 2719 available at https://tools.ietf.org/html/rfc2719), GTPv2-C specified in 3GPP TS 29.274. , And GTPv1-C, as specified in 3GPP TS29.060).

When a mobile device connects to a network (eg, a 3GPP / LTE EPC network), the anchor gateway (eg, a Packet Data Network (PDN) gateway in a 3GPP / LTE EPC network, or PGW) typically goes through a Gx interface. Query the Policy Charging Function and Control (PCRF) entity in to determine its subscriber policy. The PCRF entity sends the information back to the PGW. The information is, for example, QoS, filters, and / or other policy-related information stored within the PCRF entity for that subscriber that should be applied to this subscriber (eg, the PCRF entity is common). Used to manage / control bandwidth and QoS in wireless networks, and AAA servers are commonly used for authentication purposes in wireless networks).

In one embodiment, the security platform is configured to monitor GTP communication between SGSN and GGSN within the mobile core network (eg, next generation firewalls are configured as further described below. Various GTP-C messages exchanged for activation, update, and / or deactivation of GTP sessions within the service provider's network can be monitored), and security platforms (eg, for example). Firewalls (FWs), network sensors that act on behalf of firewalls, or other devices / components that can implement security policies using disclosed technologies) are GTPs, as further described below. -C It is configured to apply security policies using one or more parameters extracted from the message. Therefore, service providers, IoT device providers, and / or system integrators use one or more parameters extracted from GTP-C messages to enhance security, as further described below. The disclosed techniques can be used to construct and implement the policy.

In one embodiment, the security platform is configured to monitor GTP communication between SGSN and GGSN within the mobile core network (eg, next generation firewalls are configured as further described below. GTP-U traffic can be monitored during a GTP session within the service provider's network), and a security platform (eg, a firewall (FW), a network sensor acting on behalf of the firewall, or disclosed. Another device / component that can implement a security policy using technology) uses one or more parameters extracted from the GTP-C message, as described further below. And user session traffic monitored by the security platform during the GTP session (eg, application ID, content ID, URL filtering, and / or other stateful packets extracted from the user traffic during the GTP session. It is configured to apply security policies based on inspection). Therefore, the service provider, IoT device provider, and / or system integrator may be one or more extracted from the information extracted from the user traffic in the GTP-C message and GTP session, as further described below. The disclosed technology can be used to configure and implement enhanced security policies using the parameters of.

For example, the service provider, IoT device provider, and / or system integrator may use IMEI, IMSI, location, RAT, any other information extracted from the decrypted signaling traffic on the mobile service provider network, and / or the system integrator. / Or, different security policies can be applied based on any combination thereof, using next-generation firewalls on the service provider network, as further described below. As another example, service providers, IoT device providers, and / or system integrators are mobile service providers based on user traffic monitored during IMEI, IMSI, location, RAT, and / or GTP sessions. • Different security policies can be applied based on other information extracted from the decrypted signaling traffic on the network.

In one embodiment, a security platform (eg, a firewall, a network sensor acting on behalf of a firewall, or another device / component capable of implementing a security policy), data calls, is further described below. Security policy (eg, granular security policy, subscriber (eg, IMSI) / real-time per IP when set up and / or modified / updated using disclosed technology, such as Dynamically apply mobile devices (eg IMEI) / IP per real time, subscriber location / IP real time, RAT / IP real time, and / or any combination thereof). It is configured to use the existing 3GPP to apply to. For example, a security platform can be configured to dynamically apply security policies for each IP flow for wireless devices.

In one embodiment, signaling messages in the mobile core / service provider's core network (eg, messages exchanged for starting, updating, and stopping tunneling sessions) are current 3GPP EPCs (eg, messages). GTP-C messages), such as GTPv1-C messages for 3G networks and GTPv2-C messages for 4G networks), and / or existing and / or standard messages used in other wireless network environments, and , The security platform is configured to monitor such messages in order to extract one or more parameters available for applying security policies from these messages, as further described below. ing.

In one embodiment, the security platform is configured to monitor user session traffic within a tunnel session (eg, GTP-U traffic) in the mobile core / service provider's core network, further described below. As such, implement packet content inspection security monitoring techniques available to apply security policies based on user session traffic.

In one embodiment, the security platform is a service provider to perform packet content inspection security monitoring techniques available to apply security policies based on session traffic, as further described below. Monitor sessions to / from various network elements in the network (eg, various used for signaling traffic specified in 3GPP releases for 3GPP networks, 3GPP releases for 4G networks, and 3GP releases for 5G networks. It is configured to include monitoring of various protocols).

In one embodiment, the subscriber / IP address is associated with a security policy to facilitate the implementation of a security policy per IP flow using a security platform (eg, Next Generation Firewall (NGFW)) (eg). For example, it maps to it). For example, security platforms can apply fine-grained security policies based on information extracted from signaling messages and / or user session traffic, as further described below.

In one embodiment, the security platform (eg, Next Generation Firewall (NGFW)) monitors signaling transport traffic, including SCTP protocol traffic. For example, the security platform involves performing stateful inspection, SCTP protocol validation, and / or SCTP multi-chunk inspection (eg, those configured within the SCTP protection security profile in the security policy implemented by the security platform). , SCTP protocol traffic can be filtered.

In one embodiment, the security platform (eg, Next Generation Firewall (NGFW)) is a higher layer of signaling transport traffic (eg, signaling transport traffic and signaling traffic) on the service provider's core network. ) Is monitored. For example, the security platform includes performing stateful inspection, SCTP protocol validation, and / or SCTP multi-chunk inspection (eg, those configured within the SCTP protection security profile in the security policy implemented by the security platform). , Signaling transport traffic (eg, SIGTRAN messages) can be filtered.

In one embodiment, the security platform (eg, Next Generation Firewall (NGFW)) monitors the upper layer signaling protocol. For example, security platforms can filter the Layer-7 / Application Layer signaling protocol layer (eg, SSN, GT, including support for filtering protocols used in signaling system No. 7 (SS7) networks. , And filtering by Opcode).

In one embodiment, a security platform (eg, Next Generation Firewall (NGFW)) monitors Diameter signaling traffic. For example, the security platform can be an application ID (eg, an exemplary application ID for Diameter filtering is Diameter Common Message, Diameter Based Accounting, Diameter Credit Control, 3GPP S6a / S6d, 3GPP S9, 3GPP S13 / S13' , 3GPP S6c, 3GPP Sh, and 3GPP Rx, which can contain one or more), command code (eg for 3GPP Application ID: 3GPP-S6a / S6d 3GPP-Update-Location, Application ID: 3GPP -Credit-Control for S9, 3GPP-ME-Identity-Check for 3GPP-S13, Credit-Control for Application ID: Diamter Credit Control, and one or more of AVPs (eg, range 0-16777215). Diameter protocol filtering can be performed on a case-by-case basis (which can include the above).

These and other embodiments and other embodiments, as well as embodiments, are further described below with respect to techniques for providing a security platform that facilitates enhanced signaling security in a service provider network environment.

Illustrative system architecture for implementing enhanced signaling security in mobile networks for service providers

FIG. 1A is a block diagram of a 3G wireless network with a security platform to provide enhanced security according to some embodiments. Figure 1A shows 3G networks (eg, Wired, Wi-Fi, 4G, 5G, and / or (see Figure 1A) to facilitate data communication for subscribers over the Internet and / or other networks. Is an exemplary service provider network environment for 3G network architectures, including (not shown) other networks, which may also be included). As shown in FIG. 1A, the radio access network (RAN) 130 communicates with the mobile core network 120. The RAN 130 may include macrocells 142 in the wireless network and small cells such as 3G microcells 144, 3G picocells 146, and 3G femtocells 148 in the wireless network. As shown, the various user devices 132, 134, and 136 can communicate using different cells in the RAN 130.

As also shown in Figure 1A, small cells, shown as 3G microcells (144), 3G picocells (146), and 3G femtocells (148), are home nodes on the IP broadband wireless network 140. It is networked with a B (Home Node B) gateway (HNB GW) 108, and in this embodiment, the traffic is configured to perform the disclosed security techniques, as further described below. Includes a security platform 102 (eg, a firewall (FW), a network sensor that acts on behalf of a firewall, or another device / component that can perform security policies using the disclosed technology (virtual). Monitored / filtered using equipment / equipment). Also, as shown, the macrocell (NodeB) 142 is in network communication with the wireless network controller (RNC) 110, and the traffic implements the disclosed security techniques, as further described below. A security platform 102 configured to (eg, a firewall (FW), a network sensor that acts on behalf of a firewall, or another device / component that can perform security policies using the disclosed technology). Used to monitor / filter.

As also shown in Figure 1A, the HNB GW 108 and RNC 110 packets through the serving GPRS support node (SGSN) 112 and gateway GPRS support node (GGSN) 114 of the mobile (3G) core network 120, respectively. It communicates with the data network (PDN) 122 and with the public switched telephone network (PSTN) 124 via the mobile switching center (MSC) 116 of the mobile core network 120. As shown, traffic through the mobile core network between SGSN 112 and GGSN 114 on the mobile core network 120 is configured to perform the disclosed security techniques, as further described below. Monitoring using a security platform 102 (eg, a firewall (FW), a network sensor that acts on behalf of the firewall, or another device / component that can perform security policies using the disclosed technology) / Be filtered.

Various UEs, for example the UEs indicated by 132, 134, and 136, are network enabled for mobile and / or fixed wireless networks that can communicate via RAN 130 to access PDN 122. Can include devices. Devices include security cameras (eg, may be in a fixed position), watches, mobile / smartphones, tablets, laptops, computers / PCs or other computing devices (may be in a mobile or fixed position), cars, babies. Monitors, thermostats, and / or various other network-enabled computing devices (eg, any device associated with the Internet of Things (IoT)). Various use case scenarios that apply the disclosed security technologies to wireless network enabled devices to promote new and enhanced security are further described below.

Therefore, in this example, a network architecture is provided to implement the security techniques disclosed for the 3rd generation network implementation, where a security platform is provided to perform traffic monitoring and filtering, further described below. As described, new and enhanced security technologies may be provided based on signaling and packet content inspection information. Given the disclosed embodiments, as is now apparent to those of skill in the art, security platforms are network architectures (eg, inline, pass-through NGFW, and / or, as indicated by FW 102). At various other locations within (implemented as agents or virtual machine (VM) instances) that can run on existing devices in the service provider's network, such as SGSN 112 and / or GGSN 114, and As further described below, it may be provided as well in various wireless network environments, such as 3G, 4G, 5G, and / or other wireless network environments for implementing the disclosed security techniques. Also, as further described below, the disclosed security techniques may be similarly applied to roaming devices connected to the mobile core in a wireless network environment.

FIG. 1B is a block diagram of a 4G / LTE wireless network with a security platform for providing enhanced security according to some embodiments. Figure 1B shows a service provider network environment for a 4G / Long Term Evolution (LTE) Evolved Packet Core (EPC) network architecture, including 4G / LTE networks (eg Wired, Wi-Fi, 3G, 5G, and). / Or other networks can also be included), facilitating data communication for subscribers on the Internet and / or other networks. As shown in FIG. 1B, the radio access network (RAN) 180 communicates with the evolved packet core (EPC) network 170. The RAN 180 may include small cells such as LTE macrocell 192 in the wireless network and LTE microcell 194, LTE picocell 196, and LTE femtocell 198 in the wireless network. As shown, the various user devices (UE) 182, 184, and 186 can communicate using different cells in the RAN 180.

As also shown in FIG. 1B, the femtocell 198 is network communicating with the home eNode B gateway (HeNB GW) 158 over the IP broadband wireless network 190, and in this example the traffic is: As further described in, using a security platform 156E configured to perform the disclosed security technology (eg, a firewall (FW), a network sensor acting on behalf of the firewall, or using the disclosed technology. It is monitored / filtered using a (virtual) device / device) that contains another device / component capable of performing security policies. Also, as shown, macrocell 192 is in network communication with mobility management entity (MME) 160 and service gateway (SGW) 162, and traffic is monitored / filtered using FW 156D. And in this example, the traffic is a security platform configured to perform the disclosed security techniques (eg, a firewall (FW), a network sensor acting on behalf of a firewall, as further described below. Alternatively, it is monitored / filtered using another device / component that can perform security policies using the disclosed technology.

As also shown in Figure 1B, the HeNB GW 158 communicates with the Packet Data Network (PDN) 172 via the SGW 162 and the PDN gateway 164 of the Evolved Packet Core (EPC) network 170. There is. As shown, traffic traversing the mobile core network between the SGW 162 and the EPC 170's GGSN / PGW 164 was configured to perform the disclosed security techniques, as further described below. A (virtual) device / that includes a security platform 152 (eg, a firewall (FW), a network sensor that acts on behalf of the firewall, or another device / component that can perform security policies using the disclosed technology. Monitored / filtered using the device).

It may include mobile and / or fixed wireless network enabled devices such as the UEs represented by 174, 176, 182, 184, and 186. The device allows various UEs to communicate via RAN 180, untrusted non-3GPP Wi-Fi access 177, and / or trusted 3GPP Wi-Fi access 178 to PDN 172 via EPC 170. to access. Here, security platforms 152, 156A, 156B, 156C, 156D, 156E, 156F, and / or 156G, as shown in Figure 1B, can be used to monitor such communications (eg, security platforms are: Can be located at various locations / interfaces within the EPC 170, as shown in Figure 1B). And it will be further explained below. An exemplary UE is a security camera (eg, which may be in a fixed position), a watch, mobile / smartphone, tablet, laptop, computer / PC or other computing device (which may be in a mobile or fixed position), It may include automobiles, baby monitors, thermostats, and / or various other network-enabled computing devices (eg, any device associated with the Internet of Things (IoT)). Various use case scenarios that apply the disclosed security technologies to wireless network enabled devices to promote new and enhanced security are further described below.

Thus, in this example, a network architecture for implementing the security techniques disclosed for 4G / LTE EPC network implementations is provided, where signaling and packet content inspection information, as further described below. Based on this, a security platform for performing traffic monitoring and filtering may be provided to provide new and enhanced security technologies. In view of the disclosed embodiments, as is now apparent to those of skill in the art, the security platform is a network architecture (eg, inline, pass-through NGFW, and / or SGW 162 and / or as indicated by FW 152). In various other locations within (implemented as agents or virtual machines (VMs) instances) that can run on existing devices in the service provider's network, such as PGW 164, and are further described below. As such, it may be provided as well in various wireless network environments, such as 3G, 4G, 5G, and / or other wireless network environments for implementing the disclosed security techniques. Also, as further described below, the disclosed security techniques may be similarly applied to roaming devices connected to the mobile core in a wireless network environment.

FIG. 2A is an example of a GTPv1-C message exchanged between SGSNs and GGSNs in a 3G network, according to some embodiments. Specifically, Figure 2A shows the GTPv1-C messages exchanged to start, update, and stop a GTP session between SGSN 212 and GGSN 214 in a 3G network using the Gn / Gp interface. Shows. GTP is a standardized protocol based on the User Datagram Protocol (UDP).

Referring to FIG. 2A, the first message sent from SGSN 212 to GGSN 214 is a Create PDP Context Request message, as shown in 220. A PDP context creation request message is a message for allocating control and data channels for new network communication access requests to mobile devices in a 3G network (for example, for network communication on a mobile service provider's network). A tunnel for user IP packets is provided). For example, a PDP context creation request message can be a new network communication access request to a mobile device with location, hardware identifier (eg IMEI), subscriber identifier (eg IMSI), and / or wireless access technology (RAT) information. Can be included in.

In one embodiment, the security platform monitors the GTP-C message in the mobile core to extract certain information contained within the GTP-C message based on the security policy (eg, Figure 1A). A pass-through firewall / NGFW located between the SGSN and GGSN in the mobile core as shown in and / or between various other elements / entities in the mobile core / EPC as shown in Figure 1B. Or using a firewall / NGFW implemented as a VM instance or agent running on SGSN, GGSN, SGW, PGW, and / or other entities within the mobile core network / EPC. , Monitoring GTPv1-C messages). For example, the security platform monitors GTP-C messages, and from PDP context creation request messages, location, hardware identifiers (eg IMEI), subscriber identifiers (eg IMSI), as described further below. ) And / or wireless access technology (RAT) information can be extracted.

As shown in Figure 2A, the GGSN 214 sends a PDP context creation request message to the SGSN 212, as shown by 222, and the PDP context creation request message is granted to the mobile device. Indicates whether or not (for example, whether or not to allow mobile devices tunneled user data traffic in the mobile core network). PDP context creation requests and PDP Context Response messages sent using UDP communication on port 2123 are used to create PDP contexts, as shown in Figure 2A.

As also shown in Figure 2A, the PDP Context Request message, indicated by 224, and the Update PDP Context Response message, indicated by 226. Exchanged between SGSN and GGSN. For example, a PDP context update request / response message sent using UDP communication on port 2123 can be used to update one or more parameters for a connection / session.

Referring to FIG. 2A, in this example, a request for network communication access to a mobile device on the mobile service provider's network is allowed, and the SGSN sends the T-PDU message indicated by 228. For example, T-PDU messages can be used for mobile user network communication in tunnels (eg IP packets) (eg control / signaling messages typically use the GTP-C protocol. Communicated on port 2123, and user data messages are typically communicated on port 2152 using the GTP-U protocol). As indicated by 230, T-PDU messages generally include a GTP header, an IP header, a TCP header, and an HTTP payload.

As also shown in Figure 2A, the PDP context is deleted after the user data session is complete. Specifically, the PDP context is deleted after the transfer of user data is complete, and the SGSN and GGSN are indicated by the Delete PDP Context Request message, as indicated by 232, and by 234. Exchange PDP Context Response messages so that they can be deleted. The PDP context delete request and PDP context delete response messages are used to delete the PDP context, as also shown in Figure 2A.

In one embodiment, the disclosed techniques are inspection of signaling / control traffic in a service provider network, such as GTP-C traffic, and tunneled user traffic in a service provider network, such as GTP-U traffic. Perform URL filtering, and use security platforms, such as performing inspections (eg, using NGFWs that can perform packet content inspections to identify application IDs, user IDs, and content IDs). / Or perform other firewalls / security policies for security / threat detection / prevention). In one embodiment, the disclosed technique performs an inspection of signaling / control traffic within the service provider network, such as GTP-C traffic, and the information exchanged within the GTP-C traffic (eg, parameters, hereinafter). Extract subscriber / mobile device, device ID / IMEI, subscriber information / IMSI, and / or location information related to RAT, as described further in. In one embodiment, the disclosed technique performs inspection of signaling / control traffic within a service provider network, such as GTP-C traffic, and information exchanged within GTP-C traffic (eg, described above, And to extract (parameters as described further below) and monitor tunneled user traffic within the service provider network (eg, packets as described above and further described below). Use content inspection).

In one exemplary implementation, the security platform interfaces with SGSN and GGSN respectively to monitor control / signaling traffic (eg, GTP-C messages) and tunneled user traffic (eg, GTP-U). Implement a security platform with GTP monitoring capabilities that is configured to monitor and implement security policies. The security platform can be extracted from control / signaling traffic (eg, GTP-C messages), eg, subscriber / mobile device, device ID / IMEI, subscriber information / IMSI, as described further below. , And / or RAT-related location information can be used, as well as performing packet content inspection on IP packets in the tunnel (eg, T-PDUs), as further described below. As mentioned above, location information / parameters, hardware identifiers (eg IMEI), subscriber identifiers (eg IMSI), and / or radio access technology (RAT) are security as described further below. It can be extracted from the Create PDP Request message by the platform. It is based on the extracted information and / or packet content inspection (eg, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP / MAP / INAP, and / or other signaling protocol traffic, and / Or stored for use in the application of security policies, as further described below) in combination with packet content inspection of various other network protocols used on the service provider network). Get (eg cached for IP flow).

FIG. 2B is an example of a GTPv2-C message exchanged between entities including MMEs, SGWs, and PGWs in a 4G / LTE network according to some embodiments. Specifically, Figure 2B shows GTPv2-C exchanged between MME 252, SGW 254, and PDN-GW (PGW) 256 (eg, as shown as GGSN / PGW in Figure 1B) in a 4G / LTE network. The message details are used to show the GTPv2-C messages that are exchanged for the LTE Attach procedure. As mentioned above, GTP is a standardized protocol based on the User Datagram Protocol (UDP).

Referring to FIG. 2B, various Diameter messages are indicated from the MME 252 to the Home Subscriber Server (HSS) 258 and the Equipment Identity Register (EIR) 274, as well as at 264. Is transmitted between PGW 256 and PCRF 276. In one embodiment, various information / parameters can be extracted from such Diameter message / session traffic based on security policy (eg, MME, SGW, PGW, HSS, as described further below. VM instances or agents running using pass-through firewalls / NGFW located between EIRs and / or PCRFs, or on these entities and / or other entities within the mobile core network. Monitor Diameter messages using a firewall / NGFW implemented as). It may be stored for use in the application of security policies based on the extracted information and / or in combination with packet content inspection of Diameter network protocol traffic as described further below (eg,). , Cached for IP flow).

As shown in Figure 2B, the Create Session Request message is sent from MME 252 to SGW 254, as shown by 260, and then SGW 254, as shown by 262. Is sent to PGW 256. A session creation request message is a message that allocates controls and data channels for new network communication access requests to mobile devices in a 4G / LTE network (for example, for network communication on the mobile service provider's network). A tunnel is provided for IP packets). For example, a GTP session creation request message provides location, hardware identifier (eg IMEI), subscriber identifier (eg IMSI), and / or wireless access technology (RAT) information to new network communication access to mobile devices. Can be included in the request.

In one embodiment, the security platform monitors the GTP-C message among the MME, SGW, and PGW and extracts certain information contained within the GTP-C message based on the security policy (eg,). VM instances running using a pass-through firewall / NGFW located between MMEs, SGWs, and PGWs, or on MMEs, SGWs, and PGWs, and / or other entities in the mobile core network. Or use a firewall / NGFW implemented as an agent to monitor GTPv2-C messages). For example, the security platform monitors GTP-C messages and provides location, hardware identifiers (eg IMEI), subscriber identifiers (eg IMSI), and / or wireless access technology (RAT) below. As described further, it can be extracted from the session creation request message.

After Session Establishment, as shown in Figure 2B, PGW 256 sends a Create Session Response message to SGW 254, as shown in 266. And then, as indicated by 268, whether the session creation request is accepted for the mobile device by sending from SGW 254 to MME 252 (eg, mobile core for the mobile device). Whether to allow tunneled user data traffic in the network). Session creation requests and session creation response messages sent using UDP communication on port 2123 are used to create the initialization context for the session, as shown in Figure 2B.

As also shown in Figure 2B, the Modify Bearer Request message, indicated by 270, and the Modify Bearer Response message, indicated by 272, are between the MME, SGW, and PGW. Will be exchanged at. For example, bearer change request / response messages sent using UDP communication on port 2123 can be used to update one or more parameters for a connection / session.

In one embodiment, the disclosed techniques are signaling in a service provider network such as GTP-C traffic, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP / MAP / INAP, and / or other signaling protocol traffic. / Performs control traffic inspection and inspection of tunneled user traffic in the service provider network, such as GTP-U and various other network protocols used on the service provider network (eg, application ID). URL filtering and / or security / threat detection / using a security platform, such as performed using NGFW, which can perform packet content inspection to identify user IDs, content IDs. Perform other firewall / security policies for prevention). In one embodiment, the disclosed technique performs an inspection of signaling / control traffic within the service provider network, such as GTP-C traffic, and the information exchanged within the GTP-C traffic (eg, parameters, hereinafter). Extract subscriber / mobile device, device ID / IMEI, subscriber information / IMSI, and / or location information related to RAT, as described further in. In one embodiment, the disclosed technique performs inspection of signaling / control traffic within a service provider network, such as GTP-C traffic, and information exchanged within GTP-C traffic (eg, described above, And to extract (parameters as described further below) and monitor tunneled user traffic within the service provider network (eg, packets as described above and further described below). Use content inspection).

In one exemplary implementation, the security platform is configured to monitor the respective interfaces for MME, SGW, PGW, HSS, EIR, and PCRF for control / signaling traffic (eg Diameter messages and GTP). -C message), tunneled user traffic (GTP-U), including GTP, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP / MAP / INAP, and / or other signaling protocol traffic. And / or various other network protocols used on the service provider network, such as GTP, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP / MAP / INAP, and / or other signaling protocols. Those that implement the traffic and / or various other network traffic that monitors the ability to implement the security platform, eg, parameters, subscriber / mobile device, device ID / as further described below. Parameters that can be used, such as IMEI, subscriber information / IMSI, and / or location information related to RAT, and / or any other parameter / information that can be extracted from control / signaling traffic (eg, GTP-. C message and / or message type), as well as packet content inspection and SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP / MAP / INAP, and / or other signaling protocol traffic for IP packets in tunnels. And / or various other network protocols used on the service provider network, as further described below. As mentioned above, location / parameters, hardware identifiers (eg IMEI), subscriber identifiers (eg IMSI), and / or wireless access technology (RAT) may be extracted from the session creation request message by the security platform. .. It may be stored for use in applying security policies based on this extracted information and / or in combination with packet content inspection, as further described below (eg, IP flow). Cached in relation to).

The disclosed technology is
GTPv1-C and GTP-U, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP / MAP / INAP, and / or other signaling protocol traffic, and / or within 3G Mobile Packet Core (MPC) and 4G Evolved A service provider that uses GTPv2-C and GTP-U protocols, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP / MAP / INAP, and / or other signaling protocol traffic within the Packet Core (EPC). Shown and generalized herein with respect to performing network traffic inspection for various other network protocols used above and / or various other network protocols used on service providers. And / or location, device, subscriber, and / or RAT parameters / information (eg, location information, hardware identifier, subscriber identifier information, RAT type information, and / or respective protocols. Other specific mobile network protocols (eg, 5G cores), including user / equipment / other specific parameters of the network in) and / or tunneled user traffic on the service provider network for mobile device communication. It can be implemented in other mobile core networks as well, using networks (such as networks or other mobile network protocols).

FIG. 3A is another example of a GTPv1-C message flow between an SGSN and a GGSN in a 3G network, according to some embodiments. Specifically, Figure 3A shows the exchanged GTPv1-C messages for the GTPv1-C Create PDP Message flow between SGSN 302 and GGSN 304 in the 3G network.

Referring to Figure 3A, a Create PDP Request message is sent from SGSN 302 to GGSN 304 using the Gn / Gp interface, as shown by 310. As indicated by 312, a Create PDP Response message is sent from the GGSN 304 to the SGSN 302 using the Gn / Gp interface.

FIG. 3B is another example of a GTPv2-C message flow between MMEs, SGWs, and PGWs in a 4G / LTE network, according to some embodiments. Specifically, Figure 3B shows GTPv2-C between MME 322, SGW 324, and PDN-GW (PGW) 326 (eg, shown as GGSN / PGW in Figure 1B) in a 4G / LTE network. Shows the exchanged GTPv2-C messages for the Create Session Message flow.

Referring to Figure 3B, a Create Session Request message is sent from MME 322 to SGW 324 using the S11 interface, as shown at 330, and then at 332. As such, it is sent from SGW 324 to PGW 326 using the S5 / S8 interface. A Create Session Response message is sent from PGW 326 to SGW 324 using the S5 / S8 interface, as indicated by 334, and then S11, as indicated by 336. Sent from SGW 324 to MME 322 using the interface.

Various information / parameters such as location, hardware identifier (eg, IMEI), subscriber identifier (eg, IMSI), and / or radio access technology (RAT) information, as described further below. Control / signaling traffic monitored by the security platform (eg, GTPv1-CPDP PDP creation request message, GTPv2-C session creation request message, and / or other control / signaling protocol message in the mobile core network). Can be extracted from. It is based on this extracted information and / or packets executed by the security platform on user data traffic (eg, GTP-U traffic and / or other tunnel user data protocols in the mobile core network). Can be stored for use in applying security policies in combination with content inspection (eg cached in connection with IP flows).

Technology for Transport Layer Signaling Security with Next Generation Firewalls in Mobile Networks for Service Providers

In one embodiment, the technology disclosed for enhanced security in a mobile network for a service provider is to provide transport layer signaling security in the mobile network for a service provider (eg, the SIGTRAN protocol). including. For example, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks), and , Mobile Virtual Network Operator (MVNO) is a user device (eg, subscriber's mobile device) and / or IoT that connects to a mobile network using 3G, 4G, or 5G wireless access technology (RAT). The disclosed techniques can be applied to provide transport layer signaling-based security for the device.

For example, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks), and , MVNO providers provide application tier signaling to network elements in 3G Mobile Packet Core (MPC), 4G Evolved Packet Core (EPC), and / or other mobile core networks (eg, 5G core networks). The disclosed technology can be applied to apply the base security.

As another example, Internet Private Exchange (IPX) and GPRS Roaming Exchange (GRX) providers are mobile service providers that receive network interconnection services for 3G, 4G, and / or 5G technologies (eg, mobile networks). To provide application tier signaling-based security to service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks. , The disclosed technology can be applied.

Yet another example is a mobile service provider (eg, a mobile network service provider, a mobile device or IoT service provider, a security service provider, or other device / service that provides devices / services related to the use of a mobile network. An entity) may be another mobile service provider (eg, a mobile network service provider, mobile device or IoT service provider, security service provider, or) that receives network connectivity services for 3G, 4G, and / or 5G technologies. , Other entities that provide devices / services related to the use of mobile networks) can apply the disclosed technology to provide application tier signaling-based security.

In one embodiment, the mobile service provider can apply the disclosed technology to provide new and enhanced transport layer signaling security in the mobile network for the service provider. .. For example, mobile service providers can apply the disclosed technology to provide transport layer signaling-based security services. As another example, mobile service providers offer transport layer signaling-based threat detection services (eg, transport layer signaling-based basic threat detection services for known threats, transport layer signaling-based services for unknown threats. Apply the disclosed technology to provide advanced threat detection services and / or other threat detection services that can utilize transport layer signaling-based information to apply security policies). Can be done. As yet another example, mobile service providers can apply the disclosed technology to provide transport layer signaling-based threat protection services for known threats (eg, transport to known threats). Basic threat protection services based on layered signaling, advanced threat prevention services based on transport layer signaling against unknown threats, and / or the use of transport layer signaling-based information to apply security policies. Other threat protection services that can be).

Therefore, the technologies disclosed for enhanced security in mobile networks for service providers include performing transport layer signaling-based security, as well as to higher layers of signaling traffic in mobile networks. It involves using a security platform that can enforce security policies based on filtered transport layer signaling information / messages or higher layer signaling information / messages (eg, application signaling layer).

As is now apparent to those of skill in the art, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or devices / services related to the use of mobile networks. Other entities that provide) may provide these transport layer signaling-based security services or combinations thereof, as well as various other signaling layer-based security services that use the disclosed technology. Mobile service providers also offer a variety of other enhanced security services, such as subscriber / user identification base, hardware identification base, RA base, and / or combinations thereof, as further described below. In combination with, the disclosed technology can also be applied to provide such transport layer signaling-based security services.

A mobile network for service providers based on transport layer signaling information / messages (and / or other packet content inspection and / or in combination with NGFW technologies such as application IDs, user IDs, content IDs, URL filtering). These and other techniques for providing enhanced security in are detailed below.

Technology for Application Layer Signaling Security with Next Generation Firewalls in Mobile Networks for Service Providers

In one embodiment, the disclosed technology for enhancing security in a mobile network for a service provider is application layer signaling security in the mobile network for a service provider (eg, CAP, MAP, INAP, and /. Or other layer-7 / application layer signaling protocol). For example, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks), and , MVNO providers are application-tier signaling-based for user equipment (eg, subscriber mobile devices) and / or IoT devices that connect to mobile networks using 3G, 4G, or 5G wireless access technology (RAT). The disclosed technology can be applied to provide security for the Internet of Things.

For example, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks), and , MVNO providers provide application tier signaling to network elements in 3G Mobile Packet Core (MPC), 4G Evolved Packet Core (EPC), and / or other mobile core networks (eg, 5G core networks). The disclosed technology can be applied to apply the base security.

As another example, Internet Private Exchange (IPX) and GPRS Roaming Exchange (GRX) providers are mobile service providers that receive network interconnection services for 3G, 4G, and / or 5G technologies (eg, mobile networks). To provide application tier signaling-based security to service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks. , The disclosed technology can be applied.

Yet another example is a mobile service provider (eg, a mobile network service provider, a mobile device or IoT service provider, a security service provider, or other device / service that provides devices / services related to the use of a mobile network. An entity) may be another mobile service provider (eg, a mobile network service provider, mobile device or IoT service provider, security service provider, or) that receives network connectivity services for 3G, 4G, and / or 5G technologies. , Other entities that provide devices / services related to the use of mobile networks) can apply the disclosed technology to provide application tier signaling-based security.

In one embodiment, the mobile service provider can apply the disclosed technology to provide new and enhanced application layer signaling security in the mobile network for the service provider. For example, mobile service providers can apply the disclosed technology to provide application layer signaling-based security services. As another example, mobile service providers offer application layer signaling-based threat detection services (eg, application-layer signaling-based basic threat detection services for known threats, application-layer signaling-based advanced threats for unknown threats. The disclosed technology can be applied to provide detection services and / or other threat detection services that can utilize application layer signaling-based information to apply security policies. As yet another example, mobile service providers can apply the disclosed technology to provide application layer signaling-based threat protection services for known threats (eg, application layer signaling for known threats). Basic threat protection services based, advanced threat protection services based on application layer signaling against unknown threats, and / or other threats that can utilize application layer signaling-based information to apply security policies. Prevention service).

Thus, technologies disclosed for enhanced security in mobile networks for service providers include performing application layer signaling-based security, filtered application layer signaling information / messages, or lower layer signaling. Use a security platform that can enforce security policies based on information / messages (eg transport and network signaling layers).

As is now apparent to those of skill in the art, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or devices / services related to the use of mobile networks. Other entities that provide) may provide these application tier signaling-based security services or combinations thereof, as well as various other signaling tier-based security services that use the disclosed technology. Mobile service providers also offer a variety of other enhanced security services, such as subscriber / user identification base, hardware identification base, RA base, and / or combinations thereof, as further described below. In combination with, the disclosed technology can also be applied to provide such application layer signaling-based security services.

In mobile networks for service providers based on application layer signaling information / messages (and / or other packet content inspection and / or in combination with NGFW technologies such as application IDs, user IDs, content IDs, URL filtering). These and other technologies for providing enhanced security are detailed below.

Technology for network layer signaling security with next-generation firewalls in mobile networks for service providers

In one embodiment, the techniques disclosed for enhancing security in a mobile network for a service provider include providing network layer signaling security in the mobile network for a service provider. For example, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks), and , MVNO providers are SCCP-based (SCCP) for user devices (eg, subscriber mobile devices) and / or IoT devices that connect to mobile networks using 3G, 4G, or 5G wireless access technology (RAT). The disclosed technology can be applied to provide -based) security.

For example, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks), and , MVNO providers provide application tier signaling to network elements in 3G Mobile Packet Core (MPC), 4G Evolved Packet Core (EPC), and / or other mobile core networks (eg, 5G core networks). The disclosed technology can be applied to apply the base security.

As another example, Internet Private Exchange (IPX) and GPRS Roaming Exchange (GRX) providers are mobile service providers that receive network interconnection services for 3G, 4G, and / or 5G technologies (eg, mobile networks). To provide application tier signaling-based security to service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks. , The disclosed technology can be applied.

Yet another example is a mobile service provider (eg, a mobile network service provider, a mobile device or IoT service provider, a security service provider, or other device / service that provides devices / services related to the use of a mobile network. An entity) may be another mobile service provider (eg, an MVNO provider, mobile device or IoT service provider, security service provider, or mobile network) that receives network connectivity services for 3G, 4G, and / or 5G technologies. The disclosed technology can be applied to provide application tier signaling-based security to other entities that provide devices / services related to their use.

In one embodiment, the mobile service provider can apply the disclosed technology to provide new and enhanced network layer signaling security in the mobile network for the service provider. For example, mobile service providers can apply the disclosed technology to provide network layer signaling-based security services. As another example, mobile service providers offer network layer signaling-based threat detection services (eg, SCCP-based, network-layer signaling-based basic threat detection services for known threats, advanced threat detection for unknown threats. The disclosed technology may be applied to provide services and / or other threat detection services that can utilize SCCP-based information to apply security policies). As yet another example, mobile service providers can apply disclosed technologies to provide network layer signaling-based threat protection services for known threats (eg, SCCP-based, known threats). Network layer signaling-based basic threat protection services against, advanced threat protection services against unknown threats, and / or other threat protection services that can utilize SCCP-based information to apply security policies). ..

Therefore, technologies disclosed for enhanced security in mobile networks for service providers include performing network layer signaling-based security, including filtered network layer signaling information / messages (eg, SCCP information /). Use a security platform that can enforce security policies based on (messages) or lower / upper layer signaling information / messages.

As is now apparent to those of skill in the art, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or devices / services related to the use of mobile networks. Other entities that provide) may provide these network tier signaling-based security services or combinations thereof, as well as various other signaling tier-based security services that use the disclosed technology. Mobile service providers also offer a variety of other enhanced security services, such as subscriber / user identification base, hardware identification base, RA base, and / or combinations thereof, as further described below. In combination with, the disclosed technology can also be applied to provide such network layer signaling-based security services.

In a mobile network for service providers based on network layer signaling information / messages (and / or other packet content inspection and / or in combination with NGFW technologies such as application IDs, user IDs, content IDs, URL filtering). These and other technologies for providing enhanced security are detailed below.

Technology for Diameter Security on SCTP with Next Generation Firewall in Mobile Networks for Service Providers

In one embodiment, the technology disclosed for enhanced security in a mobile network for a service provider is Diameter over SCTP security with a next generation firewall in the mobile network for the service provider. ) Includes providing. For example, mobile service providers and MVNOs use Diameter security on SCTP (eg, using NGFW with an application ID) for user equipment that connects to a mobile network via a 3G, 4G, or 5G network. The disclosed technology can be applied to provide (in combination).

For example, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks), and , MVNO providers provide application tier signaling to network elements in 3G Mobile Packet Core (MPC), 4G Evolved Packet Core (EPC), and / or other mobile core networks (eg, 5G core networks). The disclosed technology can be applied to apply the base security.

As another example, Internet Private Exchange (IPX) and GPRS Roaming Exchange (GRX) providers are mobile service providers that receive network interconnection services for 3G, 4G, and / or 5G technologies (eg, mobile networks). To provide application tier signaling-based security to service providers, mobile devices or IoT service providers, security service providers, or other entities that provide devices / services related to the use of mobile networks. , The disclosed technology can be applied.

Yet another example is a mobile service provider (eg, a mobile network service provider, a mobile device or IoT service provider, a security service provider, or other device / service that provides devices / services related to the use of a mobile network. An entity) may be another mobile service provider (eg, a mobile network service provider, mobile device or IoT service provider, security service provider, or) that receives network connectivity services for 3G, 4G, and / or 5G technologies. , Other entities that provide devices / services related to the use of mobile networks) can apply the disclosed technology to provide application tier signaling-based security.

In one embodiment, the techniques disclosed for enhanced security in mobile networks for service providers include providing Diameter security over SCTP in mobile networks for service providers. For example, a mobile service provider applies the disclosed technology to provide Diameter security over SCTP for user equipment (eg, a subscriber's mobile device) and / or IoT equipment connecting to a mobile network. can do.

In one embodiment, the mobile service provider may apply the disclosed technology to provide a new and enhanced Diameter security service on SCTP in the mobile network for the service provider. can. For example, mobile service providers can apply the disclosed technology to provide Diameter security services over SCTP. As another example, mobile service providers use information extracted from Diameter on SCTP to provide threat detection services (eg, basic threat detection services for known threats in Diameter on SCTP, Diameter on SCTP). To provide advanced threat detection services for unknown threats, and / or other threat detection services that can utilize Diameter's decoded / extracted information on SCTP to apply security policies. , The disclosed technology can be applied. As yet another example, mobile service providers can apply disclosed technology to provide threat protection services for known threats using information extracted from Diameter on SCTP (eg,). , Basic threat protection services for known Diameter-based threats on SCTP, Advanced threat protection services for unknown Diameter-based threats on SCTP, and / or Diameter on SCTP to apply security policies. Other threat protection services that can utilize the decoded / extracted information).

In one embodiment, the technology disclosed for security enhancements in mobile networks for service providers uses a security platform that can implement a security policy based on Diameter's decoded / extracted information on SCTP. Includes performing Diameter-based security on SCTP in mobile networks. For example, a security platform can monitor (eg, parse) Protocol / Payload to monitor Diameter traffic on SCTP in a mobile network and extract various information.

An exemplary system architecture for implementing enhanced signaling security in mobile networks for service providers

Figure 4A shows a 4G / LTE wireless network with a security platform for providing Diameter security services over SCTP with a next generation firewall in a mobile network for service providers, according to some embodiments. It is a block diagram. Figure 4A is exemplary for 4G / LTE EPC network architectures that include 4G / LTE networks (and can also include, for example, wired, Wi-Fi, 3G, 5G, and / or other networks). A service provider network environment that facilitates data communication for subscribers on the Internet and / or other networks. As shown in Figure 4A, the Home Public Land Mobile Network (PLMN) 424 is a wireless access network (RAN) that communicates with the Evolved Packet Core (EPC) network 402 over the backhaul (BH) network. ) Communicates with 436 and facilitates access to the Packet Data Network (PDN) 438 (eg, the Internet). As shown, the visitor PLMN 426 also communicates with the RAN 432, which communicates with the EPC network 412 over the BH network, facilitating access to the PDN 434 (eg, the Internet). As shown, a variety of mobile user devices such as mobile user devices 428 (eg mobile phones, tablets, watches, laptops, and / or other computing devices) and connected mono 430s (eg, various IoT devices). The user device can communicate using various cells in RAN 432.

Figure 4A shows a network of security platforms, shown as FW 404s (eg, NGFW or other security platform similar to the above) for monitoring and decoding Diameter traffic on SCTP between EPC 402 and EPC 412. Shows the placement. Specifically, the FW 404 monitors Diameter traffic on SCTP between the Mobile Management Entity (MME) 414 and the Equipment Identity Register (EIR) 406 (eg, through the S13 interface). As shown in 418, it promotes SCTP association and inspects the Diameter payload. The FW also monitors Diameter traffic on the SCTP between the MME 414 and the Home Subscriber Server (HSS) 408 (eg, via the S6a interface) and associates with the SCTP as shown in 420. And inspect the Diameter payload. Similarly, the FW 404 is on the SCTP between the Visitor Policy Control and Billing Rule Function (V-PCRF) 416 and the Home Policy Control and Billing Rule Function (H-PCRF) 410 (eg, via the S9 interface). Monitor Diameter traffic to facilitate SCTP associations and inspect Diameter payloads, as shown in 422.

For example, using the disclosed technology, various security policies can be enforced by the FW 404 based on the parameters / information extracted from Diameter traffic on such SCTP (eg, roaming subscribers are common). In addition, to promote enhanced roaming security on the service provider network, a separate security policy may be enforced that is different from the security policy enforced for non-roaming subscribers). In one exemplary implementation, roaming subscribers have restricted access based on application IDs (and / or information determined by other packet content inspections such as content IDs, user IDs, URLs, etc.). And / or various other security policies may be implemented.

As is now apparent to those of skill in the art, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or devices / services related to the use of mobile networks. Other entities that provide), and MVNO providers, using the disclosed technology, each of these Diameter-based security services on SCTP, or combinations thereof, as well as Diameter-based services on other SCTPs. Can be provided. Mobile service providers will also apply the disclosed technology to provide Diameter-based services on such SCTP in combination with various other enhanced security services, as further described below. .. Other enhanced security services include location-based, mobile device identifier-based, mobile user identifier-based, and / or combinations thereof.

Various of these and other technologies (eg, application ID, user ID, content ID, URL filtering, etc.) to provide technology for Diameter security on SCTP using next-generation firewalls in mobile networks for service providers. Packet content inspection and / or those using NGFW technology) are further described below.

FIG. 4B is a block diagram of a 4G / LTE wireless network with a security platform for providing SIGTRAN security with a next generation firewall in a mobile network for service providers, according to some embodiments. .. Figure 4B is an example of a service provider network environment for a 4G / LTE EPC network architecture, including 4G / LTE networks (eg, and also Wired, Wi-Fi, 3G, 5G, and / Or other networks can also be included), facilitating data communication for subscribers via the Internet and / or other networks. As shown in Figure 4B, the home PLMN 424 communicates with the RAN 436, and the RAN communicates via the BH network with the mobile core network, shown as the EPC 450. The EPC includes a serving GPRS support node (SGSN) 442, a mobile switching center (MSC) 444, a home location register (HLR) 446, and a visitor location register (VLR) 448. Also, as shown, the visitor PLMN 426 communicates with the global signaling system No. 7 (SS7) network 452, and SS7 communicates with the mobile core network. As will be apparent to those of skill in the art, various UEs, such as mobile user devices (eg, mobile phones, tablets, watches, laptops, and / or other computing devices), and connected objects (eg, various). The IoT device) can communicate via the home PLMN 424 (eg, using various cells in the RAN 436), or similarly via the visitor PLMN 426.

Figure 4B shows a security platform (eg, NGFW or NGFW) between the EPC 450 and the global SS7 network 452, shown as the FW 440, for monitoring and decoding SIGTRAN traffic between the EPC 450 and the global SS7 network 452. It shows the network layout of other security platforms similar to the above).

For example, using the disclosed technology, various security policies may be enforced by the FW 440 based on the parameters / information extracted from such SIGTRAN traffic (eg, roaming subscribers are generally non-roaming). A separate security policy may be enforced that is different from the security policy enforced on the subscriber). In one exemplary implementation, roaming subscribers have restricted access based on application IDs (and / or information determined by other packet content inspections such as content IDs, user IDs, URLs, etc.). And / or various other security policies may be implemented.

As is now apparent to those of skill in the art, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or devices / services related to the use of mobile networks. Other entities that provide), and MVNO providers may use the disclosed technology to provide each of these SIGTRAN-based security services, or a combination thereof, as well as other SIGTRAN-based services. .. Mobile service providers also apply the disclosed technology to provide such SIGTRAN-based services in combination with various other enhanced security services, as further described below. Other enhanced security services include location-based, mobile device identifier-based, mobile user identifier-based, and / or combinations thereof.

Various packet content inspections and / or various technologies for providing SIGTRAN security with next-generation firewalls in mobile networks for service providers, such as application IDs, user IDs, content IDs, URL filtering, etc. Those that use NGFW technology) are described further below.

FIG. 4C is a block diagram of a 4G / LTE wireless network with a security platform for providing SCCP security with a next generation firewall in a mobile network for service providers, according to some embodiments. .. Figure 4C is an example of a service provider network environment for a 4G / LTE EPC network architecture, including 4G / LTE networks (eg, and also Wired, Wi-Fi, 3G, 5G, and / Or other networks), facilitating data communication for subscribers via the Internet and / or other networks. As shown in Figure 4C, the home PLMN 424 communicates with the RAN 436, and the RAN communicates via the BH network with the mobile core network, shown as the EPC 450. EPCs include SGSN42, MSC444, HLR446, and VLR448. Also, as shown, the visitor PLMN 426 communicates with the global sig SS7 network 452 and the SS7 communicates with the mobile core network. As will be apparent to those of skill in the art, various UEs, such as mobile user devices (eg, mobile phones, tablets, watches, laptops, and / or other computing devices), and connected objects (eg, various). The IoT device) can communicate via the home PLMN 424 (eg, using various cells in the RAN 436), or similarly via the visitor PLMN 426.

Figure 4C shows a security platform (eg, NGFW or NGFW) between the EPC 450 and the global SS7 network 452, shown as the FW 460, for monitoring and decoding SCCP traffic between the EPC 450 and the global SS7 network 452. It shows the network layout of other security platforms similar to the above).

For example, using the disclosed technology, various security policies can be enforced by the FW 460 based on the parameters / information extracted from such SCCP traffic (eg, roaming subscribers are generally non-roaming). A separate security policy may be enforced that is different from the security policy enforced on the subscriber). In one exemplary implementation, roaming subscribers have restricted access based on application IDs (and / or information determined by other packet content inspections such as content IDs, user IDs, URLs, etc.). And / or various other security policies may be implemented.

As is now apparent to those of skill in the art, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or devices / services related to the use of mobile networks. Other entities that provide), and MVNO providers may use the disclosed technology to provide each of these SCCP-based security services, or a combination thereof, as well as other SCCP-based services. .. Mobile service providers will also apply the disclosed technology to provide such SCCP-based services in combination with various other enhanced security services, as further described below. Other enhanced security services include location-based, mobile device identifier-based, mobile user identifier-based, and / or combinations thereof.

These and other technologies for providing SCCP security with next-generation firewalls in mobile networks for service providers (eg, various packet content inspections and / or NGFW such as application IDs, user IDs, content IDs, URL filtering, etc. Those that use technology) are further described below.

Figure 4D shows a block of a 4G / LTE wireless network with a security platform to provide OSI Layer 7 signaling security with a next generation firewall in a mobile network for service providers, according to some embodiments. It is a figure. Figure 4D is an example of a service provider network environment for a 4G / LTE EPC network architecture, including 4G / LTE networks (eg, and also Wired, Wi-Fi, 3G, 5G, and / Or other networks), facilitating data communication for subscribers via the Internet and / or other networks. As shown in Figure 4D, the home PLMN 424 communicates with the RAN 436, and the RAN communicates via the BH network with the mobile core network, shown as the EPC 450. EPCs include SGSN442, MSC444, HLR446, and VLR448. Also, as shown, the visitor PLMN 426 is communicating with the global SS7 network 452 and the SS7 is communicating with the mobile core network. As will be apparent to those of skill in the art, various UEs, such as mobile user devices (eg, mobile phones, tablets, watches, laptops, and / or other computing devices), and connected objects (eg, various). The IoT device) can communicate via the home PLMN 424 (eg, using various cells in the RAN 436), or similarly via the visitor PLMN 426.

Figure 4D shows a security platform (eg, FW 440) between the EPC 450 and the global SS7 network 452 for monitoring and decoding OSI Layer 7 signaling traffic between the EPC 450 and the global SS7 network 452. , NGFW or other security platform similar to the above) network deployment.

For example, using the disclosed technology, the FW 470 will vary based on the parameters / information extracted from such OSI Layer 7 signaling traffic (eg, CAP / MAP / INAP or other OSI Layer 7 signaling traffic). A security policy may be enforced (eg, roaming subscribers may implement a separate security policy that is generally different from the security policy enforced for non-roaming subscribers). In one exemplary implementation, roaming subscribers have restricted access based on application IDs (and / or information determined by other packet content inspections such as content IDs, user IDs, URLs, etc.). And / or various other security policies may be implemented.

As is now apparent to those of skill in the art, mobile service providers (eg, mobile network service providers, mobile devices or IoT service providers, security service providers, or devices / services related to the use of mobile networks. Other entities that provide), and MVNO providers, use the disclosed technology to provide security services based on such OSI Layer 7 signaling (eg, CAP / MAP / INAP or other OSI Layer 7 signaling traffic), or Each of these combinations, as well as other OSI Layer 7 signaling-based services, can be provided. Mobile service providers will also apply the disclosed technology to provide such OSI Layer 7 signaling-based services in combination with various other enhanced security services, as further described below. .. Other enhanced security services include location-based, mobile device identifier-based, mobile user identifier-based, and / or combinations thereof.

These and other technologies for providing OSI Layer 7 signaling security with next-generation firewalls in mobile networks for service providers (eg, various packet content inspections such as application IDs, user IDs, content IDs, URL filtering, and so on. / Or those using NGFW technology) are further described below.

Figure 4E shows an exemplary signaling protocol stack. Referring to FIG. 4E, the exemplary signaling layer includes CAP, MAP, INAP, TCAP, SCCP, SIGTRAN, Diameter, and SCTP.

Figure 4F shows an example of the SS7 over IP protocol stack SS7 over IP protocol stack. Referring to Figure 4F, Layer 7 / application signaling layers such as CAP, MAP, and INAP are also shown.

Examples of signaling attacks that can be prevented to provide enhanced security to mobile / service provider networks using a security platform for security policy enforcement.

An exemplary MAP protocol vulnerability and security platform solution against attacks

Figure 5A can be prevented to provide enhanced security to the mobile service provider network using a security platform for security policy enforcement, according to some examples, MAP messages. This is an example of a signaling attack using. In this first example of a signaling attack, when a MAP anyTimeInterrogation (ATI) message 502 is sent from an unauthorized user / attacker 530 to a subscriber's HLR 514 (eg, such an ATI message is the subscriber's cell identifier). (Can query the subscriber's HLR for Cell-ID) and IMEI), ATI messages trigger provideSubscriberInfo (PSI) message 504, and PSI messages then to MSC / VLR 516. Will be sent. The MSC / VLR is connected / wirelessly communicated with the subscriber's device 518, as indicated by paging request message 506. In response, the subscriber's device 518 returns the subscriber's cell identifier along with other information, as indicated by paging response message 508. Then, the MSC / VLR 516 returns the provideSubscriberInfo response message 510, and the HLR 514 returns the anyTimeInterrogation response message 512, as indicated.

In the signaling attack using the MAP message in this example, the unauthorized user / attacker can then use the anyTimeInterrogation response message to obtain the cell identifier of the subscriber's device. The cell identifier can then be mapped to the actual location (eg, street level) using publicly available mapping information. Thus, signaling attacks using this type of MAP message can be used by unauthorized users / attackers to monitor the location of subscribers with the permission or knowledge of the subscribers.

In one embodiment, the disclosed technique can be performed by a security platform to monitor OSI Layer 7 / Application Layer signaling traffic, including MAP traffic, and decode the monitored MAP traffic. The security policy may be configured to identify signaling attacks with such MAP messages and to block / drop anyTimeInterrogation request messages from untrusted / external networks. This does not allow unauthorized users / attackers to obtain the cell identifier of the subscriber's device, and as a result prevents the discovery of the subscriber's location.

Figure 5B is a MAP message that can be prevented from providing enhanced security to the mobile service provider network using a security platform for security policy enforcement, according to some examples. Is another example of a signaling attack using. In this second example of a signaling attack, the MSC may be required by an unauthorized user / attacker to return the IMSI if the TMSI is known. The MSC can also be queried for a session key for a subscriber. If an unauthorized user / attacker obtains an encrypted GSM or UMTS call (call), the unauthorized user / attacker can use the session key to decrypt it.

Referring to FIG. 5B, the unlicensed user / attacker 530 first captures the targeted traffic through the air interface (for example, in general, the unlicensed user / attacker is the target). Including being in a given physical neighborhood). Using access to the SS7 network, the unauthorized user / attacker then sends a sendIdentification request message 540 with TMSI to the MSC / VLR 516 and a provideSubscriberLocation response containing a session key message. The decryption key for the target device 518 can be retrieved via 542. These decryption / session keys can be used to decrypt subscriber traffic, as described above.

In one embodiment, the disclosed technique can be performed by a security platform to monitor OSI Layer 7 / Application Layer signaling traffic, including MAP traffic, and to decode the monitored MAP traffic. The security policy may be configured to identify signaling attacks with such MAP messages and block / drop sendIdentification request messages from untrusted / external networks.

Figure 5C can be prevented to provide enhanced security to the mobile service provider network using a security platform for security policy enforcement, according to some examples, MAP messages. Is another example of a signaling attack using. In this third example of a signaling attack, authentication at the Gateway Mobile Location Center (GMLC) 558 can be bypassed by directly querying the VLR. In this example signaling attack, the unauthorized user / attacker 530 sends a provideSubscriberLocation request message 550 to the MSC 556 and then receives a provideSubscriberLocation response message 552, as indicated.

In one embodiment, the disclosed technique can be performed by a security platform to monitor OSI Layer 7 signaling traffic, including MAP traffic, and to decode the monitored MAP traffic. The security policy is configured to identify signaling attacks with such MAP messages and block / drop sendIdentification request messages from untrusted / external networks to prevent this type of signaling attack. can.

An exemplary Diameter protocol vulnerability and security platform solution against attacks

The signaling flood of authentication messages is an example of a Diameter-related attack. A signaling flood attack on a Diameter authentication message is an example of outage of a signaling-related network and can cause congestion problems on the service provider network. Specifically, the signaling flood of Diameter authentication messages causes congestion problems related to the number of devices that are re-authenticated on the network of the service provider network, and for some subscribers they. May drop out of mobile connectivity. For example, Spark Telecom in New Zealand was affected by congestion issues due to a Signaling flood of Diameter authentication messages, such as the Diameter S6a Credential Request (AIR) (eg https://www.stuff). See .co.nz/business/88869002/Spark-network-outages-reported-around-the-country). In one embodiment, it is disclosed to monitor signaling traffic (eg, Diameter traffic including Diameter traffic, such as Diameter messages such as Diameter S6a ULR (Update Location Request) and Diameter s6a AIR (Authentication Information Request)). Techniques are performed to implement security policies and perform stateful inspections (eg, such signaling floods for Diameter authentication message attacks based on throttling / threshold limits on such authentication messages. It constitutes a security policy that can detect and prevent attacks. It may include throttling for each Diameter message type based on these parameters. The parameters are (a) source, destination, source and Destinations, per-aggregation criteria, and (b) thresholds (ie, the number of seconds messages are counted and the number of messages per time interval during stateful inspection by the NFGW / security platform).

An exemplary SS7 protocol vulnerability and security platform solution against attacks

Various SS7 related attacks are well known (for example, the 2016 Telenor SS7 attack, for example https://www.digi.no/artikler/et-ondsinnet-angrep-mot-telenor-ville). See -hatt-samme-konsekvens / 320604 (due to SS7 vulnerability in affected Telenor HLR, the entire network outage being discussed was 3 in the Telenor network in Norway in February 2016. An outage of the entire network over time, which allows individuals with sufficient information to remotely access networks in other countries throughout the public SS7 network without having physical access to the target network. In one embodiment, the techniques disclosed for monitoring signaling traffic (including, for example, SS7 traffic) are for implementing security policies. Configure a security policy that can detect and prevent such SS7 attacks based on being performed and performing stateful inspections (eg, throttling / threshold limits and / or filtering certain messages). The message may include throttling per MAP message type, such as DeleteSubscriberData, SendIdentification, SendRoutingInfo, and / or other SS7 protocol message types, which may be tuned based on these parameters. The parameters are (a) source, destination, source and destination, aggregate criteria per unit, and (b) thresholds (ie, seconds and time for messages to be counted during stateful inspection by the NFGW / security platform. The number of messages per interval).)

An exemplary SCCP protocol vulnerability and security platform solution against attacks

SCCP message signaling floods are examples of SCCP-related attacks (for example, various SCCP message types such as Connection Confirmed and Connection Released). Specifically, signaling message floods at the SCCP layer overload and compromise signaling points such as STP, SSP, and SCP by attackers. It can be used and is causing different types of DoS attacks. In one embodiment, the techniques disclosed to monitor network layer signaling traffic (eg, including SCCP traffic) are performed to implement security policies and perform stateful inspections (eg, slots). Consists of a security policy that can detect and prevent signaling message floods at such SCCP layers based on ring / threshold limits and / or filtering of predetermined messages. Messages are Connection Confirmed. , Connection Released, and / or other SCCP message types, which may include throttling per SCCP message type, which may be adjusted based on these parameters. Destinations, sources and destinations, aggregate criteria per unit, and (b) thresholds (ie, the number of messages per second and time interval during stateful inspection by the NFGW / security platform). )

Given the disclosed embodiments, as is now apparent, network service providers / mobile operators (eg, cellular service provider entities), MVNO providers, device manufacturers (eg, automotive entities, IoT device entities, and / or). , Other device manufacturers), and / or system integrators can use the disclosed technology to specify such security policies that can be enforced by security platforms, these exemplary signaling-related security issues. , And / or solve security-related problems that exist or have not yet been discovered on other service provider networks.

An exemplary hardware component of a network device for implementing security policies in a mobile / service provider network environment

FIG. 6 is a functional diagram relating to the hardware component of the network device for implementing the security policy in the mobile service provider network environment according to some embodiments. The example shown represents a physical / hardware component that may be included in the network device 600 (eg, an appliance, gateway, or server that can implement the security platform disclosed herein). Specifically, the network device 600 includes a high performance multi-core CPU 602 and RAM 604. The network device 600 also includes a storage 610 (eg, one or more hard disk or solid state storage devices) that can be used to store policies and other configuration information, as well as signatures. In one embodiment, the storage 610 has location information, hardware identifier information, subscriber identifier information, RAT information, and associated IP addresses, and / or various other information (eg, application IDs, content IDs, etc.). User ID, URL, and / or other information, including SCTP, Diameter on SCTP, SIGTRAN, SCCP, and / or, CAP, MAP, and / or INAP, as also described herein. , Layer 7 / application layer signaling traffic, other information monitored and / or extracted from decrypted network traffic), which are disclosed using the security platform / firewall device. Monitored to implement security policy implementation technology. The network device 600 may also include one or more optional hardware accelerators. For example, the network device 600 performs a cryptographic engine 606 configured to perform cryptographic and decryption operations, and performs signature matching, acts as a network processor, and / or other tasks. May include one or more FPGA 608s configured to perform.

An exemplary logic component of a network device for implementing security policies in a mobile / service provider network environment

FIG. 7 is a functional diagram relating to the logic component of the network device for implementing the security policy in the mobile service provider network environment according to some embodiments. The example shown represents a logic component that may be included in the network device 700 (eg, a data appliance capable of implementing the disclosed security platform and performing the disclosed technology). As shown, the network device 700 includes a management plane 702 and a data plane 704. In one embodiment, the management plane is responsible for managing user interaction, such as providing a user interface for configuring policies and displaying log data. The data plane is responsible for managing the data, such as performing packet processing and session processing.

Suppose a mobile device attempts to access a resource (eg, a remote website / server, IoT device, or other resource) using an encrypted session protocol, such as SSL. The network processor 706 is configured to monitor packets from mobile devices and provide packets to the data plane 704 for processing. Flow 708 identifies the packet as part of a new session and creates a new session flow. Subsequent packets will be identified as belonging to the session based on the flow lookup. Where applicable, SSL decryption is applied by the SSL decryption engine 710 using various techniques as described herein. Otherwise, the processing by the SSL decryption engine 710 is omitted. The application identification (ID) module 712 is configured to determine the type of traffic in which the session is involved and to identify the user associated with the traffic flow (eg, the application ID as described herein). Identify). For example, application ID 712 can recognize a GET request in the received data and conclude that the session requires an HTTP decoder. As another example, application ID 712 can recognize a Session Create or Create PDP Request in the received data and conclude that the session requires a GTP decoder. can. Each type of protocol (eg, various signaling protocols described above, SCTP, Diameter on SCTP, SIGTRAN, SCCP, and / or Layer 7 / Application Layer signaling traffic, CAP, MAP, and / or INAP. , And / or those containing other signaling protocols), there is a corresponding decoder 714. In one embodiment, application identification is performed by an application identification module (eg, application ID component / engine), and user identification is performed by another component / engine. Based on the decision made by application ID 712, the packet is sent to the appropriate decoder 714. The decoder 714 is configured to assemble packets (eg, those that can be received out of order) into the correct order, perform tokenization, and extract information. The decoder 714 also performs signature matching to determine what should happen to the packet. The SSL encryption engine 716 performs SSL encryption using various techniques as described herein, and the packet then uses the forward component 718 as shown. Will be transferred. As shown, policy 720 is also received and stored in management plane 702. In one embodiment, the implementation of the policy applies as described herein for various embodiments based on the monitored, decoded, and decoded session traffic flow (eg, the policy). Can include one or more rules that can be specified using a domain name and / or a host / server name, and the rules can contain one or more signatures or other matching. Criteria or heuristics can be applied. Various extracted parameters / information from monitored GTP-C messages and / or CAPs, MAPs, and / or disclosed herein. Layer 7 /, including monitored GTP-U, SCTP, Diameter, SIGTRAN, SCCP, and / or, as disclosed herein, CAP, MAP, and / or INAP traffic, including INAP traffic. To enforce security policies for subscriber / IP flows in service provider networks based on packet content inspection for application heuristic traffic).

As also shown in FIG. 7, the interface (I / F) communicator 722 is also a security platform manager communication (eg, (REST) API, message, or network protocol communication, or , Also provided for (via other communication mechanisms). In some cases, network communications of other network elements on the service provider network are monitored using network equipment 700, and the data plane 704 supports decryption of such communications (eg, I /). The network device 700, including the F communicator 722 and the decoder 714, includes, for example, Gn, Gp, S1-MME, S5, S6a / S6d, S8, X2, S9, S11, S13 / S13', Gr, Gd, Gf, B, C, D, E, and / or radio or radio network traffic flows may be configured to monitor and / or communicate on other interfaces that are similarly present as described herein). Thus, the network device 700, including the I / F communicator 722, incorporates the technologies disclosed for implementing security policies in a mobile / service provider network environment, as described above and further described below. Can be used to implement.

Further exemplary processes are described here for the techniques disclosed for monitoring signaling traffic and performing security policies in mobile / service provider network environments.

An exemplary process for transport layer signaling security with next-generation firewalls in mobile networks for service providers

FIG. 8 is a flow diagram relating to the process for performing transport layer signaling-based security in a mobile network for a service provider, according to some embodiments. In some embodiments, process 800, as shown in FIG. 8, includes embodiments described above with respect to FIGS. 1A-7, and is performed by security platforms and techniques similar to those described above. In one embodiment, process 800 is a data appliance 600 as described above with respect to FIG. 6, a network appliance 700 as described above with respect to FIG. 7, a virtual appliance, an SDN security solution, a cloud security service, and / or here. Performed by a combination of those described above, or by a hybrid implementation as described.

This process starts at 802. In 802, monitoring of transport layer signaling traffic on the service provider network is performed on the security platform. For example, a security platform (eg, a firewall, a network sensor acting on behalf of a firewall, or another device / component that can implement a security policy) can monitor SIGTRAN traffic on a mobile core network.

In the 804, transport layer signaling traffic is filtered on the security platform based on the security policy. For example, the security platform can filter transport layer signaling traffic protocols (eg, SIGTRAN protocol) and upper layer signaling protocols (eg, SCCP protocol) based on security policies.

In 806, the state and packet verification of the lower layer signaling protocol is performed based on the security policy. For example, the security platform performs underlying SCTP protocol state and packet validation by payload protocol identifier (PPID) and source / destination IP address while filtering SIGTRAN protocol messages. be able to.

In one embodiment, the security platform uses the PPID and any SIGTRAN protocol, for each source / destination or both IP / IP, while performing the underlying SCTP protocol state and packet validation. Perform message filtering. For example, security platforms can filter M3UA protocol messages by PPID and source / destination IP address (IP) while performing underlying SCTP protocol state and packet validation. As another example, the security platform can filter M2UA protocol messages by PPID and source / destination IP while performing underlying SCTP protocol state and packet validation. As another example, the security platform can filter M2PA protocol messages by PPID and source / destination IP while performing underlying SCTP protocol state and packet validation.

In 808, the security policy will be implemented using the security platform. For example, various enforcement actions (eg, allow / pass, block / drop, alert, tag, monitor, log). , Throttle, restrict access, and / or other enforcement actions) can be performed using the security platform as described above. For example, a security platform can block filtered messages in transport layer signaling traffic or higher tier signaling traffic based on security policy.

In one exemplary implementation, the security platform can extract adaptation layer information from the PPID field of the SCTP data chunk received for the firewall session installed for the SCTP protocol. These firewall sessions are associated with successful SCTP associations that have completed the 4-way handshake and other packet level checks. The PPID is assigned by IAN (for example, specified at https://www.iana.org/assignments/sctp-parameters/sctp-parameters.xhtml). PPID information can be used by security platforms to apply filtering and rate limiting mechanisms, facilitating enhanced signaling security on mobile service provider networks.

In one embodiment, the security platform relates to source, destination, or aggregate criteria, hits relating to source and destination IP / IP while performing state and packet validation of the underlying SCTP protocol. Perform rate limiting for any SIGTRAN protocol message using the time interval in seconds and the threshold / number. For example, while the security platform is performing the underlying SCTP protocol state and packet validation, the source, destination, or aggregate criteria for the source and destination IP / IP, the time in seconds for the hit. Rate limiting of M3UA protocol messages can be performed using intervals and thresholds / numbers. As another example, the security platform performs source, destination, or aggregate criteria for source and destination IP / IP, seconds for hits while performing underlying SCTP protocol state and packet validation. Rate limiting of M2UA protocol messages can be performed using the time interval and threshold / number in. As another example, the security platform performs source, destination, or aggregate criteria for source and destination IP / IP, seconds for hits while performing underlying SCTP protocol state and packet validation. Rate limiting of M2PA protocol messages can be performed using the time interval and threshold / number in. As another example, the security platform performs source, destination, or aggregate criteria for source and destination IP / IP, seconds for hits while performing underlying SCTP protocol state and packet validation. Rate limiting of SUA protocol messages can be performed using the time interval and threshold / number in.

An exemplary process for application layer signaling security with next-generation firewalls in mobile networks for service providers

FIG. 9 is a flow diagram relating to the process for performing application layer signaling-based security in a mobile network for a service provider, according to some embodiments. In some embodiments, process 900, as shown in FIG. 9, includes embodiments described above with respect to FIGS. 1A-7, and is performed by security platforms and techniques similar to those described above. In one embodiment, process 900 is a data appliance 600 as described above with respect to FIG. 6, a network appliance 700 as described above with respect to FIG. 7, a virtual appliance, an SDN security solution, a cloud security service, and / or here. Performed by a combination of those described above, or by a hybrid implementation as described.

The process starts at 902. In 902, monitoring of application layer signaling traffic on the service provider network is performed on the security platform. For example, a security platform (eg, a firewall, a network sensor acting on behalf of a firewall, or another device / component capable of implementing a security policy) monitors MAP, CAP, and / or INAP traffic on a mobile core network. be able to.

In 904, application layer signaling traffic is filtered on the security platform based on the security policy. For example, the security platform may filter application layer signaling traffic protocols (eg, MAP, CAP, and / or INAP protocols) and lower layer signaling protocols (eg, SCCP protocols) based on security policies. Can be done.

In 906, the state and packet verification of the lower layer signaling protocol is performed based on the security policy. For example, a security platform may perform underlying SCTP protocol state and packet validation while filtering MAP, CAP, or INAP protocol messages (eg, other Layer 7 / Application Layer messages). can.

In one embodiment, the security platform performs state and packet validation of the underlying SCTP protocol while filtering MAP, CAP, or INAP protocol messages. For example, the security platform is filtering the MAP, CAP, or INAP protocol messages by subsystem number (SSN) and source / destination IP address (IP), while the underlying SCTP protocol state and Packet verification can be performed. As another example, the security platform provides underlying SCTP protocol state and packet validation while filtering MAP, CAP, or INAP protocol messages by SSN, Global Title (GT), and IP. Can be executed. As another example, the security platform performs underlying SCTP protocol state and packet validation while filtering MAP, CAP, or INAP protocol messages by SSN, GT, opcode, and IP. be able to.

In 908, the security platform will be used to implement the security policy. For example, various enforcement actions (eg, allow / pass, block / drop, warning, tag, monitoring, log, throttle, access restriction, and / or other enforcement actions) use the security platform as described above. Can be executed. For example, a security platform can block filtered messages in application layer signaling traffic or lower layer signaling traffic based on security policy.

In one embodiment, the security platform relates to source, destination, or aggregate criteria, hits relating to source and destination IP / IP while performing state and packet validation of the underlying SCTP protocol. Perform rate limiting for any OSI Layer 7 / Application Layer signaling protocol message (eg, MAP, CAP, or INAP) using time intervals and thresholds / numbers in seconds. For example, while the security platform is performing the underlying SCTP protocol state and packet validation, the source, destination, or aggregate criteria for the source and destination IP / IP, the time in seconds for the hit. Rate limiting of any OSI Layer 7 signaling protocol message (eg, MAP, CAP, or INAP) can be performed per opcode (eg, where applicable) using intervals and thresholds / numbers.

Illustrative Process for Network Layer Signaling Security with Next Generation Firewall in Mobile Networks for Service Providers

FIG. 10 is a flow diagram relating to the process for performing network layer signaling-based security in a mobile network for a service provider, according to some embodiments. In some embodiments, Process 1000, as shown in FIG. 10, includes embodiments described above with respect to FIGS. 1A-7, and is performed by security platforms and techniques similar to those described above. In one embodiment, process 1000 is a data appliance 600 as described above with respect to FIG. 6, a network appliance 700 as described above with respect to FIG. 7, a virtual appliance, an SDN security solution, a cloud security service, and / or here. Performed by a combination of those described above, or by a hybrid implementation as described.

This process starts at 1002. In 1002, monitoring of network layer signaling traffic on the service provider network is performed on the security platform. For example, a security platform (eg, a firewall, a network sensor acting on behalf of a firewall, or another device / component that can implement a security policy) can monitor SCCP traffic on a mobile core network.

In 1004, network layer signaling traffic is filtered on the security platform based on the security policy. For example, the security platform is based on the security policy, the SCCP protocol and the lower layer signaling protocol (eg, SCTP protocol), or the upper layer signaling protocol (eg, MAP, CAP, or INAP, or other. Layer 7 / application layer message) can be filtered.

In 1006, the state and packet verification of the lower layer signaling protocol are performed based on the security policy. For example, a security platform can perform underlying SCTP protocol state and packet validation while filtering SCCP protocol traffic.

In one embodiment, the security platform performs underlying SCTP protocol state and packet validation while filtering SCCP protocol traffic. For example, a security platform can perform underlying SCTP protocol state and packet validation while filtering SCCP protocol traffic by source / destination IP address (IP). As another example, the security platform can perform underlying SCTP protocol state and packet validation while filtering SCCP protocol traffic by GT and source / destination IP.

In 1008, security policies will be implemented using the security platform. For example, various enforcement actions (eg, allow / pass, block / drop, warning, tag, monitoring, log, throttle, access restriction, and / or other enforcement actions) use the security platform as described above. Can be executed. For example, a security platform can block filtered messages in SCCP protocol traffic or lower / upper layer signaling traffic based on security policy.

In one embodiment, the security platform relates to a source, destination, or aggregate criteria, hits relating to the source and destination IP / IP while performing state and packet validation of the underlying SCTP protocol. Perform rate limiting for any SCCP message using the time interval in seconds and the threshold / number.

Illustrative Process for Diameter Security on SCTP with Next Generation Firewall in Mobile Networks for Service Providers

FIG. 11 is a flow diagram relating to the process for performing Diameter-based security on SCTP in a mobile network for service providers, according to some embodiments. In some embodiments, process 1100, as shown in FIG. 11, includes embodiments described above with respect to FIGS. 1A-7, and is performed by security platforms and techniques similar to those described above. In one embodiment, process 1100 is a data appliance 600 as described above with respect to FIG. 6, a network appliance 700 as described above with respect to FIG. 7, a virtual appliance, an SDN security solution, a cloud security service, and / or here. Performed by a combination of those described above, or by a hybrid implementation as described.

This process starts at 1102. In 1102, the Diameter protocol traffic on the service provider network on the security platform (for example, the Diameter protocol refers to the Authentication, Authorization, and Accounting (AAA) protocol, and S6a / S6d, Diameter applications such as S9 and Gx extend the functionality of Diameter-based protocols for mobile network-specific use cases). For example, a security platform (eg, a firewall, a network sensor acting on behalf of a firewall, or another device / component that can implement a security policy) can monitor Diameter traffic on a mobile core network.

In 1104, Diameter protocol traffic is filtered on the security platform based on the security policy. For example, the security platform can filter the Diameter protocol and the lower layer signaling protocol (eg, SCTP protocol) based on the security policy.

In 1106, the state and packet verification of the lower layer signaling protocol is performed based on the security policy. For example, a security platform can perform underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic.

In one embodiment, the security platform performs state and packet validation of the underlying SCTP protocol while filtering Diameter protocol traffic. For example, a security platform can perform underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic by source / destination IP address (IP). As another example, the security platform can perform underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic by application ID and source / destination IP. As another example, the security platform can perform underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic by application ID, command code, and source / destination IP. can. As another example, the security platform performs underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic by application ID, command code, AVP, and source / destination IP. be able to.

In 1108, the security platform will be used to implement the security policy. For example, various enforcement actions (eg, allow / pass, block / drop, warning, tag, monitoring, log, throttle, access restriction, and / or other enforcement actions) use the security platform as described above. Can be executed. For example, a security platform can block filtered messages in Diameter protocol traffic or lower / upper layer signaling traffic based on security policy.

In one embodiment, the security platform relates to a source, destination, or aggregate criteria, hits relating to the source and destination IP / IP while performing state and packet validation of the underlying SCTP protocol. Perform rate limiting for any Diameter message using time intervals in seconds and thresholds / numbers. For example, a security platform may perform source, destination, or aggregate criteria for source and destination IP / IP, time in seconds for hits while performing underlying SCTP protocol state and packet validation. Any Diameter message rate limit can be implemented for each application ID using intervals and thresholds / numbers. As another example, a security platform may perform source, destination, or source and destination IP / IP aggregate criteria, hit seconds while performing underlying SCTP protocol state and packet validation. Any Diameter message rate limit can be implemented for each command code using the time interval and threshold / number in. As another example, a security platform may perform source, destination, or source and destination IP / IP aggregate criteria, hit seconds while performing underlying SCTP protocol state and packet validation. Any Diameter message rate limit can be performed per AVP using the time interval and threshold / number in.

Although the embodiments described above have been described in some detail for the purpose of clarifying understanding, the present invention is not limited to the details provided. There are many alternative ways to carry out the present invention. The disclosed embodiments are exemplary and not limiting.

Claims (16)

It ’s a processor,
Monitor network layer, signaling, protocol, and traffic on the service provider network with a security platform, and
Based on the security policy, the security platform filters the network layer signaling protocol traffic, and the network layer signaling protocol is a signaling connection control part (SCCP) protocol, which is a signaling transport protocol. Is a signaling transport (SIGTRAN) protocol and
Perform stream control transport protocol (SCTP) protocol status and packet validation by payload protocol identifier (PPID) and source / destination IP address while filtering SIGTRAN protocol messages.
The processor, which is configured as
A memory that is coupled to the processor and is configured to provide instructions to the processor.
Including the system. The security platform is composed of a plurality of security policies based on the signaling, connection control, and part (SCCP) protocol.
The system according to claim 1. The processor further
It is configured to implement a security policy based on the network layer signaling protocol.
The system according to claim 1. The processor further
It is configured to perform state and packet verification of the network layer signaling protocol based on the security policy.
The system according to claim 1. The processor further
It is configured to perform threat protection based on the signaling transport protocol.
The system according to claim 1. The security platform monitors wireless interfaces in mobile core networks for 3G and / or 4G networks, including a plurality of interfaces for signaling control protocols and user data traffic.
The system according to claim 1. The processor further
Based on the security policy, it is configured to block filtered messages in the network layer signaling protocol traffic.
The system according to claim 1. The processor further
Based on the security policy, it is configured to block filtered messages in said network layer signaling protocol traffic or upper layer signaling traffic.
The system according to claim 1. Steps to monitor network layer, signaling, protocol, and traffic on the service provider network on the security platform,
A step of filtering the network layer signaling protocol traffic on the security platform based on the security policy, the network layer signaling protocol is a signaling connection control part (SCCP) protocol, a signaling transformer. The port protocol is a signaling transport (SIGTRAN) protocol, step and
With steps to perform Stream Control Transport Protocol (SCTP) protocol status and packet validation by payload protocol identifier (PPID) and source / destination IP address while filtering SIGTRAN protocol messages. ,
Including, how. The security platform is composed of a plurality of security policies based on the signaling, connection control, and part (SCCP) protocol.
The method according to claim 9. The method further comprises
Including the step of implementing a security policy based on the network layer signaling protocol.
The method according to claim 9. The method further comprises
A step of performing state and packet verification of the network layer signaling protocol based on the security policy.
The method according to claim 9. A computer program that contains multiple instructions
Steps to monitor network layer, signaling, protocol, and traffic on the service provider network on the security platform,
A step of filtering the network layer signaling protocol traffic on the security platform based on the security policy, the network layer signaling protocol is a signaling connection control part (SCCP) protocol, a signaling transformer. The port protocol is a signaling transport (SIGTRAN) protocol, step and
With steps to perform Stream Control Transport Protocol (SCTP) protocol status and packet validation by payload protocol identifier (PPID) and source / destination IP address while filtering SIGTRAN protocol messages. ,
Allows computing devices to perform operations, including
Computer program. The security platform is composed of a plurality of security policies based on the signaling, connection control, and part (SCCP) protocol.
The computer program according to claim 13. The computer program further
To execute the step of implementing the security policy based on the network layer signaling protocol.
The computer program according to claim 13. The computer program further
To execute the step of performing the state and packet verification of the network layer signaling protocol based on the security policy.
The computer program according to claim 13.

Images