JP7340582B2 - Transport layer signal safety using next-generation firewalls - Google Patents

Description

Firewalls typically allow authorized communications to pass through the firewall while protecting the network from unauthorized access. A firewall is typically a device or set of devices, or software running on a device, such as a computer, that provides firewall functionality for network access. For example, a firewall can be integrated into the operating system of a device (eg, computer, smartphone, or other type of network-enabled device). A firewall may also be integrated as software on a computer server, gateway, network/routing device (e.g., network router), or data appliance (e.g., security appliance or other type of special purpose device), or It can also be executed.

Firewalls typically deny or allow network transmissions based on a set of rules. These sets of rules are often referred to as policies. For example, a firewall can filter inbound traffic by applying a set of rules or policies. A firewall can also filter outbound traffic by applying a set of rules or policies. Firewalls can also perform basic routing functions.

Various embodiments of the invention are disclosed in the following detailed description and accompanying drawings.
FIG. 1A is a block diagram of a 3G wireless network with a security platform to provide enhanced security, according to some embodiments. FIG. 1B is a block diagram of a 4G/LTE wireless network with a security platform to provide enhanced security, according to some embodiments. FIG. 2A is one example of GTPv1-C messages exchanged between an SGSN and a GGSN in a 3G network, according to some embodiments. FIG. 2B is one example of GTPv2-C messages exchanged between entities including an MME, SGW, and PGW in a 4G/LTE network, according to some embodiments. FIG. 3A is another example of a GTPv1-C message flow between an SGSN and a GGSN in a 3G network, according to some embodiments. FIG. 3B is another example of a GTPv2-C message flow between an MME, a SGW, and a PGW in a 4G/LTE network, according to some embodiments. FIG. 4A shows a 4G security platform for providing Diameter over SCTP security services using a next-generation firewall in a mobile network for service providers, according to some embodiments. FIG. 1 is a block diagram of a /LTE wireless network. FIG. 4B is a block diagram of a 4G/LTE wireless network having a security platform for providing SIGTRAN security with a next generation firewall in a mobile network for a service provider, according to some embodiments. . FIG. 4C is a block diagram of a 4G/LTE wireless network having a security platform for providing SCCP security with a next generation firewall in a mobile network for a service provider, according to some embodiments. . FIG. 4D is a block diagram of a 4G/LTE wireless network with a security platform for providing OSI layer 7 signaling security with next-generation firewalls in mobile networks for service providers, according to some embodiments. It is a diagram. FIG. 4E shows one example of a signaling protocol stack. FIG. 4F shows one example of an SS7 over IP protocol stack. FIG. 5A illustrates MAP messages that may be prevented using a security platform for security policy enforcement to provide enhanced security for a mobile service provider network, according to some embodiments. This is an example of a signaling attack using FIG. 5B illustrates MAP messages that may be prevented using a security platform for security policy enforcement to provide enhanced security for a mobile service provider network, according to some embodiments. This is another example of a signaling attack using FIG. 5C illustrates MAP messages that may be prevented using a security platform for security policy enforcement to provide enhanced security for a mobile service provider network, according to some embodiments. This is another example of a signaling attack using FIG. 6 is a functional diagram of hardware components of a network device for security policy enforcement in a mobile service provider network environment, according to some embodiments. FIG. 7 is a functional diagram of logic components of a network device for security policy enforcement in a mobile service provider network environment, according to some embodiments. FIG. 8 is a flow diagram of a process for implementing transport layer signaling-based security in a mobile network for a service provider, according to some embodiments. FIG. 9 is a flow diagram of a process for implementing application layer signaling-based security in a mobile network for a service provider, according to some embodiments. FIG. 10 is a flow diagram of a process for implementing network layer signaling-based security in a mobile network for a service provider, according to some embodiments. FIG. 11 is a flow diagram of a process for implementing Diameter over SCTP-based security in a mobile network for a service provider, according to some embodiments.

The invention relates to a process, apparatus, system, arrangement of matter, computer program product embodied on a computer readable storage medium, and/or stored in a memory coupled to a processor and/or provided. The invention may be implemented in a number of ways, including a processor, such as a processor configured to execute instructions to be executed. In this specification, these embodiments, or any other form the invention may take, may be referred to as techniques. In general, the order of steps in the disclosed processes may be varied within the scope of the invention. Unless otherwise noted, a component such as a processor or memory that is described as being configured to perform a task is referred to as a general component that is temporarily configured to perform a task at a given time. , or may be implemented as a predetermined component manufactured to perform a task. As used herein, the term "processor" refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions. It is for reference.

A detailed description of one or more embodiments of the invention is provided below along with accompanying drawings that explain the principles of the invention. Although the invention is described in connection with such embodiments, the invention is not limited to any embodiment. The scope of the invention is limited only by the claims, and the invention encompasses numerous alternatives, modifications, and equivalents. Numerous specific details are set forth in the following description to provide a thorough understanding of the invention. These details are provided for purposes of illustration and the invention may be practiced according to the claims without some or all of these given details. For the sake of clarity, technical matters known in the art related to the present invention have not been described in detail so as not to unnecessarily obscure the present invention.

Firewalls typically allow authorized communications to pass through the firewall while protecting the network from unauthorized access. A firewall is typically a device, set of devices, or software running on a device that provides firewall functionality for network access. For example, a firewall can be integrated into the operating system of a device (eg, computer, smartphone, or other type of network-enabled device). Firewalls may also be connected to various types of devices, such as computer servers, gateways, network/routing devices (e.g., network routers), or data appliances (e.g., security appliances, or other types of special purpose devices). or may be integrated or executed as a software application on a security device.

Firewalls typically deny or allow network transmissions based on a set of rules. These sets of rules are often referred to as policies (eg, network policies, or network security policies). For example, a firewall can filter inbound traffic by applying a set of rules or policies to prevent unwanted external traffic from reaching the protected device. A firewall can also filter outbound traffic by applying a set of rules or policies (e.g., allow, block, monitor, notify, or log ), and/or other actions that may be specified in a firewall/security rule or firewall/security policy, which may be triggered based on various criteria, such as those described herein.)

Security devices (e.g., security appliances, security gateways, security services, and/or other security devices) may have various security functions (e.g., firewalls, anti-malware, intrusion prevention/detection, proxies, and/or other security functions), network functions (e.g., routing, quality of service (QoS), workload balancing of network-related resources, and/or other network functions), and/or other functions. can. For example, routing functions can be based on source information (eg, source IP address and port), destination information (eg, destination IP address and port), and protocol information.

A basic packet-filtering firewall is a packet-filtering firewall that filters network communication traffic by inspecting individual packets sent over the network (e.g., a stateless packet-filtering firewall or 1st generation firewall). Stateless packet filtering firewalls typically inspect individual packets themselves, and based on the inspected packets (e.g., a combination of the packet's source and destination address information, protocol information, and port numbers) ) to apply the rule.

Application firewalls can also perform application layer filtering (eg, using application layer filtering firewalls or second generation firewalls that function at the application level of the TCP/IP stack). Application layer filtering firewalls, or application firewalls, are typically used to protect a given application and protocol (e.g., web browsing using Hypertext Transfer Protocol (HTTP), Domain Name System (DNS) requests, File Transfer Protocol (FTP) and various other types of applications and other protocols, such as Telnet, DHCP, TCP, UDP, and TFTP (GSS). For example, an application firewall can block an unauthorized protocol that attempts to communicate on a standard port (e.g., allows that protocol to pass silently by using a non-standard port). Unauthorized/deviant policy protocols that attempt to sneak through (sneak through) can typically be identified using an application firewall).

Stateful firewalls can also perform stateful-based packet inspection, where each packet is inspected within the context of a set of packets associated with its network transmission packet flow. Inspected (e.g., stateful firewall or 3rd generation firewall). This firewall technology is commonly referred to as stateful packet inspection. Keeps a record of all connections that pass through the firewall and can determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet It is from. For example, the state of a connection can itself be one of the criteria that triggers a rule in a policy.

Advanced or next-generation firewalls can perform stateless and stateful packet filtering and application layer filtering, as described above. Next generation firewalls may also implement additional firewall technologies. For example, certain new firewalls, often referred to as advanced or next generation firewalls, can also identify users and content. In particular, certain next-generation firewalls are expanding the list of applications that these firewalls can automatically identify to thousands of applications. Examples of such next-generation firewalls are commercially available from Palo Alto Networks (e.g., Palo Alto Networks' PA series next-generation firewalls and Palo Alto Networks' VM series virtualized next-generation firewalls).

For example, Palo Alto Networks' next-generation firewalls use a variety of identification technologies to help enterprises and service providers identify applications, users, and content—not just ports, IP addresses, and packets—and , allowing you to control. Various identification technologies include application ID (App-ID ^TM ) (e.g., App ID) for precise application identification, user-ID TM (User-ID ^TM ) (e.g., User ID) for user identification, and Content-ID ^™ (eg, Content-ID) for real-time content scanning (eg, controlling web surfing and restricting data and file transfers). These identification technologies allow enterprises to use business-related concepts to securely enable application usage instead of following the traditional approach provided by traditional port-blocking firewalls. Additionally, special-purpose hardware for next-generation firewalls, implemented as dedicated devices, typically provides higher performance levels for application inspection than software running on general-purpose hardware (e.g. , a security appliance offered by Palo Alto Networks, Inc., utilizes purpose-built, feature-specific processing that is tightly integrated with a single-pass software engine to deliver low latency (maximize network throughput while minimizing latency).

Today's technical and security challenges in mobile networks for service providers

In today's service provider network environment, service providers typically can only implement static security policies for wireless devices that communicate via the service provider's wireless network (e.g., the service provider security/firewall policies cannot be defined on a per-endpoint and/or per-flow basis for wireless devices communicating over a Requires update. Additionally, in today's service provider network environment, service providers typically implement security policies for wireless devices that communicate over the service provider's wireless network based on hardware attributes or location information associated with the wireless device. (For example, a service provider may not be able to implement a security policy based on packet content inspection and/or various other relevant parameters associated with the wireless device, such as the access point of the device communicating over the wireless network.) , cannot be implemented).

Therefore, technical and security challenges exist for service provider networks. Thus, what is needed are new and improved security techniques for such service provider network environments. Specifically, what is needed are new and improved solutions for monitoring service provider network traffic and, more specifically, for service provider networks to address traffic-related security issues. This is an improved solution to solve the problem. For example, GSM (Global System for Mobile Communication), UMTS (Universal Mobile Telecommunication System), LTE (Long Term Evolution) networks, GTPv1-C used in 3G networks, and/or used in 4G/LTE networks. GTPv2-C, which performs packet content inspection of various protocols used on various interfaces within the service provider network, and facilitates enhanced security for the service provider network. Applying policies (e.g. firewall policies).

Overview of technologies for enhancing security in mobile networks for service providers

Accordingly, techniques for an enhanced security platform within a service provider network environment are disclosed. Specifically, different system architectures for implementing and providing security platforms within a service provider network environment that can monitor different protocols used at different interfaces. The process is disclosed. More specifically, used in various interfaces in GSM, UMTS, LTE networks, GTPv1-C used within 3G networks, and/or GTPv2-C used within 4G/LTE networks. Various system architectures for implementing security platforms and various processes for providing security policies ( For example, applying a firewall policy) is disclosed. For example, the disclosed technology can identify applications, IP addresses, content IDs, subscriber locations, unique device identifiers (e.g., for mobile phones for Global System for Mobile Communications (GSM) networks), International Mobile Equipment Identifier (IMEI) for unique 3GPP device identifiers in general, such as International Mobile Equipment Identifier (IMEI) for unique subscriber identifiers (e.g. Scrubber Equipment Identifier (IMSI)), Radio Access Technology (RAT) (e.g., to identify the associated RAT for a mobile device), and decryption on mobile service provider networks to resolve signaling security issues. enhanced security in the service provider network (e.g., in one or more signaling protocols, throttling certain messages/traffic to prevent/mitigate denial of service (DoS) attacks and counter other attacks/vulnerabilities) and/or as further described below. facilitate the use of next-generation firewalls on service provider networks, such as

In one embodiment, the security platform is configured to monitor traffic within the mobile core/service provider's core network (e.g., 3GPP releases for 3G networks, 3GPP releases for 4G networks, and 5G networks). (including monitoring the various protocols used for signaling traffic as specified in 3GPP releases pertaining to the Perform packet content inspection security monitoring techniques that can be used to apply security policies based on the information obtained. For example, a security platform can be configured to dynamically apply security policies on a per-IP flow (eg, per source/destination IP address) for wireless devices.
In one example implementation, the security platform monitors signaling traffic on a mobile service provider network (e.g., at one or more layers, such as a transport layer, a network layer, and/or an application layer). By doing so, and by dynamically correlating the signaling layer with data layer security, wireless devices can be configured to dynamically apply security policies on a per-IP flow and Promote enhanced security at the Stream Control Transport Protocol (SCTP) (signaling transport layer protocol specified in RFC 4960 available at https://tools.ietf.org/html/rfc4960), S1- APP/MME, Diameter (SCTP) is an authentication, authorization, and accounting signaling protocol available for its signaling transport protocol, and Diameter is an Internet Engineering Task Force (IETF) (including RFC 6733, available at https://tools.ietf.org/html/rfc6733), Mobile Application Part (MAP) (http://www. SS7/application layer signaling protocol specified in ITU Q.2220 available at itu.int/rec/T-REC-Q.2220/en/), CAMEL Application Part (CAP) (https://portal SS7/Application Layer Signaling Protocol (SS7/Application Layer Signaling Protocol) specified in 3GPP TS 29.078 available at .3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx-specificationId=1597 SS7/Application Layer Signaling Protocol (SS7/Application Layer Signaling Protocol), Signaling Control Connection Protocol (SCCP ) (SCTP is a signaling network layer protocol available for its signaling transport protocol, and SCCP is specified in several ITU Recommendations of the International Tekecon Union (ITU), http: ITU Q.711 available at //www.itu.int/rec/T-REC-Q.711 and http://www.itu.int/rec/T-REC-Q.714/en/ Signaling Transport (SIGTRAN), as specified in RFC 2719, available at https://tools.ietf.org/html/rfc2719 layer protocols), GTPv2-C specified in 3GPP TS29.274, and GTPv1-C specified in 3GPP TS29.060).

When a mobile device connects to a network (e.g., a 3GPP/LTE EPC network), an anchor gateway (e.g., a Packet Data Network (PDN) gateway, or PGW, in a 3GPP/LTE EPC network) typically connects the query the Policy Charging Function and Control (PCRF) entity of the subscriber to determine the policy for that subscriber. The PCRF entity sends information back to the PGW. The information may be, for example, QoS, filters, and/or other policy-related information stored within the PCRF entity for that subscriber that should be applied to this subscriber (e.g., the PCRF entity may AAA servers are commonly used for authentication purposes in wireless networks).

In one embodiment, the security platform is configured to monitor GTP communications between the SGSN and the GGSN within the mobile core network (e.g., a next generation firewall, as further described below). various GTP-C messages exchanged for GTP session activation, renewal, and/or deactivation within a service provider's network), and security platforms (e.g. A firewall (FW), network sensor acting on behalf of a firewall, or another device/component capable of implementing security policies using the disclosed technology) uses GTP as described further below. -C configured to apply a security policy using one or more parameters extracted from the message. Accordingly, service providers, IoT device providers, and/or system integrators may use one or more parameters extracted from GTP-C messages to provide enhanced security, as described further below. The disclosed techniques can be used to configure and enforce policies.

In one embodiment, the security platform is configured to monitor GTP communications between the SGSN and the GGSN within the mobile core network (e.g., a next generation firewall, as further described below). GTP-U traffic during GTP sessions within a service provider's network) and security platforms (e.g., firewalls (FWs), network sensors acting on behalf of firewalls, or disclosed Another device/component capable of implementing a security policy using the GTP-C message uses one or more parameters extracted from the GTP-C message, as further described below. and user session traffic monitored by the security platform during the GTP session (e.g., application ID, content ID, URL filtering, and/or other stateful packets extracted from the user traffic during the GTP session). is configured to apply security policies based on inspections). Accordingly, the service provider, IoT device provider, and/or system integrator may use one or more of the information extracted from the GTP-C messages and user traffic in the GTP session, as further described below. The disclosed techniques can be used to configure and enforce enhanced security policies using the parameters of .

For example, the service provider, IoT device provider, and/or system integrator may collect information such as IMEI, IMSI, location, RAT, and any other information extracted from the decrypted signaling traffic on the mobile service provider network. Different security policies may be applied based on/or any combination thereof using next generation firewalls on the service provider network, as described further below. As another example, the service provider, IoT device provider, and/or system integrator may be able to determine whether or not the mobile service provider, based on IMEI, IMSI, location, RAT, and/or user traffic monitored during a GTP session, - Different security policies can be applied based on other information extracted from the decrypted signaling traffic on the network.

In one embodiment, a security platform (e.g., a firewall, a network sensor acting on behalf of a firewall, or another device/component capable of implementing a security policy) makes data calls, as further described below. Security policies (e.g., granular security policies), when set up and/or modified/updated using the disclosed technology, such as real-time per subscriber (e.g., IMSI)/IP dynamically, per mobile device (e.g., IMEI)/IP, real-time per subscriber location/IP, real-time per RAT/IP, and/or any combination thereof). is configured to use existing 3GPP to apply. For example, the security platform can be configured to dynamically apply security policies on a per-IP flow basis for wireless devices.

In one embodiment, signaling messages in the mobile core/service provider's core network (e.g., messages exchanged for starting, updating, and deactivating tunneling sessions) are based on current 3GPP EPC (e.g., GTP-C messages), such as GTPv1-C messages for 3G networks and GTPv2-C messages for 4G networks), and/or existing and/or standard messages used in other wireless network environments, and , the security platform is configured to monitor such messages in order to extract one or more parameters from these messages that can be used to apply a security policy, as further described below. ing.

In one embodiment, the security platform is configured to monitor user session traffic (e.g., GTP-U traffic) within a tunnel session in a mobile core/service provider's core network, as further described below. Perform packet content inspection security monitoring techniques that can be used to enforce security policies based on user session traffic.

In one embodiment, the security platform engages the service provider to perform available packet content inspection security monitoring techniques to enforce security policies based on session traffic, as further described below. Monitoring sessions to/from various network elements in the network (e.g. the various used for signaling traffic as specified in the 3GPP release for 3GPP networks, the 3GPP release for 4G networks, and the 3GP release for 5G networks) (including protocol monitoring).

In one embodiment, the subscriber/IP address is associated with a security policy (e.g., next generation firewall (NGFW)) to facilitate enforcement of the security policy on a per-IP flow basis using a security platform (e.g., Next Generation Firewall (NGFW)). e.g. mapped to it). For example, the security platform may apply fine-grained security policies based on information extracted from signaling messages and/or user session traffic, as described further below.

In one embodiment, a security platform (eg, next generation firewall (NGFW)) monitors signaling transport traffic, including SCTP protocol traffic. For example, the security platform may include performing stateful inspection, SCTP protocol validation, and/or SCTP multi-chunk inspection (e.g., as configured within an SCTP protection security profile in a security policy implemented by the security platform). , SCTP protocol traffic can be filtered.

In one embodiment, a security platform (e.g., a next-generation firewall (NGFW)) is configured to transport signaling transport traffic (e.g., signaling transport traffic and higher layers of signaling traffic) on a service provider's core network. ) to monitor. For example, the security platform may include performing stateful inspection, SCTP protocol validation, and/or SCTP multi-chunk inspection (e.g., as configured within an SCTP protection security profile in a security policy implemented by the security platform). , signaling transport traffic (eg, SIGTRAN messages) can be filtered.

In one embodiment, a security platform (eg, next generation firewall (NGFW)) monitors upper layer signaling protocols. For example, the security platform may filter Layer-7/application layer signaling protocol layers (e.g., including support for filtering protocols used in Signaling System No. 7 (SS7) networks, SSN, GT , and filtering by Opcode).

In one embodiment, a security platform (eg, next generation firewall (NGFW)) monitors Diameter signaling traffic. For example, the security platform may include application IDs (e.g., exemplary application IDs for Diameter filtering are Diameter Common Message, Diameter Base Accounting, Diameter Credit Control, 3GPP S6a/S6d, 3GPP S9, 3GPP S13/S13' , 3GPP S6c, 3GPP Sh, and 3GPP Rx), command code (e.g., 3GPP-Update-Location, Application ID:3GPP for 3GPP Application ID:3GPP-S6a/S6d) -Credit-Control for S9, Application ID: 3Gpp-ME-Identity-Check for 3GPP-S13, Credit-Control for Application ID: Diamter Credit Control, and one or more of AVP (for example, in the range 0-16777215) (which may include the above), Diameter protocol filtering may be performed.

These and other embodiments and examples of techniques for providing a security platform that facilitates enhanced signaling security in a service provider network environment are described further below.

Exemplary system architecture for implementing enhanced signaling security in mobile networks for service providers

FIG. 1A is a block diagram of a 3G wireless network with a security platform to provide enhanced security, according to some embodiments. Figure 1A shows a 3G network (e.g., wired, Wi-Fi, 4G, 5G, and/or is an exemplary service provider network environment for a 3G network architecture, including (not shown) other networks may also be included. As shown in FIG. 1A, a radio access network (RAN) 130 is in communication with a mobile core network 120. RAN 130 may include macro cells 142 within the wireless network and small cells such as 3G micro cells 144, 3G pico cells 146, and 3G femto cells 148 within the wireless network. As shown, various user equipment 132, 134, and 136 may communicate using various cells within RAN 130.

As also shown in FIG. 1A, small cells, shown as 3G microcells (144), 3G picocells (146), and 3G femtocells (148), are home nodes on the IP broadband wireless network 140. A Home Node B (B) is in network communication with a gateway (HNB GW) 108 and, in this example, the traffic is configured to perform the disclosed security techniques, as further described below. a (virtual) security platform 102 (e.g., including a firewall (FW), a network sensor acting on behalf of the firewall, or another device/component capable of enforcing security policies using the disclosed technology); monitored/filtered using equipment/equipment). Also, as shown, a macro cell (NodeB) 142 is in network communication with a radio network controller (RNC) 110, and traffic performs the disclosed security techniques, as further described below. A security platform 102 (e.g., a firewall (FW), a network sensor acting on behalf of a firewall, or another device/component capable of enforcing security policies using the disclosed technology) configured to monitored/filtered using

As also shown in FIG. 1A, the HNB GW 108 and RNC 110 transmit packets via the Serving GPRS Support Node (SGSN) 112 and Gateway GPRS Support Node (GGSN) 114 of the mobile (3G) core network 120, respectively. A data network (PDN) 122 and, via a mobile switching center (MSC) 116 of a mobile core network 120, a public switched telephone network (PSTN) 124. As shown, traffic passing through the mobile core network between SGSN 112 and GGSN 114 of mobile core network 120 was configured to perform the disclosed security techniques, as further described below. Monitoring/monitoring using the security platform 102 (e.g., a firewall (FW), a network sensor acting on behalf of the firewall, or another device/component capable of enforcing security policies using the disclosed technology) filtered.

Various UEs, e.g., UEs shown at 132, 134, and 136, may be network enabled, mobile and/or fixed, capable of communicating via RAN 130 to access PDN 122. may include a device. The device may include, for example, a security camera (which may be in a fixed location), a watch, a mobile/smartphone, a tablet, a laptop, a computer/PC or other computing device (which may be mobile or in a fixed location), a car, a baby monitors, thermostats, and/or various other network-enabled computing devices (eg, any devices associated with the Internet of Things (IoT)). Various use case scenarios for applying the disclosed security techniques to wireless network-enabled devices to facilitate new and enhanced security are further described below.

Thus, in this example, a network architecture for implementing the security techniques disclosed for third generation network implementations is provided, where a security platform is provided for performing traffic monitoring and filtering, and further discussed below. As described, new and enhanced security techniques may be provided based on signaling and packet content inspection information. As will now be apparent to those skilled in the art in light of the disclosed embodiments, a security platform may be configured to include a network architecture (e.g., an in-line, pass-through NGFW, as illustrated by FW 102, and/or at various other locations within the SGSN 112 and/or GGSN 114 (implemented as an agent or virtual machine (VM) instance, executable on an existing device within the service provider's network); As described further below, it may similarly be provided in a variety of wireless network environments, such as 3G, 4G, 5G, and/or other wireless network environments, to implement the disclosed security techniques. Also, as described further below, the disclosed security techniques may be similarly applied to roaming devices that connect to the mobile core of a wireless network environment.

FIG. 1B is a block diagram of a 4G/LTE wireless network with a security platform to provide enhanced security, according to some embodiments. Figure 1B illustrates a service provider network environment (e.g., wired, Wi-Fi, 3G, 5G, and and/or other networks may also be included) to facilitate data communications for subscribers over the Internet and/or other networks. As shown in FIG. 1B, a radio access network (RAN) 180 is in communication with an evolved packet core (EPC) network 170. RAN 180 may include LTE macrocells 192 within the wireless network and smaller cells such as LTE microcells 194, LTE picocells 196, and LTE femtocells 198 within the wireless network. As shown, different user equipment (UE) 182, 184, and 186 may communicate using different cells within RAN 180.

As also shown in FIG. 1B, a femtocell 198 is in network communication with a home eNode B gateway (HeNB GW) 158 via an IP broadband wireless network 190, and in this example, the traffic is as follows: A security platform 156E configured to perform the disclosed security techniques (e.g., a firewall (FW), a network sensor operating on behalf of a firewall, or using the disclosed techniques) as further described in . monitored/filtered using (virtual) equipment/equipment), including another device/component that can implement security policies. Also shown, the macro cell 192 is in network communication with a mobility management entity (MME) 160 and a services gateway (SGW) 162, and traffic is monitored/filtered using the FW 156D; And, in this example, the traffic is directed to a security platform configured to perform the disclosed security techniques (e.g., a firewall (FW), a network sensor acting on behalf of the firewall, or monitored/filtered using another device/component that can enforce the security policy using the disclosed technology.

As also shown in FIG. 1B, the HeNB GW 158 communicates with a packet data network (PDN) 172 via an SGW 162 and a PDN gateway 164 of an evolved packet core (EPC) network 170. There is. As shown, traffic passing through the mobile core network between SGW 162 and GGSN/PGW 164 of EPC 170 was configured to perform the disclosed security techniques, as further described below. A (virtual) appliance/component including a security platform 152 (e.g., a firewall (FW), a network sensor acting on behalf of the firewall, or another device/component capable of implementing security policies using the disclosed technology) monitored/filtered using

For example, mobile and/or fixed wireless network-enabled devices such as UEs shown at 174, 176, 182, 184, and 186 may be included. The device can communicate via RAN 180, untrusted non-3GPP Wi-Fi access 177, and/or trusted 3GPP Wi-Fi access 178, and PDN 172 via EPC 170. to access. Here, security platforms 152, 156A, 156B, 156C, 156D, 156E, 156F, and/or 156G, such as those shown in FIG. 1B, may be used to monitor such communications (e.g., the security platform may (can be located at various locations/interfaces within EPC 170, as shown in FIG. 1B). and will be further explained below. Exemplary UEs include a security camera (e.g., may be in a fixed location), a watch, a mobile/smartphone, a tablet, a laptop, a computer/PC or other computing device (which may be mobile or in a fixed location), It may include a car, a baby monitor, a thermostat, and/or a variety of other network-enabled computing devices (eg, any device associated with the Internet of Things (IoT)). Various use case scenarios are further described below that apply the disclosed security techniques to wireless network-enabled devices to facilitate new and enhanced security.

Therefore, in this example, a network architecture is provided for implementing the security techniques disclosed for a 4G/LTE EPC network implementation, where signaling and packet content inspection information are Based on the above, a security platform may be provided for performing traffic monitoring and filtering to provide new and enhanced security techniques. As will now be apparent to those skilled in the art in view of the disclosed embodiments, the security platform may be configured to include network architectures (e.g., in-line, pass-through NGFW, as illustrated by FW 152, and/or SGW 162 and/or PGW 164 (implemented as an agent or virtual machine (VM) instance that can run on an existing device within a service provider's network), and as further described below. The present invention may similarly be provided in a variety of wireless network environments, such as 3G, 4G, 5G, and/or other wireless network environments, for implementing the disclosed security techniques. Also, as described further below, the disclosed security techniques may be similarly applied to roaming devices that connect to the mobile core of a wireless network environment.

FIG. 2A is one example of GTPv1-C messages exchanged between an SGSN and a GGSN in a 3G network, according to some embodiments. Specifically, Figure 2A shows the GTPv1-C messages exchanged to start, update, and stop the GTP session between SGSN 212 and GGSN 214 within the 3G network using the Gn/Gp interface. It shows. GTP is a standardized protocol based on the User Datagram Protocol (UDP).

Referring to FIG. 2A, the first message sent from SGSN 212 to GGSN 214 is a Create PDP Context Request message, as shown at 220. A Create PDP Context Request message is a message for allocating control and data channels for a new network communication access request for a mobile device in a 3G network (e.g., for network communication on a mobile service provider's network). tunnel is provided for user IP packets). For example, the Create PDP Context Request message may include location, hardware identifier (e.g., IMEI), subscriber identifier (e.g., IMSI), and/or radio access technology (RAT) information to request a new network communication access for the mobile device. may be included in

In one embodiment, the security platform monitors GTP-C messages in the mobile core to extract predetermined information contained within the GTP-C messages based on a security policy (e.g., Figure 1A and/or between various other elements/entities within the mobile core/EPC as shown in Figure 1B. or using a firewall/NGFW implemented as a VM instance or agent running on the SGSN, GGSN, SGW, PGW, and/or other entities within the mobile core network/EPC. , monitoring GTPv1-C messages). For example, the security platform monitors GTP-C messages and, as described further below, from the Create PDP Context Request message, the location, hardware identifier (e.g., IMEI), subscriber identifier (e.g., IMSI), etc. ), and/or Radio Access Technology (RAT) information may be extracted.

As shown in FIG. 2A, the GGSN 214 sends a Create PDP Context Request message to the SGSN 212, as shown at 222, and indicates that the Create PDP Context Request message has been granted to the mobile device. (e.g., whether to allow tunneled user data traffic in the mobile core network for mobile devices). Create PDP Context Request and Create PDP Context Response messages, sent using UDP communication on port 2123, are used to create a PDP context as shown in FIG. 2A.

As also shown in FIG. 2A, the Update PDP Context Request message, shown at 224, and the Update PDP Context Response message, shown at 226, Exchanged between SGSN and GGSN. For example, a PDP context update request/response message sent using UDP communication on port 2123 may be used to update one or more parameters for a connection/session.

Referring to FIG. 2A, in this example, a request for network communication access to a mobile device on a mobile service provider's network is granted, and the SGSN sends a T-PDU message shown at 228. For example, T-PDU messages may be used for mobile user network communications (e.g., IP packets) within the tunnel (e.g., control/signaling messages are typically sent using the GTP-C protocol). and user data messages are typically communicated on port 2152 using the GTP-U protocol). As shown at 230, a T-PDU message typically includes a GTP header, an IP header, a TCP header, and an HTTP payload.

As also shown in FIG. 2A, the PDP context is deleted after the user data session is completed. Specifically, the PDP context is deleted after the transfer of user data is completed, and the SGSN and GGSN send a Delete PDP Context Request message as shown at 232 and a Delete PDP Context Request message as shown at 234. Delete PDP Context Response messages are exchanged so that the The Delete PDP Context Request and Delete PDP Context Response messages are used to delete a PDP context, as also shown in FIG. 2A.

In one embodiment, the disclosed technique provides inspection of signaling/control traffic in a service provider network, such as GTP-C traffic, and tunneled user traffic in a service provider network, such as GTP-U traffic. Perform inspections (e.g., performed using a NGFW that can perform packet content inspection to identify application IDs, user IDs, content IDs, URL filtering, and / or implement other firewall/security policies for security/threat detection/prevention). In one embodiment, the disclosed techniques perform inspection of signaling/control traffic within a service provider network, such as GTP-C traffic, and determine information exchanged within the GTP-C traffic (e.g., parameters, such as the subscriber/mobile device, device ID/IMEI, subscriber information/IMSI, and/or location information associated with the RAT, as further described in . In one embodiment, the disclosed technique performs inspection of signaling/control traffic within a service provider network, such as GTP-C traffic, and includes information exchanged within the GTP-C traffic (e.g., as described above and and parameters as described further below) as well as monitoring tunneled user traffic within the service provider network (e.g., packet parameters as described above and as further described below). using content inspection).

In one example implementation, the security platform connects the respective interfaces of the SGSN and GGSN to monitor control/signaling traffic (e.g., GTP-C messages) and tunneled user traffic (e.g., GTP-U). Implement a security platform with GTP monitoring capabilities that is configured to monitor and implement security policies. The security platform may e.g. subscriber/mobile device, device ID/IMEI, subscriber information/IMSI, which may be extracted from control/signaling traffic (e.g. GTP-C messages) as further described below. , and/or the location information associated with the RAT may be used, as well as to perform packet content inspection on IP packets (eg, T-PDUs) within the tunnel, as further described below. As mentioned above, location information/parameters, hardware identifiers (e.g., IMEI), subscriber identifiers (e.g., IMSI), and/or radio access technologies (RATs) may be used for security purposes, as described further below. Depending on the platform, it can be extracted from the Create PDP Request message. This is based on extracted information and/or packet content inspection (e.g., SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/or other signaling protocol traffic and/or or packet content inspection of various other network protocols used on the service provider network) and stored for use in enforcing security policies, as further described below. (e.g., cached for IP flows).

FIG. 2B is one example of GTPv2-C messages exchanged between entities including an MME, SGW, and PGW in a 4G/LTE network, according to some embodiments. Specifically, FIG. 2B shows GTPv2-C exchanged between an MME 252, a SGW 254, and a PDN-GW (PGW) 256 (e.g., shown as GGSN/PGW in FIG. 1B) in a 4G/LTE network. 2 shows GTPv2-C messages exchanged for an LTE Attach procedure with message details; As mentioned above, GTP is a standardized protocol based on the User Datagram Protocol (UDP).

Referring to FIG. 2B, various Diameter messages are sent from MME 252 to Home Subscriber Server (HSS) 258 and Equipment Identity Register (EIR) 274, as well as as shown at 264. between PGW 256 and PCRF 276. In one embodiment, various information/parameters may be extracted from such Diameter message/session traffic based on the security policy (e.g., MME, SGW, PGW, HSS, VM instances or agents running on these entities and/or other entities within the mobile core network using a pass-through firewall/NGFW placed between the EIR and/or PCRF; Monitor Diameter messages using a firewall/NGFW implemented as a Firewall/NGFW). This may be stored for use in security policy enforcement based on the extracted information and/or in combination with packet content inspection of Diameter network protocol traffic, as described further below (e.g. , cached for IP flows).

As shown in FIG. 2B, a Create Session Request message is sent from MME 252 to SGW 254, shown at 260, and then sent to SGW 254, shown at 262. to PGW 256. A session creation request message is a message that allocates control and data channels for a new network communication access request for a mobile device in a 4G/LTE network (e.g., a user tunnel is provided for IP packets). For example, a GTP session creation request message may include location, hardware identifier (e.g., IMEI), subscriber identifier (e.g., IMSI), and/or radio access technology (RAT) information for new network communication access to the mobile device. Can be included in the request.

In one embodiment, the security platform monitors GTP-C messages among the MME, SGW, and PGW and extracts predetermined information contained within the GTP-C messages based on a security policy (e.g., VM instances running with a pass-through firewall/NGFW located between the MME, SGW, and PGW or on the MME, SGW, and PGW, and/or other entities within the mobile core network or using a firewall/NGFW implemented as an agent to monitor GTPv2-C messages). For example, the security platform may monitor GTP-C messages and include location, hardware identifier (e.g., IMEI), subscriber identifier (e.g., IMSI), and/or radio access technology (RAT) below. It can be extracted from the create session request message, as further described.

As shown in Figure 2B, after Session Establishment, as shown at 264, PGW 256 sends a Create Session Response message to SGW 254, as shown at 266. and, as indicated at 268, from the SGW 254 to the MME 252 to determine whether the session creation request is granted to the mobile device (e.g., if the mobile core whether tunneled user data traffic is allowed in the network. Create Session Request and Create Session Response messages sent using UDP communication on port 2123 are used to create the initialization context for the session, as shown in Figure 2B.

As also shown in FIG. 2B, a Modify Bearer Request message, shown at 270, and a Modify Bearer Response message, shown at 272, are sent between the MME, SGW, and PGW. will be exchanged. For example, a change bearer request/response message sent using UDP communication on port 2123 can be used to update one or more parameters for a connection/session.

In one embodiment, the disclosed technology applies to signaling in a service provider network, such as GTP-C traffic, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/or other signaling protocol traffic. /control traffic and inspects tunneled user traffic in the service provider network, such as GTP-U and various other network protocols used on the service provider network (e.g. application ID URL filtering and/or security/threat detection/ (enforce other firewall/security policies to prevent this). In one embodiment, the disclosed techniques perform inspection of signaling/control traffic within a service provider network, such as GTP-C traffic, and determine information exchanged within the GTP-C traffic (e.g., parameters, such as the subscriber/mobile device, device ID/IMEI, subscriber information/IMSI, and/or location information associated with the RAT, as further described in . In one embodiment, the disclosed technology performs inspection of signaling/control traffic within a service provider network, such as GTP-C traffic, and includes information exchanged within the GTP-C traffic (e.g., as described above and and parameters as described further below) as well as monitoring tunneled user traffic within the service provider network (e.g., packet parameters as described above and as further described below). using content inspection).

In one exemplary implementation, the security platform is configured to monitor respective interfaces for MME, SGW, PGW, HSS, EIR, and PCRF and control/signaling traffic (e.g., Diameter messages and GTP -C messages), tunneled user traffic (GTP-U), including GTP, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/or other signaling protocol traffic. and/or various other network protocols used on the service provider network, such as GTP, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/or other signaling protocols. traffic and/or various other network traffic that monitors the ability of the security platform to implement, e.g., parameters such as subscriber/mobile device, device ID/ Parameters such as IMEI, subscriber information/IMSI, and/or location information related to the RAT may be used and/or any other parameters/information that may be extracted from the control/signaling traffic (e.g. GTP- C messages and/or message types) and packet content inspection on IP packets in the tunnel and SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/or other signaling protocol traffic. and/or various other network protocols used on the service provider network, as described further below. As mentioned above, location information/parameters, hardware identifier (e.g., IMEI), subscriber identifier (e.g., IMSI), and/or radio access technology (RAT) may be extracted from the session creation request message by the security platform. . It may be stored for use in enforcing security policies based on this extracted information and/or in combination with packet content inspection (e.g., IP flow ).

The disclosed technology supports GTPv1-C and GTP-U, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/or other signaling protocol traffic, and/or 3G Mobile Packet Core ( GTPv2-C and GTP-U protocols, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/or other signaling protocol traffic within the 4G Evolved Packet Core (EPC) and within the 4G Evolved Packet Core (EPC) The methods herein are described with respect to performing network traffic inspections on various other network protocols used on a service provider and/or using various other network protocols used on a service provider. and/or generally described and/or location, device, subscriber, and/or RAT parameters/information (e.g., location information, hardware identifier, subscriber identifier information, RAT type information, and/or other specific parameters of users/devices/networks in their respective protocols) and/or other mobile networks, including tunneled user traffic on service provider networks for mobile device communications. It can be similarly implemented in other mobile core networks using protocols such as 5G core networks or other mobile network protocols.

FIG. 3A is another example of a GTPv1-C message flow between an SGSN and a GGSN in a 3G network, according to some embodiments. Specifically, FIG. 3A shows GTPv1-C messages exchanged between SGSN 302 and GGSN 304 in a 3G network for a GTPv1-C Create PDP Message flow.

Referring to FIG. 3A, as shown at 310, a Create PDP Request message is sent from SGSN 302 to GGSN 304 using the Gn/Gp interface. As shown at 312, a Create PDP Response message is sent from GGSN 304 to SGSN 302 using the Gn/Gp interface.

FIG. 3B is another example of a GTPv2-C message flow between an MME, a SGW, and a PGW in a 4G/LTE network, according to some embodiments. Specifically, Figure 3B shows how GTPv2-C is implemented between MME 322, SGW 324, and PDN-GW (PGW) 326 (e.g., shown as GGSN/PGW in Figure 1B) in a 4G/LTE network. It shows the GTPv2-C messages exchanged for the Create Session Message flow.

Referring to FIG. 3B, a Create Session Request message is sent from MME 322 to SGW 324 using the S11 interface, as shown at 330, and then, as shown at 332. , from SGW 324 to PGW 326 using the S5/S8 interface. A Create Session Response message is sent from PGW 326 to SGW 324 using the S5/S8 interface, as shown at 334, and then to S11, as shown at 336. Sent from SGW 324 to MME 322 using the interface.

As will now be explained further below, various information/parameters such as location, hardware identifier (e.g. IMEI), subscriber identifier (e.g. IMSI), and/or radio access technology (RAT) information may be Control/signaling traffic monitored by the security platform (e.g., GTPv1-CPDP Create PDP Request message, GTPv2-C Create Session Request message, and/or other control/signaling protocol messages in the mobile core network) It can be extracted from. It is based on this extracted information and/or packets performed by the security platform on user data traffic (e.g. GTP-U traffic and/or other tunneled user data protocols in the mobile core network). It may be stored (eg, cached in association with IP flows) for use in enforcing security policies in combination with content inspection.

Technologies for Transport Layer Signaling Security Using Next Generation Firewalls in Mobile Networks for Service Providers

In one embodiment, a technique disclosed for enhancing security in a mobile network for a service provider provides transport layer signaling security (e.g., SIGTRAN protocol) in a mobile network for a service provider. including. For example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other entities that provide devices/services related to the use of mobile networks); , a mobile virtual network operator (MVNO) is a mobile virtual network operator (MVNO) that provides user equipment (e.g., a subscriber's mobile device) and/or IoT that connects to a mobile network using 3G, 4G, or 5G radio access technology (RAT). The disclosed techniques can be applied to provide transport layer signaling-based security for devices.

For example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other entities that provide devices/services related to the use of mobile networks); , the MVNO provider provides application layer signaling to network elements in the 3G Mobile Packet Core (MPC), 4G Evolved Packet Core (EPC), and/or other mobile core networks (e.g., 5G core network). The disclosed techniques can be applied to apply security-based security.

As another example, Internet Private Exchange (IPX) providers and GPRS Roaming Exchange (GRX) providers may be used by mobile service providers (e.g., mobile network mobile device or IoT service provider, security service provider, or other entity providing devices/services related to the use of mobile networks). , the disclosed technology can be applied.

As yet another example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other providers of devices/services related to the use of mobile networks) entity) may receive network connectivity services for 3G, 4G, and/or 5G technologies from other mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or The disclosed techniques can be applied to provide application layer signaling-based security for devices/other entities providing services related to the use of mobile networks).

In one embodiment, a mobile service provider can apply the disclosed technology to provide new and enhanced transport layer signaling security in a mobile network for the service provider. . For example, mobile service providers can apply the disclosed technology to provide transport layer signaling-based security services. As another example, a mobile service provider may provide transport layer signaling-based threat detection services (e.g., transport-layer signaling-based basic threat detection services for known threats, transport-layer signaling-based threat detection services for unknown threats, etc.). Applying the disclosed technology to provide advanced threat detection services (and/or other threat detection services that can utilize transport layer signaling-based information to apply security policies) I can do it. As yet another example, a mobile service provider may apply the disclosed technology to provide transport layer signaling-based threat prevention services for known threats (e.g., transport layer signaling for known threats). basic threat prevention services based on layer signaling, advanced threat prevention services based on transport layer signaling against unknown threats, and/or utilizing transport layer signaling based information to apply security policies. Other threat prevention services available).

Accordingly, the techniques disclosed for enhanced security in mobile networks for service providers include implementing transport layer signaling-based security, as well as for higher layers of signaling traffic in mobile networks. and using a security platform that can enforce security policies based on filtered transport layer signaling information/messages or higher layer signaling information/messages (eg, application signaling layer).

As is now clear to those skilled in the art, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or devices/services related to the use of mobile networks) These transport layer signaling-based security services or combinations thereof, as well as various other signaling layer-based security services using the disclosed techniques, may be provided by other entities providing these transport layer signaling-based security services, or a combination thereof, as well as various other signaling layer-based security services using the disclosed techniques. Mobile service providers may also provide various other enhanced security services, such as subscriber/user identity-based, hardware identity-based, RA-based, and/or combinations thereof, as further described below. The disclosed techniques can also be applied to provide such transport layer signaling-based security services in combination with.

mobile network for service providers based on transport layer signaling information/messages (and/or in combination with other packet content inspection and/or NGFW techniques such as application ID, user ID, content ID, URL filtering) These and other techniques for providing enhanced security are detailed below.

Technology for application layer signaling security using next generation firewalls in mobile networks for service providers

In one embodiment, the disclosed technique for enhancing security in a mobile network for a service provider provides application layer signaling security (e.g., CAP, MAP, INAP, and/or or other layer-7/application layer signaling protocols). For example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other entities that provide devices/services related to the use of mobile networks); , the MVNO provider provides application-layer signaling-based communication to user equipment (e.g., subscriber mobile devices) and/or IoT devices that connect to the mobile network using 3G, 4G, or 5G radio access technology (RAT). The disclosed technology can be applied to provide security for.

For example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other entities that provide devices/services related to the use of mobile networks); , the MVNO provider provides application layer signaling to network elements in the 3G Mobile Packet Core (MPC), 4G Evolved Packet Core (EPC), and/or other mobile core networks (e.g., 5G core network). The disclosed techniques can be applied to apply security-based security.

As another example, an Internet Private Exchange (IPX) provider and a GPRS Roaming Exchange (GRX) provider may be a mobile service provider (e.g., mobile network mobile device or IoT service provider, security service provider, or other entity providing devices/services related to the use of mobile networks). , the disclosed technology can be applied.

As yet another example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other providers of devices/services related to the use of mobile networks) entity) may receive network connectivity services for 3G, 4G, and/or 5G technologies from other mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or The disclosed techniques can be applied to provide application layer signaling-based security for devices/other entities providing services related to the use of mobile networks).

In one embodiment, a mobile service provider can apply the disclosed technology to provide new and enhanced application layer signaling security in a mobile network for the service provider. For example, mobile service providers can apply the disclosed technology to provide application layer signaling-based security services. As another example, a mobile service provider may provide application-layer signaling-based threat detection services (e.g., application-layer signaling-based basic threat detection services for known threats, application-layer signaling-based advanced threat detection services for unknown threats, etc.) The disclosed techniques can be applied to provide detection services and/or other threat detection services that can utilize application layer signaling-based information to apply security policies. As yet another example, a mobile service provider may apply the disclosed technology to provide application layer signaling-based threat prevention services for known threats (e.g., application layer signaling for known threats). -based basic threat prevention services, application-layer signaling-based advanced threat prevention services for unknown threats, and/or other threats that can utilize application-layer signaling-based information to enforce security policies. prevention services).

Accordingly, the techniques disclosed for enhanced security in mobile networks for service providers include implementing application layer signaling-based security, in which filtered application layer signaling information/messages or lower layer signaling Use a security platform that can enforce security policies based on information/messages (eg, transport and network signaling layers).

As is now clear to those skilled in the art, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or devices/services related to the use of mobile networks) These application layer signaling-based security services or a combination thereof, as well as various other signaling layer-based security services using the disclosed technology, may be provided by other entities providing these application layer signaling-based security services or a combination thereof. Mobile service providers may also provide various other enhanced security services, such as subscriber/user identity-based, hardware identity-based, RA-based, and/or combinations thereof, as further described below. The disclosed technology can also be applied to provide such application layer signaling-based security services in combination with.

in mobile networks for service providers based on application layer signaling information/messages (and/or in combination with other packet content inspection and/or NGFW techniques such as application ID, user ID, content ID, URL filtering). These and other techniques for providing enhanced security are detailed below.

Technology for network layer signaling security using next generation firewalls in mobile networks for service providers

In one embodiment, a technique disclosed for enhancing security in a mobile network for a service provider includes providing network layer signaling security in a mobile network for a service provider. For example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other entities that provide devices/services related to the use of mobile networks); , an MVNO provider uses SCCP-based (SCCP -based) security.

For example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other entities that provide devices/services related to the use of mobile networks); , the MVNO provider provides application layer signaling to network elements in the 3G Mobile Packet Core (MPC), 4G Evolved Packet Core (EPC), and/or other mobile core networks (e.g., 5G core network). The disclosed techniques can be applied to apply security-based security.

As another example, Internet Private Exchange (IPX) providers and GPRS Roaming Exchange (GRX) providers may be used by mobile service providers (e.g., mobile network mobile device or IoT service provider, security service provider, or other entity providing devices/services related to the use of mobile networks). , the disclosed technology can be applied.

As yet another example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other providers of devices/services related to the use of mobile networks) entity) may receive network connectivity services for 3G, 4G, and/or 5G technologies from other mobile service providers (e.g., MVNO providers, mobile device or IoT service providers, security service providers, or mobile network The disclosed techniques can be applied to provide application layer signaling-based security for devices/other entities providing services related to the use of the Internet.

In one embodiment, a mobile service provider can apply the disclosed technology to provide new and enhanced network layer signaling security in a mobile network for the service provider. For example, mobile service providers can apply the disclosed technology to provide network layer signaling-based security services. As another example, a mobile service provider may provide network-layer signaling-based threat detection services (e.g., SCCP-based, network-layer signaling-based basic threat detection services for known threats, advanced threat detection services for unknown threats, etc.). The disclosed techniques can be applied to provide services (and/or other threat detection services that can utilize SCCP-based information to apply security policies). As yet another example, a mobile service provider can apply the disclosed technology to provide network layer signaling-based threat prevention services for known threats (e.g., SCCP-based known threat network-layer signaling-based basic threat prevention services for unknown threats, advanced threat prevention services for unknown threats, and/or other threat prevention services that can utilize SCCP-based information to enforce security policies). .

Accordingly, the techniques disclosed for enhanced security in mobile networks for service providers include implementing network layer signaling-based security, including filtered network layer signaling information/messages (e.g., SCCP information/ messages) or use a security platform that can enforce security policies based on lower/upper layer signaling information/messages.

As is now clear to those skilled in the art, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or devices/services related to the use of mobile networks) These network layer signaling-based security services or combinations thereof, as well as various other signaling layer-based security services using the disclosed techniques, may be provided by other entities providing these network layer signaling-based security services or a combination thereof. Mobile service providers may also provide various other enhanced security services, such as subscriber/user identity-based, hardware identity-based, RA-based, and/or combinations thereof, as further described below. The disclosed techniques can also be applied to provide such network layer signaling-based security services in combination with.

in mobile networks for service providers based on network layer signaling information/messages (and/or in combination with other packet content inspection and/or NGFW techniques such as application ID, user ID, content ID, URL filtering). These and other techniques for providing enhanced security are detailed below.

Technology for Diameter Security over SCTP with Next Generation Firewalls in Mobile Networks for Service Providers

In one embodiment, the disclosed technology for enhancing security in mobile networks for service providers includes Diameter over SCTP security using next generation firewalls in mobile networks for service providers. ). For example, mobile service providers and MVNOs are using Diameter security over SCTP (e.g., NGFW) to provide application ID and The disclosed technology can be applied to provide (in combination)

For example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other entities that provide devices/services related to the use of mobile networks); , the MVNO provider provides application layer signaling to network elements in the 3G Mobile Packet Core (MPC), 4G Evolved Packet Core (EPC), and/or other mobile core networks (e.g., 5G core network). The disclosed techniques can be applied to apply security-based security.

As another example, an Internet Private Exchange (IPX) provider and a GPRS Roaming Exchange (GRX) provider may be a mobile service provider (e.g., mobile network mobile device or IoT service provider, security service provider, or other entity providing devices/services related to the use of mobile networks). , the disclosed technology can be applied.

As yet another example, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or other providers of devices/services related to the use of mobile networks) entity) may receive network connectivity services for 3G, 4G, and/or 5G technologies from other mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or The disclosed techniques can be applied to provide application layer signaling-based security for devices/other entities providing services related to the use of mobile networks).

In one embodiment, a technique disclosed for enhancing security in a mobile network for a service provider includes providing Diameter security over SCTP in a mobile network for a service provider. For example, a mobile service provider may apply the disclosed technology to provide Diameter over SCTP security to user equipment (e.g., a subscriber's mobile device) and/or IoT devices that connect to a mobile network. can do.

In one embodiment, a mobile service provider may apply the disclosed technology to provide new and enhanced Diameter over SCTP security services in a mobile network for the service provider. can. For example, a mobile service provider can apply the disclosed technology to provide Diameter security services over SCTP. As another example, a mobile service provider may use information extracted from Diameter over SCTP to provide threat detection services (e.g., basic threat detection services for known threats in Diameter over SCTP, to provide advanced threat detection services against unknown threats and/or other threat detection services that can utilize Diameter over SCTP decoded/extracted information to enforce security policies. , the disclosed technology can be applied. As yet another example, a mobile service provider may apply the disclosed technology to utilize information extracted from Diameter over SCTP to provide threat prevention services for known threats (e.g. , basic threat prevention services against Diameter-based known threats over SCTP, advanced threat prevention services against Diameter-based unknown threats over SCTP, and/or Diameter over SCTP to enforce security policies. other threat prevention services that may utilize the decoded/extracted information).

In one embodiment, the disclosed technology for security enhancement in mobile networks for service providers uses a security platform that can implement security policies based on Diameter over SCTP decoded/extracted information. and implementing Diameter-based security over SCTP in mobile networks. For example, a security platform can monitor Diameter traffic over SCTP within a mobile network and process (eg, parse) the protocol/payload to extract various information.

Exemplary system architecture for implementing enhanced signaling security in mobile networks for service providers

FIG. 4A is a diagram of a 4G/LTE wireless network with a security platform for providing Diameter security services over SCTP using a next generation firewall in a mobile network for service providers, according to some embodiments. It is a block diagram. FIG. 4A is an exemplary 4G/LTE EPC network architecture that includes a 4G/LTE network (e.g., and can also include wired, Wi-Fi, 3G, 5G, and/or other networks). A service provider network environment that facilitates data communications for subscribers over the Internet and/or other networks. As shown in FIG. 4A, a Home Public Land Mobile Network (PLMN) 424 is connected to a Radio Access Network (RAN) that communicates with an Evolved Packet Core (EPC) network 402 via a backhaul (BH) network. ) 436 and facilitates access to a packet data network (PDN) 438 (eg, the Internet). As shown, Visitor PLMN 426 is also in communication with RAN 432, which communicates with EPC network 412 via the BH network, facilitating access to PDN 434 (eg, the Internet). As shown, various devices such as mobile user equipment 428 (e.g., mobile phone, tablet, watch, laptop, and/or other computing device) and connected things 430 (e.g., various IoT devices) User equipment may communicate using various cells within RAN 432.

FIG. 4A shows a network of security platforms, shown as FW 404 (e.g., NGFW or other security platform similar to those described above), for monitoring and decoding Diameter traffic over SCTP between EPC 402 and EPC 412. It shows the arrangement. Specifically, the FW 404 monitors Diameter traffic over SCTP (e.g., via the S13 interface) between the mobile management entity (MME) 414 and the equipment identity register (EIR) 406 to 418, facilitates the SCTP association and inspects the Diameter payload. The FW also monitors Diameter traffic over SCTP between the MME 414 and the Home Subscriber Server (HSS) 408 (e.g., via the S6a interface) to determine the SCTP association, as shown at 420. and inspect the Diameter payload. Similarly, the FW 404 communicates between the Visitor Policy Control and Charging Rules Function (V-PCRF) 416 and the Home Policy Control and Charging Rules Function (H-PCRF) 410 (e.g., via an S9 interface) over SCTP. Monitor Diameter traffic to facilitate SCTP associations and inspect Diameter payloads, as indicated at 422.

For example, using the disclosed techniques, various security policies may be enforced by the FW 404 based on parameters/information extracted from such Diameter over SCTP traffic (e.g., roaming subscribers may (In order to facilitate enhanced roaming security on the service provider network, a separate security policy may be implemented that is different from the security policy implemented for non-roaming subscribers). In one example implementation, a roaming subscriber has limited access based on application ID (and/or other information determined by packet content inspection, such as content ID, user ID, URL, etc.). and/or various other security policies may be implemented.

As is now clear to those skilled in the art, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or devices/services related to the use of mobile networks) MVNO providers may use the disclosed technology to provide such Diameter-based security services over SCTP, or combinations thereof, as well as each other Diameter-based security services over SCTP. can be provided. Mobile service providers also apply the disclosed technology to provide such Diameter-based services over SCTP in combination with various other enhanced security services, as further described below. . Other enhanced security services may be location-based, mobile device identifier-based, mobile user identifier-based, and/or combinations thereof.

These and other technologies (e.g., various application ID, user ID, content ID, URL filtering, packet content inspection and/or using NGFW techniques) are further described below.

FIG. 4B is a block diagram of a 4G/LTE wireless network having a security platform for providing SIGTRAN security with a next generation firewall in a mobile network for a service provider, according to some embodiments. . FIG. 4B is one example of a service provider network environment for a 4G/LTE EPC network architecture, including a 4G/LTE network (e.g., and also wired, Wi-Fi, 3G, 5G, and/or and/or other networks) to facilitate data communications for subscribers over the Internet and/or other networks. As shown in FIG. 4B, home PLMN 424 is in communication with RAN 436, which is in communication with the mobile core network, shown as EPC 450, via the BH network. The EPC includes a Serving GPRS Support Node (SGSN) 442, a Mobile Switching Center (MSC) 444, a Home Location Register (HLR) 446, and a Visitor Location Register (VLR) 448. Also shown, visitor PLMN 426 is in communication with Global Signaling System No. 7 (SS7) network 452, and SS7 is in communication with the mobile core network. As will be apparent to those skilled in the art, various UEs, such as mobile user equipment (e.g., mobile phones, tablets, watches, laptops, and/or other computing devices) and connected things (e.g., various IoT devices) may communicate via the home PLMN 424 (eg, using various cells within the RAN 436) or similarly via the visitor PLMN 426.

FIG. 4B shows a security platform (e.g., NGFW or Network deployments for other security platforms (similar to those listed above) are shown.

For example, using the disclosed techniques, various security policies may be enforced by the FW 440 based on parameters/information extracted from such SIGTRAN traffic (e.g., roaming subscribers typically may enforce a separate security policy that is different from the security policy enforced for subscribers). In one example implementation, a roaming subscriber has limited access based on application ID (and/or other information determined by packet content inspection, such as content ID, user ID, URL, etc.). and/or various other security policies may be implemented.

As is now clear to those skilled in the art, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or devices/services related to the use of mobile networks) MVNO providers may use the disclosed technology to provide each of these SIGTRAN-based security services, or a combination thereof, as well as other SIGTRAN-based services. . Mobile service providers also apply the disclosed technology to provide such SIGTRAN-based services in combination with various other enhanced security services, as further described below. Other enhanced security services may be location-based, mobile device identifier-based, mobile user identifier-based, and/or combinations thereof.

These and other technologies (e.g., various packet content inspection and/or (using NGFW technology) are further described below.

FIG. 4C is a block diagram of a 4G/LTE wireless network having a security platform for providing SCCP security with a next generation firewall in a mobile network for a service provider, according to some embodiments. . FIG. 4C is one example of a service provider network environment for a 4G/LTE EPC network architecture, including a 4G/LTE network (e.g., and also wired, Wi-Fi, 3G, 5G, and/or and/or other networks) to facilitate data communications for subscribers over the Internet and/or other networks. As shown in FIG. 4C, home PLMN 424 is in communication with RAN 436, which is in communication with the mobile core network, shown as EPC 450, via the BH network. EPC includes SGSN42, MSC444, HLR446, and VLR448. Also shown, the visitor PLMN 426 is in communication with the global Sig SS7 network 452, and the SS7 is in communication with the mobile core network. As will be apparent to those skilled in the art, various UEs, such as mobile user equipment (e.g., mobile phones, tablets, watches, laptops, and/or other computing devices) and connected things (e.g., various IoT devices) may communicate via the home PLMN 424 (eg, using various cells within the RAN 436) or similarly via the visitor PLMN 426.

FIG. 4C shows a security platform (e.g., NGFW or Network deployments for other security platforms (similar to those listed above) are shown.

For example, using the disclosed techniques, various security policies may be enforced by the FW 460 based on parameters/information extracted from such SCCP traffic (e.g., roaming subscribers typically may enforce a separate security policy that is different from the security policy enforced for subscribers). In one example implementation, a roaming subscriber has limited access based on application ID (and/or other information determined by packet content inspection, such as content ID, user ID, URL, etc.). and/or various other security policies may be implemented.

As is now clear to those skilled in the art, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or devices/services related to the use of mobile networks) MVNO providers may use the disclosed technology to provide each of these SCCP-based security services, or combinations thereof, as well as other SCCP-based services. . Mobile service providers also apply the disclosed technology to provide such SCCP-based services in combination with various other enhanced security services, as further described below. Other enhanced security services may be location-based, mobile device identifier-based, mobile user identifier-based, and/or combinations thereof.

These and other technologies for providing SCCP security using next-generation firewalls in mobile networks for service providers (e.g., various packet content inspections such as application ID, user ID, content ID, URL filtering and/or NGFW) techniques) are further described below.

FIG. 4D is a block diagram of a 4G/LTE wireless network with a security platform for providing OSI layer 7 signaling security with next-generation firewalls in mobile networks for service providers, according to some embodiments. It is a diagram. FIG. 4D is one example of a service provider network environment for a 4G/LTE EPC network architecture, including a 4G/LTE network (e.g., and also wired, Wi-Fi, 3G, 5G, and/or and/or other networks) to facilitate data communications for subscribers over the Internet and/or other networks. As shown in FIG. 4D, home PLMN 424 is in communication with RAN 436, which is in communication with the mobile core network, shown as EPC 450, via the BH network. EPC includes SGSN442, MSC444, HLR446, and VLR448. Also shown, visitor PLMN 426 is in communication with global SS7 network 452, and SS7 is in communication with the mobile core network. As will be apparent to those skilled in the art, various UEs, such as mobile user equipment (e.g., mobile phones, tablets, watches, laptops, and/or other computing devices) and connected things (e.g., various IoT devices) may communicate via the home PLMN 424 (eg, using various cells within the RAN 436) or similarly via the visitor PLMN 426.

FIG. 4D shows a security platform (e.g., , NGFW, or other security platforms similar to those listed above).

For example, various operations may be performed by the FW 470 based on parameters/information extracted from such OSI Layer 7 signaling traffic (e.g., CAP/MAP/INAP or other OSI Layer 7 signaling traffic) using the disclosed techniques. Security policies may be enforced (eg, roaming subscribers may generally enforce a separate security policy that is different from the security policy enforced for non-roaming subscribers). In one example implementation, a roaming subscriber has limited access based on application ID (and/or other information determined by packet content inspection, such as content ID, user ID, URL, etc.). and/or various other security policies may be implemented.

As is now clear to those skilled in the art, mobile service providers (e.g., mobile network service providers, mobile device or IoT service providers, security service providers, or devices/services related to the use of mobile networks) MVNO providers may use the disclosed technology to provide such OSI Layer 7 signaling (e.g., CAP/MAP/INAP or other OSI Layer 7 signaling traffic)-based security services; Combinations thereof, as well as each of the other OSI Layer 7 signaling-based services, can be provided. Mobile service providers also apply the disclosed technology to provide such OSI Layer 7 signaling-based services in combination with various other enhanced security services, as further described below. . Other enhanced security services may be location-based, mobile device identifier-based, mobile user identifier-based, and/or combinations thereof.

These and other technologies for providing OSI Layer 7 signaling security using next-generation firewalls in mobile networks for service providers (e.g., various packet content inspection and and/or using NGFW technology) are further described below.

FIG. 4E shows an example signaling protocol stack. Referring to FIG. 4E, example signaling layers include CAP, MAP, INAP, TCAP, SCCP, SIGTRAN, Diameter, and SCTP.

FIG. 4F shows an example of an SS7 over IP protocol stack. Referring to FIG. 4F, Layer 7/application signaling layers are also shown, such as CAP, MAP, and INAP.

Examples of signaling attacks that can be prevented using a security platform for security policy enforcement to provide enhanced security for mobile/service provider networks

Security Platform Solutions for Exemplary MAP Protocol Vulnerabilities and Attacks

FIG. 5A illustrates MAP messages that may be prevented using a security platform for security policy enforcement to provide enhanced security for a mobile service provider network, according to some embodiments. This is an example of a signaling attack using In this first example signaling attack, when a MAP anyTimeInterrogation (ATI) message 502 is sent from an unauthorized user/attacker 530 to a subscriber's HLR 514 (e.g., such ATI message is (can query the subscriber's HLR for the Cell-ID and IMEI), the ATI message triggers a provideSubscriberInfo (PSI) message 504, which is then sent to the MSC/VLR 516. Sent. A subscriber device 518 is connected to/in wireless communication with the MSC/VLR, as indicated by a paging request message 506. In response, the subscriber's device 518 returns the subscriber's cell identifier along with other information, as shown in a paging response message 508. MSC/VLR 516 then returns a provideSubscriberInfo response message 510 and HLR 514 returns an anyTimeInterrogation response message 512, as shown.

In a signaling attack using this example MAP message, an unauthorized user/attacker can then use the anyTimeInterrogation response message to obtain the cell identity of the subscriber's device. The cell identifier may then be mapped to the actual location (eg, street level) using publicly available mapping information. Thus, signaling attacks using this type of MAP messages can be used by unauthorized users/attackers to monitor the location of a subscriber with the subscriber's permission or knowledge.

In one embodiment, the disclosed techniques may be executed by a security platform to monitor OSI layer 7/application layer signaling traffic, including MAP traffic, and to decode the monitored MAP traffic. Security policies may be configured to identify signaling attacks using such MAP messages and block/drop anyTimeInterrogation request messages from untrusted/external networks. This disallows unauthorized users/attackers from obtaining the cell identifier of the subscriber's device, and as a result prevents detection of the subscriber's location.

FIG. 5B illustrates MAP messages that may be prevented using a security platform for security policy enforcement to provide enhanced security for a mobile service provider network, according to some embodiments. This is another example of a signaling attack using In this second example signaling attack, the MSC may be requested by an unauthorized user/attacker to return the IMSI if the TMSI is known. The MSC may also be queried for the session key for the subscriber. If an unauthorized user/attacker obtains an encrypted GSM or UMTS call, the unauthorized user/attacker can decrypt it using the session key.

Referring to FIG. 5B, the unauthorized user/attacker 530 first obtains the target's traffic over the air interface (e.g., typically (including being within a given physical vicinity). Next, with access to the SS7 network, the unauthorized user/attacker then sends a sendIdentification request message 540 with a TMSI to the MSC/VLR 516 and a provideSubscriberLocation response containing a session key message. Via 542, the decryption key for the target device 518 may be retrieved. These decryption/session keys may be used to decrypt the subscriber's traffic, as described above.

In one embodiment, the disclosed techniques may be executed by a security platform to monitor OSI layer 7/application layer signaling traffic, including MAP traffic, and to decode the monitored MAP traffic. Security policies may be configured to identify signaling attacks using such MAP messages and block/drop sendIdentification request messages from untrusted/external networks.

FIG. 5C illustrates MAP messages that may be prevented using a security platform for security policy enforcement to provide enhanced security for a mobile service provider network, according to some embodiments. This is another example of a signaling attack using In this third example signaling attack, authentication at the Gateway Mobile Location Center (GMLC) 558 may be bypassed by directly querying the VLR. In this example signaling attack, an unauthorized user/attacker 530 sends a provideSubscriberLocation request message 550 to the MSC 556 and then receives a provideSubscriberLocation response message 552, as shown.

In one embodiment, the disclosed techniques may be executed by a security platform to monitor OSI Layer 7 signaling traffic, including MAP traffic, and to decode the monitored MAP traffic. The security policy is configured to identify signaling attacks using such MAP messages and block/drop sendIdentification request messages from untrusted/external networks to prevent this type of signaling attack. can.

Security Platform Solutions for Exemplary Diameter Protocol Vulnerabilities and Attacks

A signaling flood of authentication messages is an example of a Diameter-related attack. A signaling flood attack of Diameter authentication messages is an example of a signaling-related network outage that can cause congestion problems on a service provider network. Specifically, the signaling flood of Diameter authentication messages creates congestion problems related to the number of devices being re-authenticated on the service provider network's network and, for some subscribers, their mobile connectivity may drop out. For example, Spark Telecom in New Zealand was affected by congestion issues due to a signaling flood of Diameter authentication messages, e.g. Diameter S6a Authentication Request (AIR) (e.g. https://www.stuff .co.nz/business/88869002/Spark-network-outages-reported-around-the-country). In one embodiment, the information is disclosed for monitoring signaling traffic (e.g., including Diameter traffic, such as Diameter messages such as Diameter S6a ULR (Update Location Request) and Diameter s6a AIR (Authentication Information Request)). Techniques are implemented to implement security policies and perform stateful inspection (e.g., based on throttling/threshold limits on such authenticated messages, such signaling floods of Diameter authenticated message attacks). Configure a security policy that can detect and prevent attacks, which may include throttling per Diameter message type based on these parameters: (a) source, destination, aggregation criteria per destination, and (b) thresholds (i.e., number of messages per second and time interval at which messages are counted during stateful inspection by the NFGW/security platform).

Security Platform Solutions for Exemplary SS7 Protocol Vulnerabilities and Attacks

Examples of various SS7-related attacks are well known (e.g. the 2016 Telenor SS7 attack, e.g. https://www.digi.no/artikler/et-ondsinnet-angrep-mot-telenor-ville See -hatt-samme-konsekvens/320604 (The discussed network-wide outage, due to an SS7 vulnerability in the affected Telenor HLR, occurred in February 2016 on the Telenor network in Norway. An entire network outage over an extended period of time, which allows a well-informed individual to remotely access a network anywhere on a public SS7 network or even in another country without having physical access to the target network. In one embodiment, the techniques disclosed for monitoring signaling traffic (e.g., including SS7 traffic) can be used to implement security policies. and perform stateful inspection (e.g., configure security policies that can detect and prevent such SS7 attacks based on throttling/threshold limiting and/or predetermined message filtering). Messages may include throttling per MAP message type, such as DeleteSubscriberData, SendIdentification, SendRoutingInfo, and/or other SS7 protocol message types, which may be adjusted based on these parameters. The parameters are (a) source, destination, aggregation criteria per source and destination, and (b) thresholds (i.e. seconds and times at which messages are counted during stateful inspection by the NFGW/security platform). (number of messages per interval).

Security Platform Solutions for Exemplary SCCP Protocol Vulnerabilities and Attacks

A signaling flood of SCCP messages is an example of an SCCP-related attack (eg, various SCCP message types such as Connection Confirmed, Connection Released, etc.). Specifically, signaling message floods at the SCCP layer are used by attackers to overload signaling points such as STP, SSP, and SCP and to compromise their functionality. can be used to create different types of DoS attacks. In one embodiment, the techniques disclosed for monitoring network layer signaling traffic (e.g., including SCCP traffic) are performed to implement security policies and perform stateful inspection (e.g., slot Configuring a security policy that can detect and prevent such signaling message floods at the SCCP layer based on ring/threshold limits and/or filtering of predetermined messages. , Connection Released, and/or other SCCP message types, which may be adjusted based on these parameters. The parameters include: (a) source; aggregation criteria for each destination, source and destination, and (b) a threshold (i.e., the number of messages per second and time interval at which messages are counted during stateful inspection by the NFGW/security platform). )

In view of the disclosed embodiments, it will now be apparent that network service providers/mobile operators (e.g., cellular service provider entities), MVNO providers, device manufacturers (e.g., automotive entities, IoT device entities, and/or , other device manufacturers), and/or system integrators can use the disclosed techniques to specify such security policies that may be implemented by a security platform and address these exemplary signaling-related security issues. and/or resolve existing or as yet undiscovered security-related issues on other service provider networks.

Exemplary hardware components of network equipment for security policy enforcement in mobile/service provider network environments

FIG. 6 is a functional diagram of hardware components of a network device for security policy enforcement in a mobile service provider network environment, according to some embodiments. The illustrated examples represent physical/hardware components that may be included in network device 600 (eg, appliances, gateways, or servers that may implement the security platform disclosed herein). Specifically, network device 600 includes a high-performance multi-core CPU 602 and RAM 604. Network device 600 also includes storage 610 (eg, one or more hard disks or solid state storage devices) that may be used to store policies and other configuration information as well as signatures. In one embodiment, storage 610 stores location information, hardware identifier information, subscriber identifier information, RAT information, and associated IP addresses and/or various other information (e.g., application ID, content ID, User ID, URL, and/or other information, including SCTP, Diameter over SCTP, SIGTRAN, SCCP, and/or CAP, MAP, and/or INAP, as also described herein. , Layer 7/application layer signaling traffic, and other information monitored and/or extracted from decrypted network traffic) that is disclosed using a security platform/firewall device. Monitored to implement security policy enforcement techniques. Network device 600 may also include one or more optional hardware accelerators. For example, network device 600 may include a cryptographic engine 606 configured to perform encryption and decryption operations, perform signature matching, operate as a network processor, and/or perform other tasks. may include one or more FPGAs 608 configured to perform.

Exemplary logic components of a network device for security policy enforcement in a mobile/service provider network environment

FIG. 7 is a functional diagram of logic components of a network device for security policy enforcement in a mobile service provider network environment, according to some embodiments. The illustrated example represents logic components that may be included in network device 700 (eg, a data appliance that implements the disclosed security platform and is capable of executing the disclosed techniques). As shown, network device 700 includes a management plane 702 and a data plane 704. In one embodiment, the management plane is responsible for managing user interactions, such as by providing a user interface for configuring policies and viewing log data. The data plane is responsible for managing data, such as by performing packet processing and session processing.

Assume that a mobile device attempts to access a resource (eg, a remote website/server, IoT device, or other resource) using an encrypted session protocol, such as SSL. Network processor 706 is configured to monitor packets from mobile devices and provide the packets to data plane 704 for processing. Flow 708 identifies the packet as part of a new session and creates a new session flow. Subsequent packets will be identified as belonging to the session based on the flow lookup. If applicable, SSL decryption is applied by SSL decryption engine 710 using various techniques as described herein. Otherwise, processing by SSL decryption engine 710 is omitted. Application identification (ID) module 712 is configured to determine the type of traffic that the session involves and to identify the user associated with the traffic flow (e.g., an application ID as described herein). identify). For example, application ID 712 may recognize a GET request in the received data and conclude that the session requires an HTTP decoder. As another example, application ID 712 may recognize a Create Session Request or Create PDP Request in the received data and conclude that the session requires a GTP decoder. can. Each type of protocol (e.g., the various signaling protocols mentioned above, such as SCTP, Diameter over SCTP, SIGTRAN, SCCP, and/or Layer 7/application layer signaling traffic, CAP, MAP, and/or INAP) , and/or other signaling protocols), there is a corresponding decoder 714. In one embodiment, application identification is performed by an application identification module (eg, an application ID component/engine) and user identification is performed by another component/engine. Based on the decision made by application ID 712, the packet is sent to the appropriate decoder 714. Decoder 714 is configured to assemble packets (eg, those that may be received out of order) into correct order, perform tokenization, and extract information. Decoder 714 also performs signature matching to determine what should happen to the packet. SSL encryption engine 716 performs SSL encryption using various techniques such as those described herein, and packets are then forwarded using forward component 718 as shown. be transferred. As shown, policy 720 is also received and stored at management plane 702. In one embodiment, policy enforcement is applied (e.g., policy enforcement is applied as described herein with respect to various embodiments) based on monitored, decrypted, and decrypted session traffic flows. may include one or more rules, which may be specified using a domain name and/or host/server name, and the rules may include one or more signatures or other matching Criteria or heuristics may be applied to various extracted parameters/information from monitored GTP-C messages and/or the CAPs, MAPs, and/or Monitored GTP-U, SCTP, Diameter over SCTP, SIGTRAN, SCCP, including INAP traffic, and/or Layer 7/7, including CAP, MAP, and/or INAP traffic, as disclosed herein. (e.g., for enforcement of security policies for subscriber/IP flows in service provider networks based on packet content inspection of application layer signaling traffic).

As also shown in FIG. 7, an interface (I/F) communicator 722 also provides security platform manager communications (e.g., (REST) APIs, messages, or network protocol communications, or , via other communication mechanisms). In some cases, network communications of other network elements on the service provider network are monitored using network equipment 700, and data plane 704 supports decoding of such communications (e.g., I/ The network device 700 including the F communication device 722 and the decoder 714 includes, for example, Gn, Gp, S1-MME, S5, S6a/S6d, S8, X2, S9, S11, S13/S13', Gr, Gd, Gf, B, C, D, E, and/or other interfaces where wireless or wireless network traffic flows similarly exist as described herein). Thus, network device 700, including I/F communicator 722, implements the disclosed techniques for security policy enforcement in a mobile/service provider network environment, as described above and further explained below. can be used to implement.

Further exemplary processes will now be described for the disclosed techniques for monitoring signaling traffic and performing security policy enforcement in a mobile/service provider network environment.

Exemplary Process for Transport Layer Signaling Security with Next Generation Firewalls in Mobile Networks for Service Providers

FIG. 8 is a flow diagram of a process for implementing transport layer signaling-based security in a mobile network for a service provider, according to some embodiments. In some embodiments, the process 800 as shown in FIG. 8 is performed by security platforms and techniques similar to those described above, including the embodiments described above with respect to FIGS. 1A-7. In one embodiment, the process 800 includes a data appliance 600 as described above with respect to FIG. 6, a network device 700 as described above with respect to FIG. 7, a virtual appliance, an SDN security solution, a cloud security service, and/or herein A combination of the above or a hybrid implementation may be implemented as described.

The process begins at 802. At 802, monitoring of transport layer signaling traffic on a service provider network at a security platform is performed. For example, a security platform (eg, a firewall, a network sensor acting on behalf of the firewall, or another device/component capable of implementing security policies) can monitor SIGTRAN traffic on the mobile core network.

At 804, filtering of transport layer signaling traffic at the security platform is performed based on the security policy. For example, the security platform can filter transport layer signaling traffic protocols (eg, SIGTRAN protocol) and upper layer signaling protocols (eg, SCCP protocol) based on security policies.

At 806, lower layer signaling protocol status and packet validation is performed based on the security policy. For example, while filtering SIGTRAN protocol messages, the security platform performs underlying SCTP protocol state and packet validation by payload protocol identifier (PPID) and source/destination IP address. be able to.

In one embodiment, the security platform detects any SIGTRAN protocol while performing underlying SCTP protocol state and packet validation for each PPID and source/destination/or both IP/IP. Perform message filtering. For example, the security platform can filter M3UA protocol messages while performing underlying SCTP protocol state and packet validation by PPID and source/destination IP address (IP). As another example, the security platform can filter M2UA protocol messages while performing underlying SCTP protocol state and packet validation by PPID and source/destination IP. As another example, the security platform can filter M2PA protocol messages while performing underlying SCTP protocol state and packet validation by PPID and source/destination IP.

At 808, security policy enforcement is performed using a security platform. For example, various enforcement actions (e.g., allow/pass, block/drop, alert, tag, monitor, log) , throttles, restrict access, and/or other enforcement actions) may be performed using the security platform in the same manner as described above. For example, the security platform may block filtered messages in transport layer signaling traffic or upper layer signaling traffic based on a security policy.

In one example implementation, the security platform may extract adaptation layer information from the PPID field of an SCTP data chunk received for a firewall session installed for the SCTP protocol. These firewall sessions involve successful SCTP associations that have completed a 4-way handshake and other packet-level checks. PPIDs are assigned by the IAN (e.g., specified at https://www.iana.org/assignments/sctp-parameters/sctp-parameters.xhtml). PPID information can be used by security platforms to apply filtering and rate limiting mechanisms, facilitating enhanced signaling security on mobile service provider networks.

In one embodiment, the security platform determines the source, destination, or aggregate criteria regarding the source, destination, or source and destination IP/IP of the hit while performing the underlying SCTP protocol state and packet validation. Perform rate limiting of any SIGTRAN protocol messages using a time interval in seconds and a threshold/number. For example, the security platform can determine the state of the underlying SCTP protocol and the aggregate criteria for source, destination, or source and destination IP/IP, time in seconds for hits, while performing packet validation. Rate limiting of M3UA protocol messages can be performed using intervals and thresholds/numbers. As another example, the security platform can determine the source, destination, or aggregate criteria for the source, destination, or source and destination IP/IP, hits in seconds, while performing underlying SCTP protocol state and packet validation. Rate limiting of M2UA protocol messages can be performed using a time interval and a threshold/number of . As another example, the security platform can determine the source, destination, or aggregate criteria for the source, destination, or source and destination IP/IP, hits in seconds, while performing underlying SCTP protocol state and packet validation. Rate limiting of M2PA protocol messages can be performed using a time interval and a threshold/number at . As another example, the security platform can determine the source, destination, or aggregate criteria for the source, destination, or source and destination IP/IP, hits in seconds, while performing underlying SCTP protocol state and packet validation. Rate limiting of SUA protocol messages can be performed using a time interval and a threshold/number at .

Exemplary Process for Application Layer Signaling Security with Next Generation Firewalls in Mobile Networks for Service Providers

FIG. 9 is a flow diagram of a process for implementing application layer signaling-based security in a mobile network for a service provider, according to some embodiments. In some embodiments, a process 900 as shown in FIG. 9 is performed by security platforms and techniques similar to those described above, including the embodiments described above with respect to FIGS. 1A-7. In one embodiment, the process 900 includes a data appliance 600 as described above with respect to FIG. 6, a network device 700 as described above with respect to FIG. 7, a virtual appliance, an SDN security solution, a cloud security service, and/or herein A combination of the above or a hybrid implementation may be implemented as described.

The process begins at 902. At 902, monitoring of application layer signaling traffic on a service provider network at a security platform is performed. For example, a security platform (e.g., a firewall, a network sensor acting on behalf of the firewall, or another device/component capable of implementing security policies) monitors MAP, CAP, and/or INAP traffic on the mobile core network. be able to.

At 904, filtering of application layer signaling traffic at the security platform is performed based on the security policy. For example, the security platform may filter application layer signaling traffic protocols (e.g., MAP, CAP, and/or INAP protocols) and lower layer signaling protocols (e.g., SCCP protocol) based on security policies. I can do it.

At 906, lower layer signaling protocol status and packet verification is performed based on the security policy. For example, a security platform may perform underlying SCTP protocol state and packet validation while filtering MAP, CAP, or INAP protocol messages (e.g., other Layer 7/application layer messages). can.

In one embodiment, the security platform performs underlying SCTP protocol state and packet validation while filtering MAP, CAP, or INAP protocol messages. For example, while filtering MAP, CAP, or INAP protocol messages by subsystem number (SSN) and source/destination IP address (IP), the security platform Packet verification can be performed. As another example, a security platform may check the underlying SCTP protocol state and packet validation while filtering MAP, CAP, or INAP protocol messages by SSN, global title (GT), and IP. can be executed. As another example, the security platform performs underlying SCTP protocol state and packet validation while filtering MAP, CAP, or INAP protocol messages by SSN, GT, opcode, and IP. be able to.

At 908, security policy enforcement is performed using a security platform. For example, various enforcement actions (e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle, restrict access, and/or other enforcement actions) may be performed using the security platform in the same manner as described above. It can be executed by For example, the security platform may block filtered messages in application layer signaling traffic or lower layer signaling traffic based on a security policy.

In one embodiment, the security platform determines the source, destination, or aggregate criteria regarding the source, destination, or source and destination IP/IP of the hit while performing the underlying SCTP protocol state and packet validation. Perform rate limiting of any OSI layer 7/application layer signaling protocol messages (eg, MAP, CAP, or INAP) using time intervals and thresholds/numbers in seconds. For example, the security platform can determine the state of the underlying SCTP protocol and the aggregate criteria for source, destination, or source and destination IP/IP, time in seconds for hits, while performing packet validation. Rate limiting of any OSI Layer 7 signaling protocol messages (eg, MAP, CAP, or INAP) can be performed on a per opcode basis using intervals and thresholds/numbers (eg, if applicable).

Exemplary Process for Network Layer Signaling Security with Next Generation Firewalls in Mobile Networks for Service Providers

FIG. 10 is a flow diagram of a process for implementing network layer signaling-based security in a mobile network for a service provider, according to some embodiments. In some embodiments, the process 1000 as shown in FIG. 10 is performed by security platforms and techniques similar to those described above, including the embodiments described above with respect to FIGS. 1A-7. In one embodiment, the process 1000 includes a data appliance 600 as described above with respect to FIG. 6, a network device 700 as described above with respect to FIG. 7, a virtual appliance, an SDN security solution, a cloud security service, and/or herein A combination of the above or a hybrid implementation may be implemented as described.

The process begins at 1002. At 1002, monitoring of network layer signaling traffic on a service provider network at a security platform is performed. For example, a security platform (eg, a firewall, a network sensor acting on behalf of the firewall, or another device/component capable of implementing security policies) can monitor SCCP traffic on the mobile core network.

At 1004, filtering of network layer signaling traffic at the security platform is performed based on the security policy. For example, the security platform may configure the SCCP protocol and lower layer signaling protocols (e.g., SCTP protocol) or upper layer signaling protocols (e.g., MAP, CAP, or INAP, or other layer 7/application layer messages).

At 1006, lower layer signaling protocol status and packet verification is performed based on the security policy. For example, the security platform may perform underlying SCTP protocol state and packet validation while filtering SCCP protocol traffic.

In one embodiment, the security platform performs underlying SCTP protocol state and packet validation while filtering SCCP protocol traffic. For example, the security platform may perform underlying SCTP protocol state and packet validation while filtering SCCP protocol traffic by source/destination IP address (IP). As another example, the security platform may perform underlying SCTP protocol state and packet validation while filtering SCCP protocol traffic by GT and source/destination IP.

At 1008, security policy enforcement is performed using a security platform. For example, various enforcement actions (e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle, restrict access, and/or other enforcement actions) may be performed using the security platform in the same manner as described above. It can be executed by For example, the security platform may block filtered messages in SCCP protocol traffic or lower/upper layer signaling traffic based on a security policy.

In one embodiment, the security platform determines the source, destination, or aggregate criteria regarding the source, destination, or source and destination IP/IP of the hit while performing the underlying SCTP protocol state and packet validation. Perform rate limiting of any SCCP messages using a time interval in seconds and a threshold/number.

Exemplary Process for Diameter Security over SCTP with Next Generation Firewalls in Mobile Networks for Service Providers

FIG. 11 is a flow diagram of a process for implementing Diameter-based security over SCTP in a mobile network for a service provider, according to some embodiments. In some embodiments, the process 1100 as shown in FIG. 11 is performed by security platforms and techniques similar to those described above, including the embodiments described above with respect to FIGS. 1A-7. In one embodiment, the process 1100 includes a data appliance 600 as described above with respect to FIG. 6, a network device 700 as described above with respect to FIG. 7, a virtual appliance, an SDN security solution, a cloud security service, and/or herein A combination of the above or a hybrid implementation may be implemented as described.

The process begins at 1102. At 1102, Diameter protocol traffic (e.g., Diameter protocol refers to Authentication, Authorization, and Accounting (AAA) protocol) on a service provider network at a security platform; Diameter applications such as S9 and Gx extend the functionality of Diameter-based protocols for mobile network-specific use cases. For example, a security platform (eg, a firewall, a network sensor acting on behalf of the firewall, or another device/component capable of implementing security policies) can monitor Diameter traffic on the mobile core network.

At 1104, filtering of Diameter protocol traffic at the security platform is performed based on the security policy. For example, the security platform can filter Diameter protocols and lower layer signaling protocols (eg, SCTP protocols) based on security policies.

At 1106, lower layer signaling protocol status and packet verification is performed based on the security policy. For example, the security platform may perform underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic.

In one embodiment, the security platform performs underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic. For example, the security platform may perform underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic by source/destination IP address (IP). As another example, the security platform may perform underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic by application ID and source/destination IP. As another example, a security platform may perform underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic by application ID, command code, and source/destination IP. can. As another example, the security platform performs underlying SCTP protocol state and packet validation while filtering Diameter protocol traffic by application ID, command code, AVP, and source/destination IP. be able to.

At 1108, security policy enforcement is performed using the security platform. For example, various enforcement actions (e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle, restrict access, and/or other enforcement actions) may be performed using the security platform in the same manner as described above. It can be executed by For example, the security platform may block filtered messages in Diameter protocol traffic or lower/upper layer signaling traffic based on a security policy.

In one embodiment, the security platform determines the source, destination, or aggregate criteria regarding the source, destination, or source and destination IP/IP of the hit while performing the underlying SCTP protocol state and packet validation. Perform rate limiting of any Diameter messages using a time interval in seconds and a threshold/number. For example, the security platform can determine the state of the underlying SCTP protocol and the aggregate criteria for source, destination, or source and destination IP/IP, time in seconds for hits, while performing packet validation. Rate limiting of any Diameter messages can be performed per application ID using intervals and thresholds/numbers. As another example, the security platform can determine the source, destination, or aggregate criteria for the source, destination, or source and destination IP/IP, hits in seconds, while performing underlying SCTP protocol state and packet validation. Rate limiting of any Diameter messages can be performed per command code using a time interval and a threshold/number of . As another example, the security platform can determine the source, destination, or aggregate criteria for the source, destination, or source and destination IP/IP, hits in seconds, while performing underlying SCTP protocol state and packet validation. Rate limiting of any Diameter messages can be performed per AVP using a time interval and a threshold/number of .

Although the embodiments described above have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.

Claims (20)

is a processor,
A security platform that monitors transport layer and signaling traffic on service provider networks, and
performing rate limiting on the transport layer signaling traffic in the security platform based on a security policy, the transport layer signaling protocol being a signaling transport (SIGTRAN) protocol, and
performing Stream Control Transport Protocol (SCTP) state and packet validation per payload protocol identifier (PPID) and source/destination IP address while performing rate limiting of SIGTRAN protocol messages;
a processor configured to:
a memory coupled to the processor and configured to provide instructions to the processor;
system, including. The processor further includes:
configured to implement the security policy based on the SIGTRAN protocol;
The system of claim 1. The processor further includes:
configured to perform lower layer/signaling protocol status and packet verification based on the security policy;
The system of claim 1. The processor further includes:
Aggregation criteria for source, destination, or source and destination IP, and time interval and threshold/number of hits in seconds while performing underlying SCTP protocol state and packet validation. configured to perform rate limiting of the SIGTRAN protocol messages using
The system according to claim 1. The processor further includes:
Aggregation criteria for source, destination, or source and destination IP, and time interval and threshold/number of hits in seconds while performing underlying SCTP protocol state and packet validation. configured to perform rate limiting of SIGTRAN protocol messages using
The SIGTRAN protocol messages include one or more of M2UA protocol messages, M3UA protocol messages, M2PA protocol messages, and SUA protocol messages.
The system of claim 1. The processor further includes:
Aggregation criteria for source, destination, or source and destination IP, and time interval and threshold/number of hits in seconds while performing underlying SCTP protocol state and packet validation. configured to perform rate limiting of the SIGTRAN protocol messages using
The SIGTRAN protocol messages include one or more of M2UA protocol messages, M3UA protocol messages, M2PA protocol messages, and SUA protocol messages.
The system of claim 1. The processor further includes:
configured to perform threat prevention based on the transport layer signaling protocol;
The system of claim 1. the security platform monitors radio interfaces, including a plurality of interfaces for the transport layer signaling protocols and user data traffic in a mobile core network for 3G and/or 4G networks;
The system of claim 1. The processor further includes:
configured to block filtered messages in the transport layer signaling traffic based on the security policy;
The system of claim 1. The processor further includes:
configured to block filtered messages in the transport layer signaling traffic or upper layer signaling traffic based on the security policy;
The system of claim 1. the processor monitors transport layer signaling traffic on the service provider network with the security platform;
the processor performs rate limiting on the transport layer signaling traffic at the security platform based on a security policy, the transport layer signaling protocol being a signaling transport (SIGTRAN) protocol; There are steps and
Stream Control Transport Protocol (SCTP) state and packet validation by payload protocol identifier (PPID) and source/destination IP address while the processor performs rate limiting of SIGTRAN protocol messages; and the steps to perform
including methods. The method further includes:
the processor performing enforcement of the security policy based on the SIGTRAN protocol message ;
The method according to claim 11. The method further includes:
the processor performing lower layer signaling protocol state and packet verification based on the security policy;
The method according to claim 11. The method further includes:
aggregation criteria for source, destination, or source and destination IP, and time interval in seconds for hits while the processor performs underlying SCTP protocol state and packet validation; and performing rate limiting of said SIGTRAN protocol messages using a threshold/number;
The method according to claim 11. The method further includes:
aggregation criteria for source, destination, or source and destination IP, and time interval in seconds for hits while the processor performs underlying SCTP protocol state and packet validation; and performing rate limiting of said SIGTRAN protocol messages using a threshold/number;
The SIGTRAN protocol messages include one or more of M2UA protocol messages, M3UA protocol messages, M2PA protocol messages, and SUA protocol messages.
The method according to claim 11. A computer program including a plurality of instructions,
monitoring transport layer signaling traffic on the service provider network with a security platform;
performing rate limiting on the transport layer signaling traffic in the security platform based on a security policy, the transport layer signaling protocol being a signaling transport (SIGTRAN) protocol; ,
performing Stream Control Transport Protocol (SCTP) state and packet validation for each payload protocol identifier (PPID) and source/destination IP address while performing rate limiting of SIGTRAN protocol messages; and,
causing a computing device to perform operations including;
computer program. The computer program further includes:
performing the step of enforcing the security policy based on the SIGTRAN protocol message ;
The computer program according to claim 16. The computer program further includes:
performing the step of performing lower layer/signaling protocol status and packet verification based on the security policy;
The computer program according to claim 16. The computer program further includes:
Aggregation criteria for source, destination, or source and destination IP, and time interval and threshold/number of hits in seconds while performing underlying SCTP protocol state and packet validation. performing rate limiting of the SIGTRAN protocol messages using the SIGTRAN protocol message;
The computer program according to claim 16. The computer program further includes:
Aggregation criteria for source, destination, or source and destination IP, and time interval and threshold/number of hits in seconds while performing underlying SCTP protocol state and packet validation. performing rate limiting of the SIGTRAN protocol messages using
The SIGTRAN protocol messages include one or more of M2UA protocol messages, M3UA protocol messages, M2PA protocol messages, and SUA protocol messages.
The computer program according to claim 16.

Images