A signaling firewall is a core network firewall that detects changes in mobile network behavior, raises alerts, and proactively blocks rogue network elements. Signaling firewalls prevent criminals from remotely intercepting SMS messages and calls, and they prevent the tracking of a network operator's subscribers whether or not those subscribers are roaming. They are needed because mobile networks are vulnerable to signaling attacks. Even so, signaling firewalls have limitations; the ten most important are listed below.
1. Lack Of Cross Protocol Integration
SS7 and Diameter modules in signaling firewalls lack integration with other network elements that process protocols such as ISUP, SIP, GTPv0, GTPv1, and GTPv2. This lack of integration makes it difficult for signaling firewalls to block GSMA GTP version 1 and version 2 category 3 related attacks and others, which require SS7 and Diameter to feed location-related information of the subscriber to the GTP firewall module.
2. Outdated System Software
Signaling firewalls are only scanned for vulnerabilities before they are deployed in production networks. Once they enter production they are rarely scanned due to their position in the network. These signaling firewalls sit behind a provider edge (PE) router or PE firewall in a zone called a service network.
The devices placed in the service network are rarely updated and they are not continuously scanned by vulnerability management systems due to IP firewalling rules preventing certain traffic from crossing multiple security zones. Expensive licenses to cover all the network devices in a core network are also one of the reasons why core network elements are not scanned for vulnerabilities.
Signaling firewalls are rarely patched because the newest operating system patches must be tested rigorously to ensure they do not break the signaling firewall application. By the time the vendor has patched the firewall, new vulnerabilities have been discovered, so risks are not easily reduced or managed.
3. Complex Rule Sets
Signaling firewalls are complex systems to manage, and require deep knowledge of telecommunication protocols and flows. Most of the firewall engineers at telecom operators are not skilled enough to understand the rationale behind the attacks and how the rules should be adjusted.
4. Complex Operational Mode
Mobile operators mistakenly treat the signaling firewall as a traditional core network node instead of a security node. Major changes to signaling firewalls are executed by the core network operations team instead of the telco’s IT security function. This complicates operations, leading to internal politics and causing further delay to the application of patches, rule set updates, and integration with other security systems.
5. Lack Of Statefulness
Not all signaling firewalls are fully stateful: they do not necessarily keep track of every transaction in the Transaction Capabilities Application Part (TCAP), a layer of the SS7 protocol stack. If TCAP transactions are not tracked correctly, the signaling firewall remains vulnerable to other attacks.
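A minimal illustration of the statefulness the paragraph asks for, added here as an example rather than code from the article or from any firewall product: a filter that records every open TCAP dialogue by its transaction ids and drops a Continue or End that fits no open dialogue, or a Begin that reuses a live id. It is a simplified model; the transaction ids, message sequence and verdict strings are constructed, real ids are binary values, and a production filter would also expire idle dialogues and track direction.

```python
from dataclasses import dataclass
from enum import Enum

class TcapType(Enum):
    BEGIN = "Begin"
    CONTINUE = "Continue"
    END = "End"  # Abort would be handled exactly like End

@dataclass(frozen=True)
class TcapMsg:
    kind: TcapType
    otid: str = ""  # originating transaction id (Begin, Continue); "" when absent
    dtid: str = ""  # destination transaction id (Continue, End); "" when absent

class StatefulTcapFilter:
    def __init__(self) -> None:
        self._dialogue_of: dict[str, str] = {}   # any transaction id -> dialogue key
        self._tids_in: dict[str, set[str]] = {}  # dialogue key -> its transaction ids

    def inspect(self, msg: TcapMsg) -> str:
        if msg.kind is TcapType.BEGIN:
            if msg.otid in self._dialogue_of:
                return "drop: Begin reuses a transaction id that is still open"
            self._dialogue_of[msg.otid] = msg.otid   # the Begin's id keys the dialogue
            self._tids_in[msg.otid] = {msg.otid}
            return "allow"
        key = self._dialogue_of.get(msg.dtid)
        if key is None:
            return f"drop: {msg.kind.value} references no open transaction"
        if msg.kind is TcapType.CONTINUE:
            if msg.otid and msg.otid not in self._dialogue_of:
                self._dialogue_of[msg.otid] = key   # responder's own id joins the dialogue
                self._tids_in[key].add(msg.otid)
            return "allow"
        for tid in self._tids_in.pop(key):         # End closes both sides' ids
            del self._dialogue_of[tid]
        return "allow"

def run_sample() -> list[str]:
    # Constructed traffic: one legitimate dialogue interleaved with stray messages.
    fw = StatefulTcapFilter()
    traffic = [
        TcapMsg(TcapType.BEGIN, otid="a1"),                # roaming partner opens a dialogue
        TcapMsg(TcapType.CONTINUE, otid="h7", dtid="a1"),  # home network answers
        TcapMsg(TcapType.BEGIN, otid="a1"),                # id reuse while a1 is still live
        TcapMsg(TcapType.END, dtid="h7"),                  # partner closes the dialogue
        TcapMsg(TcapType.CONTINUE, otid="x9", dtid="a1"),  # stale id after the End
        TcapMsg(TcapType.END, dtid="zz"),                  # id that was never opened
    ]
    return [fw.inspect(m) for m in traffic]
```

A purely stateless filter would pass all six messages, since each is well formed on its own; only the dialogue state lets the last three be rejected.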
6. Limited Modularity
Signaling firewalls are not modular enough to support, consume or exchange knowledge via APIs from external systems. Examples include:
- Signaling firewalls without GTP-C modules need to expose their API to dedicated IP firewalls that run GTP-C firewall modules to enable the detection or blocking of category 3 GTP-related attacks.
- Signaling firewalls should have ways of connecting to external sources of threat intelligence so they can block traffic from known malicious sources.
- Signaling firewalls should be connected to fraud management systems to exchange information which is useful for fraud prevention.
7. Poor Reporting
Most signaling firewalls only provide poor reporting functionality where the output tends to be machine-like. Understanding this output requires deep knowledge of telecommunication protocols, making it difficult for newcomers in the field to comprehend the significance of what is being reported.
Poor reporting also makes it difficult to justify the cost of the firewall because relevant information is not understood or communicated to decision-makers. Too much terminology and too much technical detail get in the way of putting an intelligible value on the work done by the firewall.
8. Obstacles to Scalability
Signaling firewalls are still run on physical ‘bare metal’ servers instead of virtual machines. It is therefore extremely difficult to scale signaling firewalls. Many operators are turning off their 3G networks but 2G, 4G, and 5G core networks will still support multiple devices, and the demand to accommodate more traffic will continue to increase.
9. Poor Hardening Hygiene
Signaling firewalls typically run on Linux or Unix operating systems, yet most firewall administrators lack the skills to manage the underlying operating system. This increases the chance of misconfiguration. The most noticeable issues are as follows.
- Management services are bound to all interfaces.
- Clear text management services such as telnet and FTP are still used.
- Self-signed certificates or clear text HTTP management portals.
- Lack of continuous hardening of the solution.
- Not integrated with authentication, authorization, and accounting (AAA) solutions.
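A small audit for the first two items in this list, added as an example that is not from the article: it parses a constructed `ss -ltn` listing from a hypothetical signaling firewall host and flags clear text management services (telnet, FTP, HTTP) and listeners bound to all interfaces or to any address outside an assumed dedicated management network of 10.10.5.0/24.

```python
import ipaddress

CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}   # clear text management protocols
WILDCARDS = {"0.0.0.0", "[::]", "*"}                 # "listen on every interface"
OAM_NET = ipaddress.ip_network("10.10.5.0/24")       # assumed management (OAM) network

# Constructed `ss -ltn` output for a hypothetical firewall host; 192.0.2.7 stands
# in for an address on the signaling-facing interface.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    10.10.5.4:443       0.0.0.0:*
LISTEN 0      128    [::]:8443           [::]:*
LISTEN 0      128    192.0.2.7:8080      0.0.0.0:*
LISTEN 0      128    127.0.0.1:9000      0.0.0.0:*
"""

def parse_listeners(ss_text):
    """Yield (local address, port) for each LISTEN line of `ss -ltn` output."""
    for line in ss_text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)      # "[::]:8443" -> "[::]", "8443"
        yield addr, int(port)

def audit(ss_text):
    """Return (port, finding) pairs for every listener that violates the checks."""
    findings = []
    for addr, port in parse_listeners(ss_text):
        if port in CLEARTEXT:
            findings.append((port, f"clear text service ({CLEARTEXT[port]}) is listening"))
        if addr in WILDCARDS:
            findings.append((port, "bound to all interfaces"))
            continue
        ip = ipaddress.ip_address(addr.strip("[]"))
        if not ip.is_loopback and ip not in OAM_NET:
            findings.append((port, f"bound to {ip}, outside the management network"))
    return findings
```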
10. Inadequate Monitoring
An insider could disable rules unless the signaling firewall is integrated with the corporate security information and event management (SIEM) solution. All the systems and application-related logs should be ingested by the SIEM and monitored for patterns of compromise. Continuous monitoring reduces the threat posed by insiders and should be coupled with the clear separation of duties.
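As an added example of the monitoring this paragraph calls for (not code from the article or from any SIEM product), the following detection runs over constructed audit log lines from a hypothetical signaling firewall and raises alerts when a rule is disabled by an account outside the security team, without a change reference, or in a burst. The log format, the `sec_` account prefix for the IT security function, and the thresholds are all assumptions.

```python
from datetime import datetime, timedelta

SECURITY_PREFIX = "sec_"          # assumed naming convention for IT security accounts
BURST_WINDOW = timedelta(minutes=5)
BURST_COUNT = 3

# Constructed syslog-style audit lines from a hypothetical signaling firewall.
AUDIT_LOG = """\
2024-05-02T01:12:03Z sigfw01 audit: user=ops_jdoe action=rule_disable rule=SS7_CAT3_LOCATION src=10.20.1.15
2024-05-02T01:12:09Z sigfw01 audit: user=ops_jdoe action=rule_disable rule=SS7_CAT2_SMS_INTERCEPT src=10.20.1.15
2024-05-02T01:12:40Z sigfw01 audit: user=ops_jdoe action=rule_disable rule=DIAMETER_ULR_ORIGIN src=10.20.1.15
2024-05-02T09:30:11Z sigfw01 audit: user=sec_amir action=rule_update rule=GTP_CAT3_ECHO src=10.20.7.2 change=CHG-4471
2024-05-02T10:02:55Z sigfw01 audit: user=sec_amir action=rule_disable rule=LEGACY_TEST src=10.20.7.2 change=CHG-4472
"""

def parse_events(log_text):
    """Turn each audit line into a dict of key=value fields plus a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, _host, _tag, rest = line.split(" ", 3)
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ev)
    return events

def detect(log_text):
    """Return (rule, reason) alerts for suspicious rule_disable events."""
    alerts, disables = [], []
    for ev in parse_events(log_text):
        if ev.get("action") != "rule_disable":
            continue
        if not ev["user"].startswith(SECURITY_PREFIX):     # separation of duties
            alerts.append((ev["rule"], f"rule disabled by non-security account {ev['user']}"))
        if "change" not in ev:                              # no approved change record
            alerts.append((ev["rule"], "rule disabled without a change reference"))
        disables.append(ev)
        recent = [d for d in disables
                  if d["user"] == ev["user"] and ev["ts"] - d["ts"] <= BURST_WINDOW]
        if len(recent) == BURST_COUNT:                      # fire once per burst
            alerts.append((ev["rule"], f"{BURST_COUNT} rules disabled by {ev['user']} within {BURST_WINDOW}"))
    return alerts
```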
Bringing It All Together
Signaling firewalls are very powerful security solutions that enable mobile operators to prevent multiple attacks which affect their infrastructure and the privacy of subscribers. It is important to make sure that the firewalls are deployed correctly without placing unhelpful limits on their effectiveness.
The original version of this article was published at Josué Martins’ account on Medium. It has been reproduced with permission.