The view from the other side of the fence
IV. SS7 SECURITY ISSUES
Dave Henderson (SEVIS Systems) gave a presentation entitled, "Public Switched Network is Now Really Public (Attachment 4)." Dave noted he has spent a number of years working in information warfare and protection. He noted that his work addresses issues on network security and open network connection.
Points Noted
10. Dave noted there are concerns with reliability of equipment. He noted that while the PSTN was formerly relatively closed, it is now wide open.
11. Dave noted in the past, the internet was relatively safe; however recent events have opened security issues while teaching vulnerability lessons. He noted that with an increase in network users, there is also an increase in vulnerabilities identified by users and decreased ability to control the network.
12. Dave reviewed the emerging threats to the PSTN. He noted the cost resulting from fraud is presently $12 billion and growing. With the rapid development of technology, there is less time for adequate testing. He noted that the quality of intruder tools is improving and they are becoming more available. He further noted hacker magazines are writing SS7 articles.
13. Dave reviewed some of the major threats to individual networks. Among these he noted theft of SS7 service (calling card numbers, wireless fraud and rerouting of call traffic) and denial of service.
14. Dave noted the solutions that are presently available for addressing security issues are inadequate. He noted the present gateway screening capabilities are unreliable, there is no standard security guideline for interconnection, there is a progressive skills gap, and there are currently no mechanisms to control or authenticate traffic on the network.
15. Dave noted the networks are very fragile with a tremendous number of vulnerabilities.
16. Dan noted if the network was compromised by a problem caused by a new piece of equipment, this could be devastating to a company's reputation.
17. Dave noted in order for convergence to take place interoperation with different transport and signaling technologies is imperative.
18. Dave noted the industry needs to be more proactive in addressing the security issues in order to avoid having the government impose mandates and to ensure the US is protected from information warfare attacks that could result in the draining of bank reserves and the cutting off of power sources.
19. Dan noted that like interoperability testing, security testing discoveries provide insurance against issues that arise. Unfortunately, until problems arise, people are not quick to act.
This was the industry view 2 years ago. In light of the technological advances that have been made in the last 2 years regarding the proliferation of packet-switched voice traffic I'm interested to see what the community thinks.
Let's face it as the industry moves towards a more converged state, we haven't even really begun to consider the security implications that present themselves in this new environment.
-Scott
On Sun, 10 Mar 2002, Sean Donelan wrote:
IV. SS7 SECURITY ISSUES
Dave Henderson (SEVIS Systems) gave a presentation entitled, "Public Switched Network is Now Really Public (Attachment 4)." Dave noted he has spent a number of years working in information warfare and protection. He noted that his work addresses issues on network security and open network connection.
Points Noted
10. Dave noted there are concerns with reliability of equipment. He noted that while the PSTN was formerly relatively closed, it is now wide open.
11. Dave noted in the past, the internet was relatively safe; however recent events have opened security issues while teaching vulnerability lessons. He noted that with an increase in network users, there is also an increase in vulnerabilities identified by users and decreased ability to control the network.
12. Dave reviewed the emerging threats to the PSTN. He noted the cost resulting from fraud is presently $12 billion and growing. With the rapid development of technology, there is less time for adequate testing. He noted that the quality of intruder tools is improving and they are becoming more available. He further noted hacker magazines are writing SS7 articles.
13. Dave reviewed some of the major threats to individual networks. Among these he noted theft of SS7 service (calling card numbers, wireless fraud and rerouting of call traffic) and denial of service.
14. Dave noted the solutions that are presently available for addressing security issues are inadequate. He noted the present gateway screening capabilities are unreliable, there is no standard security guideline for interconnection, there is a progressive skills gap, and there are currently no mechanisms to control or authenticate traffic on the network.
15. Dave noted the networks are very fragile with a tremendous number of vulnerabilities.
16. Dan noted if the network was compromised by a problem caused by a new piece of equipment, this could be devastating to a company's reputation.
17. Dave noted in order for convergence to take place interoperation with different transport and signaling technologies is imperative.
18. Dave noted the industry needs to be more proactive in addressing the security issues in order to avoid having the government impose mandates and to ensure the US is protected from information warfare attacks that could result in the draining of bank reserves and the cutting off of power sources.
19. Dan noted that like interoperability testing, security testing discoveries provide insurance against issues that arise. Unfortunately, until problems arise, people are not quick to act.
On Mon, 11 Mar 2002, Scott Madley wrote:
Let's face it as the industry moves towards a more converged state, we haven't even really begun to consider the security implications that present themselves in this new environment.
With convergence, do you think we will get the best security practices from both worlds, or the worst?
### On Wed, 13 Mar 2002 05:51:46 -0500 (EST), Sean Donelan
### <sean@donelan.com> casually decided to expound upon Scott Madley
### <scott@xgcic.net> the following thoughts about "Re: The view from the
### other side of the fence":
SD> On Mon, 11 Mar 2002, Scott Madley wrote:
SD> > Let's face it as the industry moves towards a more converged state, we
SD> > haven't even really begun to consider the security implications that
SD> > present themselves in this new environment.
SD>
SD> With convergence, do you think we will get the best security practices
SD> from both worlds, or the worst?
My off-the-cuff prediction is, as with any convergence process, it will be first the latter and then the former... but then again, I'm a cynic.
--
/*===================[ Jake Khuon <khuon@NEEBU.Net> ]======================+
| Packet Plumber, Network Engineers /| / [~ [~ |) | | --------------- |
| for Effective Bandwidth Utilisation / |/ [_ [_ |) |_| N E T W O R K S |
+=========================================================================*/
A network is only as secure as its weakest link....
sounds like a cliche, but am afraid this least-common-denominator rule will hold as networks converge.
rajesh.
"--- begin message from Sean Donelan ---"
On Mon, 11 Mar 2002, Scott Madley wrote:
Let's face it as the industry moves towards a more converged state, we haven't even really begun to consider the security implications that present themselves in this new environment.
With convergence, do you think we will get the best security practices from both worlds, or the worst?
On Wed, 13 Mar 2002, Rajesh Talpade wrote:
A network is only as secure as its weakest link....
sounds like a cliche, but am afraid this least-common-denominator rule will hold as networks converge.
Is there anything we can do to improve this? How can we make sure the people who "need-to-know" find out how to secure their weakest links instead of waiting for each company to stumble along their learning curve. The usual answer is hire an expert (or SAIC :-). But there aren't enough qualified experts to go around in the best of circumstances. The problems include divergent cultures, technologies, and even generations. Until the technology crash, the so-called next generation networking companies didn't want to "converge" with the existing companies; they wanted to wipe them out. There wasn't a lot of sharing between the different groups, even within the same company. I'm not sure one security approach is better than the other, but they mix like oil and water when you combine traditional telephone security and Internet security methods.
### On Wed, 13 Mar 2002 08:00:41 -0500 (EST), Sean Donelan
### <sean@donelan.com> casually decided to expound upon Rajesh Talpade
### <rrt@research.telcordia.com> the following thoughts about "Re: The view
### from the other side of the fence":
SD> On Wed, 13 Mar 2002, Rajesh Talpade wrote:
SD> > A network is only as secure as its weakest link....
SD> >
SD> > sounds like a cliche, but am afraid this least-common-denominator rule
SD> > will hold as networks converge.
SD>
SD> Is there anything we can do to improve this? How can we make sure
SD> the people who "need-to-know" find out how to secure their weakest
SD> links instead of waiting for each company to stumble along their
SD> learning curve.
That's a good question. Unlike the system's world where there seems to be quite a few free as well as commercial toolkits alongside stuff that gets distributed OEM to run security audits (many OSes are preconfigured as part of their installation process to generate periodic audits), there doesn't seem to be many such toolkits for auditing networks as a whole. I think this stems from several reasons (and I'm probably missing a few).
[1] Diversity in network designs force security folks to tailor their auditing tools to a particular network.
[2] Exposure of homegrown auditing methods and procedures viewed as a security breach so such things simply are kept in secrecy. I suspect however that no one has really developed a comprehensive generic auditing tool or toolkit but instead relies on a combination of handcrafted scripts and security policies to run manual audits instead of automated ones. Someone please prove me wrong.
[3] Networks are not really thought of holistically like a server is in the system's world. Security tools are targeted more towards auditing devices in an individual manner because modelling the entire network is too difficult.
I suppose some of the folks doing IDS and/or distributed firewall (Oh Mr. Bellovin? |8^) development may be able to shed better light on the subject. But IDS seems to be a reactive measure rather than a proactive one and distributed firewalls may address some issues with device security but doesn't seem to really touch on enforcing sane routing practices.
--
/*===================[ Jake Khuon <khuon@NEEBU.Net> ]======================+
| Packet Plumber, Network Engineers /| / [~ [~ |) | | --------------- |
| for Effective Bandwidth Utilisation / |/ [_ [_ |) |_| N E T W O R K S |
+=========================================================================*/
On Wed, 13 Mar 2002, Sean Donelan wrote:
:With convergence, do you think we will get the best security practices
:from both worlds, or the worst?
Most organizations' security policies have grown organically, or by precedent, as opposed to being 'architected'. When convergence occurs, the company with the most existing security infrastructure 'wins'. By this I mean their practices are adopted by the less organized one.
Also, I have seen some very elaborate, enterprise wide free software security solutions that were technically elegant, and very robust, but they were swept aside because the owners of these systems could not adequately communicate their business value.
It has been my observation that convergence doesn't relate so much to the integration of technologies to provide new services, as it does the rationalization of differing business models into new ones.
From a big picture security perspective, the security challenges of a convergence between a telco and a satellite tv company aren't as much about integrating the various networking technologies and exposing ground station computers to the Internet, as they would be about DRM, fraud mitigation, subscriber privacy and infrastructure protection.
The reason I'm mentioning this is because I have heard some security people talking about the problems with IP gateways to the PSTN, which is legitimately frightening to many, but the issue isn't about what will happen when some PBX manufacturer puts an IP stack and an ethernet card in their product without doing security QA testing. It is about whether the traditional telecom security models that look a lot like corporate IT, where network people don't touch servers, and vice versa, will work when the line blurs between the network and the application.
In corporate IT, I am one of those "Internet guys" that thinks he can manage systems _and_ networks, which is like saying to me that I play both kinds of music, country _and_ western.
Worst case scenario, we get Kafkaesque bureaucracy with no standards or procedures. Best case, we get a hybrid of strong, auditable and enforceable policy, with an understanding of the systems and networks as a single service as presented to the customer.
So, as for whether we will see better or worse security policy, I can guarantee we will see the most cost effective solutions, meeting the minimum legal requirements, which serve customers' needs, and improve overall ROI for stakeholders. In other words, not much will change by virtue of convergence alone. It will take education, possibly regulation, and market incentives to create better security policy, and I think these things are independent of the features of new technologies.
Cheers,
-- batz