How can mobile service providers ensure resiliency and privacy through secure signaling?

Telecom signaling is an essential component of mobile networks, used to manage calls, data connections, and mobility services. Securing the signaling network is critical for mobile service providers to prevent unauthorized access to the network, protect subscribers' data, and ensure the integrity of the network. This blog explores why mobile service providers must leverage purpose-built signaling firewalls and analytics to protect their networks and subscribers from known and unknown signaling threats. We explore how Ericsson's Signaling Security Solution not only protects the service provider's network but also offers insights on transforming it into a resilient signaling network with the help of improved visibility, advanced analytics, and automation.

Technical Product Manager

Strategic Product Manager

Strategic Product Manager

Why signaling security?

Mobile networks rely on signaling connections to enable domestic and international roaming for their users. Roaming depends on partnerships between mobile network providers, who must share user data, including activity status and location, to maintain uninterrupted services. Legacy networks, such as 2G, 3G, and 4G, use signaling protocols like SS7, Diameter, and GTP to exchange this data. However, these protocols lack robust, built-in security mechanisms. In contrast, 5G networks employ HTTP/2 signaling, which offers enhanced security for roaming connections. 

Figure 1: Attacks on mobile networks and targeted UEs using roaming connections

Mobile service providers allow partner companies to access their signaling networks to facilitate roaming. Unfortunately, if a roaming partner's security is compromised, this access can be exploited to launch attacks against other service providers or their subscribers. Attackers can carry out activities such as targeted surveillance, call interception, and SMS fraud. One notable example is explained in the "Ghost on the Network" article, where several mobile service providers and their customers fell victim to message and call interceptions and surveillance by a rogue roaming partner. 

The increasing number of signaling attacks through roaming connections demands urgent attention from mobile service providers. As a result, many regulatory authorities have imposed stricter regulations on signaling networks. Failure to comply could result in financial penalties and legal repercussions against company leadership. 

Approach to building resiliency in signaling security   

In roaming, a service provider connects to partner networks using an interconnected network or a peer-to-peer connection. To facilitate roaming communication, 2G and 3G networks rely on the SS7 protocol, while 4G and 5G non-standalone (NSA) networks rely on the Diameter protocol. One of the challenges with these protocols is their lack of built-in security measures. This allows malicious signaling traffic to be sent through the interconnect interface by roaming partners, posing a serious threat to network integrity. Although 5G Standalone networks offer enhanced security features compared to previous generations, they cannot eliminate these threats, particularly when a roaming partner engages in dishonest practices. The complexity of the interconnect network and the widespread practice of service providers reselling number plans further exacerbate the issue.

Service providers can mitigate these risks by adopting a resilient network through an adaptable signaling security strategy. This strategy involves developing a robust security framework that integrates advanced analytics, process automation, and continuous operational assessments of the signaling system. Below, we outline several key components of this strategy that many service providers already implement, along with the essential capabilities required to build a resilient signaling network. 

Filtering unwanted signaling traffic 

In the SS7 protocol, the signaling transfer point (STP) serves as the initial point of contact in the operator's network for incoming and outgoing traffic in the interconnect network. Similarly, the Diameter edge agent (DEA) and the security edge protection proxy (SEPP) act as the first point of contact for the Diameter and 5G HTTP/2 protocols. In many deployments, these nodes, or a dedicated signaling firewall in front of them, filter out unwanted signaling traffic. With filtering in place, incoming traffic is first checked against known threats, and only unsuspicious traffic is passed on to the signaling nodes for processing. The actual filtering process typically applies several techniques, for example the filtering rules defined in the GSMA recommendations for category 1, 2, and 3 threats, together with rules derived from the industry's extensive experience of operating signaling networks.

In large network deployments, there are often multiple interconnection points to roaming networks, using different protocols for various mobile network generations. Attackers can exploit this complexity, targeting the network or its subscribers through the weakest protocol. To counter such threats, signaling firewalls synchronize and correlate data across multiple interconnection points and protocols, enabling  more effective detection and mitigation of attacks. 
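To make the category-based filtering concrete, here is a simplified interconnect filter in Python. It is an added example written for this post, not Ericsson's USFW code or any GSMA text: the assignment of MAP operation names to categories, the IMSI-to-home-network table, and the sample messages are all constructed assumptions for illustration. Category 1 operations are dropped outright, category 2 operations are allowed only when the sender's global title belongs to the home network of the subscriber they concern, and category 3 operations are marked for streaming to analytics, since their plausibility cannot be judged from a single message.

```python
"""Added example: a simplified interconnect filter modelled on the three
GSMA threat categories described in the text.  Illustrative code, not
Ericsson's USFW; the operation-to-category mapping is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Category 1 (assumed list): operations with no legitimate reason to arrive
# from a roaming partner; they belong inside the home network only.
CATEGORY_1 = {"anyTimeInterrogation", "sendIMSI"}
# Category 2 (assumed list): operations that are legitimate only when sent by
# the home network of the subscriber they concern (an inbound roamer).
CATEGORY_2 = {"provideSubscriberInfo", "insertSubscriberData", "cancelLocation"}
# Category 3 (assumed list): legitimate from any partner, but they need
# plausibility checks (such as velocity checks) that belong in analytics.
CATEGORY_3 = {"updateLocation", "sendAuthenticationInfo"}

# Constructed table: IMSI prefix (MCC+MNC) -> global-title prefix of that
# home network.  A real deployment derives this from roaming agreement data.
HOME_GT_PREFIX: Dict[str, str] = {"24001": "467", "50501": "614"}


@dataclass(frozen=True)
class MapMessage:
    operation: str   # MAP operation name
    calling_gt: str  # global title of the sending node (E.164 digits)
    imsi: str        # subscriber the message concerns


def home_network_of(imsi: str) -> Optional[str]:
    """Return the GT prefix of the IMSI's home network, or None if unknown."""
    for prefix, gt in HOME_GT_PREFIX.items():
        if imsi.startswith(prefix):
            return gt
    return None


def filter_message(msg: MapMessage) -> Tuple[str, str]:
    """Return (verdict, reason).  Verdicts are BLOCK, ALLOW or ANALYSE."""
    if msg.operation in CATEGORY_1:
        return "BLOCK", "category 1: never expected from the interconnect"
    if msg.operation in CATEGORY_2:
        home_gt = home_network_of(msg.imsi)
        if home_gt is None:
            return "BLOCK", "category 2: unknown home network for this IMSI"
        if not msg.calling_gt.startswith(home_gt):
            return "BLOCK", "category 2: sender is not the subscriber's home network"
        return "ALLOW", "category 2: sender matches the subscriber's home network"
    if msg.operation in CATEGORY_3:
        # Cannot be decided per message; forward a copy to analytics.
        return "ANALYSE", "category 3: stream to analytics for plausibility checks"
    return "ALLOW", "uncategorised operation"


def run_filter(messages: List[MapMessage]) -> Dict[str, int]:
    """Apply the filter to a batch of messages and count the verdicts."""
    counts = {"BLOCK": 0, "ALLOW": 0, "ANALYSE": 0}
    for m in messages:
        verdict, _ = filter_message(m)
        counts[verdict] += 1
    return counts


# Constructed sample traffic arriving over the interconnect.
SAMPLE = [
    MapMessage("anyTimeInterrogation", "61412345678", "240011234567890"),
    MapMessage("insertSubscriberData", "46701234567", "240011234567890"),  # from home network
    MapMessage("insertSubscriberData", "61412345678", "240011234567890"),  # from another network
    MapMessage("updateLocation", "61412345678", "240011234567890"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.operation, m.calling_gt, *filter_message(m))
    print(run_filter(SAMPLE))
```

The ANALYSE verdict is the point where a firewall hands traffic to the analytics function; a real deployment would also rate-limit and log each verdict so the applied ruleset stays visible to security operations.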

Employing upfront intelligence 

Network edge filtering with a signaling firewall improves security and is mostly effective against known threats. However, it cannot detect and protect against all types of threats originating from external networks. Powerful attackers can employ sophisticated techniques to exploit weaknesses (for example zero-day vulnerabilities) in the signaling protocol to attack the network. Often attackers employ multi-step techniques over a long time window to attack the network. Uncovering such threats requires cross-correlation of protocol messages sent and received over an extended period. This process involves understanding adversary behavior, correlating protocol messages with the latest threat intelligence, and ensuring a comprehensive and proactive approach to security. Signaling analytics employs these capabilities with both rules and machine learning to profile the signaling traffic. As a result, it detects many subtle threats and can even detect threats before they are realized. Deploying such advanced capabilities upfront can make a difference for service providers looking to protect their networks against new and unknown threats.

Visibility and closed-loop automation for signaling firewall 

While signaling firewalls and analytics are critical for securing signaling networks, a disjointed setup lacking visibility and automation can complicate operations and lead to configuration errors. Integrating these tools with the service provider’s security operations ensures a seamless, efficient, and error-free approach to network security.  Signaling firewall and signaling analytics should offer visibility of the configuration state, applied ruleset, and information about the detected and prevented threats. This capability should be further integrated with security operations and change management tools to create a unified view from the perspective of security operations. The unified view helps security operations personnel to easily perform threat investigations, identify configuration mistakes, and take corrective actions quickly.  

In a closed-loop feedback system, the actual response of the firewall is compared continuously with the desired response. Service providers can thereby build a closed-loop feedback system by fine-tuning their firewalls toward the desired response, for example to protect against novel threats detected using signaling analytics. In this step, service providers should particularly focus on automation among signaling firewalls, analytics, and operations tools. This setup eases the configuration of the firewall, eliminates errors, and increases operational efficiency for signaling security.
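The following Python example ties the two preceding sections together: an analytics step profiles signaling traffic per originating global title against a historical baseline to produce a desired response, and a closed-loop step compares that with the firewall's actual response and reconciles the two, returning an auditable change record. It is an added example, not Ericsson's TIDS, USFW or ESM code; the anomaly rule (count above the baseline mean plus three standard deviations), the blocklist-style firewall, and the sample traffic are constructed assumptions.

```python
"""Added example: analytics-driven closed-loop feedback to a signaling
firewall.  Illustrative code, not Ericsson's products; the anomaly rule,
the firewall model and the sample traffic are constructed for the example."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set
import statistics


@dataclass
class Firewall:
    """Minimal edge firewall: a blocklist of originating global titles."""
    blocked_origins: Set[str] = field(default_factory=set)

    def verdict(self, origin: str) -> str:
        return "BLOCK" if origin in self.blocked_origins else "ALLOW"


def analytics_desired_response(window: List[str],
                               baseline: Dict[str, List[int]]) -> Dict[str, str]:
    """Profile per-origin message counts in the current window against each
    origin's historical per-window counts.  Origins whose count exceeds
    mean + 3 standard deviations (assumed rule) get the desired response
    BLOCK; origins with too little history are left for a human to decide."""
    desired: Dict[str, str] = {}
    for origin, n in Counter(window).items():
        history = baseline.get(origin, [])
        if len(history) < 2:
            continue  # no usable baseline: do not automate a decision
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        desired[origin] = "BLOCK" if n > mean + 3 * sd else "ALLOW"
    return desired


def closed_loop(fw: Firewall, desired: Dict[str, str]) -> List[dict]:
    """Compare the firewall's actual response per origin with the desired
    one and reconcile them.  Returns the change record that a change
    management tool would store; an empty list means the loop has converged."""
    changes = []
    for origin, want in desired.items():
        have = fw.verdict(origin)
        if have == want:
            continue
        if want == "BLOCK":
            fw.blocked_origins.add(origin)
        else:
            fw.blocked_origins.discard(origin)
        changes.append({"origin": origin, "from": have, "to": want})
    return changes


# Constructed baseline: messages per window seen from each origin in the past.
BASELINE = {
    "46701": [40, 42, 38, 41, 39],
    "61401": [10, 12, 11, 9, 10],
    "99901": [5, 5, 6, 5, 4],
}
# Constructed current window: origin "99901" suddenly sends twelve times its
# usual volume; "12301" is a partner with no history yet.
WINDOW = ["46701"] * 40 + ["61401"] * 11 + ["99901"] * 60 + ["12301"] * 3


def run_cycle(fw: Firewall) -> List[dict]:
    """One pass of the loop: analyse the window, then reconcile the firewall."""
    return closed_loop(fw, analytics_desired_response(WINDOW, BASELINE))


if __name__ == "__main__":
    fw = Firewall()
    print("first pass:", run_cycle(fw))
    print("second pass:", run_cycle(fw))
    print("blocked:", sorted(fw.blocked_origins))
```

The second pass returning no changes is the "actual response equals desired response" condition the text describes; the change record is what should flow into the operator's change management tooling so that every automated rule change stays visible and reversible.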

Transform towards zero trust security

Boundary protection with the firewall and analytics offers a strong defense against threats to the service provider’s network. However, they are not enough to detect all types of threats originating from internal and external sources. A service provider's network comprises many layers. An attacker can exploit vulnerabilities in any layer to bypass boundary protection at the network edge. For example, attackers may exploit zero-day vulnerabilities in the software stack or use a misconfiguration within a service provider’s node to cause a signaling attack.   

Zero trust aims to detect and prevent all types of threats, both internal and external. This approach does not put implicit trust in any internal or external requests and does not rely on external perimeter boundaries for protection. Instead, the network is micro-segmented, and each request to or from the segment is verified per session using dynamic policies.  Decisions are made based on the confidence level in the requestor's identity and integrity. This leads to a resilient network protected against both internal and external attackers.  

Ericsson’s Signaling Security Solution  

Ericsson supports zero trust architecture (ZTA) to enhance telecom security and aid mobile network operators (MNOs) in achieving their security goals while complying with regulatory guidelines. Ericsson does this by improving individual products, refining processes, and complementing 3GPP/GSMA standards with specialized products necessary for a robust ZTA. We recommend service providers follow the zero-trust architecture guidelines and employ robust products to build resiliency in the network.   

Ericsson’s Signaling Security Solution is composed of three key components: Unified signaling firewall (USFW), telecom intrusion detection system (TIDS), and Ericsson Security Manager (ESM). The combined capabilities of these components help service providers to achieve zero trust in their signaling network.   

Figure 2: Ericsson’s Signaling Security Solution

Figure 2 shows a schematic diagram of these key components and message flows in a typical signaling network. USFW is a purpose-built signaling firewall designed to filter out unwanted traffic. It’s positioned at the network edge in front of or together with Ericsson’s Signaling Controller (offering functionalities such as  STP, DEA, and SEPP).  TIDS offers advanced analytics capabilities to detect both known and unknown threats. It complements the protection offered by the USFW with advanced detection capabilities, actionable threat intelligence, and easy investigation. Finally, ESM enhances zero trust maturity for signaling nodes by improving security and enabling automated closed-loop feedback between the TIDS and the USFW.  Figure 3 summarizes the key capabilities offered by the three components.  

Figure 3: Ericsson's Signaling Security Solution – closed loop in action

1. Ericsson’s unified signaling firewall (USFW) 

USFW is a purpose-built firewall that protects the service provider's network from signaling threats originating outside the network. It supports filtering for SS7, Diameter, and HTTP/2 signaling protocols across all mobile network generations (2G, 3G, 4G, and 5G). Designed to maximize the network's throughput, with sophisticated algorithms that handle threats online, USFW is best suited for security-conscious and performance-driven service providers.

The USFW is fully embedded in the Ericsson SEPP and DEA. This makes it possible for customers to minimize the number of network elements, and there is no need for an additional element manager. The SS7 messages can be routed from the STP to the USFW for further inspection.  

Figure 4: USFW deployment setup

The well-known security threats can be easily eliminated by activating the pre-configured security checks in the USFW. The security findings can be conveniently monitored on the security dashboard. In addition to supporting GSMA's category 1 and category 2 checks, the USFW can seamlessly cross-correlate messages across the SS7, Diameter, and hypertext transfer protocol (HTTP) domains. For example, if the USFW receives a location update for a subscriber via the HTTP roaming interfaces from Sydney, and two minutes later a location update for the same subscriber arrives from Stockholm via an SS7 link, the USFW applies time and location vector analysis and concludes that one cannot travel from Sydney to Stockholm in two minutes. For advanced analysis, the USFW can stream messages out to the TIDS.
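The Sydney-to-Stockholm case above is a velocity check: two location updates for one subscriber, possibly arriving over different protocols, are compared by distance and elapsed time. The Python below is an added example of such a check, not USFW code; the event format, the site coordinate table, the maximum plausible speed of 1000 km/h (roughly a commercial flight), and the sample events are constructed assumptions. It tracks the last known location per subscriber regardless of the interface the update came from, and it treats an out-of-order timestamp as something to flag rather than judge.

```python
"""Added example: cross-protocol location plausibility (velocity) check.
Illustrative code, not Ericsson's USFW; the speed threshold, coordinates
and sample events are constructed assumptions."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling on legitimate subscriber movement (about commercial-flight speed).
MAX_SPEED_KMH = 1000.0

# Constructed lookup: visited-network site identifier -> (lat, lon) in degrees.
SITE_COORDS: Dict[str, Tuple[float, float]] = {
    "sydney": (-33.8688, 151.2093),
    "stockholm": (59.3293, 18.0686),
}


@dataclass(frozen=True)
class LocationEvent:
    protocol: str  # "http2", "diameter" or "ss7": the interface it arrived on
    ts: float      # epoch seconds
    imsi: str      # subscriber the update concerns
    site: str      # key into SITE_COORDS


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def velocity_check(prev: LocationEvent, cur: LocationEvent) -> dict:
    """Judge whether moving from prev to cur in the elapsed time is physically
    plausible.  Returns the verdict with the numbers behind it."""
    if prev.imsi != cur.imsi:
        raise ValueError("velocity check compares updates for one subscriber")
    dist = haversine_km(SITE_COORDS[prev.site], SITE_COORDS[cur.site])
    hours = (cur.ts - prev.ts) / 3600.0
    if hours < 0:
        # Delivery order differs between interfaces: flag, do not judge.
        verdict = "OUT_OF_ORDER"
    elif dist == 0.0:
        verdict = "PLAUSIBLE"  # same site, any elapsed time is fine
    elif hours == 0.0 or dist / hours > MAX_SPEED_KMH:
        verdict = "IMPLAUSIBLE"  # guards the division as well as the speed
    else:
        verdict = "PLAUSIBLE"
    return {"verdict": verdict, "distance_km": dist, "hours": hours,
            "imsi": cur.imsi, "from_protocol": prev.protocol, "to_protocol": cur.protocol}


def check_stream(events: List[LocationEvent]) -> List[dict]:
    """Run the check over updates in arrival order, keeping the last known
    location per subscriber across all protocols."""
    last: Dict[str, LocationEvent] = {}
    findings = []
    for ev in events:
        if ev.imsi in last:
            findings.append(velocity_check(last[ev.imsi], ev))
        last[ev.imsi] = ev
    return findings


# Constructed sample: HTTP/2 update from Sydney, SS7 update from Stockholm two
# minutes later, then an SS7 update back from Sydney thirty hours after that.
T0 = 1_700_000_000.0
SAMPLE = [
    LocationEvent("http2", T0, "240011234567890", "sydney"),
    LocationEvent("ss7", T0 + 120, "240011234567890", "stockholm"),
    LocationEvent("ss7", T0 + 120 + 30 * 3600, "240011234567890", "sydney"),
]

if __name__ == "__main__":
    for f in check_stream(SAMPLE):
        print(f"{f['verdict']:12} {f['distance_km']:8.0f} km in {f['hours']:6.2f} h "
              f"({f['from_protocol']} -> {f['to_protocol']})")
```

The first finding is the implausible Sydney-to-Stockholm hop; the second, thirty hours later, is plausible. Keeping the distance and elapsed time in the finding is what lets an analyst verify the verdict during investigation instead of trusting a bare flag.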

2. Telecom intrusion detection system (TIDS)  

Ericsson has recently partnered with POST Luxembourg's telecom intrusion detection system (TIDS) to offer advanced signaling threat detection capabilities to mobile and mission-critical network customers. This complements Ericsson's existing signaling security and Ericsson Security Manager capabilities. TIDS detects attacks on SS7, Diameter, GTP-C, service-based architecture (SBA) HTTP/2, SMS, and cross-protocol attacks in 2G, 3G, 4G, and 5G technologies. It detects a wide range of call and SMS fraud, interception, spoofing, location tracking, misconfiguration, and denial of service (DoS) attacks. It also tracks and detects anomalies and unknown threats from an attacker targeting the home network. It does these detections using a combination of approaches: applying GSMA-defined signaling threat and abnormality rules; complementing GSMA's rules with industry best practices developed over years of running TIDS on several live networks; and applying machine learning techniques to detect anomalies. These detection capabilities, together with its real-time signaling threat visibility and investigation features, are critical for telecom service providers to measure how their signaling defenses are performing and to ensure firewalls are not bypassed.

Signaling threat intelligence is an in-built feature of TIDS. TIDS includes an in-built threat actor database, which is updated regularly as new actors are detected. The detection and investigation capabilities of the TIDS are enriched with the threat intelligence gathered worldwide via partners, carriers, GSMA T-ISAC, and TIDS global customer deployments. Actionable threat intelligence offered by TIDS reduces false positives, increases confidence while investigating, and reduces time spent on investigation. 

3. Ericsson Security Manager (ESM) 

ESM is a cybersecurity platform designed for mobile networks to enhance zero trust maturity by providing several essential functions—security visibility and analytics, automation and orchestration, and governance. By integrating ESM, mobile service providers can ensure proper implementation of a security function as outlined in industry standards and regulatory guidance. 

ESM automates closed-loop feedback between the TIDS and the unified signaling firewall. With this feature, security operations personnel can easily fine-tune the signaling nodes and firewall using feedback from the TIDS. ESM also assists operational personnel in enforcing and monitoring signaling security policies on signaling nodes.

Figure 5: ESM enabling closed-loop protection

Moreover, ESM improves visibility, analytics, and automation for Ericsson signaling nodes, such as unified signaling firewall, and TIDS. It offers capabilities for policy and configuration monitoring, applying security configuration, and threat detection at the node level. These capabilities ensure the operator's signaling nodes are free of configuration mistakes and detect attacks from the software stack. 

In summary, Ericsson's signaling security solution provides best-in-class signaling security protection for mobile service providers. This is achieved with three key components: first, USFW blocks malicious traffic and thereby prevents unauthorized access; second, TIDS detects known and unknown threats using the power of threat intelligence; finally, ESM automates closed-loop feedback for the identified threats.

Conclusion 

Mobile service providers face constant threats where trust is dwindling and attack vectors are evolving. To protect networks and comply with regulations, service providers must remain vigilant and proactive in their approach to security. Service providers are well-prepared to ensure the security and resiliency of their signaling networks when equipped with purpose-built security tools that prioritize automation and strive towards zero trust.  By leveraging purpose-built signaling firewalls and signaling intrusion detection systems enhanced with closed-loop automation, service providers can stay ahead of malicious actors and safeguard their networks from potential breaches. 

The Ericsson Blog
