
SS7 Security Perimeters and INAT0 NAT0 NAT1 definitions

While the P1 Security professional services team is busy deploying Core Network security monitoring with the PTM Signaling IDS on SS7, Diameter, GTP, SIP (IMS/VoLTE) and RADIUS, one question keeps coming back: the concept of a network perimeter in SS7.

This recurring misunderstanding shows the gap in security thinking between the IP-oriented domains (Diameter, GTP, RADIUS, SIP) and the SS7 domain.

A perimeter is a concept that is clearly understood in IP networks, but in the SS7 domain it is at best a fuzzy notion, and there are a couple of reasons for that.

Network Indicators and regional differences

NI = the Network Indicator field of the MTP3 Service Information Octet (SIO). It is carried unchanged over SIGTRAN: inside the MTP3 header when MTP3 rides on M2UA or M2PA, and as the NI octet of the Protocol Data parameter in M3UA.

NI (Network Indicator) values, as defined in ITU-T Q.704:

NI=0: INAT0, international network (the global SCCP roaming and call delivery network between operators)

NI=1: INAT1, international spare

NI=2: NAT0, national network

NI=3: NAT1, national spare (reserved for national use)

The dangerous perimeter is clearly INAT0: it is where the external roaming partners, i.e. the other operators, connect.

The International Signalling Point Codes used in INAT0 are assigned under ITU-T Q.708: ITU allocates blocks (Signalling Area/Network Codes) per country, and the national regulator assigns the individual point codes within those blocks to national operators.

The Global Titles used in INAT0 are E.164 numbers, in the same numbering plan as MSISDNs (phone numbers): ITU assigns the country codes, and the national regulator assigns number ranges within each country to operators, so a GT prefix identifies the operator that owns it.

But there is also another external perimeter: the national inter-operator network. Despite the specifications, this part is much fuzzier and less clear. In some countries NAT0 is used for national inter-operator traffic, in others it is NAT1.

These two perimeters (INAT0, and NAT0 or NAT1 as applicable) are the ones to monitor, with the overwhelming majority of the monitoring relevance and alerts coming from INAT0.

To prioritize security monitoring, it is vital to monitor INAT0 first, go deeper into INAT0 once a basic set of detections is mastered (for example Category 0 and 1 attacks), and then, once all categories are monitored on INAT0 and filters start being added routinely, move on to monitoring the national inter-operator network (NAT0 or NAT1).


Network Indicators and Network Appearance

What also brings doubt sometimes is that two closely named fields mean two totally separate things. NI is defined globally: its values have the same meaning on every SS7 network. NA (Network Appearance) is an M3UA parameter that an operator defines for its own use, to recognise and separate SS7 network contexts and interconnections behind a Signalling Gateway.

NI is small: two bits of the SIO sub-service field in MTP3, carried as a one-octet field in the M3UA Protocol Data parameter, with only values 0 to 3 defined. NI is global.

NA is large: a 32-bit value (the whole parameter, with its tag and length, is 8 bytes), leaving a lot of room for network segmentation and organisation. NA is operator-local: it exists only in M3UA, not in MTP3 itself, and it is only used and agreed between direct M3UA peers, typically a Signalling Gateway and the Application Server Processes behind it. Two operators can use the same NA value for entirely different things, so NA never identifies a perimeter by itself; only NI does.
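The following is an added example, not code from the original post or from P1 Security's PTM product. It decodes the NI from a raw MTP3 SIO and from an M3UA DATA message, reads the Network Appearance when present, maps the NI to the INAT0/INAT1/NAT0/NAT1 perimeter above, and assigns a monitoring tier following the sequencing in the previous section (INAT0 first, then the national inter-operator NI). Everything in it is an assumption for illustration: the sample message is constructed here with made-up point codes and a placeholder SCCP payload, the tier numbers are this example's own, and which of NAT0 or NAT1 is the national interconnect is passed in by the caller because it differs per country.

```python
import struct
from typing import Optional

# Perimeter names for the Network Indicator (ITU-T Q.704 sub-service field,
# carried as a one-octet NI in the M3UA Protocol Data parameter, RFC 4666).
NI_PERIMETER = {0: "INAT0", 1: "INAT1", 2: "NAT0", 3: "NAT1"}

# M3UA parameter tags (RFC 4666 section 3.2)
TAG_NETWORK_APPEARANCE = 0x0200
TAG_PROTOCOL_DATA = 0x0210


def ni_from_sio(sio: int) -> int:
    """Classic MTP3 SIO (also seen over M2UA/M2PA): NI is the two high bits, SI the low nibble."""
    return (sio >> 6) & 0x3


def parse_m3ua(msg: bytes) -> dict:
    """Parse the M3UA common header and walk the TLV parameters (values padded to 4 octets)."""
    if len(msg) < 8:
        raise ValueError("truncated M3UA common header")
    version, _reserved, msg_class, msg_type, length = struct.unpack("!BBBBI", msg[:8])
    if version != 1 or length != len(msg):
        raise ValueError("bad M3UA version or length")
    params = {}
    off = 8
    while off + 4 <= len(msg):
        tag, plen = struct.unpack("!HH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad parameter length at offset %d" % off)
        params[tag] = msg[off + 4:off + plen]   # value only, without its 4-byte TLV header
        off += (plen + 3) & ~3                  # skip padding up to the next 4-octet boundary
    return {"class": msg_class, "type": msg_type, "params": params}


def classify_data_message(msg: bytes) -> dict:
    """Return perimeter, point codes and (if present) the Network Appearance of an M3UA DATA message."""
    m = parse_m3ua(msg)
    if (m["class"], m["type"]) != (1, 1):                # class 1 = Transfer, type 1 = DATA
        raise ValueError("not an M3UA DATA message")
    pd = m["params"].get(TAG_PROTOCOL_DATA)
    if pd is None or len(pd) < 12:
        raise ValueError("Protocol Data parameter missing or truncated")
    opc, dpc, si, ni, mp, sls = struct.unpack("!IIBBBB", pd[:12])
    na_raw = m["params"].get(TAG_NETWORK_APPEARANCE)
    na = struct.unpack("!I", na_raw)[0] if na_raw is not None and len(na_raw) == 4 else None
    if ni not in NI_PERIMETER:                           # the octet can hold 4..255; none are defined
        raise ValueError("undefined Network Indicator %d" % ni)
    return {
        "perimeter": NI_PERIMETER[ni], "ni": ni, "na": na,
        "opc": opc, "dpc": dpc, "si": si, "sls": sls, "user_data": pd[12:],
    }


def monitoring_tier(perimeter: str, national_interconnect: str = "NAT0") -> int:
    """Tier 1 = INAT0, tier 2 = the NI this operator uses for national interconnect, tier 3 = the rest.
    The tiering follows the post's sequencing; the national interconnect NI is an operator-specific
    assumption supplied by the caller (NAT0 in some countries, NAT1 in others)."""
    if perimeter == "INAT0":
        return 1
    if perimeter == national_interconnect:
        return 2
    return 3


def build_sample_data(ni: int, na: Optional[int] = None) -> bytes:
    """Constructed M3UA DATA message for testing; point codes and SCCP payload are made up."""
    user_data = b"\x09\x00\x03\x05"   # placeholder bytes standing in for SCCP, not a real message
    pd = struct.pack("!IIBBBB", 0x0A2A, 0x0B0B, 3, ni, 0, 5) + user_data   # SI=3 is SCCP
    body = b""
    if na is not None:
        body += struct.pack("!HHI", TAG_NETWORK_APPEARANCE, 8, na)
    body += struct.pack("!HH", TAG_PROTOCOL_DATA, 4 + len(pd)) + pd
    body += b"\x00" * ((-len(pd)) % 4)   # pad the last parameter to a 4-octet boundary
    return struct.pack("!BBBBI", 1, 0, 1, 1, 8 + len(body)) + body


if __name__ == "__main__":
    for ni in (0, 2):
        info = classify_data_message(build_sample_data(ni, na=42))
        print(info["perimeter"], "tier", monitoring_tier(info["perimeter"]), "NA", info["na"])
```

Note that the NA is read and reported but never consulted when deciding the perimeter or the tier: it is meaningful only to the Signalling Gateway and ASPs that agreed on it, while the NI is what a monitoring probe on an interconnect link can rely on regardless of which peer sent the message.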

Network still seen as a walled garden

Another root cause of this difficulty in establishing security perimeters is the old notion that SS7 was only used between nice people (operators). That is definitely not the case anymore: today, SS7 access is available to far more parties than the operators themselves.

Conclusion

SS7 security is still a problem, but solutions are emerging. The hype around SS7 firewalls shows that there are still many immature solutions and very few actual SS7 firewall implementations.

Some operators with mature security governance are successfully managing such SS7 security projects by first looking (attack monitoring) and then filtering based on what that monitoring shows. While the tools mature, it is also necessary to use these monitoring tools and security initiatives to help the SS7/SIGTRAN teams ramp up and understand the security concepts that help them better defend their network.

Stay tuned: we will publish a follow-up blog post on P1 Security's current methodology for monitoring prioritization based on perimeters, and for sequencing the steps in monitoring depth and coverage in signaling networks.
