Are You Sure Your Mobile Network is Secure?
NOTE: This is Part 2 of a 2 Part series covering the vulnerabilities in today’s mobile networks and how service providers can address them.
In the first part of this blog, I discussed the pervasiveness of mobile devices and some of the security vulnerabilities facing mobile service providers. In Part 2, I will describe in more detail the security challenges that many mobile network operators face and offer practical solutions regarding how they can address them.
Today mobile network operators manage billions of VoIP minutes on their networks at peering points with other operators and deep within their IMS architectures for calls originating within their networks. Interconnection Border Control Functions (IBCF) are used at these edge network points to perform important call management and transcoding functions. Moreover, the IBCFs in a IMS architecture have the ability to protect the network from threats such as
Proxy Call Session Control Functions (P-CSCF) serve as the entry point to the IMS domain and as the outbound proxy server for the endpoint device (e.g. smartphone). The P-CSCF protects against unauthorized IMS registrations and service abuse in which unauthorized users can use the services more than expected or gain access to services that are not allowed for them.
However, the challenge becomes how to further secure VoLTE traffic and mitigate bad actor infiltration and rogue endpoints generating DOS attacks, robo-calls, Telephony DoS (TDoS) attacks, network intrusions using SIP or having an endpoint device register to a fake application server.
With the growing demand of smartphones enabled for both
Figure 1: Today’s architecture: The IMS core for VoLTE, VoWiFi and VoIP call management
To completely protect the VoLTE network starts with a deep understanding of attack vectors targeting VoLTE. With the wide varieties and inherent complexities of SIP and VoIP protocols, VoLTE networks can only stand to benefit from the added value of behavioral analytics and machine learning. Specific to the connected smartphone applications, behavior analysis combined with machine learning will be crucial for detecting many types of fraudulent activity. Whether it be in the core of the mobile provider network or delivered as a service to the end customer, behavioral analytics has an important role to play in securing these network environments.
How Would it Work?
The IBCF’s position in the network is important as all VoLTE signaling traffic exchanged with peering partners must transit that platform. The IBCF inherently verifies the validity of the VoLTE and VoWiFi signaling protocols, provides user authentication, media protocol pin-holing (UDP and TCP) as well as understanding media protocol syntax and allowable bit-rates. As the IBCF is performing its core interconnection functions with peering partners, data about the VoLTE sessions, subscribers and routes are being logged and stored. A network behavioral analytics platform uses the IBCF as a “sensor” in the network. It gathers the collected data such as call detail records (CDRs), syslogs and event log data for analysis, trending and policy decisions.
Similarly, the P-CSCF’s position in the network is equally important as all VoLTE signaling and media traffic exchanged with access endpoints must transit the platform. End user smartphones must connect through the P-CSCF in which registration and service access metrics are logged and monitored. A network
As this network behavioral analytics platform collects data from the network “sensors,” transactional and behavioral analytics are performed to develop a new unified policy-based set of security enforcement rules for VoLTE traffic. These new security policies are provided to the enforcement points, or “enforcers” in the network which are capable of actually securing or altering the nature of the traffic. For example, the P-CSCF becomes the “enforcer” detection point for DoS and BOT originated attacks from mobile endpoints. Applying network behavioral analytics to these traffic flows allows MNOs to be able to identify threats in ways that simply weren’t possible even one year ago.
Finally, the integration across disparate enforcement points – such as NGFW,
Figure 2: IBCF and P-CSCF provide input to network behavioral analytics platform on SIP flows which signals the firewall to take action against unwanted traffic
By using analytics on the data collected from existing IBCF and P-CSCF elements (“Sensors”) and applying recursive security policies back to those existing IBCF and P-CSCF elements (“Enforcers”), mobile network operators can reduce costs due to service abuse and provide a more secure subscriber experience against breaches such as toll fraud.
Differentiation is the Key to Success
As the mobile market shifts to 5G and billions more of new devices are being connected to mobile networks, security will become even more important to new IoT providers and consumers. Establishing and monetizing the mobile network as a security platform that can be leveraged by the next wave of applications will be an important game-changing differentiator for the mobile operator and their customers.