Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2000 or 888 JUNIPER www.juniper.net
Part Number: 200074-002 June 2004
Contents
- Preface (page 3)
- Introduction (page 3)
  - GPRS Core Network Architecture Overview (page 3)
  - Classification of Security Services (page 4)
  - Data Services on the Gp and Gi Interfaces (page 5)
- Security Threats on the Gp Interface (page 5)
  - Availability (page 5)
  - Authentication and Authorization (page 6)
  - Integrity and Confidentiality (page 6)
- Security Solutions for the Gp Interface (page 7)
  - Gp Network Solution Diagram (page 8)
- Security Threats on the Gi Interface (page 8)
  - Availability (page 9)
  - Confidentiality (page 9)
  - Integrity (page 9)
  - Authentication and Authorization (page 9)
- Security Solutions on the Gi Interface (page 9)
  - Gi Network Security Solution Diagram (page 10)
- Security Threats on the Gn Interface (page 11)
- Security Solutions on the Gn Interface (page 11)
- Deploying GPRS Security Solutions on Juniper Security Systems (page 12)
- Conclusion (page 13)
- Acknowledgements and Resources (page 14)
Preface
This paper is intended to assist General Packet Radio Service (GPRS) operators and network designers in the evaluation of potential security threats and solutions. Although a brief review of GPRS architecture is provided, it is assumed that the reader understands the basic GPRS architecture and Internet Protocol data networking. This paper does not attempt to present an exhaustive list of all GPRS security issues.
Introduction
General Packet Radio Service (GPRS) is a data network architecture designed to integrate with existing GSM networks and offer mobile subscribers always-on, packet-switched data access to corporate networks and the Internet. GPRS gives mobile operators an opportunity to offer higher-margin data access services to subscribers. In return, subscribers benefit from GPRS by being able to use higher-bandwidth mobile connections to the Internet and corporate networks. GPRS Tunneling Protocol (GTP) is the protocol used by GSM or UMTS operators to convert radio signals from subscribers into data packets and then transport them in non-encrypted tunnels. GTP provides no inherent security.
With the addition of GPRS to GSM, mobile operators are adding mobile Internet and virtual private network services to their existing mobile voice services. GPRS networks are connected to several external data networks, including those of roaming partners, corporate customers, GPRS Roaming Exchange (GRX) providers, and the public Internet. Because their GPRS network connects to a variety of external networks, mobile operators must take appropriate steps to protect their own network from attacks originating from these external networks while continuing to provide access to and from them. Juniper Networks purpose-built firewall/IPSec VPNs address many of the security problems operators face when developing GPRS-based service offerings. The most recent version of GTP is GTP '99; a prior version was called GTP '97. Juniper's integrated firewall/VPN product line supports both versions of GTP.
GPRS Core Network Architecture Overview
The Gp and Gi interfaces are the primary points of interconnection between the operator's network and untrusted external networks. Operators must take appropriate measures to protect their network from attacks originating on these external networks.
[Figure 1: diagram of the operator's network showing the firewall/IPSec VPN; the GRX with Roaming Partner #1 and Roaming Partner #2 on the Gp interface; the Gn interface inside the operator's network; a VPN to Corporate Network #2; and the Ga interface to the Billing/Accounting DB]
Operators must secure the connections between trusted and untrusted networks:
- Gi interface: between the GPRS network and an external network, such as the Internet.
- Gp interface: between two mobile operators' networks, primarily for roaming.
- Ga interface: to the Billing and Accounting systems.
- Gn interface: which secures the mobile provider's internal network.
Classification of Security Services
When considering security threats and possible mitigation, it is important to consider attacks against each of these services. In some cases, it may not be important to protect against certain threats. For example, it is not necessary to protect the confidentiality of data that is intended to be public.
Data Services on the Gp and Gi Interfaces
- GTP: Provides logical connectivity between the SGSN and GGSN of roaming partners.
- BGP: Provides routing information between the operator and the GRX and/or roaming partners.
- DNS: Provides resolution for a subscriber's APN.
The Gi interface is the interface through which data originated by the MS is sent out to access the Internet or a corporate network. It is also the interface that is exposed to public data networks and to the networks of corporate customers. Traffic leaving the GGSN on the Gi interface, or arriving for an MS on the Gi interface, can be virtually any kind of traffic, since the application being used at the MS is unknown.
Security Threats on the Gp Interface
Availability
The most common type of attack on availability is a denial of service (DoS) attack. Several types of denial of service attack are possible on the Gp interface:
- Border Gateway bandwidth saturation: A malicious operator connected to the same GRX (whether or not they are actually a roaming partner) may be able to generate enough network traffic directed at a Border Gateway that legitimate traffic is starved of bandwidth in or out of the PLMN, thus denying roaming access to or from the network.
- DNS flood: DNS servers on the network can be flooded with correctly formed or malformed DNS queries, or with other traffic, denying subscribers the ability to locate the proper GGSN to use as an external gateway.
- GTP flood: SGSNs and GGSNs may be flooded with unauthorized GTP traffic that causes them to spend CPU cycles processing illegitimate data. This may prevent subscribers from roaming, from passing data out to external networks via the Gi, or from being able to GPRS attach to the network at all.
- Spoofed GTP PDP Context Delete: An attacker with the appropriate information can potentially craft a GTP PDP Context Delete message that removes the GPRS tunnel between the SGSN and GGSN for a subscriber. Some of the information that must be known can be learned by crafting other types of network traffic. An attacker who does not care whom they deny service to can send PDP Context Delete messages for every tunnel ID that might be in use.
- Bad BGP routing information: An attacker who controls a GRX operator's routers, or who can inject routing information into a GRX operator's route tables, can cause an operator to lose routes for roaming partners, denying roaming access to and from those partners.
- DNS cache poisoning: It may be possible for an attacker to forge DNS queries and/or responses that cause a given user's APN to resolve to the wrong GGSN, or to none at all. If a long Time To Live (TTL) is given, this can prevent subscribers from passing data at all.
Authentication and Authorization
No security is provided in GTP to protect the communication between different GPRS networks.
Integrity and Confidentiality
- Capturing a subscriber's data session: Because GTP and the embedded T-PDUs are not encrypted, an attacker who has access to the path between the GGSN and SGSN, such as a malicious employee or a hacker who has compromised the GRX, can potentially capture a subscriber's data session. Without encryption, this data can then be read or manipulated by illegitimate parties. This is generally true of traffic on public networks, and subscribers should be advised to use IPSec or similar protection.
Gp Network Solution Diagram
[Figure: the SGSN and GGSN connected across the GRX on the Gp interface, with GTP carried over IPSec; Roaming Partner #1, Roaming Partner #2 and the Internet are shown as external networks]
Security Threats on the Gi Interface
Availability
As on the Gp interface, denial of service attacks represent the largest threat on the Gi interface. Some examples include:
- Gi bandwidth saturation: Attackers may be able to flood the link from the PDN to the mobile operator with network traffic, preventing legitimate traffic from passing.
- Flooding an MS: If a flood of traffic is targeted at the network (IP) address of a particular MS, that MS will most likely be unable to use the GPRS network. This is particularly true because of the significant difference in available bandwidth on the air interface versus the Gi interface.
Confidentiality
There is no protection of data from an MS to the public data network or corporate network. It is assumed that third parties can see data if IP Security or application layer security is not being used.
Integrity
Data sent over public data networks can potentially be changed by intermediaries unless higher layer security is being used.
Security Solutions on the Gi Interface
- Traffic rate limiting: On connections to the Internet, prioritize IPSec traffic from corporate networks over other traffic. This ensures that attacks from the Internet cannot disrupt mobile intranet services. Another option is to use separate physical interfaces for corporate traffic and Internet traffic.
- Stateful packet inspection: Use a security policy that only allows the MS to initiate connections to the public network, and implement stateful packet filtering so that the MS never sees traffic initiated from the public network. If required, implement trusted application servers that are permitted by policy to push public network services to the MS. An alternative is to offer two types of service: one where connections can be initiated from the Internet toward the MS, and one where they cannot.
- Ingress and egress packet filtering: Prevent spoofed MS-to-MS data by blocking incoming traffic whose source addresses are those assigned to an MS for public network access.
- Overbilling attack prevention: Juniper's solution enables the GTP firewall to notify the Gi firewall of an attack. The Gi firewall can then terminate the hanging sessions and/or tunnels, cutting off the unwanted traffic and preventing the GPRS subscriber from being overbilled. This solution is not limited exclusively to the Gi interface.
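The MS-initiated-only policy, the trusted push servers, the ingress filter on MS source addresses, and the overbilling notification hook from the GTP firewall can be combined in a single Gi policy engine. The following Python is an added example for this page, not Juniper's implementation; the MS address pool (10.20.0.0/16), the flow-tuple session model and the `gtp_tunnel_deleted` hook name are assumptions made for the example.

```python
import ipaddress

# Constructed example pool: the addresses the GGSN assigns to mobile stations (MS)
MS_POOL = ipaddress.ip_network("10.20.0.0/16")

class GiFirewall:
    """Stateful Gi-side policy: only the MS may open connections to the public network."""
    def __init__(self, ms_pool=MS_POOL, push_servers=()):
        self.ms_pool = ms_pool
        # Trusted application servers allowed by policy to push services to an MS
        self.push_servers = {ipaddress.ip_address(a) for a in push_servers}
        self.sessions = set()   # (ms_ip, ms_port, pdn_ip, pdn_port, proto) opened by an MS

    def inspect(self, direction, src, sport, dst, dport, proto="tcp"):
        """direction is 'out' (MS -> PDN) or 'in' (PDN -> MS); returns PERMIT or DROP:<reason>."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if direction == "out":
            if src not in self.ms_pool:            # egress filter: no spoofed sources leave
                return "DROP:outbound source is not an MS address"
            self.sessions.add((src, sport, dst, dport, proto))
            return "PERMIT"
        # Inbound: ingress filter first, so MS-to-MS spoofing via the PDN is blocked outright
        if src in self.ms_pool:
            return "DROP:inbound packet claims an MS source address"
        if dst not in self.ms_pool:
            return "DROP:inbound destination is not an MS address"
        if (dst, dport, src, sport, proto) in self.sessions:
            return "PERMIT"                        # reply to a flow the MS opened
        if src in self.push_servers:
            return "PERMIT"                        # trusted push server
        return "DROP:inbound connection not initiated by the MS"

    def gtp_tunnel_deleted(self, ms_ip):
        """Hook for the GTP firewall's notification: purge the MS's sessions so a hanging
        Gi session cannot keep delivering (and billing) traffic after its PDP context is gone.
        Returns the number of sessions removed."""
        ms_ip = ipaddress.ip_address(ms_ip)
        before = len(self.sessions)
        self.sessions = {s for s in self.sessions if s[0] != ms_ip}
        return before - len(self.sessions)
```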
Gi Network Security Solution Diagram
[Figure: the SGSN and GGSN with the Gi interface connecting to Corporation A and Corporation B]
Security Threats on the Gn Interface
Attacks at the Gn interface can potentially bring down the network, depending on the intensity of the attack. This impact can lead to network downtime, loss of service, revenue loss and disgruntled customers.
- Spoofed SGSN or GGSN: Malicious users can disguise themselves as a legitimate part of the network by spoofing the IP address of a GGSN or SGSN. Once a party has established itself as a legitimate network element or user, it can take actions that are detrimental to customers or wireless carriers, such as deleting PDP contexts or sessions. Because such attacks execute commands that a GGSN normally executes, they can go undetected until the damage is done, unless the network is protected by a stateful firewall.
- Spoofed GTP PDP Context Delete: An attacker with the appropriate information can potentially craft a GTP PDP Context Delete message that removes the GPRS tunnel between the SGSN and GGSN for a subscriber. Some of the information that must be known can be learned by crafting other types of network traffic. An attacker who does not care whom they deny service to can send PDP Context Delete messages for every tunnel ID that might be in use.
- Attacks from one mobile customer against another: Mobile customers, whether legitimate or not, may attack each other. One such attack is the previously described overbilling attack, which is the GPRS equivalent of spam. Once the malicious user has gained what appears to be legitimate network access, they can send massive amounts of data to unsuspecting users. Since GPRS is a usage-based service, innocent users are overbilled for content they did not request. Such an attack would be even more harmful than e-mail spam, as it becomes much more than an annoyance: imagine being charged, per message, for every piece of junk e-mail you received from a spammer.
Security Solutions on the Gn Interface
Policy-based firewall management allows providers to use Juniper's arbitrary any-to-any zone structure to protect against attacks originating from within the network. A simple trust/untrust architecture does not fully allow this, because there is often no concept of "untrust" within the confines of a given provider's network.
Stateful inspection firewall: By deploying a stateful inspection firewall and setting the policies by which traffic is allowed or disallowed, carriers can protect against the attacks mentioned above. For example, in the case of spoofed GGSN messages, a PDP context message that does not pass the sanity check detection mechanisms is dropped. In the example above, where a GTP PDP Context Delete message might be spoofed by a malicious user posing as a GGSN, if no prior GTP PDP Context Create message had been received, the Delete message would not pass the sanity check and would be dropped by the firewall. Juniper's overbilling feature enables a carrier to prevent the spam example by deleting the hijacked session that the malicious party used to execute the attack.
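The sanity check just described, and the spoofed PDP Context Delete threat listed for the Gp and Gn interfaces, come down to one rule: a Delete is only valid for a tunnel whose creation the firewall saw. The following Python is an added example for this page, not Juniper's firewall code. It parses the GTPv1 (GTP '99) control-plane header and the TV-format information elements of 3GPP TS 29.060, records a tunnel only when a Create PDP Context Request is answered by an accepting Create PDP Context Response, and drops a Delete PDP Context Request whose header TEID does not belong to a known tunnel. Peer addresses are plain strings; GTP-U (G-PDU) traffic, secondary PDP contexts and extension-header chains are left out of scope.

```python
import struct

# GTPv1 (GTP '99) control-plane message types from 3GPP TS 29.060
CREATE_REQ, CREATE_RESP, DELETE_REQ, DELETE_RESP = 16, 17, 20, 21
# Fixed value lengths of the TV-format IEs found in Create/Delete PDP Context messages
TV_LEN = {1: 1, 2: 8, 3: 6, 8: 1, 14: 1, 15: 1, 16: 4, 17: 4, 19: 1, 20: 1}

def parse_gtpc(pkt):
    # Returns (msg_type, header_teid, teid_control_plane, cause) or None if malformed
    if len(pkt) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10 or length != len(pkt) - 8:
        return None                   # wrong version, PT bit not set, or bad length
    # S/PN/E flags add a 4-byte optional field; extension header chains are not handled
    body = pkt[12:] if flags & 0x07 else pkt[8:]
    teid_c, cause, pos = None, None, 0
    while pos < len(body) and body[pos] < 128:   # TV IEs precede TLV IEs, in ascending order
        ie, end = body[pos], pos + 1 + TV_LEN.get(body[pos], 0)
        if ie not in TV_LEN or end > len(body):
            return None
        if ie == 1:
            cause = body[pos + 1]
        if ie == 17:
            teid_c = struct.unpack("!I", body[pos + 1:end])[0]
            break
        pos = end
    return msg_type, teid, teid_c, cause

class GtpcInspector:
    def __init__(self):
        self.pending = set()   # (sgsn, ggsn, sgsn_teid_c) awaiting a Create PDP Context Response
        self.tunnels = {}      # (src, dst, header teid) -> key of the opposite direction

    def inspect(self, src, dst, pkt):
        """Return 'PERMIT' or 'DROP:<reason>' for one GTP-C datagram sent from src to dst."""
        parsed = parse_gtpc(pkt)
        if parsed is None:
            return "DROP:malformed"
        msg_type, teid, teid_c, cause = parsed
        if msg_type == CREATE_REQ:       # a new (primary) context is requested with TEID 0
            if teid != 0 or teid_c is None:
                return "DROP:create request needs header TEID 0 and a TEID-C IE"
            self.pending.add((src, dst, teid_c))
        elif msg_type == CREATE_RESP:    # GGSN addresses it to the SGSN's control-plane TEID
            if (dst, src, teid) not in self.pending:
                return "DROP:create response without matching request"
            self.pending.discard((dst, src, teid))
            if cause is not None and cause >> 6 == 2 and teid_c is not None:  # 128..191 = accepted
                self.tunnels[(dst, src, teid_c)] = (src, dst, teid)  # SGSN->GGSN uses GGSN's TEID-C
                self.tunnels[(src, dst, teid)] = (dst, src, teid_c)  # GGSN->SGSN uses SGSN's TEID-C
        elif msg_type == DELETE_REQ:
            if (src, dst, teid) not in self.tunnels:
                return "DROP:delete for unknown tunnel"   # blind or spoofed PDP Context Delete
        elif msg_type == DELETE_RESP:
            reverse = self.tunnels.pop((src, dst, teid), None)
            if reverse is None:
                return "DROP:delete response for unknown tunnel"
            self.tunnels.pop(reverse, None)
        return "PERMIT"   # other GTP-C types (Echo, Update) pass here; a real policy would allow-list them
```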
Deploying GPRS Security Solutions on Juniper Security Systems
- GTP Tunnel Count Limits
- APN and Selection Mode
- GTP Management and Logging Features:
  - GTP Traffic Counting
  - GTP Traffic Logging
  - Many other advanced logging capabilities
- High-availability fail-over, including:
  - GTP state tables
  - VPN gateway connections
- Virtual Router support to separate intranet-destined traffic
- IPSec tunnels or 802.1q VLANs to the GGSN
- IPSec tunnels or 802.1q VLANs toward the corporate network
- Hardware-accelerated support for GTP over IPSec tunnels
Conclusion
GPRS promises to benefit mobile data users greatly by providing always-on, higher-bandwidth connections than are widely available today. To be successful, data connections must be secure and available anytime and from anywhere.
The maturity of security on the air interface and the low bandwidth available there limit the effectiveness of the Mobile Station as a source of attacks. However, with the introduction of GPRS services, operators must connect their networks to those of corporate customers, public data networks, and other operators in order to provide data access services. These connections represent significant risks to subscribers and to the operators themselves.
The lack of security inherent in GTP, the protocol used between roaming partners, represents a significant threat. The security of the roaming network is only as good as that of the weakest operator. Implementing IPSec between roaming partners, traffic rate limiting, and GTP stateful inspection can mitigate a significant number of threats on the roaming network.
Stateful packet inspection, traffic rate limiting, and logical separation of traffic for each corporate network and the public network can significantly reduce the threat between the operator's network, its subscribers, and these external networks.
Juniper Networks has developed technology and solutions that include a GTP-aware stateful inspection firewall, GTP-aware traffic shaping, and a VPN/VLAN tunnel hub. These solutions help mitigate many of the possible threats to the GPRS network, mobile subscribers, and corporate networks.