User equipment (UE) must be authenticated and authorized before it can access the network through a user-network interface. Authentication and authorization can be based on Subscriber Identity Module (SIM) or Universal Subscriber Identity Module (USIM) in the user’s terminal. Other means of authentication are user name and password combinations and certificate-based credentials. With 5G, the user terminal authentication procedure has been improved so that the home network obtains confirmation of successful authentication of a UE in the visited network.
Verification of injected signaling procedures is also recommended when users are properly authenticated and authorized. For example, in the case of an IP Multimedia Subsystem (IMS), the Edge Session Controller (SBC) at the edge of the network performs signaling and media flow control, and the SIP requests validation and encryption to protect subscriber privacy and integrity.
On network-to-network interfaces, CSPs must verify the reliability of incoming signaling procedures in their own administrative domains. This is usually done in nodes acting as the first point of contact at the edge of the signaling network. The Signaling Transfer Point (STP) acts as the first point of contact for SS7 signaling.
The Diameter Edge Agent (DEA) assumes this role for diameter signaling. SIP signaling from interfacing networks first terminates in an SBC before being propagated into the CSPs’ own networks.
In 5G, the Security Edge Protection Proxy (SEPP) acts as the first point of contact.
The principle of defense in depth can also be applied in the signaling network, introducing an additional layer of security controls in case the first layer is bypassed. Therefore, target nodes such as Home Location Register (HLR) or Home Subscriber Server (HSS) also perform integrity checks on signaling messages to filter out those that are obviously erroneous.
Recommended security checks on network-to-network interfaces can be separated into two types: stateless and stateful. Stateless security checks consider only message content and internal configuration data. Stateful security checks involve more sophisticated handling processes. A stateful security check is designed to prevent location-based fraud, where voice calls or text messages are redirected, resulting in illegal interception or impersonation of subscribers.
In large network deployments, there are multiple points of interconnection with roaming networks. Stateful security checks must be performed at all of these points of interconnection, which means that the signaling firewall will need an effective mechanism to synchronize location information about subscribers network-wide. New location information may be received at any of the interconnect points for a dedicated subscriber. The Last Trusted Location information must be the same across all signaling firewalls. Another use case for synchronizing location events between multiple firewall instances is cross-checking location events between different generations of mobile networks. 2G and 3G events are received via SS7 signaling, 4G events are received via Diameter signaling, and 5G events are received via HTTP/2 signaling. 5G has improved the security of subscriber location events through enhanced home control where the authentication information of the UE in the visited network is transmitted to the home network. Therefore, 5G location events are very reliable and can be compared to 2G/3G and 4G location events.
The use of encrypted signaling transport is a complementary strategy providing additional security in signaling networks. Internet Protocol Security (IPsec), TLS, or Datagram Transport Layer Security (DTLS) provides confidentiality, integrity, authentication, and replay protection for a signaling connection between two peers. External parties cannot read or modify signaling information. Neighboring peers can be authenticated more reliably and attackers cannot replay recorded signaling streams to damage the network. In 5G TLS, protected signaling connections are specified by the standards from the outset so that interface network functions are ready to use them.
Secure signaling connections can be established between two peers. It easily works on user-network interfaces where communication from a user terminal to a trusted network node can be encrypted. However, some limitations will arise when extending this concept to an end-to-end session involving multiple CSP networks. In 2G, 3G and 4G networks, end-to-end encryption is not easily possible when intermediate network nodes need to read and modify certain information elements of a signaling message to facilitate routing decisions. CSPs can agree on a secure signaling connection at their interconnecting links, but none of these CSPs can influence how signaling is handled behind the agreed security endpoints so that it is possible to continue with an unprotected signaling connection. 5G introduces the concept of an end-to-end protected roaming connection. Roaming interfaces can be protected using TLS or PRINS (Protocol for N32 Interconnect Security) based application layer security. The concept of end-to-end roaming security has also been specified for 4G networks using Diameter end-to-end security, but it is not yet widely deployed.
Another problem that thwarts secure signaling transport is the fact that attacks on the signaling infrastructure are launched from trusted network elements. This is possible due to the fact that nodes in the network are compromised, for example, by the exploitation of a zero-day vulnerability.
Given this limitation, the added value of end-to-end protected roaming connections is to clearly authenticate the remote party so that location fraud cannot easily be committed. With a signaling firewall, attacks can be made visible and countermeasures can be taken to block fraudulent traffic.