GSMA FS.11 (SS7 Interconnect Security Monitoring and Firewall Guidelines) outline the SS7 threats that MNOs should be monitoring. Are you protected?

GSMA FS.11 (SS7 Interconnect Security Monitoring and Firewall Guidelines) outlines at a high level how mobile network operators (MNOs) can monitor and sample SS7 MAP and CAMEL traffic to monitor unwanted or malicious SS7 traffic, and set firewall policies to improve the protection of their networks.

As mobile operators have continued to add more functions and services, signalling networks are required to carry increasing amounts of sensitive and confidential data, including location, SMS texts, billing data, and so on. This data is sent via roaming interconnectors, which means potentially that anyone with access to the SS7 network can mine the data of any individual on any network in the world.

SS7 attacks can lead to:

• Stolen subscriber information
• Network information disclosure
• Subscriber traffic interception
• Fraud
• Denial of service

GSMA FS.11 outlines Category 1 to 3 SS7 vulnerabilities

The GSMA’s FS.11 guidelines specifically outline the SS7 vulnerabilities that operators must recognise and protect against, while offering guidelines on where to monitor, how to monitor and how to protect networks.

FS.11 divides SS7 attacks into three categories, as outlined below:

Category 1 – Prohibited Interconnect Packets

Category 2 – Unauthorised Packets

Category 3 – Suspicious Location Packets    

Category 3 type attacks are those that require on-going and continuous “cat and mouse” security upgrades as attackers become more sophisticated and continuously push the boundaries of these types of attacks.

SS7 monitoring at multiple nodes

A common line of defence against SS7 attacks is a firewall. An increasing number of operators are deploying an SS7 firewall, which analyses all signalling traffic at the network border and monitors for all types of known SS7 threats. Firewalls are constantly updated to ensure that they recognise new threats. Of course, the next challenge is to ensure that these firewalls are working correctly.

But to ensure SS7 protection, FS.11 recommends that monitoring is performed at all nodes that receive interconnect traffic, such as firewalls, STPs, and so on. Monitoring by nodes such as STPs, SS7 firewalls and network probes at appropriate points throughout the network provides a wider viewpoint of SS7 activity, while monitoring by nodes such as HLCs or MSCs provides insight into the specific traffic they transport. The goal of monitoring is to gauge whether suspicious/malicious SS7 activity is occurring. How can MNOs ensure this?

Emblasoft’s Evolver testing platform enables full support for FS.11 guidelines

Emblasoft Evolver is a comprehensive platform of test and validation solutions that fully supports FS.11 guidelines. Our service can accurately simulate suspicious SS7 traffic from any emulated node in the network. It can also provide reports on whether firewalls and security functions are operating at their full potential and, if not, identify new threats and highlight where the firewall needs updating.

We can simulate all types of traffic listed in GSMA’s FS.11 Categories 1–3, enabling operators to run automated, customised tests against their firewalls or other SS7 defences to identify weaknesses and gaps, and help them to develop robust defences against SS7 attacks.

Evolver also provides automated one-off, periodic or active monitoring to provide a clear picture of SS7 vulnerabilities and firewall performance. Our testing solutions can generate and simulate any relevant SS7 messaging and traffic, traffic patterns and suspicious activities. By doing so, our solutions can ensure the validity of all your SS7 firewalls and defences.

Our active monitoring tools look for known and new SS7 attacks or suspicious traffic on a continuous basis to ensure support for FS.11 guidelines. If you’d like to learn more about how we can help you safeguard your SS7 network and adhere to FS.11 guidelines, why not read our case study?

Download “How do you protect your SS7 roaming connections to meet GSMA FS.11 guidelines?” here to learn more.