From: andrewwo
Tags: billing software, gprs module, gprs gsm, gsm modem
Views:  39
Published:  November 13, 2011
 
Notes:
 
Slide 1: GPRS/UMTS Security Requirements. Guto Motta, guto@la.checkpoint.com, SE Manager Latin America. ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. [Public]—For everyone

Slide 2: Agenda
- GSM / GPRS Network Architecture
- Security Aspects of GPRS
- Attacks and Impact
- GTP Awareness

Slide 3: GSM / GPRS Network Architecture (section title)

Slide 4: GSM Architecture (diagram)

Slide 5: General Packet Radio Service
- Support for bursty traffic
- Efficient use of network and radio resources
- Flexible services at relatively low cost
- Possibility of connectivity to the Internet
- Fast access time
- Coexists with GSM voice, reducing investment

Slide 6: GPRS Network Architecture (diagram, with the new components marked)

Slide 7: GPRS Additions to GSM
- New components introduced for GPRS services:
  - SGSN (Serving GPRS Support Node)
  - GGSN (Gateway GPRS Support Node)
  - IP-based backbone network
- Existing GSM components upgraded for GPRS services:
  - HLR
  - MSC/VLR
  - Mobile Station

Slide 8: SGSN - Serving GPRS Support Node
- At the same hierarchical level as the MSC.
- Transfers data packets between Mobile Stations and GGSNs.
- Keeps track of the individual MSs' location and performs security functions and access control.
- Detects and registers new GPRS mobile stations located in its service area.
- Participates in routing and in mobility management functions.

Slide 9: GGSN - Gateway GPRS Support Node
- Provides inter-working between the Public Land Mobile Network (PLMN) and external packet-switched networks.
- Converts the GPRS packets from the SGSN into the appropriate packet data protocol format (e.g., IP or X.25) and sends them out on the corresponding packet data network.
- Participates in mobility management.
- Maintains the location information of the mobile stations that are using the data protocols provided by that GGSN.
- Collects charging information for billing purposes.

Slide 10: GPRS Interfaces (diagram; labels: Gb, Gn, Gi, Gp, Gf, Gd, GGSN, EIR, SMS, Other GPRS PLMN)

Slide 11: GPRS Topology (diagram; labels: Roaming Partner, SGSN, BSS, BSS/UTRAN, GGSN, GRX, Home PLMN, Gn, Gp, Gi, C&B, Internet)

Slide 12: Packet Data Protocol (PDP)
- Packet Data Protocol (PDP):
  - Address
  - Context
  - Logical tunnel between MS and GGSN
  - GGSN anchored for the session
- PDP activities:
  - Activation
  - Modification
  - Deactivation

Slide 13: PDP Context
- When an MS wants to send data, it needs to activate a PDP Address.
- This activation creates an association between the subscriber's SGSN and GGSN.
- The information record maintained by the SGSN and GGSN about this association is the PDP Context.

Slide 14: PDP Context Procedures (MS initiated; message sequence diagram with MS, BSS, SGSN and GGSN)
- MS -> SGSN: Activate PDP Context Request [PDP Type, PDP Address, QoS, Access Point...]
- SGSN: Security Functions
- SGSN -> GGSN: Create PDP Context Request [PDP Type, PDP Address, QoS, Access Point...]
- GGSN -> SGSN: Create PDP Context Response [PDP Type, PDP Address, QoS, Access Point...]
- SGSN -> MS: Activate PDP Context Accept [PDP Type, PDP Address, QoS, Access Point...]
Slide 15: GPRS Backbone
- All packets are encapsulated using the GPRS Tunneling Protocol (GTP).
- GTP is implemented only by SGSNs and GGSNs.
- GPRS MSs are connected to an SGSN without being aware of GTP.
- An SGSN may provide service to many GGSNs.
- A single GGSN may associate with many SGSNs to deliver traffic to a large number of geographically diverse mobile stations.

Slide 16: GTP Packet Structure (diagram)

Slide 17: GPRS Topology (diagram, as on slide 11)

Slide 18: Security Aspects of GPRS (section title)

Slide 19: GTP Security
- GTP (GPRS Tunneling Protocol) is the key protocol for delivering mobile data services.
- GTP itself is not designed to be secure: "No security is provided in GTP to protect the communications between different GPRS networks."
- Regular IP firewalls:
  - Cannot verify encapsulated GTP packets
  - Can only filter certain known ports

Slide 20: GPRS Security
- Basic problem:
  - SGSN handles authentication
  - GGSN trusts SGSN
- Mobility:
  - Handover of active tunnels
- Fragile, "non-hardened" software
- Roaming expands your "circle of trust"
- GRX: trusting an external provider
- IP lesson learned: control your own security

Slide 21: GPRS Security
- A distinction needs to be made between:
  - Security of the radio channel
  - Security of the IP and core supporting network
- In GPRS, encryption stops at the SGSN.
- After the SGSN, traffic is all TCP/IP.
- All typical TCP/IP attack vectors apply.

Slide 22: What is the real risk?
- Risk vectors:
  - Own mobile data subscribers
  - Partner networks
  - GRX
- Lessons learned from the IP world:
  - New security vulnerabilities are constantly being found in software using the Internet Protocol (IP)
  - Evolving GPRS/UMTS software will be no different
  - You cannot depend on the network to provide your security; you need to provide your own

Slide 23: Attacks and Impact (section title)

Slide 24: Possible Attacks
- Over-billing attacks: charging customers for traffic they did not use
- Protocol anomaly attacks: malformed or corrupt packets
- Infrastructure attacks: attempts to connect to restricted machines such as the GGSN

Slide 25: Possible Attacks
- GTP handover: handover between SGSNs should not allow handover to an SGSN that belongs to a PLMN with no roaming agreement.
- Resource starvation attacks: DoS attacks
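Slides 14, 16 and 19 describe the PDP context exchange and note that a port-based IP firewall cannot look inside GTP, while slides 24 and 25 list what a GTP-level check has to catch (malformed packets, signalling towards restricted elements, updates from SGSNs outside a roaming agreement). The following Python is an added example written for this page; it is not Check Point's code and is not taken from the slides. The header layout it decodes is GTPv1 as specified in 3GPP TS 29.060 (UDP ports 2123 for GTP-C and 2152 for GTP-U are also real); the peer addresses, the way tunnels are keyed (header TEID, with request and response matched by sequence number) and every packet in run_demo() are constructed for the demo and simplify what a real inspection point reads from the information elements.

```python
"""GTPv1 header parsing and a small stateful GTP policy.

Added example; not Check Point's code and not taken from the slides. Header
layout follows GTPv1 (3GPP TS 29.060). Peer addresses, tunnel keying by the
header TEID and the packets in run_demo() are constructed for this demo."""
import struct
from dataclasses import dataclass
from typing import Optional

GTP_C_PORT = 2123   # GTP-C (signalling) UDP port
GTP_U_PORT = 2152   # GTP-U (user plane) UDP port

# GTPv1 message types used below
CREATE_PDP_REQ, CREATE_PDP_RSP = 16, 17
UPDATE_PDP_REQ = 18
DELETE_PDP_REQ = 20
G_PDU = 255


@dataclass
class GtpHeader:
    version: int
    msg_type: int
    length: int          # octets following the mandatory 8-octet header
    teid: int
    seq: Optional[int]


def parse_gtpv1(pkt: bytes) -> GtpHeader:
    """Decode the mandatory 8-octet GTPv1 header plus the optional sequence
    number; raise ValueError on inconsistencies a protocol-anomaly check must
    reject (a port filter never looks this deep)."""
    if len(pkt) < 8:
        raise ValueError("truncated header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"unexpected GTP version {version}")
    e, s, pn = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    if 8 + length != len(pkt):
        raise ValueError(f"length {length} disagrees with packet size {len(pkt)}")
    seq = None
    if e or s or pn:
        # Any of E, S, PN set means all four optional octets are present.
        if length < 4:
            raise ValueError("optional header octets flagged but absent")
        if s:
            seq = struct.unpack("!H", pkt[8:10])[0]
    return GtpHeader(version, msg_type, length, teid, seq)


def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"",
                seq: Optional[int] = None) -> bytes:
    """Demo helper: build a GTPv1 packet (version 1, PT=1, S flag when seq given)."""
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""
    flags = 0x30 | (0x02 if seq is not None else 0)
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(payload), teid) + opt + payload


class GtpPolicy:
    """Checks a GTP-aware inspection point on Gn/Gp can make: reject malformed
    headers, signalling from SGSNs outside the roaming agreement, and user-plane
    data for tunnels it never saw being created."""

    def __init__(self, ggsn_ip: str, home_sgsns, partner_sgsns):
        self.ggsn = ggsn_ip
        self.trusted_sgsns = set(home_sgsns) | set(partner_sgsns)
        self.pending = {}     # seq -> SGSN that sent a Create PDP Context Request
        self.tunnels = {}     # header TEID -> SGSN (demo simplification)

    def check(self, src_ip: str, dst_port: int, pkt: bytes):
        try:
            h = parse_gtpv1(pkt)
        except ValueError as err:
            return "DROP", f"protocol anomaly: {err}"
        if dst_port == GTP_C_PORT:
            if src_ip != self.ggsn and src_ip not in self.trusted_sgsns:
                return "DROP", "signalling from an SGSN with no roaming agreement"
            if h.msg_type == CREATE_PDP_REQ and h.seq is not None:
                self.pending[h.seq] = src_ip
            elif h.msg_type == CREATE_PDP_RSP and h.seq in self.pending:
                self.tunnels[h.teid] = self.pending.pop(h.seq)
            elif h.msg_type == UPDATE_PDP_REQ and h.teid not in self.tunnels:
                return "DROP", "update for a tunnel never created here"
            elif h.msg_type == DELETE_PDP_REQ:
                self.tunnels.pop(h.teid, None)
            return "ACCEPT", f"GTP-C message type {h.msg_type}"
        if dst_port == GTP_U_PORT:
            if h.msg_type == G_PDU and h.teid not in self.tunnels:
                return "DROP", "user data for a tunnel never created here"
            return "ACCEPT", "GTP-U"
        return "DROP", "not a GTP port"


def run_demo():
    """Walk constructed packets through the policy; returns the verdict list."""
    fw = GtpPolicy("10.0.0.1", home_sgsns=["10.0.1.1"], partner_sgsns=["172.16.5.5"])
    ip_payload = b"\x45" + b"\x00" * 19              # stand-in for an inner IP packet
    steps = [
        ("10.0.1.1", GTP_C_PORT, build_gtpv1(CREATE_PDP_REQ, 0, b"\x00" * 4, seq=7)),
        ("10.0.0.1", GTP_C_PORT, build_gtpv1(CREATE_PDP_RSP, 0xABCD, b"\x80\x01", seq=7)),
        ("10.0.1.1", GTP_U_PORT, build_gtpv1(G_PDU, 0xABCD, ip_payload)),
        ("10.0.1.1", GTP_U_PORT, build_gtpv1(G_PDU, 0x1234, ip_payload)),       # never created
        ("203.0.113.9", GTP_C_PORT, build_gtpv1(UPDATE_PDP_REQ, 0xABCD, seq=8)),  # no agreement
    ]
    bad = bytearray(build_gtpv1(G_PDU, 0xABCD, b"\x00" * 8))
    bad[2:4] = b"\xff\xff"                           # length field no longer matches
    steps.append(("10.0.1.1", GTP_U_PORT, bytes(bad)))
    verdicts = [fw.check(*s) for s in steps]
    for (src, port, _), (action, why) in zip(steps, verdicts):
        print(f"{src}:{port} -> {action} ({why})")
    return [v[0] for v in verdicts]


if __name__ == "__main__":
    run_demo()
```

Run it directly and the first three packets (a home SGSN creating a context, the GGSN answering, user data on the resulting TEID) are accepted, while user data for an unknown TEID, an Update PDP Context Request from an address outside the partner list, and a packet whose length field disagrees with its size are all dropped. A port filter would have passed all six, since every one of them is addressed to a known GTP port.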
Slide 26: Over-Billing Attack (source: Gauthier, Dubas & Vallet). Diagram elements used on slides 26 to 32: victim terminal (IMSI V) and malicious terminal (IMSI M) on the radio access network; SGSN; GPRS backbone; GGSN with its IMSI/IP table; charging gateway; internet access network; internet firewall with a stateful table (src, dst); malicious server on the internet at IP 19.8.7.6.
- Initially, all tables are empty.
- The malicious and victim terminals have no PDP context activated.

Slide 27: Over-Billing Attack (continued). Messages: SM: Activate PDP Context Request; GTP: Create PDP Context Request; GTP: Create PDP Context Response (IP addr = 10.3.2.1); SM: Activate PDP Context Accept.
- The malicious GPRS terminal activates GPRS.
- The malicious GPRS terminal is assigned IP address 10.3.2.1 (IMSI/IP table: M, 10.3.2.1).

Slide 28: Over-Billing Attack (continued). Messages: TCP:SYN, TCP:SYN/ACK, TCP:ACK between 10.3.2.1 and 19.8.7.6.
- The malicious party opens a TCP connection between the terminal and the server.
- Firewall stateful table: src 10.3.2.1 / dst 19.8.7.6 and src 19.8.7.6 / dst 10.3.2.1. IMSI/IP table: M, 10.3.2.1.

Slide 29: Over-Billing Attack (continued). Messages: TCP:FIN from the server; SM: Deactivate PDP Context Request; GTP: Delete PDP Context Request.
- The malicious server starts sending TCP FIN packets.
- The malicious GPRS terminal deactivates its PDP context.

Slide 30: Over-Billing Attack (continued). Messages: GTP: Delete PDP Context Response; SM: Deactivate PDP Context Accept.
- The GGSN drops the FIN packets (the IMSI/IP table no longer holds 10.3.2.1, while the firewall's stateful table still holds the flow).
- The malicious terminal is still GPRS attached.

Slide 31: Over-Billing Attack (continued).
- The victim activates its PDP context.
- The GGSN assigns IP address 10.3.2.1 to the victim terminal (IMSI/IP table: V, 10.3.2.1).

Slide 32: Over-Billing Attack (continued).
- The GGSN starts routing the TCP FIN packets again.
- The victim terminal starts receiving the TCP FIN packets, which still match the firewall's stateful table entry (src 19.8.7.6 / dst 10.3.2.1), so they are charged to the victim.
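The seven slides above are easier to reason about as a small model of the three stateful elements involved: the GGSN's IMSI/IP table, the internet firewall's flow table, and the charging gateway. The Python below is an added example written for this page, not Check Point's code and not from the slides. The addresses are the slides' own; the single-address pool (which forces 10.3.2.1 to be reused, as in the slides), the byte counts and the pdp_deleted() hook, through which a GTP-aware firewall learns that a context is gone, are constructed for the demo. Running the same scenario with and without that hook shows why the over-billing works and what stateful GTP awareness at the firewall changes.

```python
"""The over-billing scenario of slides 26-32, simulated, with the mitigation.

Added example; not from the slides and not Check Point's code. Models the
GGSN (address pool and IMSI/IP table), the internet firewall (stateful flow
table) and the charging gateway (downlink bytes per IMSI). Addresses are the
slides' own; the pool, byte counts and the pdp_deleted() hook are constructed."""
from collections import defaultdict

MALICIOUS_SERVER = "19.8.7.6"


class ChargingGateway:
    def __init__(self):
        self.downlink_bytes = defaultdict(int)   # IMSI -> bytes billed

    def charge(self, imsi: str, nbytes: int):
        self.downlink_bytes[imsi] += nbytes


class InternetFirewall:
    """Stateful firewall on the Gi side. A plain one keeps a flow until it
    times out, so the entry outlives the PDP context that opened it; a
    GTP-aware one purges an address's flows when its context is deleted."""

    def __init__(self, gtp_aware: bool):
        self.gtp_aware = gtp_aware
        self.flows = set()                        # (inside_ip, outside_ip)

    def outbound(self, src: str, dst: str):
        self.flows.add((src, dst))

    def inbound_allowed(self, src: str, dst: str) -> bool:
        return (dst, src) in self.flows

    def pdp_deleted(self, ip: str):
        if self.gtp_aware:
            self.flows = {f for f in self.flows if f[0] != ip}


class GGSN:
    def __init__(self, fw: InternetFirewall, cg: ChargingGateway):
        self.fw, self.cg = fw, cg
        self.pool = ["10.3.2.1"]      # one address, so it is reused as in the slides
        self.imsi_ip = {}             # IMSI/IP table

    def create_pdp_context(self, imsi: str) -> str:
        ip = self.pool.pop(0)
        self.imsi_ip[imsi] = ip
        return ip

    def delete_pdp_context(self, imsi: str):
        ip = self.imsi_ip.pop(imsi)
        self.pool.append(ip)
        self.fw.pdp_deleted(ip)       # only has an effect on a GTP-aware firewall

    def uplink_connect(self, imsi: str, server: str):
        """Terminal opens a TCP connection; the firewall records the flow."""
        self.fw.outbound(self.imsi_ip[imsi], server)

    def downlink(self, src: str, dst: str, nbytes: int) -> bool:
        """Packet from the internet towards a subscriber address. Delivered and
        billed only if the firewall still has the flow and some subscriber
        currently holds the address."""
        if not self.fw.inbound_allowed(src, dst):
            return False
        imsi = next((i for i, ip in self.imsi_ip.items() if ip == dst), None)
        if imsi is None:
            return False              # slide 30: GGSN drops, no PDP context
        self.cg.charge(imsi, nbytes)
        return True


def run_scenario(gtp_aware: bool):
    """Replay slides 27-32; returns (bytes billed per IMSI, verdict for the FIN
    sent while 10.3.2.1 is unassigned, verdicts for the FINs sent to the victim)."""
    cg, fw = ChargingGateway(), InternetFirewall(gtp_aware)
    ggsn = GGSN(fw, cg)
    ggsn.create_pdp_context("IMSI-M")                  # slide 27: M gets 10.3.2.1
    ggsn.uplink_connect("IMSI-M", MALICIOUS_SERVER)    # slide 28: TCP handshake
    ggsn.delete_pdp_context("IMSI-M")                  # slides 29-30
    unassigned = ggsn.downlink(MALICIOUS_SERVER, "10.3.2.1", 1500)   # FIN, dropped
    ggsn.create_pdp_context("IMSI-V")                  # slide 31: V gets 10.3.2.1
    delivered = [ggsn.downlink(MALICIOUS_SERVER, "10.3.2.1", 1500) for _ in range(3)]
    return dict(cg.downlink_bytes), unassigned, delivered


if __name__ == "__main__":
    for aware in (False, True):
        print("GTP-aware firewall:", aware, run_scenario(aware))
```

Without GTP awareness the firewall's flow entry survives the Delete PDP Context, so as soon as the victim inherits 10.3.2.1 the FIN packets are delivered and 4500 bytes are billed to IMSI-V. With the hook in place, the flows for 10.3.2.1 are purged when the context is deleted and nothing is billed. Whatever product implements it, the defensive requirement is the one in the slides: the Gi-side firewall must learn about PDP context deletions on Gn, and the charging system should treat downlink traffic for a freshly reassigned address with suspicion.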
Slide 33: Handover - Updating PDP Contexts (diagram; labels: Other PLMN, GGSN, Roaming BSS, SGSN context request and SGSN context response between SGSNs across the GRX over Gp, Update PDP context towards the home GGSN over Gn, C&B, Gi, VPN-1/FireWall-1, Internet, Home PLMN)

Slide 34: GRX Security Report (observation window: 19 hours; chart)

Slide 35: GTP Awareness (section title)

Slide 36: GTP Aware Security Solution
- Designed for wireless operators
- Dedicated to protecting GPRS and UMTS networks
- GTP-level security solution
- Blocks illegitimate traffic "at the door"
- Stateful Inspection technology
- Granular security policies
- Strong and comprehensive management infrastructure

Slide 37: Deployment Scenarios (diagram)

Slide 38: Summary
- GTP itself is not designed to be secure
- Basic architectural vulnerabilities:
  - Over-billing attack
  - Infrastructure attacks
- Vendor-specific vulnerabilities:
  - Protocol anomalies
  - Resource starvation
- Real-world, critical security events identified in the GRX
- Adoption of 3G services requires advanced GTP-aware security solutions

Slide 39: Thank you! Guto Motta, guto@la.checkpoint.com, SE Manager Latin America

   