Tags: billing software, gprs module, gprs gsm, gsm modem
Published:  November 13, 2011
Notes:
Slide 1: GPRS/UMTS Security Requirements
Guto Motta, guto@la.checkpoint.com, SE Manager Latin America
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. [Public]—For everyone

Slide 2: Agenda
- GSM / GPRS Network Architecture
- Security Aspects of GPRS
- Attacks and Impact
- GTP Awareness

Slide 3: GSM / GPRS Network Architecture (section title)

Slide 4: GSM Architecture (diagram only)

Slide 5: General Packet Radio Service
- Support for bursty traffic
- Efficient use of network and radio resources
- Provides flexible services at relatively low cost
- Possibility of connectivity to the Internet
- Fast access time
- Coexists with GSM voice, reducing investment

Slide 6: GPRS Network Architecture (diagram, with the components new in GPRS labelled)

Slide 7: GPRS Additions to GSM
- New components introduced for GPRS services:
  - SGSN (Serving GPRS Support Node)
  - GGSN (Gateway GPRS Support Node)
  - IP-based backbone network
- Existing GSM components upgraded for GPRS services:
  - HLR
  - MSC/VLR
  - Mobile Station

Slide 8: SGSN - Serving GPRS Support Node
- At the same hierarchical level as the MSC.
- Transfers data packets between Mobile Stations and GGSNs.
- Keeps track of the individual MSs' location and performs security functions and access control.
- Detects and registers new GPRS mobile stations located in its service area.
- Participates in routing as well as mobility management functions.

Slide 9: GGSN - Gateway GPRS Support Node
- Provides inter-working between the Public Land Mobile Network (PLMN) and external packet-switched networks.
- Converts GPRS packets from the SGSN into the appropriate packet data protocol format (e.g., IP or X.25) and sends them out on the corresponding packet data network.
- Participates in mobility management.
- Maintains the location information of the mobile stations that are using the data protocols provided by that GGSN.
- Collects charging information for billing purposes.

Slide 10: GPRS Interfaces (diagram: Gb, Gn, Gi, Gp to another GPRS PLMN, Gf to the EIR, Gd to SMS, GGSN)

Slide 11: GPRS Topology (diagram: BSS/UTRAN, SGSNs and GGSN in the Home PLMN connected over Gn; Gp across the GRX to a Roaming Partner SGSN; Gi from the GGSN to the Internet; C&B)

Slide 12: Packet Data Protocol (PDP)
- Packet Data Protocol (PDP)
  - Address
  - Context
  - Logical tunnel between MS and GGSN
  - GGSN anchored for the session
- PDP activities
  - Activation
  - Modification
  - Deactivation

Slide 13: PDP Context
- When an MS wants to send data, it needs to activate a PDP Address
- This activation creates an association between the subscriber's SGSN and GGSN
- The information record maintained by the SGSN and GGSN about this association is the PDP Context

Slide 14: PDP Context Procedures (MS initiated)
Message sequence between MS, BSS, SGSN and GGSN:
1. MS -> SGSN (via BSS): Activate PDP Context Request [PDP Type, PDP Address, QoS, Access Point...]
2. SGSN: security functions
3. SGSN -> GGSN: Create PDP Context Request [PDP Type, PDP Address, QoS, Access Point...]
4. GGSN -> SGSN: Create PDP Context Response [PDP Type, PDP Address, QoS, Access Point...]
5. SGSN -> MS: Activate PDP Context Accept [PDP Type, PDP Address, QoS, Access Point...]

Slide 15: GPRS Backbone
- All packets are encapsulated using the GPRS Tunneling Protocol (GTP)
- GTP is implemented only by SGSNs and GGSNs
- GPRS MSs are connected to an SGSN without being aware of GTP
- An SGSN may provide service to many GGSNs
- A single GGSN may associate with many SGSNs to deliver traffic to a large number of geographically diverse mobile stations

Slide 16: GTP Packet Structure (diagram only)

Slide 17: GPRS Topology (same diagram as slide 11)

Slide 18: Security Aspects of GPRS (section title)

Slide 19: GTP Security
- GTP – GPRS Tunneling Protocol
  - Key protocol for delivering mobile data services
- GTP itself is not designed to be secure: "No security is provided in GTP to protect the communications between different GPRS networks."
- Regular IP firewalls:
  - Cannot verify encapsulated GTP packets
  - Can only filter certain known ports

Slide 20: GPRS Security
- Basic problem:
  - SGSN handles authentication
  - GGSN trusts the SGSN
- Mobility:
  - Handover of active tunnels
- Fragile, "non-hardened" software
- Roaming expands your "circle of trust"
- GRX: trusting an external provider
- IP lesson learned: control your own security

Slide 21: GPRS Security
- A distinction needs to be made between:
  - Security of the radio channel
  - Security of the IP and core supporting network
- In GPRS, encryption stops at the SGSN
- After the SGSN, all traffic is TCP/IP
- All typical TCP/IP attack vectors apply

Slide 22: What is the real risk?
- Risk vectors
  - Own mobile data subscribers
  - Partner networks
  - GRX
- Lessons learned from the IP world
  - New security vulnerabilities are constantly being found in software using the Internet Protocol (IP)
  - Evolving GPRS/UMTS software will be no different
  - You cannot depend on the network to provide your security; you need to provide your own

Slide 23: Attacks and Impact (section title)

Slide 24: Possible Attacks
- Over-billing attacks – charging customers for traffic they did not use
- Protocol anomaly attacks – malformed or corrupt packets
- Infrastructure attacks – attempts to connect to restricted machines such as the GGSN

Slide 25: Possible Attacks
- GTP handover – handover between SGSNs should not allow handover to an SGSN that belongs to a PLMN with no roaming agreement.
- Resource starvation attacks – DoS attacks

Slide 26: Over-Billing Attack (diagram: victim terminal IMSI V and malicious terminal IMSI M on the radio access network; SGSN, GPRS backbone and GGSN with its IMSI/IP table and the charging gateway; an internet firewall with a stateful table of src/dst entries between the GGSN and the internet access network; malicious server IP 19.8.7.6 on the internet)
- Initially, all tables are empty
- The malicious and victim terminals have no PDP context activated
Source: Gauthier, Dubas & Vallet

Slide 27: Over-Billing Attack
- The malicious GPRS terminal activates GPRS: SM:Activate PDP Context Request, GTP:Create PDP Context Request, GTP:Create PDP Context Response (IP addr = 10.3.2.1), SM:Activate PDP Context Accept
- The malicious GPRS terminal is assigned IP address 10.3.2.1 (IMSI/IP table: M -> 10.3.2.1)
Source: Gauthier, Dubas & Vallet

Slide 28: Over-Billing Attack
- The malicious party opens a TCP connection between terminal and server (TCP:SYN, TCP:SYN/ACK, TCP:ACK)
- The firewall's stateful table now holds src 10.3.2.1 / dst 19.8.7.6 and the reverse entry
Source: Gauthier, Dubas & Vallet

Slide 29: Over-Billing Attack
- The malicious server starts sending TCP FIN packets
- The malicious GPRS terminal deactivates its PDP context (SM:Deactivate PDP Context Request, GTP:Delete PDP Context Request)
Source: Gauthier, Dubas & Vallet

Slide 30: Over-Billing Attack
- GTP:Delete PDP Context Response, SM:Deactivate PDP Context Accept; the IMSI/IP table entry for M is removed, while the firewall's stateful table still holds the 10.3.2.1 / 19.8.7.6 entries
- The GGSN drops the FIN packets
- The malicious terminal is still GPRS attached
Source: Gauthier, Dubas & Vallet

Slide 31: Over-Billing Attack
- The victim activates its PDP context
- The GGSN assigns IP address 10.3.2.1 to the victim terminal (IMSI/IP table: V -> 10.3.2.1)
Source: Gauthier, Dubas & Vallet

Slide 32: Over-Billing Attack
- The GGSN starts routing the TCP FIN packets again
- The victim terminal starts receiving the TCP FIN packets
Source: Gauthier, Dubas & Vallet
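To make the mechanism concrete, here is an added example (not from the deck or from Check Point) that replays slides 26-32 in Python with two simplified internet-side firewalls: one that keys its stateful table on IP addresses only, and one that is also fed GTP Delete PDP Context events and purges every flow bound to the released address. IMSIs M and V, the server 19.8.7.6 and the pool address 10.3.2.1 are the slides' own labels; the per-packet size, the charging logic and the purge-on-delete behaviour are assumptions.

```python
# Constructed replay of the deck's over-billing scenario. IMSIs M and V, the malicious
# server 19.8.7.6 and the pool address 10.3.2.1 are the slides' own labels.
SERVER, POOL_IP = "19.8.7.6", "10.3.2.1"

class PlainFirewall:
    """Internet-side stateful firewall that keys its state on IP addresses only."""
    def __init__(self):
        self.flows = set()
    def pdp_created(self, imsi, ip):
        pass                                   # knows nothing about PDP contexts
    def pdp_deleted(self, imsi, ip):
        pass
    def outbound(self, src, dst):
        self.flows.add((src, dst))             # terminal's SYN creates the state entry
    def inbound_allowed(self, src, dst):
        return (dst, src) in self.flows        # server's FIN matches that entry

class GtpAwareFirewall(PlainFirewall):
    """Same firewall, but told about GTP Delete PDP Context (assumed behaviour)."""
    def pdp_deleted(self, imsi, ip):
        self.flows = {f for f in self.flows if ip not in f}   # purge flows bound to the released IP

def run_scenario(fw, fin_bytes=60, fin_count=1000):
    """Replay slides 26-32 and return the bytes the charging gateway bills to victim IMSI V."""
    imsi_ip, billed = {}, {"M": 0, "V": 0}     # GGSN IMSI/IP table, charging records per IMSI
    def server_fin():
        holder = next((i for i, a in imsi_ip.items() if a == POOL_IP), None)
        if holder is not None and fw.inbound_allowed(SERVER, POOL_IP):
            billed[holder] += fin_bytes        # GGSN routes it and charges whoever holds the IP
    imsi_ip["M"] = POOL_IP; fw.pdp_created("M", POOL_IP)    # slide 27: M is assigned 10.3.2.1
    fw.outbound(POOL_IP, SERVER)                             # slide 28: M opens the TCP connection
    del imsi_ip["M"]; fw.pdp_deleted("M", POOL_IP)           # slide 29: M deletes its PDP context
    server_fin()                                             # slide 30: FIN dropped, nobody holds the IP
    imsi_ip["V"] = POOL_IP; fw.pdp_created("V", POOL_IP)    # slide 31: V is assigned 10.3.2.1
    for _ in range(fin_count):                               # slide 32: FINs now reach V
        server_fin()
    return billed["V"]
```

With the IP-only firewall every FIN after slide 32 is billed to V; with the GTP-aware variant the state dies with M's PDP context and V is billed nothing.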
Slide 33: Handover – Updating PDP Contexts (diagram: a Roaming Partner SGSN in another PLMN, reached over the GRX on Gp, exchanges SGSN context request / SGSN context response with the Home PLMN SGSN; the home SGSN then sends Update PDP context to the home GGSN over Gn; VPN-1/FireWall-1 sits on Gi toward the Internet; C&B)
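Slides 19, 24, 25 and 33 together describe what an inspection point on Gn/Gp has to do that a port-based IP firewall cannot. As an added example (not Check Point's product or code), here is a minimal GTP-aware check in Python: it parses the mandatory GTPv1 control-plane header as laid out in 3GPP TS 29.060, drops malformed packets as protocol anomalies, accepts control messages only from SGSNs in the home PLMN or in a PLMN with a roaming agreement, and tracks which SGSN owns each tunnel across an Update PDP Context handover. The SGSN address ranges are constructed, and the header TEID is used as the tunnel key for simplicity.

```python
import ipaddress
import struct
# GTPv1-C message types (3GPP TS 29.060); the deck names the messages but not the codes.
CREATE_PDP_REQ, UPDATE_PDP_REQ, DELETE_PDP_REQ = 16, 18, 20

# Constructed topology (assumed addresses): home-PLMN SGSNs on Gn, roaming-partner SGSNs on Gp via the GRX.
HOME_SGSN = [ipaddress.ip_network("10.10.0.0/16")]
PARTNER_SGSN = {"partner-A": [ipaddress.ip_network("172.16.5.0/24")]}

def parse_gtpv1(pkt: bytes) -> dict:
    """Parse the mandatory 8-octet GTPv1 header; raise ValueError on protocol anomalies."""
    if len(pkt) < 8:
        raise ValueError("truncated header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not (flags >> 4) & 1:          # version must be 1, PT must be GTP
        raise ValueError("not a GTPv1 packet")
    if length != len(pkt) - 8:                            # length covers everything after octet 8
        raise ValueError("length field does not match packet size")
    return {"type": msg_type, "teid": teid}

def sgsn_plmn(addr: str):
    """Return 'home', the roaming partner name, or None if no agreement covers this SGSN."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in HOME_SGSN):
        return "home"
    return next((p for p, nets in PARTNER_SGSN.items() if any(ip in n for n in nets)), None)

def inspect(src_sgsn: str, pkt: bytes, tunnels: dict) -> str:
    """Return 'accept' or a drop reason; tunnels maps TEID -> SGSN currently owning it."""
    try:
        hdr = parse_gtpv1(pkt)
    except ValueError as err:
        return f"drop: malformed ({err})"
    if sgsn_plmn(src_sgsn) is None:
        return "drop: SGSN belongs to a PLMN with no roaming agreement"
    if hdr["type"] == CREATE_PDP_REQ:
        tunnels[hdr["teid"]] = src_sgsn       # simplification: real requests carry TEIDs in IEs
    elif hdr["type"] in (UPDATE_PDP_REQ, DELETE_PDP_REQ):
        if hdr["teid"] not in tunnels:
            return "drop: unknown TEID"       # no active tunnel to update or delete
        if hdr["type"] == UPDATE_PDP_REQ:
            tunnels[hdr["teid"]] = src_sgsn   # handover: the tunnel follows the new SGSN
        else:
            del tunnels[hdr["teid"]]
    return "accept"

def gtp_c(msg_type: int, teid: int, seq: int = 1) -> bytes:
    """Build a constructed GTPv1-C header with the S flag set (flags 0x32, 12 octets)."""
    return struct.pack("!BBHIHBB", 0x32, msg_type, 4, teid, seq, 0, 0)
```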
Slide 34: GRX Security Report (observation window: 19 hours; chart only)

Slide 35: GTP Awareness (section title)

Slide 36: GTP Aware Security Solution
- Designed for wireless operators
- Dedicated to protecting GPRS and UMTS networks
- GTP-level security solution
- Blocks illegitimate traffic "at the door"
- Stateful Inspection technology
- Granular security policies
- Strong and comprehensive management infrastructure

Slide 37: Deployment Scenarios (diagram only)

Slide 38: Summary
- GTP itself is not designed to be secure
- Basic architectural vulnerabilities
  - Over-billing attack
  - Infrastructure attacks
- Vendor-specific vulnerabilities
  - Protocol anomalies
  - Resource starvation
- Real-world, critical security events identified in the GRX
- Adoption of 3G services requires advanced GTP-aware security solutions

Slide 39: Thank you! Guto Motta, guto@la.checkpoint.com, SE Manager Latin America