Access Mediation

Published on February 2017

Access Mediation: Preserving
Network Security and Integrity
Definition
Access mediation is the process of examining and controlling signaling traffic
between networks, resources and users by filtering Signaling System 7 (SS7)
traffic. This process enables carriers to inspect the syntax and content of every
signaling message entering or exiting the network. Each message is checked
against the carrier's operations policy to determine whether to permit, deny
and/or modify the message traffic. Access mediation devices are typically used
to mitigate the risks associated with widespread interconnection and network
convergence.

Overview
The telecommunications market has changed dramatically since the SS7
network's inception. Deregulation and convergence have moved the industry
beyond a relatively small group of carriers and equipment manufacturers. Now
there are thousands of SS7 nodes connecting a wide variety of carriers across the
globe. This pervasive interconnection has also introduced newer and more
powerful technologies that don't always meet the existing telephone provider's
reliability and certification standards. Growing demand for nontraditional
services running on the SS7 network continues to make access that's not
regulated even more commonplace. These changing market dynamics have left
the door open to an inadvertent or malicious disruption--catalyzing the need for
an access mediation device to mitigate risk.
This tutorial takes readers through the concept of access mediation and
explains how it can be applied to help carriers regain control of their signaling
networks.

Topics
Definition and Overview
1. Historical Perspective
2. The Role of Access Mediation
3. System Requirements
4. Technological Benefits
5. Application Scenarios
6. Conclusion

Web ProForum Tutorials
http://www.iec.org
Copyright © The International Engineering Consortium

1. Historical Perspective
Service providers worldwide rely on the SS7 network. It is the backbone of the
modern telecommunications network, enabling service providers to interconnect
and offer the advanced voice services customers demand. The SS7 network
provides wireline and wireless call control as well as intelligent network (IN)
services such as 8XX and 900 number calling, calling name (CNAM) and calling
card verification. SS7 also supports government-mandated services like local and
mobile number portability (LNP and MNP).
Since the SS7 network was designed for a closed community, the standards
bodies developing it were primarily concerned with high availability and
redundancy. This ensured the network's ability to protect itself against system
failures.
The Telecom Act of 1996 and the advent of voice and data convergence brought
unforeseen threats to the signaling environment. The 1996 Act mandated that the
small community of incumbent carriers provide nondiscriminatory access to
their SS7 networks on an unbundled basis. Unbundling introduced a host of new
providers into the SS7 environment. Similar deregulation is occurring
worldwide.
At about the same time, demand for Internet Protocol (IP) telephony services
interoperating with the SS7 network began to grow. The proliferation of IP to SS7
gateways that have made this possible, coupled with the added complexity and
linked nature of SS7, has brought unprecedented instability to this once closed
environment.
To address growing security and reliability concerns, Telcordia developed
gateway screening standards (GR-82-CORE). These standards set forth limited
provisions for examining and controlling inappropriate and potentially harmful
traffic. The Telcordia standards may have been adequate at the time. However,
as the market evolves, the carrier's ability to control its network interconnections
continues to diminish. A more comprehensive approach must be taken to protect
the SS7 network.

2. The Role of Access Mediation
Carriers across the globe are now interconnected through SS7, and the demand
for non-traditional voice services running on the network continues to grow.
Unlike legacy providers, many new carriers are accessing the network with
equipment based on off-the-shelf computing platforms. The inherent flexibility of
this equipment makes it much more powerful and capable of generating
signaling traffic at very high volumes, and often in non-standard forms.
Inexperienced carriers using either new equipment or existing legacy technology
could send inappropriate signaling traffic. While it's unlikely that inappropriate
traffic sent to a single network node would cause a widespread outage, the last
mile impact could be devastating to critical services like E-911.
Perhaps more troubling than a potential inadvertent malfunction is the door
that deregulation and convergence have left open into this once closed, secure
environment. The National Research Council (NRC) pointed out in its book titled
"Trust in Cyberspace" that essentially anyone can interconnect to the SS7
network for the modest fee of $10,000. Unregulated access heightens the chance
that an attack orchestrated by a terrorist organization or a hacker could cause a
widespread disruption capable of putting national security at risk and crippling
the economy.
Figure 1. Widespread SS7 Interconnection


The carrier's need to regain control of the SS7 network, in order to ensure its
integrity and reliability, underscores the need for access mediation technology.
Access mediation can mitigate interconnection risks brought on by inexperienced
carriers and unproven technologies, enforce interconnect agreements at a
granular level, and enhance security to prevent a malicious attack.

3. System Requirements
A comprehensive access mediation system provides a protective barrier against
unwanted and inappropriate signaling traffic. The following system
requirements are fundamental to ensuring the continued reliability, service
quality and security of the SS7 network.

Granular Inspection
Access mediation devices shouldn't be limited to analyzing traffic based on the
message header. These devices should be capable of both syntax and content
inspection. Syntax inspection will ensure each message is properly formatted
based on standards and requirements used in the network. Messages that are not
coded correctly should not be permitted into the network. Content inspection
will operate at multiple layers of the protocol stack to validate messages,
parameters and their values for compliance with the carrier's policies and
agreements. Coupling these two types of analysis gives carriers a strong barrier
against traffic that threatens network security and integrity.
Figure 2: Syntax and Content Inspection of Each Message

Analyze every message
Access mediation devices must be able to perform a detailed analysis of every
message entering and exiting the network. The device should be capable of
checking these messages against the service provider's operations policies and
interconnect agreements. Using the results of its examination, the access
mediation device should have the intelligence to pass, block, modify and/or alert
on each message. In addition, the alerting function should have a logging
capability that enables messages to be collected for further analysis.


Policy-based enforcement
Access mediation devices should govern how the network can be used through
policy-based enforcement. This type of enforcement should be interconnection
specific. And each rule should determine how in-depth each message is
examined. The level of detail must be configurable since each interconnection
may require different levels of analysis depending on the types of traffic it
carries.

Network Transparency
To minimize the impact of a new network infrastructure deployment, installation
time and effort should be minimal. Therefore, deploying an access mediation
device should not require a point code. Access mediation devices should be
transparent, in-line devices. This eliminates the need for network re-engineering,
enabling rapid deployment.

4. Technological Benefits
Any service provider that relies on the PSTN and its SS7 interconnections can
realize substantial benefits from an access mediation device that meets the
aforementioned requirements. It can benefit ILECs, CLECs, wireless carriers,
voice over IP (VoIP) providers, competitive access providers, call center
operations, large enterprises, SS7 hub providers, government agencies and
Internet service providers.

Security
Access mediation devices act as intelligent signaling firewalls. Using an access
mediation device, network operators can control traffic based on protocol
conformance and application level analysis. Both traffic streams and services can
be examined based on information at any layer of the protocol stack. The
enhanced security offered through access mediation mitigates the risks of
inadvertent or malicious disturbances.

Enforce Interconnect Agreements
Interconnect agreements dictate network access between carriers. But whether or
not interconnecting partners follow the terms of those agreements is largely left
to trust. Access mediation devices enable carriers to enforce their agreements at a
granular level.

Prevent Fraud
Since the PSTN relies on SS7 to maintain call control and provide advanced
services, it's a major hotbed for fraudulent activity. Billions are lost annually to
corporate toll fraud, calls to hot-for-fraud destinations and interconnect
agreement abuse. Most systems today can report on suspicious activity but lack
the control necessary to stop fraud as it occurs. Access mediation devices can
serve as the active component of a fraud system, enabling carriers to be proactive
in the fight against fraud.

Value-added Applications
Access mediation can also be leveraged to enable a wide range of value-added
applications. Access mediation devices can manipulate, monitor and control SS7
traffic. This functionality serves as a powerful troubleshooting device for
network operators. Message modification capabilities can help carriers avoid
costly equipment upgrades by quickly and efficiently resolving compatibility
and interoperability problems. Access mediation technology can also perform
intelligent filtering, a function that can be used to reroute high-volume traffic
like SMS off of an overloaded network. And the intelligence gathered by
examining every SS7 message traversing the network can be used to help make
planning decisions.

5. Application Scenarios
The following examples illustrate how access mediation can be used:


Deny badly formatted messages: For example, a carrier using new
equipment might be generating messages with incorrect length. Access
mediation can be used to block these messages, preventing them from
having a detrimental effect on the network.



Stop fraud in progress: Access mediation devices can be used to block
calls to and from blacklisted phone numbers as well as abandoned
international mobile subscriber identities.



Restrict AIN traffic: ILECs can use access mediation devices to restrict
Advanced Intelligent Network (AIN) messages allowed onto their
networks. For example, ILECs can establish a policy that restricts AIN
traffic originating from a CLEC's interconnected SCP that is used for
offering enhanced services to the CLEC's customers who are part of the
ILEC switch.



Control ISUP traffic: For example, if ISUP traffic is being sent at random
from a VoIP interconnection using trunk circuit values that do not exist,
the recipient carrier can block that traffic, allowing only traffic expressly
permitted by the interconnect agreement.



Block SMS spam: Wireless carriers can install access mediation devices at
their network's entry points to block short message service (SMS) spam
bogging down the network and causing customer dissatisfaction.



New revenue source: SS7 hub providers can sell signaling security as part
of their product suite.



Secure gateway functionality: Carriers can integrate access mediation
capabilities into existing signal transfer point (STP) nodes to enhance their
functionality.



SS7 proxy: Network operators can use access mediation devices to mask
network and protocol differences. This helps carriers avoid costly
upgrades by quickly and efficiently resolving compatibility and
interoperability problems.



SMS filtering and routing: Wireless carriers can implement access
mediation devices to perform filtering and routing for different types of
SMS traffic, enabling new back-end applications and premium services.



Collect market intelligence: Carriers can use an access mediation system
to collect subscriber and service provider calling patterns.



LNP proxy: Carriers can use an access mediation device as an LNP proxy
that allows a switch to process inbound LNP calls. That way, carriers can
avoid purchasing new LNP switch software.



Monitor network performance: Carriers can use access mediation devices
to gather network performance statistics, tracking link utilization, message
counts and link status in real time, to optimize network planning and
maintenance.
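
The syntax and content inspection described under System Requirements, applied to two of the scenarios above (a message with an incorrect length, and ISUP traffic on trunk circuits that do not exist), can be sketched as follows. This is an added example, not code from the tutorial or from any vendor. It assumes the ITU-T MTP3 routing label and ISUP Initial Address Message layout; InterconnectPolicy, mediate, build_iam and all point code and circuit values are hypothetical, and only the pass and block actions with logging are shown.

```python
from dataclasses import dataclass

SI_ISUP, IAM = 0x05, 0x01   # ISUP service indicator; Initial Address Message type
CDPN_PTR = 13               # offset of the called-party-number pointer (ITU-T IAM)

@dataclass(frozen=True)
class InterconnectPolicy:    # hypothetical policy record, one per interconnection
    allowed_opcs: frozenset  # originating point codes named in the agreement
    cics: range              # trunk circuits actually provisioned on this link
    allowed_types: frozenset # ISUP message types the agreement permits

def syntax_check(msu: bytes) -> dict:
    """Syntax inspection: decode SIO, routing label, CIC and type; verify lengths."""
    if len(msu) < 8:
        raise ValueError("truncated before ISUP message type")
    if msu[0] & 0x0F != SI_ISUP:
        raise ValueError("service indicator is not ISUP")
    label = int.from_bytes(msu[1:5], "little")  # 14-bit DPC, 14-bit OPC, 4-bit SLS
    f = {"dpc": label & 0x3FFF, "opc": (label >> 14) & 0x3FFF,
         "cic": int.from_bytes(msu[5:7], "little") & 0x0FFF, "type": msu[7]}
    if f["type"] == IAM:
        if len(msu) <= CDPN_PTR + 1:
            raise ValueError("IAM shorter than its mandatory part")
        ptr = msu[CDPN_PTR]
        start = CDPN_PTR + ptr                  # index of the length octet
        if ptr < 2 or start >= len(msu) or start + msu[start] >= len(msu):
            raise ValueError("called party number length overruns the message")
    return f

def mediate(msu: bytes, policy: InterconnectPolicy, log: list) -> str:
    """Return 'pass' or 'block'; blocked messages are logged with a reason."""
    try:
        f = syntax_check(msu)
    except ValueError as err:
        reason = f"syntax: {err}"
    else:                                       # content inspection against policy
        if f["opc"] not in policy.allowed_opcs:
            reason = f"content: OPC {f['opc']} not in agreement"
        elif f["type"] not in policy.allowed_types:
            reason = f"content: message type {f['type']:#04x} not permitted"
        elif f["cic"] not in policy.cics:
            reason = f"content: CIC {f['cic']} is not a provisioned circuit"
        else:
            return "pass"
    log.append((reason, msu.hex()))             # kept for later analysis
    return "block"

def build_iam(opc, dpc, cic, number=b"\x83\x10\x21\x43", cdpn_len=None):
    """Constructed sample IAM for the demo (not captured traffic)."""
    label = (dpc | opc << 14).to_bytes(4, "little")
    fixed = bytes([IAM, 0x00, 0x60, 0x00, 0x0A, 0x00])  # type, NCI, FCI x2, CPC, TMR
    n = len(number) if cdpn_len is None else cdpn_len   # override to mis-state length
    return (b"\x85" + label + cic.to_bytes(2, "little") + fixed
            + bytes([2, 0, n]) + number)        # pointers (2, 0), length, contents

if __name__ == "__main__":
    policy = InterconnectPolicy(frozenset({200}), range(1, 25),
                                frozenset({0x01, 0x0C, 0x10}))
    log = []
    for m in (build_iam(200, 100, 5), build_iam(200, 100, 900),
              build_iam(200, 100, 5, cdpn_len=40)):
        print(mediate(m, policy, log))
    print(log)
```

Because the rule set is a per-interconnect record, a carrier could give each link its own circuit range and message-type list, which is the configurable depth the Policy-based enforcement requirement calls for.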

6. Conclusion
The signaling network is the carrier's most critical asset. Deregulation and
convergence have been a double-edged sword for carriers. While these market
changes have brought many exciting new opportunities, they have also opened
the network up to serious threats. New carriers, technology and equipment are
vastly connected worldwide to the PSTN via the signaling network. This
increasingly complex interconnection brings greater risk of a network outage due
to inadvertent or malicious malfunctions. Consequently, carriers need access
mediation technology to examine and control the signaling traffic entering and
exiting the network. Access mediation protects the network against
inappropriate signaling traffic to ensure network integrity and security in the
evolving signaling environment.

Self-Test
1. Deregulation and convergence have catalyzed the need for access mediation.
a. True
b. False
2. Any carrier that relies on the PSTN and its SS7 interconnections for service
delivery can benefit from access mediation.
a. True
b. False
3. SMS filtering is a function that can be performed by access mediation.
a. True
b. False
4. Current gateway screening standards are adequate for ensuring the network
is protected.
a. True
b. False
5. Access mediation is not able to mask protocol differences between networks.
a. True
b. False
6. If system implementation requires a point code, carriers must reconfigure the
network for deployment.
a. True
b. False
7. The standards bodies developing SS7 were concerned about protecting the
network from harmful outside sources.
a. True
b. False
8. Which is a main benefit or purpose for implementing access mediation?
a. network security
b. enforce interconnect agreements
c. prevent fraud
d. all of the above
9. Access mediation devices should provide both _______ and ______
inspection.
a. syntax and header
b. content and node
c. syntax and content
d. message and node
10. What is the key difference between gateway screening and access mediation?
a. access mediation looks at the message header while gateway screening
checks message syntax and content.
b. gateway screening devices are limited to analyzing traffic based on the
message header, while access mediation enables carriers to examine
message syntax and content.
c. there is no difference. Gateway screening and access mediation are the
same thing.
d. All of the above

11. ISUP traffic is being sent at random from a VoIP interconnection using trunk
circuit values that do not exist. Which example demonstrates how access
mediation can be used to resolve this problem?
a. The recipient carrier can block those messages, allowing only the traffic
permitted by the interconnect agreement.
b. The network operations manager alerts the provider they are sending
harmful messages and tells them not to do it again.
c. Access mediation does not apply to this scenario.
12. What type of traffic can access mediation control?
a. ISUP
b. AIN
c. SMS
d. all of the above
13. Access mediation devices act as intelligent_____.
a. gateways
b. routers
c. firewalls
14. Access mediation devices inspect _______ SS7 message traversing the
network to ensure compliance with the carrier’s operations policy.
a. every
b. most
c. none
15. What is syntax inspection?
a. validating message parameters and their values
b. validating protocol conformance
c. validating protocol conformance

Correct Answers
1. Deregulation and convergence have catalyzed the need for access mediation.
a. True
b. False
2. Any carrier that relies on the PSTN and its SS7 interconnections for service
delivery can benefit from access mediation.
a. True
b. False
3. SMS filtering is a function that can be performed by access mediation.
a. True
b. False
4. Current gateway screening standards are adequate for ensuring the network
is protected.
a. True
b. False
5. Access mediation is not able to mask protocol differences between networks.
a. True
b. False
6. If system implementation requires a point code, carriers must reconfigure the
network for deployment.
a. True
b. False

7. The standards bodies developing SS7 were concerned about protecting the
network from harmful outside sources.
a. True
b. False
8. Which is a main benefit or purpose for implementing access mediation?
a. network security
b. enforce interconnect agreements
c. prevent fraud
d. all of the above
9. Access mediation devices should provide both _______ and ______
inspection.
a. syntax and header
b. content and node
c. syntax and content
d. message and node
10. What is the key difference between gateway screening and access mediation?
a. access mediation looks at the message header while gateway screening
checks message syntax and content.
b. gateway screening devices are limited to analyzing traffic based on
the message header, while access mediation enables carriers to
examine message syntax and content.
c. there is no difference. Gateway screening and access mediation are the
same thing.
d. All of the above

11. ISUP traffic is being sent at random from a VoIP interconnection using trunk
circuit values that do not exist. Which example demonstrates how access
mediation can be used to resolve this problem?
a. The recipient carrier can block those messages, allowing only the
traffic permitted by the interconnect agreement.
b. The network operations manager alerts the provider they are sending
harmful messages and tells them not to do it again.
c. Access mediation does not apply to this scenario.
12. What type of traffic can access mediation control?
a. ISUP
b. AIN
c. SMS
d. all of the above
13. Access mediation devices act as intelligent_____.
a. gateways
b. routers
c. firewalls
14. Access mediation devices inspect _______ SS7 message traversing the
network to ensure compliance with the carrier’s operations policy.
a. every
b. most
c. none

15. What is syntax inspection?
a. validating message parameters and their values
b. validating protocol conformance
c. validating protocol conformance

Glossary
Acronyms Guide
AIN     advanced intelligent network
CLEC    competitive local exchange carrier
CNAM    calling name delivery service
ILEC    incumbent local exchange carrier
IN      intelligent network
IP      internet protocol
ISUP    ISDN user part
LNP     local number portability
MNP     mobile number portability
NRC     National Research Council
PSTN    public switched telephone network
SCP     service control point
SMS     short message service
SS7     signaling system 7
SSN     subsystem number
STP     signal transfer point
VoIP    Voice over Internet protocol
