Security in Carrier Class Server Applications for All-IP Networks
Abstract
A revolution is taking place in telecommunication networks. New services are appearing on platforms such as third generation cellular phones (3G) and broadband Internet access. This motivates the transition from mostly switched to all-IP networks. Replacing the traditional shallow and well-defined interface to telephony networks brings increased flexibility, but also makes the network correspondingly difficult to secure properly. This paper surveys the implications of this transition for security in telecom applications. It does not give an exhaustive list of security tools or security protocols. Its goal is rather to introduce the reader to the security issues that this revolution brings to carrier class servers.

February 2002

Introduction

Telephony networks typically interface to subscribers through a shallow and well-defined interface. After the introduction of out-of-band control technology based on Signaling System 7 (SS7) in the 1970s, the number of security incidents involving the core telephone network infrastructure dropped substantially. From then on, the commands that subscribers could send were limited to tone or pulse dialing of digits for signaling, switch hook flashes for simple features like call waiting and 3-way calling, and some dial access codes for features like caller-id blocking. In the subsequent incidents, the core telephony infrastructure was never compromised.

The telephony operating environment, however, is experiencing dramatic changes. Companies previously labeled as telephone operators are now offering broadband data access and numerous IP services, including mail and web hosting. Furthermore, these services may not remain totally separate from the traditional telephony channels, as new, more closely integrated services are offered:

• Third generation cellular phones offer voice and high-speed data communications.
• Location services enable applications to query the precise location of cellular phones for emergency response, or targeted information/advertisement purposes.
• Many of the data-oriented applications being deployed are directly derived from popular Internet applications, or give direct access to Internet-located information content.

The result is the current move toward all-IP and IP-interoperable networks (Figure 1). The resulting communication infrastructure, integrating voice, data and multimedia, can be considered part of a single large global network, the Internet. It contains traditional wired and wireless phones and computers, and increasingly multi-functional small computers presented as telephony-enabled personal digital assistants (PDA). The stateless phone of yesterday is replaced by a small computer, which is both vulnerable to attacks and capable of launching attacks.

With the Internet, the explosion of the communication network brought a new field of possible threats [SANS2001, CERT2001]: attacks on or through the communication infrastructure between the server and the clients. The challenge is to have a network offering the flexibility associated with the Internet, while preserving the security and reliability expected from carrier grade equipment.
Journal title: CoRR
Volume: abs/cs/0412039
Publication date: 2002