GPRS Security Threats and Solution ... - Juniper Networks
White Paper
GPRS Security Threats and Solution Recommendations

Alan Bavosa
Product Manager
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408 745 2000 or 888 JUNIPER
www.juniper.net

Part Number: 200074-002 June 2004
Contents
Preface ..... 3
Introduction ..... 3
GPRS Core Network Architecture Overview ..... 3
Classification of Security Services ..... 4
Data Services on the Gp and Gi Interfaces ..... 5
Security Threats on the Gp Interface ..... 5
  Availability ..... 5
  Authentication and Authorization ..... 6
  Integrity and Confidentiality ..... 6
Security Solutions for the Gp Interface ..... 7
  Gp Network Solution Diagram ..... 8
Security Threats on the Gi Interface ..... 8
  Availability ..... 9
  Confidentiality ..... 9
  Integrity ..... 9
  Authentication and Authorization ..... 9
Security Solutions on the Gi Interface ..... 9
  Gi Network Security Solution Diagram ..... 10
Security Threats on the Gn Interface ..... 11
Security Solutions on the Gn Interface ..... 11
Deploying GPRS Security Solutions on Juniper Security Systems ..... 12
Conclusion ..... 13
Acknowledgements and Resources ..... 14
Copyright © 2004, Juniper Networks, Inc.
GPRS Threats and Recommendations

Preface

Introduction
This paper is intended to assist General Packet Radio Service (GPRS) operators and network designers in the evaluation of potential security threats and solutions. Although a brief review of GPRS architecture is provided, it is assumed that the reader understands the basic GPRS architecture and Internet Protocol data networking. This paper does not attempt to present an exhaustive list of all GPRS security issues.

General Packet Radio Service (GPRS) is a data network architecture that is designed to integrate with existing GSM networks and offer mobile subscribers "always on" packet-switched data services access to corporate networks and the Internet. GPRS provides mobile operators with an opportunity to offer higher-margin data access services to subscribers. In return, subscribers benefit from GPRS by being able to use higher-bandwidth mobile connections to the Internet and corporate networks. GPRS Tunneling Protocol (GTP) is the protocol used by GSM or UMTS operators to convert radio signals from subscribers into data packets, and then to transport them in non-encrypted tunnels. GTP does not provide inherent security.

With the addition of GPRS to GSM, mobile operators are adding mobile Internet and virtual private network services to their existing mobile voice services. GPRS networks are connected to several external data networks, including those of roaming partners, corporate customers, GPRS Roaming Exchange (GRX) providers, and the public Internet. By connecting their GPRS network to a variety of external networks, mobile operators must take the appropriate steps to protect their own network from attacks initiated from these external networks while continuing to provide access to and from them. Juniper Networks' purpose-built firewall/IPSec VPNs address many of the security problems operators face when developing GPRS-based service offerings. The most recent version of GTP is GTP 99. A prior version was called GTP 97. Juniper's integrated firewall/VPN product line supports both versions of GTP.
GPRS Core Network Architecture Overview

In figure 1, the Mobile Station (MS) logically attaches to a Serving GPRS Support Node (SGSN). The main function of the SGSN is to provide data support services to the MS. The SGSN is logically connected to a Gateway GPRS Support Node (GGSN) via the GPRS Tunneling Protocol (GTP). The GTP connection within a given operator's Public Land Mobile Network (PLMN) is called the Gn interface. The connection between two different PLMNs (mainly used to implement roaming agreements between providers) is the Gp interface. The GGSN provides the data gateway to external networks, such as the public Internet or a corporate network, via the Gi interface. GTP is used to encapsulate data from the MS and also includes mechanisms for establishing, moving, and deleting tunnels between SGSN and GGSN in roaming scenarios. Finally, the interface used to connect a provider's network to its internal Accounting and Billing systems is called the Ga interface. This is also referred to as GTP' or GTP prime.
The Gp and the Gi interfaces are the primary points of interconnection between the operator's network and untrusted external networks. Operators must take appropriate measures to protect their network from attacks originating on these external networks.

Figure 1 (diagram; labels: Corporate Network #1, Corporate Network #2, VPN, Gi Interface, Firewall/IPSec VPN, Ga Interface, Operator, Gn Interface, Billing/Accounting DB, Gp Interface, Roaming Partner #1, GRX, VPN, Roaming Partner #2)

Operators must secure connections between trusted and untrusted networks:
Gi – interface between the GPRS network and an external network, such as the Internet
Gp – interface between two mobile operators' networks, primarily for roaming
Ga – interface to Billing and Accounting systems
Gn – the mobile provider's internal network interface, which must also be secured

Classification of Security Services
Security services are protections and assurances that provide mitigation against various threats. They are generally known as:

• Integrity: Integrity is a security service that assures that data cannot be altered in an unauthorized or malicious manner.
• Confidentiality: Confidentiality is the protection of data from disclosure to unauthorized third parties.
• Authentication: Authentication provides assurance that a party in data communication is who or what they claim to be.
• Authorization: Authorization is a security service that ensures that a party may only perform the actions that they are allowed to perform.
• Availability: Availability means that data services are usable by the appropriate parties in the manner intended.
When considering security threats and possible mitigation, it is important to consider attacks against each of these services. In some cases, it may not be important to protect against certain threats. For example, it is not necessary to protect the confidentiality of data that is intended to be public.
Data Services on the Gp and Gi Interfaces

In order to determine what security solutions are appropriate, it is necessary to first understand what type of traffic and data services are to be provided, and then to analyze specific threats to those services. The Gp interface is the logical connection between PLMNs that is used to support mobile (roaming) data users. GTP is used to establish a connection between a local SGSN and the user's home GGSN. Generally, the traffic that must be allowed to and from an operator's network on the Gp is:

• GTP: Provides logical connectivity between the SGSN and GGSN of roaming partners
• BGP: Provides routing information between the operator and the GRX and/or roaming partners
• DNS: Provides resolution for a subscriber's APN

The Gi interface is the interface over which data originated by the MS is sent out to access the Internet or a corporate network. It is also the interface that is exposed to public data networks and to the networks of corporate customers. Traffic being sent out from the GGSN on the Gi interface, or arriving for an MS on the Gi interface, can be virtually any kind of traffic, since the application being used at the MS is unknown.
Security Threats on the Gp Interface

Availability

The most common type of attack on availability is a denial of service (DoS) attack. Several types of denial of service attack are possible on the Gp interface:

• Border Gateway bandwidth saturation – A malicious operator that is connected to the same GRX (whether or not they are actually a roaming partner) may be able to generate enough network traffic directed at a Border Gateway that legitimate traffic is starved for bandwidth in or out of the PLMN, thus denying roaming access to or from the network.
• DNS Flood – DNS servers on the network can be flooded with well-formed or malformed DNS queries or other traffic, thereby denying subscribers the ability to locate the proper GGSN to use as an external gateway.
• GTP Flood – SGSNs and GGSNs may be flooded with unauthorized GTP traffic that causes them to spend their CPU cycles processing illegitimate data. This may prevent subscribers from being able to roam, to pass data out to external networks via the Gi, or to GPRS attach to the network at all.
• Spoofed GTP PDP Context Delete – An attacker with the appropriate information can potentially craft a GTP PDP Context Delete message which will remove the GPRS tunnel between the SGSN and GGSN for a subscriber. Some of the information that must be known can be learned by crafting other types of network traffic. If an attacker does not care whom they are denying service to, they can send PDP Context Delete messages for every tunnel ID that might be used.
• Bad BGP Routing Information – An attacker who has control of a GRX operator's routers, or who can inject routing information into a GRX operator's route tables, can cause an operator to lose routes for roaming partners, thereby denying roaming access to and from those roaming partners.
• DNS Cache Poisoning – It may be possible for an attacker to forge DNS queries and/or responses that cause a given user's APN to resolve to the wrong GGSN, or to none at all. If a long Time To Live (TTL) is given, this can prevent subscribers from being able to pass data at all.
Authentication and Authorization

It may be possible for an impostor to appear to be a legitimate subscriber when they are not.

• Spoofed Create PDP Context Request – GTP inherently provides no authentication for the SGSNs and GGSNs themselves. This means that, given the appropriate subscriber information, an attacker with access to the GRX, another operator attached to the GRX, or a malicious insider can potentially create their own bogus SGSN and create a GTP tunnel to the GGSN of a subscriber. They can then pretend to be the legitimate subscriber when they are not. This can result in an operator providing illegitimate Internet access or possibly unauthorized access to the network of a corporate customer.
• Spoofed Update PDP Context Request – An attacker can use their own SGSN or a compromised SGSN to send an Update PDP Context Request to an SGSN which is handling an existing GTP session. The attacker can then insert their own SGSN into the GTP session and hijack the subscriber data connection.
• Overbilling Attacks – A new attack has emerged in GPRS networks called the "Overbilling Attack". Such an attack is initiated by a malicious mobile station that hijacks an IP address of another mobile station and invokes a download from a malicious server on the Internet. Once the download begins, the malicious mobile station exits the session. The mobile station under attack, receiving the download traffic, gets charged for traffic it did not solicit. The same malicious party could execute this attack for the purpose of sending broadcasts of unsolicited data in the direction of subscriber cell phones. The effect is still the same, in that the subscriber is billed for data that they did not solicit and might not have wanted. Such an attack is not limited to the Gp interface. It can also occur by exploiting the Gi or Gn interfaces as well.

Integrity and Confidentiality

Should an attacker be in a position to access GTP or DNS traffic, they can potentially alter it mid-stream or discover confidential subscriber information. This is a fundamental issue with GTP, as noted in 3GPP TS 09.60 V6.9.0:

"No security is provided in GTP to protect the communication between different GPRS networks."

• Capturing a subscriber's data session – Because GTP and the embedded T-PDUs are not encrypted, an attacker who has access to the path between the GGSN and SGSN, such as a malicious employee or a hacker who has compromised access to the GRX, can potentially capture a subscriber's data session. Without encryption, this data can then be read or manipulated by illegitimate parties. This is generally true of traffic on public networks, and subscribers should be advised to utilize IPSec or similar protection.
Security Solutions for the Gp Interface

The fundamental issue with security threats on the Gp interface is the lack of security inherent in GTP. Implementing IPSec between roaming partners and managing traffic rates can eliminate a majority of the Gp security risks. Specific security countermeasures to implement should include:

• Ingress and egress packet filtering – This will help prevent the PLMN from being used as a source to attack other roaming partners. If the mobile operator is connected to more than one GRX or to private roaming peering connections, then this will also help ensure that spoofed roaming partner traffic cannot arrive on paths where that roaming partner is not connected.
• Stateful GTP packet filtering – Only allow the traffic required, and only from the sources and destinations of roaming partners. This will prevent other PLMNs connected to the same GRX from initiating many kinds of attacks. It will also prevent GSNs from having to process traffic from PLMNs that are not roaming partners, as well as illegal or malformed traffic. Layer 3 and layer 4 stateful inspection is useful because it minimizes the exposure of the GPRS network; GTP stateful inspection is critical to protect GSNs. A firewall that supports GTP stateful inspection ensures that GSNs are not processing GTP packets that are malformed, have illegal headers, or are not in the correct state. This prevents many types of denial of service attacks and some others, such as reconnaissance.
• GTP Traffic Shaping – In order to prevent the shared resources of bandwidth and the GSN's processor from being consumed by an attacker or a subscriber, GTP rate limiting should be implemented. Layer 3 and layer 4 rate limiting should also be implemented to address denial of service (DoS) attacks and to ensure that bandwidth is appropriately apportioned between GTP, BGP, DNS, etc.
• IPSec tunnels between roaming partners – A majority of confidentiality and authentication issues are addressed by implementing IPSec between the mobile operator's PLMN and that of the roaming partners. Generally, only GTP and DNS traffic should be allowed over the IPSec tunnel. No traffic should be permitted from roaming partners that does not arrive on the IPSec tunnel.
• Overbilling Attack Prevention – Juniper's solution enables the GTP firewall to notify the Gi firewall of an attack. The Gi firewall is then able to terminate the "hanging" sessions and/or tunnels, thus cutting off the unwanted traffic. As such, this prevents the GPRS subscriber from being "overbilled." Again, this solution is not limited exclusively to the Gp interface.
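The GTP Traffic Shaping bullet above, modelled as an added example (not Juniper's code or configuration): per-peer token buckets limit GTP signalling by messages per second and the user plane by bytes per second, so one flooding peer cannot consume the GSN's CPU or starve other roaming partners. It assumes GTP 99 is GTPv1 with GTP-C on UDP port 2123 and GTP-U on 2152 (3GPP TS 29.060); peer addresses and rates are constructed.

```python
"""Model of GTP rate limiting by signalling or user plane on the Gp interface.
Added example, not Juniper's code. Ports are GTPv1 (3GPP TS 29.060, assumed);
peers and rates are constructed."""

GTP_C_PORT, GTP_U_PORT = 2123, 2152             # GTP-C (signalling), GTP-U (user plane)

class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst        # refill per second, bucket depth
        self.tokens, self.last = burst, 0.0

    def take(self, now, cost):
        """Refill for the elapsed time, then spend `cost` tokens if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True

class GtpRateLimiter:
    """One bucket per (peer GSN, plane): signalling is charged per message,
    user plane per byte, so a signalling flood cannot eat the user-plane budget."""

    def __init__(self, signalling_pps, userplane_bps, burst_seconds=0.2):
        self.limits = {GTP_C_PORT: (signalling_pps, signalling_pps * burst_seconds),
                       GTP_U_PORT: (userplane_bps, userplane_bps * burst_seconds)}
        self.buckets = {}                            # (peer, port) -> TokenBucket
        self.dropped = {GTP_C_PORT: 0, GTP_U_PORT: 0}

    def admit(self, peer, dport, size, now):
        """Return True to forward the datagram, False to drop it."""
        if dport not in self.limits:
            return False                             # not GTP: the Gp policy does not allow it
        key = (peer, dport)
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(*self.limits[dport])
        cost = 1 if dport == GTP_C_PORT else size
        if self.buckets[key].take(now, cost):
            return True
        self.dropped[dport] += 1
        return False

def demo():
    """Constructed: peer A sends 500 GTP-C messages in 0.1 s against a 100/s limit,
    peer B sends 5 in the same window, and peer B also pushes 3 MB of GTP-U in 1 s
    against a 1 MB/s limit. Returns (A accepted, B accepted, GTP-U accepted, drops)."""
    rl = GtpRateLimiter(signalling_pps=100, userplane_bps=1_000_000)
    a = sum(rl.admit("10.20.0.1", GTP_C_PORT, 60, i * 0.0002) for i in range(500))
    b = sum(rl.admit("10.30.0.1", GTP_C_PORT, 60, i * 0.0002) for i in range(5))
    u = sum(rl.admit("10.30.0.1", GTP_U_PORT, 1500, i * 0.0005) for i in range(2000))
    return a, b, u, rl.dropped
```

Peer A is cut back to roughly its burst plus 0.1 s of refill while peer B's five messages all pass, because each peer and each plane has its own bucket.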
Gp Network Solution Diagram

Figure 2 below illustrates a recommended configuration for the Gp interface. The border gateway router supporting BGP can be either in front of or behind the firewall. DNS, RADIUS, and DHCP servers should be located off the Juniper security system on a separate network segment. The operations and management network should be located off a separate network segment as well.

Figure 2 (diagram; labels: IPSec, GTP, GRX, Internet, GGSN, SGSN, Gp Interface, Roaming Partner #1, Roaming Partner #2)

Security Threats on the Gi Interface

The Gi interface is where the GPRS network connects to the Internet, corporate networks, and other network service providers who may provide services to subscribers. Because the subscriber's applications can be virtually anything, operators will expose their network at the Gi to all types of network traffic. Subscribers are then exposed to all of the ills that we have today on the Internet, including viruses, worms, Trojan horses, denial of service attacks, and other malicious network traffic.
Availability

Like the Gp interface, denial of service attacks represent the largest threat on the Gi interface. Some examples include:

• Gi bandwidth saturation – Attackers may be able to flood the link from the PDN to the mobile operator with network traffic, thereby preventing legitimate traffic from passing.
• Flooding an MS – If a flood of traffic is targeted towards the network (IP) address of a particular MS, that MS will most likely be unable to use the GPRS network. This is particularly true because of the significant difference in available bandwidth on the air interface versus the Gi interface.

Confidentiality

• There is no protection of data from an MS to the public data network or corporate network. It is assumed that third parties can see data if IP Security or application layer security is not being used.

Integrity

• Data sent over public data networks can potentially be changed by intermediaries unless higher layer security is being used.
Authentication and Authorization

• Unless layer 2 or layer 3 tunnels are used at the GGSN to connect to the corporate network, it may be possible for one MS to access the corporate network of another customer. The source address of network traffic cannot be relied upon for authentication and authorization purposes, because the MS or hosts beyond the MS can create packets with any addresses regardless of the IP address assigned to the MS.
Security Solutions on the Gi Interface

A majority of the security threats associated with the Gi interface stem from the possibility of denial of service attacks and adjacency attacks. Security solutions include:

• Logical tunnels from the GGSN to corporate networks – It should not be possible to route traffic from the Internet to a corporate network, or between corporate networks, at all. In order to implement this, make sure that the GGSN can logically separate corporate networks in layer 2 or layer 3 tunnels. If the connection to the corporate network is via the Internet, IPSec should be used to connect from the GGSN to the corporate network.
• Traffic rate limiting – On connections to the Internet, prioritize IPSec traffic from corporate networks over other traffic. This will ensure that attacks from the Internet cannot disrupt mobile intranet services. Another consideration would be to use separate physical interfaces for corporate traffic and Internet traffic.
• Stateful packet inspection – Use a security policy that only allows the MS to initiate connections to the public network, and implement stateful packet filtering so that the MS never sees traffic that is initiated from the public network. If required, implement trusted application servers that are permitted by policy to push public network services to the MS. An alternative would be to offer two types of service: one where connections can be initiated from the Internet toward the MS, and one where they cannot.
• Ingress and egress packet filtering – Prevent the possibility of spoofed MS-to-MS data by blocking incoming traffic whose source addresses are the same as those assigned to an MS for public network access.
• Overbilling Attack Prevention – Juniper's solution enables the GTP firewall to notify the Gi firewall of an attack. The Gi firewall is then able to terminate the "hanging" sessions and/or tunnels, thus cutting off the unwanted traffic. As such, this prevents the GPRS subscriber from being "overbilled." Again, this solution is not limited exclusively to the Gi interface.
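The Gi-side stateful packet inspection and ingress/egress filtering from the list above, as an added example (not Juniper's code): the MS address pool, the trusted push server and the flows are constructed, and the flush_ms method stands in for what the Gi firewall does when the GTP firewall reports that a subscriber's PDP context is gone.

```python
"""Model of the Gi firewall policy: egress only from MS addresses, ingress only as
a reply to an MS-initiated session or from a trusted push server, spoofed MS sources
from the PDN dropped, and a flush hook for the overbilling notification.
Added example, not Juniper's code; pool, server and flows are constructed."""
import ipaddress

MS_POOL = ipaddress.ip_network("192.0.2.0/24")   # constructed: addresses the GGSN assigns to MSs
PUSH_SERVERS = {"198.51.100.9"}                  # constructed: trusted application servers

class GiFirewall:
    def __init__(self, ms_pool=MS_POOL, push_servers=PUSH_SERVERS):
        self.ms_pool, self.push_servers = ms_pool, push_servers
        self.sessions = set()   # (proto, ms_ip, ms_port, peer_ip, peer_port) opened by an MS

    def from_ggsn(self, proto, src, sport, dst, dport):
        """Egress: a packet the GGSN forwards from an MS toward the PDN."""
        if ipaddress.ip_address(src) not in self.ms_pool:
            return "drop", "egress filter: %s is not an MS address" % src
        if ipaddress.ip_address(dst) in self.ms_pool:
            return "drop", "MS-to-MS traffic is not allowed through Gi"
        self.sessions.add((proto, src, sport, dst, dport))
        return "allow", "MS-initiated"

    def from_pdn(self, proto, src, sport, dst, dport):
        """Ingress: a packet arriving from the PDN for an MS."""
        if ipaddress.ip_address(src) in self.ms_pool:
            return "drop", "ingress filter: spoofed MS source %s" % src
        if ipaddress.ip_address(dst) not in self.ms_pool:
            return "drop", "%s is not an MS address" % dst
        if (proto, dst, dport, src, sport) in self.sessions:
            return "allow", "reply within an MS-initiated session"
        if src in self.push_servers:
            return "allow", "trusted push server"
        return "drop", "unsolicited traffic toward an MS"

    def flush_ms(self, ms_ip):
        """Overbilling defence: when the GTP firewall reports that the MS's PDP
        context was deleted, drop every session that could still bill that MS."""
        stale = {s for s in self.sessions if s[1] == ms_ip}
        self.sessions -= stale
        return len(stale)

def demo():
    """Constructed flows; returns the verdicts and the number of sessions flushed."""
    fw = GiFirewall()
    out = [fw.from_ggsn("tcp", "192.0.2.10", 40000, "198.51.100.5", 80),   # MS opens a session
           fw.from_pdn("tcp", "198.51.100.5", 80, "192.0.2.10", 40000),    # reply: allowed
           fw.from_pdn("udp", "192.0.2.77", 53, "192.0.2.10", 5353),       # spoofed MS source
           fw.from_pdn("tcp", "203.0.113.4", 4444, "192.0.2.10", 8080),    # unsolicited inbound
           fw.from_pdn("tcp", "198.51.100.9", 443, "192.0.2.10", 50000),   # trusted push server
           fw.from_ggsn("tcp", "10.9.9.9", 1, "198.51.100.5", 80)]         # not an MS source
    return out, fw.flush_ms("192.0.2.10")
```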
Gi Network Security Solution Diagram

The Juniper Gi security solution uses a tunnel hub concept to logically separate traffic for different corporate networks and the Internet. In addition to IPSec tunnels and 802.1q VLANs, ATM, Frame Relay, and MPLS can be used in conjunction with third party switches and access concentrators.

Figure 3 (diagram; labels: Gi Interface, SGSN, GGSN, Corporation A, Corporation B)
Security Threats on the Gn Interface

Providers not only need to worry about threats originating from outside their network. There are also many instances where threats may originate from inside a provider's network, or threats may emerge from the outside but propagate within a provider's network once the network barrier has been breached. This section outlines threats that may occur at the Gn interface, which is internal to a given provider's GPRS network.

• Attacks at the Gn interface can potentially bring down the network, depending on the intensity of the attack. This impact can lead to network downtime, loss of service, revenue loss, and disgruntled customers.
• Spoofed SGSN or GGSN – There are instances where malicious users can disguise themselves as a legitimate part of the network by spoofing the IP address of a GGSN or SGSN. Once a party has established themselves as a legitimate network element or user, they can take actions which are detrimental to customers or wireless carriers, such as deleting PDP contexts or sessions. By executing commands that a GGSN normally executes, such attacks can go undetected until the damage is done, unless the network is protected by a stateful firewall.
• Spoofed GTP PDP Context Delete – An attacker with the appropriate information can potentially craft a GTP PDP Context Delete message which will remove the GPRS tunnel between the SGSN and GGSN for a subscriber. Some of the information that must be known can be learned by crafting other types of network traffic. If an attacker does not care whom they are denying service to, they can send PDP Context Delete messages for every tunnel ID that might be used.
• Attacks from one mobile customer against another – Mobile customers, whether legitimate customers or not, may attack each other. One such attack is the previously described Overbilling attack. This attack can take the equivalent form of "spam" for a GPRS network. In this case, the malicious user, once they have gained what appears to be legitimate network access, can send massive amounts of data to unsuspecting users. Since GPRS is a "usage based" service, innocent users are "overbilled" for content that they did not request. Such an attack would be even more harmful than spam is for email, as it becomes much more than an annoyance. Imagine if you were charged (on a per email basis) for every piece of junk email that you received from a spammer!
Security Solutions on the Gn Interface
Using policy-based configuration and administration, providers can protect against security threats that emerge from within the GPRS network.
• Policy-based firewall management lets providers use Juniper's arbitrary "any-to-any" zone structure to protect against attacks that originate inside the network. A simple "trust/untrust" architecture does not fully allow this, because there is often no notion of "untrust" within the confines of a given provider's own network; arbitrary zones let the operator separate its network elements from one another and write explicit policies between them.
• Stateful Inspection Firewall: By deploying a stateful inspection firewall and setting the policies by which traffic is allowed or disallowed, carriers can protect against the attacks described above. In the case of spoofed GGSN messages, for example, a PDP context message that fails the firewall's "sanity check" is dropped. In the example above, where a malicious user posing as a GGSN spoofs a GTP PDP Context Delete message, the Delete fails the sanity check and is dropped by the firewall if no corresponding GTP PDP Context Create message was seen earlier, since there is no established tunnel for it to tear down.
• Juniper's Overbilling feature enables a carrier to prevent the "spam" example from happening by deleting the "hijacked" session that the malicious party used to execute the attack.
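The sanity check and the overbilling cleanup described above, as an added example written for this page (it is not Juniper's ScreenOS code or a NetScreen configuration): a small GTP-aware stateful inspector that parses GTPv1-C headers and information elements, records a tunnel only when a Create PDP Context Response accepts the matching Request, drops any Delete PDP Context Request whose header TEID belongs to no recorded tunnel (the message an attacker posing as a GGSN would send), and on a genuine Delete removes the Gi sessions held for the subscriber's address so the next holder of that address is not billed for traffic aimed at it. The SGSN and GGSN addresses, TEIDs, sequence numbers and the subscriber address are constructed sample values, and the parser knows only the fixed-length information elements listed in its table.

```python
"""GTP-aware stateful inspection on the Gn interface (added example, not Juniper code):
a Delete PDP Context Request for a tunnel that no Create set up is dropped, and when a
genuine Delete goes through, the subscriber's Gi sessions are torn down with the tunnel."""
import struct

CREATE_REQ, CREATE_RESP, DELETE_REQ, G_PDU = 16, 17, 20, 255   # GTPv1 message types (3GPP TS 29.060)
IE_CAUSE, IE_TEID_DATA, IE_TEID_CP, IE_END_USER_ADDR = 1, 16, 17, 128   # IE types; < 128 is fixed-length TV
TV_LEN = {1: 1, 2: 8, 14: 1, 15: 1, 16: 4, 17: 4, 19: 1, 20: 1, 127: 4}   # TV lengths known to this example

def parse_gtp(pkt):
    """Return (msg_type, header TEID, seq, {ie_type: value}) or None if the message is malformed."""
    if len(pkt) < 8:
        return None
    flags, mtype, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10 or length != len(pkt) - 8 or (flags & 0x07 and length < 4):
        return None                       # not GTPv1, GTP' (PT=0), length field lies, or options cut short
    off, seq = 8, None
    if flags & 0x07:                      # E, S or PN flag: four optional octets; seq is valid only with S
        seq, off = (struct.unpack("!H", pkt[8:10])[0] if flags & 0x02 else None), 12
    ies = {}
    while mtype != G_PDU and off < len(pkt):      # a G-PDU carries a T-PDU, not IEs
        t = pkt[off]
        if t < 128:
            n, off = TV_LEN.get(t), off + 1
        else:                             # TLV: two-octet length follows the type
            n, off = (struct.unpack("!H", pkt[off + 1:off + 3])[0] if off + 3 <= len(pkt) else None), off + 3
        if n is None or off + n > len(pkt):
            return None                   # unknown TV type, truncated TLV, or an IE past the packet end
        ies[t], off = pkt[off:off + n], off + n
    return mtype, teid, seq, ies

def end_user_ip(v):
    """Decode an End User Address IE holding an IETF IPv4 address (PDP type 0x21)."""
    return ".".join(map(str, v[2:6])) if len(v) == 6 and v[0] & 0x0F == 1 and v[1] == 0x21 else None

class GnFirewall:
    def __init__(self):
        self.pending = {}         # (sgsn, ggsn, seq) -> SGSN control TEID from the Create Request
        self.tunnels = {}         # (src, dst, control TEID in header) -> (subscriber IP, partner key)
        self.gi_sessions = set()  # (subscriber IP, peer IP) flows held by the Gi firewall
        self.dropped = []         # reason for every dropped message

    def inspect(self, src, dst, pkt):
        """Return True to forward the GTP-C message from src to dst, False to drop it."""
        parsed = parse_gtp(pkt)
        if parsed is None:
            return self._drop("malformed header or IE")
        mtype, teid, seq, ies = parsed
        if mtype == CREATE_REQ:
            if IE_TEID_CP not in ies:
                return self._drop("Create Request without TEID Control Plane IE")
            self.pending[(src, dst, seq)] = struct.unpack("!I", ies[IE_TEID_CP])[0]
        elif mtype == CREATE_RESP:
            sgsn_cp = self.pending.pop((dst, src, seq), None)   # the response runs GGSN -> SGSN
            if sgsn_cp is None or teid != sgsn_cp:
                return self._drop("Create Response with no matching Request")
            accepted = IE_CAUSE in ies and ies[IE_CAUSE][0] & 0xC0 == 0x80   # Cause 10xxxxxx: accepted
            if IE_CAUSE not in ies or (accepted and IE_TEID_CP not in ies):
                return self._drop("Create Response missing Cause or TEID Control Plane IE")
            if accepted:
                ggsn_cp = struct.unpack("!I", ies[IE_TEID_CP])[0]
                ue_ip = end_user_ip(ies.get(IE_END_USER_ADDR, b""))
                # Either end may tear the context down, so index the tunnel by both control TEIDs.
                self.tunnels[(dst, src, ggsn_cp)] = (ue_ip, (src, dst, sgsn_cp))
                self.tunnels[(src, dst, sgsn_cp)] = (ue_ip, (dst, src, ggsn_cp))
        elif mtype == DELETE_REQ:
            if (src, dst, teid) not in self.tunnels:            # the sanity check described in the text
                return self._drop(f"Delete Request from {src} for TEID {teid:#x} with no prior Create")
            ue_ip, partner = self.tunnels.pop((src, dst, teid))
            self.tunnels.pop(partner, None)
            # Overbilling prevention: the address goes back to the pool, so no Gi session keyed on
            # it may outlive the tunnel and be billed to the address's next owner.
            self.gi_sessions = {s for s in self.gi_sessions if ue_ip not in s}
        return True

    def _drop(self, why):
        self.dropped.append(why)
        return False

def build_gtp(mtype, teid, seq, ies=()):
    """Build a GTPv1-C message with the S flag set (constructed sample traffic for the demo)."""
    body = struct.pack("!HBB", seq, 0, 0)         # sequence number, N-PDU number, no extension header
    for t, v in ies:
        body += bytes([t]) + (v if t < 128 else struct.pack("!H", len(v)) + v)
    return struct.pack("!BBHI", 0x32, mtype, len(body), teid) + body   # 0x32: version 1, PT=1, S=1

def demo():
    fw, sgsn, ggsn = GnFirewall(), "10.1.1.1", "10.2.2.2"   # hypothetical SGSN and GGSN addresses
    fw.inspect(sgsn, ggsn, build_gtp(CREATE_REQ, 0, 7, [(IE_TEID_DATA, b"\x00\x00\x00\x11"),
                                                        (IE_TEID_CP, b"\x00\x00\x00\x12"), (20, b"\x05")]))
    fw.inspect(ggsn, sgsn, build_gtp(CREATE_RESP, 0x12, 7, [   # accepted: GGSN TEID 0x4242, IP 10.9.0.5
        (IE_CAUSE, b"\x80"), (IE_TEID_DATA, b"\x00\x00\x00\x41"), (IE_TEID_CP, b"\x00\x00\x42\x42"),
        (20, b"\x05"), (IE_END_USER_ADDR, b"\xf1\x21\x0a\x09\x00\x05")]))
    fw.gi_sessions.add(("10.9.0.5", "203.0.113.10"))   # a flow the subscriber opened on Gi
    delete = [(19, b"\xff"), (20, b"\x05")]            # Teardown Ind, NSAPI
    spoofed = fw.inspect(ggsn, sgsn, build_gtp(DELETE_REQ, 0xDEAD, 8, delete))  # posing as the GGSN
    genuine = fw.inspect(sgsn, ggsn, build_gtp(DELETE_REQ, 0x4242, 9, delete))  # the real tunnel
    return {"spoofed_forwarded": spoofed, "genuine_forwarded": genuine, "tunnels_left": len(fw.tunnels),
            "gi_sessions_left": fw.gi_sessions, "drops": fw.dropped}
```

Calling `demo()` shows the spoofed Delete dropped with its reason logged, while the genuine one is forwarded and takes both tunnel entries and the subscriber's Gi session with it. The inspector keys tunnels on the direction and the control-plane TEID the peer expects in the header, which is exactly what a spoofer who has not watched the Create exchange does not know. A production inspector would also track Update PDP Context, Echo and GTP-U traffic, age out pending requests, and enforce the per-SGSN tunnel and rate limits listed in the product feature summary.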
Deploying GPRS Security Solutions on Juniper Security Systems
The Juniper Networks NetScreen-500 GPRS provides security technology to mitigate a wide variety of attacks on the Gp, Gn, Ga and Gi interfaces. These features include:
• Full policy-based protection at all major GPRS interfaces
• Logical separation and administration via Virtual System (vsys) support
• Support for both GTP 97 and GTP 99
• GTP Packet Sanity Check
• GTP Tunnel Limiting
• Hardware-accelerated stateful packet filtering
• Traffic rate limiting
• GTP rate limiting by signaling or user plane
• GTP stateful packet filtering
• GPRS Overbilling Attack Prevention
• Dynamic Routing (OSPF and BGP)
• High Availability (using Juniper Redundancy Protocol, NSRP)
• Route mode or Transparent mode
• Web User Interface (WebUI)
• Access Point Name Filtering (APN Filtering)
• Active/Active mode
• Active/Passive mode
• Per-direction APN filtering
• GTP security policies, including:
  • GTP Message Type
  • GTP Message Length
  • IMSI Prefix filtering (MCC/MNC Filtering)
  • Filtering on a per mobile provider basis
  • GTP Tunnel Count Limits
  • APN and Selection Mode
• GTP Management and Logging Features, including:
  • GTP Traffic Counting
  • GTP Traffic Logging
  • Many other advanced logging capabilities
• High-availability fail-over, including:
  • GTP state tables
  • VPN gateway connections
• Virtual Router support to separate intranet-destined traffic
• IPSec tunnels or 802.1q VLANs to the GGSN
• IPSec tunnels or 802.1q VLANs toward the corporate network
• Hardware-accelerated support for GTP over IPSec tunnels
Conclusion
GPRS promises to benefit mobile data users greatly by providing always-on connections with higher bandwidth than is widely available today. To succeed, those data connections must be secure and available at any time and from anywhere.
The maturity of security on the air interface and the low bandwidth available there limit the effectiveness of the Mobile Station as a source of attacks. However, with the introduction of GPRS services, operators must connect their networks to those of corporate customers, public data networks and other operators in order to provide data access services, and these connections represent significant risks to subscribers and to the operators themselves.
The lack of security inherent in GTP, the protocol used between roaming partners, is a significant threat: the security of the roaming network is only as good as that of its weakest operator. Implementing IPSec between roaming partners, traffic rate limiting and GTP stateful inspection can mitigate a significant number of threats on the roaming network.
Stateful packet inspection, traffic rate limiting and logical separation of the traffic for each corporate network and for the public network can significantly reduce the threat between the operator's network, its subscribers and those external networks.
Juniper Networks has developed technology and solutions that include a GTP-aware stateful inspection firewall, GTP-aware traffic shaping and a VPN/VLAN tunnel hub. These solutions help mitigate many of the possible threats to the GPRS network, mobile subscribers and corporate networks.
Acknowledgements and Resources
The author wishes to thank the staff of Ericsson Research Labs, Berkeley, CA, for their assistance with the analysis of GTP and Gi interface security threats. Special thanks also to Jesse Shu of Juniper Networks GPRS Software Engineering.
Other sources of helpful information include:
Security in GPRS. Geir Stian Bajen and Erling Kaasin. May 2001. http://siving.hia.no/ikt01/ikt6400/ekaasin/Master Thesis Web.htm
Screening and filtering: In GPRS the subscriber pays MO and MT packets, how to protect against hackers and unwanted packets? Hannu H. Kari. http://www.cs.hut.fi/~hhk/GPRS/lect/screening/ppframe.htm
GPRS Security. Charles Brookson. December 2001. http://www.brookson.com/gsm/gprs.pdf
Wireless and Mobile Network Architectures. Yi-Bing Lin, Herman C.-H. Rao, Imrich Chlamtac. John Wiley and Sons, 2001.
Copyright © 2004 Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
Information in this document is subject to change without notice.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:
Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel