Signaling System No. 7 (SS7/C7) - Protocol, Architecture and Services (Full Book)

Traffic Screening

This section provides a practical overview of SS7 traffic screening. Traffic screening is normally applied at Signal Transfer Points (STPs) because these are normally the gateways between operator networks. Network operators are responsible for ensuring the security of their own SS7 networks to defend against any unwarranted incoming traffic. At present, SS7 traffic can be altered, injected, or deleted after physical access to the signaling links is gained.

STPs normally have extensive screening functionality. Typically, the screening rules are specified on a per-linkset basis. Usually the STP can support something in the range of a few thousand conditional statements that can be applied to each linkset. Screening usually adds only a couple of milliseconds to cross-STP transmission time.

STP gateway screening is typically applied to provide access-control mechanisms to nonhome SS7 networks (interconnects). Figure 15-1 illustrates this concept.

Figure 15-1. STPs May Be Used to Filter Incoming SS7 Messages



Before an incoming Message Signal Unit (MSU) is accepted, it should pass a series of filtering rules that ensure conformance to the specified criteria. If an MSU does not pass the test, it should be discarded. This operation is known as message screening. Screening normally is applied only to the incoming internetwork SS7 MSUs. Screening procedures normally are not applied to outgoing or intranetwork MSUs. Internetwork MSUs are of high importance because they constitute the traffic coming in from other operators via interconnects. Screening is normally applied at the Message Transfer Part level 3 (MTP3) and Signaling Connection Control Part (SCCP) protocol layers. MTP screening is applied before any Global Title Translation (GTT). Normally there are both pre-GTT and post-GTT SCCP screening rules.

The following typical MTP basic screening rules can be combined to build more complex screening functionality:

  • Allow specified Originating Point Code (OPC)

  • Block specified OPC

  • Allow specified Destination Point Code (DPC)

  • Block specified DPC

  • Allow specified Service Information Octet (SIO) values: priority values as per the Service Indicator (SI) subfield, network values as per the Network Indicator (NI) subfield, and User Part values as per the Subservice Field (SSF)

  • Allow certain MTP3 H0/H1 values (signaling network management messages)

The following typical pre-GTT SCCP screening rules can be combined to build more complex screening functionality:

  • Calling Party Address (CgPA) parameters such as point code allowed, subsystem number allowed, SCCP message type allowed, routing indicator allowed, and translation type allowed

The following typical post-GTT SCCP screening rules can be combined to build more complex screening functionality:

  • Called Party Address (CdPA) parameters such as point code allowed, subsystem number allowed, and SCCP management messages allowed
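The following is an added example, not code from the book or from any STP vendor, that models the screening chain just described (MTP3 rules, then pre-GTT SCCP rules, then GTT, then post-GTT SCCP rules) as a small Python pipeline. It decodes a real ITU MTP3 routing label (Q.704: DPC 14 bits, OPC 14 bits, SLS 4 bits, least-significant bit first) and the SIO, but the SCCP addressing is passed in pre-decoded rather than parsed from Q.713 octets. All point codes, subsystem numbers, global titles, the GTT table and the per-linkset policy are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SI_SNM, SI_SCCP, SI_ISUP = 0, 3, 5   # Q.704 service indicator values
SCMG_SSN, UDT = 1, 0x09              # SCCP management SSN; Unitdata message type

@dataclass
class Sccp:
    # Pre-decoded SCCP addressing (constructed; Q.713 parsing is out of scope here).
    # cgpa_tt is set only when the CgPA is routed on GT; cdpa_gt only when the CdPA is.
    msg_type: int
    cgpa_pc: Optional[int]
    cgpa_ssn: Optional[int]
    cgpa_tt: Optional[int]
    cdpa_pc: Optional[int] = None
    cdpa_ssn: Optional[int] = None
    cdpa_gt: Optional[str] = None

@dataclass
class Msu:
    si: int; ni: int; dpc: int; opc: int; sls: int
    heading: Optional[Tuple[int, int]] = None   # (H0, H1), SNM messages only
    sccp: Optional[Sccp] = None

def build_mtp3(si, ni, dpc, opc, sls, heading=None) -> bytes:
    """Encode SIO + ITU routing label (+ SNM heading byte) for the sample MSUs."""
    label = (dpc | (opc << 14) | (sls << 28)).to_bytes(4, "little")
    tail = bytes([heading[0] | (heading[1] << 4)]) if heading else b""
    return bytes([(ni << 6) | si]) + label + tail

def parse_mtp3(raw: bytes, sccp: Optional[Sccp] = None) -> Msu:
    """SIO: SI in the low nibble, NI in bits 7-6. ITU routing label (Q.704): DPC 14 bits,
    OPC 14 bits, SLS 4 bits, LSB first. SNM: heading byte = H0 (low nibble), H1 (high)."""
    sio, label = raw[0], int.from_bytes(raw[1:5], "little")
    m = Msu(sio & 0x0F, sio >> 6, label & 0x3FFF, (label >> 14) & 0x3FFF,
            (label >> 28) & 0xF, sccp=sccp)
    if m.si == SI_SNM and len(raw) > 5:
        m.heading = (raw[5] & 0x0F, raw[5] >> 4)
    return m

def first_failure(checks) -> Optional[str]:
    """Rules are evaluated in order; the first failing rule's reason rejects the MSU."""
    return next((reason for failed, reason in checks if failed), None)

def mtp3_screen(m: Msu, p: dict) -> Optional[str]:
    return first_failure([
        (m.opc in p["blocked_opc"] or m.opc not in p["allowed_opc"], f"MTP3: OPC {m.opc} not permitted"),
        (m.dpc not in p["allowed_dpc"], f"MTP3: DPC {m.dpc} not permitted"),
        (m.ni not in p["allowed_ni"] or m.si not in p["allowed_si"], f"MTP3: SIO NI={m.ni} SI={m.si} not permitted"),
        (m.si == SI_SNM and m.heading not in p["allowed_snm"], f"MTP3: SNM heading {m.heading} not permitted")])

def pre_gtt_screen(s: Sccp, p: dict) -> Optional[str]:
    return first_failure([
        (s.msg_type not in p["msg_types"], f"pre-GTT: SCCP message type 0x{s.msg_type:02x} not permitted"),
        (s.cgpa_pc is not None and s.cgpa_pc not in p["cgpa_pc"], f"pre-GTT: CgPA PC {s.cgpa_pc} not permitted"),
        (s.cgpa_ssn is not None and s.cgpa_ssn not in p["cgpa_ssn"], f"pre-GTT: CgPA SSN {s.cgpa_ssn} not permitted"),
        (s.cgpa_tt is not None and s.cgpa_tt not in p["tt"], f"pre-GTT: CgPA translation type {s.cgpa_tt} not permitted")])

def global_title_translation(s: Sccp, table: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Longest-prefix GTT: resolve a route-on-GT CdPA to PC + SSN (now routed on SSN)."""
    if s.cdpa_gt is None:
        return None
    for prefix in sorted(table, key=len, reverse=True):
        if s.cdpa_gt.startswith(prefix):
            s.cdpa_pc, s.cdpa_ssn = table[prefix]
            return None
    return f"GTT: no translation for GT {s.cdpa_gt}"

def post_gtt_screen(s: Sccp, p: dict) -> Optional[str]:
    return first_failure([
        (s.cdpa_pc not in p["cdpa_pc"], f"post-GTT: CdPA PC {s.cdpa_pc} not permitted"),
        (s.cdpa_ssn == SCMG_SSN and not p["allow_scmg"], "post-GTT: SCCP management (SSN 1) not permitted"),
        (s.cdpa_ssn not in p["cdpa_ssn"], f"post-GTT: CdPA SSN {s.cdpa_ssn} not permitted")])

def screen_msu(raw: bytes, sccp: Optional[Sccp], p: dict, gtt: dict) -> Tuple[bool, str]:
    """Gateway pipeline: MTP3 -> pre-GTT SCCP -> GTT -> post-GTT SCCP; reject on first hit."""
    m = parse_mtp3(raw, sccp)
    reason = mtp3_screen(m, p)
    if reason is None and m.si == SI_SCCP:
        reason = (pre_gtt_screen(m.sccp, p) or global_title_translation(m.sccp, gtt)
                  or post_gtt_screen(m.sccp, p))
    return reason is None, reason or "accepted"

# Constructed interconnect policy: partner STP 1001 allowed, 1002 blocked; national (NI=2)
# SNM/SCCP/ISUP for our PCs 2001/2002; SNM limited to TFP (4,1), TFR (4,3), TFA (4,5); no SCMG.
POLICY = dict(allowed_opc={1001, 1002}, blocked_opc={1002}, allowed_dpc={2001, 2002},
              allowed_ni={2}, allowed_si={SI_SNM, SI_SCCP, SI_ISUP},
              allowed_snm={(4, 1), (4, 3), (4, 5)}, cgpa_pc={1001}, cgpa_ssn={6, 8},
              msg_types={UDT}, tt={0}, cdpa_pc={2001}, cdpa_ssn={6, 8}, allow_scmg=False)
GTT_TABLE = {"4412": (2001, 6)}   # constructed: GT prefix -> (PC, SSN) of our HLR
HLR_QUERY = dict(msg_type=UDT, cgpa_pc=1001, cgpa_ssn=8, cgpa_tt=0, cdpa_gt="441234567")

def demo() -> Dict[str, Tuple[bool, str]]:
    sccp_msu = build_mtp3(SI_SCCP, 2, 2001, 1001, 3)
    scmg = Sccp(UDT, 1001, 8, None, cdpa_pc=2001, cdpa_ssn=SCMG_SSN)
    return {
        "udt_via_gtt": screen_msu(sccp_msu, Sccp(**HLR_QUERY), POLICY, GTT_TABLE),
        "blocked_opc": screen_msu(build_mtp3(SI_SCCP, 2, 2001, 1002, 3), Sccp(**HLR_QUERY), POLICY, GTT_TABLE),
        "tfp_allowed": screen_msu(build_mtp3(SI_SNM, 2, 2001, 1001, 0, (4, 1)), None, POLICY, GTT_TABLE),
        "coo_rejected": screen_msu(build_mtp3(SI_SNM, 2, 2001, 1001, 0, (1, 1)), None, POLICY, GTT_TABLE),
        "scmg_rejected": screen_msu(sccp_msu, scmg, POLICY, GTT_TABLE)}
```

Each stage returns the first rule it trips, so a rejected MSU carries the reason an operator would want in a screening log; the sets in `POLICY` are allow-lists, which is the usual posture for an interconnect linkset. Note that the post-GTT rule for SSN 1 is what keeps a partner from addressing our SCCP management subsystem directly.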

The next sections look at the protocol issues you should keep in mind when planning to implement screening rules.

Screening Considerations

The following sections discuss areas of concern surrounding the various protocols in a core SS7 stack. In general, signaling related to the control and management of the whole network is somewhat more of a target for fraud than, say, signaling relating to one call only.

MTP

The lower levels of MTP (MTP1 and MTP2) are involved in the reliable transfer of SUs on only a link-by-link basis, rather than on an end-to-end basis. Therefore, screening is not provided at these layers, and monitoring systems may take many measurements relating to MTP2 performance instead. MTP screening is provided for MTP3, because it provides the routing of MSUs through the SS7 network and, as such, contains information related to the network topology, such as routing tables. The information relating to network topology can be changed dynamically by the network management functions of MTP3. Therefore, MTP3 network management messages need to be both screened and monitored, because they can access and modify the network's routing information.
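Screening decides what is discarded; the paragraph also calls for MTP3 network management (SNM) messages to be monitored. The following is an added example, not from the book, of simple monitoring logic run over SNM records as a link probe might log them. It assumes two policies: that changeover, changeback and transfer-prohibited/-restricted/-allowed messages are only expected from the point code adjacent on the linkset they arrive on (Q.704 exchanges these between adjacent signaling points), and that a burst of route-changing messages from one OPC inside a short window is worth an alert. The linkset name, point codes, timestamps and thresholds are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List

# Q.704 heading codes (H0, H1) of the SNM messages this monitor names.
SNM_NAMES = {(1, 1): "COO", (1, 2): "COA", (2, 1): "CBD", (2, 2): "CBA",
             (4, 1): "TFP", (4, 3): "TFR", (4, 5): "TFA", (7, 1): "TRA"}
ROUTE_CHANGING = {"COO", "CBD", "TFP", "TFR"}   # messages that alter routing state

@dataclass
class SnmEvent:
    t: float            # seconds, as timestamped by a link monitor (constructed)
    linkset: str
    opc: int
    h0: int
    h1: int

def monitor_snm(events: List[SnmEvent], adjacent: Dict[str, int],
                window_s: float = 10.0, burst: int = 3) -> List[str]:
    """Flag (a) SNM messages whose OPC is not the point code adjacent on that linkset
    and (b) bursts of route-changing messages from one OPC within window_s seconds."""
    alerts: List[str] = []
    recent: Dict[tuple, deque] = defaultdict(deque)   # (linkset, opc) -> timestamps
    for e in sorted(events, key=lambda ev: ev.t):
        name = SNM_NAMES.get((e.h0, e.h1), f"H0/H1 {e.h0}/{e.h1}")
        if e.opc != adjacent.get(e.linkset):
            alerts.append(f"{e.t:.1f}s {e.linkset}: {name} from non-adjacent OPC {e.opc}")
        if name in ROUTE_CHANGING:
            q = recent[(e.linkset, e.opc)]
            q.append(e.t)
            while e.t - q[0] > window_s:      # drop timestamps outside the window
                q.popleft()
            if len(q) == burst:
                alerts.append(f"{e.t:.1f}s {e.linkset}: {burst} route-changing SNM messages "
                              f"from OPC {e.opc} within {window_s:g}s")
    return alerts

# Constructed sample: linkset LS-A faces partner STP 1001. Two TFPs and a TFR from 1001
# inside 2 s, a TFP claiming to come from 1005, then a routine TFA much later.
SAMPLE = [SnmEvent(0.0, "LS-A", 1001, 4, 1), SnmEvent(1.0, "LS-A", 1001, 4, 1),
          SnmEvent(2.0, "LS-A", 1001, 4, 3), SnmEvent(5.0, "LS-A", 1005, 4, 1),
          SnmEvent(30.0, "LS-A", 1001, 4, 5)]

def run_sample() -> List[str]:
    return monitor_snm(SAMPLE, adjacent={"LS-A": 1001})
```

The two checks are deliberately cheap so they can run on every SNM record; a real deployment would also correlate the affected destination carried in TFP/TFR messages with the STP's own route set status, which this example omits.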

SCCP

As with MTP3, SCCP carries both messages arriving from Level 4 and self-generated SCCP network management messages. SCCP management informs other nodes of application status, such as whether a particular application is working.

Book Hosted by www.SS7.net - the SS7/Sigtran Training Company

Copyright © Cisco, Inc. Published By Cisco Press. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying or recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Written permission was obtained by Lee Dryburgh to place the book at the domain SS7-Training.net