SlideShare a Scribd company logo

Diameter Penetration Test Lab

F
frcarlson

Working Paper for IEEE MENS Conference - Los Angeles, Ca.

1 of 6
Download to read offline
Security Penetration Test Framework for the Diameter Protocol Frederick R. Carlson National Defense University Washington, D.C., USA fcarlson@ieee.org Abstract— this paper outlines the infrastructure required for a documented the next generation NAS AAA requirements. The penetration testing suite centered around the cellular call control Mobile IP Working Group of the IETF documented AAA protocol called Diameter. A brief description of Diameter is requirements that would help Mobile IP scale for Inter-Domain given along with the basic equipment and design requirements to mobility. The Telecommunication Industry Association (TIA) conduct the testing. TR-45.6 Adjunct Wireless Packet Data Technology working group documented the CDMA2000 Wireless Data Diameter, Wireless Security, Penetration Testing, SIP, SS7 Requirements for Authorization, Authentication and Accounting (AAA). Based on the work of TR-45.6, 3GPP2 has I. INTRODUCTION specified a two phased architecture for supporting Wireless IP The purpose of this paper is to suggest a framework for a networking based on IETF protocols; the second phase detailed security analysis of the Diameter Protocol and the requiring AAA functionality not supportable in RADIUS. The platforms that carry this protocol. There is very little design of Diameter met the requirements indicated by these information on the protocol aside from a series of Requests for various groups. 2 Comment, Standards Body Documentation and Industry White Papers. It is critical that the framework not only examines the III. THE RELAVENCE OF THE DIAMETER PROTOCOL Diameter Protocol in isolation, but in system as well. This is to Diameter is important as it subsumes the Signaling System show the interaction between Diameter and the various cellular Seven (SS7) system that was responsible for signaling and radio systems, handsets, Provisioning gateways (P-Gateway), control in Public Switched Telephone Networks (PSTN) and Serving Gateway (S-Gateway), Policy, Charging and Routing was the intelligent signaling layer in Time Division Function (PCRF) Gateways and the base stations (eNodeB) as Multiplexing (TDM) networks. SS7, a very important and long well. This paper sets up the base system to conduct detailed living protocol, is being replaced in modern cellular networks analysis of the Diameter Protocol from a Security Perspective. by two protocols: Session Initiation Protocol (SIP) and Diameter. SIP is the call control protocol used to establish II. DIAMETER voice, messaging and multimedia communication sessions. The Diameter model is a base protocol and a set of Diameter is used to exchange subscriber profiles, applications. The base protocol provides common functionality authentication, billing, Quality of Service (QoS) and to the supported applications. The base protocol defines the mobility—between the network elements in these systems. The basic Diameter message format. Data is carried within a subscriber profile information handles issues such as network Diameter message as a collection of Attribute Value Pairs join, location updates and subscriber data, voice, video or (AVPs). An AVP is like a RADIUS attribute. An AVP consists multimedia sessions. This information is routed between of multiple fields: an AVP Code, a Length, some Flags, and visited and home networks to authenticate and enable services Data. Some AVPs are used by the Diameter base protocol; for roaming subscribers. Diameter signaling is used between other AVPs are intended for the Diameter application while yet the elements in a service provider’s 4G network and between others may be used by the higher-level end-system application providers and roaming hubs. There is a large body of Diameter that employs Diameter. 1 interfaces that have been defined by various industry and standards groups. Diameter is a extremely flexible standard, A number of working groups have specified their which is both it’s strength, as it allows very quick development, requirements for Authorization, Authentication and Accounting and it’s weakness, as it tends to be somewhat unfinished, (AAA) protocols, and these requirements drove the design of cannot scale without help and has little, if any, academic work the Diameter protocol. The Roaming Operations (ROAMOPS) on the security posture of the protocol ecosystem itself. 3 Working Group of the Internet Engineering Task Force (IETF) published a set of requirements for roaming networks. The 2 NAS Requirements (NASREQ) Working Group of the IETF Interlink Networks. (2002). Introduction to Diameter. Retrieved from: http://www.interlinknetworks.com/whitepapers/Introduction_to_Diameter.pdf 3 Acme Packet. (2012). Scaling Diameter in LTE and IMS, Retrieved from: 1 Interlink Networks. (2002). Introduction to Diameter. Retrieved from: http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_ScalingDia http://www.interlinknetworks.com/whitepapers/Introduction_to_Diameter.pdf meter_020112.pdf
IV. DIAMETER AND MOBILITY the UE through the P-CSCF. The IMS system can then connect Diameter signaling puts significant demands on the mobile a call through a media gateway (signaling processes not shown) network. The main challenges that service providers face with so the connection can reach the landline telephone. 6 scaling, security and managing Diameter in Long Term • The relevance of this discussion is that the 4G Evolution (LTE) and IP Multimedia Subsystem (IMS) network is not a closed system like the PSTN was. It networks include: is growing up with even more open standards than the • Traffic volume: The volume of messages and Diameter Transmission Protocol/Internet Protocol (TCP/IP) transactions for each voice or data session can be huge. By based networks that formed the Internet. This is one 2015, the firm Exact Ventures projects a figure of 235,000 of the reasons that cellular infrastructure can be transactions per second (TPS) for every one million brought to market extremely quickly, it is also a subscribers. For a moderately sized LTE deployment of five reason that security holes may be formed at the seams million subscribers, a mobile service provider will require of the actual infrastructure the cellular carriers are Diameter transaction processing in the range of 220,000 to over deploying. Currently, mobile security is focused on one million TPS. 4 handheld and user interaction and that are probably a good development as the user devices themselves are • Overload and network failure: The servers involved in very insecure, but there is the possibility of easily processing various AAA, QoS or charging functions are not exploited vulnerabilities within the actual base station equipped to deal with spikes in volume; this can impact service and IMS/LTE infrastructure. quality or network availability due to element overload and failure. This is a key security concern. • Network attack: Diameter signaling infrastructure that is exposed to external networks in roaming scenarios can be attacked in two major ways. The first is with a denial of service attack. With Diameter pooling the information exchange used for signaling, if attack the Diameter Border Controllers, this can degrade or possibly take down the entire 4G network. A more insidious attack would be the interception of Attribute Value Pair and location information. Information can easily be sniffed on untrusted, public IP transport networks between service providers. 5 In fact, Wireshark has a detailed Diameter template within their sniffer product to do just that. The security theme here is not only can subtle attacks be made on the 4G system (similar to the ones made on its predecessor SS7), but the distributed nature of the 4G network makes it uniquely vulnerable to “script kiddie” like Denial of Service attacks. Figure 1. IP Multimedia Subsystem 7 V. IP MULTIMEDIA SUBSYSTEM (IMS) VI. DIAMETER AS A LAYER Unfortunately, the cellular network which Diameter is Diameter sits above the transport layer when placed in the applied is moderately complex. This section of the paper gives OSI (Opens Systems Interconnection) layered architecture. It a very basic discussion of platforms and what they do in the uses the transport services provided by either TCP or SCTP IMS ecosystem. Figure 1 shows the basic functions of the IMS layers, which in turn use IP as their layer below as illustrated in system. This diagram shows that a user equipment device (a Figure 2. This is significant because the vast majority of tools mobile phone in this example) is calling another device (a and talent are focused at Layer 7 issues such as stack overflows landline telephone). The User Equipment (UE) sends its and other software design issues or network based issues such connection request (an invite) to the proxy call session control as Layer 4 port management and network flows. Being above function (P-CSCF). The P-CSCF needs to find the call server Layer 4 and below layer 7, Diameter is in a very difficult so it sends a request to the interrogatory call session control position on the OSI stack for IT managers to deal with as a server (I-CSCF). The I-CSCF contacts the home subscriber matter of culture. This is because the vast majority of people in server (HSS) which contains the service profile of user and the the IT industry are trained to look at issues at Layers 3 and location of the serving call session control function (S-CSCF). below (Networkers), 3, 4 and 7 (Programmers and most The S-CSCF will then manage the communication session with Security Personnel) and Layer 1 and 2 (Telecom and Fiber). 4 6 Acme Packet. (2012). Scaling Diameter in LTE and IMS, Retrieved from: VoIP Dictionary. IP Multimedia Subsystem - IMS http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_ScalingDia Retrieved from: meter_020112.pdf http://www.voipdictionary.com/VoIP_Dictionary_IMS_Definition.html 5 7 Acme Packet. (2012). Scaling Diameter in LTE and IMS, Retrieved from: VoIP Dictionary IP Multimedia Subsystem – IMS http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_ScalingDia Retrived from: meter_020112.pdf http://www.voipdictionary.com/VoIP_Dictionary_IMS_Definition.html
The pool of people that understand session and presentation layer issues are somewhat small; the pool of people that understand the security interactions smaller still. A very interesting issue is appearing in the mobile network. The nervous system of this infrastructure seems to be moving to a portion of the IT ecosystem that IT managers are least prepared to cope with. Figure 3. LTE Architecture 9 The protocol used here is Diameter which allows these subsystems to communicate. This creates an interesting security situation as Layer 4 (transport) through than Layer 6 (presentation) now have significant policy and control implications that were previously reserved at Layer 3 and Layer 4. As mobile networks like LTE move into vogue, we Figure 2. Diameter as a Layer 8 shall see that the securing of this protocol and the platforms that aggregate it and transport it around the cellular system will be a significant effort. VII. LONG TERM EVOLUTION (LTE) LTE is an evolution of the IMS system that simplifies the VIII. EQUIPMENT REQUIRED 10,11 platforms required to provide 4G services. The first major The effort breaks down into two phases. Phase I creates a component is the eNodeB, a base station radio. The second Server running Virtualization Software with a target Open major component is mobility management entity (MME), Source Diameter Server installed on it. A system that meets which is the brains of the system. The third is the System the target box specifications appears in Table 1 (Phase I Bill of Architecture Evolution – Gateway (SAE-GW) which is a very Materials for Target Box). fast user plane router. The Policy and Control Routing Function and the Host Subscriber Service are critical to track billing and QoS considerations. Figure 3 - LTE Architecture illustrates this arrangement. 9 Event Helix (2010). Long Term Evolution (LTE) Overview, Retrieved from: http://www.eventhelix.com/lte/tutorial/lte_overview.pdf 10 Rapid7 (2011) “How to Create a Penetration Lab”, Retrieved from: http://www.metasploit.com 8 11 N. Kottapalli (2010), Radisys White Paper: Diameter and LTE Evolved The information at the Metasploit Website was invaluable to the creation of Packet System. http://go.radisys.com/rs/radisys/images/paper-lte-diameter- this equipment list. See the article “How to Create a Penetration Lab” at eps.pdf http://www.metasploit.com
TABLE I. PHASE I BILL OF MATERIALS FOR TARGET BOX Target System Subsystem Specification Processor Intel Core 2 Quad @2.66 GHz Memory 8 GB Crucial DDR3 RAM Hard Drive 500 GB HD Network 2 Gigabit Ethernet NICS Cards Operating Ubuntu 10.04 LTS 64 bit System Virtualization VMware Workstation Software Target Open Diameter Software Software A system that meets the attack system specifications is listed in Table 2 (Phase I Bill of Materials for Attack Box). Figure 4. Phase I Diameter Lab X. EQUIPMENT SET UP OF TARGET DIAMETER SYSTEM – TABLE II. PHASE I BILL OF MATERIALS FOR ATTACK BOX PHASE II Attacking System Once the environment is set up, it is then necessary to add Virtualized and/or simulated elements of the LTE 4G system of Subsystem Specification systems. The critical ones are the Policy and Charging Rules Processor Multiple Core Function (PCRF), the Host Subscriber Service (HSS) and Memory 8 GB DDR3 RAM Mobility Management Entity (MME) Figure 5 shows the topology of the second phase of the lab setup. Hard Drive 500 GB HD Operating Ubuntu 9.10 64 bit System Network 1 Gigabit Ethernet NICS Cards Virtualization VMware Workstation (or Virtual Box) Software Attack Metasploit Framework (and/or Core Impact) Software Wireshark Backtrack 5 Pre-built virtual machines or installer ISOs IX. EQUIPMENT SET UP OF TARGET DIAMETER SYSTEM – PHASE I Figure 4 (Phase I Diameter Lab) shows the Phase I lab environment. This is the bare bones setup and will be used Figure 5. Phase II Diameter Lab mostly to get the Diameter System up and accessible through the VM in the attack box and to make sure that the correct tools to do initial Penetration Test runs are set up.
XI. VULNERABILITY IDENTIFICATION passed over the SS7 based Public Switched Telephone A list of potential system vulnerabilities must be created Network, it makes sense to start building a capability now that from this effort. In an extremely useful paper, Securing SS7 can look into this issue of Diameter Security. Telecommunications Networks by Lorenz, et al. presents an excellent taxonomy for security vulnerabilities in the call control subsystem of the Public Switched Telephone Network (PSTN). That taxonomy appears in Figure 6 – SS7 Taxonomy 12. This paper proposes the creation of an analogous taxonomy from the SS7 work in the examination of Diameter vulnerabilities as a first deliverable of this system. Figure 6. Signalling System Seven SS7 Security Taxonomy XII. CONCLUSION REFERENCES Diameter is subsuming SS7 for call control. It is very likely to subsume RADIUS and TACACS+ for general purpose [1] G. Lorenz, T. Moore, G. Manes, J. Hale, S. Shenoi, Securing SS7 Authorization, Accounting, and Authentication (AAA) services Telecommunications Networks, Proceedings of the 2001 IEEE as well. A list of potential system vulnerabilities will be Workshop on Information Assurance and Security, United States created from this effort using a similar effort as the SS7 Military Academy, West Point, NY, 5 - 6 June 2001 Security Taxonomy shown in Securing SS7 [2] Acme Packet. (2012). Scaling Diameter in LTE and IMS. Retrieved Telecommunications Networks. Currently the security from: research on Diameter is extremely thin, mirroring the situation http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_Scalin gDiameter_020112.pdf in the 1980s and 1990s with SS7. With mobile computing [3] Interlink Networks. (2002). Introduction to Diameter. Retrieved from: becoming so ubiquitous and the richness and importance of http://www.interlinknetworks.com/whitepapers/Introduction_to_Diamet data at a much higher level than what was comparatively er.pdf [4] N. Kottapalli (2010), Radisys White Paper: Diameter and LTE Evolved 12 G. Lorenz, T. Moore, G. Manes, J. Hale, S. Shenoi, Securing SS7 Packet System http://go.radisys.com/rs/radisys/images/paper-lte- Telecommunications Networks, Proceedings of the 2001 IEEE Workshop on diameter-eps.pd Information Assurance and Security, United States Military Academy, West [5] R. Nicole, Event Helix (2010). Long Term Evolution (LTE) Overview Point, NY, 5 - 6 June 2001 Retrieved from: http://www.eventhelix.com/lte/tutorial/lte_overview.pdf
[6] IRMC: 6201.2 SEC Course Notes, National Defense University, [7] Rapid7 (2011) “How to Create a Penetration Lab” Retrieved from: Information Resources Management College, Washington, DC, www.metasploit.com November 2005. [8] VoIP Dictionary IP Multimedia Subsystem – IMS Retrived from: http://www.voipdictionary.com/VoIP_Dictionary_IMS_Definition.html

Recommended

Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
P1Security
 
The known unknowns of SS7 and beyond
The known unknowns of SS7 and beyondThe known unknowns of SS7 and beyond
The known unknowns of SS7 and beyond
Siddharth Rao
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...
Siddharth Rao
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX network
Alexandre De Oliveira
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
Omer Coskun
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elements
P1Security
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
P1Security
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
P1Security
 

Recommended

Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
P1Security
 
The known unknowns of SS7 and beyond
The known unknowns of SS7 and beyondThe known unknowns of SS7 and beyond
The known unknowns of SS7 and beyond
Siddharth Rao
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...
Siddharth Rao
 
Assaulting diameter IPX network
Assaulting diameter IPX networkAssaulting diameter IPX network
Assaulting diameter IPX network
Alexandre De Oliveira
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
Omer Coskun
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elements
P1Security
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
P1Security
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
P1Security
 
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
P1Security
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
P1Security
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?
Stephen Kho
 
44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSM44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSM
iphonepentest
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON
 
Hallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginHallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul Coggin
EC-Council
 
Security Issues In Voip
Security Issues In VoipSecurity Issues In Voip
Security Issues In Voip
Waqas Daar
 
On her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyOn her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy Agency
Stephen Kho
 
Bluetooth
BluetoothBluetooth
Bluetooth
Tejaswa Jain
 
Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...
Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...
Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...
Ahmad K. Kabbara
 
H.323 protocol
H.323 protocolH.323 protocol
H.323 protocol
Habibur Rahman
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
Abdessamad TEMMAR
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security Testing
Conferencias FIST
 
Router and Routing Protocol Attacks
Router and Routing Protocol AttacksRouter and Routing Protocol Attacks
Router and Routing Protocol Attacks
Conferencias FIST
 
9517ijnsa03
9517ijnsa039517ijnsa03
9517ijnsa03
IJNSA Journal
 
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Anatol Alizar
 
Cryptography in GSM
Cryptography in GSMCryptography in GSM
Cryptography in GSM
Tharindu Weerasinghe
 
Exploiting Layer 2
Exploiting Layer 2Exploiting Layer 2
Exploiting Layer 2
Conferencias FIST
 
Transmission Security (TRANSEC) - White Paper
Transmission Security (TRANSEC) - White PaperTransmission Security (TRANSEC) - White Paper
Transmission Security (TRANSEC) - White Paper
ST Engineering iDirect
 
Gsm security final
Gsm security finalGsm security final
Gsm security final
Sanket Yavalkar
 
Meletis Belsis - IMS Security
Meletis Belsis - IMS SecurityMeletis Belsis - IMS Security
Meletis Belsis - IMS Security
Meletis Belsis MPhil/MRes/BSc
 
What is IPX?
What is IPX?What is IPX?
What is IPX?
whatisipx
 

More Related Content

What's hot

Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
P1Security
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON
 
Security Issues In Voip
Security Issues In VoipSecurity Issues In Voip
Security Issues In Voip
Waqas Daar
 
Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...
Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...
Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...
Ahmad K. Kabbara
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security Testing
Conferencias FIST
 
Router and Routing Protocol Attacks
Router and Routing Protocol AttacksRouter and Routing Protocol Attacks
Router and Routing Protocol Attacks
Conferencias FIST
 
9517ijnsa03
9517ijnsa039517ijnsa03
9517ijnsa03
IJNSA Journal
 

What's hot (20)

Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommu...
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronights
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?
 
44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSM44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSM
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 
Hallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginHallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul Coggin
 
Security Issues In Voip
Security Issues In VoipSecurity Issues In Voip
Security Issues In Voip
 
On her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyOn her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy Agency
 
Bluetooth
BluetoothBluetooth
Bluetooth
 
Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...
Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...
Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Net...
 
H.323 protocol
H.323 protocolH.323 protocol
H.323 protocol
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security Testing
 
Router and Routing Protocol Attacks
Router and Routing Protocol AttacksRouter and Routing Protocol Attacks
Router and Routing Protocol Attacks
 
9517ijnsa03
9517ijnsa039517ijnsa03
9517ijnsa03
 
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2
 
Cryptography in GSM
Cryptography in GSMCryptography in GSM
Cryptography in GSM
 
Exploiting Layer 2
Exploiting Layer 2Exploiting Layer 2
Exploiting Layer 2
 
Transmission Security (TRANSEC) - White Paper
Transmission Security (TRANSEC) - White PaperTransmission Security (TRANSEC) - White Paper
Transmission Security (TRANSEC) - White Paper
 
Gsm security final
Gsm security finalGsm security final
Gsm security final
 

Viewers also liked

What is IPX?
What is IPX?What is IPX?
What is IPX?
whatisipx
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
Fatih Ozavci
 
The Arena is I 91 Compliant
The Arena is I 91 CompliantThe Arena is I 91 Compliant
The Arena is I 91 Compliant
sonicsarena
 
8 Trends of Training&Development 2012
8 Trends of Training&Development 20128 Trends of Training&Development 2012
8 Trends of Training&Development 2012
Yulya Uzhakina
 
Wedding slideshow
Wedding slideshowWedding slideshow
Wedding slideshow
llee1986
 
T&d system measurement t&d kpi panel
T&d system measurement t&d kpi panelT&d system measurement t&d kpi panel
T&d system measurement t&d kpi panel
Yulya Uzhakina
 
Cheese Unit Day 2 August 17 Revised
Cheese Unit Day 2 August 17 RevisedCheese Unit Day 2 August 17 Revised
Cheese Unit Day 2 August 17 Revised
Rachael Mann
 

Viewers also liked (20)

Meletis Belsis - IMS Security
Meletis Belsis - IMS SecurityMeletis Belsis - IMS Security
Meletis Belsis - IMS Security
 
What is IPX?
What is IPX?What is IPX?
What is IPX?
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
 
IMS presentation
IMS presentationIMS presentation
IMS presentation
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco Phones
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
 
NGN & IMS
NGN & IMSNGN & IMS
NGN & IMS
 
The Arena is I 91 Compliant
The Arena is I 91 CompliantThe Arena is I 91 Compliant
The Arena is I 91 Compliant
 
8 Trends of Training&Development 2012
8 Trends of Training&Development 20128 Trends of Training&Development 2012
8 Trends of Training&Development 2012
 
Wedding slideshow
Wedding slideshowWedding slideshow
Wedding slideshow
 
El172 grammar u1 2
El172 grammar u1 2El172 grammar u1 2
El172 grammar u1 2
 
T&d system measurement t&d kpi panel
T&d system measurement t&d kpi panelT&d system measurement t&d kpi panel
T&d system measurement t&d kpi panel
 
The silent whisper production diary
The silent whisper production diary The silent whisper production diary
The silent whisper production diary
 
Cheese Unit Day 2 August 17 Revised
Cheese Unit Day 2 August 17 RevisedCheese Unit Day 2 August 17 Revised
Cheese Unit Day 2 August 17 Revised
 
Inleiding \'Digivaardig\' bij Koninklijke Visio/OTC op 18 juni 2012
Inleiding \'Digivaardig\' bij Koninklijke Visio/OTC op 18 juni 2012Inleiding \'Digivaardig\' bij Koninklijke Visio/OTC op 18 juni 2012
Inleiding \'Digivaardig\' bij Koninklijke Visio/OTC op 18 juni 2012
 
Worlds of Words
Worlds of WordsWorlds of Words
Worlds of Words
 
Bergens blonde
Bergens blondeBergens blonde
Bergens blonde
 
めんどうくさくないWardenハンズオン
めんどうくさくないWardenハンズオンめんどうくさくないWardenハンズオン
めんどうくさくないWardenハンズオン
 
Methods of hair_removal
Methods of hair_removalMethods of hair_removal
Methods of hair_removal
 

Similar to Diameter Penetration Test Lab

Advanced Security Management in Metro Ethernet Networks
Advanced Security Management in Metro Ethernet NetworksAdvanced Security Management in Metro Ethernet Networks
Advanced Security Management in Metro Ethernet Networks
IJNSA Journal
 
Trustbased Routing Metric for RPL Routing Protocol in the Internet of Things.
Trustbased Routing Metric for RPL Routing Protocol in the Internet of Things.Trustbased Routing Metric for RPL Routing Protocol in the Internet of Things.
Trustbased Routing Metric for RPL Routing Protocol in the Internet of Things.
pijans
 
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGSTRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
pijans
 
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGSTRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
pijans
 
Security course: exclusive 5G SA pitfalls and new changes to legislation
Security course: exclusive 5G SA pitfalls and new changes to legislationSecurity course: exclusive 5G SA pitfalls and new changes to legislation
Security course: exclusive 5G SA pitfalls and new changes to legislation
PositiveTechnologies
 
What Is Routing Overhead Of The Network
What Is Routing Overhead Of The NetworkWhat Is Routing Overhead Of The Network
What Is Routing Overhead Of The Network
Patricia Viljoen
 
Comparative Analysis of Quality of Service for Various Service Classes in WiM...
Comparative Analysis of Quality of Service for Various Service Classes in WiM...Comparative Analysis of Quality of Service for Various Service Classes in WiM...
Comparative Analysis of Quality of Service for Various Service Classes in WiM...
Editor IJCATR
 
4g security presentation
4g security presentation4g security presentation
4g security presentation
Kyle Ly
 
liaison-2019-09-30-itu-t-tsag-ietf-iab-ls-on-new-ip-shaping-future-network-at...
liaison-2019-09-30-itu-t-tsag-ietf-iab-ls-on-new-ip-shaping-future-network-at...liaison-2019-09-30-itu-t-tsag-ietf-iab-ls-on-new-ip-shaping-future-network-at...
liaison-2019-09-30-itu-t-tsag-ietf-iab-ls-on-new-ip-shaping-future-network-at...
MohammadSwerki2
 
Chp 6 infrastructure- the backbone of e-commerce tech
Chp 6 infrastructure- the backbone of e-commerce techChp 6 infrastructure- the backbone of e-commerce tech
Chp 6 infrastructure- the backbone of e-commerce tech
cheqala5626
 
Secure Data Aggregation Of Wireless Sensor Networks
Secure Data Aggregation Of Wireless Sensor NetworksSecure Data Aggregation Of Wireless Sensor Networks
Secure Data Aggregation Of Wireless Sensor Networks
Amy Moore
 

Similar to Diameter Penetration Test Lab (20)

IRJET- Security Analysis and Improvements to IoT Communication Protocols ...
IRJET- Security Analysis and Improvements to IoT Communication Protocols ...IRJET- Security Analysis and Improvements to IoT Communication Protocols ...
IRJET- Security Analysis and Improvements to IoT Communication Protocols ...
 
Essay On Ethernet
Essay On EthernetEssay On Ethernet
Essay On Ethernet
 
Advanced Security Management in Metro Ethernet Networks
Advanced Security Management in Metro Ethernet NetworksAdvanced Security Management in Metro Ethernet Networks
Advanced Security Management in Metro Ethernet Networks
 
A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...
A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...
A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...
 
Trustbased Routing Metric for RPL Routing Protocol in the Internet of Things.
Trustbased Routing Metric for RPL Routing Protocol in the Internet of Things.Trustbased Routing Metric for RPL Routing Protocol in the Internet of Things.
Trustbased Routing Metric for RPL Routing Protocol in the Internet of Things.
 
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGSTRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
 
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGSTRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
TRUST BASED ROUTING METRIC FOR RPL ROUTING PROTOCOL IN THE INTERNET OF THINGS
 
Security course: exclusive 5G SA pitfalls and new changes to legislation
Security course: exclusive 5G SA pitfalls and new changes to legislationSecurity course: exclusive 5G SA pitfalls and new changes to legislation
Security course: exclusive 5G SA pitfalls and new changes to legislation
 
Analytical Model on Secure Transmission for SIP-Video Call Setup for WiMax He...
Analytical Model on Secure Transmission for SIP-Video Call Setup for WiMax He...Analytical Model on Secure Transmission for SIP-Video Call Setup for WiMax He...
Analytical Model on Secure Transmission for SIP-Video Call Setup for WiMax He...
 
F0353743
F0353743F0353743
F0353743
 
What Is Routing Overhead Of The Network
What Is Routing Overhead Of The NetworkWhat Is Routing Overhead Of The Network
What Is Routing Overhead Of The Network
 
Comparative Analysis of Quality of Service for Various Service Classes in WiM...
Comparative Analysis of Quality of Service for Various Service Classes in WiM...Comparative Analysis of Quality of Service for Various Service Classes in WiM...
Comparative Analysis of Quality of Service for Various Service Classes in WiM...
 
4g security presentation
4g security presentation4g security presentation
4g security presentation
 
Effects of SIP in Interoperable LMR/Cellular Heterogeneous Mobile Wireless N...
Effects of SIP in Interoperable LMR/Cellular Heterogeneous Mobile Wireless N...Effects of SIP in Interoperable LMR/Cellular Heterogeneous Mobile Wireless N...
Effects of SIP in Interoperable LMR/Cellular Heterogeneous Mobile Wireless N...
 
A Review on security issues in WiMAX
A Review on security issues in WiMAXA Review on security issues in WiMAX
A Review on security issues in WiMAX
 
liaison-2019-09-30-itu-t-tsag-ietf-iab-ls-on-new-ip-shaping-future-network-at...
liaison-2019-09-30-itu-t-tsag-ietf-iab-ls-on-new-ip-shaping-future-network-at...liaison-2019-09-30-itu-t-tsag-ietf-iab-ls-on-new-ip-shaping-future-network-at...
liaison-2019-09-30-itu-t-tsag-ietf-iab-ls-on-new-ip-shaping-future-network-at...
 
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
 
Chp 6 infrastructure- the backbone of e-commerce tech
Chp 6 infrastructure- the backbone of e-commerce techChp 6 infrastructure- the backbone of e-commerce tech
Chp 6 infrastructure- the backbone of e-commerce tech
 
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
 
Secure Data Aggregation Of Wireless Sensor Networks
Secure Data Aggregation Of Wireless Sensor NetworksSecure Data Aggregation Of Wireless Sensor Networks
Secure Data Aggregation Of Wireless Sensor Networks
 

Diameter Penetration Test Lab

  • 1. Security Penetration Test Framework for the Diameter Protocol Frederick R. Carlson National Defense University Washington, D.C., USA fcarlson@ieee.org Abstract— this paper outlines the infrastructure required for a documented the next generation NAS AAA requirements. The penetration testing suite centered around the cellular call control Mobile IP Working Group of the IETF documented AAA protocol called Diameter. A brief description of Diameter is requirements that would help Mobile IP scale for Inter-Domain given along with the basic equipment and design requirements to mobility. The Telecommunication Industry Association (TIA) conduct the testing. TR-45.6 Adjunct Wireless Packet Data Technology working group documented the CDMA2000 Wireless Data Diameter, Wireless Security, Penetration Testing, SIP, SS7 Requirements for Authorization, Authentication and Accounting (AAA). Based on the work of TR-45.6, 3GPP2 has I. INTRODUCTION specified a two phased architecture for supporting Wireless IP The purpose of this paper is to suggest a framework for a networking based on IETF protocols; the second phase detailed security analysis of the Diameter Protocol and the requiring AAA functionality not supportable in RADIUS. The platforms that carry this protocol. There is very little design of Diameter met the requirements indicated by these information on the protocol aside from a series of Requests for various groups. 2 Comment, Standards Body Documentation and Industry White Papers. It is critical that the framework not only examines the III. THE RELAVENCE OF THE DIAMETER PROTOCOL Diameter Protocol in isolation, but in system as well. This is to Diameter is important as it subsumes the Signaling System show the interaction between Diameter and the various cellular Seven (SS7) system that was responsible for signaling and radio systems, handsets, Provisioning gateways (P-Gateway), control in Public Switched Telephone Networks (PSTN) and Serving Gateway (S-Gateway), Policy, Charging and Routing was the intelligent signaling layer in Time Division Function (PCRF) Gateways and the base stations (eNodeB) as Multiplexing (TDM) networks. SS7, a very important and long well. This paper sets up the base system to conduct detailed living protocol, is being replaced in modern cellular networks analysis of the Diameter Protocol from a Security Perspective. by two protocols: Session Initiation Protocol (SIP) and Diameter. SIP is the call control protocol used to establish II. DIAMETER voice, messaging and multimedia communication sessions. The Diameter model is a base protocol and a set of Diameter is used to exchange subscriber profiles, applications. The base protocol provides common functionality authentication, billing, Quality of Service (QoS) and to the supported applications. The base protocol defines the mobility—between the network elements in these systems. The basic Diameter message format. Data is carried within a subscriber profile information handles issues such as network Diameter message as a collection of Attribute Value Pairs join, location updates and subscriber data, voice, video or (AVPs). An AVP is like a RADIUS attribute. An AVP consists multimedia sessions. This information is routed between of multiple fields: an AVP Code, a Length, some Flags, and visited and home networks to authenticate and enable services Data. Some AVPs are used by the Diameter base protocol; for roaming subscribers. Diameter signaling is used between other AVPs are intended for the Diameter application while yet the elements in a service provider’s 4G network and between others may be used by the higher-level end-system application providers and roaming hubs. There is a large body of Diameter that employs Diameter. 1 interfaces that have been defined by various industry and standards groups. Diameter is a extremely flexible standard, A number of working groups have specified their which is both it’s strength, as it allows very quick development, requirements for Authorization, Authentication and Accounting and it’s weakness, as it tends to be somewhat unfinished, (AAA) protocols, and these requirements drove the design of cannot scale without help and has little, if any, academic work the Diameter protocol. The Roaming Operations (ROAMOPS) on the security posture of the protocol ecosystem itself. 3 Working Group of the Internet Engineering Task Force (IETF) published a set of requirements for roaming networks. The 2 NAS Requirements (NASREQ) Working Group of the IETF Interlink Networks. (2002). Introduction to Diameter. Retrieved from: http://www.interlinknetworks.com/whitepapers/Introduction_to_Diameter.pdf 3 Acme Packet. (2012). Scaling Diameter in LTE and IMS, Retrieved from: 1 Interlink Networks. (2002). Introduction to Diameter. Retrieved from: http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_ScalingDia http://www.interlinknetworks.com/whitepapers/Introduction_to_Diameter.pdf meter_020112.pdf
  • 2. IV. DIAMETER AND MOBILITY the UE through the P-CSCF. The IMS system can then connect Diameter signaling puts significant demands on the mobile a call through a media gateway (signaling processes not shown) network. The main challenges that service providers face with so the connection can reach the landline telephone. 6 scaling, security and managing Diameter in Long Term • The relevance of this discussion is that the 4G Evolution (LTE) and IP Multimedia Subsystem (IMS) network is not a closed system like the PSTN was. It networks include: is growing up with even more open standards than the • Traffic volume: The volume of messages and Diameter Transmission Protocol/Internet Protocol (TCP/IP) transactions for each voice or data session can be huge. By based networks that formed the Internet. This is one 2015, the firm Exact Ventures projects a figure of 235,000 of the reasons that cellular infrastructure can be transactions per second (TPS) for every one million brought to market extremely quickly, it is also a subscribers. For a moderately sized LTE deployment of five reason that security holes may be formed at the seams million subscribers, a mobile service provider will require of the actual infrastructure the cellular carriers are Diameter transaction processing in the range of 220,000 to over deploying. Currently, mobile security is focused on one million TPS. 4 handheld and user interaction and that are probably a good development as the user devices themselves are • Overload and network failure: The servers involved in very insecure, but there is the possibility of easily processing various AAA, QoS or charging functions are not exploited vulnerabilities within the actual base station equipped to deal with spikes in volume; this can impact service and IMS/LTE infrastructure. quality or network availability due to element overload and failure. This is a key security concern. • Network attack: Diameter signaling infrastructure that is exposed to external networks in roaming scenarios can be attacked in two major ways. The first is with a denial of service attack. With Diameter pooling the information exchange used for signaling, if attack the Diameter Border Controllers, this can degrade or possibly take down the entire 4G network. A more insidious attack would be the interception of Attribute Value Pair and location information. Information can easily be sniffed on untrusted, public IP transport networks between service providers. 5 In fact, Wireshark has a detailed Diameter template within their sniffer product to do just that. The security theme here is not only can subtle attacks be made on the 4G system (similar to the ones made on its predecessor SS7), but the distributed nature of the 4G network makes it uniquely vulnerable to “script kiddie” like Denial of Service attacks. Figure 1. IP Multimedia Subsystem 7 V. IP MULTIMEDIA SUBSYSTEM (IMS) VI. DIAMETER AS A LAYER Unfortunately, the cellular network which Diameter is Diameter sits above the transport layer when placed in the applied is moderately complex. This section of the paper gives OSI (Opens Systems Interconnection) layered architecture. It a very basic discussion of platforms and what they do in the uses the transport services provided by either TCP or SCTP IMS ecosystem. Figure 1 shows the basic functions of the IMS layers, which in turn use IP as their layer below as illustrated in system. This diagram shows that a user equipment device (a Figure 2. This is significant because the vast majority of tools mobile phone in this example) is calling another device (a and talent are focused at Layer 7 issues such as stack overflows landline telephone). The User Equipment (UE) sends its and other software design issues or network based issues such connection request (an invite) to the proxy call session control as Layer 4 port management and network flows. Being above function (P-CSCF). The P-CSCF needs to find the call server Layer 4 and below layer 7, Diameter is in a very difficult so it sends a request to the interrogatory call session control position on the OSI stack for IT managers to deal with as a server (I-CSCF). The I-CSCF contacts the home subscriber matter of culture. This is because the vast majority of people in server (HSS) which contains the service profile of user and the the IT industry are trained to look at issues at Layers 3 and location of the serving call session control function (S-CSCF). below (Networkers), 3, 4 and 7 (Programmers and most The S-CSCF will then manage the communication session with Security Personnel) and Layer 1 and 2 (Telecom and Fiber). 4 6 Acme Packet. (2012). Scaling Diameter in LTE and IMS, Retrieved from: VoIP Dictionary. IP Multimedia Subsystem - IMS http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_ScalingDia Retrieved from: meter_020112.pdf http://www.voipdictionary.com/VoIP_Dictionary_IMS_Definition.html 5 7 Acme Packet. (2012). Scaling Diameter in LTE and IMS, Retrieved from: VoIP Dictionary IP Multimedia Subsystem – IMS http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_ScalingDia Retrived from: meter_020112.pdf http://www.voipdictionary.com/VoIP_Dictionary_IMS_Definition.html
  • 3. The pool of people that understand session and presentation layer issues are somewhat small; the pool of people that understand the security interactions smaller still. A very interesting issue is appearing in the mobile network. The nervous system of this infrastructure seems to be moving to a portion of the IT ecosystem that IT managers are least prepared to cope with. Figure 3. LTE Architecture 9 The protocol used here is Diameter which allows these subsystems to communicate. This creates an interesting security situation as Layer 4 (transport) through than Layer 6 (presentation) now have significant policy and control implications that were previously reserved at Layer 3 and Layer 4. As mobile networks like LTE move into vogue, we Figure 2. Diameter as a Layer 8 shall see that the securing of this protocol and the platforms that aggregate it and transport it around the cellular system will be a significant effort. VII. LONG TERM EVOLUTION (LTE) LTE is an evolution of the IMS system that simplifies the VIII. EQUIPMENT REQUIRED 10,11 platforms required to provide 4G services. The first major The effort breaks down into two phases. Phase I creates a component is the eNodeB, a base station radio. The second Server running Virtualization Software with a target Open major component is mobility management entity (MME), Source Diameter Server installed on it. A system that meets which is the brains of the system. The third is the System the target box specifications appears in Table 1 (Phase I Bill of Architecture Evolution – Gateway (SAE-GW) which is a very Materials for Target Box). fast user plane router. The Policy and Control Routing Function and the Host Subscriber Service are critical to track billing and QoS considerations. Figure 3 - LTE Architecture illustrates this arrangement. 9 Event Helix (2010). Long Term Evolution (LTE) Overview, Retrieved from: http://www.eventhelix.com/lte/tutorial/lte_overview.pdf 10 Rapid7 (2011) “How to Create a Penetration Lab”, Retrieved from: http://www.metasploit.com 8 11 N. Kottapalli (2010), Radisys White Paper: Diameter and LTE Evolved The information at the Metasploit Website was invaluable to the creation of Packet System. http://go.radisys.com/rs/radisys/images/paper-lte-diameter- this equipment list. See the article “How to Create a Penetration Lab” at eps.pdf http://www.metasploit.com
  • 4. TABLE I. PHASE I BILL OF MATERIALS FOR TARGET BOX Target System Subsystem Specification Processor Intel Core 2 Quad @2.66 GHz Memory 8 GB Crucial DDR3 RAM Hard Drive 500 GB HD Network 2 Gigabit Ethernet NICS Cards Operating Ubuntu 10.04 LTS 64 bit System Virtualization VMware Workstation Software Target Open Diameter Software Software A system that meets the attack system specifications is listed in Table 2 (Phase I Bill of Materials for Attack Box). Figure 4. Phase I Diameter Lab X. EQUIPMENT SET UP OF TARGET DIAMETER SYSTEM – TABLE II. PHASE I BILL OF MATERIALS FOR ATTACK BOX PHASE II Attacking System Once the environment is set up, it is then necessary to add Virtualized and/or simulated elements of the LTE 4G system of Subsystem Specification systems. The critical ones are the Policy and Charging Rules Processor Multiple Core Function (PCRF), the Host Subscriber Service (HSS) and Memory 8 GB DDR3 RAM Mobility Management Entity (MME) Figure 5 shows the topology of the second phase of the lab setup. Hard Drive 500 GB HD Operating Ubuntu 9.10 64 bit System Network 1 Gigabit Ethernet NICS Cards Virtualization VMware Workstation (or Virtual Box) Software Attack Metasploit Framework (and/or Core Impact) Software Wireshark Backtrack 5 Pre-built virtual machines or installer ISOs IX. EQUIPMENT SET UP OF TARGET DIAMETER SYSTEM – PHASE I Figure 4 (Phase I Diameter Lab) shows the Phase I lab environment. This is the bare bones setup and will be used Figure 5. Phase II Diameter Lab mostly to get the Diameter System up and accessible through the VM in the attack box and to make sure that the correct tools to do initial Penetration Test runs are set up.
  • 5. XI. VULNERABILITY IDENTIFICATION passed over the SS7 based Public Switched Telephone A list of potential system vulnerabilities must be created Network, it makes sense to start building a capability now that from this effort. In an extremely useful paper, Securing SS7 can look into this issue of Diameter Security. Telecommunications Networks by Lorenz, et al. presents an excellent taxonomy for security vulnerabilities in the call control subsystem of the Public Switched Telephone Network (PSTN). That taxonomy appears in Figure 6 – SS7 Taxonomy 12. This paper proposes the creation of an analogous taxonomy from the SS7 work in the examination of Diameter vulnerabilities as a first deliverable of this system. Figure 6. Signalling System Seven SS7 Security Taxonomy XII. CONCLUSION REFERENCES Diameter is subsuming SS7 for call control. It is very likely to subsume RADIUS and TACACS+ for general purpose [1] G. Lorenz, T. Moore, G. Manes, J. Hale, S. Shenoi, Securing SS7 Authorization, Accounting, and Authentication (AAA) services Telecommunications Networks, Proceedings of the 2001 IEEE as well. A list of potential system vulnerabilities will be Workshop on Information Assurance and Security, United States created from this effort using a similar effort as the SS7 Military Academy, West Point, NY, 5 - 6 June 2001 Security Taxonomy shown in Securing SS7 [2] Acme Packet. (2012). Scaling Diameter in LTE and IMS. Retrieved Telecommunications Networks. Currently the security from: research on Diameter is extremely thin, mirroring the situation http://ws.lteconference.com/wpcontent/uploads/1120APKT_WP_Scalin gDiameter_020112.pdf in the 1980s and 1990s with SS7. With mobile computing [3] Interlink Networks. (2002). Introduction to Diameter. Retrieved from: becoming so ubiquitous and the richness and importance of http://www.interlinknetworks.com/whitepapers/Introduction_to_Diamet data at a much higher level than what was comparatively er.pdf [4] N. Kottapalli (2010), Radisys White Paper: Diameter and LTE Evolved 12 G. Lorenz, T. Moore, G. Manes, J. Hale, S. Shenoi, Securing SS7 Packet System http://go.radisys.com/rs/radisys/images/paper-lte- Telecommunications Networks, Proceedings of the 2001 IEEE Workshop on diameter-eps.pd Information Assurance and Security, United States Military Academy, West [5] R. Nicole, Event Helix (2010). Long Term Evolution (LTE) Overview Point, NY, 5 - 6 June 2001 Retrieved from: http://www.eventhelix.com/lte/tutorial/lte_overview.pdf
  • 6. [6] IRMC: 6201.2 SEC Course Notes, National Defense University, [7] Rapid7 (2011) “How to Create a Penetration Lab” Retrieved from: Information Resources Management College, Washington, DC, www.metasploit.com November 2005. [8] VoIP Dictionary IP Multimedia Subsystem – IMS Retrived from: http://www.voipdictionary.com/VoIP_Dictionary_IMS_Definition.html