06-09-2012, 02:45 PM
The Advanced Intelligent Network—A Security Opportunity
Abstract
The public switched telephone network (PSTN) is evolving from a closed network made up of
specialized equipment into an open network employing many of the same components and protocols that
are used in the Internet. The security vulnerabilities of the Internet are well known. The possible
introduction of these vulnerabilities into the PSTN provides opportunities—for hackers to exploit the
vulnerabilities and for security professionals to eliminate them.
The current PSTN is evolving into what is known as the Advanced Intelligent Network (AIN). In the old
PSTN, the control functions for telephone services (service logic) are implemented in software that runs
in telephone switches. In the AIN, service logic is implemented by Service Logic Programs (SLPs) that
run in Service Control Points (SCPs). SCPs are, in most cases, ordinary commercially available
microprocessor-based workstations or servers, running the same insecure operating systems that are used
on most Internet hosts. SCPs communicate with switches through the SS7 network. In addition, SCPs will
have connections (sometimes via other machines) to the telephone companies' corporate data networks to
support such functions as customer service and billing. There are also plans to offer customers an Internet
interface for changing their service parameters—such as the number to which their calls should be
forwarded.
Introduction
The public switched telephone network (PSTN) is currently undergoing some radical changes. In
the past, it was a closed network made up of specialized equipment that very few people
understood. Connection of customer equipment to the voice network was strictly regulated, and
the control system was completely closed. Over the years, many restrictions on the connection of
customer equipment to the voice network have been eliminated. Currently the same thing is
happening to the control network—the SS7 network. It is evolving into an open network
employing many of the same components and protocols that are used in the Internet. Connection
of third-party equipment to the SS7 network is being mandated, both by federal regulations and
by the marketplace. It appears that there will eventually be connections between the SS7
network and the Internet. The possible introduction of the well-known Internet security
vulnerabilities into the PSTN provides opportunities—both for hackers to exploit the
vulnerabilities and for security professionals to eliminate them.
AIN Concepts and Terminology
This section is a very much oversimplified discussion of the AIN. It includes a high-level
summary of the AIN architecture, the functions of the major components, and definitions of
some of the acronyms. It is provided here in hopes of helping the reader unfamiliar with the AIN
to make some sense of the terminology and the multitude of acronyms. The indulgence of
readers familiar with the AIN is requested. More complete information about the AIN can be
found in [Robrock91] and the extensive list of references in it.
Figure 1, on the next page, shows the major AIN components and their relationships to one
another. A small subset of the total network is shown, containing at least one example of each
AIN component and of the network connections between them.
Evolution of the AIN
In earlier switching systems, call setup signals were sent over the trunk lines between switches
using tones similar to those emitted by touch tone phones. In Figure 1, these switches are labeled
SSP (Service Switching Point).
Hackers discovered that they could build devices which they called blue boxes. These blue boxes
could imitate the call setup signals and set up calls while bypassing the accounting for the calls.
Thus, they were able to steal long-distance phone service.
Common Channel Signaling (CCS) eliminated this security flaw. Call setup signals are now sent
between switches using a packet-switched network. The packet switches are called Signal
Transfer Points (STP). The latest version of the CCS system is SS7 (Signaling System 7). At a
very high level, there is some resemblance between the SS7 network and a TCP/IP network such
as the Internet. However, at a more detailed level, they are quite different.
AIN Components
The Service Switching Point (SSP) is a telephone switch. SSPs are present in the existing, pre-
AIN PSTN. In order to participate in the AIN, a switch must be upgraded to run a version of
software that conforms to the AIN call model and has triggers at specified points in the call setup
sequence. If a trigger is enabled, the SSP will, at that point in call setup, send a request to the
SCP asking for instructions about how to proceed with the call setup. Triggers can be enabled or
disabled selectively, for individual lines, groups of lines, or the entire switch.
The Signal Transfer Point (STP) is an SS7 packet switch. These, too, are part of the existing
network. There are few, if any, high-level architectural changes required to the STP to support
AIN services, although some detailed changes are probably required. It is likely that significant
changes would be required to support enhanced security.
The Service Control Point (SCP) is the brain of the AIN. It runs Service Logic Programs (SLPs),
which control call processing and provide all the new AIN services. The switch (SSP) will
consult the SCP at various points in the call setup sequence. The SCP will run its Service Logic
Programs, consult its (customer-specific) databases, and return instructions to the switch. There
is a requirement that the instructions be returned very quickly since the switch is in the middle of
a call setup and the customer is waiting for the ringing tone to start. An SCP can provide service
to multiple switches. The switch and SCP communicate over the SS7 network.
Threats to the Network
Threats are actions that an intruder might take to attack the network by exploiting its
vulnerabilities. The threats to the PSTN are too numerous to mention individually. This section
only outlines threats and attack methods. It is best read slowly, using one's imagination.
Threats can be placed in four categories: theft of information, unauthorized alteration of
information, denial of service, and theft of service. These threats can be carried out using a
variety of attack methods.
The network could be attacked by three methods: physical access to network nodes or links,
network access to network nodes, or the introduction of malicious software during the software
development or software distribution processes. In addition, individual applications could be
attacked at the end user interface by attempting to exploit weaknesses in their user authentication
and usage authorization features, or by probing for flaws in their handling of incorrect input.
Conclusions
The problem described above is a large, multi-faceted information system security problem. It
involves both computer security and network security. The problems exist in all layers, from the
lowest layers of network infrastructure, up through the execution environment of application
software, up to the design of the end-user interfaces.
Many of these problems could be solved by the proper application of existing computer security
and network security technology. Encryption, for message privacy, message authentication, and
message integrity, could provide defenses against many of the network-based attacks.
State-of-the-art user authentication methods, such as smart cards for customers and telco employees, and
biometric devices (e.g., fingerprint readers) controlling physical access to buildings and rooms
housing switching equipment, would provide good defenses against attacks based on physical
access or user interface exploitation. High-assurance operating systems (those having Orange
Book ratings of B2 and above) would be free of many of the exploitable vulnerabilities in the
non-rated systems currently being used for AIN components. High-assurance operating systems
are expensive, but quantity discounts might be available if they were to be purchased in the
numbers needed for the entire PSTN.
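
The SSP-to-SCP trigger query described under AIN Components, with the message authentication and integrity check proposed in the Conclusions applied to the SCP's reply, as an added example that is not from the original paper. The message fields, shared key, line numbers and function names are all constructed for illustration; real AIN queries are TCAP messages carried over SS7, which this sketch does not model.

```python
import hashlib
import hmac
import json
import os

# Constructed for illustration: a key shared by one SSP/SCP pair.
SHARED_KEY = os.urandom(32)

# Constructed SCP customer database: called line -> call-forwarding number.
FORWARDING_DB = {"5550100": "5550199"}

def _tag(key, message):
    """HMAC-SHA256 over a canonical JSON encoding of the message fields."""
    data = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def ssp_query(called_line):
    """SSP side: a trigger fired during call setup, so ask the SCP what to do."""
    return {"txn": os.urandom(8).hex(), "called": called_line}

def scp_respond(key, query):
    """SCP side: run the (toy) service logic and authenticate the instruction."""
    route_to = FORWARDING_DB.get(query["called"], query["called"])
    body = {"txn": query["txn"], "called": query["called"], "route_to": route_to}
    return {"body": body, "mac": _tag(key, body)}

def ssp_accept(key, query, response):
    """SSP side: return the routing number, or None if the response is rejected."""
    body = response.get("body", {})
    mac = str(response.get("mac", ""))
    if not hmac.compare_digest(_tag(key, body).encode(), mac.encode()):
        return None  # altered in transit, or not produced by the SCP
    if body.get("txn") != query["txn"] or body.get("called") != query["called"]:
        return None  # authentic, but it answers a different query (replay)
    return body.get("route_to")

def demo():
    q = ssp_query("5550100")
    good = scp_respond(SHARED_KEY, q)
    # Same tag, different forwarding number: unauthorized alteration in transit.
    tampered = {"body": dict(good["body"], route_to="5550123"), "mac": good["mac"]}
    # A genuine SCP reply, but to an earlier transaction.
    replayed = scp_respond(SHARED_KEY, ssp_query("5550100"))
    return (ssp_accept(SHARED_KEY, q, good),
            ssp_accept(SHARED_KEY, q, tampered),
            ssp_accept(SHARED_KEY, q, replayed))

if __name__ == "__main__":
    print(demo())  # ('5550199', None, None)
```

Binding the tag to the transaction identifier is what makes the replayed reply fail even though its tag is valid; a tag over the routing number alone would not catch it.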