Signaling System 7 (SS7) is one of the largest packet networks in the
world, linking telecommunication networks of all types into one large global
communication network. It is the glue between networks that enables call
setup and teardown as well as advanced services. An overlay to the voice
network, SS7 is an out-of-band digital network. It does not handle any
bearer traffic; its sole focus is to carry messages that connect and
disconnect calls between subscribers and to access databases to deliver
advanced services such as caller-ID, call forwarding, toll free, and local
The SS7 architecture is comprised of three signaling points: Service
switching points (SSPs); signal transfer points (STPs); and service control
points (SCPs). As the entry and exit points for the SS7 network, SSPs
originate, terminate, and ï¿½tandemï¿½ telephone calls. STPs function as
routers, relaying messages from SSP to SSP and to SCPs, the interface to the
telephone company databases.
A CLOSED NETWORK
The SS7 network design was based on the assumption that there would be a
limited number of carriers interconnecting to the local exchange carriers (LECs).
As a closed network, data is only exchanged between switches and databases
with very little human intervention. With a limited number of carriers and
limited points of interconnection, the LECs could assume with fair certainty
that all of the elements passing data were trusted sources.
The security measures employed in todayï¿½s SS7 network reflect that
assumption. Unlike IP protocols, security features like authentication and
encryption were not built into the SS7 protocol. Rather, the focus has been
placed on creating secure physical environments for the network equipment
rather than secure protocols. The central offices (COs) in which the network
elements are housed are well protected. Management access to the equipment
is safeguarded by telco methods and procedures developed over many years.
While physical security has been a primary focus, there are also security
measures employed at the network level. STPs, the routers of the SS7
network, perform gateway screening to prohibit inbound and outbound messages
from unauthorized nodes. The addresses of individual nodes within a network
are isolated. Global title translation (GTT) enables a network to receive
messages from other networks without disclosing the unique addresses, called
point codes, of its own nodes.
THE LANDSCAPE CHANGES
The advent of deregulation and the convergence of voice and data networks
have changed the network landscape. Not only are there many more players in
the game than originally envisioned, but the players are using the network
for a much broader range of applications than originally planned. SS7 is no
longer a closed network. It interfaces to wide variety of customers and to
an array of other networks.
The increasing number and complexity of interfaces between SS7 and other
networks increases its vulnerability to attack. Every point of
interconnection is a potential point of access. The developing
interdependence between SS7 and IP networks is increasing that
vulnerability. It is a misconception to think that a network is secure if it
is not IP-based. If there is an IP network anywhere in the chain of
interconnection, all the connected networks are vulnerable to some extent.
There is no encryption or authentication in the signaling network to ensure
the validity of sending nodes outside the network boundary. A rogue server
in the IP network sending damaging management messages could seriously
impair the signaling network and take down service.
Anyone capable of generating SS7 messages and introducing them to the
network can cripple PSTN service. For example, a hacker with access to ISDN
could spoof the source address and introduce harmful packets into the
network by modifying and fabricating ISDN user part (ISUP) messages. SS7
network elements are also susceptible to packet sniffing.
Each element in the SS7 network is engineered to handle a certain amount
of traffic. A hacker can flood a node by generating more traffic than it can
handle and take it down. When this occurs, call processing in that section
of the network can come to a halt.
PROTECTING THE SIGNALING NETWORK
Signaling is critical to all network operations, and it is essential to
secure and protect the network. There are a number of steps that can be
taken to maintain its integrity.
One of the best ways to create a safer signaling network is to create a
smarter SS7 network. STPs provide a unique vantage point from which to view
the network and gather valuable information. All of the traffic to and from
SSPs and SCPs passes through them. An SS7 firewall application on an STP
enables carriers to define screening parameters to identify messages that
are out of context or exhibit irregularities. Next-generation STPs take
security intelligence to a new level. They can actually analyze message
behavior, identify anomalies, and invoke procedures to recommend a course of
The SS7 and VoIP interconnection architecture should be designed to
minimize the risk. Creating an architecture that uses centralized SS7 to IP
gateways increases security by minimizing the number of points of
interconnection to the SS7 network. Rather than front-end each media gateway
with SS7 over IP signaling, a single scalable, high-capacity signaling
gateway can be deployed to control a farm of media gateways. By creating a
single point of connection, it is also easier to firewall the SS7 network
because the security wall can be installed at fewer points.
Running SS7 signals and other types of traffic such as corporate data on
a single network can introduce potential risks. Since the network is most
vulnerable at the edge, physically separating the signaling and bearer
traffic on different networks significantly increases security. Within the
core of the network, which is more secure, the network can be shared for
multiple traffic types.
Secure management interfaces are also an essential network protection
measure. Loopholes in current IP management protocols such as simple network
management protocol (SNMP) can give hackers and attackers access to the
signaling network. Secure management protocols must be augmented with strict
methods and procedures such as password aging, non-reusable passwords,
activity log, and audit trails to enhance the security.
Securing the global voice network will become increasingly important as new
cutting-edge technology is introduced. It is critical to address network
security to prevent a slowdown in the rate of adoption of new technology.
The job of securing the network is never complete and is a continuous
learning process. The industry as a whole must maintain a constant alert and
continue to evolve security solutions to make the telecommunication
Ravi Ravishankar is director, Advanced Technology Planning, at Tekelec.
His focus is on defining signaling solutions and products for the
next-generation packet telephony and 3G wireless networks. Tekelec is a
leading developer of telecommunications signaling infrastructure,
softswitches, testing and diagnostic solutions, and service applications.
Please visit their Web site at www.tekelec.com.
To The August 2002 Table Of Contents ]