SS7 firewall system

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer


Details

C713S152000

Reexamination Certificate

active

06308276

ABSTRACT:

BACKGROUND
The invention relates generally to SS7 networks and, more particularly, to a system and method for controlling and securing SS7 message traffic in an SS7 network.
The SS7 network is the backbone of the world's telecommunications networks. Service providers across the globe rely on the SS7 network to implement setup, routing, and control of a call, as well as to provide to residential, business, and government customers advanced services such as 800 and 900 calling, caller ID, local number portability, and calling card verification. Without the SS7 network, the world's telecommunications networks would cease to function properly.
The SS7 network is comprised of a number of different types of signaling nodes, including Service Switching Points (“SSPs”), Signaling Transfer Points (“STPs”), and Service Control Points (“SCPs”). SSPs originate, manage, and terminate calls. SCPs act as centralized databases that validate, authorize, and answer service requests from SSPs, such as how to route an 800 number call. STPs route SS7 messages between SSPs, SCPs, and other STPs. The SS7 network was designed to be a trusting network, and as such, the misuse of any signaling node could have alarming results like denial of customer service, redirected calls, violation of customer data, and fraud.
“Policy-based” security management refers to the enforcement of a governing set of rules at strategically located points (“chokepoints”) for the purpose of enforcing security boundaries between two or more signaling nodes such that only those events meeting criteria defined by the policy may pass between the nodes while all other events are denied passage. Variations and improvements on this basic theme have resulted in devices known today as “firewalls.” Much like a guard at a checkpoint, a firewall strictly enforces, on a message-by-message basis, access rules specified within an established control policy for what message traffic may pass. The policy may also dictate other actions to be performed with respect to message traffic, such as logging a security event in connection with a message or sequence of messages, sending an urgent alert message notifying appropriate personnel of a security event, or modifying a message.
As a result of telecommunication deregulation and industry growth, the SS7 network has expanded and is now vulnerable to attacks, intrusions, fraud, and misuse. Internet security professionals consider firewalls to be essential to protect an enterprise's local and wide area networks from external or internal misuse. A comprehensive SS7 firewall system would provide telecommunications service providers with a similar capability as well as much more, including the means to completely control every message entering and leaving the telecommunications service providers' SS7 signaling nodes. Without this capability, telecommunications service providers are exposed and vulnerable.
Current methods for controlling the ingress and egress of SS7 traffic to and from a telecommunications service provider's SS7 signaling nodes require the configuration of access control lists according to a fixed table format on a signaling element. As such, these methods are unable to reflect a service provider's complete control policy and are limited by the range of controls defined by the signaling system. Furthermore, these methods do not provide the service provider with a centrally managed system. In addition, current methods of controlling traffic on a per-signaling-element basis cover only an extremely limited subset of the SS7 protocol.
Therefore, what is needed is a comprehensive SS7 message control system for a telecommunications service provider in which firewall elements are transparent to the underlying signaling nodes being protected, security reports are retrievable from a central location, and that is scalable so as to accommodate emerging threats.
SUMMARY OF THE INVENTION
The present invention, accordingly, provides a system and method for performing security access control functions for a telecommunication service provider's signaling nodes, including, but not limited to, SSPs, SCPs, and STPs. In a preferred embodiment, an SS7 firewall is provided between an STP of the global SS7 network and each of a service provider's signaling nodes, such as an SSP or SCP. In accordance with features of the present invention, the SS7 firewall controls all of the SS7 message traffic entering and leaving the service provider's signaling nodes.
In one aspect, the system of the present invention monitors every SS7 message entering and leaving an SS7 signaling node by providing with respect to the signaling node an SS7 message filter that inspects each message and compares it to an SS7 rule-set, or policy, to determine whether the node should accept, modify, respond to, or reject the message.
In another aspect, the system of the present invention maintains the state of each call, service, or transaction comprising a sequence of SS7 messages initiated or maintained by the signaling node in order to compare the state of the call, service, or transaction with an SS7 rule-set that is used to determine whether the node should continue, modify, respond to, or terminate the call, service, or transaction.
In another aspect, the system of the present invention provides, from a centralized location, an environment in which the SS7 message control policy for one or more signaling nodes is conveniently administered and configured by a system administrator without the need for significant software modification, and in which a system administrator can obtain up-to-date reports of the control state of one or more signaling nodes, as well as summary reports on the nature of the SS7 messages entering and leaving one or more signaling nodes.
These and other objectives and features of the invention encompass a comprehensive system for controlling and securing the SS7 signaling nodes of a telecommunications service provider. In the most basic configuration, passage of inbound and outbound SS7 message traffic is permitted or denied according to a rule-set that is managed by a security administrator. The system combines call progress monitoring, including message correlation and state management, transaction progress monitoring, including message correlation and state management, network management monitoring, and message verification.
The system and method of the invention performs centrally-managed, service provider-wide enforcement of an SS7 message control policy and real-time notification of potential policy breaches. The system utilizes specialized, high availability, “on-the-wire” devices to monitor, control, and insert messages into the SS7 packet-switched global SS7 network. The system controls access to the switches, databases, and advanced intelligent network (AIN) computer systems of a service provider, all of which function as SS7 signaling nodes. The system also “fails closed”, ensuring SS7 message traffic is uninhibited in the event of a system failure.
Specific attributes identified by the controlling system pertaining to all inbound and outbound signal messages determine whether a call, transaction, or control message, in accordance with a predefined control policy, is allowed, denied, negatively replied to, logged, and/or initiates an alerting action. Attributes captured by the system are protocol-dependent and include mandatory fixed, mandatory variable, or optional parameters for components of the SS7 protocol, including, but not limited to, ISDN user part (“ISUP”), transaction capability application part (“TCAP”), signaling connection control part (“SCCP”), and operations, maintenance, and administration part (“OMAP”). In addition, the system maintains state between messages associated with call setup/tear-down and transaction queries, enabling the enforcement of a message control policy based on signaling state. State attributes captured by the system include, for example, call message verification, call type association, query request/r
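As an added illustration (not the patent's own code), the following Python model shows the two checks the summary describes: a stateless rule-set matched against decoded message attributes, and a per-circuit state machine for ISUP call messages. The rules, the sample traffic and the simplified ISUP progression (IAM, ACM, ANM, REL, RLC) are constructed assumptions, not taken from the patent.

```python
from dataclasses import dataclass, field

# Decisions the policy can take for a message (modify/respond omitted for brevity).
ACCEPT, REJECT, LOG = "accept", "reject", "log"   # LOG = accept and record a security event

# Hypothetical, simplified ISUP call progression per circuit (CIC):
# previous message type seen on the circuit -> message types allowed next.
ISUP_NEXT = {None: {"IAM"}, "IAM": {"ACM", "REL"}, "ACM": {"ANM", "REL"},
             "ANM": {"REL"}, "REL": {"RLC"}}

@dataclass
class Rule:
    name: str
    match: dict      # decoded parameter name -> required value; all must match
    action: str
    def matches(self, msg):
        return all(msg.get(k) == v for k, v in self.match.items())

@dataclass
class SS7Firewall:
    rules: list
    default: str = REJECT                          # deny unless a rule allows
    calls: dict = field(default_factory=dict)      # (opc, dpc, cic) -> last ISUP type

    def filter(self, msg):
        """Return (decision, reason) for one decoded message (a dict)."""
        # 1. stateless check: first matching rule wins, otherwise the default
        decision = next((r.action for r in self.rules if r.matches(msg)), self.default)
        if decision == REJECT:
            return REJECT, "policy"
        # 2. stateful check: an ISUP message must fit the circuit's current state
        if msg.get("part") == "ISUP":
            key = (msg["opc"], msg["dpc"], msg["cic"])
            prev = self.calls.get(key)
            if msg["type"] not in ISUP_NEXT.get(prev, set()):
                return REJECT, f"{msg['type']} unexpected after {prev}"
            if msg["type"] == "RLC":
                self.calls.pop(key, None)           # circuit released, drop its state
            else:
                self.calls[key] = msg["type"]
        return decision, "ok"

def demo():
    # Constructed sample policy and traffic: only point code 100 (a peer STP) is trusted.
    fw = SS7Firewall([Rule("isup-from-peer-stp", {"part": "ISUP", "opc": 100}, ACCEPT),
                      Rule("tcap-from-peer-stp", {"part": "TCAP", "opc": 100}, LOG)])
    base = {"part": "ISUP", "opc": 100, "dpc": 200, "cic": 7}
    seq = [dict(base, type=t) for t in ("IAM", "ANM", "ACM", "ANM", "REL", "RLC")]
    seq.append({"part": "ISUP", "opc": 300, "dpc": 200, "cic": 1, "type": "IAM"})
    seq.append({"part": "TCAP", "opc": 100, "dpc": 200, "op": "query"})
    return [fw.filter(m) for m in seq]
```

The second ANM in the sample is rejected because it arrives before any ACM on that circuit, while the IAM from the untrusted point code fails the stateless policy before state is consulted.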
