The invention relates generally to SS7 networks and, more particularly, to a system and method for controlling and securing SS7 message traffic in an SS7 network.
The SS7 network is the backbone of the world's telecommunications networks. Service providers across the globe rely on the SS7 network to implement setup, routing, and control of a call, as well as to provide to residential, business, and government customers advanced services such as 800 and 900 calling, caller ID, local number portability, and calling card verification. Without the SS7 network, the world's telecommunications networks would cease to function properly.
The SS7 network comprises a number of different types of signaling nodes, including Service Switching Points ("SSPs"), Signaling Transfer Points ("STPs"), and Service Control Points ("SCPs"). SSPs originate, manage, and terminate calls. SCPs act as centralized databases that validate, authorize, and answer service requests from SSPs, such as how to route an 800 number call. STPs route SS7 messages between SSPs, SCPs, and other STPs. The SS7 network was designed to be a trusting network, and as such, the misuse of any signaling node could have alarming results such as denial of service to customers, redirected calls, violation of customer data, and fraud.
"Policy-based" security management refers to the enforcement of a governing set of rules at strategically located points ("chokepoints") for the purpose of enforcing security boundaries between two or more signaling nodes such that only those events meeting criteria defined by the policy may pass between the nodes while all other events are denied passage. Variations and improvements on this basic theme have resulted in devices known today as "firewalls." Much like a guard at a checkpoint, a firewall strictly enforces, on a message-by-message basis, access rules specified within an established control policy for what message traffic may pass. The policy may also dictate other actions to be performed with respect to message traffic, such as logging a security event in connection with a message or sequence of messages, sending an urgent alert message notifying appropriate personnel of a security event, or modifying a message.
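As an added illustration of the chokepoint enforcement described above (example code, not part of the patent text), the following Python policy engine evaluates decoded SS7 messages against an ordered rule set and applies the pass, deny, log, alert, and modify actions listed, with a default deny for unmatched traffic and a simple sequence rule that raises an alert after repeated denials from one originating point code. The message dictionaries, field names, rule names, and threshold are constructed assumptions, not values from the patent.

```python
from collections import Counter
from dataclasses import dataclass, field

# Messages are constructed dicts of already-decoded fields (routing label,
# service indicator, message type, parameters); this is a policy engine, not a parser.

@dataclass
class Rule:
    name: str
    match: dict              # field -> value, or set of acceptable values
    action: str              # "pass", "deny" or "modify"
    log: bool = False
    alert: bool = False
    modify: dict = field(default_factory=dict)  # field rewrites for "modify"

    def matches(self, msg):
        for key, want in self.match.items():
            allowed = want if isinstance(want, (set, frozenset)) else {want}
            if msg.get(key) not in allowed:
                return False
        return True

class Firewall:
    """First matching rule decides; anything the policy does not permit is denied."""
    def __init__(self, rules, denial_alert_threshold=3):
        self.rules, self.threshold = rules, denial_alert_threshold
        self.denials = Counter()         # per-originating-point-code denial counts
        self.log, self.alerts = [], []

    def process(self, msg):
        rule = next((r for r in self.rules if r.matches(msg)), None)
        if rule is None:                 # default deny for unmatched traffic
            verdict = "deny"
            self.log.append(("default-deny", msg["opc"], msg["dpc"], msg["op"]))
        else:
            verdict = rule.action
            if rule.log:
                self.log.append((rule.name, msg["opc"], msg["dpc"], msg["op"]))
            if rule.alert:
                self.alerts.append((rule.name, msg["opc"]))
            if rule.action == "modify":  # rewrite parameters, then let it through
                msg = {**msg, **rule.modify}
                verdict = "pass"
        if verdict == "deny":            # sequence-based policy: repeated denials
            self.denials[msg["opc"]] += 1
            if self.denials[msg["opc"]] == self.threshold:
                self.alerts.append(("repeated-denials", msg["opc"]))
        return verdict, msg
```

A rule such as `Rule("permit-peer-isup", {"opc": {100, 101}, "sio": "ISUP"}, "pass")` expresses the access-list case, while the denial counter shows a policy element that a fixed per-message table cannot express.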
As a result of telecommunication deregulation and industry growth, the SS7 network has expanded and is now vulnerable to attacks, intrusions, fraud, and misuse. Internet security professionals consider firewalls to be essential to protect an enterprise's local and wide area networks from external or internal misuse. A comprehensive SS7 firewall system would provide telecommunications service providers with a similar capability as well as much more, including the means to completely control every message entering and leaving the telecommunications service providers' SS7 signaling nodes. Without this capability, telecommunications service providers are exposed and vulnerable.
Current methods for controlling the ingress and egress of SS7 traffic to and from a telecommunications service provider's SS7 signaling nodes require the configuration of access control lists according to a fixed table format on a signaling element. As such, these methods are unable to reflect a service provider's complete control policy and are limited by the range of controls defined by the signaling system. Furthermore, these methods do not provide the service provider with a centrally managed system. In addition, current methods of controlling traffic at the level of an individual signaling element cover only an extremely limited subset of the SS7 protocol.
Therefore, what is needed is a comprehensive SS7 message control system for a telecommunications service provider in which firewall elements are transparent to the underlying signaling nodes being protected, in which security reports are retrievable from a central location, and which is scalable so as to accommodate emerging threats.