Definition
Access mediation is the process of examining and controlling signaling traffic between networks, resources and users by filtering Signaling System 7 (SS7) traffic. This process enables carriers to inspect the syntax and content of every signaling message entering or exiting the network. Each message is checked against the carrier's operations policy to determine whether to permit, deny and/or modify the message traffic. Access mediation devices are typically used to mitigate the risks associated with widespread interconnection and network convergence by providing revenue assurance, fraud prevention, and advanced signaling security.
Overview
The telecommunications market has changed dramatically since the SS7 network's inception. Deregulation and convergence have moved the industry beyond a relatively small group of carriers and equipment manufacturers. Now there are thousands of SS7 nodes connecting a wide variety of carriers across the globe. This pervasive interconnection has also introduced newer and more powerful technologies that don't always meet the existing telephone provider's reliability and certification standards. Growing demand for nontraditional services running on the SS7 network continues to make access that's not regulated even more commonplace. These changing market dynamics have left the door open to an inadvertent or malicious disruption, phantom/misrouted call abuse, and fraud-catalyzing the need for an access mediation device to mitigate these risks.
Historical Perspective
Service providers worldwide rely on the SS7 network. It is the backbone of the modern telecommunications network, enabling service providers to interconnect and offer the advanced voice services customer's demand. The SS7 network provides wireline and wireless call control as well as intelligent network (IN) services such as 8XX and 900 number calling, calling name (CNAM) and calling card verification. SS7 also supports government-mandated services like local and mobile number portability (LNP and MNP).
Since the SS7 network was designed for a closed community, the standards bodies developing it were primarily concerned with high availability and redundancy. This ensured the network's ability to protect itself against system failures.
The Telecom Act of 1996 and the advent of voice and data convergence brought unforeseen threats to the signaling environment. The 1996 Act mandated that the small community of incumbent carriers provide nondiscriminatory access to their SS7 networks on an unbundled basis. Unbundling introduced a host of new providers into the SS7 environment. Similar deregulation is occurring worldwide.
At about the same time, demand for Internet Protocol (IP) telephony services interoperating with the SS7 network began to grow. The proliferation of IP to SS7 gateways that have made this possible, coupled with the added complexity and linked nature of SS7, has brought unprecedented instability to this once closed environment.
To address growing security and reliability concerns, Telcordia developed gateway screening standards (GR-82-CORE). These standards set forth limited provisions for examining and controlling inappropriate and potentially harmful traffic. The Telcordia standards may have been adequate at the time. However, as the market evolves, the carrier's ability to control its network interconnections continues to diminish. A more comprehensive approach must be taken to protect the SS7 network and control intercarrier signaling activity.
Service providers worldwide rely on the SS7 network. It is the backbone of the modern telecommunications network, enabling service providers to interconnect and offer the advanced voice services customer's demand. The SS7 network provides wireline and wireless call control as well as intelligent network (IN) services such as 8XX and 900 number calling, calling name (CNAM) and calling card verification. SS7 also supports government-mandated services like local and mobile number portability (LNP and MNP).
Since the SS7 network was designed for a closed community, the standards bodies developing it were primarily concerned with high availability and redundancy. This ensured the network's ability to protect itself against system failures.
The Telecom Act of 1996 and the advent of voice and data convergence brought unforeseen threats to the signaling environment. The 1996 Act mandated that the small community of incumbent carriers provide nondiscriminatory access to their SS7 networks on an unbundled basis. Unbundling introduced a host of new providers into the SS7 environment. Similar deregulation is occurring worldwide.
At about the same time, demand for Internet Protocol (IP) telephony services interoperating with the SS7 network began to grow. The proliferation of IP to SS7 gateways that have made this possible, coupled with the added complexity and linked nature of SS7, has brought unprecedented instability to this once closed environment.
To address growing security and reliability concerns, Telcordia developed gateway screening standards (GR-82-CORE). These standards set forth limited provisions for examining and controlling inappropriate and potentially harmful traffic. The Telcordia standards may have been adequate at the time. However, as the market evolves, the carrier's ability to control its network interconnections continues to diminish. A more comprehensive approach must be taken to protect the SS7 network and control intercarrier signaling activity.
The Role of Access Mediation
Carriers across the globe are now interconnected through SS7. These interconnections are open to abuse because gateway screening is not capable of determining whether message syntax and content are both correct and appropriate. Carriers have no method to control misrouted or phantom calls. These types of calls have incomplete or incorrect message information and leave the receiving carrier with no means of collecting any revenue for the call. Access mediation is designed to give carriers the means to control these kinds of calls.
Unlike legacy providers, many new carriers are accessing the network with equipment based on off-the-shelf computing platforms. The inherent flexibility of this equipment makes it much more powerful and capable of generating signaling traffic at very high volumes, and often in non-standard forms. Inexperienced carriers using either new equipment or existing legacy technology could send inappropriate signaling traffic. While it's unlikely that inappropriate traffic sent to a single network node would cause a widespread outage, the last mile impact could be devastating to critical services like E-911.
Perhaps more troubling than a potential inadvertent malfunction is the open door that deregulation and convergence has left this once closed, secure environment. The National Research Council (NRC) pointed out in its book titled "Trust in Cyberspace" that essentially anyone can interconnect to the SS7 network for the modest fee of $10,000. Unregulated access heightens the chance an attack orchestrated by a terrorist organization or a hacker could cause a widespread disruption capable of putting national security at risk and crippling the economy.
Carriers across the globe are now interconnected through SS7. These interconnections are open to abuse because gateway screening is not capable of determining whether message syntax and content are both correct and appropriate. Carriers have no method to control misrouted or phantom calls. These types of calls have incomplete or incorrect message information and leave the receiving carrier with no means of collecting any revenue for the call. Access mediation is designed to give carriers the means to control these kinds of calls.
Unlike legacy providers, many new carriers are accessing the network with equipment based on off-the-shelf computing platforms. The inherent flexibility of this equipment makes it much more powerful and capable of generating signaling traffic at very high volumes, and often in non-standard forms. Inexperienced carriers using either new equipment or existing legacy technology could send inappropriate signaling traffic. While it's unlikely that inappropriate traffic sent to a single network node would cause a widespread outage, the last mile impact could be devastating to critical services like E-911.
Perhaps more troubling than a potential inadvertent malfunction is the open door that deregulation and convergence has left this once closed, secure environment. The National Research Council (NRC) pointed out in its book titled "Trust in Cyberspace" that essentially anyone can interconnect to the SS7 network for the modest fee of $10,000. Unregulated access heightens the chance an attack orchestrated by a terrorist organization or a hacker could cause a widespread disruption capable of putting national security at risk and crippling the economy.
Figure 1. Widespread SS7 Interconnection The carrier's need to regain control of the SS7 network, in order to ensure its integrity and reliability underscores the need for access mediation technology. Access mediation can mitigate interconnection risks brought on by inexperienced carriers and unproven technologies, interconnection abuse, and malicious attacks.
System Requirements
A comprehensive access mediation system provides a protective barrier against unwanted and inappropriate signaling traffic. The following system requirements are fundamental to ensuring the continued reliability, service quality and security of the SS7 network.
A comprehensive access mediation system provides a protective barrier against unwanted and inappropriate signaling traffic. The following system requirements are fundamental to ensuring the continued reliability, service quality and security of the SS7 network.
Granular Inspection
Access mediation devices shouldn't be limited to analyzing traffic based on the message header. These devices should be capable of both syntax and content inspection. Syntax inspection ensures each message is properly formatted based on standards and requirements used in the network. Messages that are not coded correctly should not be permitted into the network. Content inspection operates at multiple layers of the protocol stack to validate messages, parameters and their values for compliance with the carrier's policies and agreements. Coupling these two types of analysis gives carriers a strong barrier against traffic that threatens network revenue, security, and integrity.
Figure 2: Syntax and Content Inspection of Each MessageAnalyze every message
Access mediation devices must be able to perform a detailed analysis of every message entering and exiting the network. The device should be capable of checking these messages against the service provider's operations policies and interconnect agreements. Using the results of its examination, the access mediation device should have the intelligence to pass, block, modify and/or alert on each message. In addition, the alerting function should have a logging capability that enables messages to be collected for further analysis.
Policy-based enforcement
Access mediation devices should govern how the network can be used through policy-based enforcement. This type of enforcement should be interconnection specific. And each rule should determine how in-depth each message is examined. The level of detail must be configurable since each interconnection may require different levels of analysis depending on the types of traffic it carries.
Network Transparency
To minimize the impact of a new network infrastructure deployment, installation time and effort should be minimal. Therefore, deploying an access mediation device should not require a point code. Access mediation devices should be transparent, in-line devices. This eliminates the need for network re-engineering, enabling rapid deployment.
Access mediation devices should also interoperate with network equipment regardless of the manufacturer or the signaling mode (channel associated or quasi-associated). Vendor-independence allows the same rules to be applied network-wide and custom rules to be applied at specific locations. Signaling mode independence avoids the need for grooming equipment as the non-signaling channels of a T-1/E-1 can be passed through the mediation device.
Technological Benefits
Any service provider that relies on the PSTN and its SS7 interconnections can realize substantial benefits from an access mediation device that meets the aforementioned requirements. It can benefit ILECs, CLECs, wireless carriers, voice over IP (VoIP) providers, competitive access providers, call center operations, large enterprises, SS7 hub providers, government agencies, and Internet service providers.
Revenue Assurance
Access mediation devices allow carriers to achieve true revenue assurance and enforce interconnect agreements by taking complete control of all aspects of intercarrier signaling activity. Carriers can reject, in real-time, calls that are misrouted and phantom calls with incomplete or incorrect message information. Access mediation ensures full compliance with interconnect agreements and only valid, revenue-producing calls are accepted.
Fraud Prevention
Billions are lost annually to fraud. Access mediation devices allow carriers to be proactive in the fight against fraud. Real-time call teardown capabilities stop fraud in progress while customized fraud prevention policies can be rapidly created to guard against fraudulent activity before it occurs.
Advanced Signaling
SecurityWith syntax and content inspection of messages, access mediation devices act as intelligent signaling firewalls that provide carriers with advanced signaling security far beyond that of gateway screening. Syntax inspection ensures each message is properly formatted while content inspection validates messages, parameters, and parameter values. Whether harmful messages have been sent inadvertently or with malicious intent, access mediation protects the network against inappropriate and/or dangerous signaling traffic.
Value-added Applications
Access mediation can also be leveraged to enable a wide range of value-added applications. Access mediation devices can manipulate, monitor and control SS7 traffic. This functionality serves as a powerful troubleshooting device for network operators. Message modification capabilities can help carriers avoid costly equipment upgrades by quickly and efficiently resolving compatibility and interoperability problems. Access mediation technology can also perform intelligent routing, a function that can be used to reroute certain types of high-volume SMS traffic off of an overloaded network. And the intelligence gathered by examining every SS7 message traversing the network can be used to help make planning decisions.
Application Scenarios
The following examples illustrate how access mediation can be used:
- Deny phantom calls: An access mediation system can be used to deny a call with missing information in the messaging that would prevent a carrier from collecting the revenue for that call.
- Deny badly formatted messages: For example, a carrier using new equipment might be generating messages with incorrect length. Access mediation can be used to block these messages, preventing them from having a detrimental effect on the network.
- Stop fraud in progress: Access mediation devices can be used to tear down fraudulent calls in progress and block calls to and from blacklisted phone numbers, stolen calling cards, abandoned international mobile subscriber identities, and stolen subscriber identity modules.
- Restrict AIN traffic: ILECs can use access mediation devices to restrict Advanced Intelligent Network (AIN) messages allowed onto their networks. For example, ILECs can establish a policy that restricts AIN traffic originating from a CLEC's interconnected SCP that is used for offering enhanced services to the CLEC's customers who are part of the ILEC switch.
- Control ISUP traffic: For example, if ISUP traffic is being sent at random from a VoIP interconnection using trunk circuit values that do not exist. The recipient carrier can block that traffic, allowing only traffic expressly permitted by the interconnect agreement.
- Block SMS spam: Wireless carriers can install access mediation devices at their network's entry points to block short message service (SMS) spam bogging down the network and causing customer dissatisfaction.
- Secure gateway functionality: Carriers can integrate access mediation capabilities into existing signal transfer point (STP) nodes to enhance their functionality.
- SS7 proxy: Network operators can use access mediation devices to mask network and protocol differences. This helps carriers avoid costly upgrades by quickly and efficiently resolving compatibility and interoperability problems.
- SMS filtering and routing: Wireless carriers can implement access mediation devices to perform filtering and routing for different types of SMS traffic, enabling new back-end applications and premium services.
- CNAM and 8XX application: Carriers can use an access mediation system to enable a CNAM and/or 8XX application to avoid dip charges for operator-owned CNAM and 8XX calls.
- Point code proxy: Carriers can use an access mediation device to allow multiple nodes with separate point codes to appear as one. The point code proxy enables the introduction of softswitches into the network and can even extend the number of point codes supported by a single signaling point.
- Monitor network performance: Carriers can use access mediation devices to gather network performance statistics. Track link utilization, message counts and link status in real-time to optimize network planning and maintenance.
Conclusion
The signaling network is the carrier's most critical asset. Deregulation and convergence has been a double-edged sword for carriers. While these market changes have brought many exciting new opportunities, they have also opened the network up to serious threats. New carriers, technology and equipment are vastly connected worldwide to the PSTN via the signaling network. This increasingly complex interconnection brings greater risk of a network outage due to inadvertent or malicious malfunctions as well as lost revenue due to interconnection abuse. Consequently, carriers need access mediation technology to examine and control the signaling traffic entering and exiting the network. Access mediation protects the network against inappropriate signaling traffic to ensure network integrity and security in the evolving signaling environment.
No comments:
Post a Comment