White Paper

GPRS Security Threats and Solution Recommendations

Alan Bavosa Product Manager

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2000 or 888 JUNIPER www.juniper.net Part Number: 200074-002 June 2004

Copyright © 2004, Juniper Networks, Inc.

Contents

Preface
Introduction
GPRS Core Network Architecture Overview
Classification of Security Services
Data Services on the Gp and Gi Interfaces
Security Threats on the Gp Interface
    Availability
    Authentication and Authorization
    Integrity and Confidentiality
Security Solutions for the Gp Interface
    Gp Network Solution Diagram
Security Threats on the Gi Interface
    Availability
    Confidentiality
    Integrity
    Authentication and Authorization
Security Solutions on the Gi Interface
    Gi Network Security Solution Diagram
Security Threats on the Gn Interface
Security Solutions on the Gn Interface
Deploying GPRS Security Solutions on Juniper Security Systems
Conclusion
Acknowledgements and Resources

Preface

This paper is intended to assist General Packet Radio Service (GPRS) operators and network designers in the evaluation of potential security threats and solutions. Although a brief review of GPRS architecture is provided, it is assumed that the reader understands the basic GPRS architecture and Internet Protocol data networking. This paper does not attempt to present an exhaustive list of all GPRS security issues.

Introduction

General Packet Radio Service (GPRS) is a data network architecture that is designed to integrate with existing GSM networks and offer mobile subscribers “always on” packet-switched data services access to corporate networks and the Internet. GPRS provides mobile operators with an opportunity to offer higher-margin data access services to subscribers. In return, subscribers benefit from GPRS by being able to use higher bandwidth mobile connections to the Internet and corporate networks. GPRS Tunneling Protocol (GTP) is the protocol used by GSM or UMTS operators to convert radio signals from subscribers into data packets, and then to transport them in non-encrypted tunnels. GTP does not provide any inherent security.

With the addition of GPRS to GSM, mobile operators are adding mobile Internet and virtual private network services to their existing mobile voice services. GPRS networks are connected to several external data networks including those of roaming partners, corporate customers, GPRS Roaming Exchange (GRX) providers, and the public Internet. Because they connect their GPRS network to a variety of external networks, mobile operators must take the appropriate steps to protect their own network from attacks originating from these external networks while continuing to provide access to and from them. Juniper Networks’ purpose-built firewall/IPSec VPNs address many of the security problems operators face when developing GPRS-based service offerings. The most recent version of GTP is GTP 99. A prior version was called GTP 97. Juniper’s integrated firewall/VPN product line supports both versions of GTP.

GPRS Core Network Architecture Overview

In Figure 1, the Mobile Station (MS) logically attaches to a Serving GPRS Support Node (SGSN). The main function of the SGSN is to provide data support services to the MS. The SGSN is logically connected to a Gateway GPRS Support Node (GGSN) via the GPRS Tunneling Protocol (GTP). The GTP connection within a given operator’s Public Land Mobile Network (PLMN) is called the Gn interface. The connection between two different PLMNs (mainly used to implement roaming agreements between providers) is the Gp interface. The GGSN provides the data gateway to external networks such as the public Internet or corporate network via the Gi interface. GTP is used to encapsulate data from the MS and also includes mechanisms for establishing, moving, and deleting tunnels between SGSN and GGSN in roaming scenarios. Finally, the interface used to connect a provider’s network to its internal Accounting and Billing systems is called the Ga interface. This is also referred to as GTP’ or GTP prime.

The Gp and the Gi interfaces are the primary points of interconnection between the Operator’s network and untrusted external networks. Operators must take appropriate measures to protect their network from attacks originated on these external networks.

Figure 1

Operators must secure connections between trusted and untrusted networks:

• Gi – interface between the GPRS network and an external network, such as the Internet

• Gp – interface between two mobile operators’ networks, primarily for roaming

• Ga – interface to Billing and Accounting systems

• Gn – interface within the mobile provider’s internal network

Classification of Security Services

Security services are protections and assurances that provide mitigation against various threats. They are generally known as:

Integrity: Integrity is a security service that assures that data cannot be altered in an unauthorized or malicious manner.

Confidentiality: Confidentiality is the protection of data from disclosure to unauthorized third parties.

Authentication: Authentication provides assurance that a party in data communication is who or what they claim to be.

Authorization: Authorization is a security service that ensures that a party may only perform the actions that they’re allowed to perform.

Availability: Availability means that data services are usable by the appropriate parties in the manner intended.

[Figure 1 diagram labels: Operator, GRX, Roaming Partner #1, Roaming Partner #2, Billing/Accounting DB, Corporate Network #1, Corporate Network #2, Gi Interface, Ga Interface, Gp Interface, Gn Interface, Firewall/IPSec VPN, VPN]

When considering security threats and possible mitigation, it is important to consider attacks against each of these services. In some cases, it may not be important to protect against certain threats. For example, it is not necessary to protect confidentiality of data that is intended to be public.

Data Services on the Gp and Gi Interfaces

In order to determine what security solutions are appropriate, it is necessary to first understand what type of traffic and data services are to be provided and then to analyze specific threats to those services. The Gp Interface is the logical connection between PLMNs that is used to support mobile (roaming) data users. GTP is used to establish a connection between a local SGSN and the user’s home GGSN. Generally the traffic that must be allowed to and from an operator’s network on the Gp is:

GTP: Provides logical connectivity between the SGSN and GGSN of roaming partners

BGP: Provides routing information between the operator and the GRX and/or roaming partners

DNS: Provides resolution for a subscriber’s APN

The Gi interface is the interface that data originated by the MS is sent out towards, to access the Internet or a corporate network. It is also the interface that is exposed to public data networks and networks of corporate customers. Traffic being sent out from the GGSN on the Gi interface or arriving for an MS on the Gi interface can be virtually any kind of traffic since the application being used at the MS is unknown.

Security Threats on the Gp Interface

Availability

The most common type of attack on availability is a denial of service (DOS) attack. There are several types of denial of service attacks that are possible on the Gp interface:

Border Gateway bandwidth saturation – A malicious operator that is connected to the same GRX (whether or not they’re actually a roaming partner) may have the ability to generate a sufficient amount of network traffic directed at a Border Gateway such that legitimate traffic is starved for bandwidth in or out of the PLMN, thus denying roaming access to or from the network.

DNS Flood – DNS servers on the network can be flooded with either correctly formed or malformed DNS queries or other traffic, thereby denying subscribers the ability to locate the proper GGSN to use as an external gateway.

GTP Flood – SGSNs and GGSNs may be flooded with unauthorized GTP traffic that causes them to spend their CPU cycles processing illegitimate data. This may prevent subscribers from being able to roam, to pass data out to external networks via the Gi, or from being able to GPRS attach to the network at all.

Spoofed GTP PDP Context Delete – An attacker with the appropriate information can potentially craft a GTP PDP Context Delete message which will remove the GPRS Tunnel between the SGSN and GGSN for a subscriber. Some of the information that must be known can be learned by crafting other types of network traffic. If an attacker doesn’t care about whom they are denying service, they can send many PDP Context Delete messages for every tunnel ID that might be used.

Bad BGP Routing Information – An attacker who has control of a GRX operator’s routers, or who can inject routing information into a GRX operator’s route tables, can cause an operator to lose routes for roaming partners, thereby denying roaming access to and from those roaming partners.

DNS Cache Poisoning – It may be possible for an attacker to forge DNS queries and/or responses that cause a given user’s APN to resolve to the wrong GGSN or even none at all. If a long Time To Live (TTL) is given, this can prevent subscribers from being able to pass data at all.

Authentication and Authorization

It may be possible for an imposter to appear to be a legitimate subscriber when they are not.

Spoofed Create PDP Context Request – GTP inherently provides no authentication for the SGSNs and GGSNs themselves. This means that, given the appropriate subscriber information, an attacker with access to the GRX, another operator attached to the GRX, or a malicious insider can potentially create their own bogus SGSN and create a GTP tunnel to the GGSN of a subscriber. They can then pretend to be the legitimate subscriber when they are not. This can result in an operator providing illegitimate Internet access or possibly unauthorized access to the network of a corporate customer.

Spoofed Update PDP Context Request – An attacker can use their own SGSN or a compromised SGSN to send an Update PDP Context Request to an SGSN which is handling an existing GTP session. The attacker can then insert their own SGSN into the GTP session and hijack the subscriber data connection.

Overbilling Attacks – A new attack has emerged in GPRS networks called the “Overbilling Attack”. Such an attack is initiated by a malicious mobile station that hijacks an IP address of another mobile station and invokes a download from a malicious server on the Internet. Once the download begins, the malicious mobile station exits the session. The mobile station under attack, receiving the download traffic, gets charged for traffic it did not solicit. The same malicious party could execute this attack for the purpose of sending broadcasts of unsolicited data in the direction of subscriber cell phones. The effect is still the same, in that the subscriber is billed for data that they did not solicit and might not have wanted. Such an attack is not limited to the Gp interface. It can also occur by exploiting the Gi or Gn interfaces.

Integrity and Confidentiality

Should an attacker be in a position to access GTP or DNS traffic, they can potentially alter it mid-stream or discover confidential subscriber information. This is a fundamental issue with GTP as noted in 3GPP TS 09.60 V6.9.0:

“No security is provided in GTP to protect the communication between different GPRS networks.”

Capturing a subscriber’s data session – Because GTP and the embedded T-PDUs are not encrypted, an attacker who has access to the path between the GGSN and SGSN, such as a malicious employee or a hacker who has compromised access to the GRX, can potentially capture a subscriber’s data session. Without encryption, this data can then be read or manipulated by illegitimate parties. This is generally true of traffic on public networks, and subscribers should be advised to utilize IPSec or similar protection.

Security Solutions for the Gp Interface

The fundamental issue with security threats on the Gp interface is the lack of security inherent in GTP. Implementing IPSec between roaming partners and managing traffic rates can eliminate a majority of the Gp security risks. Specific security countermeasures to implement should include:

Ingress and egress packet filtering – This will help prevent the PLMN from being used as a source to attack other roaming partners. If the mobile operator is connected to more than one GRX or private roaming peering connection, then this will also help ensure that spoofed roaming partner traffic cannot arrive on paths where that roaming partner is not connected.

Stateful GTP packet filtering – Only allow the traffic required and only from the sources and destinations of roaming partners. This will prevent other PLMNs connected to the same GRX from initiating many kinds of attacks. It will also prevent GSNs from having to process traffic from PLMNs that are not roaming partners as well as illegal or malformed traffic. Layer 3 and layer 4 stateful inspection is useful because it minimizes the exposure of the GPRS network; GTP stateful inspection is critical to protect GSNs. A firewall that supports GTP stateful inspection ensures that GSNs are not processing GTP packets that are malformed, have illegal headers, or are not of the correct state. This prevents many types of denial of service attacks and some others such as reconnaissance.

GTP Traffic Shaping – In order to prevent the shared resources of bandwidth and the GSN’s processor from being consumed by an attacker or a subscriber, GTP rate limiting should be implemented. Layer 3 and layer 4 rate limiting should also be implemented to address Denial of Service (DOS) attacks and ensure that bandwidth is appropriately apportioned between GTP, BGP, DNS, etc.

IPSec tunnels between roaming partners – A majority of confidentiality and authentication issues are addressed by implementing IPSec between the mobile operator’s PLMN and that of the roaming partners. Generally, only GTP and DNS traffic should be allowed over the IPSec tunnel. No traffic should be permitted from roaming partners that does not arrive on the IPSec tunnel.

Overbilling Attack Prevention - Juniper’s solution enables the GTP firewall to notify the Gi firewall of an attack. The Gi firewall is then able to terminate the “hanging” sessions and/or tunnels, thus cutting off the unwanted traffic. As such, this prevents the GPRS subscriber from being “overbilled.” Again, this solution is not limited exclusively to the Gp interface.

Gp Network Solution Diagram

Figure 2 below illustrates a recommended configuration for the Gp interface. The border gateway router supporting BGP can either be in front of or behind the firewall. DNS, Radius, and DHCP servers should be located off of the Juniper security system on a separate network segment. The operations and management network should be located off a separate network segment as well.

Figure 2

Security Threats on the Gi Interface

The Gi interface is where the GPRS network connects to the Internet, corporate networks, and other network service providers who may provide services to subscribers. Because the subscriber’s applications can be virtually anything, operators will expose their network at the Gi to all types of network traffic. Subscribers are then exposed to all of the ills that we have today on the Internet including viruses, worms, Trojan horses, denial of service attacks, and other malicious network traffic.

[Figure 2 diagram labels: GRX, Roaming Partner #1, Roaming Partner #2, GGSN, SGSN, Gp Interface, Internet, GTP, IPSec]

Availability

Like the Gp interface, denial of service attacks represent the largest threat on the Gi interface. Some examples include:

Gi bandwidth saturation – Attackers may be able to flood the link from the PDN to the mobile operator with network traffic, thereby preventing legitimate traffic from passing.

Flooding an MS – If a flood of traffic is targeted towards the network (IP) address of a particular MS, that MS will most likely be unable to use the GPRS network. This is particularly true because of the significant difference in available bandwidth on the air interface versus the Gi interface.

Confidentiality

There is no protection of data from an MS to the public data network or corporate network. It is assumed that third parties can see data if IP Security or application layer security is not being used.

Integrity

Data sent over public data networks can potentially be changed by intermediaries unless higher layer security is being used.

Authentication and Authorization

Unless layer 2 or layer 3 tunnels are used at the GGSN to connect to the corporate network, it may be possible for one MS to access the corporate network of another customer. The source address of network traffic cannot be relied upon for authentication and authorization purposes because the MS or hosts beyond the MS can create packets with any addresses regardless of the IP address assigned to the MS.

Security Solutions on the Gi Interface

A majority of the security threats associated with the Gi interface stem from the possibility of denial of service attacks and adjacency attacks. Security solutions include:

Logical tunnels from the GGSN to corporate networks – It should not be possible to route traffic from the Internet to a corporate network, or between corporate networks at all. In order to implement this, make sure that the GGSN can logically separate corporate networks in layer 2 or layer 3 tunnels. If the connection to the corporate network is via the Internet, IPSec should be used to connect from the GGSN to the corporate network.

Traffic rate limiting – On connections to the Internet, prioritize IPSec traffic from corporate networks over that of other traffic. This will ensure that attacks from the Internet cannot disrupt mobile intranet services. Another consideration would be to use separate physical interfaces for corporate traffic and Internet traffic.

Stateful packet inspection – Use a security policy that only allows the MS to initiate connections to the public network and implement stateful packet filtering so that the MS never sees traffic that is initiated from the public network. If required, implement trusted application servers that are permitted by policy to push public network services to the MS. An alternative would be to consider two types of service--one where connections can be initiated from the Internet toward the MS and one where they cannot.

Ingress and egress packet filtering – Prevent the possibility of spoofed MS to MS data by blocking incoming traffic with the source addresses which are the same as those assigned to an MS for public network access.

Overbilling Attack Prevention - Juniper’s solution enables the GTP firewall to notify the Gi firewall of an attack. The Gi firewall is then able to terminate the “hanging” sessions and/or tunnels, thus cutting off the unwanted traffic. As such, this prevents the GPRS subscriber from being “overbilled.” Again, this solution is not limited exclusively to the Gi interface.
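The Gi measures listed above (MS-initiated-only stateful filtering, ingress and egress filtering against the MS address pool, and clearing “hanging” sessions when the GTP side reports a deleted tunnel) can be modelled in a few lines. This is an added example, not Juniper’s implementation; the class, the method names, the 10.20.0.0/16 MS pool and the addresses are constructed for illustration.

```python
import ipaddress


class GiFirewall:
    """Toy Gi-side stateful filter; every name here is hypothetical."""

    def __init__(self, ms_pool, flush_on_delete):
        self.ms_pool = ipaddress.ip_network(ms_pool)  # assumed MS address pool
        self.flush_on_delete = flush_on_delete
        self.sessions = set()  # (ms_ip, ms_port, remote_ip, remote_port)

    def from_ms(self, src, sport, dst, dport):
        """Outbound packet from an MS: egress filter, then record the session."""
        if ipaddress.ip_address(src) not in self.ms_pool:
            return "drop: source outside MS pool"
        self.sessions.add((src, sport, dst, dport))
        return "pass"

    def from_public(self, src, sport, dst, dport):
        """Inbound packet from the public network toward an MS."""
        if ipaddress.ip_address(src) in self.ms_pool:
            return "drop: spoofed MS source"  # ingress filter
        if (dst, dport, src, sport) not in self.sessions:
            return "drop: not initiated by MS"
        return "pass"

    def pdp_context_deleted(self, ms_ip):
        """Notification from the GTP firewall that ms_ip's tunnel is gone."""
        if self.flush_on_delete:
            self.sessions = {s for s in self.sessions if s[0] != ms_ip}


def overbilling_scenario(flush_on_delete):
    """Return (verdict for the outbound request, verdict for later download data)."""
    fw = GiFirewall("10.20.0.0/16", flush_on_delete)
    ms_ip, server = "10.20.0.5", "198.51.100.7"  # constructed addresses
    started = fw.from_ms(ms_ip, 40000, server, 80)  # first holder starts a download
    fw.pdp_context_deleted(ms_ip)  # it leaves; ms_ip is later given to another MS
    return started, fw.from_public(server, 80, ms_ip, 40000)


def filter_checks():
    """Verdicts for unsolicited inbound, spoofed inbound and spoofed outbound."""
    fw = GiFirewall("10.20.0.0/16", True)
    return (fw.from_public("198.51.100.7", 80, "10.20.0.5", 40000),
            fw.from_public("10.20.0.9", 1234, "10.20.0.5", 40000),
            fw.from_ms("172.16.0.1", 1234, "198.51.100.7", 80))


if __name__ == "__main__":
    print("without notification:", overbilling_scenario(False))
    print("with notification:   ", overbilling_scenario(True))
    print(filter_checks())
```

Without the notification the download continues to reach whoever holds the address next; with it, the stale session is gone and the traffic is dropped at the Gi firewall.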

Gi Network Security Solution Diagram

The Juniper Gi security solution uses a tunnel hub concept to logically separate traffic for different corporate networks and the Internet. In addition to IPSec tunnels and 802.1q VLANs, ATM, Frame Relay, and MPLS can be used in conjunction with third party switches and access concentrators.

Figure 3

[Figure 3 diagram labels: Gi Interface, GGSN, SGSN, Corporation A, Corporation B]

Security Threats on the Gn Interface

Providers need to worry not only about threats originating from outside their network. There are also many instances where threats may originate from inside a provider’s network, or where threats emerge from the outside but propagate within a provider’s network once the network barrier has been breached. This section outlines threats that may occur at the Gn interface, which is internal to a given provider’s GPRS network.

Attacks at the Gn interface can potentially bring down the network, depending on the intensity of the attack. This impact can lead to network downtime, loss of service, revenue loss and disgruntled customers.

Spoofed SGSN or GGSN: There are instances where malicious users can disguise themselves as a legitimate part of the network by spoofing the IP address of a GGSN or SGSN. Once a party has established themselves as a legitimate network element or user, then they can take actions which are detrimental to customers or wireless carriers, such as deleting PDP contexts or sessions. By executing commands that a GGSN normally executes, such attacks can go undetected until the damage is done, unless the network is protected by a stateful firewall.

Spoofed GTP PDP Context Delete – An attacker with the appropriate information can potentially craft a GTP PDP Context Delete message which will remove the GPRS Tunnel between the SGSN and GGSN for a subscriber. Some of the information that must be known can be learned by crafting other types of network traffic. If an attacker doesn’t care about whom they are denying service, they can send many PDP Context Delete messages for every tunnel ID that might be used.

Attacks from one mobile customer against another: Mobile customers, whether legitimate customers or not, may attack each other. One such attack is the previously described Overbilling attack. This attack can take the equivalent form of “spam” for a GPRS network. In this case, the malicious user, once they have gained what appears to be legitimate network access, can send massive amounts of data to unsuspecting users. Since GPRS is a “usage based” service, then innocent users are “overbilled” for content that they did not request. Such an attack would be even more harmful than spam is for email, as it becomes much more than an annoyance. Imagine if you were charged (on a per email basis) for every piece of junk email that you received from a spammer!

Security Solutions on the Gn Interface

Using policy based configuration and administration, providers can protect against security threats emerging from within the GPRS network.

Policy-based firewall management allows providers to use Juniper’s arbitrary “any any” zone structure to protect against attacks originating from within the network. A simple “trust-untrust” architecture does not fully allow customers to do this, because there is often no concept of “untrust” within the confines of a given provider’s network.

Stateful Inspection Firewall: By deploying a stateful inspection firewall and setting the policies by which traffic is allowed or disallowed, carriers can protect against the attacks mentioned above. For example, in the case of the spoofed GGSN messages, if a PDP context message does not pass the “sanity check” detection mechanisms, it is dropped. In the example above, where a GTP PDP Context Delete message might be “spoofed” by a malicious user posing as a GGSN, if no prior GTP PDP Context Create message was received, the Delete message would not pass the sanity check and would be dropped by the firewall.
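The sanity check and state tracking described here, and in the stateful GTP packet filtering recommendation for the Gp interface, can be sketched as follows. This is an added example, not Juniper’s implementation: it assumes GTP 99 (GTPv1) control messages only, uses the header layout and message numbers from 3GPP TS 29.060, parses just the information elements it needs, and runs on constructed packets and addresses.

```python
import struct

# GTPv1-C message types and IE numbers (3GPP TS 29.060)
CREATE_REQ, CREATE_RSP, UPDATE_REQ, UPDATE_RSP, DELETE_REQ, DELETE_RSP = range(16, 22)
IE_CAUSE, IE_TEID_CP, CAUSE_ACCEPTED = 1, 17, 128
# Value lengths of fixed-size IEs up to TEID Control Plane (subset of the spec table)
TV_LEN = {1: 1, 2: 8, 3: 6, 8: 1, 14: 1, 15: 1, 16: 4, 17: 4}


def parse_gtpc(pkt):
    """Sanity-check a GTPv1-C packet; return (msg_type, header_teid, ies)."""
    if len(pkt) < 12:
        raise ValueError("short header")
    flags, mtype, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1")
    if flags & 0x07 != 0x02:  # assumption: sequence number only, no extensions
        raise ValueError("unexpected header flags")
    if length != len(pkt) - 8:
        raise ValueError("length field mismatch")
    ies, off = {}, 12
    while off < len(pkt) and pkt[off] <= IE_TEID_CP:  # IEs are sorted by type
        ie = pkt[off]
        if ie not in TV_LEN or off + 1 + TV_LEN[ie] > len(pkt):
            raise ValueError("malformed IE")
        ies[ie] = pkt[off + 1:off + 1 + TV_LEN[ie]]
        off += 1 + TV_LEN[ie]
    return mtype, teid, ies


class GtpFirewall:
    def __init__(self, known_gsns):
        self.known = set(known_gsns)  # own GSNs plus roaming partners' GSNs
        self.pending = {}   # (sgsn, sgsn_teid_c) -> ggsn the request went to
        self.tunnels = {}   # (receiver, teid_c) -> (only peer allowed, reverse key)

    def inspect(self, src, dst, pkt):
        if src not in self.known or dst not in self.known:
            return "drop: unknown GSN"
        try:
            mtype, teid, ies = parse_gtpc(pkt)
        except ValueError as err:
            return f"drop: {err}"
        accepted = ies.get(IE_CAUSE) == bytes([CAUSE_ACCEPTED])
        if mtype == CREATE_REQ:
            if teid != 0 or IE_TEID_CP not in ies:
                return "drop: bad create request"
            self.pending[(src, ies[IE_TEID_CP])] = dst
            return "pass"
        if mtype == CREATE_RSP:
            key = (dst, struct.pack("!I", teid))
            if self.pending.get(key) != src:
                return "drop: unsolicited create response"
            del self.pending[key]
            if accepted and IE_TEID_CP in ies:
                a = (dst, teid)
                b = (src, struct.unpack("!I", ies[IE_TEID_CP])[0])
                self.tunnels[a], self.tunnels[b] = (src, b), (dst, a)
            return "pass"
        if mtype in (UPDATE_REQ, UPDATE_RSP, DELETE_REQ, DELETE_RSP):
            # Strict by design: only the recorded peer may act on a tunnel.
            entry = self.tunnels.get((dst, teid))
            if entry is None or entry[0] != src:
                return "drop: no matching tunnel"
            if mtype == DELETE_RSP and accepted:
                del self.tunnels[(dst, teid)]
                self.tunnels.pop(entry[1], None)
            return "pass"
        return "drop: message type not permitted"


def build(mtype, teid, seq, ies=b""):
    """Constructed GTPv1-C packet; flags 0x32 = version 1, PT=1, S=1."""
    return struct.pack("!BBHIHBB", 0x32, mtype, 4 + len(ies), teid, seq, 0, 0) + ies


def demo():
    # Constructed addresses (documentation ranges) and TEIDs
    sgsn, ggsn, other, rogue = "192.0.2.10", "192.0.2.20", "192.0.2.30", "203.0.113.9"
    fw = GtpFirewall({sgsn, ggsn, other})
    teid_cp = lambda t: bytes([IE_TEID_CP]) + struct.pack("!I", t)
    ok = bytes([IE_CAUSE, CAUSE_ACCEPTED])
    verdicts = [
        fw.inspect(sgsn, ggsn, build(DELETE_REQ, 0x2222, 1)),            # no prior Create
        fw.inspect(sgsn, ggsn, build(CREATE_REQ, 0, 2, teid_cp(0x1111))),
        fw.inspect(ggsn, sgsn, build(CREATE_RSP, 0x1111, 2, ok + teid_cp(0x2222))),
        fw.inspect(rogue, ggsn, build(DELETE_REQ, 0x2222, 3)),           # not a partner
        fw.inspect(other, ggsn, build(DELETE_REQ, 0x2222, 4)),           # wrong partner
        fw.inspect(sgsn, ggsn, build(DELETE_REQ, 0x2223, 5)),            # guessed TEID
        fw.inspect(sgsn, ggsn, build(DELETE_REQ, 0x2222, 6) + b"\x00"),  # bad length
        fw.inspect(sgsn, ggsn, build(DELETE_REQ, 0x2222, 7)),            # legitimate
        fw.inspect(ggsn, sgsn, build(DELETE_RSP, 0x1111, 7, ok)),
    ]
    return verdicts, len(fw.tunnels)


if __name__ == "__main__":
    print("\n".join(demo()[0]))
```

Because the filter only lets the recorded peer act on a tunnel, a deployment that supports SGSN changes needs an explicit policy for Update requests arriving from a different partner SGSN.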

Juniper’s Overbilling feature would enable a carrier to prevent the “spam” example from happening by deleting the “hijacked” session that the malicious party used to execute the attack.

Deploying GPRS Security Solutions on Juniper Security Systems

The Juniper Networks NetScreen 500-GPRS provides security technology to mitigate a wide variety of attacks on the Gp, Gn, Ga, Gi interfaces. These features include:

Full policy based protection at all major GPRS interfaces

Logical separation and administration via Virtual System (vsys) support

Support for both GTP 97 and GTP 99

GTP Packet Sanity Check

GTP Tunnel Limiting

Hardware-accelerated stateful packet filtering

Traffic rate limiting

GTP rate limiting by signaling or user plane

GTP stateful packet filtering

GPRS Overbilling Attack Prevention

Dynamic Routing (OSPF and BGP)

High Availability (using Juniper Redundancy Protocol – NSRP)

Route mode or Transparent mode

Web User Interface (WebUI)

Access Point Name Filtering (APN Filtering)

Active/Active mode

Active/Passive mode

Per direction APN filtering

GTP security policies including

GTP Message Type

GTP Message Length

IMSI Prefix filtering (MCC/MNC Filtering)

Filtering on a per mobile provider basis

GTP Tunnel Count Limits

APN and Selection Mode

GTP Management and Logging Features

GTP Traffic Counting

GTP Traffic Logging

Many other advanced logging capabilities

High-availability fail-over including:

GTP state tables

VPN gateway connections

Virtual Router support to separate intranet destined traffic

IPSec tunnels or 802.1q VLANs to the GGSN

IPSec tunnels or 802.1q VLANs toward corporate network

Hardware-accelerated support for GTP over IPSec tunnels

Conclusion

GPRS promises to benefit mobile data users greatly by providing always on higher bandwidth connections than are widely available today. In order to be successful, data connections must be secure and be available anytime and from anywhere.

The maturity of security in the air interface, and the low bandwidth available limit the effectiveness of the Mobile Station as the source of attacks. However, with the introduction of GPRS services, operators must connect their networks to those of corporate customers, public data networks, and that of other operators to provide data access services. These connections represent significant risks to subscribers and the operators themselves.

The lack of security inherent in GTP, the protocol used between roaming partners, represents a significant threat. The security of the roaming network is only as good as that of the weakest operator. Implementing IPSec between roaming partners, traffic rate limiting, and GTP stateful inspection can mitigate a significant number of threats on the roaming network.

Stateful packet inspection, traffic rate limiting, and logical separation of traffic for each corporate network and the public network can significantly reduce the threat between the operator’s network, subscribers, and these networks.

Juniper Networks has developed technology and solutions that include GTP-aware stateful inspection firewall, GTP aware traffic shaping, and a VPN/VLAN tunnel hub. These solutions help mitigate many of the possible threats to the GPRS network, mobile subscribers, and corporate networks.

Acknowledgements and Resources

The author wishes to thank the staff of Ericsson Research Labs, Berkeley, CA, for their assistance with the analysis of GTP and Gi interface security threats.

Also special thanks to Jesse Shu of Juniper Networks GPRS Software Engineering.

Other sources of helpful information include:

Security in GPRS. Geir Stian Bajen and Erling Kaasin. May 2001

http://siving.hia.no/ikt01/ikt6400/ekaasin/Master Thesis Web.htm

Screening and filtering: In GPRS the subscriber pays MO and MT packets, how to protect against hackers and unwanted packets? Hannu H. KARI

http://www.cs.hut.fi/~hhk/GPRS/lect/screening/ppframe.htm

GPRS Security. Charles Brookson. December 2001.

http://www.brookson.com/gsm/gprs.pdf

Wireless and Mobile Network Architectures. Yi-Bing Lin, Herman C.-H Rao, Imrich Chlamtac. John Wiley and Sons 2001.

Copyright © 2004 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from: Juniper Networks, Inc. 1194 N. Mathilda Ave.Sunnyvale, CA 95014 ATTN: General Counsel