F5 GTP Firewall - stop intruders at EPC edge
In previous post “The rising threat of GTP attacks - are you protected?” I discussed various threats posed by a potential attacker through snooping into and controlling of your IPX/GRX S8 roaming traffic. Today I will review F5 GTP Firewall Solution and methods it uses to address many possible GTP attack vectors F5 has a portfolio of products and solutions made specifically for Service Providers - S/Gi Firewall, Context-aware Policy Enforcement (PEM), DNS Solutions, Diameter signaling solutions, CGNAT and TCP Optimization help Service Providers around the globe secure and optimize their Packet Core networks. GTP Firewall Solution is now part of the offering that enables MNOs to further secure their network edge. Solution Components GTP Firewall Solution is based on the F5 TMOS and offers a variety of deployment options ranging from standalone appliances and F5 Viprion blade chassis to public and private cloud VEs. GTP FW comprises the following components: Network Firewall GTP Intrusion Prevention System GTP Plausibility checks via LTM iRules By combining AFM with GTP Plausibility checks via LTM iRules, GTP Firewall achieves L3-L7 capabilities necessary to perform an effective GTP analysis and manipulation. Pic 1. F5 GTP Firewall Network Layer Security GTP Firewall uses AFM to secure network edge to IPX/GRX and perform IP filtering. Only known roaming partners can send GTP traffic to local SGWs and PGWs. Access Control List and Message Filtering secure the network further by allowing only certain message types to be accepted from IPX/GRX. For instance, only S8 messages would be allowed while S5 messages would be blocked. DoS/DDoS profiles are used to detect attack vectors and block violating traffic. Pic 2. Block disallowed messages Plausibility of GTP messages Part of Layer 7 GTP Firewall inspects GTP messages and analyzes certain parameters to detect anomalies. Plausibility checks include: IP Address validation in GTP messages Cross-Layer checks Validity of information in IE representing Roaming Partner and/or Subscriber GTP-in-GTP encapsulation detection Protection against manipulated and fake GTP messages Plausibility checks help prevent Layer 7 attacks that exploit network’s inability to block malicious GTP messages that pose as legitimate requests. GTP Firewall can use the flexibility of LTM iRules to query external databases and confirm the validity of GTP IE. This functionality allows for agile and customized deployments of F5 GTP Firewall solution Pic 3. Plausibility checks Intrusion Prevention System and Layer 7 GTP Firewall AFM Intrusion Prevention System has been enhanced to fully support GTP protocol. IPS makes it easy to perform tens if not hundreds of checks of GTP messages and configure rules according to the customer’s specific requirements. From limiting APNs to blocking ports to IP blacklisting - IPS is highly regarded for its flexibility in defining a virtually unlimited number of check combinations. Here are some commonly used rules that can be configured in GTP Intrusion Prevention System: Protocol conformance Signature conformance on known security issues Filter GTPv2-C IE by message type. 100+ types in DB, can blacklist/whitelist specific fields APN verification (wildcards can be used) for Create Session Requests Throttle by RAT Type, PDN Type (v4/v6), User Location Info, Aggregate Max Bit Rate, QoS IP blacklisting of tunneled packets DoS vectors for tunneled packets and GTP-in-GTP Map Radio QoS to Network QoS Throttling per user or per roaming partner Log enrichment: TEID, APN, IMSI etc By combining traditional Layer 4 Firewall capabilities with F5’s Intrusion Prevention System and LTM iRules GTP Firewall Solution has become the most advanced MNO network protection offering that can successfully deal with many GTP attacks and protect critical Network Elements like PGWs and SGWs while optimizing security costs.The rising threat of GTP attacks - is your GRX/IPX connection secure?
Overview In today’s world everything seems to revolve around privacy, security and challenges of protecting personal information, Apps, services and network infrastructure from a variety of threats. L7 DoS attacks, credential hijacking/stuffing and use of sophisticated botnets pose a significant risk for businesses and Service Providers. Besides mitigating OWASP top 10 to protect their apps and subscribers, Mobile Network Operators must take necessary steps to secure their backbone Packet Core (EPC). Diameter, SIP and various types of GTP protocols are used for communication between NEs inside and between EPCs. GTP-U is also used to carry subscriber’s mobile traffic throughout the EPC and out to the Internet. EPC of a standalone Service Provider is usually considered being secure enough with the exception of Gi interface between PDN gateways (PGW) and the Internet. Gi is locked down with some sort of Gi firewall. However, a rare MNO would isolate itself and its subscribers by staying disconnected from other MNOs.National and international roaming is a significant part of MNO’s revenue and one of the major services available to subscribers since the inception of mobile networks. Sometimes MNOs are directly interconnected with other MNOs using S5/S8 interface. It is a fairly secure connection as it uses P2P infrastructures like site VPNs and use of MPLS. More often, however, Operators opt to connect to IP exchange(s) (IPX)/ GPRS exchange(s) (GRX) that offer a simultaneous interconnection with a multitude of other MNOs and act as GTP and/or Diameter intermediaries that route or forward messages based on pre-determined criteria. IPX/GRX is considered being the “weakest link” by some security researchers. One of them has published a study back in 2015 that showed various ways of attacking MNOs using GTP-C messages, prompting associations like GSMA to issue security guidelines otherwise known as GSMA PRD FS.20, that describe threats, risks and mitigation techniques of such attacks. Types of attacks GTP eavesdropping If an IPX/GRX infrastructure is compromised, a potential attacker can snoop into passing GTP traffic and gain valuable subscriber information. For example, User Location information can be exposed if ‘MS Info Change Notification' Requests are sent between Visited PMN and Home PMN. Other important information that can be exposed to the attacker is subscriber APN credentials. Those credentials are transmitted in clear-text and are part of PPP set-up procedure. Pic 1. GTP snooping Generation of malicious GTP messages Besides just parsing the transiting GTP traffic, an attacker can generate malicious requests and cause significant damage to subscriber sessions, billing and Denial of Service on a specific SGW(s). Vectors of potential attacks include but are not limited to: - DoS attackon all subscribers served by the same SGW is made possible through generation of GTP messages containing increased Recovery information element (IE) - Information gathering through sending fake ‘Delete Session Request’ which must be answered by receiving NE - Unauthorized access to an APN by impersonating a Visited PLMN SGW and sending a message to Home PLMN PGW with Selection Mode IE set to ‘Verified’ i.e. indicating that HLR has approved the access of this UE to the specified APN - Billing fraud and impersonation of another subscriber by specifying another subscriber’s IMSI in Session Setup Request - Redirect existing GTP-U tunnel to another PGW by sending Update PDP Context Request message and specifying new TEID Data - DoS attack on all subscribers served by the same SGW board by sending Delete PDN Connection Set Request with a valid FQ-CSID Pic 2. GTP active attack Flood of malicious GTP messages One of the serious concerns of any MNO is the potential network outage and service degradation due to an exhaustion of IP addresses assigned to a particular PGW, and this vulnerability can be exploited by sending a flood of ‘Create Session Request’ messages to that PGW Pic 3. GTP flood Active message suppression Message suppression and dropping poses a risk for subscribers as it can cause legitimate ‘Delete Session Request’ messages to never reach Home PGW, keeping subscriber’s PDP context active in VPLMN. Pic 4. Message suppression Active message suppression and modification As with active suppression, an attacker can modify or drop and recreate GTP requests and/or answers. As a possible attack vector, a legitimate ‘Session Setup Response’/‘Create Session Response’ is modified to include a ‘Cause’ IE value other than “Request Accepted”, “New PDP type due to network preference” or “New PDP type due to single address bearer only". This behavior causes Denial of Service for affected subscribers. Pic 5. Message modification Securing IPX/GRX connections with F5 GTP Firewall With the amount of potential attacks it's clear thatMNOs need to protect their roaming interfaces and secure entire EPC infrastructure and exposed network elements. Measures like typical network and NE hardening i.e. separation on most layers and use of traditional L4 FW are not extremely effective against GTP (or any type of L7) attacks. An intelligent Application-layer Firewall, on other hand, will ensure GTP attacks are implausible by using a set of rules that inspect GTP traffic, check for protocol compliance, examine various Information Elements inside the message and possibly make an external NE signaling call, before deciding to block or allow the message to travel into Home network. F5 GTP Firewall uses AFM module to perform protocol compliance, protect from DoS attacks and secure network infrastructure with Intrusion Prevention Service (IPS) while GTP Session Director (GTP-SD) allows for flexible examination of various parts of GTP messages, implementation of custom rules and extensive logging and visualizations. GTP is here to stay, so are the security challenges associated with IPX/GRX. My colleague Peter Nas wrote an excellent post on GTP and 5G and why every MNO has to secure its GTP roaming interfaces. Pic 6. F5 GTP Firewall Stay tuned for the next post where I will review F5 GTP Firewall solution
