Wednesday 20 November 2019

GTP Security: Securing 5G Networks with a GTP Firewall

Anthony Webb, EMEA Vice President at A10 Networks

It is often written that 5G will usher in the Fourth Industrial Revolution and change the economy. The speeds and capacity that 5G network promises to bring has the potential to be an indispensable technology. Verizon estimated that by 2035, 5G “will enable £10.5 trillion of global economic output and support 22 million jobs worldwide.

Therefore, 5G is not only important because it has the potential to support millions of devices at ultrafast speeds, but also because it has the potential to transform the lives of people around the world. But with this new opportunity also comes higher security risks as cyberattacks grow in sophistication and volume and use lightly protected mobile and IoT devices in their botnets or targeted attacks.

GTP today

Since the early days of 3G or 2.5G, GPRS Tunnelling Protocol (GTP) has been used to carry traffic and signalling through mobile networks and has continued to do so in 4G/LTE and recent 5G non-standalone architectures. But GTP was never designed with security in mind and therefore has no inherent security mechanisms.

As traffic, devices and interconnection partners surge, so does the use of GTP. The transition to 5G is happening and most operators will opt to deploy 5G in stages, using a common 4G core as they build out the 5G RAN. As a result, threats to 4G core elements from GTP-based attacks will still be present during this hybrid period. This where operators must now include a GTP firewall as part of their current network security posture and as they evolve the network to 5G.

GTP vulnerabilities have been well known by the industry and documented in GSMA reports. What is required is a GTP firewall which stops attackers from trying to exploit GTP vulnerabilities on the interfaces exposed to the network. These attacks target both mobile subscribers and mobile network infrastructure. The most common GTP security issues include confidential data disclosures, denial of service, network overloads, and a range of fraud activities. In 5G, additional security measures have been added, but GTP will continue to play an important role, especially in roaming.

What is required?

The simple answer is scalable security. Mobile operators face the challenge of securing roaming and EPC interfaces where GTP protocols are used extensively in and are known to have vulnerabilities that can be readily exploited by malicious actors. As vulnerable devices and partners expand, so does the attack surface available for malicious purposes. Operators need to meet the growing security challenges while also providing a seamless subscriber experience.

As they move towards 5G, with likely a 4G common core for many years, operators will need to tackle the risks inherent in GTP, as threats continue to grow against a much larger volume of traffic and applications. Roaming traffic, with its high complexity and large number of interconnect partners and hubs, can be an especially vulnerable and attractive target for malicious actors.

Common Threats

The most common threats from a GTP based attacks include the following:
Eavesdropping – intercepting and snooping into GTP traffic gaining valuable and confidential subscriber information

  • Fraud: Attackers can use services at the expense of the operator or another subscriber using invalid or hijacked IMSI
  • Injection of malicious GTP messages: Disrupting sessions and creating DDoS
  • Subscriber denial of service: Spoofing subscriber IDs to generate malicious messages that cause service disruption for an individual subscriber
  • Message Suppression and Modification: Prevent message delivery or allow malicious content delivery, disrupting service
  • Network Overload/DDoS: Malicious, malformed or invalid signalling packets are sent that overwhelm network elements or cause vulnerable elements to fail
GTP Firewall 
A GTP firewall provides security and scalability, while protecting the mobile core against GTP-based threats mentioned above through GTP interfaces in the access networks and GRX/IPX interconnect to support uninterrupted operations. The GTP firewall can be inserted into multiple interfaces carrying the GTP traffic. The primary use case is being inserted on S5-Gn and S8-Gp (roaming firewall) interfaces.

No comments: