[Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS/UMTS Security Requirements Guto Motta

Slides:



Advertisements
Similar presentations
MIGRATION OF GSM TO GPRS
Advertisements

An Overview of GPRS Shourya Roy Pradeep Bhatt Gururaja K.
UMA (Unlicensed Mobile Access) El Ayoubi Ahmed Hjiaj Karim.
© Sunrise GSM Data evolution EDGE GSM HSCSD services upto 38.4 kbit/s (later up to 64 kbit/s) PDS services low bit rates GSM GPRS services upto.
1 General Packet Radio Service (GPRS) Adapted from a presentation by Miao Lu Nancy Samaan SITE, Ottawa.
Contents of Presentation
General Packet Radio Service An Overview Ashish Bansal.
General Packet Radio Services(GPRS). GPRS GSM GPRS GSM-Drawbacks Circuit switching is used. Complete traffic channel is allocated to user for complete.
Telefónica Móviles España GPRS (General Packet Radio Service)
Mobile Communication MMS / GPRS. What is GPRS ? General Packet Radio Service (GPRS) is a new bearer service for GSM that greatly improves and simplifies.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Mobile Communication Division
Cellular and Mobile Wireless Networks (part 2) Advanced Computer Networks.
All IP Network Architecture 2001 년 12 월 5 일 통신공학연구실 석사 4 차 유성균
General Packet Radio System (GPRS) Overview. Introduction General Packet Radio Service (GRPS) today “Packet overlay” network on top of the existing GSM.
Supporting Packet-Data QoS in Next-Generation Cellular Networks R. Koodli and Mikko Puuskari Nokia Research Center IEEE Communication Magazine Feb, 2001.
GPRS Muhammad Al-khaldi Sultan Al-Khaldi
Presentation on General Packet Radio Service (GPRS)
Cellular IP: Proxy Service Reference: “Incorporating proxy services into wide area cellular IP networks”; Zhimei Jiang; Li Fung Chang; Kim, B.J.J.; Leung,
 The GSM network is divided into two systems. each of these systems are comprised of a number of functional units which are individual components of the.
© China Mobile Communications Corporation GPRS Operation of CMCC China Mobile Communications Corporation.
General Packet Radio Service (GPRS) A new Dimension to Wireless Communication.
PERSONAL COMMUNICATION SYSTEMS: GPRS Ian F. Akyildiz Broadband & Wireless Networking Laboratory School of Electrical and Computer Engineering Georgia Institute.
Huawei Confidential. All Rights Reserved OMQ GPRS Principle ISSUE 2.0.
Blog: aforajayshahnirma.wordpress.com
Wireless Networks Chris Lord (cil103) An Overview of General Packet Radio Service (GPRS) Based on information from
General Packet Radio Service
Ronald D. (Ron) Ryan Chair T1P1.SAH Slide 1 Copyright Nortel Networks T1P1/ Overview 3G UMTS LI Capabilities T1P1.SAH April 2001.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
General Packet Radio Service Presented By: Kusum Bharti Maulana Azad National Institute of Technology,Bhopal Department of Computer Science &
1 Presentation_ID © 1999, Cisco Systems, Inc. Cisco All-IP Mobile Wireless Network Reference Model Presentation_ID.
GSM TOWARDS LTE NETWORKS
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
1 © NOKIA Functionality and Testing of Policy Control in IP Multimedia Subsystem Skander Chaichee HUT/Nokia Networks Supervisor: Professor Raimo.
MOBILITY Beyond Third Generation Cellular Feb
Security fundamentals Topic 10 Securing the network perimeter.
General Packet Radio Service (GPRS)
GPRS Part II Wireless and Mobile Network Architecture
Ασύρματα Δίκτυα και Κινητές Επικοινωνίες Ενότητα # 8: Σύστημα 2.5 Γενιάς GPRS Διδάσκων: Βασίλειος Σύρης Τμήμα: Πληροφορικής.
4.1 Data services in GSM II GPRS (General Packet Radio Service) – packet switching – using free slots only if data packets ready to send (e.g., 115 kbit/s.
NETLMM Applicability Draft (Summary) 28 Sep
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 27 November 23, 2004.
Supporting Nodes SGSN(serving GPRS supporting Node) Functions- 1]Packet switching 2]Routing and transfer 3]Mobility Management 4]Logical Link management.
GPRS General Packet Radio Service Shay Toder – Ori Matalon The Department of Communication System Engineering Ben-Gurion University June 19, 2002.
1 Special Topics in Computer Engineering Supervised by Dr. Walid Abu-Sufah Jordan University Department of Computer Engineering.
Mobile IP THE 12 TH MEETING. Mobile IP  Incorporation of mobile users in the network.  Cellular system (e.g., GSM) started with mobility in mind. 
1 Wireless Networks Lecture 17 GPRS: General Packet Radio Service (Part I) Dr. Ghalib A. Shah.
MULTIMEDIA ENGINEERING ISE (International School of Engineering, CU) Information and Communication Engineering 4 2.5G Mobile Phone and Network.
BITS Pilani Pilani | Dubai | Goa | Hyderabad EA C451 Vishal Gupta.
BITS Pilani Pilani | Dubai | Goa | Hyderabad EA C451 Vishal Gupta.
General packet radio service (GPRS)
Nokia 3G Serving GPRS Support Node
GPRS.
CS1: Wireless Communication and Mobile Programming
NETLMM Applicability Draft (Summary)
Communication Protocol Engineering Lab. Taek-su Shin 1 General Packet Radio Service (GPRS) 1/2 June, 3, 2003 Taek-Su Shin Communication.
Visit for more Learning Resources
GPRS GPRS stands for General Packet Radio System. GPRS provides packet radio access for mobile Global System for Mobile Communications (GSM) and time-division.
GPRS GPRS (General Packet Radio Service) is an overlay on top of the GSM physical layer and network entities. Advantages: Short access time to the network.
GPRS/EDGE Implementation
Master in progettista di servizi radiomobili Web Based Overview
IP Multimedia Subsystem & W-CSCF
Network Architecture How does it all work?
Master in progettista di servizi radiomobili Web Based Overview
GPRS Architecture Ayan Ganguly Bishakha Roy Akash Dutta.
GPRS Introduction to GPRS. 1.1) what is GPRS?
Mobile IP Outline Homework #4 Solutions Intro to mobile IP Operation
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Global One Communications
Presentation transcript:

[Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS/UMTS Security Requirements Guto Motta SE Manager Latin America

2 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Agenda  GSM / GPRS Network Architecture  Security Aspects of GPRS  Attacks and Impact  GTP Awareness

[Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GSM / GPRS Network Architecture

4 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GSM Architecture

5 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. General Packet Radio Service  Support for bursty traffic  Efficient use of network and radio resources  Provide flexible services at relatively low costs  Possibility for connectivity to the Internet  Fast access time  Happily co-existence with GSM voice –Reduce Investment

6 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS Network Architecture New

7 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS Additions to GSM  New components introduced for GPRS services: –SGSN (Serving GPRS Support Node) –GGSN (Gateway GPRS Support Node) –IP-based backbone network  Old components in GSM upgraded for GPRS services: –HLR –MSC/VLR –Mobile Station

8 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. SGSN - Serving GPRS Support Node  At the same hierarchical level as the MSC.  Transfers data packets between Mobile Stations and GGSNs.  Keeps track of the individual MSs’ location and performs security functions and access control.  Detects and registers new GPRS mobile stations located in its service area.  Participates into routing, as well as mobility management functions.

9 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GGSN - Gateway GPRS Support Node  Provides inter-working between Public Land Mobile Network (PLMN) and external packet-switched networks.  Converts the GPRS packets from SGSN into the appropriate packet data protocol format (e.g., IP or X.25) and sends out on the corresponding packet data network.  Participates into the mobility management.  Maintains the location information of the mobile stations that are using the data protocols provided by that GGSN.  Collects charging information for billing purpose.

10 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS Interfaces Gb Gn Gi EIR Gf GGSN Other GPRS PLMN Gp SMS Gd

11 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS Topology BSS GGSN Roaming Partner SGSN GGSN Gi Gp BSS/UTRAN Home PLMN BSS/UTRAN SGSN C&B Gn GRX Internet

12 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Packet Data Protocol (PDP)  Packet Data Protocol (PDP) –Address –Context –Logical tunnel between MS and GGSN –Anchored GGSN for session  PDP activities –Activation –Modification –Deactivation

13 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. PDP Context  When MS wants to send data, it needs to activate a PDP Address  This activation creates an association between the subscriber’s SGSN and GGSN  The information record maintained by the SGSN and GGSN about this association is the PDP Context

14 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. PDP Context Procedures  MS initiated MSBSSSGSNGGSN Activate PDP Context Request Create PDP Context Request Create PDP Context Response Activate PDP Context Accept Security Functions [PDP Type, PDP Address, QoS, Access Point...] [PDP Type, PDP Address, QoS, Access Point...] [PDP Type, PDP Address, QoS, Access Point...] [PDP Type, PDP Address, QoS, Access Point...]

15 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS Backbone  All packets are encapsulated using GPRS Tunneling Protocol (GTP)  The GTP protocol is implemented only by SGSNs and GGSNs  GPRS MSs are connected to a SGSN without being aware of GTP  An SGSN may provide service to many GGSNs  A single GGSN may associate with many SGSNs to deliver traffic to a large number of geographically diverse mobile stations

16 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GTP Packet Structure

17 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS Topology BSS GGSN Roaming Partner SGSN GGSN Gi Gp BSS/UTRAN Home PLMN BSS/UTRAN SGSN C&B Gn GRX Internet

[Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Security Aspects of GPRS

19 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GTP Security  GTP – GPRS Tunneling Protocol –Key protocol for delivering mobile data services  GTP itself is not designed to be secure: “No security is provided in GTP to protect the communications between different GPRS networks.”  Regular IP firewalls: –Cannot verify encapsulated GTP packets –Can only filter certain known ports

20 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS Security  Basic Problem: –SGSN handles authentication –GGSN trusts SGSN  Mobility: –Handover of active tunnels  Fragile, “non-hardened” software  Roaming expands your “circle of trust”  GRX: Trusting external provider  IP lesson learned: Control your own security

21 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS Security  A distinction needs to be done –Security of Radio Channel –Security of IP and Core supporting network  In GPRS encryption stops at the SGSN  After SGSN traffic is all TCP/IP  All typical TCP/IP attacks vectors apply

22 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. What is the real risk?  Risk vectors –Own mobile data subscribers –Partner networks – GRX  Lessons learned from the IP world –New security vulnerabilities constantly being found in software using Internet Protocol (IP) –Evolving GPRS/UMTS software will be no different –You cannot depend on the network to provide your security - you need to provide your own

[Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Attacks and Impact

24 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Possible Attacks  Over-Billing Attacks –Charging the customers for traffic they did not use  Protocol Anomaly Attacks –Malformed or corrupt packets  Infrastructure Attacks –Attempts to connect to restricted machines such as the GGSN

25 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Possible Attacks  GTP handover –Handover between SGSNs should not allow handover to an SGSN that belongs to a PLMN with no roaming agreement.  Resource Starvation Attacks –DoS attacks

26 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Over-Billing Attack GPRS backbone internet access network internet radio access network SGSNGGSN internet firewall malicious server charging gateway  initially, all tables are empty  malicious and victim terminals have no PDP context activated IMSI/IP table Stateful table dstsrc IP malicious terminal victim terminal IMSI M IMSI V Source: Gauthier, Dubas & Vallet

27 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS backbone internet access network internet radio access network SGSNGGSN internet firewall malicious terminal victim terminal charging gateway  malicious GPRS terminal activates GPRS  malicious GPRS terminal is assigned IP address GTP:Create PDP Context Request IMSI M IMSI V IMSI/IP table GTP:Create PDP Context Response (IP addr = ) M Stateful table dstsrc SM:Activate PDP Context Request IP SM:Activate PDP Context Accept malicious server IP Over-Billing Attack Source: Gauthier, Dubas & Vallet

28 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS backbone internet access network internet radio access network SGSNGGSN internet firewall charging gateway  malicious party opens a TCP connection between terminal and server TCP:SYN TCP:SYN/ACK IMSI/IP table M Stateful table dstsrc TCP:ACK malicious terminal victim terminal IMSI M IMSI V IP malicious server IP Over-Billing Attack Source: Gauthier, Dubas & Vallet

29 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS backbone internet access network internet radio access network SGSNGGSN internet firewall charging gateway  malicious server starts sending TCP FIN packets  malicious GPRS terminal deactivates its PDP context TCP:FIN IMSI/IP table M malicious terminal victim terminal IMSI M IMSI V IP malicious server IP GTP:Delete PDP Context Request SM:Deactivate PDP Context Request Stateful table dstsrc Over-Billing Attack Source: Gauthier, Dubas & Vallet

30 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS backbone internet access network internet radio access network SGSNGGSN internet firewall charging gateway  GGSN drops the FIN packets  malicious terminal still GPRS attached TCP:FIN SM: Deactivate PDP Context Accept IMSI/IP table malicious terminal victim terminal IMSI M IMSI V malicious server IP GTP: Delete PDP Context Response Stateful table dstsrc Over-Billing Attack Source: Gauthier, Dubas & Vallet

31 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS backbone internet access network internet radio access network SGSNGGSN internet firewall charging gateway  victim activates its PDP context  GGSM assigns IP address to the victim terminal TCP:FIN IMSI/IP table malicious terminal victim terminal IMSI M IMSI V malicious server IP Stateful table dstsrc V Over-Billing Attack Source: Gauthier, Dubas & Vallet

32 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS backbone internet access network internet radio access network SGSNGGSN internet firewall charging gateway  GGSN starts routing again the TCP FIN packets  victim terminal starts receiving the TCP FIN packets TCP:FIN IMSI/IP table malicious terminal victim terminal IMSI M IMSI V IP malicious server IP Stateful table dstsrc V Over-Billing Attack. Source: Gauthier, Dubas & Vallet

33 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Handover – Updating PDP Contexts BSS GGSN Other PLMN SGSN GGSN Gi Gn Gp Internet BSS/UTRAN C&B Home PLMN BSS/UTRAN VPN-1/FireWall-1 SGSN Roaming SGSN context request SGSN context response Update PDP context GRX

34 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GRX Security Report Observation Window: 19 hours

[Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GTP Awareness

36 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GTP Aware Security Solution  Designed for wireless operators  Dedicated to protect GPRS and UMTS networks  GTP-level security solution  Blocks illegitimate traffic “at the door”  Stateful Inspection technology  Granular security policies  Strong and Comprehensive Management Infrastructure

37 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Deployment Scenarios

38 [Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Summary  GTP itself is not designed to be secure  Basic architectural vulnerabilities –Overbilling attack –Infrastructure attacks  Vendor specific vulnerabilities –Protocol anomalies –Resource starvation  Real world, critical security events identified in GRX  Adoption of 3G services requires advanced GTP aware security solutions

[Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Thank you! Guto Motta SE Manager Latin America

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.