Managing Security Vulnerabilities on Communication Infrastructure

Signaling is a Control Plane (CP) mechanism required between the Core Network Elements (NE) or Functions (NF) to set up communication channels for subscriber traffic in the User Plane (UP). Signaling routers and proxies in 4G and 5G core networks function as the nerve centers for routing signaling between a myriad of NE/NF in the Evolved Packet Core (EPC) and 5G Core networks. Being central to the core elements, they offer network simplification, multi-vendor message exchange, network protection against congestion and uneven load distribution, as well as service availability. Their deployment in a virtualized or a hybrid environment enables a distributed signaling architecture that meets network service performance, scalability, and resiliency requirements.

Due to the centralized nature of the signaling routers and proxies, securing them from vulnerabilities is of vital importance to the Communication Service Provider (CSP). Compromise of the hosts, guest applications or the networking fabric is a major concern to the CSP, as service disruption may result if risks are not mitigated in a timely fashion.

Unethical hackers never stop looking for open opportunities to compromise businesses for one reason or another. Thus, IT Security teams run security scans, on a monthly or bi-weekly basis, to discover vulnerabilities in the signaling solution. The resulting data is overwhelming for both the CSP and the solution vendor. The business problem is twofold. For the CSP Operations team, it is how to manage the security exposure. For the solution vendor, it is how to focus their limited resources on delivering solutions rather than spinning their wheels patching software.

The CELENIUM SME action started by defining the problem domains and scope, outlining the solution paths, identifying mitigation resources, determining the processes and procedures for risk mitigation, and then listing the handover points between the solution provider and the CSP personnel.

Security scans discover vulnerabilities in the signaling solution components at the system and network levels. System scans capture vulnerabilities in the operating systems and installed packages, while network or port scans examine the network interfaces to identify unnecessary open ports. System scans target the hosts, guests, and Top of Rack switches. The resulting Common Vulnerabilities and Exposures (CVEs) may or may not impact the product. As such, the action differs per finding, and also depends on the criticality of the exposure. On system hosts, the majority of system-scan findings tend to be duplicated across hosts; an operating system patch update performed manually, or via yum/dnf update, resolves the issue. Application-related vulnerabilities are more involved and require application development patches or scheduling in a future release.
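The triage step described above, consolidating per-host scan findings into one entry per CVE and routing each to the OS-patch path or the application-patch path, is shown here as an added example. It is not CELENIUM's tooling or any scanner's output format; the CSV layout, host names, package names and CVE ids are constructed placeholders (the year field 0000 marks them as fake), and the routing rule is the one the paragraph gives: OS package findings go to CSP operations for a yum/dnf update, application findings go to the solution vendor.

```python
import csv
import io

# Constructed sample of system-scan findings, one row per (host, finding).
# Hosts, packages and CVE ids are placeholders, not real scan output.
SAMPLE_SCAN_CSV = """host,cve,severity,package,component
dsr-host-01,CVE-0000-0001,High,openssl,os
dsr-host-02,CVE-0000-0001,High,openssl,os
dsr-host-03,CVE-0000-0001,High,openssl,os
dsr-host-01,CVE-0000-0002,Medium,kernel,os
dsr-host-02,CVE-0000-0002,Medium,kernel,os
dsr-guest-01,CVE-0000-0003,Critical,diameter-proxy,application
tor-switch-01,CVE-0000-0004,Low,sshd,os
"""

# Lower rank sorts first; unknown severities fall to the end.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_findings(text):
    """Read the CSV export into a list of dict rows (one per host/finding)."""
    return list(csv.DictReader(io.StringIO(text)))


def consolidate(findings):
    """Collapse per-host rows into one entry per CVE, listing affected hosts.

    Ordered by severity, then by number of affected hosts (most first), so the
    duplicated OS findings that dominate scan reports surface as a single item.
    """
    by_cve = {}
    for row in findings:
        entry = by_cve.setdefault(row["cve"], {
            "cve": row["cve"],
            "severity": row["severity"],
            "package": row["package"],
            "component": row["component"],
            "hosts": [],
        })
        entry["hosts"].append(row["host"])
    return sorted(
        by_cve.values(),
        key=lambda e: (SEVERITY_RANK.get(e["severity"], 99), -len(e["hosts"])),
    )


def assign_action(entry):
    """Route a consolidated CVE to its owner: OS findings to the CSP
    operations team (package update), application findings to the vendor."""
    if entry["component"] == "os":
        return "CSP operations: OS package update (yum/dnf update)"
    return "Solution vendor: application patch or scheduled release"


def triage(text):
    """Full pipeline: parse, deduplicate across hosts, assign an owner."""
    report = []
    for entry in consolidate(parse_findings(text)):
        entry["action"] = assign_action(entry)
        report.append(entry)
    return report


if __name__ == "__main__":
    raw = parse_findings(SAMPLE_SCAN_CSV)
    report = triage(SAMPLE_SCAN_CSV)
    print(f"{len(raw)} raw findings -> {len(report)} unique CVEs")
    for e in report:
        print(f'{e["cve"]:15} {e["severity"]:8} hosts={len(e["hosts"])}  {e["action"]}')
```

On the constructed sample, seven raw rows collapse to four CVEs; the one Critical application finding sorts first, and the High OS finding that appears on three hosts becomes a single work item for the operations team.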

The security risk mitigation passes through self-contained phases. Each has a well-defined scope, scenarios and actions. Using project management processes and the project lifecycle, roles and responsibilities for each phase are assigned. Methods of Procedure (MoPs) are created for the respective core network deployment, and a demonstration is provided to aid in handing over responsibility from the solution provider to CSP personnel.

Problem solved!

“Ahmad is an excellent engineer and a solution design architect whom I’ve had a great pleasure working with on several 4G and 5G projects, and I am proud to have him on my team. Ahmad brings breadth of knowledge and experience in many different aspects of the industry. He pays careful attention to details, communicating and articulating complex solutions with stellar diagrams and neat documentation that make the organization look good, and the entire implementation clear and easy to understand by the team and the customers, who highly appreciate the details and the fine documentation. Customers like the fact that they can talk to an expert like Ahmad who knows the subject matter, and can delve deep into technical details to ensure the proposed solution is well understood and how the implementation is going to work.”

Hanan Dadon, Sr. Manager Consulting, Architecture & Solutions at Oracle