by Steve Taylor and Larry Hettick

Comparing PSTN and data security

Feb 18, 2004 (2 mins)

* Comparisons between security of PSTN and security in data networks

This time we’d like to make some comparisons between the security of the PSTN and the security of data networks.

Data networks, like the PSTN, require physical protection on some levels. Data networks also rely on firewalls for security. A firewall is a system (software, hardware or both) that enforces an access control policy between two networks. One function of the firewall is to block entry, the other is to permit it; policy levels determine the entry and egress of data.

Like data networking firewalls, the PSTN’s SS7 signal transfer point (STP) acts as a “firewall” to screen SS7 messages exchanged with other SS7 networks. SS7 can use digital signatures in the messaging protocols to offer an added layer of security. Service control points (SCP) and STPs are also deployed in mated pairs in separate physical locations to improve network reliability and security.

Data networking also relies on encryption to prevent unauthorized users from gaining access to raw data. Unlike a secure IP network, the SS7 network does not use encryption; therefore a hacker who can gain access to the signaling channel can see into the heart and soul of PSTN signaling.

When SS7 was first introduced, each major phone company generally had its own independent SS7 network. However, since the introduction of number portability, North American SS7 networks now function as one single network. So, as with the Internet, if one SS7 node becomes “infected” or hacked, then other SS7 nodes and potentially the entire SS7 network can become vulnerable. While recovery could quickly be re-established by “unlinking” the SS7 network back to individual carriers’ SS7 networks, the merger of wireline and wireless carriers’ networks presents special security challenges to the SS7 network.

Even greater concerns lie in the convergence of public IP and the PSTN signaling infrastructures. We’ll discuss these next time.