SigFW is an Open Source SS7/Diameter firewall for Antisniff, Antispoof & Threat Hunt.
Abstract
Vulnerabilities in the SS7/Sigtran protocol stack affect the security of every mobile user worldwide. SS7 is the signalling exchanged between mobile operators' core networks: it tells the network where a subscriber's phone is currently located and where to route calls and data. Hardening the end device does not help here, because attacks such as location tracking and interception ride on what is, from the network's point of view, legitimate SS7 traffic. Protection against SS7 vulnerabilities therefore has to happen at operator level, and that has not really been possible until now.
* SS7 firewall – Technical capabilities
– Open SS7 TCAP encryption and signing of the SS7 messages, including automatic encryption setup
– SS7 SCCP blacklists (Category 0)
– SS7 TCAP blacklists (Category 1)
– SS7 MAP firewall rules (Category 2)
– Signalling IDS integration (for Category 3 and advanced detection)
– SS7 filtering and honeypotting
– Centralized threat reporting with mThreat integration
– Collaboration with other SS7 and signaling security systems
– Management through open APIs
– Passive run (re-run traffic from pcap or passive interface to test the firewall)
– Lua programmable firewall rules
– Scalable/Decentralized solution
* Diameter firewall – Technical capabilities
– Open Diameter encryption and signing of the Diameter messages, including automatic encryption setup
– Diameter host and realms blacklists (Category 0)
– Diameter Command Code blacklists and Realm whitelist (Category 1)
– Diameter firewall rules (Category 2)
– Signalling IDS integration (for Category 3 and advanced detection)
– Diameter filtering and honeypotting
– Centralized threat reporting with mThreat integration
– Collaboration with other Diameter and signaling security systems
– Management through open APIs
– Passive run (re-run traffic from pcap or passive interface to test the firewall)
– Lua programmable firewall rules
– Scalable/Decentralized solution
Dependencies:
+ Maven & Wireshark (tshark is used to replay pcap files)
+ SCTP API http://openjdk.java.net/projects/sctp/html/gettingstarted.html
Security:
– For both SS7FW and DiameterFW, before putting an instance into use (values left as shipped are identical in every clone of the repository):
– realm.properties: change the username and password for the firewall API
– sigfw.json: generate new public and private keys; change the mThreat salt
– Jetty: replace the certificate
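The three items above are easy to forget on a second or third deployment, so here is a pre-deployment check that flags the first two if they are still at placeholder or plaintext values. This is an added example, not SigFW's own code: the Jetty realm.properties syntax (`user: password,role`, with optional `OBF:`, `MD5:` and `CRYPT:` password prefixes) is Jetty's, but the field names inside sigfw.json are assumed here, so the checker simply walks the whole JSON document and examines any field whose name contains "key" or "salt". The sample file bodies are constructed for the example.

```python
"""Pre-deployment hardening check for a SigFW instance.

Added example, not project code.  It inspects the two text files the README
says must be changed before use:

  realm.properties  Jetty HashLoginService file, one "user: password,role"
                    line per account.  Jetty accepts plaintext, OBF:, MD5: and
                    CRYPT: passwords; OBF: is reversible obfuscation, not a
                    hash, so it is flagged as well.
  sigfw.json        firewall configuration holding the key material and the
                    mThreat salt.  The field names in the sample are an
                    assumption; the walker looks at every field whose name
                    contains "key" or "salt".

Both sample bodies below are constructed for the example.
"""
import json
import re
import sys
from typing import Any, Dict, Iterator, List, Tuple

SAMPLE_REALM = """\
# <username>: <password>[,<role> ...]
admin: admin,user
"""

SAMPLE_SIGFW_JSON = """\
{
  "sigfw_configuration": {
    "encryption": {"public_key": "", "private_key": ""},
    "mthreat": {"mthreat_salt": "CHANGE_ME"}
  }
}
"""

WEAK_PASSWORDS = {"admin", "password", "sigfw", "changeme", "test", "user"}
PLACEHOLDERS = {"", "changeme", "change_me", "todo", "null", "none", "default"}
MIN_SECRET_LEN = 16    # assumption: anything shorter is not real key material
MIN_PASSWORD_LEN = 12

REALM_LINE = re.compile(r"^([^:=\s]+)\s*[:=]\s*([^,]*)(?:,(.*))?$")


def check_realm(text: str) -> List[str]:
    """Findings for a Jetty realm.properties body (empty list == clean)."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REALM_LINE.match(line)
        if not m:
            findings.append(f"realm.properties:{lineno}: unparseable line")
            continue
        user, password = m.group(1), m.group(2).strip()
        upper = password.upper()
        if upper.startswith(("MD5:", "CRYPT:")):
            continue                  # hashed: strength unknown, but not plaintext
        if upper.startswith("OBF:"):
            findings.append(f"realm.properties:{lineno}: {user!r} uses OBF: "
                            "(reversible obfuscation, not a hash)")
            continue
        findings.append(f"realm.properties:{lineno}: {user!r} has a plaintext password")
        if password.lower() in WEAK_PASSWORDS or len(password) < MIN_PASSWORD_LEN:
            findings.append(f"realm.properties:{lineno}: {user!r} has a weak password")
    return findings


def _leaves(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Depth-first walk yielding (json-path, scalar) pairs."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _leaves(value, f"{path}[{i}]")
    else:
        yield path, node


def check_sigfw(text: str) -> List[str]:
    """Findings for a sigfw.json body: placeholder or short keys/salts."""
    findings: List[str] = []
    for path, value in _leaves(json.loads(text)):
        name = path.rsplit("/", 1)[-1].lower()
        if "key" not in name and "salt" not in name:
            continue
        secret = "" if value is None else str(value).strip()
        if secret.lower() in PLACEHOLDERS:
            findings.append(f"sigfw.json:{path}: empty or placeholder value")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"sigfw.json:{path}: only {len(secret)} chars, not real key material")
    return findings


def run_checks(realm_text: str, sigfw_text: str) -> Dict[str, List[str]]:
    return {"realm.properties": check_realm(realm_text),
            "sigfw.json": check_sigfw(sigfw_text)}


if __name__ == "__main__":
    # Usage: python check_sigfw_hardening.py [realm.properties sigfw.json]
    if len(sys.argv) == 3:
        realm_body = open(sys.argv[1]).read()
        sigfw_body = open(sys.argv[2]).read()
    else:
        realm_body, sigfw_body = SAMPLE_REALM, SAMPLE_SIGFW_JSON
    report = run_checks(realm_body, sigfw_body)
    for fname, items in report.items():
        status = "clean" if not items else f"{len(items)} finding(s)"
        print(f"{fname}: {status}")
        for item in items:
            print("  -", item)
    sys.exit(1 if any(report.values()) else 0)
```

Run it against the real files before starting the firewall; a non-zero exit means something is still at a shipped or placeholder value. The Jetty certificate is not covered here because a keystore check needs the keystore password and tooling outside the standard library.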
To test the encryption and signatures, run two firewall instances instead of one:
+ Instead of SS7Firewall run SS7FirewallFirstInstance and SS7FirewallSecondInstance
+ Instead of DiameterFirewall run DiameterFirewallFirstInstance and DiameterFirewallSecondInstance
Usage:
git clone https://github.com/P1sec/SigFW && cd SigFW
cd ss7fw/ss7fw.ss7fw-core_jar_1.0.0-SNAPSHOT
Run SS7FW project (firewall, client and server are separate long-running processes, each in its own terminal):
mvn exec:java -Dexec.mainClass="ss7fw.SS7Firewall"
mvn exec:java -Dexec.mainClass="ss7fw.SS7ClientLiveInput"
mvn exec:java -Dexec.mainClass="ss7fw.SS7Server"
Replay traffic from pcap (the firewall must already be running and reading the pipe, otherwise cat blocks on opening the fifo):
cd ./input
mkfifo pipe
tshark -T ek -x -j "" -r ./sigtran.pcap > sigtran.json
cat ./sigtran.json > pipe
Build DiameterFW project (from the repository root):
cd diameterfw/diameterfw.diameterfw-core_jar_1.0.0-SNAPSHOT
mvn clean install -Dmaven.test.skip=true
Run DiameterFW project (again one process per terminal):
mvn exec:java -Dexec.mainClass="diameterfw.DiameterFirewall"
mvn exec:java -Dexec.mainClass="diameterfw.DiameterClientLiveInput"
mvn exec:java -Dexec.mainClass="diameterfw.DiameterServer"
Replay traffic from pcap:
cd ./input
mkfifo pipe
tshark -T ek -x -j "" -r ./diameter.pcap > diameter.json
cat ./diameter.json > pipe
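The replay step above feeds whatever tshark produced straight into the firewall's pipe, so a capture that was dissected without the raw bytes, or that contains no signalling at all, fails silently. The following pre-flight check, an added example rather than SigFW's own code, summarises a `tshark -T ek -x` output file before it is replayed and works for both the SS7 and the Diameter case. It relies on the shape of tshark's ek output (one `{"index": ...}` action line followed by one packet document per packet, with the `-x` bytes in a `frame_raw` field under `layers`, emitted as a plain hex string by older releases and as a list whose first element is the hex string by newer ones); that description is this example's assumption, not something the README states, and the sample lines are constructed with far fewer fields than real output.

```python
"""Pre-flight check of a tshark -T ek -x capture before feeding it to the
SigFW input pipe.  Added example, not project code; it serves both the
SS7 (sigtran.pcap) and Diameter (diameter.pcap) replay described above.

tshark -T ek writes two JSON lines per packet: an {"index": ...} action line
and then the packet document {"timestamp": ..., "layers": {...}}.  With -x
the packet bytes appear as hex in a frame_raw field inside "layers"; older
tshark releases emit the hex as a plain string, newer ones as a list whose
first element is the hex string, and both shapes are accepted below.  That
description of the tool's output is this example's assumption, not something
the README states.  The sample lines are constructed for the example.
"""
import json
import sys
from typing import Any, Dict, Iterable, Iterator, Optional

SAMPLE_EK = [
    '{"index":{"_index":"packets-2019-01-01","_type":"doc"}}',
    '{"timestamp":"1546300800000","layers":{"frame":{"frame_frame_len":"120"},'
    '"ip":{},"sctp":{},"m3ua":{},"sccp":{},"tcap":{},"gsm_map":{},'
    '"frame_raw":["0100a2d5000000000000000000000000"]}}',
    '{"index":{"_index":"packets-2019-01-01","_type":"doc"}}',
    '{"timestamp":"1546300801000","layers":{"frame":{},"ip":{},"tcp":{},"http":{},'
    '"frame_raw":"474554202f20485454502f312e31"}}',
    '{"index":{"_index":"packets-2019-01-01","_type":"doc"}}',
    '{"timestamp":"1546300802000","layers":{"frame":{},"ip":{},"sctp":{},'
    '"diameter":{}}}',
]


def iter_packets(lines: Iterable[str]) -> Iterator[Dict[str, Any]]:
    """Yield packet documents only, skipping the ek index action lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        doc = json.loads(raw)
        if "layers" not in doc:           # {"index": ...} action line
            continue
        yield doc


def frame_hex(doc: Dict[str, Any]) -> Optional[str]:
    """Return the hex packet bytes produced by -x, or None if absent."""
    value = doc.get("layers", {}).get("frame_raw")
    if isinstance(value, list) and value:
        value = value[0]
    return value if isinstance(value, str) and value else None


def is_signalling(layers: Dict[str, Any]) -> bool:
    """SS7 over Sigtran (SCTP/M3UA) or Diameter over SCTP."""
    return "sctp" in layers and ("m3ua" in layers or "diameter" in layers)


def preflight(lines: Iterable[str]) -> Dict[str, Any]:
    """Summarise an ek stream: how many packets are signalling, and whether
    every signalling packet carries the raw bytes that -x should have added."""
    stats: Dict[str, Any] = {"packets": 0, "signalling": 0, "with_raw": 0,
                             "signalling_without_raw": 0, "layers": {}}
    for doc in iter_packets(lines):
        layers = doc["layers"]
        stats["packets"] += 1
        for name in layers:
            if not name.endswith("_raw"):
                stats["layers"][name] = stats["layers"].get(name, 0) + 1
        sig = is_signalling(layers)
        raw = frame_hex(doc) is not None
        stats["signalling"] += int(sig)
        stats["with_raw"] += int(raw)
        stats["signalling_without_raw"] += int(sig and not raw)
    stats["ok"] = stats["signalling"] > 0 and stats["signalling_without_raw"] == 0
    return stats


if __name__ == "__main__":
    # Usage: python ek_preflight.py sigtran.json   (file written by tshark -T ek -x)
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as fh:
            result = preflight(fh)
    else:
        result = preflight(SAMPLE_EK)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

Run it on sigtran.json or diameter.json before the `cat ... > pipe` step; a non-zero exit means either no SCTP/M3UA or SCTP/Diameter packets were found or some of them lack the `-x` bytes. Remember that writing to the fifo blocks until the firewall has opened it for reading, so start the firewall first.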
Source: https://github.com/P1sec