Systems Engineering Approach to Security Baseline for SS7 Table
From the NIIF Reference Document, Part III, Installation, Testing & Maintenance Responsibilities for SS7 Links and Trunks – Attachment I, SS7 Network Security Base Guidelines
The following table includes a list of questions that should be addressed when performing a security analysis. The list is not a complete list but is provided as a starting point.
CCSN Logical Security ChecklistQuestion / Yes/No / If No,
Why not?
Is security addressed across the entity's entire CCS network?
Are CCSN Critical Common Environments defined and isolated (e.g. by firewall perimeters) to limit access to authorized processes and users?
If fire walls are deployed are they placed around the CCSN CCE e.g., a "perimeter" or perimeters placed around the OAM&P of critical CCS components, NEs, NSs and OSs ?
Are software changes controlled and verified to maintain the established security perimeter?
Has a security baseline been established for Network Elements, NEs, Network Systems,NSs, and Operations Support Systems, OSs and Data Communication Network DCNs?
Is that baseline specified or referenced in procurement RFPs and contracts?
Do new NEs, NSs, OSs and DCNs meet those requirements?
Are organizational responsibilities for network security defined?
Is that responsibility clearly placed within CCSN common management reporting?
Is security part of the defined responsibilities for the personnel that monitor, maintain and control various CCSN and SS7 components?
Are all CCS network connectivity and network mappings documented?
If documented, has the connectivity been verified?
Have the following generic countermeasures been implemented for all key CCSN nodes (NEs, NSs and OSs):
Assignment of command privileges to each class of user by functional responsibility, to allow the power to get the job done, while reserving special power (e.g., the ability to change user passwords) to the security administrator ?
Use of (COMPLIANT) commercially-available access-control systems (e.g., dial-back modems that do not utilize a pass-through feature) to secure remote access to CCS nodes?
Use of encryption equipment at each end of an OAM&P access session which transits an open PPSN?
Use of available access control software at the host system?
Use of established access procedures and security routines (e.g., periodic re-authorization of users and the use of security tools)?
Elimination of uncontrolled dial access?
Controlled access for vendor support?
Controlled access to dial-in protocol analyzers on the signaling links and X.25 facilities between CCSN nodes e.g., STPs?
Intrusion recovery plans for the entity's CCSN?
Security on the gateway screening tables?
Adequate security on the node restart capability?
Adequate security on vendor-specific node restart procedures?
Back-up tapes and media available and secured off-site?