Method of and apparatus for mediating common channel signaling message between networks using control message templates
First Claim
1. A communication network, comprising:
- (A) local communication links, (B) a plurality of separately located central office switching systems interconnected via trunk circuits for selectively providing switched call connections between at least two of the local communication links in response to predetermined control data messages, (C) a signaling communication system for two-way communications of said control data messages between at least said central office switching systems, said signaling communication system interconnecting the central office switching systems;
(D) a signaling gateway, separate from the central office switching systems and connected to said signaling communications system, said signaling gateway including an interface connected to a remote communications network and configured to exchange said control data messages between said remote communication network and said central office switching systems by way of said signaling communication system, and (E) a signaling system security monitor, separate from the central office switching systems, said signaling system security monitor including a plurality of message templates corresponding to approved individual ones of said control data messages, sequences of such control data messages and informational relationships between the data contents of such data messages, said signaling system security monitor being responsive to said message templates to perform syntax and content dependent screening of said control data messages, said content dependent screening including checking appropriateness of said control data messages in context of (i) a state of the communications network and (ii) prior related messages.
2 Assignments
0 Petitions
Abstract
A communication network includes a Security Gatekeeper that authenticates and validates network control messages within, transiting, entering and leaving an overlying control fabric such as an SS7 network. The Security Gatekeeper incorporates several levels of checks to ensure that messages are properly authenticated, valid, and consistent with call progress and system status. In addition to message format, message content is checked to ensure that the originating node has the proper authority to send the message and to invoke the related functions and that the message, itself, is appropriately coded. Predefined sets of templates may be used to check the messages, each set of templates being associated with respective originating point codes and/or calling party addresses. The templates may also be associated with various system states such that messages corresponding to a particular template cause a state transition along a particular edge to a next state node for which another set of templates is defined. Thus, system, call and/or transaction state are maintained. The monitor also includes signaling point authentication using digital signatures and timestamps. Timestamps are also used to initiate appropriate timeouts and so that old or improperly sequenced messages may be ignored, corrected or otherwise processed appropriately. The Security Gatekeeper may be located at the edge of a network to be protected so that all messaging to and from the protected network must enter and egress by way of the Gatekeeper. Alternatively, the Security Gatekeeper may be internal to the protected network. In this configuration, ISUP traffic can be monitored by configuring the Security Gatekeeper as a “pseudo switch” so that ISUP messaging is routed through the Gatekeeper on its way between interconnected SSPs, while actual bearer traffic is trunked directly between the associated SSPs, bypassing the Gatekeeper.
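The screening pipeline the abstract describes, and that claims 1 and 26 recite (template sets selected by originating point code, syntax checks on message fields, timestamp checks that drop old or misordered messages, and a call-state graph whose edges are traversed only by accepted messages), as an added Python sketch. This is illustrative code written for this page, not code from the patent or its assignee. The ISUP message types IAM, ACM, ANM, REL and RLC are real, but the dictionary-based message format, the point codes, the per-field rules, the 30-second freshness window and the sample traffic are all constructed for the example, and signaling-point authentication by digital signature is left out.

```python
"""Toy SS7/ISUP security gatekeeper: per-OPC templates, syntax screening,
timestamp freshness/ordering, and per-circuit call-state tracking.
Message encoding and all data below are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Template sets keyed by originating point code (constructed point codes).
# Each set lists the message types that node is approved to send and a
# regex per field that a message of that type must carry.
TEMPLATES = {
    "1-2-3": {  # full interconnect partner: may set up and tear down calls
        "IAM": {"cic": r"\d{1,5}", "called": r"\d{7,15}", "calling": r"\d{7,15}"},
        "ACM": {"cic": r"\d{1,5}"},
        "ANM": {"cic": r"\d{1,5}"},
        "REL": {"cic": r"\d{1,5}", "cause": r"\d{1,3}"},
        "RLC": {"cic": r"\d{1,5}"},
    },
    "4-5-6": {  # restricted partner: may release circuits, never originate calls
        "REL": {"cic": r"\d{1,5}", "cause": r"\d{1,3}"},
        "RLC": {"cic": r"\d{1,5}"},
    },
}

# Call-state graph: (current state, message type) -> next state.
# A message whose (state, type) pair is not an edge is out of sequence.
TRANSITIONS = {
    ("IDLE", "IAM"): "SETUP",
    ("SETUP", "ACM"): "ALERTING",
    ("SETUP", "REL"): "RELEASING",
    ("ALERTING", "ANM"): "ACTIVE",
    ("ALERTING", "REL"): "RELEASING",
    ("ACTIVE", "REL"): "RELEASING",
    ("RELEASING", "RLC"): "IDLE",
}

MAX_AGE_S = 30  # assumed freshness window for the timestamp check


@dataclass
class Verdict:
    allowed: bool
    reason: str


@dataclass
class Gatekeeper:
    circuits: dict = field(default_factory=dict)  # CIC -> call state
    last_ts: dict = field(default_factory=dict)   # CIC -> newest accepted timestamp

    def screen(self, msg, now):
        opc, mtype, cic = msg.get("opc"), msg.get("type"), str(msg.get("cic", ""))
        templates = TEMPLATES.get(opc)
        if templates is None:
            return Verdict(False, f"unknown originating point code {opc}")
        tmpl = templates.get(mtype)
        if tmpl is None:  # authority check: this OPC may not send this type
            return Verdict(False, f"{mtype} not approved for OPC {opc}")
        for fld, pattern in tmpl.items():  # syntax screening of each templated field
            val = msg.get(fld)
            if val is None or not re.fullmatch(pattern, str(val)):
                return Verdict(False, f"{mtype}: bad or missing field {fld!r}")
        ts = msg.get("ts")  # too old, or not newer than the last accepted on this CIC
        if ts is None or now - ts > MAX_AGE_S or ts <= self.last_ts.get(cic, -1):
            return Verdict(False, f"{mtype}: stale or replayed timestamp {ts}")
        state = self.circuits.get(cic, "IDLE")  # content screening against call state
        nxt = TRANSITIONS.get((state, mtype))
        if nxt is None:
            return Verdict(False, f"{mtype} not expected on CIC {cic} in state {state}")
        self.circuits[cic] = nxt  # only accepted messages advance state and clock
        self.last_ts[cic] = ts
        return Verdict(True, f"{mtype} ok, CIC {cic} -> {nxt}")


# Constructed traffic: (wall-clock now, message). Items 4-6 and 9-10 are the
# failure modes: wrong authority, out-of-sequence, stale, bad syntax, unknown OPC.
SAMPLE_STREAM = [
    (100, {"opc": "1-2-3", "type": "IAM", "cic": "17", "called": "2125551234", "calling": "3125559876", "ts": 100}),
    (101, {"opc": "1-2-3", "type": "ACM", "cic": "17", "ts": 101}),
    (102, {"opc": "1-2-3", "type": "ANM", "cic": "17", "ts": 102}),
    (103, {"opc": "4-5-6", "type": "IAM", "cic": "20", "called": "2125550000", "calling": "3125550000", "ts": 103}),
    (104, {"opc": "1-2-3", "type": "ANM", "cic": "17", "ts": 104}),
    (105, {"opc": "1-2-3", "type": "REL", "cic": "17", "cause": "16", "ts": 60}),
    (106, {"opc": "1-2-3", "type": "REL", "cic": "17", "cause": "16", "ts": 106}),
    (107, {"opc": "1-2-3", "type": "RLC", "cic": "17", "ts": 107}),
    (108, {"opc": "1-2-3", "type": "REL", "cic": "abc", "cause": "16", "ts": 108}),
    (109, {"opc": "9-9-9", "type": "RLC", "cic": "17", "ts": 109}),
]


def run_demo():
    """Screen the constructed stream; return the gatekeeper and its verdicts."""
    gk = Gatekeeper()
    return gk, [gk.screen(msg, now) for now, msg in SAMPLE_STREAM]


if __name__ == "__main__":
    for verdict in run_demo()[1]:
        print("PASS" if verdict.allowed else "DROP", verdict.reason)
```

The state and timestamp tables are updated only when a message passes every check, so a rejected message cannot push a circuit into a bogus state or advance its clock; that is what makes the replay check in step 6 and the sequence check in step 5 independent of each other.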
62 Citations
32 Claims
1. A communication network, comprising: (independent claim; recited in full above under First Claim. Claims 2 through 25 depend from claim 1.)
26. A method of securely interfacing control links of respective communication networks, comprising the steps of:
storing a plurality of control message templates; exchanging control data messages between a remote communication network and a plurality of switching systems via a local signaling communication system; selecting ones of said control message templates in response to respective ones of said control messages; determining, using said templates, if said control data messages are proper including, responsive to said message templates, performing syntax and content dependent screening of said control data messages, said content dependent screening including checking appropriateness of said control data messages in context of (i) a state of the communications network and (ii) prior related messages; in response to said determining step, selectively communicating and selectively modifying so as to bring into conformance with expectations said control data messages between said central office switching systems; selectively routing messages from an incoming link to an outgoing link in response to said control data messages; and selectively generating control messages to help restore system integrity in cases where control messages are disallowed. (Claims 27 through 32 depend from claim 26.)
Specification