Method of and apparatus for authenticating control messages in a signaling network
First Claim

1. A communication network, comprising:
- (A) local communication links,
- (B) a plurality of separately located central office switching systems interconnected via trunk circuits for selectively providing switched call connections between at least two of the local communication links in response to predetermined control data messages,
- (C) a signaling communication system for two-way communications of said control data messages between said central office switching systems, said signaling communication system interconnecting the central office switching systems;
- (D) a signaling gateway, separate from the central office switching systems and connected to said signaling communications system, said signaling gateway including an interface connected to a remote communications network and configured to exchange said control data messages between said remote communication network and said central office switching systems by way of said signaling communication system, and
- (E) a signaling system security monitor, separate from the central office switching systems, said signaling system security monitor configured to evaluate an encrypted portion of said control data messages including digital time stamps so as to authenticate corresponding ones of said control messages and, in response, determine if said control data messages are chronologically sequenced.
Abstract
A communication network includes an SS7 Security Gatekeeper that authenticates and validates network control messages within, transiting, entering and leaving an overlying control fabric such as an SS7 network. The SS7 Security Gatekeeper incorporates several levels of checks to ensure that messages are properly authenticated, valid, and consistent with call progress and system status. In addition to message format, message content is checked to ensure that the originating node has the proper authority to send the message and to invoke the related functions. Predefined sets of templates may be used to check the messages, each set of templates being associated with respective originating point codes and/or calling party addresses. The templates may also be associated with various system states such that messages corresponding to a particular template cause a state transition along a particular edge to a next state node at which another set of templates is defined. Thus, system and call state is maintained. The monitor also includes signaling point authentication using digital signatures and timestamps. Timestamps are also used to initiate appropriate timeouts and so that old or improperly sequenced messages may be ignored, corrected or otherwise processed appropriately. The SS7 Security Gatekeeper may be located at the edge of a network to be protected so that all messaging to and from the protected network must egress by way of the Gatekeeper. Alternatively, the SS7 Security Gatekeeper may be internal to the protected network and configured as a “pseudo switch” so that ISUP messaging is routed through the Gatekeeper while actual traffic is trunked directly between the associated SSPs, bypassing the Gatekeeper.
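The three layers of checking the abstract describes (signaling point authentication, timestamp-based sequencing, and per-point-code templates tied to call state) can be illustrated with a small simulation. This is an added example and not the patent's own implementation; it assumes per-point-code HMAC keys as a stand-in for the digital signatures, a constructed ISUP-style call state graph (IAM, ACM, ANM, REL, RLC), a 30-second freshness window, and a `Gatekeeper.check` function that returns a verdict string.

```python
import hmac, hashlib, time

# Constructed per-point-code keys stand in for the patent's digital signatures;
# a real gatekeeper would verify certificates instead (assumption).
POINT_CODE_KEYS = {"1-2-3": b"pc123-secret", "4-5-6": b"pc456-secret"}

# Template sets: for each originating point code, which ISUP message types each
# call-state node accepts, and the next node each one transitions to (constructed).
TEMPLATES = {
    "1-2-3": {"IDLE": {"IAM": "SETUP"},
              "SETUP": {"ACM": "ALERTING", "REL": "RELEASING"},
              "ALERTING": {"ANM": "ACTIVE", "REL": "RELEASING"},
              "ACTIVE": {"REL": "RELEASING"},
              "RELEASING": {"RLC": "IDLE"}},
}
MAX_AGE = 30.0  # seconds a timestamped message remains acceptable (assumption)

def sign(opc, msg_type, cic, ts, key):
    """Signed portion: point code, message type, circuit id and timestamp."""
    data = f"{opc}|{msg_type}|{cic}|{ts}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Gatekeeper:
    def __init__(self, now=time.time):
        self.now = now
        self.call_state = {}  # (opc, cic) -> current state node
        self.last_ts = {}     # (opc, cic) -> newest accepted timestamp

    def check(self, msg):
        opc, cic, mtype, ts = msg["opc"], msg["cic"], msg["type"], msg["ts"]
        key = POINT_CODE_KEYS.get(opc)
        # 1. Authenticate the originating point code from the signed portion.
        if key is None or not hmac.compare_digest(sign(opc, mtype, cic, ts, key), msg["sig"]):
            return "REJECT: authentication failed"
        # 2. Timestamp must be fresh and strictly newer than the last accepted one.
        if self.now() - ts > MAX_AGE:
            return "REJECT: stale timestamp"
        if ts <= self.last_ts.get((opc, cic), float("-inf")):
            return "REJECT: out of sequence"
        # 3. The template set for this point code and call state must allow the message.
        state = self.call_state.get((opc, cic), "IDLE")
        nxt = TEMPLATES.get(opc, {}).get(state, {}).get(mtype)
        if nxt is None:
            return f"REJECT: {mtype} not permitted in state {state}"
        self.call_state[(opc, cic)] = nxt
        self.last_ts[(opc, cic)] = ts
        return f"ACCEPT: {state} -> {nxt}"

def make(opc, mtype, cic, ts, key=None):
    """Build a constructed control message signed with the sender's key."""
    key = key or POINT_CODE_KEYS[opc]
    return {"opc": opc, "cic": cic, "type": mtype, "ts": ts, "sig": sign(opc, mtype, cic, ts, key)}
```

Point code 4-5-6 is authenticated but has no template set, so even a well-formed, fresh, signed IAM from it is refused: authority to invoke a function is checked separately from authenticity.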
40 Claims

1. A communication network comprising elements (A) to (E) as set out under First Claim above. Dependent claims: 2 to 26.
27. A method of securely interfacing control links of respective communication networks, comprising the steps of:
- exchanging control data messages between a remote communication network and a local signaling communication system;
- decrypting a certificate portion of said control data messages including a time stamp so as to authenticate originating point code information corresponding to said control data messages and, in response to said time stamp, determine if said control data messages are chronologically sequenced based on said time stamp so as to determine control message chronological sequencing;
- selectively communicating, in response to said decrypting step, control data messages between central office switching systems; and
- selectively providing switched call connections between at least two of the local communication links in response to predetermined control data messages.

Dependent claims: 28 to 40.