October 2007 | Volume 10 / Number 10
Feature Articles

Cyber Security for Triple Play Delivery Platforms

By Diya Soubra

Cyber security is one of the hottest subjects these days. A host on the Internet is attacked on average once every few minutes, which means it can be infected before the installer has even reached the point of installing the security software on a machine that is being set up for the first time.

Users need to be more concerned because the nature of the motives behind the attacks has recently shifted from being a proof of superior programming power to a means of making easy money. Computers of unknowing users are pirated to send spam email, to fake click-throughs on ads or even to mount distributed DoS attacks, for a fee. The hacker gets away with his profit, and the user is left to suffer the legal liability for initiating the network intrusion.

Until recently, the industry focus has been on computers as the primary targets for cyber attacks, and on protection via add-on software modules and applications. This is no longer the case due to the dramatic increase in the number of mobile or fixed networked appliances. In the case of handheld networked devices, running intrusion prevention on the device would be a major drain on the battery. In a business setting a whole department is normally dedicated to network security, but at home the users are left to fend for themselves. The focus of the rest of this article is on the residential network.

In businesses, the security devices are concentrated near the router serving as the WAN connection, a role which is played by the residential gateway in a home setting. The gateway, by definition, is the entry point to the home network. It then forms the first barrier to any cyber attack on the various appliances and computers connected to that home network. The gateway’s main security concern is to protect from information theft and from unauthorized use of machines on the home network which then may be used to initiate other network attacks.

There are three approaches to security that may be applied at the gateway, since the assumption is that external security boxes are too expensive to apply in a home setting:

1. A gateway using the minimum firewall techniques, where the security load is expected to be handled by each host or appliance.

2. Network intrusion detection.

3. Network intrusion prevention.

The first case is what’s shipping today in all broadband routers, where the main function of the box is to route Internet packets to the home LAN. This approach is not sufficient to handle the increasing levels of threat and the implications of the attacks expected on the Internet today.

In the second case, the security software in the gateway monitors all the flows, analyzing the packet traffic at each of the network stack layers, looking for intrusions and notifying the user of anomalies.

The third case is the most interesting one, since the security software sits in the packet path to prevent malicious packets from getting onto the home LAN. Given that the majority of the cyber attacks are already identified and classified by the security industry, it is reasonable to expect the gateway to prevent those attacks from proceeding to the home network. In cyberspace, these attacks make up a large part of what’s referred to as the Internet background radiation. Worms that were launched in the year 2001 are still around today attacking unprotected hosts, despite the treatment of machines worldwide. The more dangerous attacks are the new worms and viruses that have not yet been identified and classified. There exists a large body of technical research on how to monitor, track and block new cyber attacks. The key summary point, out of all that knowledge, is that each packet flow has to be handled individually and has to be tracked as it changes state against a predefined set of policies or rules. This immediately translates into a requirement for a high-performance processor and a large amount of memory in order to handle the packet flows in real time. It is vital to stop the attack before it happens, since the clean-up costs are always higher than the prevention cost. The situation gets even worse as the bandwidth increases and as the diversity of the traffic grows.
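As an added illustration, not taken from the article, the following Python sketch models what the second and third cases ask of the gateway: a per-flow state table consulted on every packet, a signature list standing in for the industry's catalogue of known attacks (background radiation), and a mode switch that decides whether a match is only reported to the user (detection) or dropped in the packet path (prevention). The LAN range, the addresses and the signature are constructed values.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    DETECT = "detect"    # approach 2: monitor the flows, notify the user
    PREVENT = "prevent"  # approach 3: sit in the packet path, drop the packet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""

LAN_PREFIX = "192.168.1."           # constructed home LAN range
KNOWN_BAD = [b"WORM-PROBE-2001"]    # constructed signature, not a real worm's

class Gateway:
    """Per-flow state table plus a policy check applied to every packet."""
    def __init__(self, mode: Mode):
        self.mode = mode
        self.flows = {}    # (src, sport, dst, dport) of the LAN initiator -> state
        self.alerts = []   # (reason, packet) pairs reported to the user

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    def handle(self, p: Packet) -> str:
        reason = None
        if any(sig in p.payload for sig in KNOWN_BAD):
            reason = "known-signature"          # catalogued background radiation
        elif p.src.startswith(LAN_PREFIX):
            if p.syn and not p.ack:             # LAN host opens a new connection
                self.flows[self._key(p)] = "SYN_SENT"
        else:
            initiator = (p.dst, p.dport, p.src, p.sport)
            if initiator not in self.flows:     # nothing on the LAN asked for this
                reason = "unsolicited-inbound"
            elif p.syn and p.ack:               # reply to a tracked outbound flow
                self.flows[initiator] = "ESTABLISHED"
        if reason is None:
            return "FORWARD"
        self.alerts.append((reason, p))
        return "DROP" if self.mode is Mode.PREVENT else "FORWARD"
```

Every entry in `flows` is state that must live in gateway memory for as long as the connection does, which is the per-flow cost the article says the processor and memory budget has to absorb at line rate.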

It is to the advantage of a service provider to have a sophisticated residential gateway with built-in network intrusion prevention, since that box is an integral part of the provider infrastructure. If each of those nodes is cyber-security ready, then the infrastructure as a whole will maintain its integrity and reliability, which is a key element for service delivery.

Security software has evolved over time from being a bolt-on after the fact to being a properly designed unified security module which is then integrated into the system of choice. Eventually, the unified security module will be built into the system from the ground up, once the platform has the necessary processing power and memory to handle such a load. Security software puts a very heavy load on the host.

With the growth in the number of networked devices and the increase in network bandwidth comes the increased threat of cyber attacks that will cause larger and larger damage. Today the majority of network attached devices are PCs, and the majority of “intrusion prevention” occurs on the PC itself. The new generation of network attached devices in the home, such as the WiFi iPod, WiFi cell phones and PDAs, will not necessarily be PCs, and will not necessarily have the resources to do complex “intrusion prevention”, especially where they are battery driven and can’t really afford the power to do so. The home gateway must then provide the “clean secure home network traffic”.

A first point of defense is the residential home gateway, which now is an integral part of the service provider infrastructure. The residential gateway has to have sufficient memory and processing power to perform the network intrusion prevention function by applying predefined policies to each and every packet flow, in addition to doing the usual pattern matching and anomaly detection to filter out the Internet background radiation. Most processors on the market today for residential gateways were designed for one specific purpose, which is to move packets from the provider network to the home network. These processors are not well-suited to the fight to maintain cyber security in the home. Service providers looking into the design of the next version of the service delivery platform need to seriously weigh the consequences of not applying the required security software or of selecting the wrong processor to support that load.

References

Pang, Ruoming, et al. “Characteristics of Internet Background Radiation.” Internet Measurement Conference (IMC) 2004. [Online] http://www.imconf.net/imc-2004/papers/p27-pang.pdf

Diya Soubra is the Director of Marketing for the Media Delivery Solutions product line at Mindspeed Technologies. He joined Mindspeed in 1990 as a designer and developer of test and validation systems. You can reach him at [email protected].
