The proliferation of broadband Internet technologies has exposed a new security hole. The advantages of these new high-speed Internet services are that they are unmetered and “always on”—benefits that, unfortunately, have created a serious security gap.
For example, a Digital Subscriber Line (xDSL) allows you to make voice calls while you’re connected to the Net. You don’t need to dial up and disconnect from the Internet, so your computer will automatically connect when it’s switched on. This configuration works like a corporate LAN connected to the Internet via a leased line—the difference being that a corporate network is likely to have security features that are both expensive to buy and highly technical to implement. Such security is effective, but it is far beyond the home user and most small to midsize businesses (SMEs).
Before these new high-speed services appeared on the scene, Internet connections were dialed or connected whenever they were needed, and they would hang up or be manually disconnected when their work was done. Assigning a permanent, static IP address to each machine was considered wasteful, since any one host was connected to the Internet, on average, far less than 50 percent of the time. For this reason, an ISP would register a block of IP addresses and then assign them using Dynamic Host Configuration Protocol (DHCP) as needed.
While it would be possible for a hacker to break into one of these addresses, it simply wasn’t worth the effort, because any one IP address could disappear at any moment. Even if a successful attack were carried out, a hacker wouldn’t be able to reconnect to the same address, since it would belong to a different host the next time it appeared.
With the advent of high-speed Internet services, there is no longer a need for dynamic IP addresses. It’s much simpler to configure the router on the client side to keep a static IP address and stay connected most of the time. What this means, however, is that hackers can now attack your computer at a leisurely pace, because once they have your IP address, they know that it won’t be changing.
A friend of mine recently had ADSL installed at home and found he was getting port-scanned about once an hour at peak Internet usage times. A serious problem for a user, yes, but when you’re talking about an SME connecting their network to the Internet, the problem is suddenly far more worrisome.
Whose responsibility is broadband security?
One solution to this security problem would be for the end user to install a software firewall for protection. However, this requires a certain degree of technical savvy, and a badly configured dedicated hardware firewall is said to be more dangerous than having no firewall at all.
For a number of reasons, quite a few companies have a vested interest in making broadband connections secure. First of all, it’s widely believed that security threats, whether real or imagined, are holding back the development of e-commerce and any number of Internet-based revenue streams for corporations of all sizes. In addition, most people believe the ISP has some security-related responsibility to the user.
And now that broadband technologies have been installed for more than a year in thousands of homes and offices, network equipment vendors are pushing ISPs to establish some kind of security measure within their own networks, rather than pushing the security responsibility onto the shoulders of the user.
The advantages of fixing security within the ISP's own network are obvious:
- End customers need not worry about security issues.
- Costs are cut dramatically, as there is no need to purchase, install, configure, and support a firewall at the customer’s site.
- The network owner has complete control over configuration of the router.
Enter Nortel’s Shasta 5000 BSN
One of the devices offering this capability is the Nortel Shasta 5000 Broadband Service Node. The Shasta 5000 BSN is not a firewall. Its official name is an “edge switch,” and it sits on the last mile of a broadband network. This is the point at which the “local” broadband traffic belonging to one network or ISP meets the Internet, which is, of course, where security becomes an issue.
The Shasta 5000 has an impressive feature list, taking traffic from xDSL, cable, dial-up pools, satellite and other wireless networks, ATM, and even leased-line customers. It will prioritize network traffic, allowing critical traffic, such as that generated by Voice over IP phone systems, to take top priority over other forms of traffic.
For businesses, it has the ability to create a virtual private network (VPN) tunnel securely over the Internet, thus allowing companies to connect two LANs over the Internet at a very low cost. So long as a Shasta 5000 switch is installed at each end of the Internet connection, on the border of the respective broadband networks, the traffic can be encrypted to provide a truly secure VPN.
The most powerful feature of the Shasta 5000 is that it supports network services on a per-subscriber basis. This means that home and business customers can all connect through the same switch, yet have their network services, such as intrusion detection or traditional firewall filtering, applied with different configurations to different customers. This feature effectively replaces the idea of having each customer install a personal on-site firewall. So long as you trust the local broadband network, you can trust your security.
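To make the per-subscriber model concrete, the following Python is an added example written for this article (not Nortel's software): a single edge node holds a different inbound policy for a home subscriber and a business subscriber, admits replies to connections each subscriber opened, and drops unsolicited probes like the hourly scans mentioned earlier. All addresses, ports and packets are constructed sample data.

```python
# Toy model of per-subscriber policy enforcement at an ISP edge node (added example,
# not Nortel's code). Every address, port and packet below is constructed sample data.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto inbound")  # inbound: Internet -> subscriber

class SubscriberPolicy:
    """Per-subscriber rules: published services plus replies to the subscriber's own flows."""
    def __init__(self, allow_inbound=()):
        self.allow_inbound = set(allow_inbound)  # (proto, dport) pairs accepted unsolicited
        self.flows = set()                       # remote endpoints the subscriber contacted

    def decide(self, pkt):
        if not pkt.inbound:                      # outbound: remember the peer, let it out
            self.flows.add((pkt.dst, pkt.proto, pkt.dport))
            return "allow"
        if (pkt.src, pkt.proto, pkt.sport) in self.flows:
            return "allow"                       # reply to a connection the subscriber opened
        if (pkt.proto, pkt.dport) in self.allow_inbound:
            return "allow"                       # explicitly published service (e.g. web server)
        return "drop"                            # unsolicited inbound, such as a port-scan probe

class EdgeNode:
    def __init__(self, policies):
        self.policies = policies                 # subscriber address -> SubscriberPolicy
        self.drops = {}                          # subscriber address -> unsolicited packets dropped

    def process(self, pkt):
        sub = pkt.dst if pkt.inbound else pkt.src
        policy = self.policies.get(sub)
        if policy is None:
            return "drop"                        # not a provisioned subscriber: nothing to apply
        verdict = policy.decide(pkt)
        if verdict == "drop":
            self.drops[sub] = self.drops.get(sub, 0) + 1
        return verdict

def run_demo():
    home, biz, web, scanner = "203.0.113.10", "203.0.113.20", "198.51.100.5", "192.0.2.77"
    node = EdgeNode({home: SubscriberPolicy(),                          # home: block all unsolicited
                     biz: SubscriberPolicy({("tcp", 443)})})            # business: publish HTTPS only
    traffic = [
        Packet(home, 51000, web, 80, "tcp", False),                     # home user browses a site
        Packet(web, 80, home, 51000, "tcp", True),                      # site replies: matches a flow
        Packet(scanner, 40000, home, 22, "tcp", True),                  # scan probe at home: dropped
        Packet(scanner, 40001, biz, 443, "tcp", True),                  # HTTPS to business: allowed
        Packet(scanner, 40002, biz, 22, "tcp", True),                   # SSH probe at business: dropped
        Packet(scanner, 40003, "203.0.113.99", 80, "tcp", True),        # unknown subscriber: dropped
    ]
    return [node.process(p) for p in traffic], node.drops
```

The per-subscriber drop counts are what an ISP-side service would hand back to the customer as a scan report, something a customer-site firewall would otherwise have to log on its own.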
For ISPs, this opens up a whole world of revenue-generating, value-added services. If, for example, an ISP charges a subscriber $30.00 per month for access, it can now add network services, such as security, for an extra $5 per month, or offer businesses a VPN option for a few hundred dollars per year—very attractive pricing compared to the cost of maintaining a hardware firewall or VPN access gateway on site.
The system will also scale easily. If broadband demand from customers continues to proliferate rapidly, the ISP can simply add another switch to increase service capacity. One hopes this will go some way toward enabling ISPs—many of whom are pressured by the high demand for broadband—to provide a higher quality of service to their customers.