The threats are continually evolving and exist at multiple levels. At best, the Internet security battle is a back-and-forth affair, with just as many smart people on the bad side as on the good. The biggest danger, perhaps, is assuming that yesterday's security will suffice in this new world. "Better authentication and less reliance on easily compromised solutions is a must because of the growing sophistication of the threats," wrote Mustaque Ahamad, a professor at the College of Computing at the Georgia Institute of Technology and director of the Georgia Tech Information Security Center, in response to emailed questions.
The gravity of the situation is apparent in a pair of studies released Dec. 21 by Infonetics Research. One, entitled DDoS Prevention Appliance Market Outlook, found that distributed denial of service (DDoS) attacks are growing, as is the market for equipment aimed at thwarting them. The second, Service Provider Security Drivers, Spending, and Vendor Leadership: Global Survey, found that "nearly every service provider interviewed" for the report plans to increase spending on security in 2012, both in absolute dollars and as a percentage of the company's capex budget.
The dynamic is interesting and evolving quickly. On one level, operators need to protect switches, servers and other core network elements from DDoS and similar attacks. A largely separate but deeply related level of concern is the application layer, where a new generation of end user devices and a dizzying array of mobile operating systems can give armies of clever crackers potential entry paths -- called "attack vectors" in the security community -- into the MSO's (multiple system operator's) back office.
On a third level, real-time, Session Initiation Protocol (SIP)-based communications -- video calls and VoIP -- demand special security attention. This is best provided by session border controllers (SBCs), according to Stephen Collins, the vice president of marketing for Acme Packet. Collins suggested that moving SIP traffic over Wi-Fi networks will require the type of security that SBCs offer.
Cable's Head Start
Cassio Sampaio, the assistant vice president of product line management for Sandvine, suggested that the cable industry may be ahead of wireless and DSL providers in detecting DDoS and related network-borne attacks because of its proactive rollout of policy platforms to manage the burgeoning number of mobile devices it supports.
Sampaio said the ability to manage a tremendous number of devices in a manner granular enough to satisfy complex rules -- for instance, enabling a particular piece of R-rated content to be available to a mobile device registered to an adult but not to a child living at the same address -- puts the basic structure in place that can support the tools needed to battle DDoS attacks. "[It] makes sense for security to be part of same portfolio," Sampaio said. "It could be that cable providers are slightly ahead of the curve by being early adopters of narrow policy techniques that led them to put more infrastructure in place."
The key to protecting cable and other IP networks is using an industry-standard flow-export protocol called NetFlow to track traffic patterns, said Tom Bienkowski, the director of product marketing for Arbor Networks. "It could see that traffic [generally] flows at a particular rate," Bienkowski said. "If there is a major spike that is not normal, it could be indicative of a DDoS attack."
Tools from Arbor and others that detect such activity can divert the suspect flows to a scrubbing device that mitigates, or cleanses, the traffic. Tools that use NetFlow -- Arbor markets them under the Arbor Peakflow SP label -- are important as the threats expand. "DDoS continues to grow in size and complexity with the advent of botnets for hire," he said. "That is really what is causing the huge, huge jump in the number and size of DDoS attacks."
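The detection idea Bienkowski describes, a learned per-destination rate with spikes flagged against it, is simple enough to show end to end. The block below is an added illustration, not Arbor's code and not how Peakflow SP actually works: it assumes a simplified NetFlow v5-like record shape (start time, source, destination, protocol, packets, bytes), constructs eleven minutes of sample flows inline (ten quiet minutes, then a flood from 200 sources), buckets bytes per destination per minute, learns a baseline from the first five buckets, and flags later buckets that exceed both a mean-plus-three-sigma bound and a fixed multiple of the mean. The function names, thresholds and the documentation-range IP addresses are all assumptions made for the example.

```python
"""Toy NetFlow-style volumetric spike detector (added example, not vendor code).

Record shape is a simplified NetFlow v5-like tuple (assumed for the example):
    (start_epoch_seconds, src_ip, dst_ip, ip_protocol, packets, bytes)
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data. BASE is aligned to a minute boundary so that each
# simulated minute falls into exactly one 60-second bucket.
BASE = 1_700_000_100
DST = "203.0.113.10"          # RFC 5737 documentation address: the target host
FLOWS = []

# Minutes 0-9: five regular clients, 60 KB each per minute (about 300 KB/min).
for minute in range(10):
    t = BASE + minute * 60
    for i in range(5):
        FLOWS.append((t + i, f"198.51.100.{i + 1}", DST, 6, 400, 60_000))

# Minute 10: 200 distinct sources each pushing 5,000 small UDP packets,
# the classic "many sources, one destination" signature of a distributed flood.
t = BASE + 10 * 60
for i in range(200):
    FLOWS.append((t, f"192.0.2.{i + 1}", DST, 17, 5_000, 750_000))


def bucket_by_interval(flows, interval=60):
    """Aggregate bytes, packets and distinct sources per (dst, interval_start)."""
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0, "srcs": set()})
    for start, src, dst, _proto, pkts, nbytes in flows:
        key = (dst, start - start % interval)
        b = buckets[key]
        b["bytes"] += nbytes
        b["packets"] += pkts
        b["srcs"].add(src)
    return buckets


def detect_spikes(buckets, dst, baseline_intervals=5, sigma=3.0, min_ratio=5.0):
    """Return [(interval_start, bytes, distinct_sources)] flagged for dst.

    The first `baseline_intervals` buckets define the expected rate. A later
    bucket is flagged only if it exceeds BOTH mean + sigma*stddev and
    min_ratio*mean: a perfectly flat baseline has stddev 0, and without the
    ratio floor any increase at all would trip the sigma test.
    """
    series = sorted((t, b) for (d, t), b in buckets.items() if d == dst)
    if len(series) <= baseline_intervals:
        return []
    base = [b["bytes"] for _, b in series[:baseline_intervals]]
    mu, sd = mean(base), pstdev(base)
    threshold = max(mu + sigma * sd, min_ratio * mu)
    return [
        (t, b["bytes"], len(b["srcs"]))
        for t, b in series[baseline_intervals:]
        if b["bytes"] > threshold
    ]


if __name__ == "__main__":
    for start, nbytes, nsrcs in detect_spikes(bucket_by_interval(FLOWS), DST):
        # Many distinct sources in one bucket argues for a distributed flood
        # rather than a single legitimate large transfer.
        print(f"{DST} at t={start}: {nbytes} bytes from {nsrcs} sources")
```

On the constructed data the ten quiet minutes produce a flat 300,000-byte baseline, so the ratio floor sets the threshold at 1.5 MB, and only the flood minute (150 MB from 200 sources) is reported. A production collector would of course learn baselines per time of day and per customer prefix rather than from five fixed buckets, and would also look at packets per second and protocol mix, but the shape of the check is the same.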
All Those New OSs
The potential game-changer for the cable industry -- and the place where the security world of switches and routers overlaps with the security world of end user devices -- is the rise of advanced operating systems. Lance Boyd, the vice president of business development for Irdeto, said the legacy world of cable networks is secure behind hardened cable modems, gateways and set-top boxes. iOS, Android, Windows Phone and other advanced OSs aren't nearly as locked down and present a potential path into the network for crackers.
Irdeto and other companies offer tools that protect valuable content, such as streaming movies. That protection covers only the content itself, however, not all of the data flowing to and from the device. The unprotected data can carry malware such as Trojans and worms capable of opening "back doors" into the underlying network. The takeaway is that operators must deal with far greater complexity than before. "All of a sudden, they are moving from a very closed system to multiple end points that are open and vulnerable," Boyd said.
Georgia Tech's Ahamad suggested that the problem eventually can threaten even the formerly highly secure infrastructure: "Compromise of end devices such as customer home computers and even set-top boxes via malware infection is a serious problem," he wrote. "Such devices not only can waste resources such as bandwidth; they can steal sensitive information and even alter setting[s] and configurations."
Cable operators clearly are at the forefront of bringing the still relatively young broadband infrastructure to a mass public. It is a dangerous world, however, and much of what happens will test operators. The bottom line simply is that operators need to recognize the dangers and be proactive. "[The] security risks are real, and operators need to put best practices in place to protect [the] enterprise and customer [endpoints]," Ahamad said.
Carl Weinschenk is Broadband Technology Report's Senior Editor. Contact him at email@example.com.