CHAPTER 12
SECURITY IN BROADBAND NETWORKS
The Internet is still a friendly place with friendly people. They are your neighbors, and they have home networks just like you do. However, there are lines of
delineation between zones of trust, and just as there are doors on houses and
businesses, there are gateways between points on broadband networks. This
chapter describes the security concerns that face service providers and presents
some solutions.
Broadband Network Gateways (BNGs) are IP aggregation points for thousands
of customers. It is important to note that the BNG is the IP termination point
where routing occurs and where the IP service starts. The other elements, such as
residential gateways, access nodes, and Ethernet aggregation networks, provide
transport.
Service provider networks have two primary goals when providing security. First
is protecting the service provider domain. This means that the service provider
needs to protect its network from external parties, including customers and
external networks. Second, it is usually high on the list to protect customers from
external networks. After all, the service provider’s goal is to provide a reliable and
useful service. If conditions create an unsatisfactory service, customers will
likely find another provider.
Some security concepts overlap between protecting the service provider and protecting the customer. The next section and “Residential Gateway Security Features” delve into these topics.
DENIAL OF SERVICE
The last ten years have seen significant denial of service (DoS) attacks across the
Internet. They have created havoc for providers and have caused network outages, billing issues, unavailable websites that provide both commercial and noncommercial content, and frustration for millions of users. These attacks come in
many flavors and sizes and typically have a single goal: to make a particular host,
network, or service unavailable.
Reasons for DoS attacks vary. The DoS attacker subculture has focused on building a name or reputation based on the size (in terms of time lost) or significance of the
service they have affected. UNIX systems in the 1980s saw attacks by single users
inflict damage to shared systems. Some attacks focused on creating the maximum number of processes that a system could handle. The mid-1990s saw DoS
attacks that focused on e-mail and FTP services, with the goal of filling server
storage and effectively preventing valid e-mail and files from being transferred to
the server. These attacks usually were not destructive to the network, but rather
focused on particular systems. Thus, they commonly were rectified by systems
administrators.
Attacks over the next few years became more network-focused. In 1997, with a
release of source code and attack method, millions of Windows 95 computers on
the Internet became susceptible to an attack called WinNuke, which crashed the
computer. These attacks were possible over the Internet simply by sending a
small string of data to a listening port on the computer. The target of these
attacks appeared largely focused on individual hosts or subnets. Because the traffic volume was light, network providers were not very concerned about revenue
loss due to attacks.
This all changed with flooding attacks, which consumed vast amounts of network backbone traffic. One of the most recognized attacks is the “smurf ” attack,
named after the application bearing the same name. This technique used the
functionality of many routers at the time that allowed packets that were sent to
remote IP broadcast addresses to be delivered to Layer 2 broadcasts. This functionality, combined with IP spoofing (changing or spoofing the source address of
traffic) attacks, led to a situation in which a single IP ping that was delivered to
an IP network could generate amplified ICMP responses from hundreds of hosts.
If the initial transmission to the targeted network was sourced with a spoofed IP
address, then hundreds of responses would be sent to the victim network that
owned the spoofed IP address. The real attacker was essentially a third party that
created the network storm. Tracing these types of attacks was difficult, because it
involved networks sending massive amounts of traffic to other networks, even
though one network did not originate the request. Even worse, it was possible to
source a network address that amplified traffic and to use this IP source address
to send to other amplifiers. The real attacker simply observed the behavior (usually by pinging servers on the targeted networks and monitoring round-trip
latency) as the two targeted networks began flooding each other until either their
or their upstream carrier’s networks reached capacity.
Smurf attacks are no longer common for a number of reasons. Best-practice documents from network vendors and discussions within network operator forums
helped quell the issues by making network changes that disabled the use of IP
directed broadcasts, which is how a smurf attack starts. Additionally, one of the
most important network changes that has been introduced on the edge of many
providers is the concept of Reverse Path Forwarding (RPF), which makes it easy
for service providers to prevent IP spoofing.
REVERSE PATH FORWARDING
The concept of RPF checking is simple. Routers that implement RPF checks
accept IP packets when they have a route to the source of the packet on the same
interface on which they receive the packet. For instance, if the router has a route
table entry for the prefix 192.168.10/24, which is reachable via interface
GigabitEthernet2/0.100, and this interface has RPF checking enabled, the router
will accept only packets from hosts within the 192.168.10/24 address range on
this particular interface. This function in the router checks the reverse path for a
received packet and accepts it if the router would normally send a packet to that
address via the same interface.
RPF checking on BNGs is essential. On most hardware-based routers, the RPF
check does not cause any noticeable forwarding delay, although it allows packets
to be checked for spoofing. If this functionality is enabled on all subscriber interfaces, it may not stop attacks, but at least it will ensure that packets which originate from the subscribers are using their valid addresses, as shown in Figure 12.1.
This makes tracking attacks much easier.
Figure 12.1 RPF in action. (Figure not reproduced. It shows packets arriving at the router with source addresses 192.168.1.1/32, 10.10.10.10/32, and 1.2.3.4/32; one packet is marked X and dropped.)
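The RPF decision described above, written out as an added example (not code from the book): a longest-prefix-match lookup followed by a strict or loose reverse-path check. The routing table and interface names other than the 192.168.10.0/24 entry from the text are assumptions.

```python
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
# The 192.168.10.0/24 entry is the one used in the text; the rest are assumptions.
ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet1/0"),            # default route toward the core
    ("10.0.0.0/8", "GigabitEthernet1/0"),           # assumed provider backbone range
    ("192.168.10.0/24", "GigabitEthernet2/0.100"),  # subscriber VLAN from the text
    ("192.168.20.0/24", "GigabitEthernet2/0.200"),  # second, assumed subscriber VLAN
]


def lookup(routes, address):
    """Longest-prefix match: return (interface, prefix length) for the route the
    router would use to reach `address`, or None when no route covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (iface, net.prefixlen)
    return best


def rpf_accept(routes, src, in_iface, mode="strict", allow_default=False):
    """Return True if a packet with source `src` received on `in_iface` passes
    the unicast RPF check.

    strict: the reverse path to the source must point back out the receiving
            interface (the check the text describes for subscriber interfaces).
    loose:  any route to the source is enough; weaker, but usable on links
            where routing is asymmetric and strict mode would drop real traffic.
    As on most router implementations, the default route does not count as a
    reverse path unless allow_default is set, so a source that is reachable
    only via 0.0.0.0/0 fails the check.
    """
    match = lookup(routes, src)
    if match is None:
        return False
    reverse_iface, prefixlen = match
    if prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return reverse_iface == in_iface


def filter_packets(routes, packets, mode="strict"):
    """Apply the RPF check to (source, receiving interface) pairs and return
    (source, interface, "accept" or "drop") decisions."""
    decisions = []
    for src, in_iface in packets:
        verdict = "accept" if rpf_accept(routes, src, in_iface, mode) else "drop"
        decisions.append((src, in_iface, verdict))
    return decisions


if __name__ == "__main__":
    # Constructed packets: two legitimate subscriber sources and two spoofed ones.
    sample = [
        ("192.168.10.5", "GigabitEthernet2/0.100"),   # valid address on its own VLAN
        ("192.168.20.9", "GigabitEthernet2/0.200"),   # valid address on its own VLAN
        ("192.168.10.5", "GigabitEthernet2/0.200"),   # claims a neighbouring VLAN's address
        ("1.2.3.4", "GigabitEthernet2/0.100"),        # claims an external address
    ]
    for src, iface, verdict in filter_packets(ROUTES, sample):
        print(f"{src:>14} on {iface:<22} -> {verdict}")
```

Strict mode assumes symmetric routing; on a multihomed or asymmetric link it drops legitimate traffic, which is why loose mode exists.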
RESIDENTIAL GATEWAY SECURITY FEATURES
The home router, now commonly called a Residential Gateway (RG), carries a
greater number of features than before, which protect the subscriber from Internet attacks. The device needs to be able to protect itself from common TCP
anomalies and attacks such as LAND, Ping of Death, TCP SYN floods, TCP reset
attacks, and invalid Internet Protocol packets. These types of attacks are common on the Internet; they target the IP stack implemented on devices.
Devices that are vulnerable to these attacks usually reset or crash when they
receive such packets.
Providers would have a difficult time troubleshooting the connection’s transient
behavior if the customer’s gateway was being attacked. It is important for service
providers to reduce the number of help desk calls that are associated with lack of
connectivity. Therefore, it is advisable that service providers select or recommend devices that provide an adequate level of security for the home premises.
When security is ensured or tightened, it becomes easier to position more reliable services, because the service is not as vulnerable to degradation.
RG features vary depending on vendor and model. Here are some of the basic
security features that should be available on residential gateways:
• Configurable firewall with the ability to log the packets that match specific
rules
• Ability to block or not respond to ping on the WAN interface
• Session Initiation Protocol (SIP) Application Layer Gateway to open ports for
voice traffic
• Ability to create VLANs on Ethernet ports to allow for segmentation between
different home networks
• Classification of traffic based on five-tuple (source, destination, protocol,
source ports, destination ports) and possibly TCP flags. This is useful for QoS
configuration on the residential gateway, because it allows traffic flows to be
classified, and then scheduling mechanisms can create the proper prioritization for the traffic.
• Network Address Translation / Port Address Translation (NAT/PAT)
• Port forwarding to allow external hosts to reach internal hosts on specific
ports
• Demilitarized zone (DMZ) configuration for specific hosts
With a combination of provider-based security mechanisms and security features that are implemented in residential gateway products, the subscriber network can focus on using and enjoying services and not worrying about each
packet that is directed its way.
BROADBAND NETWORK SECURITY AND VOIP
Traditional telephone systems give the residential customer a telephone service
without providing a gateway to the service’s signaling mechanisms. Phone systems accept only a limited set of commands from subscribers, usually the on-hook/
off-hook state and DTMF inputs and, in some cases, R2 signaling. Since the 1970s, the
phone system has moved away from in-band signaling, and rightly so.
In some respects, voice over IP (VoIP) systems allow customers to interface with
calls’ signaling mechanics. VoIP still has the split concept of the voice stream and
the signaling flows, yet implementations of VoIP have essentially placed the signaling interface back with subscribers. This is why security of VoIP for broadband networks is critical.
Let’s compare some concepts between standard phone networks and VoIP networks. Standard phone networks typically have no user-supplied credentials to
the phone system. There are exceptions, such as party lines, and call-gate calling
features, where PIN codes are entered to enable specific calling patterns, such as
to permit a long-distance call. However, most commonly, upon picking up a telephone handset, the call is already authenticated, because the actual line authenticates the customer. The fact that the POTS line is actually located at the
subscriber’s residence is enough authentication that the call is being placed by
the appropriate party. VoIP services are different. They are not bound to the subscriber’s physical location. Because IP packets can originate from anywhere on an
inter-network, additional models for trust are needed.
These are the VoIP security issues that face service providers:
• Reliable authentication of subscriber details
• Prevention of fraud
• Mitigation against potential DoS attacks on the VoIP service
• Lawful interception capabilities within the service provider network
Subscriber registrations for VoIP services using SIP are performed in clear text in
most implementations. Within a single service provider domain, this is not that
much of a concern, because the provider can control the access and has a relationship with the residential voice subscriber.
THE SECURITY OF VOIP AND CREDENTIALS
Enforcing reliable authentication of subscriber details goes hand in hand with
prevention of fraud. With valid authentication details, an IP host can place calls
that may incur charges to a subscriber and the service provider. If the subscriber
SIP credentials are compromised, it becomes possible for an attacker to place
calls that are billed to another party. For this reason, it is highly recommended
that service providers generate the passwords that are used for SIP devices. User-generated passwords would pose a risk and liability to the service provider
should a brute-force method be applied to the SIP registrar in an attempt to find
valid credentials.
Using managed residential gateways with VoIP support, or when more advanced
users (possibly with softphones or WiFi VoIP phones) receive credentials for the
network, these credentials should be generated by the service provider to ensure
there is some randomness in the choice of credentials.
SESSION BORDER CONTROLLERS AS APPLICATION LAYER PROXIES
A soft switch is an IP-capable telephony switch, and protecting soft switches is
essential because of the importance placed on the switching infrastructure.
Carriers that are interested in providing VoIP to PSTN handoff, or even PSTN
replacement technologies need to ensure that the connections to their actual
switches are handled in a secure fashion. Session Border Controllers (SBCs) help
protect this switching infrastructure by creating an additional security layer
between clients and the switching domain. SBCs provide back-to-back user agent
support, which acts as an application layer proxy.
SBCs can provide additional control in VoIP networks. Features include the
following:
• Network address translation
• Deep packet inspection on SIP / H.323 VoIP signaling packets
• Quality of Service (QoS) markings and prioritization based on call details
• DoS prevention and detection
• Lawful interception capabilities
Carrier-grade VoIP solutions are also best served with Intrusion Detection Systems (IDSs) that can inspect VoIP signaling packets (SIP/H.225) and analyze
protocol anomalies that may cause issues with voice gateways and soft switches.
These SIP and H.225 packets could be malformed, and consequently would
exploit the protocol stack on the voice gateways. Such anomalies may be packets
that have the following characteristics:
• SIP header refers to nonstandard procedures or non-RFC-compliant methods
• SIP packet fields are too large
• SIP max-forwards are a nonrecommended value
• SIP unknown headers
IDS systems that reside on the path to the SBC or voice gateway should perform
this protocol inspection and alert on issues, as illustrated in Figure 12.2. Because
crackers generally try to explore the system behavior before launching a direct
attack, it is wise to investigate issues before you actually have a system fault or
compromise.
Figure 12.2 IDS protecting a voice gateway. (Figure not reproduced. It shows the Internet, the border router, the BNG, and the PSTN connected around the voice gateway.)
As shown in Figure 12.2, the deep inspection firewall inspects all flows that are
directed to and from the VoIP gateway. For SIP phones and SIP clients that are
built into residential gateways (RGs), the VoIP flows traverse the BNG, cross the
service provider core, and then pass through the deep inspection firewall. The
firewall ensures that properly formatted packets and valid content are being
directed to the gateway.
Some SIP trunks can be reached over the Internet. For this reason it is important
to inspect SIP flows to and from the Internet. The deep inspection firewall can
reach the border routers or additional provider edge routers to reach other
networks.
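The protocol inspection described above, as an added example that is not code from the book: a small SIP request inspector that flags the anomaly classes listed (nonstandard methods, oversized header fields, a Max-Forwards outside the recommended range, unknown headers) plus missing mandatory headers. The sample messages are constructed, and the 1024-byte header limit is an assumed site policy rather than an RFC value.

```python
STANDARD_METHODS = {
    "INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "PRACK", "SUBSCRIBE",
    "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE",
}
# Header names from RFC 3261 and common extensions, lower-cased for comparison.
KNOWN_HEADERS = {
    "via", "from", "to", "call-id", "cseq", "contact", "max-forwards", "expires",
    "min-expires", "content-length", "content-type", "content-encoding",
    "content-disposition", "authorization", "www-authenticate",
    "proxy-authorization", "proxy-authenticate", "authentication-info",
    "user-agent", "server", "allow", "supported", "unsupported", "require",
    "proxy-require", "route", "record-route", "accept", "accept-encoding",
    "accept-language", "subject", "date", "warning", "timestamp", "organization",
    "priority", "retry-after", "reply-to", "in-reply-to", "call-info",
    "alert-info", "error-info", "mime-version", "event", "allow-events",
    "subscription-state", "refer-to", "p-asserted-identity", "privacy",
    "session-expires", "min-se", "reason", "rack", "rseq",
}
# Compact header forms map to their long names.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type", "e": "content-encoding",
           "k": "supported", "s": "subject", "o": "event", "u": "allow-events",
           "r": "refer-to"}
MANDATORY = {"via", "from", "to", "call-id", "cseq", "max-forwards"}  # RFC 3261 8.1.1
MAX_HEADER_LINE = 1024        # assumed site policy, not an RFC limit
MAX_FORWARDS_RECOMMENDED = 70  # RFC 3261 default value


def inspect_request(raw):
    """Return a list of anomaly tags for one SIP request; an empty list is clean."""
    findings = []
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        findings.append("malformed-request-line")
    elif parts[0] not in STANDARD_METHODS:
        findings.append("nonstandard-method:" + parts[0])
    seen = set()
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            continue                      # folded continuation of the previous header
        name, sep, value = line.partition(":")
        if not sep:
            findings.append("malformed-header")
            continue
        name = name.strip()
        key = COMPACT.get(name.lower(), name.lower())
        if len(line) > MAX_HEADER_LINE:
            findings.append("oversized-header:" + name)
        if key not in KNOWN_HEADERS:
            findings.append("unknown-header:" + name)
        seen.add(key)
        if key == "max-forwards":
            v = value.strip()
            if not v.isdigit() or int(v) > MAX_FORWARDS_RECOMMENDED:
                findings.append("max-forwards:" + v)
    for missing in sorted(MANDATORY - seen):
        findings.append("missing-header:" + missing)
    return findings


# Constructed sample: a well-formed REGISTER from a residential gateway.
GOOD_REGISTER = "".join([
    "REGISTER sip:provider.example SIP/2.0\r\n",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n",
    "Max-Forwards: 70\r\n",
    "To: <sip:alice@provider.example>\r\n",
    "From: <sip:alice@provider.example>;tag=1928301774\r\n",
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n",
    "CSeq: 1 REGISTER\r\n",
    "Contact: <sip:alice@192.0.2.10:5060>\r\n",
    "Expires: 3600\r\n",
    "Content-Length: 0\r\n\r\n",
])

# Constructed sample: unknown method, absurd Max-Forwards, oversized unknown
# header, and no Call-ID.
BAD_REQUEST = "".join([
    "FLOOD sip:provider.example SIP/2.0\r\n",
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKdeadbeef\r\n",
    "Max-Forwards: 999\r\n",
    "To: <sip:alice@provider.example>\r\n",
    "From: <sip:alice@provider.example>;tag=1\r\n",
    "X-Fuzz: " + "A" * 1500 + "\r\n",
    "CSeq: 1 FLOOD\r\n",
    "Content-Length: 0\r\n\r\n",
])

if __name__ == "__main__":
    print("good:", inspect_request(GOOD_REGISTER))
    print("bad: ", inspect_request(BAD_REQUEST))
```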
TRANSPORT SECURITY ISSUES WITH VOIP NETWORKS
As soon as subscribers get used to the benefits of advanced calling features and
cheaper calling rates that are associated with VoIP, they will want to take these
services with them when they are on the road, at the coffee shop, or at the
airport. The problem is that many if not most of these mentioned networks
carry a degree of risk that cannot be fully quantified. The public network that
a computer or device connects to may have any number of vulnerabilities or
potential hackers.
Many public access points do not use WEP or WPA security because of the difficulty in getting users to connect. With an open access point and no encryption,
it is possible to eavesdrop or sniff the wireless packets from a WiFi-enabled SIP
phone or even a softphone that runs on a laptop. Inside the wireless channel, the
Ethernet frames may contain SIP registration messages and credentials for the
user that could easily be reconfigured on another WiFi handset or in another
client. The attacker can then place calls that will be billed against the original
roaming user.
Immediate solutions to the issue are to establish VPNs (either IPSec or SSL) back
to a service provider before passing credentials in clear text. This approach is an
expensive solution in terms of the computing power and software required in the
handset. Furthermore, devices might not have the VPN software built in.
The target architecture to deal with this issue is provided in Secure SIP or SIP
over Transport Layer Security (TLS). RFC 3261 specifies this security framework
in the TLS subsection. Business-grade IP phones that are being produced today
contain this functionality. The hard part is finding providers that support TLS
VoIP services.
Additional risks that need to be considered when taking IP phones onto
untrusted networks are the devices’ software vulnerabilities. For example, there
have been reports of WiFi IP phones that in their default out-of-the-box configuration allow SNMP get and set commands. This lets the device be reconfigured by
anyone on the Internet. Another WiFi handset model has a default telnet daemon
that allows access based on default usernames and passwords. Once inside the
phone, an attacker can modify system variables and operating system registers.
With some in-house testing, providers could weed out most of the risky models
of phones and recommend the approved models to their consumer base if the
phones are not provided as part of the service subscription.
WHOLESALE VOIP SECURITY ON BROADBAND NETWORKS
One of the goals of Next-Generation Networks (NGNs) that carriers are deploying is not only to enable new service creation, but to reduce costs. The cost
reduction is achieved by delivering multiple services on a single network instead
of maintaining many disparate networks, each with its own expensive circuits
and equipment. Many carriers currently sell toll-quality voice through standard
residential phones. With the launch of VoIP services it would be important not to
devalue all the existing PSTN business through arbitrage, but it is wise to complement the service by offering less expensive calling rates on services that cost
the provider less. VoIP would cost the provider less because the infrastructure
required to carry and terminate the call is cheaper.
Telecommunication companies that have a large local presence in a specific
region may want to explore the option of taking in additional revenue streams by
selling voice termination to international or other local providers. A wholesale
environment has a loose relationship between the wholesale provider and the
customer purchasing voice termination or call routing.
The purchasing customer may be in another country, and she might want to buy
local dialing rates in the provider’s country. With VoIP all of this is possible,
although it does mean that the provider needs to expose part of its network to
the Internet. Session border controllers should be placed at the network edge in
the DMZ, as shown in Figure 12.3. This allows VoIP trunks over SIP (SIP peers)
to be established between autonomous systems. Figure 12.3 shows a service provider with connectivity to the Internet via its border router, and connectivity to
other private networks. For resiliency and scaling purposes, the provider may use
dedicated session border controllers between private networks.
Figure 12.3 Session border controllers connecting to various networks and to the deep inspection firewall. (Figure not reproduced. It shows the Internet, the border router, Private NET A, and Private NET B.)
In the figure, the telecommunications provider may serve as an interim network
between Private NET A and Private NET B. Calls between these networks may be
routed directly within the SP network, and special functions may be applied for
these call destinations.
A provider that wants to wholesale the termination of voice minutes on its VoIP
infrastructure may consider attracting international companies by making the
service available over the Internet via SIP.
LAWFUL INTERCEPTION IN BROADBAND NETWORKS
Government and law agencies have begun applying pressure to carriers to ensure
that the carriers will provide mechanisms for agencies to trigger the monitoring
of specific traffic flows and to send this data directly to the agencies. It is a complex and controversial subject for numerous reasons, but most importantly
because it creates a security paradigm between a carrier and a somewhat trusted
outside force.
From a business perspective, the agency is an untrusted entity. But from a network capability perspective, the agency has been given a significant level of trust.
The technical implications are real. Most specifically, lawful interception is the
ability to intercept entire IP streams, usually both to and from the customer, and
mirror the IP streams to law agencies that scrutinize the packets for illegal or relevant content (once the flows are recomposed into useful data).
Software feature sets on routers in the area of lawful interception are dictated by
requests from carriers that need to comply with local regulations regarding wiretapping and surveillance laws. For example, within some localities it is required
that general network operators will not be able to detect that a particular interface is being intercepted. This means that there is a level of abstraction on lawful
interception functionality and the details that troubleshooting operators can see.
TRIGGERS ON BNG INTERFACES
The BNG can trigger lawful interception capabilities by Command-Line Interface (CLI) commands or with RADIUS Change of Authorization (CoA) messages. CoA messages can allow a RADIUS server to modify subscriber attributes,
such as enabling the mirroring of traffic to or from the subscriber session to an
analyzer port (outbound mirrored port). This functionality is intended for lawful intercept capabilities, but it also works well for network troubleshooting
when trying to diagnose protocol issues with clients.
CONFIDENTIALITY
Mirroring the data is not enough in some networks. Because the intercepted traffic could actually be an attack on a top-secret government computer, the data
needs to be confidentially transferred over the service provider core. In some
implementations this can be handled with an IPSec or SSL VPN tunnel between
the interception point and the mediation point (the agency). This capability is
important to some law agencies to prevent prying eyes (within the service provider) on the attack by sniffing backbone traffic.
DENIAL OF SERVICE ON AUTHENTICATION SYSTEMS
Each time a broadband subscriber connects to a service provider, resources to
authenticate the user are consumed. Regardless of whether the user is connected
via DHCP, PPPoA, PPPoE, or IPoE, internal system processes are spent processing the user’s authentication attempt. Service providers need to protect their network from misconfigured clients and malicious users who may expose resource
limitations in back-end authentication systems.
For example, consider a common setup for PPPoA/PPPoE subscribers in which
PAP/CHAP credentials are configured in an ADSL modem. The modem may be
configured to reconnect upon link failure, so the modem constantly retries to
authenticate a subscriber. When the modem attempts to authenticate a subscriber, the BNG takes the supplied username/password credentials, queues them
in RADIUS requests, and issues requests of a RADIUS authentication server.
Commonly, there are fixed numbers of outstanding RADIUS messages that can
be processed or queued on both the BNG and RADIUS authentication servers.
At the same time that this single modem is attempting to reconnect, hundreds of
other RADIUS authentication requests might be occurring. The danger to the
service provider is that with rapid succession of attempts on a single subscriber
connection, it may be possible to prevent valid authentication attempts from
other subscribers due to insufficient resources in the network. Usually the end
client cannot be trusted to do the right thing; therefore, the BNG should implement good control-protocol rate-limit mechanisms to protect itself from attacks,
whether intentional or not.
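One way to implement the control-protocol rate limit recommended above, as an added example (not code from the book or any BNG vendor): a per-line token bucket applied before an authentication attempt is queued toward RADIUS, run over a constructed series of attempts in which one modem is stuck in a reconnect loop. The same mechanism serves the per-customer IGMP join threshold discussed later in the chapter; line identifiers, usernames and rates are assumptions.

```python
from collections import defaultdict


class LineRateLimiter:
    """Token bucket per key, using integer milliseconds and millitokens so the
    refill arithmetic is exact.  `rate` is tokens per second and `burst` the
    bucket capacity in whole tokens."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.capacity = burst * 1000
        self._tokens = {}             # key -> millitokens currently in the bucket
        self._last = {}               # key -> time of the last update (ms)
        self.dropped = defaultdict(int)

    def allow(self, key, now_ms):
        tokens = self._tokens.get(key, self.capacity)
        last = self._last.get(key, now_ms)
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        self._last[key] = now_ms
        if tokens >= 1000:
            self._tokens[key] = tokens - 1000
            return True
        self._tokens[key] = tokens
        self.dropped[key] += 1
        return False


def constructed_attempts():
    """Constructed PPP authentication attempts as (time_ms, line, username).
    Line DSL-1/2/3:7 is a modem in a reconnect loop at 20 attempts per second
    for two seconds; five other lines each make one normal attempt."""
    attempts = [(t, "DSL-1/2/3:7", "bob@isp.example") for t in range(0, 2000, 50)]
    for i, t in enumerate(range(300, 1300, 200)):
        attempts.append((t, f"DSL-1/2/3:{8 + i}", f"user{i}@isp.example"))
    return sorted(attempts)


def process_attempts(attempts, limiter):
    """Run attempts through the limiter as a BNG would before queuing a RADIUS
    Access-Request.  Returns {line: {"forwarded": n, "rate_limited": n}}.
    The bucket key is the physical line rather than the username: a client
    chooses the username it sends, but not the line it is attached to."""
    stats = defaultdict(lambda: {"forwarded": 0, "rate_limited": 0})
    for t, line, _username in attempts:
        if limiter.allow(line, t):
            stats[line]["forwarded"] += 1
        else:
            stats[line]["rate_limited"] += 1
    return dict(stats)


if __name__ == "__main__":
    # One new authentication per second with a burst of three per line.
    result = process_attempts(constructed_attempts(), LineRateLimiter(rate=1, burst=3))
    for line, counts in sorted(result.items()):
        print(f"{line}: {counts}")
```

With these settings the looping modem gets four requests through in two seconds instead of forty, and the other lines are unaffected because each has its own bucket.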
SOLUTIONS FOR ENHANCING SECURITY ON AUTHENTICATION SYSTEMS
The following sections contain some ideas and concepts that can improve
authentication systems on carrier networks. By no means is this a complete list.
Some of the ideas may be difficult to integrate into existing provisioning and
OSS systems. The goal is to recognize the important role that authentication
systems play within carrier networks and to reduce the risk to service
degradation.
AUTHENTICATE AND ACCEPT ALL REQUESTS
One approach is to provide a RADIUS authentication accept along with other
RADIUS Vendor-Specific Attributes (VSAs) that allow the subscriber to connect
and receive an IP address inside a routing context with no connectivity to real
services. Basically, for a user who supplies invalid credentials, the system accepts
the user and places him in an area that does not provide external services, such as
the Internet. This could be combined with a web redirecting portal that tells the
user that he has entered invalid credentials, tells him how to troubleshoot the
issue, and supplies him with a procedure for rectifying the situation.
This strategy reduces the strain on the back-end systems and the BNG, because
most PPP clients are satisfied that they have connected when they receive an IP
address. It is important to mention that this technique is of value only if the client is a valid PPP client and not a malicious attack. Specially designed client
applications have been created by attackers that generate authentication attempts
at line-rate speeds. This has caused some BNGs to begin dropping authentication
requests from valid authentication clients.
Authenticating to the network with PPP credentials (username and password)
may not be necessary if the provider grants access based on a subscriber line versus access based on the user-defined attributes. This form of authentication is
identical to how a telephone is used today.
PASSWORD-FREE NETWORKS
When the concept of using a password to get access to the network does not exist,
a few things become apparent. First, a security exposure (account theft through
password compromise) is removed. Second, delivering the service is easier.
Application services such as VoIP and other subscriber-centric services may still
require a password or some form of authentication. But by removing the network-level password, a provider may benefit financially by reducing Operational
Expenses (OpEx) from fewer support-related calls concerning password issues.
However, the main benefit of this approach is to begin trusting infrastructure
more and subscriber-supplied passwords less. A PPP environment still has ways
to accomplish the same concept. Having a standard username and password,
preferably ones that are the defaults on the residential gateway, allows the service provider to easily activate the service.
LOAD BALANCING OF AUTHENTICATION SYSTEMS
Placing network load balancers in front of the AAA systems allows peak loads to
be distributed across multiple AAA servers, as shown in Figure 12.4. Load balancers typically have their own method of high availability or resiliency. Application health checks allow the load balancers to monitor if a particular AAA server
is responding. These health checks send AAA packets from the load balancers and
expect a reply if all is in order. They are a good measure to ensure that the
load-balancing function does not forward packets to systems that are not responding.
Figure 12.4 Application load balancers. (Figure not reproduced. It shows application load balancers placed in front of the AAA servers.)
SECURING VIDEO DISTRIBUTION SYSTEMS
When securing video distribution systems, it is best to split the topic into two
separate areas of discussion. The first is security concerns when joining broadcast
channels, and the second is security concerns with video on demand (VoD) systems. Additionally, you can restrict which channels may be joined at a network
layer. We talk about it in this section.
MULTICAST JOIN STATE AND SPEED WITH BROADCAST CHANNELS
Internet Group Management Protocol (IGMP) is used by clients to join multicast
channels or groups. An issue that has been discussed in great detail within networking forums is the speed at which channels may be changed on IP backbones
that serve multicast streams. The goal is to provide not only fast channel changes,
but also efficient network utilization.
IGMP join time needs to be fast, but because these packets are control packets,
they need to be inspected by the BNG to ensure that a flood of IGMP packets
does not bombard the BNG. Suspicious flow detection, which is discussed later
in this chapter, detects IGMP thresholds on a per-customer basis and enforces
sane joins-per-second.
Some providers use static joins to popular groups on a multicast VLAN that faces
the aggregation network and then the access node. The statically defined groups
would be defined on the BNG and may reference the normal suite of broadcast
television channels. The intended behavior is to provide faster join times,
because the group would already be available on the aggregated network and
quite possibly would already be available on the access node. For more unique
programming content, such as The Whale Channel, the IGMP messages would
be transparently snooped on the access node and would flow all the way up to the
BNG. The BNG would then join the specific group that contains The Whale
Channel, and the forwarding of traffic would flow down to the customer.
MULTICAST GROUP ACCESS LISTS WITH BROADCAST CHANNELS
The BNG may have policies that enforce which channels a user may receive. On
Juniper Networks JUNOSe and Cisco Systems IOS, these policies are enforced
on a per-interface basis by consulting an access list that accepts or rejects specific
groups that are referenced in an IGMP message. Service providers typically
create a handful of profiles for video packages they want to offer, such as the
following:
• Gold package (all multicast groups )
• Movie package (premium movie groups)
• Sports package (major international and local sports channels)
Corresponding access lists that reference the groups are applied to individual
customer interfaces.
Many video systems now rely on securing content by using Public Key Infrastructure (PKI), encrypting all the video content, and decrypting the content at
the set-top box—although a good safeguard is still to have some IGMP access lists on the network edge, perhaps for unencrypted groups that are part of a
package to which the user needs to subscribe.
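The per-interface group policy described above, as an added example that is not the book's or any vendor's code: package profiles expressed as ordered permit/deny access lists, bound to subscriber interfaces and applied to the groups in an IGMP membership report. The group ranges, package names and interface identifiers are constructed for the example.

```python
import ipaddress

# Constructed package definitions.  Each access list is evaluated top to bottom,
# the first matching entry wins, and a group that matches nothing is denied,
# mirroring the implicit deny at the end of a standard access list.
PACKAGE_ACLS = {
    "gold":   [("permit", "224.0.0.0/4")],          # every multicast group
    "movie":  [("permit", "239.1.0.0/16"),          # basic channel lineup
              ("permit", "239.10.0.0/16")],         # premium movie groups
    "sports": [("permit", "239.1.0.0/16"),
              ("permit", "239.20.0.0/16")],         # sports channels
    "basic":  [("deny", "239.1.99.0/24"),           # pay-per-view block carved out
              ("permit", "239.1.0.0/16")],
}

# Constructed binding of subscriber interfaces to the package they purchased.
INTERFACE_PACKAGE = {
    "GigabitEthernet2/0.100:sub1": "movie",
    "GigabitEthernet2/0.100:sub2": "gold",
    "GigabitEthernet2/0.200:sub3": "basic",
}


def group_permitted(acl, group):
    """First-match evaluation of one group address against an access list."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        return False                  # not a group address at all: never join it
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action == "permit"
    return False                      # implicit deny


def filter_igmp_report(interface, groups):
    """Apply the interface's package ACL to the groups listed in an IGMP
    membership report.  Returns (accepted, rejected); only accepted groups
    would be joined upstream by the BNG."""
    package = INTERFACE_PACKAGE.get(interface)
    acl = PACKAGE_ACLS.get(package, [])   # unbound interface: deny everything
    accepted, rejected = [], []
    for g in groups:
        (accepted if group_permitted(acl, g) else rejected).append(g)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed report: one basic channel, one movie group, one sports group.
    report = ["239.1.1.1", "239.10.2.2", "239.20.3.3"]
    for iface in sorted(INTERFACE_PACKAGE):
        print(iface, filter_igmp_report(iface, report))
```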
VIDEO ON DEMAND SECURITY
VoD services allow users to choose video content and have it delivered on demand to their video clients. The technology behind the scenes uses centralized
or distributed servers that provide a series of time/resource slots in which clients
connect. The servers stream the content and the clients buffer a few seconds of
the stream in case of packet or frame drop in the network. Because the video
stream is dedicated to a single client, it makes sense that this traffic would be
delivered unicast to the client.
Firewalls and Intrusion Detection and Prevention (IDP/IDS) systems with application-layer support for securing video servers are important to protecting the
video area within the network framework. This includes features such as preventing SYN or UDP floods against the infrastructure, malformed protocol messages, or simply
too many requests from a single client. Most carrier-grade firewalls can cope with
large traffic flows and high bit rates and can prevent SYN and RST attacks against
the infrastructure.
Due to the nature of video, it takes only a short duration of degradation on the
carrier network’s VoD servers to create a serious problem. Losing only a single
frame in MPEG streams can cause a noticeable issue for the subscriber. For this
reason, some VoD solutions use dedicated servers that buffer large portions of
the streamed video content and allow the client or set-top boxes to re-request
portions of the data. All of this happens at the application level. It’s important to
protect these VoD servers from even accidental resource exhaustion caused by
subscriber-initiated requests.
PROTECTING THE CONTROL PLANE IN THE ROUTING
INFRASTRUCTURE
Modern BNGs provide rate limiting on a per-protocol basis from the forwarding
plane to the control plane. The router’s rate-limiting capability allows the BNG
to protect itself from erroneous or malicious clients that send a high rate of
packets that require the control plane to inspect or respond.
In a typical broadband access environment, a BNG runs subscriber management
protocols such as PPPoE and DHCP and routing protocols such as BGP toward
the core. The BNG is a termination point for thousands of customers. Therefore,
if a flood of control packets arrives at the router, prioritization of protocols
toward the control plane should occur. The primary goal of this behavior is to
prevent failure of critical control plane functionality, such as the loss of BGP sessions when a flood of ICMP traffic is directed at the BNG.
BNGs must be able to distinguish between the different types of protocols that
arrive at the network interface cards and provide a throttling mechanism on a
choke point between the forwarding plane and the control plane. One way to
think of this behavior is that the router identifies traffic by protocol, such as
ICMP, BGP, PPP/LCP, or OSPF. The router then assigns specific internal rate limiters by protocol. This is a double-edged sword. If a single user were to fill a central PPP packet queue, other PPP customers would be affected. Therefore it
makes more sense to detect anomalies and provide mechanisms to quell suspicious flows of protocol traffic from specific customer interfaces.
SUSPICIOUS FLOW DETECTION
Suspicious Flow Detection (SFD) functionality in BNGs is a major plus, because
it allows the router to analyze traffic, detect suspicious traffic flows, and then disable interface stacks for a period of time. This requires the maintenance of state
information, which can be quite expensive. However, if implemented correctly,
the system can achieve a good level of protection required to mitigate the effect
of protocol attacks.
One example implementation of SFD is found in Juniper's JUNOSe operating system. The BNG analyzes the low-level protocols and tracks the packet rate
per subscriber for a multitude of protocols, including ARP, DHCP requests,
PPPoE PADI messages, ATM 1483 OAM and LMI, IP, ICMP, and MPLS. If a
specific flow is marked as suspicious, all packets belonging to the flow are
dropped on the line card until the flow expires or is no longer marked as
suspicious.
Some examples of control protocol flooding that should be prevented in BNGs
are IP TTL floods (packets whose TTL expires at the BNG, each requiring an
ICMP reply), extremely rapid DHCP requests, IP options, router alert, and
PPP LCP echo requests. The consequence of not detecting and eliminating this
traffic at the network edge is a poorly performing network and edge element,
and thousands of users may be affected. However, some requests can be
effectively controlled only at an interface to the server layer by a firewall,
because of the complex protocol inspection that needs to be done. Filtering
network-level and some application-level protocol flows scales better at the
network edges. But if the protocol machinery is relatively complex, or IP
address lists must be continually maintained, this may scale better at a
centralized point.
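The two mechanisms discussed above, a shared per-protocol rate limiter between the forwarding and control planes and per-subscriber suspicious flow detection, can be contrasted in a small simulation. The following is an added Python example, not JUNOSe code and not from the book; the policer limits, the SFD threshold and penalty period, the interface names and the constructed traffic pattern are all assumptions. One subscriber floods PPP LCP echo requests at 1000 packets per second while a second sends ten per second. With only the shared policer, the flood starves the well-behaved subscriber (the "double-edged sword"); with SFD in front of it, the flooding interface is marked suspicious after the threshold is crossed, its packets are dropped on the line card for the penalty period, and the well-behaved subscriber is untouched.

```python
"""Control-plane protection on a BNG: a shared per-protocol policer versus
per-subscriber suspicious flow detection (SFD). Added example, not JUNOSe
code; limits, thresholds, interface names and traffic are assumptions.
Time is kept in integer milliseconds so the results are exact."""
from collections import defaultdict, deque


class TokenBucket:
    """Token bucket: `rate` tokens per second, burst of `burst` tokens.
    Tokens are stored in thousandths, so `rate` tokens/s is `rate`
    millitokens per millisecond."""
    def __init__(self, rate: int, burst: int):
        self.rate, self.burst_m = rate, burst * 1000
        self.tokens_m, self.last_ms = burst * 1000, 0

    def allow(self, now_ms: int) -> bool:
        self.tokens_m = min(self.burst_m,
                            self.tokens_m + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens_m >= 1000:
            self.tokens_m -= 1000
            return True
        return False


class ControlPlanePolicer:
    """One bucket per protocol, shared by every subscriber on the router."""
    def __init__(self, limits):
        self.buckets = {proto: TokenBucket(rate, burst)
                        for proto, (rate, burst) in limits.items()}

    def admit(self, proto: str, now_ms: int) -> bool:
        bucket = self.buckets.get(proto)
        return True if bucket is None else bucket.allow(now_ms)


class SuspiciousFlowDetector:
    """Per (interface, protocol) rate tracking. A flow exceeding `threshold`
    packets inside `window_ms` is marked suspicious; every packet of that flow
    is then dropped until `penalty_ms` has elapsed, after which counting
    starts afresh."""
    def __init__(self, threshold: int, window_ms: int, penalty_ms: int):
        self.threshold, self.window_ms, self.penalty_ms = threshold, window_ms, penalty_ms
        self.history = defaultdict(deque)   # flow -> recent packet timestamps
        self.suspicious = {}                # flow -> time the penalty expires

    def admit(self, interface: str, proto: str, now_ms: int) -> bool:
        flow = (interface, proto)
        expiry = self.suspicious.get(flow)
        if expiry is not None:
            if now_ms < expiry:
                return False                # still marked: drop on the line card
            del self.suspicious[flow]
            self.history[flow].clear()
        stamps = self.history[flow]
        stamps.append(now_ms)
        while stamps and stamps[0] < now_ms - self.window_ms:
            stamps.popleft()
        if len(stamps) > self.threshold:
            self.suspicious[flow] = now_ms + self.penalty_ms
            stamps.clear()
            return False
        return True


def run_scenario(use_sfd: bool):
    """Constructed traffic: interface 'flood' sends 1000 LCP packets/s,
    interface 'normal' sends 10/s, both for one second.
    Returns (flood_admitted, normal_admitted) at the control plane."""
    policer = ControlPlanePolicer({"lcp": (50, 20)})     # assumed: 50 pps, burst 20
    sfd = SuspiciousFlowDetector(threshold=30, window_ms=1000, penalty_ms=60_000)
    admitted = {"flood": 0, "normal": 0}
    packets = [(ms, "flood", "lcp") for ms in range(1000)]
    packets += [(ms, "normal", "lcp") for ms in range(0, 1000, 100)]
    for now_ms, iface, proto in sorted(packets):
        if use_sfd and not sfd.admit(iface, proto, now_ms):
            continue                                     # dropped on the line card
        if policer.admit(proto, now_ms):
            admitted[iface] += 1
    return admitted["flood"], admitted["normal"]


if __name__ == "__main__":
    print("policer only   (flood, normal):", run_scenario(use_sfd=False))
    print("policer + SFD  (flood, normal):", run_scenario(use_sfd=True))
```

With the policer alone the flooding interface consumes every token as it is refilled, so the normal subscriber gets one packet through and then none; with SFD the flood is cut off after 31 packets and the normal subscriber's ten packets all reach the control plane. The state SFD needs (a timestamp history per flow) is the cost the text refers to.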
NETFLOW/J-FLOW/C-FLOW STATISTICAL COLLECTION
Collecting traffic flow statistics (not to be confused with suspicious flows) on
BNGs provides a method to understand the traffic at a more granular level. Flows
are collected based on sampling of traffic that is forwarded. A flow typically consists of information from the IP header and transport-layer header, such as IP
source address, IP destination address, protocol, source port, destination port,
and sometimes, router interface. A flow record or multiple flow records are sent
to configured collection hosts for each flow that is sampled. Flows are given an
identifier in the flow record to allow correlation on offline systems to determine
if multiple flow records refer to a single flow.
The raw flow records can then be fed into offline tools that produce detailed
graphs and statistical models of network traffic. The benefit of using NetFlow
instead of, or in combination with, standard interface graphing is that you can
create graphs that show the top packet forwarders and the most frequent
protocols, detect Distributed Denial of Service (DDoS) networks and attacks,
and recover the forensic details needed to trace attacks that have already
occurred.
As soon as the information is collected from routers in the network, the flows
can be stored in databases and archives on servers, where the relevant
information can be parsed into readable graphs and statistics. If attacks or
spam originate from the service provider network and logs are supplied by the
reporting party, an operator can search for traffic flows that correspond to
that party's report and determine if and when the traffic actually did
originate from the alleged perpetrator.
The other added benefit concerning security is the ability to watch, trend, and
possibly respond to new network anomalies. These might include a new worm or
virus that is infecting machines on the Internet and, in turn, infecting additional
hosts. If the overall traffic volume remains steady, it would be difficult to realize
that the worm is running rampant through the network. One way to tell would
be if the flow statistics showed a new port (possibly used by the worm to spread)
that is increasing in usage at a tremendous rate.
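The three uses of flow records described above (top talkers, tracing a reported attack back to a source, and spotting a new port climbing in usage) can be shown on a handful of records. The following is an added Python example, not the output of any collector and not from the book; the flow records are constructed inline, and the field layout, addresses, timestamps and thresholds are assumptions. The constructed export contains steady web traffic and, in its second minute, one host that begins spraying UDP port 1434 (the port used by SQL Slammer) at many destinations.

```python
"""Offline analysis of sampled flow records: top talkers, fast-growing
destination ports, and attribution of a reported attack. Added example, not
collector or vendor code; the records are constructed, not real exports."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    start: int        # flow start, seconds since an arbitrary epoch (constructed)
    src: str
    dst: str
    proto: int        # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int
    octets: int
    in_if: str        # ingress interface reported by the router


def make_records():
    """Constructed flow export: five hosts fetching web pages every 10 s for
    two minutes, plus one host that starts spraying UDP/1434 at t=60."""
    recs = []
    for t in range(0, 120, 10):
        for i in range(5):
            recs.append(FlowRecord(t, f"10.1.0.{i}", "203.0.113.10", 6,
                                   40000 + i, 80, 20, 15000, "ge-0/0/1"))
    for t in range(60, 120, 2):
        for j in range(3):
            recs.append(FlowRecord(t, "10.1.0.7", f"198.51.100.{(t + j) % 250}",
                                   17, 1434 + j, 1434, 1, 404, "ge-0/0/1"))
    return recs


def top_talkers(recs, n=3):
    """Source addresses ranked by octets forwarded, which an interface
    graph alone cannot show."""
    by_src = Counter()
    for r in recs:
        by_src[r.src] += r.octets
    return by_src.most_common(n)


def fast_growing_ports(recs, window=60, factor=5, min_flows=10):
    """(proto, dport) pairs whose flow count in the latest window is at least
    `factor` times the previous window. A port that appears from nothing and
    climbs like this is the signature of a worm spreading."""
    per_window = defaultdict(Counter)
    for r in recs:
        per_window[r.start // window][(r.proto, r.dport)] += 1
    windows = sorted(per_window)
    if len(windows) < 2:
        return []
    prev, cur = per_window[windows[-2]], per_window[windows[-1]]
    return sorted(k for k, c in cur.items()
                  if c >= min_flows and c >= factor * max(prev[k], 1))


def attribute(recs, alleged_src, reporter, t0, t1):
    """Answer a complaint: did `alleged_src` send traffic to the reporting
    party's address between t0 and t1? Returns the matching records."""
    return [r for r in recs
            if r.src == alleged_src and r.dst == reporter and t0 <= r.start <= t1]


if __name__ == "__main__":
    recs = make_records()
    print("top talkers:", top_talkers(recs))
    print("fast-growing ports:", fast_growing_ports(recs))
    print("10.1.0.7 -> 198.51.100.60:", attribute(recs, "10.1.0.7", "198.51.100.60", 60, 120))
```

Note that the spraying host is nowhere near the top of the byte count: each of its flows is a single small packet. It is the flow count on a previously unseen port that gives it away, which is the point made above about a worm that leaves overall volume steady.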
PACKET FILTERS
Applying strict packet filters to BNGs to protect against control protocol attacks
is not as vital if SFD is enabled. The listening ports for various protocols typically
are bound to specific interfaces and routing instances. For example, if BGP is
enabled on core-facing interfaces in the default routing instance, customers who
are terminated into another routing instance cannot open a TCP session with
the BGP daemon on the router.
Packet filters to protect users from worms and trojans may be necessary to protect the user's service and the Internet's stability. Global routing was destabilized
by the SQL Slammer worm as it began scanning multicast address ranges: this
generated a flood of Source-Active (SA) messages on networks running Multicast Source Discovery Protocol (MSDP).
Other worms, such as Code Red, simply created such an incredible scanning and
infection rate that the bandwidth congestion on links caused BGP time-outs.
The BGP time-outs turned into flapping behavior, which led to BGP route-flap
dampening, which caused widespread network unreachability.
For these reasons it is at the operator’s discretion to apply packet filters that help
protect the routing infrastructure and, in some cases, protect the clients directly,
even if this means giving the subscriber a filtered IP connection.
BLACKHOLE/SINKHOLE ROUTING
When DDoS attacks enter from either the provider’s customers or other networks, it is necessary to get a handle on the traffic—and quickly! Backbone network operators may already be familiar with blackhole or sinkhole routing. The
concept involves preconfigured policies on the network that are enacted when
traffic is singled out and referenced in the policy. Blackhole routing usually
allows a provider to drop traffic for a specific prefix or route the traffic to a discard/null interface. BGP policy can influence or trigger blackhole routing by tagging the appropriate BGP community that is matched in BGP policy around the
network.
Sinkhole routing is useful for the same purpose and is essentially the same concept, except that the traffic is routed to an analyzer. This is very similar to lawful
interception. However, with a sinkhole, the traffic usually comes from another
network or multiple networks, and the idea is to capture a better understanding
of it, or simply to discard it. These may be DDoS attacks that are being received
from multiple autonomous systems (ASs) that are peers of the provider. Figures
12.5, 12.6, and 12.7 show a sequence of these variations in action.
[Figure 12.5 Distributed denial of service to a single host. Labels in the figure: AS 100, AS 200, AS 300, Service Provider, and the attacked host 192.168.1.1/32.]
Figure 12.6 shows how the DoS traffic can be blocked at the ingress of the network. One way to achieve this is to match the destination address of the flow or
flows and advertise these routes to the other routers in the AS via IBGP with a
special community value. This community value instructs routers to discard traffic matching that destination.
[Figure 12.6 Sinkhole of traffic to an attacked host by discarding the DoS flow's source address at the border routers. Labels in the figure: AS 100, AS 200, AS 300, Service Provider, 192.168.1.1/32; the X marks indicate the provider's border routers where the flow is discarded.]
[Figure 12.7 Sinkhole of traffic to an attacked host. Labels in the figure: AS 100, AS 200, AS 300, Service Provider, 192.168.1.1/32, and a Traffic analyzer to which the flow is redirected.]
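The community-triggered mechanism behind Figures 12.6 and 12.7, as an added Python model rather than router configuration or code from the book. The community values, router names, the analyzer address and the next hops are assumptions. A trigger router originates the attacked /32 into iBGP tagged with a community; each border router's import policy matches that community and rewrites the next hop either to a discard interface (blackhole) or to the analyzer (sinkhole). Longest-prefix matching means the rest of the customer's /24 keeps forwarding normally, and withdrawing the /32 restores the original path.

```python
"""Community-triggered blackhole and sinkhole routing, as a Python model of
the BGP policy described above. Added example, not router configuration;
community values, router names, next hops and prefixes are assumptions."""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE = "65000:666"            # assumed community: discard matching traffic
SINKHOLE = "65000:667"             # assumed community: divert to the analyzer
DISCARD_NEXT_HOP = "discard"       # stands in for a null/discard interface
ANALYZER_NEXT_HOP = "192.0.2.254"  # assumed address of the traffic analyzer


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    communities: frozenset = field(default_factory=frozenset)


def import_policy(route: Route) -> Route:
    """Import policy applied to every iBGP update: match on community and
    rewrite the next hop. Routes without a special community pass unchanged."""
    if BLACKHOLE in route.communities:
        return Route(route.prefix, DISCARD_NEXT_HOP, route.communities)
    if SINKHOLE in route.communities:
        return Route(route.prefix, ANALYZER_NEXT_HOP, route.communities)
    return route


class BorderRouter:
    def __init__(self, name: str):
        self.name = name
        self.rib = {}    # prefix -> Route after import policy

    def receive_update(self, route: Route):
        self.rib[route.prefix] = import_policy(route)

    def withdraw(self, prefix: str):
        self.rib.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address: str) -> str:
        """Longest-prefix match; returns the next hop a packet would take."""
        addr = ipaddress.ip_address(address)
        best = None
        for prefix, route in self.rib.items():
            if addr in prefix and (best is None or prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best.next_hop if best else "unreachable"


def trigger(routers, prefix: str, community: str):
    """What the operator's trigger router does: originate the prefix into
    iBGP tagged with the community that the border routers match on."""
    update = Route(ipaddress.ip_network(prefix), "192.0.2.1", frozenset({community}))
    for r in routers:
        r.receive_update(update)


def demo():
    """Walk through Figures 12.5 to 12.7 on three constructed border routers."""
    borders = [BorderRouter(n) for n in ("border-as100", "border-as200", "border-as300")]
    for r in borders:   # the customer aggregate learned before the attack
        r.receive_update(Route(ipaddress.ip_network("192.168.1.0/24"), "10.0.0.9"))
    before = borders[0].lookup("192.168.1.1")
    trigger(borders, "192.168.1.1/32", BLACKHOLE)           # Figure 12.6
    during = [r.lookup("192.168.1.1") for r in borders]
    neighbour = borders[1].lookup("192.168.1.2")            # rest of the /24 unaffected
    trigger(borders, "192.168.1.1/32", SINKHOLE)            # Figure 12.7
    sinkholed = borders[2].lookup("192.168.1.1")
    for r in borders:
        r.withdraw("192.168.1.1/32")
    after = borders[0].lookup("192.168.1.1")
    return before, during, neighbour, sinkholed, after


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants from this model is the one on the neighbouring address: the blackhole must be as narrow as the attacked host, since a policy that matched the whole /24 would complete the attacker's job for them.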
SUMMARY
Broadband networks are evolving into multiservice networks. Networks are supporting more and more users and are providing services that require greater control and reliability. Broadband networks are carrying voice, video, more data,
and best-effort Internet data. Each service has its own set of security requirements. Because of the critical nature of some of the services, such as voice, the
networks need to ensure secure and reliable architectures.
Security is not just access lists and firewalls. It’s a process that needs to be
ingrained into the protocols, the systems, the elements, the provisioning, and the
business. For many providers, constructing multi-play broadband networks is a
shift in business models. These networks are the bread and butter of how the
provider will do business. Additional services will be components that can be
provided on the newly created multi-play networks. With an entire series of business objectives that focus on network and service delivery, it is imperative to
think about the network’s reliability. If the network is secure, it is bound to
enhance the service’s reliability. Higher reliability is a concept, much like performance. It’s a perception that is backed up by statistical data and the outcome is
tangible. The outcome of a secure and reliable network is a network that can
carry and deliver more services with greater service level agreements. This is beneficial for the consumers and the carrier.
Over the next few years we will continue to see more intelligent elements added
to networks. Firewalls will increase in performance as more features are implemented in hardware ASICs and FPGAs. To handle more state and more complexity, intelligence and signaling will be distributed. One such example where we
will see vast improvements will be the focus on IP Multimedia Subsystem (IMS)
integration and concepts into routers and other networking components. Single-device SBCs have greater CPU power and clustering support to handle higher
throughputs and session counts. When VoIP calls scale to hundreds of thousands of concurrent sessions, single-box intelligence will have scaling issues. This
is why intelligence about VoIP signaling, VoIP streams, and video channel membership and statistics will be managed across entire networks. Intelligent and controllable routers, which are already getting standards-based APIs, will simply
become control points. The opening and closing of ports and access for signaled
sessions will be controlled on the intelligent network as a whole.
The concept of broadband networks with multi-play services has sparked the
creation of many additional protocols. These protocols will be scrutinized by
security professionals and systems hackers. Protocols and hacking techniques
will become more complex. The architects, designers, engineers, businesspeople,
and users are at an important point in time. Broadband networks that deliver
all services will become more widely deployed, and the reliance on them will
increase. This will push security technologies to delve into more complex attacks
and inspection, thereby creating a better service for consumers and a better
network for providers.