October 2011

Security Early Warning System: The Challenge for Telecom

We watched with horror the videos of the tsunami that struck Japan in March 2011.  Our hearts went out to the people of that great nation.

As terrible as the tragedy was, Japan’s preparedness and earthquake/tsunami early warning systems allowed thousands of people to flee to safety before Nature unleashed its devastating power.

A Denial of Service (DoS) attack is the malicious equivalent of a tsunami.  It is, in fact, a cyber-security breach that uses a flood of data to overwhelm an enterprise’s connections, stopping it from communicating or doing business online.

Today, telecom service providers are the DoS early detection and warning system for thousands of enterprises who pay for the extra strengthening of defenses and detection that DoS requires.  It’s a watchdog role that the service providers are in a unique position to play.

Unfortunately, large enterprises, in particular, are wholly unaware how vulnerable they really are to DoS attack.  Public relations flare-ups, for example, have triggered massive attacks against corporations whose businesses have been temporarily shut down and suffered huge financial damage.

This week I am speaking with Paul Scanlon of Arbor Networks, a company in the thick of DoS defense.  Arbor’s solutions detect and mitigate DoS attacks and are often part of a service provider’s network early warning system.  Paul is a solution architect for Arbor Networks in the Americas.  Most recently, he worked to develop and manage Arbor Networks’ Threat Management System (TMS) product line.

Paul will talk us through many of the issues and changes roiling the telecom industry that are making network security more difficult and why the service providers are integral partners in a network security strategy.  And while Paul again hits on wireless broadband growth being at the forefront of these changes, he puts this impact, and its importance, in a slightly different light.

James Heath: Service providers are the first line of defense for many of their customers, be they enterprises or consumers.  And it occurs to me that Arbor is in the position of seeing first-hand how telecoms defend their customers from cyber-attack.  So how well are telecoms and enterprises working together to defend against their common enemy?

Paul Scanlon: You know, it’s funny, I read your blog post on March 7 and thought the point that Steve Shalita of NetScout made is part and parcel with how we operate.  We also provide visibility to what’s going on in the network, because you can’t secure what you can’t see.  The first thing you have to do is maintain and establish positive control over the network.  The real challenge with visibility in telecom networks is scale.

Scale is the major difference between the enterprise and the service provider network security markets.  If you’re working with an enterprise, a point solution may be sufficient, a solution that looks at a finite number of interfaces or connections.  If that solution provides visibility at those key network points, they can maintain visibility over the most critical components of their network.

Service providers have a much larger network, with many more interfaces and connections to monitor, and typically fewer applications to fine-tune than the enterprise does.  In essence, the service provider needs to worry mainly about keeping the IP transport and routing services running.

Even still, enterprises know that their range of control is limited.  They can only serve people on their website or transact business online by communicating with networks outside their control.  Likewise, they know their telecom provider has that interconnectivity and transport and is far more knowledgeable in large scale networks.  Furthermore, the service provider has the security measures and traffic visibility to provide early warning and attack recovery services.  This is why enterprises see service providers as the perfect partners to provide this first line of defense.

Visibility into the network is tough.  Do you have advice or any rules of thumb to help telecoms prioritize their viewing points in the network?

Well, as Metcalfe observed, the value of the network is the square of the devices attached to it.  So a peering point where two service provider networks meet is one of the more valuable points.  I would start there.

A Tier 2 or regional service provider may have a limited number of connections to the outside world, so the choice of the best points to monitor may be relatively easy.  The larger the network becomes, the more those peering points start to blur.  If you’re operating a global Tier 1 network, your peering points may be connected to some of the biggest networks in the world, governments, and to a large number of smaller service providers.  To them the peering edge is much less defined than it is for a smaller or regional carrier which has outlets to the Tier 1 provider networks.

Beyond monitoring the peering points, the next step is to wrestle with the economics of how much additional coverage you can afford.  But I would say the next points in importance that you need fine-grained visibility around are your service points.  Finally, begin to trade off monitoring traffic, and at what depth this traffic is monitored, with the level of enforcement of your “acceptable use” and other policies that control connections into your network and how the network is used by a subscriber or an employee.

What features and capabilities of Arbor Networks are delivering value to telecoms as they secure their own and their customers’ networks?

A feature we think is unique is our ability to correlate data across multiple points in the network quickly.  One of the design goals of our system is that it will generate a report in under a second when requested.

Now, because visibility is so critical, our solution provides a global view of an autonomous system; we can scope the view to your zone of control or the boundaries of interest.  To provide this, you have to look at the entire network and then coordinate and correlate what’s happening across the network at these various points.  So if you’re correlating traffic across multiple links, we can generate the report and distribute it around the world in under a second.

Another aspect of visibility we provide is visibility of network traffic across logical entities and geographies.  The correlation between the network and geography provides a lot more information to the operator about cause and effect in the real world.

After the recent earthquake, you could see the peering sites and BGP routing tables around Japan and Asia Pac start to change as the network recovered from outages.  Seeing that geographically is invaluable.  Otherwise, you may see change in the BGP tables in San Francisco, but not understand that the change is really coming from Japan.  Seeing that extra dimension helps people understand cause and effect, allowing them to react much faster, and that’s critical in today’s world.

You see LTE as a hot topic and the growth in broadband wireless is outstripping all other subscriber growth.  How are these issues affecting Arbor Networks’ view of the future and what headaches will service providers encounter in addressing these issues?

I think IP networks moving into the wireless space will be challenging on many levels.  Large organizations have managed IP and wireless in separate silos and there were good efficiency reasons for doing it that way, but today, that same silo approach is creating barriers to smooth information flow and best practices.

When two silos converge, as is happening now with wireless and IP, the issues of trust and credibility become important for successful implementation.  Cooperation between the two groups builds trust and this will be less of an issue as we move through the next few years of convergence.

In some ways this is a religious war reminiscent of the old “Bell-heads versus Net-heads” debates of a decade or so ago.  Until recently, IP in wireless networks was limited to mostly transport networks.  For example, in a UMTS network, one side of the GGSN and SGSN used standard wireless protocols, while the other side used IP.

A firewall on the transport side of the SGSN or GGSN could enforce policy between the IP network and the wireless network, but may be exposed to new threats such as distributed DoS (DDoS).  Placement of threat management system solutions to prevent the SGSN or GGSN from being knocked out by traffic inbound to a wireless subscriber is more likely today with the ending of walled gardens and the resultant proliferation of different wireless devices and applications.

IP is pervasive in the architecture of LTE networks.  This obviously affects the wireless team as they need to become more proficient in IP technology.  What is less apparent is the effect it has on the IP team.

IP teams are affected by two factors.  First, wireless service providers are becoming the dominant Internet Service Providers.  The number of mobile broadband subscribers exceeds the number of fixed broadband subscribers in many markets.  This means that the IP team will have to come to grips with the mobility being introduced by the wireless networks.

But secondly, the really big change for IP teams is the shift from connectivity-oriented services to real-time or streaming services.  That’s hitting the wireless guys at the same time it’s forcing changes in the IP network, and because they’re overtaking the fixed market, the wireless teams are going to be relied upon to take more of a lead in resolving the IP issues that arise in the LTE architectures.

The new reliance on cooperation between IP data networks and LTE is why trust is becoming such an important element facilitating this convergence.  If trust is not continually built between these two teams, there’s going to be a lot of finger pointing as IP moves further into wireless networks and wireless accounts for more IP traffic.  This is even more critical as both teams work to deploy IPv6 to address the explosive growth on the wireless edge.

There are a lot of technologies in IP that will make certain that the operation is seamless, end to end.  But the rollout of IPv6 and the challenges that arise with the interconnection of IPv6 networks with established IPv4 networks is one area that we are watching.  As IPv6 is rapidly deployed at the edges of networks to address subscriber and content growth, these two IP technologies will have to be interconnected with specialized gateways; Carrier Grade NAT (CGN) devices are an example of systems that will add complexity in end-to-end visibility.

So going forward, successful service providers have their work cut out for them.  They need to make certain that things like real-time applications and streaming work well.  And they’re going to have to do a lot more engineering and planning in the IP realm than was required in previous instances of network convergence.
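The cross-link correlation Paul describes (a provider summing what every peering point sees for one customer prefix, rather than alarming per link) reduced to a toy detector over constructed flow records; this is an added example, not Arbor’s or the authors’ code, and the link names, prefixes, window and baseline are all constructed.

```python
"""Cross-link DoS early-warning check on constructed flow samples (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WINDOW_S = 10   # sampling window in seconds (constructed)
FACTOR = 5.0    # alert when the aggregate rate exceeds FACTOR x baseline

@dataclass(frozen=True)
class Flow:
    link: str     # monitoring point, e.g. a peering interface (constructed name)
    dst: str      # destination address
    nbytes: int   # bytes seen for this destination during the window

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 ranges.
SAMPLE_FLOWS = [
    Flow("peer-A", "203.0.113.10", 4_000_000),   # 3.2 Mbps on this link alone
    Flow("peer-B", "203.0.113.10", 4_000_000),   # 3.2 Mbps on this link alone
    Flow("peer-A", "203.0.113.20", 500_000),
    Flow("peer-B", "203.0.113.20", 600_000),
    Flow("peer-A", "198.51.100.5", 90_000_000),  # outside the scoped prefix
]
BASELINE_BPS = {"203.0.113.10": 1_000_000, "203.0.113.20": 1_000_000}  # constructed

def per_link_bps(flows, dst, window_s=WINDOW_S):
    """Rate for one destination as each link sees it in isolation (bit/s)."""
    seen = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            seen[f.link] += f.nbytes
    return {link: b * 8 / window_s for link, b in seen.items()}

def aggregate_bps(flows, scope_cidr, window_s=WINDOW_S):
    """Per-destination rate summed over all links, limited to the scoped prefix:
    {dst: (bit/s, sorted links that carried the traffic)}."""
    scope = ip_network(scope_cidr)
    totals, links = defaultdict(int), defaultdict(set)
    for f in flows:
        if ip_address(f.dst) in scope:
            totals[f.dst] += f.nbytes
            links[f.dst].add(f.link)
    return {d: (b * 8 / window_s, sorted(links[d])) for d, b in totals.items()}

def detect(flows, scope_cidr, baseline=BASELINE_BPS, factor=FACTOR, window_s=WINDOW_S):
    """(dst, aggregate bit/s, links) for destinations above factor x baseline;
    a destination with no learned baseline is reported on any traffic."""
    return sorted((d, bps, lk)
                  for d, (bps, lk) in aggregate_bps(flows, scope_cidr, window_s).items()
                  if bps > factor * baseline.get(d, 0))
```

With the sample data, each link sees only 3.2 Mbps toward 203.0.113.10 (under the 5 Mbps alarm line), while the aggregate is 6.4 Mbps, so only the correlated view raises the alert.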

This article first appeared in Billing and OSS World.

Copyright 2011 Black Swan Telecom Journal

James Heath

James Heath is a senior consultant for Ericsson and a former analyst with Technology Research Institute (TRI).  He authored a 2010 multi-client study on Botnet defense, “Advanced Network Security for the Large Enterprise: Market Analysis Report and Guide to Cyber Security Solutions that Defend Against Botnets, Denial-of-Service and Data Theft Attacks.”  Previously, while at Dittberner Associates, he tracked the broadband access and Switch and Router markets in more than 65 countries and authored studies on broadband, IPTV, LTE, and Carrier Routers.

Paul Scanlon

Paul Scanlon is a solution architect for Arbor Networks, a company in the thick of DoS defense.

Most recently, Paul worked to develop and manage Arbor Networks’ Threat Management System (TMS) product line.

Arbor’s solutions detect and mitigate DoS attacks and are often part of a service provider’s network early warning system.
