Cable-Modem Users Ponder Firewall Need

6/04/2000 8:00 PM Eastern

The hype has it that cable-modem users' PCs are like sitting ducks, waiting to get shot down by hackers who prey on shared resources. Even digital-subscriber-line and dial-up users aren't immune.

Puncturing that hype, MSOs and Internet-service providers said their customers' PCs-and data-are safe.

The reality, as with most thorny issues, probably lies somewhere in between the warnings and dismissals, which means it's probably better to be safe than sorry.

Although cable-modem systems are getting more secure-especially with the introduction of Data Over Cable Service Interface Specification-compatible products-hackers are getting more brazen, using tools and technologies that weren't available even a year ago.

Their motives have also become more sinister. In the past, hacking was almost a sport and its trophy simple bragging rights. Today, some hackers reflect a new breed of Web bandits who look for personal information like credit-card and social-security numbers to assume their victims' identities and use their credit and resources.

Others want access to users' hard drive to set up rogue FTP (File Transfer Protocol) sites.

Cable-modem environments, which are more likely to use fixed Internet-protocol addresses, are frequent targets for hackers, said Rob Graham, chief technology officer for Network ICE Corp., a home firewall provider.

A fixed IP address provides a better target for hackers than floating IP addresses that dial-up ISPs assign to users. "The average home cable-modem user is scanned [by hackers] about 20 times per day," Graham added.


To combat the problems-both real and imaginary-a new category of home-firewall products has emerged.

Firewall is a generic term for hardware and software products designed to prevent unauthorized access to or from a private network.

There are several types of firewall techniques that range from packet filters, which block specific types of packets, to application gateways that monitor traffic to and from specific applications. In addition, proxy servers, which are designed to hide users' IP addresses, can also be used as firewalls.

Today, many MSOs are evaluating the long-term value of adding such products to their service offerings-a much-needed move, according to one analyst.

"Home firewalls are going to be huge. It's going to be a standard product, whether it's a stand-alone hardware or software addition or built into headends or modems via DOCSIS 1.1," said Patti Reali, a cable analyst with Dataquest.

She pointed out a little-known fact that is also a reason why some cable operators are taking a wait-and-see attitude: Cable Television Laboratories Inc.'s DOCSIS 1.1 will solve many existing cable-modem-security problems.

DOCSIS 1.1 protects users by encrypting packets, said Nancy Davoust, technical lead of CableLabs' PacketCable security-architecture group. The encryption process has the best chance of thwarting intruders.

Packets are encrypted by the headend, and the cable modem is designed to reject any packets that aren't encrypted. A clever hacker could spoof the encryption, but chances are that it would be next to impossible to do.

DOCSIS 1.0 also includes encryption, but even that standard has been slow to roll out. At the end of 1999, only 25 percent of installed headends were DOCSIS-compatible, Reali said, adding, "That still leaves a huge base that's proprietary."


DOCSIS 1.1 also adds a new security feature: authentication. The authentication portion of the DOCSIS 1.1 modem is designed to keep cable-modem users from hacking their neighbors, Davoust said.

"With authentication, we know who's on the network," she added. "A cable modem is tied to a customer's billing information. People can't send things anonymously anymore."

If a customer is hacked, an MSO can track down the culprit as long as they are also a DOCSIS 1.1 cable-modem user.

Unfortunately, the rollout of DOCSIS 1.1 equipment is still several months, if not one year, off. The certification process is expected to start this summer, but CableLabs senior vice president of communications Mike Schwartz warned that it is unusual for a vendor to pass certification on its first try.

DOCSIS 1.1 products should ship this year, but even then, mass-market rollouts won't happen until 2001. In the meantime, there are still customers to protect.

Cognizant of this, Excite@Home Corp. was one of the first cable-broadband providers to add home-firewall access.

The company inked a deal in January with online application-service provider Corp. that gives its more than 1.5 million users access to the ASP's new firewall product, "McAfee Personal Firewall."

Although Excite@Home vice president of network engineering Jay Rolls said he doesn't think the majority of the company's customers need a home-firewall product, there are enough users who download unsupported software and run alternate operating systems to make it worth it to offer a program like's.

"We don't want to falsely raise red flags, particularly since most of these products are so [user] unfriendly. But in the worst-case scenario, there are going to be users who fire up Linux with all of its stock configurations and security holes open. These people are the ones that will get hacked," Rolls said.

"When you have 1.5 million users, that's a lot of possible scenarios," he added.

Rolls said most customers are protected by the initial cable-modem installations, which turn off computers' file-sharing capabilities. In addition, customers are required to sign acceptable-use contracts, agreeing not to turn file sharing back on.

But Graham said this action isn't enough because a PC has 64,000 ports of access. Turning off one port-port 139-isn't going to stop a determined hacker, he added.

"In a perfect world, this works, but roughly one-half of the users install lots of doodads and download and run new applications. This opens up holes," he said. "Customers might not even realize they have file sharing on or ports that are open to intruders."


While experts agreed that home firewalls are a good idea, the addition of home-firewall technology can be an expensive proposition, especially when there are hundreds of thousands of users to equip.

MSOs are reluctant to take on the added costs of equipment or truck rolls that are necessary for installation.

One vendor has released a hardware product designed for user installation to help MSOs avoid support and installation costs.

NDC Communications Inc.'s SOHOware's "Broadband Internet Gateway" sits between the cable modem and the line into the home, and it is connected via the RJ45 network port, vice president of business development Andy Chang said. The product hides the user's IP address, keeping it away from hackers, he added.

SOHOware is currently working to get its product offered as an $189.99 add-on to cable-modem installations. "We're trying to get customers to pay for this themselves by explaining why it's important," Chang said.

The price of Excite@Home's offering is also shouldered by the end-user.'s service is available to users for $39.99 per year, although a specific price for Excite@Home users has not been finalized.

Predictably, hardware and software manufacturers would like MSOs to pick up the cost of home-firewall products. Some have even suggested adding different-priced tiers of service, depending on the security needs of the end-user.

One analyst doubted MSOs would be willing to advertise different levels of service that emphasize a lack of security.

"There will be different levels of service, but they will be based on speed. No MSO is going to feel comfortable marketing a service that labels itself as less than 100 percent secure," said Cynthia Brumfield, principle analyst with Broadband Intelligence Inc.

"I spoke to [Excite@Home chairman, president and CEO] George Bell about tiered service, and security tiers were not on his list," she added.

So what's an MSO to do? Keep partnering with technology manufacturers, Brumfield said, and educate the consumer.

"Consumers are scared today because of all of the telephone-company marketing messages that say it's easy to breach security on a cable modem," she said. "The best thing for MSOs to do is to continue beefing up security and to partner with software manufacturers to help dispel the myths."