Voice of Security: Tight Makes Right

3/31/2006 7:00 PM Eastern

Listen closely in your average cable-system network operations center. The hum is not just that of packets carrying Web pages or video streams. It's now the chatter of Internet protocol voice traffic.

Adding voice traffic is inevitable when you're trying to turn a data network into a single delivery system for all kinds of content and services, one that in the future might add streams delivering TV channels as well.

But with conversations now flowing between cable systems' data networks and the Internet, voice traffic also could open the door to new security threats from computer hackers.

For instance, hackers could target a cable operator's softswitches, software-based routers that perform the function of telephone circuit switches by guiding packets of data to their next destination.

Left unprotected, these softswitches are “an excellent target for DDOS [distributed denial-of-service] attacks,” said Dan Hession, senior director of marketing for Cisco Systems Inc.'s cable products. If hackers wanted to cripple an IP voice service, “you could basically target their switches, and attack it with a million little bots or fragmented packets, and finally the softswitch is going to say 'Whoa, I can't process any more.' And so you start to drop calls and your service goes down.”

As a result of threats like that, cable operators are beefing up their firewall and monitoring systems to fend off attacks before they occur.

Insight Communications Co. serves more than 439,200 cable modem customers and more than 80,000 voice customers in the Midwest, including a small number of customers on a new Internet protocol voice service in Anderson, Ind.

Insight has put in place advanced firewalls and network monitoring systems at its network operations center.

The purpose: to detect and fend off hacker intrusions, be they denial-of-service attacks aiming to overwhelm its softswitches, or even unauthorized users trying to piggyback on the voice service without paying.

A backup NOC is housed in a Toronto data center run by global network-management and services provider Accenture.

Traffic coming into the data center and by extension the operations center is handled through a dual firewall scheme. Tight security makes right security, said Andy MacDowell, Insight's vice president of information technology.

In the data center, there are three entry and three exit points for data traffic moving in and out. Each is guarded by two firewalls — one supplied by San Jose, Calif.-based Cisco Systems Inc. and the other by Microsoft Corp.'s Internet Security and Acceleration (ISA) server product. One filters packets for known problems such as Internet viruses and the other tracks the origins and destinations of packets.

Since Insight mixes up the order of the firewalls — alternating which firewall initially takes in the incoming traffic — and each firewall examines the data for different problems, it's much harder for hackers to pick off both, MacDowell said.

“They handle the intrusion differently,” he said. “So if you know one, you can send a denial-of-service [attack] to figure out how to get through one. But what works for one doesn't work for the other.”

For example, a hacker could aim a flood of bogus packets at the firewall charged with examining data for known viruses.

But the second firewall that examines where packets originate and where they are headed will pick up the massive packet influx from a small set of addresses and sound the alarm that an attack is under way.

From there, techs can send a command to the packet-filtering firewall to turn away all packets with that set of addresses.
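The detection and response steps described above, sketched as an added example (not Insight's or any vendor's firewall code): count packets per source toward one destination in short windows, raise an alarm when a few heavy sources dominate, and hand the resulting address list to the filtering stage. The flow-record format, addresses and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

SOFTSWITCH = "10.0.0.5"  # hypothetical softswitch address
FLOOD_SOURCES = ("198.51.100.7", "198.51.100.8", "198.51.100.9")  # constructed

def build_sample_flows():
    """Constructed flow records: (second, source_ip, dest_ip)."""
    flows = []
    # Baseline: 40 subscribers, one packet per second each, for 10 seconds.
    for t in range(10):
        for i in range(40):
            flows.append((t, f"192.0.2.{i + 1}", SOFTSWITCH))
    # Flood: three sources, 200 packets per second each, seconds 4 through 7.
    for t in range(4, 8):
        for src in FLOOD_SOURCES:
            flows.extend([(t, src, SOFTSWITCH)] * 200)
    return flows

def detect_flood(flows, window=2, per_source_limit=100, share_limit=0.5):
    """Alarm on windows where a few heavy sources dominate one destination.

    Returns (alarms, blocklist): alarms are (window_start, dest, packets),
    blocklist is the sorted set of sources over per_source_limit.
    """
    buckets = defaultdict(Counter)  # (window index, dest) -> packets per source
    for ts, src, dst in flows:
        buckets[(ts // window, dst)][src] += 1
    alarms, blocklist = [], set()
    for (win, dst), counts in sorted(buckets.items()):
        total = sum(counts.values())
        heavy = {s for s, n in counts.items() if n > per_source_limit}
        # Alarm only when the heavy sources carry most of the window's traffic.
        if heavy and sum(counts[s] for s in heavy) / total >= share_limit:
            alarms.append((win * window, dst, total))
            blocklist |= heavy
    return alarms, sorted(blocklist)

def apply_blocklist(flows, blocklist):
    """Model the packet-filtering firewall dropping the listed sources."""
    blocked = set(blocklist)
    return [f for f in flows if f[1] not in blocked]

if __name__ == "__main__":
    flows = build_sample_flows()
    alarms, blocklist = detect_flood(flows)
    print("alarms:", alarms)
    print("block:", blocklist)
    print("packets after filtering:", len(apply_blocklist(flows, blocklist)))
```

Running detection again on the filtered flows returns no alarms, which is the check a technician would want before considering the block effective.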

In addition, the software tools technicians need to diagnose and fix problems within the system are kept on a private network, shielded from the consumer data traffic.

Insight is one example of a cable operator that is using multiple firewalls to protect its key data centers and NOCs, according to Cisco's Hession. Now, even a single firewall, in some cases, gets subdivided into multiple virtual firewalls, with each handling a specific service, such as voice or data.

“Instead of buying 10 Cisco boxes that are firewalls, you can buy one blade and segment it into 10 different firewalls,” Hession said. “One, it is cost effective; and two, the management is better that way, because you can apply your policy in one central location.”

Having multiple firewalls from a single vendor does make sense if they are guarding services increasingly flowing over a single, unified IP pipe.

“As far as firewalling and security features, it's probably more critical because you've moved to an open-standards platform,” Hession said. “It's the school of hard NOCs — they have to figure that out.”

While security in the operations center and data center is growing, so too is the security attached to the data services themselves — particularly with voice-over-Internet protocol phones.

These are essentially computers, attached to the Internet, with earphones and microphones. The guts, though, can be attacked by a hacker, just like a desktop computer.

And just like in the computer world, in the future thousands of cable system phones that use Internet protocols to carry calls could face attack by a hacker trying to turn them into “zombies.” This, too, can plague a cable or phone network with a flood of data packets.

In the Internet world, a good example of this is a recent case in which a 20-year-old California man was convicted of staging a 14-month hacking spree. He allegedly seized control of thousands of Internet-connected computers and gave fellow hackers access to the resulting zombie network to mount attacks on computer networks. Among victims: the Naval Air Warfare Center and the Defense Information Systems Agency.

So technology providers like State College, Pa.-based C-COR Inc. and Cisco are now providing beefed-up security software in the equipment that sets up cable subscribers with voice services. These subscriber-provisioning systems require devices such as voice modems to provide an electronic identification before they can make a call.

An operator can install C-COR software in the network operations center, to give out digital certificates to the IP multimedia terminal adapters (MTAs), or specialized cable modems that connect the customer's phone to the broadband Internet pipe.

The system assigns the modem an electronic registration card authorizing it to access the operator's voice service. The code on that virtual card identifies the user as an authorized customer, and that key is also sent along in the voice data stream when a customer makes a call.

The system also sends the key information to a call-management server in the local headend, so that when calls come in from the user's terminal adapter, the server can check the key code it has on file for the customer against the key code attached to the call itself, before allowing the call to go through.

“The idea behind this certificate is the MTA will use this certificate to talk to the call management server in the network itself,” said Milan Karangutkar, until recently the director of product management and customer fulfillment at C-COR.

The call-management server “will look at the certificate and validate the certificate itself, and if the certificate is not valid it is going to deny the calling party the ability to make a call.”

Insight is among the cable operators that have adopted the digital certificate approach.

Digital certificates are “basically to make sure that MTA is part of your network, so somebody can't come in via another MTA and get onto your network and make a phone call,” MacDowell said. “Somebody can't splice off of their neighbor, run a coax across their back yard, pop it up and put another MTA and get onto the network.”

Such secure provisioning elements are particularly important in the world of Internet Protocol voice, since the system is now flowing in part on the same Internet data streams now rife with hackers.

“Operators do have to look into the security, and that will become essential because these operators have not been exposed to the hackers, which is something that may happen in the future,” Karangutkar said.

Call Roll
Competition in Voice Over Internet Protocol Services

* Average revenue per household is the same as “average revenue per unit”

Provider: Time Warner Cable
Number of markets: All 31 Time Warner divisions
VoIP customer count: 1.1 million as of 4Q
Average market penetration: 7% of homes passed
Stand-alone service price: $49.95 for voice only
Bundled discount: $44.95 with high-speed data; $39.95 with data and video
Revenue per household for all services combined*: $85

Provider: Vonage
Number of markets: 150
VoIP customer count: 1.5 million as of March 1
Stand-alone service price: $14.99 for 500 minutes; $24.99 for unlimited minutes
Bundled discount: N/A
Revenue per household for all services combined: N/A

Provider: Verizon Inc.
Number of markets: service to 75 area codes across 19 states plus the District of Columbia
VoIP customer count: N/A
Switched telephony customer count: 48.8 million
Stand-alone service price: $19.95 for a 500-minute plan; $34.95 for unlimited calling
Bundled discount: $29.95 for unlimited plan with Verizon broadband subscription
Revenue per household for all services combined: $51.50

Provider: BellSouth Corp.
Number of markets: Available across BellSouth's nine-state service area
VoIP customer count: Not available
Switched telephony customer count: 12.4 million
Stand-alone service price: $29.99
Bundled discount: None
Revenue per household for all services combined: N/A

Provider: Charter Communications
Number of markets: eight regional markets in St. Louis; Wisconsin; Massachusetts; South Carolina; Riverside, Calif.; eastern Tennessee; North Carolina; Southern California
VoIP customer count: 121,500
Switched telephony customer count: 30,000
Stand-alone service price: $39.99 for unlimited calling
Bundled discount: various packages. Most common offer is $99 for video, high-speed data and voice
Revenue per household for all services combined: $75.88

Provider: Cox Communications Inc.
Number of markets: 10, with plans to bring telephony to all markets by the end of the year
Customer count: 1.5 million for VoIP and switched telephony products. Cox does not break out separate figures for the two services
Stand-alone service price: Varies by market
Bundled discount: Varies by market
Revenue per household for all services combined: Not released

Provider: Comcast Corp.
Number of markets: 25 markets, with plans for 15 additional markets this year
VoIP customer count: 202,000
Switched telephony customer count: 1.1 million
Average market penetration: 6.2% for switched and VoIP service combined
Stand-alone service price: $54.95
Bundled discount: $39.95 with video and high-speed data; $44.95 with either video or high-speed data
Revenue per household for all services combined: not released

Provider: Cablevision
Number of markets: rolled out in all of Cablevision's New York City footprint
VoIP customer count: 731,341 as of December 2005
Switched telephony customer count: 7,810 as of December 2005
Average market penetration: 16.3%
Stand-alone service price: $34.95
Bundled discount: $29.95 for customers taking high-speed data or video
Revenue per household for all services combined: $100.46
