Securing Quality of Experience for Residential and Business Customers
Broadband offers tremendous opportunities for service providers and their customers. As a shared medium, broadband is an incubator for new blended media applications, a foundation for commercial efficiency gains, and an opportunity for collaboration across the human network. But there are risks as well as rewards to participation in the broadband community. Users can become victims of computer viruses, botnets, worms, and other malware, and these victims can unknowingly become threats to others using the same broadband connections. These victimized customers need help. Just as they are willing to pay to keep their homes protected with safeguards for personal property, they also require, and are willing to pay for, security for their data and intellectual property: security that provides privacy and effectively deters intrusion attempts. Such security also protects the broadband community from the spread of malware and from disruption of service.
Some customers want to broadcast information over the network. Others want safeguards to prevent access to offensive content and protections from unsolicited e-mail messages. Customers want to know when a security breach has occurred and how to remedy it. Desktop software is not enough. Many users do not install it, and others do not understand how to properly use it. Call centers are not the answer; security-related incidents are too numerous and too expensive to address, and response time is inadequate. Bad publicity around security breaches can severely damage a service provider's reputation.
The answer is the network-based Cisco® Secure Broadband solution. Cisco Secure Broadband simultaneously protects the broadband community while also offering personalized, self-service features to meet the needs of individual users and aid service providers in delivering a very high quality of experience in broadband networks.
Cisco Secure Broadband
The Cisco Secure Broadband solution implements the Cisco IP Next-Generation Network (IP NGN) security architecture and uses Cisco security technologies to detect, isolate, and remedy intentional and accidental threats to broadband assets. The solution includes:
• Cisco ServiceFlex network design: a converged residential and commercial broadband network design developed to provide visibility and threat control to broadband community assets
• Cisco Personalized Security Services offer: extensions to ServiceFlex to reduce unsolicited e-mail messages, protect subscribers from viruses and worms, provide privacy protection against phishing, and enable personalized content categorization to monitor, control, or restrict access to network-based applications and content
• Cisco Hosted and Managed Business Security Services offer: extensions to the ServiceFlex design to efficiently and lucratively host and manage security services for businesses
Cisco ServiceFlex Network Design: A Secure IP NGN Infrastructure
Cisco ServiceFlex is a converged residential and commercial broadband network design that securely offers multimedia services. It provides total visibility and control of internal and external security threats to the broadband community by using security integrated into the architectural design of the Cisco IP NGN. The IP NGN security blueprint is built on three main areas of focus:
• Operational processes for compliance with regulatory requirements, establishment of service level agreements (SLAs), and structured as well as automated security processes
• Technologies, including platforms and tools to embed, enable, manage, and monitor security compliance, and integration of these technologies across the network
• Solutions that provide automated network-level protection from distributed-denial-of-service (DDoS) attacks and identity theft; managed and hosted security services for business; and personalized security services to customize content access restrictions, reduce unsolicited e-mail messages, defend users from viruses, and more
Cisco ServiceFlex also partitions and secures per-service flows across the converged network. This optimizes per-service resource allocation across the network and serves to further isolate any potential security breach from negatively affecting neighboring service flows. Cisco ServiceFlex provides direct visibility and control to guard against threats to the broadband community, including:
• Reconnaissance: the unauthorized discovery and mapping of systems and services with the intent to use the information to launch attacks
• DDoS attacks: disruptions of network services because of planned malicious attacks intended to overwhelm network resources to disrupt legitimate use of these resources
• Unauthorized access to network equipment with the goal of compromising the network or the service or of using the system as an agent for a DDoS attack
• Collateral damage: the aftereffects of an attack on the network, for example a DDoS attack that traverses the network and causes network equipment to experience CPU overload, drop good traffic, or crash
• Service abuse: attempts to exploit weaknesses in application protocols that have been inadequately implemented or do not adequately account for error conditions or anomalies
Cisco IP NGN Operational Process Model
The Cisco Operational Process Model (COPM) for Service Provider Security (Figure 1) addresses how a service provider can effectively deliver more services with better efficiencies and greater control.
Figure 1. Cisco Operational Process Model for Service Provider Security
The Cisco operational process model is a proactive threat-mitigation approach that goes beyond a single box or technology, anticipates the shortage of operational security expertise, and helps minimize threats that cannot be completely controlled while controlling those that can. By formalizing a process model and linking it with technologies within the Cisco ServiceFlex design, Cisco offers a comprehensive security solution that reduces operational expenses for securing a rapidly expanding network. It provides technologies that bring total visibility and control of security threats at every layer in the network while simultaneously providing individualized feature choices that can be offered as profitable new subscriber services. Some of the technologies that contribute to the Cisco Secure Broadband solution are shown in Table 1.
Table 1. Some Layer 3 Technologies Underlying Cisco Secure Broadband
Feature / Description and Benefits
Data Plane
NetFlow
• Macro-level, anomaly-based DDoS detection by counting flows rather than inspecting their contents; provides rapid confirmation and isolation of an attack
IP source tracker
• Quickly and efficiently pinpoints the interface an attack is coming from
Access control lists (ACLs)
• Protect edge routers from malicious traffic; explicitly permit only the legitimate traffic that may be sent to the edge router's own addresses
Unicast reverse path forwarding (uRPF)
• Mitigates problems caused by the introduction of malformed or spoofed IP source addresses into either the service provider or the customer network
Remotely triggered black holing (RTBH)
• Drops packets based on destination IP address (or on source address when combined with loose-mode uRPF); filtering is at line rate on most capable platforms. Hundreds of filter entries can be deployed to multiple routers even while the attack is in progress
QoS tools
• Protect against flooding attacks by applying QoS policies that limit bandwidth or drop offending traffic (identify, classify, and rate limit)
Control Plane
Receive ACLs
• Control the type of traffic that can be forwarded to the route processor
Control plane policing
• Provides QoS control for packets destined to the control plane of the routers; ensures adequate bandwidth for high-priority traffic such as routing protocols
Routing protection
• MD5 neighbor authentication protects the routing domain from spoofing attacks
• Redistribution protection safeguards the network from excessive or unexpected redistributed routes
• Protects CPU and memory resources of the IOS device against DoS attacks
Dual export syslog
• Syslog exported to two collectors for increased availability
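The data-plane rows of Table 1 describe a detection chain rather than a product: NetFlow counts flows to spot a target under attack, IP source tracker locates the ingress interface, and uRPF discards spoofed sources at the edge. The following is an added example that works that chain through in Python; it is not Cisco code and not part of the original page. The forwarding table, the baseline, the interface names and every flow record are constructed for the example, and the uRPF check is a simplified model of strict mode (the default route is treated as a valid reverse path, which Cisco IOS only does with "allow-default").

```python
"""Added example (not Cisco code): the data-plane detection chain of Table 1,
namely NetFlow-style flow counting to spot a DDoS target, an IP-source-tracker
style view of which ingress interface carries the attack, and a strict uRPF
check that would have dropped the spoofed sources. All addresses, interfaces,
baselines and flow records below are constructed for the example."""

import ipaddress
from collections import Counter

# Assumed forwarding table of an edge router: prefix -> interface that reaches it.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",   # residential customer block
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # business customer block
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",        # upstream (default route)
}

# Assumed per-interval baseline learned from normal traffic: flows per destination.
BASELINE = {"198.51.100.20": 40, "203.0.113.10": 20}


def reverse_path_interface(src):
    """Longest-prefix lookup: the interface the router would use to reach src."""
    src = ipaddress.ip_address(src)
    best = None
    for net, ifname in FIB.items():
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def urpf_strict_pass(src, ingress):
    """Strict uRPF: accept a packet only if the reverse path to its source is the
    interface it arrived on. The default route counts as a valid path here;
    Cisco IOS would require 'allow-default' for that."""
    return reverse_path_interface(src) == ingress


def detect_victims(flows, baseline, factor=10, floor=50):
    """NetFlow macro-level anomaly check: count flows per destination (not bytes,
    not payload) and flag destinations above factor * baseline, with a floor so
    quiet hosts are not flagged by a handful of flows."""
    counts = Counter(f["dst"] for f in flows)
    return {dst: n for dst, n in counts.items()
            if n > max(floor, factor * baseline.get(dst, 0))}


def attack_interfaces(flows, victim):
    """IP source tracker style view: ingress interfaces carrying traffic to the
    victim, busiest first, so the attack can be traced to an entry point."""
    return Counter(f["ingress"] for f in flows if f["dst"] == victim).most_common()


def spoofed_flows(flows):
    """Flows whose source fails strict uRPF on its ingress interface, i.e. the
    traffic an edge router with 'ip verify unicast source reachable-via rx'
    would drop before it ever reached the victim."""
    return [f for f in flows if not urpf_strict_pass(f["src"], f["ingress"])]


def build_flows():
    """Constructed flow records: normal Internet traffic to a business web
    server, a little legitimate residential traffic, and a spoofed-source flood
    from a compromised residential host."""
    flows = []
    for i in range(30):   # normal Internet clients arriving from upstream
        flows.append({"src": f"192.0.2.{i + 1}", "dst": "198.51.100.20", "ingress": "Gi0/0"})
    for i in range(20):   # normal Internet traffic to a residential host
        flows.append({"src": f"192.0.2.{i + 100}", "dst": "203.0.113.10", "ingress": "Gi0/0"})
    for i in range(10):   # legitimate residential clients of the business server
        flows.append({"src": f"203.0.113.{i + 20}", "dst": "198.51.100.20", "ingress": "Gi0/1"})
    for i in range(400):  # flood with spoofed RFC 1918 sources from the residential port
        flows.append({"src": f"10.{i // 250}.{i % 250 + 1}.9", "dst": "198.51.100.20", "ingress": "Gi0/1"})
    return flows


if __name__ == "__main__":
    flows = build_flows()
    victims = detect_victims(flows, BASELINE)
    print("victims:", victims)
    for dst in victims:
        print("ingress interfaces for", dst, attack_interfaces(flows, dst))
    print("flows strict uRPF would have dropped:", len(spoofed_flows(flows)))
```

Run stand-alone, the script flags 198.51.100.20 (440 flows against a baseline of 40), attributes 410 of them to Gi0/1, and shows that strict uRPF on that residential interface would have dropped all 400 spoofed flows while passing the 10 legitimate residential ones. The flow count is the whole signal: no payload is inspected, which is what makes this approach cheap enough to run at the edge and fast enough to trigger an RTBH route for the victim while the attack is still in progress.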
By uniting defenses against all threats to the broadband infrastructure and providing reliable, total visibility into those threats, Cisco Secure Broadband can protect the shared assets and service experience of dynamic and evolving broadband communities. Cisco Secure Broadband protects without removing freedom of choice, because residential and business subscribers are able to personalize their security services to meet their individual needs.
Personalized Security Services
Service providers can use the Cisco Secure Broadband solution to offer lucrative network-based security services for individual subscribers or for a community, with services that can be personalized to meet the individual's choice. Cisco Personalized Security Services include:
• Self-service security management: If a residence is infected with malware that threatens broadband community services, the offending subscriber connection is isolated, and the user is redirected to a self-service station to prevent the malware from spreading. At the Web-based self-service station the user is guided through potential remedies to the security threat.
• Personalized content categorization and access restriction: Adults can classify and customize restrictions to Internet content and impose time limits to protect children from offensive content. Governments or social networks can protect members from content sources deemed offensive.
• Reduction and source control for unsolicited e-mail messages: Cisco network intelligence can detect and block unsolicited e-mail messages addressed to an individual. Providers can offer individual subscription to this service for an additional fee. Network intelligence can detect and redirect unregistered sources of unsolicited e-mail messages. Providers can enforce unsolicited e-mail message site registration to simplify opt-in or opt-out service contracts.
• Personal network protection: Network intelligence can detect and block known malware and block privacy probes against home assets that arrive through the network.
• Propagation protection against viruses, spyware, phishing, and other forms of malware: Network intelligence can detect and block known malware and prevent virus or worm propagation through the network.
Managed and Hosted Business Security Services
Service providers can use a Cisco Secure Broadband solution to offer lucrative managed secure broadband services. For businesses, managed security services can range from services as basic as providing a firewall solution for a small company to comprehensive security lifecycle management for global enterprises. Solutions with multiple security capabilities can be customized to meet the needs of businesses, drawing from a variety of security features, including:
• Endpoint protection and 24-hour network monitoring
• Virus and worm scanning and intrusion detection
• Firewall management and managed VPNs
• URL blocking and Web site security assessments
Summary
To meet subscriber expectations for heightened security in the home, in the office, and on the go, service providers must add effective protections to their networks. With shared multimedia applications and peer-to-peer connections, broadband networks cannot be secured with desktop software alone. Products and technologies in the Cisco Secure Broadband solution allow service providers to add heightened protections that satisfy customers while also adding new revenue. Cisco Secure Broadband can also lower operational costs by reducing the volume of help desk cases and the bandwidth costs of outbound unsolicited e-mail messages and DDoS attacks, while preventing lost revenue and SLA penalties caused by network downtime. A secure network experience gives subscribers a greater sense of control and confidence that leads to a better, longer-lasting relationship with their providers.