
Secure Broadband

Scale and Personalize Broadband Security Services

Threats to network security are growing and varied. Service providers must provide effective security to protect against viruses, worms, botnet attacks, distributed-denial-of-service (DDoS) attacks, SPAM, and phishing. Cisco® network-based security solutions provide far more protection than PC software, which is often inconsistently deployed and updated by consumers. Network-based security protects every subscriber, using intelligence about each subscriber's access privileges and each traffic flow. Additionally, self-service features can alert subscribers to malware and enable them to disinfect their own computers. These and other self-service security features are collectively known as Cisco Personalized Security Services. They allow subscribers to protect their own data and their families' assets, and to help safeguard entire broadband communities.
This paper describes the intelligent security products and self-defending network features that comprise Cisco Personalized Security Services, including the Cisco Service Control Engine (SCE) and Cisco Intelligent Services Gateway (ISG). Various Cisco Personalized Security Services applications are described.

Overview

Subscribers are relying more and more on service providers to protect them from malware, SPAM, and network exploits. While network-based and PC security software provide a degree of protection, the insecure PCs of millions of unaware users can be remotely controlled to spew out SPAM and launch DDoS attacks. And other threats, such as phishing and identity theft, are on the rise.
Cisco provides the infrastructure, technologies, and products that let the service provider and the subscriber take an active role in securing both collective and individual assets. Service providers can deploy personalized, self-service security features as new sources of revenue today. These features make it easier for subscribers to resolve threats themselves and self-configure security settings. And giving subscribers more control over their own security can reduce call center workloads and costs.
The technologies behind the Cisco Personalized Security Services have the unique ability to inspect and control per-subscriber application characteristics to provide extended inspection and per-service application control. These capabilities protect broadband community assets against DDoS attacks, viruses, botnet propagation, and more, while also giving service providers the option to offer reliable network-based, self-service, personalized services.
These services include the ability to configure security settings using a self-service station; content classification and access restriction features, including parental controls; SPAM reduction and SPAM source control; and self-service personal network-based protection from DDoS attacks, worms, viruses, scan/sweep attacks, and more.

Challenge

Rising levels of SPAM, malware, and cybercrime afflict millions of users worldwide. A 2006 study by Consumer Reports found that phishing attacks resulted in $630 million in theft within the United States in 2005 and that the total cost of viruses, spyware, and phishing exceeded $8 billion in the United States alone in that year. From January 2005 to March 2006, a free PC scanning tool from Microsoft, run by 270 million consumers and small business owners, found malicious code on 5.7 million computers, including 3.5 million "backdoor Trojans," which functioned as bots communicating over a private messaging channel to a controller. About 20 percent of the PCs checked in March had been cleaned once before and then re-infected, most often with a different kind of bot.
Trend Micro estimates that 100 million computers worldwide are working as bots and that 15 million of them are active at different hours of the day. In November of 2006, Reuters reported that "Criminal gangs using hijacked computers are behind a surge in unwanted e-mails peddling sex, drugs, and stock tips in Britain." And e-mail security firm Postini has estimated that the volume of SPAM tripled between November and June of 2006 and now accounts for nine out of every 10 e-mails sent worldwide.
Customers want protection from malware and are willing to pay for it. A study in 2004 by Jupiter Research found that 47 percent of surveyed broadband consumers would be willing to pay for a value-added service (VAS) bundle that would include security services. That number increased to 58 percent a year later in a similar study by Ipsos-Mori that also showed:

• 54 percent of customers would be willing to pay $3 or more per month on top of their Internet access costs for clean Internet service

• 66 percent of customers would switch service providers if an alternative provider offered superior protection

Service providers are looking for ways to differentiate themselves and their services from competitors in a highly competitive and changing market. At the same time, service providers must protect their individual customers and their broadband communities while network traffic volumes are doubling and content is accessed over both secure and insecure networks. Effective protection can provide competitive differentiation that reduces customer turnover, enhances customer satisfaction, leads to cross-selling of other network services, and turns happy customers into word-of-mouth promoters of service provider offerings.

Solution

Cisco Personalized Security Services are network-based solutions, implemented entirely in the service provider's network infrastructure. These services protect the broadband community as a whole while also offering personalized protection to each subscriber. They do not require client-side agents (such as security software loaded onto, or managing, residential devices). The services use the security and management capabilities of the Cisco IP Next-Generation Network (IP NGN) Carrier Ethernet network design, the Cisco IP NGN Service Exchange Framework (the service creation and management layer of the Cisco IP NGN), and Cisco products and partner products for specific malware protection.
Collectively, Cisco broadband security is known as the Cisco Secure Broadband Solution (Figure 1). This comprehensive approach to network-based security is unique in being able to preserve the benefits and the highest quality of experience of broadband services while offering a choice of personalized security services to all members of the broadband community. Cisco Secure Broadband implements the Cisco IP NGN security architecture and uses Cisco security technologies to detect, isolate, and remedy both intentional and accidental threats to broadband assets.

Figure 1. Cisco Secure Broadband Solution Components

The Cisco Secure Broadband Solution includes:

Cisco Hosted and Managed Business Security Services: Cisco customer premises equipment (CPE) and extensions to the Cisco IP NGN Carrier Ethernet network design let providers efficiently and profitably host and manage security services for businesses.

Cisco Personalized Security Services: These services reduce SPAM, protect subscribers from viruses and worms, provide privacy protection against phishing, and provide personalized content categorization so subscriber systems can monitor, control, or restrict access to network-based applications and content.

Cisco IP NGN Carrier Ethernet Network Design: This converged residential and commercial broadband network design provides visibility and threat control to broadband community assets.

Products and Technologies Enabling Cisco Personalized Security Services

Cisco Personalized Security Services use technologies deployed within the Service Exchange Framework (Figure 2), the service creation and management layer of the Cisco IP NGN. Intelligent Cisco security products and self-defending network features maximize security without requiring additional CPE.

Figure 2. Cisco Service Exchange Framework

The products that enable secure broadband solutions, including Personalized Security Services, include intelligent access routers and switches, network and aggregation-layer routers, broadband remote access servers, Multiprotocol Label Switching (MPLS) switches, core switches for converged IP networks, security features such as firewall feature sets, and policy control devices.
Two Cisco products deployed within the Service Exchange Framework provide new and unique levels of awareness and protection:

The Cisco Service Control Engine (SCE) detects and controls specific real-time application content per subscriber. It classifies application content and behavior and extends the security analysis by directing traffic to value-added services (VAS) server systems for detailed virus identification. This capability greatly enhances the security offered to each individual subscriber.

The Cisco Intelligent Services Gateway (ISG), available in intelligent edge routers, automatically detects when users are accessing the network and determines both the type of service each user wishes to access and the type of device that is being used. The Cisco ISG has the intelligence to manage access to various types of services - both IP Multimedia Subsystem (IMS) and other non-Session Initiation Protocol (SIP)-based services - by many different types of devices.

These Cisco products and technologies can be combined with third-party security solutions to provide a depth and breadth of protection not available before as self-service, network-based features. And these Personalized Security Services are designed to continually evolve as new threats and tactics arise.

Cisco Personalized Security Services Applications

Service providers can deploy these products and technologies to offer lucrative Personalized Security Services, including those described below. These personalized services give individual users unprecedented control over their own network security while also helping to protect the entire broadband community. This level of security saves time and expense for both subscribers and providers.

Security self-service station: If a computer appears to be infected with malware that is being pushed out into the broadband community, the offending outbound traffic is redirected to a self-service station to prevent the malware from spreading (Figure 3). At the self-service site, the subscriber is guided through potential remedies. This service applies to all subscribers to protect the broadband community.

Figure 3. Security Self-Service Station

How it works: A Cisco SCE located close to the subscriber can analyze all user traffic using heuristic and behavioral analysis to recognize security threats. The Cisco SCE processes traffic directly and, if necessary, uses additional screening supplied by VAS systems. After identifying an infected user device, the Cisco SCE can block the suspect traffic or notify the end user by redirecting HTTP traffic to the Self-Service Web Portal site. After remediation has been completed, the subscriber's original subscription package is restored. Two methods enforce remediation: "Safe Harbor" directs the user to a self-service station at sign-on to check for required preconditions (for example, supported equipment, operating system, configuration) and remediate any issues before the network session begins; "Quarantine" responds to violations during an active session and dynamically restricts the offending use until a remedy is selected from the self-service station.

Content classification and access restriction: Adults can classify and customize restrictions on Internet content and impose time limits to protect children from what they consider offensive or otherwise undesirable content. Parents can access a Web portal and set controls to govern their children's use of the Internet (Figure 4). These controls can enforce time limits (for example, allowing only two hours of access on Monday, Wednesday, and Friday) or they can ensure that certain Web sites and video content are not accessible at all to minors using the home computer. Governments, organizations, or social networks can protect members from content sources deemed harmful or undesirable as well. Providers can offer individual subscriptions to this service for an additional fee.

Figure 4. Self-Service Content Classification and Access Restriction

How it works: The carrier-grade design of the Cisco SCE allows real-time classification of HTTP requests against a list of URLs without any noticeable delay in network performance. The Cisco SCE can store a list of up to 100,000 URLs. After the parent or other subscriber enters preferences for the sub-accounts of other users, the Cisco SCE intercepts the packets coming from the home computer and implements native URL access control, using an internal URL cache updated from public URL repositories to comply with the filtering preferences. The Cisco SCE can also integrate with third-party parental control systems by querying them for the classification of URLs and applying the appropriate per-subscriber policy.
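The per-subscriber URL access control just described, as an added illustration (not Cisco code): the requested host is classified against a local URL cache, then the sub-account's blocked categories and weekday time allowance decide the outcome. The category names, cache entries, `SubAccountPolicy` fields and the two-hours-on-Monday/Wednesday/Friday policy are constructed for the example.

```python
"""Per-subscriber URL classification and access control (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit

# Constructed local URL classification cache keyed by host name. The paper's
# cache is fed from public URL repositories; here it is a literal dict.
URL_CACHE = {
    "video.example": "video",
    "homework.example": "education",
    "casino.example": "gambling",
}


@dataclass
class SubAccountPolicy:
    """Preferences a parent sets for one sub-account (constructed structure)."""
    blocked_categories: set = field(default_factory=set)
    # weekday (Mon=0) -> daily allowance in minutes; a day that is absent
    # means no access at all on that day
    schedule: dict = field(default_factory=dict)
    used_minutes: dict = field(default_factory=dict)  # weekday -> minutes used


def classify(url: str, cache: dict = URL_CACHE) -> str:
    """Look up the host and its parent domains in the cache."""
    host = urlsplit(url).hostname or ""
    parts = host.split(".")
    for i in range(len(parts)):
        category = cache.get(".".join(parts[i:]))
        if category:
            return category
    return "unclassified"


def decide(url: str, policy: SubAccountPolicy, now: datetime) -> str:
    """Return 'allow', 'block-schedule' or 'block-category' for one request."""
    day = now.weekday()
    allowance = policy.schedule.get(day)
    # Time limits are checked first: outside the allowed days, or once the
    # daily allowance is used up, nothing is reachable regardless of category.
    if allowance is None or policy.used_minutes.get(day, 0) >= allowance:
        return "block-schedule"
    if classify(url) in policy.blocked_categories:
        return "block-category"
    return "allow"


# Constructed policy: two hours on Monday, Wednesday and Friday; video and
# gambling content blocked at all times.
CHILD = SubAccountPolicy(
    blocked_categories={"video", "gambling"},
    schedule={0: 120, 2: 120, 4: 120},
)
```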

SPAM reduction and source control: Cisco network intelligence can detect and block SPAM on its way to individual subscribers. Providers can offer individual subscriptions to this service for an additional fee. Cisco network intelligence can also detect and redirect unregistered sources of SPAM. Providers can enforce SPAM site registration to simplify opt-in or opt-out service contracts.

How it works: This network-based solution uses the Cisco SCE to forward Simple Mail Transfer Protocol (SMTP) mail traffic for inspection by a VAS server (Figure 5). The Cisco SCE can recognize end-user devices that have been turned into SPAM zombies and are unknowingly being used to send SPAM messages. It counts outbound, off-net SMTP sessions against a predefined threshold and can alert the service provider to statistically significant amounts of e-mail generated from any source entering the network. The Cisco SCE can block the suspect traffic or notify the end user after a violation is detected.

Figure 5. SPAM Reduction Feature to Reduce Inbound SPAM Headend to Subscribers

The Cisco SCE can also be used as a pre-filter that redirects SMTP or HTTP e-mail traffic to a more advanced SPAM detection device only when needed, offloading that device and allowing it to scale. Providers can deploy this solution as an operational service for all subscribers to assure fair use and proper registration of SPAM producers within the network. The Cisco SCE can detect and redirect unregistered sources of SPAM to the security self-service station, where remediation instructions (such as how to register as an online e-mail distributor, or other usage policy reminders or restrictions) can be made available.
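The SPAM-zombie detection in the two paragraphs above, as an added illustration (not Cisco code): outbound SMTP sessions to off-net destinations are counted per subscriber within a sliding window, a subscriber over the threshold is redirected to the self-service station unless registered as an e-mail distributor, and on-net sessions (the provider's own relays) are never counted. The on-net prefixes, threshold, window, registered-sender list and the replayed flow records are constructed for the example.

```python
"""Per-subscriber outbound off-net SMTP session counting (constructed example)."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed provider address space: sessions to these prefixes are on-net
# (for example the provider's own mail relays) and are not counted.
ON_NET = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
# Constructed allow-list of subscribers registered as e-mail distributors.
REGISTERED_SENDERS = {"sub-0042"}
THRESHOLD = 5         # off-net SMTP sessions per window (constructed value)
WINDOW_SECONDS = 600  # sliding window length (constructed value)


def is_off_net(dst_ip: str) -> bool:
    addr = ip_address(dst_ip)
    return not any(addr in net for net in ON_NET)


class SmtpZombieDetector:
    """Keeps the timestamps of recent off-net SMTP sessions per subscriber."""

    def __init__(self, threshold: int = THRESHOLD, window: int = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._sessions = defaultdict(deque)  # subscriber -> session timestamps

    def observe(self, subscriber: str, dst_ip: str, dst_port: int, ts: float) -> str:
        """Record one new session and return the action for that subscriber:
        'allow' (not off-net SMTP, or within threshold), 'registered' (over
        threshold but a registered distributor) or 'redirect' (send to the
        self-service station)."""
        if dst_port != 25 or not is_off_net(dst_ip):
            return "allow"
        recent = self._sessions[subscriber]
        recent.append(ts)
        while ts - recent[0] > self.window:  # drop sessions outside the window
            recent.popleft()
        if len(recent) <= self.threshold:
            return "allow"
        return "registered" if subscriber in REGISTERED_SENDERS else "redirect"


def run_sample() -> dict:
    """Replay constructed flow records; return the last action per subscriber."""
    flows = (
        [("sub-0007", "10.1.1.25", 25, t) for t in range(0, 60, 10)]          # on-net relay
        + [("sub-0007", "203.0.113.%d" % i, 25, 100 + i) for i in range(6)]  # 6 off-net
        + [("sub-0042", "198.51.100.%d" % i, 25, 100 + i) for i in range(6)]  # registered
        + [("sub-0099", "198.51.100.9", 443, 100)]                            # HTTPS, ignored
    )
    detector = SmtpZombieDetector()
    actions = {}
    for subscriber, ip, port, ts in flows:
        actions[subscriber] = detector.observe(subscriber, ip, port, ts)
    return actions
```

A real deployment would drive the `redirect` action into the HTTP redirection to the self-service portal described earlier and raise the provider alert at the same point.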

Personal network protection: Cisco network intelligence in combination with third-party security systems can detect and block known malware and prevent privacy probing and virus or worm attacks on subscriber computers. Service providers can offer a fee-based, self-selection service or offer the service at no additional charge as part of their residential broadband service.

How it works: This is a network-based solution that uses the Cisco SCE in conjunction with other specialized elements to perform heuristic and behavioral analysis to recognize DDoS attacks, worms, scan/sweep attacks, and more. The Cisco SCE can log alerts for the subscriber and the provider's operational support system (OSS). Then the Cisco SCE can drop malicious traffic before it reaches subscriber assets. Its capability to redirect traffic flows per subscriber service means that the Cisco SCE can scale to provide network-based virus, worm, and other malware protection (Figure 6). The Cisco SCE directs traffic for subscribers who have paid for the service to a partner VAS server, which can analyze e-mail file attachments, malicious code embedded in HTTP Web pages, or infected files from FTP communications in real time. If the VAS server identifies a virus or other form of malware, the file download is halted before the virus or malware is delivered to the personal network.

Figure 6. Personal Network Protection

By offering Personalized Security Services, service providers can:

• Achieve differentiation with new value-added services

• Create a new revenue stream while reducing calls to the help desk

• More accurately and actively identify threats by monitoring network traffic

• Better identify new threats as they emerge, based on statistical analysis of traffic patterns

• Protect all devices connected through the broadband service

• Block security threats and reduce bandwidth consumption from unwanted traffic

• Reduce the risk of electronic fraud by blocking spyware, phishing, and pharming

Personalized Security Services give customers the following benefits:

• Identify and stop threats in the network rather than at the user's computer

• Anti-X service starts the instant the user subscribes to the broadband service

• Get instant security updates for immediate protection based on a database of threats maintained centrally in the network

• No need to update desktop software

• No additional software needed on the end-user computer

• No additional local equipment required

Conclusion

Service providers can reduce call center overhead and provide enhanced security to broadband networks with Personalized Security Services from Cisco. An array of self-service and centralized security features put access to content and the ability to configure security into the hands of individual subscribers. These security services can be used to protect individual users, families, and entire broadband communities. Utilizing the embedded security intelligence at all layers of the Cisco IP NGN and tools such as the Cisco SCE and Cisco ISG, Personalized Security Services are a compelling offering that can enhance customer loyalty and generate significant new revenue.

For More Information

Cisco SCE 2000 Series Service Control Engine:
http://www.cisco.com/en/US/products/ps6151/index.html