Come on in, the door is open: Carriers fit security into high-speed networks

Meeting customer needs is critical to a service provider's success. And as customers demand more high-speed bandwidth, carriers and service providers are moving at a breakneck pace to roll out services such as high-speed cable access and DSL faster than the competition. Meanwhile, eager customers are waiting for the words "available in your area."

But security issues remain, although they seem to get lost in the hustle to be first to market.

"`Always on' does mean `always vulnerable,'" said Brent Chapman, director of technical marketing for Covad Communications. But the danger that unwanted eyes can view data traveling over shared networks always has been present. With dial-up access, unsuspecting users only tap into a network sporadically, therefore providing a certain degree of protection. But the constant connection involved with cable and DSL access gives hackers an open window for entry into a victim's computer system. Although DSL appears to have fewer security risks than cable access, problems exist with any shared connection, Chapman said.

As more rollouts continue, what are service providers doing to protect customers? Enterprise customers use firewalls, IP security or virtual private networks (VPNs) for network protection. But those options can be expensive and may entail resources that small and medium-sized business don't have.

To lessen security costs for customers, vendors such as CoSine Communications, Nortel Networks, Spring Tide Networks and Unisphere are making equipment to provide security from inside the carrier network rather than at the customer premises, said Andrew Cray, research analyst with the Aberdeen Group. Although some providers find the idea of adding security to their service suites attractive, others are not ready to incur the expense (see sidebar on page 70).

"It all depends on the level of concern," said David Ginsburg, director of field marketing and consulting engineering for Nortel. "Many [service providers] see it not only as a concern but as a way to differentiate their services." Nortel's Shasta 5000 broadband service node, which sits on the subscriber edge of the network, aggregates and secures each line with network-based firewalls as they meet the Internet backbone and where broadband subscribers meet broadband services. The service node protects cable and dial-up connections and the DSL connections, Ginsburg said. "For some telecommuters and small businesses, their livelihood relies on computer systems or e-commerce, and without added protection they lock the front door and leave the back door open."

Spring Tide is nearing the release of its IP Service Switch (see figure). Like the Shasta device, it is targeted at carriers and competitive local exchange carriers with residential and business customers lacking the resources to have their own standalone security solutions. The Spring Tide device occupies the service layer in the public IP network and enables VPNs and value-added services, said Bob Sullebarger, director of marketing for Spring Tide. The switch adds service intelligence to the IP network by dynamically applying the necessary mixture of security, performance and address management, which then can be marketed as value-added services, he said.

"There is a viable market today, and every time [service providers] add more lines, the addressable market expands," Sullebarger said.

"People are beginning to realize that security by obscurity isn't enough," said Andy Paul, vice president and product manager for Concentric Network. In response, Concentric is looking for ways, such as security-enabling equipment, to offer protection for its customers, Paul said.

While most believe security is an issue with broadband access, some believe the chance of a breach is not that great, especially with DSL.

"The industry is aware of the concern, which creates a new market opportunity for software products and firewalls to add another tier of security," said Jeff Waldhuter, director of technology and engineering for Bell Atlantic's science and technology division.

But once the volume of customers using the shared connections increases, the probability of a hacker going after a particular user diminishes.

For protection, turn off things such as file sharing and even a user's computer, Waldhuter said. ISPs can provide another layer of security for business customers, he said. "It is up to the individual company using the transport. We don't want to over-engineer and end up with higher costs, and we can't deliver a Cadillac if everyone doesn't need one."

Although Bell Atlantic may look at equipment that provides added protection in the future, today Waldhuter does not believe the risk is high enough to demand that. Instead, Bell Atlantic is migrating from its initial rollout's static IP addresses to the more secure, dynamic IP addresses.

"Service providers do what the buyers demand they do," said Tom Nolle, president of CIMI Corp. "Every vendor is making a mountain out of a molehill to get differentiation."

The instances of carriers putting in security equipment without requests coming from customers are few. "I feel sorry for the vendors and all the good technical people - but the security problems are really not going to happen," Nolle said.

Waldhuter agreed with Nolle's lack of concern for security problems and added that DSL connections provide an extra tier of security over cable. "We got out of the party line business 80 years ago," Waldhuter said, referring to cable access.

But if the incumbents have to acknowledge security problems with DSL, it will hamper their ability to combat cable modems, said Ron Westfall, senior analyst with Current Analysis. "They are really afraid of AT&T and the cable boogie man."