Door open, door closed

Cable Internet access was one of the technological success stories of 1999, but it is shadowed by several perceived problems that threaten to hamper its mass deployment - most notably, the danger of hackers attacking its "always-on" connection and its growing reputation as a restrictive mode of access that makes free choice of an ISP difficult, if not impossible.

Nortel Networks' Shasta IP services division has devised solutions for these problems - solutions pegged to its Shasta 5000 broadband service node. The Shasta 5000 is a subscriber aggregation device with interfaces to a wide range of networks - DSL, wholesale dial-up and cable, with wireless and frame relay and ATM in the works.

Last September, the company announced that it had added DSL firewall capabilities to its feature set. In mid-December, Nortel unveiled stateful firewall capabilities for cable access networks.

The help is sorely needed. "This is not just a scare tactic," said Reese Melvoin, network security consultant with DataVault. "The typical user doesn't have a real concept of Internet security and expects his service provider to supply that security. The ISP is the modern-day equivalent of the telephone provider, after all." Cable multiple systems operators (MSOs) need to defuse security concerns, especially when they reach beyond the home to the telecommuter and small and medium-sized business markets.

The Shasta 5000 allows an MSO to individualize stateful firewall policies for every subscriber on the network, blocking malicious traffic or even just cutting out spam. Routers have done some of this with extended access lists and filtering mechanisms, but they don't have the processing muscle to put tens of thousands of firewall policies per subscriber into place for every subscriber on a large network.

This opens the possibility of many service differentiations with corresponding revenue increases. For example, using firewall policies, MSOs can move into multidwelling units and offer small businesses the ability to run e-commerce, mail servers and domain naming system servers while barring residential users in the building from doing the same. They also can offer "family-friendly" Internet packages.

"One of the most requested value-adds is URL filtering/routing, in which a subscriber can sign up for a G-rated or PG-rated experience," said Dave Ginsburg, director of consulting engineering for the Shasta IP services division of Nortel.

The Shasta 5000 also offers an MSO the option of flexible access wholesaling. "Now cable providers don't have to deploy an architecture of routers and headends that tie them to a single service provider," Ginsburg said. "They can let their subscribers, including telecommuters, dynamically select their ISP of choice - once a month, or even totally on demand, though that's pushing the billing processes."

Service selection can be done in two main ways. With point-to-point protocol (PPP) over Ethernet using a PC client, every person in the residence on a PC can be tunneled securely or routed to a separate ISP or corporate virtual private network without an IPSec client.

A parallel tunneling architecture uses dynamic host configuration protocol. This environment eliminates the PPP-over-Ethernet client, avoiding the barrier that software downloads pose for inexperienced users. Instead, subscribers go through their standard Web browser and log on to a captive portal, served by a portal server and from which they select their ISP. In the future, they also will be able to select special content or different qualities of service.