Network insecurity: why telecoms operators are behind on the security curve - Cover Story
Telecom Asia, Jan, 2003 by John C. Tanner
Terrorist threats, denial-of-service attacks and Net worms have brought new awareness to the importance of security--but telecoms players are finding out the hard way that they're further behind on the security curve than they thought.
Between 9/11, Internet worms and the constant barrage of vulnerabilities announced in Microsoft products, the telecoms world in general--not to mention its customers--is more aware of the importance of security than ever before. Which isn't to say that the telecoms industry has been completely unaware of it up to now. But then, the network isn't what it was 20 years ago, or even five years ago.
Indeed, the list of potential vulnerabilities is a long one that includes operating systems from Unix and Novell NetWare to any Windows OS, as well as numerous network elements such as firewalls, Ethernet switches, WAP gateways, and dial-up modem banks. PBXs, VPNs, and even voicemail are also potential weak spots.
The application level is also riddled with potential weak spots, Web browsers and Microsoft Outlook being the most well known examples. Clients for IRC and instant messaging also present problems, as do background elements like Java and cookies. Server software is also at risk of attack, especially where remote control applications are used to allow network managers to troubleshoot off-site equipment.
Telcos and network service providers have to worry about this as much as anyone else--possibly more so, since not only do they have the same intra-company communications requirements as any large corporation, but they also own and/or operate the networks that everyone else is using at some level. Throw in the increasing ubiquity of IP--particularly in the core network via MPLS--and the always-on nature of broadband services and mobile data services like GPRS and cdma2000 1x, and suddenly telecoms operators have security issues they've never had to deal with before.
As a result, telecoms operators are only now just thinking about how to cope with these issues. Consequently, says Cable & Wireless security chief Bill Hancock, security in the telecoms industry isn't nearly as solid as it ought to be.
"Security tends to be an afterthought rather than a business driver," Hancock says. "It's not until they get hacked that they wish they'd invested in it. They don't realize that security is not a finished product--it's always changing."
This, in a nutshell, is the message that security experts are working overtime to get across to network managers everywhere--there is no one-off, catchall big red idiot button.
Mary Ann Davidson, chief security officer of Oracle Corp, likens securing a network to painting the Golden Gate Bridge. "An entire team of painters is constantly painting one side of the bridge, then the other. When they finish, they start over again immediately," she says. "Security professionals need to be constantly vigilant to ensure that they are not only doing the right things today, but they continue to do them tomorrow, and the next day, and they anticipate the problems of next month."
Hard security
Davidson says that the growing complexity of network security isn't just about the growing number of IP devices connecting to the network--it's also about the industry's tendency to introduce new technology without delivering appropriate security for it (wireless being the most recent example), as well as its tendency to either create new classes of security problems or recreate the same problems over and over again.
An example of the latter, says Davidson, is caching Web content to offload processing from the server providing the initial content, which is meant to improve system performance. "To cache security-relevant data requires all the same access control, auditing, and authentication as is required in the server itself," Davidson says. In other words, adding another tier to the application almost always results in additional security requirements.
Another example, says Bob Brace, global VP of Mobile Solutions at Nokia Internet Communications, is GPRS, which brings IP-related security issues to GSM networks. "As the GPRS data flows are carried over IP, measures for protecting against common Internet-type of security threats need to be implemented," he says. "These threats include password, man-in-the-middle, denial of service attacks, use of network packet decoders and IP spoofing, just to mention the most common ones."
Indeed, just the very shift from circuit-switched to packet-switched networks is changing the rules of the game for telecoms operators, Brace says. "The majority [of traffic] will be packet-based in five years time, during which the total traffic per subscriber will triple," says Brace. "This has huge implications for security."
About time
The good news is that telecoms operators--as well as LAN managers--are at least aware that the problem exists, and that it desperately needs addressing.
"Globally, the attitude seems to have changed a lot in a year," says Tom Noonan, chairman, president and CEO of Internet Security Systems. "There's awareness because everyone got screwed on Code Red, and then Code Blue--these automated threats where they don't need to necessarily know if you're on or off the network."

