Several issues exist for all mass-deployed broadband services:
15.1.1 Problems Raised by an Always-connected ServiceUnlike dial-up connections to the Internet, DSL connections are likely to be always connected to the wide area resource. This opens the user from the home or small business to a number of attacks that are less likely in the traditional environment of intermittent connections. In a dial-up environment, the IP address of the user's system is not static, as it is typically assigned anew from a pool of available addresses owned by the ISP each time the user establishes a connection. Therefore, there is no permanent relationship between a dial-up user and a particular IP address. This provides a certain level of security for the user. In this transient environment it is not possible to establish a relationship between a user and a particular address, which provides some anonymity for a user's communications on the public Internet. In the case of a DSL connection, which is permanently connected, the IP address is never reassigned and the user's communications can associated with a particular address. This opens the user to a number of security issues.
Once the attacker has gained access to the user's system, a number of types of mischief are possible. In addition to stealing the user's information or damaging the user's resources, the attacker can use the system for their own purposes by installing their own data or programs on the suborned system. The fact that the user's system is always connected makes the system potentially very desirable to the attacker. The attacked system can then be used for further network mischief, such as denial of service attacks on the network from the user's computer. The user's PC can be configured as a Web server without the user's knowledge. In addition to broadcasting information about the user's system to the outside world, the commandeered system can be used to distribute information that the hacker has installed on the user's computer. The high speed of the DSL connection makes the user's system even more desirable to a hacker than dial-up connections. A number of relatively simple remedies reduce the danger of the attack on the permanent DSL connection.
15.1.2 Naivete of the Typical Broadband Access UserHome and small business users are often ignorant of security issues, and even if they are interested in the problem, they are likely to have little time to manage security tools in their homes or offices. Unlike the large enterprise where a specialized staff can oversee the security systems on the network, the smaller users have very limited resources for this complex function. Large enterprises with their professional, full-time network security staffs often experience breaches. How can the home or small business user be expected to learn how to configure and monitor their environment with their much more limited resources? Assumptions cannot be made about the value of the information on any user's computer. Identity theft through hacking a home PC is a serious problem for a particular home user, and the information on a business computer may be vital to the continued existence of that small operation. Although the vendors of tools such as personal firewalls and simple hardware-based security tools attempt to make their applications as self-configuring and intuitive as possible, some learning and resources are required on the part of the user. Additionally the continuing evolution of attacks requires periodic updates, reconfigurations, and replacements of even the most user-friendly tools. Addressing this issue is difficult in the DSL environment. However, it also provides a means for access and service providers to offer additional services to their customers and thus differentiate themselves from other providers of broadband service or to obtain additional revenues from additional services to their customers.
15.1.3 Increasing Complexity of the Networks in Homes and Small BusinessesUsers of DSL in both the home and small business are likely to support more complex networks at their premises than have been typical of the such environments in the past. In addition to the security issues mentioned in the previous section, DSL environments create security issues that are specific to these environments. In a home environment with multiple computers, one cannot assume that the users share identical security interests. For example, the PC used by a parent may access that person's employer over the DSL connection from the home office, while children may have PCs used solely for "entertainment" Internet access. In this case, incoming and outgoing access restrictions for the parent and his computer are obviously different from those for the children from their computers. A firewall function at the gateway to the home (or within the access or corporate network) is not sufficient to ensure that only the authorized user can access the parent's corporate network. Only security that extends from the parent's computer to the employer's network can provide such control. The support for a virtual private network from the parent's PC, through the gateway and through the Internet, is one solution to this issue. Additionally, the use of separate ATM virtual circuits (VCs) dedicated to each of the users can ensure that the traffic for these two environments is kept separate. The existence of home networks with multiple resources connected to them itself adds considerably to the complexity of keeping the home or small business environment secure. Personal firewalls on a single PC are a suitable security solution for the home or small business with such a simple environment. However, in environments with multiple devices on a home LAN, managing separate firewalls on each PC can become an administrative nightmare. In a DSL implementation supporting a home network, hardware-based applications on the device supporting the DSL access to the home is an obvious solution. Not only does this centralize the security function in the home or business, but also it allows the use of enhancements such as multiple VCs, and network address translation to enhance the security to the entire home network. 15.1.4 Complex Interactions between the Broadband Users and the Networks of OthersA PC on a DSL-connected home network that accesses another secure network creates security issues for that network. Breaching of resources on a vulnerable home network may allow access by unauthorized users to the remote secure network. Thus, the protection for the home network becomes part of the security cordon for the remote network; one that is not under the control of the administrators of that network. The home network thus becomes a portal for hacking another network and a weak point for other networks accessed from that home. |
Top |