Why Telcos should and should not be concerned with security
The telecommunications sector has been bombarded with customer complaints about security lately. There is the issue of Smart Wifi and other cable and DSL services being insecure in the last mile. Now there is an Inq7 article that puts another spin on the story of Telco security.
“A lot of telecommunications companies don’t take responsibility when it comes to security. That is unless you’re using their managed services, which is costly,” said Ken Liow, senior manager of security of 3Com’s enterprise marketing in Asia Pacific, in an interview with local reporters.
Liow stressed that telecommunications companies are not in the business of providing security. Thus end-users are still expected to spend more to secure their networks.
There are two schools of thought when it comes to telecommunications security. The first school of thought says that Telcos, being service providers, are responsible for the well-being of their customers. This is similar to the argument that if a shopper goes to a mall, that mall is partially responsible for the shopper’s security. Therefore, in this school of thought, network operators must ensure that pro-active protection is provided to the customers. This may include firewall and anti-virus services. These types of service are required by the majority of network users. This is Provider Secures.
Then there is the other school of thought. This second school says that Telcos are only required to be a “raw bit pipe”. Therefore, they should not tamper with the packet in any way. For example, if a Telco pro-actively firewalls particularly evil ports, then it is possible that it also blocks some port that may be required by a particular customer. This makes port filtering very difficult. If the Telco has anti-DOS solutions, then these solutions can actually block a “Slashdot Effect” (which is a good thing for web content providers). If the Telco has anti-spamware software and accidentally marks a false positive on an important email, then the customer might not be able to receive that email on time. Hence, this school promotes the idea that customers should secure themselves and Telcos should just play the role of a raw bit pipe. This is the school of thought to which the 3Com exec interviewed belongs. This is Customer Secures.
Of course, as any information technology security practitioner will tell you, the security of a system is only as strong as its weakest link. Therefore, neither scenario above will work on its own. Both parties are equally liable for their security needs. It is not possible to expect either party to be responsible for the entire security question. So, in an ideal world, Customer and Provider Secures.
However, some customers are really not capable of securing themselves. These days it is possible to find people who get computers and DSL service without knowing anything about basic information security. In most cases, they just know how to power up and click on a shortcut to their favorite website. This class of Internet users keeps growing. Telcos, as providers, must somehow be able to secure this class of users. This is particularly important because it is these users who are normally hosting a worm and/or being converted into zombies and drones for Distributed Denial of Service (DDoS) attacks. These zombies and drones then become bigger security problems.
I propose that a protected connectivity option when subscribing to residential DSL service be made available to customers. This is like a protected APN in the mobile data world (a lesson taken from the walled garden mobile world). This service may initially come with:
- A basic ingress and egress firewall package that will whitelist allowable services. Services such as HTTP, SMTP, POP3, IMAP, BitTorrent, IM, Skype and others can be pre-allowed. Maybe even a community-driven policy board to determine which services to allow or block.
- All HTTP, SMTP, POP3 and IMAP traffic from this service will be transparently routed to security appliances for scanning. This might be a costly option if a full commercial security suite is required. However, it is possible to use available open source software (SpamAssassin, Squid, ClamAV) instead. These might not be as effective as commercial products. But they are better than nothing.
- Offer a white label VoIP service at a reasonable rate. This will allow subscribers to obtain VoIP services at a reasonable rate without having to purchase them from an external provider.
- This should be an optional service, offered for free. If it is not free, most subscribers will shy away from it. Therefore, use of commodity components and open source software is vital.
All of these will be implemented at the network level and should be transparent to the users. With this, users are able to access their basic Internet services with a limited degree of safety. Of course, this is still not totally safe, but it is a good start.
In conclusion, I believe that Telcos should offer a service that provides a certain degree of network security to these customers. However, we should identify these customers first. Most business customers will not require network security services because they will probably have their own programs. They also require specialized services that might be obstructed by the provided security features. Power users will require certain specialized services too. However, more often than not, they are capable of protecting themselves. So we just have to look after a limited, but big, group of customers. These customers must be given an option that can help them secure themselves better at the network layer.
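A small model of the opt-in protected option described above, as an added example that is not part of the original post: subscribers who opt in get a default-deny egress whitelist, stateful ingress, and redirection of HTTP, SMTP, POP3 and IMAP to scanners, while everyone else stays on the raw bit pipe. The subscriber names, scanner labels, the DNS and HTTPS allowances and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Services the post sends to scanners, by well-known TCP port.
# Scanner labels are hypothetical names for this example.
SCANNED = {80: "web-scanner", 25: "mail-scanner", 110: "mail-scanner", 143: "mail-scanner"}
# Egress whitelist: scanned services plus DNS and HTTPS (assumed additions).
ALLOWED_EGRESS = {("tcp", p) for p in SCANNED} | {("udp", 53), ("tcp", 443)}

@dataclass(frozen=True)
class Packet:
    subscriber: str
    direction: str      # "egress" = from subscriber, "ingress" = to subscriber
    proto: str
    local_port: int     # port on the subscriber's side
    remote_ip: str
    remote_port: int

class ProtectedGateway:
    def __init__(self, opted_in):
        self.opted_in = set(opted_in)
        self.flows = set()   # flows opened from the subscriber side

    def decide(self, p):
        if p.subscriber not in self.opted_in:
            return "pass"    # not subscribed: raw bit pipe, untouched
        key = (p.subscriber, p.proto, p.local_port, p.remote_ip, p.remote_port)
        if p.direction == "egress":
            if (p.proto, p.remote_port) not in ALLOWED_EGRESS:
                return "drop"
            self.flows.add(key)
            if p.proto == "tcp" and p.remote_port in SCANNED:
                return "redirect:" + SCANNED[p.remote_port]
            return "allow"
        # Ingress is accepted only as a reply to a flow the subscriber opened.
        return "allow" if key in self.flows else "drop"

def run_sample():
    gw = ProtectedGateway(opted_in={"alice"})
    sample = [  # constructed packets; addresses are RFC 5737 documentation ranges
        Packet("alice", "egress", "tcp", 40001, "192.0.2.10", 80),
        Packet("alice", "ingress", "tcp", 40001, "192.0.2.10", 80),
        Packet("alice", "ingress", "tcp", 445, "203.0.113.9", 51000),
        Packet("alice", "egress", "tcp", 40002, "198.51.100.7", 6667),
        Packet("bob", "ingress", "tcp", 445, "203.0.113.9", 51001),
    ]
    return [gw.decide(p) for p in sample]

if __name__ == "__main__":
    print(run_sample())
```

The fourth packet is the collateral case from the Customer Secures argument: a service on a port the whitelist does not cover is dropped for opted-in subscribers, which is why the option has to be voluntary.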

May 26th, 2006 at 6:16 am
[…] Through hip2b2’s blog article, I read Inq7’s article on telcos and information security. Let me come out and say that I don’t see it the same way as Ken Liow, senior manager of security of 3Com’s enterprise marketing in Asia Pacific, primarily this statement: In recent years, Liow said that newer technologies have emerged to prevent malicious traffic from even penetrating networks. These technologies are called intrusion and prevention systems (IPS). […]
May 26th, 2006 at 6:59 am
Opt-in or opt-out, still a nice idea. Your captcha code is hard to read.
May 26th, 2006 at 7:12 am
It has to be opt-in or opt-out or the network operator will be accused of being “Big Brother”.
The hard captcha is the reason why I have very little blog spam. This is the third one I had to install. It is so good. It fools humans! Nuts. But, anything to keep my spam low.