Building a Secure Service Provider Architecture

Provider online security pays off

Dark Reading Staff, Dark Reading

November 21, 2006

16 Min Read

There’s no doubt that both commercial and consumer confidence is being damaged by the rising tide of crime and abuse on the Internet. For just one type of fraud alone – phishing – security company Websense Inc. (Nasdaq: WBSN) recorded about 18,000 attack reports each month in the first half of 2006, but suddenly spiking to nearly 30,000 in June. (See First Half 2006 Security Trends Report.) And a Gartner Inc. survey last year estimated that about 2.4 million U.S. consumers lost nearly $1 billion because of phishing attacks alone in the 12 months to mid-2005.

Unsurprisingly, customers are now expecting service providers to protect them with safe and secure IP services, and service providers have realized this will prove an important differentiator in the future. And many customers will pay for tangible improvements in Internet security – so the Holy Grail of new revenues beckons.

And it may have substance. Heavy Reading Enterprise declared in a report in August 2006 that organizations of all sizes will increase spending for security products and services over the next two years: 66 percent of respondents from both large- and medium-sized companies and 55 percent of small companies. (See HR: Security Spending on the Rise.)

So what's driving this security spending spree? "Security is not settling down. There are more and more security incidents every day – spam, spoofs, or loss of sensitive data," notes Robert Lerner, senior analyst for Heavy Reading. "Organizations are looking to fill in a lot of security gaps and trying to build an enterprise-wide security system."

In parallel, service providers are going to have to build a whole lot more security into their networks, especially since the industry is now moving wholesale to IP-based, converged, next-generation networks (NGNs) to support all their services.

But making architectures secure is very much a ground-up approach, with a need to integrate security into all network layers. This means adopting good security fundamentals, and then implementing them by the appropriate techniques.

Examples are applying acceptable-use policies and best practices to both inbound and outbound communications to restore customer confidence in email security, and applying new techniques such as collaborative architectures that aim for a continual improvement in the speed and reliability of spam, phishing, and virus control.

This report looks at how service providers can start pulling these issues together to build a secure service-provider architecture that will protect both themselves and their customers – profitably. Here’s a hyperlinked contents list:


This report is based on a Webinar, Building a Secure Service Provider Architecture, moderated by Simon Hill, Events Editor, Light Reading, and sponsored by Cisco Systems Inc. (Nasdaq: CSCO), Mirapoint Inc. , and Cloudmark Inc. An archive of the Webinar may be viewed free of charge by clicking here.

Related Webinar archives:

— Tim Hills is a freelance telecommunications writer and journalist. He's a regular author of Light Reading reports.

Next Page: Threat Evolution: What’s Going On Out There?

Network security threats and the operational complexity of countering them seem to be on an ever-upward ratchet. The list of security nasties to which IP-based networks and their users can be subject just goes on and on (see Security Product Directory), and embraces:

  • Viruses

  • Trojans

  • Worms

  • Spyware

  • Malicious URLs

  • Spam

  • Offensive content

  • Directory harvest attacks

  • IP fragmentation

  • Cross-site scripting

  • Buffer overflows

  • Directory traversal

  • HTTP code inspection

  • Denial-of-service (DOS) attacks

  • Smurfing and fraggling

  • ID theft

  • Phishing

  • Web content tampering

  • Unauthorized system access and tampering

  • False traffic and billing fraud

  • Session hijacking of call handover in mobile networks

  • VOIP call theft and redirection

  • etc.

Twenty years ago, no one had heard of most of these, and security was very much limited to a block-and-hide approach, where encryption was seen as solving everything, and manual procedures and command-line operator interfaces (CLIs) were the norm. Then came detection of simple threats through reactive virus and intrusion detection, relying on best-of-breed perimeter-point products and the introduction of dedicated security appliances.

Now the buzzword is protection from simple threats, by converging scanning and filtering to provide a comprehensive view of all security elements. This embeds security into the switch or router and makes manageability critical.

But over the next few years it is going to get even more complicated with the arrival of adaptive networks, which will be self-managing, self-protecting, and self-healing to provide highly available network services based on security-aware network elements.

Another big change is occurring in users’ attitudes. Increasing exposure to fraud, spam, and viruses has dented both enterprise and consumer confidence in e-commerce and emails. There is a growing view that service providers should do more to make the Internet and Internet applications more secure.

And, of course, it is costing a lot of people – not least, the service providers – a lot of money.

“Spam, phishing, and viruses are growing at incredible rates and are getting increasingly sophisticated. Handling all this is driving up infrastructure costs in terms of mail storage, filtering servers, and bandwidth,” says Jamie de Guerre, Director of Program Management, Cloudmark. “We have found cases where 20 to 25 percent of mail storage is taken up by spam, and the filtering software requires more servers than the rest of mail infrastructure.”

This can easily translate into hundreds of millions of dollars over the entire industry. Nor are humble private Web users much better off. A Gartner survey last year estimated that about 2.4 million U.S. consumers lost nearly $1 billion because of phishing attacks alone in the 12 months to mid-2005.

So cue for action. But what? And where?

Next Page: Security & the Service Provider

A good place to start is the network infrastructure itself. This, according to Chuck Adams, Service Provider Security Solutions, Cisco Systems, is crucial to the transformational migration that service providers are making to IP-based NGNs.

“The challenge is describing where and how you embed security into this whole architecture,” he says. “Essentially, it is inserted throughout. While that is easy to say, it is more difficult to implement. Security should be considered and designed into the NGN throughout all the processes, technologies, and plant security solutions. So when a service provider is undergoing the IP transformation, it’s an ideal time to refine business processes and architectural design to adhere to certain security principles.”

Figure 1 shows a typical service-provider network high-level block architecture, together with the security roles that should be designed into the architecture when planning the transformation to an IP NGN.

Figure 1: Security Roles Across the Network Source: Cisco Systems, 2006

Obviously, the routers, switches, and other equipment that forms the network infrastructure must itself be as secure as possible – having their own infrastructure hacked is every service provider’s nightmare. This means such data- and control-plane protection techniques as unicast Reverse Path Filtering (RFP), reflexive access control lists, control-plane policing techniques, and committed-access-rate technologies and various other rate-limiting techniques. Additionally, the management plane must be protected (for example, by using SNMP v3 and other technologies), and there are evolving network-visibility tools and techniques, such as Cisco’s NetFlow for enhanced flow-based security traffic analysis and analysis and mitigation capabilities for distributed DOS attacks.

The next level of security design covers every security element that would be encountered by a typical packet moving across Figure 1. These actions depend on the policies implemented at each security element at different layers of the topology. These policies are directly related to what types of controls the service provider wishes to impose on its customers, and should be related to the acceptable-use terms that its customers and partners agree to. Where to implement these policies is essentially a function of where along the path is the most effective and efficient logical point at which to evoke the desired action. Once determined, the service provider can then define the requirement for that action and decide at which application layer to invoke it, and this should dictate what type of security technology would need to be used.

According to Cisco's Adams, all this has to be done within a framework of unchanging fundamentals that govern service-provider security. The overarching requirement is a set of security policies that define what is “right” (allowed or required) and what is “wrong” (forbidden or deprecated) in terms of the network, services, and users. An important qualification, however, is that the service provider has to be prepared to treat security as work in progress.

“The threats we face are continuing to evolve,” he says. “Therefore we have to ensure that our IP NGN is designed in such a way that permits continuous learning and nearly dynamic application of new policies based on what we have learned. This is where the end-to-end architecture comes into play and where our operational support processes must be designed to leverage the latest knowledge drawn up from our NGN.”

This leads to a sandwich-type of security structure, in which security policies define the top, security operation (for security management, monitoring, and incident response) defines the base, and the filling comprises four interlinked functional areas:

  • Network infrastructure protection against vulnerabilities and attacks

  • Trust and identity to exploit the network to protect endpoints intelligently

  • Secure connectivity to provide both secure and scaleable connectivity

  • Threat defense to prevent and respond to network attacks and threats

These have to be continually reviewed according to a cycle of secure, monitor, audit, and manage.

Security for Sale

Of course, security is not just a matter of protecting the service provider's assets and services – it is also something that can be sold to customers, and becomes a service in its own right. Appealingly for service providers, it can be sliced and diced into a range of managed security services, each more expensive than the last.

Right at the bottom are secure access services. Managing Internet routers with basic access control lists and foundational protection mechanisms is the most basic of managed security services. However, with current integrated service routers, the service provider can go on to offer more advanced secure VPN, stateful firewall, and DOS protection services.

Moving even further up the scale, service providers can design and offer specialized and expert managed security services under the general banner of enhanced security services and options. Examples cited by Adams are managed security services using Cisco’s IPS and IDS capabilities, and managed endpoint protection using Anti-X.

“There is a wealth of security technologies that we would describe as advanced technologies to enable the service provider to further services and value into the enterprise LAN environment,” says Adams.

Next Page: Email Security Solutions

One of the most visible – and important – areas of security for service-provider customers is email. There are two sides to this:

  • Protecting customers from known and as-yet unknown threats, such as spam, viruses, and phishing.

  • Protecting the quality of the communications that leave the provider’s network – and hence its reputation. In particular, this means ensuring that the provider is not sending spam and viruses, and ensuring that customers are not bypassing provider systems to send spam and viruses themselves.

According to John Veizades, Senior Product Line Email Security, Mirapoint, there are best service-provider practices on inbound and outbound communications for both of these aims.

For inbound communications, service providers should tag or drop confirmed spam for customers, and drop inbound connections from known spammers (such as zombie PCs and known bad actors whose IP addresses are listed on the common black-hole lists).

For viruses, service providers should protect against known viruses by using a carrier-grade antivirus (AV) engine, which can be fast and effective, and is additional to desktop protection. They should offer, as a value-added service, protection against emerging viruses before they are commonly known.

“We have seen service providers being able to drop 60 to 80 percent of inbound traffic to their customers’ networks by offering reasonable spam protection at the edge,” says Veizades. “And using an AV solution that is specific to a gateway infrastructure won’t be a common solution to what’s on the desktop. So you offer two-level protection. Your customer is using something on the desktop, and you are offering something on the gateway that protects them.”

For outbound communications, service providers should protect the reputation of their service by stopping zombie-PC behavior. They should use SMTP controls to block unauthenticated TCP port 25 connections (the traditional message-submission port) and to allow port 587 message submission instead, as defined in RFC 2476 – Message Submission. This is an extension of SMTP to allow systems to submit messages to, for instance, their corporate environment, in a secure, authenticated fashion.

Service providers should scan outbound messages for spam and viruses, and develop and monitor acceptable-use policies (AUPs) on email sending – and enforce these AUP agreements. This means detecting unusual email behavior, and redirecting these systems to a notice page for possible system disinfection.

“Taking those systems that have unusual behavior and redirecting them to a notice page that tells them they possibly have an infected system is an effective control on your network,” says Veizades. “And it is a great value-added service to your customers as well, because most of them don’t realize they have an infected system.”

Figure 2 illustrates a service-provider email security solution using this approach. Customer inbound messages follow the steps of the upper green arrows; outbound messages follow the lower blue arrows.

Figure 2: Email Security Solution Source: Mirapoint, 2006

Adding Dynamism

Filtering in various forms plays a key functional role within email security solutions such as that of Figure 2. A traditional approach is to use a combination of protocol filters and content filters, as shown in Figure 3.

Figure 3: Traditional Email Security Solution RBL = Real-Time Blacklist
Source: Mirapoint, 2006

Unfortunately, there are some drawbacks to many of the commonly used filtering technologies, according to Cloudmark’s de Guerre:

  • Protocol filtering is based on static, infrequently changing data, and tends to give low visibility into false positives – senders are assumed guilty until proven innocent.

  • Content filtering is processor-intensive and suffers from rising infrastructure costs because of ever-increasing CPU loads, and scaleability suffers because of the resulting slow throughput of message scanning. Attacks are often missed while the system is waiting for rules or heuristics to be created, and users and administrators often cannot correct filtering issues quickly enough.

“The next-generation solution is to add security in multiple layers of the network – protocol, content, and network layer – and to try to ensure that use at each of those layers is based on dynamic data from users’ feedback, and hence build in a system of real-time checks and balances,” says de Guerre. “Thus if an error happens and an IP address ends up on a blacklist by mistake, it can be automatically removed based on feedback from users or administrators received dynamically.”

Figure 4 illustrates this idea, as being developed by Cloudmark, in conjunction with partners like Cisco and Mirapoint. At the protocol layer, for example, the approach tries to add intelligent data into the data used to set incoming-traffic rate limiting and shaping. The result is that rate limiting and traffic shaping are based not only on incoming traffic volumes, but also on data from the content filter and the community of users that may be providing feedback into the system.

Figure 4: Next-Generation Email Security Solution Source: Cloudmark, 2006

Users vote on messages, and the system uses fingerprinting algorithms to allow the precise identification of emails for spam and phishing so that further emails can be blocked. The goal is to identify all messages in an attack with a single fingerprint that can cope with polymorphism.

Controlling the application of the user feedback is the Trust Evaluation System (TES), which tracks the reputation of each user reporter (classified on a scale) to ensure data integrity and accuracy. It is the TES which determines when to mark a fingerprint as spam or phishing – essentially filtering out reports deemed to be untrustworthy.

The overall advantages are safe filtering in the network layer combined with a low risk of false positives and the assurance that it can self-correct itself if anything goes wrong. Additionally, it provides the ability to have an automated response based on users’ feedback or administrators’ feedback, and also provides collaboration with ISP networks worldwide. So feedback from other providers can be used immediately to stop new threats within the provider’s own network and to correct any message misclassifications that may be occurring.

In principle, the same collaborative feedback approach can be applied to antivirus protection to give a highly dynamic response. Conventional AV protection works on the principle that AV firms collect new viruses, analyse them, and create virus signatures that can be used to detect the new viruses. Clients download the new signatures, and are then protected against the virus. However, this is a multistep process that can take typically from 8 to 48 hours, leaving a potential window of vulnerability.

“We have created a fingerprinting algorithm that generates fingerprints on Windows binaries in such a way that it flags portions of the machine code least likely to change or mutate with polymorphisms of the same virus,” says de Guerre. “The community then votes on viruses, and we are able to stop them in near real time.”

As an example of the effectiveness of this approach, he cites the so-called Kama Sutra worm. Cloudmark began early blocking the Kama Sutra worm at 13:08 UTC (5:08 AM PST) on January 16, 2006, two days before the peak in the worm’s attempts to propagate itself.

“If every other AV company had filtered the worm as quickly, the initial peak would not have materialized – so the widespread use of collaborative techniques would significantly lower virus impacts,” says de Guerre.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights