Republished with permission from WatchGuard Technologies, Inc.
WatchGuard LiveSecurity


Security and xDSL Connections
by Dave Piscitello

Broadband local access technologies (cable modem, digital subscriber line, and fixed wireless) deliver significantly higher bandwidth than traditional analog and digital modems. All this is achieved using the same wires that deliver TV signals, the copper pairs that deliver telephone service, and/or the microwave radios and infrared beams aimed at and transmitting to your residence or office.

Over the next twelve to eighteen months, the market for broadband local access in all forms is expected to explode. Of all the services that will be offered using these technologies, Digital Subscriber Line (DSL) has particular appeal for telecommuters, homes, small businesses and branch offices.

Besides delivering higher bandwidth, these technologies are fundamentally different from traditional "dialup" modems. Just like the WAN services and leased lines that enterprises use to connect to the Internet, these technologies are always on. From a security perspective, a reasonable initial reaction is that broadband local access connections should be protected to the same degree that one protects enterprise Internet connections.

This is the first in a series of related editorials. From the perspective of a system administrator, I'll consider many of the perceived threats, vulnerabilities and issues presented by broadband local access connections—particularly DSL. Part of this exercise is to de-bunk myths that these threats are pertinent only to broadband local access connections. Subsequent columns will consider policies and technologies to mitigate these threats.

What is DSL?
Digital Subscriber Line (DSL) is a method of using the unused parts of the spectrum available on ordinary copper telephone pairs to provide higher bandwidth than traditional analog and digital modems. DSL technology uses "frequency division multiplexing" and special coding so that data transmission occupies spectrum ranges not used for standard telephone service. This allows DSL deployment to provide voice and data over the same copper pair. DSL, however, works only over a telephone line no longer than about eighteen thousand feet—about 3.4 miles or 5.6 kilometers.

Despite early struggles between incumbent and competitive local exchange carriers (ILECs and CLECs) over the interpretation of the US Telecom Reform Act of 1996, xDSL service is now available nationwide from several large national CLECs (Covad, Rhythms, Northpoint), the Baby Bells (ILECs), and many other regional carriers. Using DSL, ILECs and CLECs can deliver up to one Mbps service over existing copper to 80% of 550 million residences worldwide.

The widespread availability and performance characteristics of DSL make it very attractive for telecommuters, homes, small businesses, and branch office connectivity. For this reason—and because I use DSL every day—I concentrate on DSL here. However, much of what I say about security in this and ensuing editorials will apply to cable modem and broadband wireless as well.

How is DSL deployed?  
DSL is typically provided as a layer 2 Permanent Virtual Circuit (PVC) service, and the service model is nearly equivalent to an ATM or Frame Relay PVC. Each PVC is a private point-to-point connection—think of this as an Ethernet hub with only two jacks. Data is transported over DSL access networks without examination. Each PVC requires explicit initial setup by both customer and the service provider.

The majority of DSL service is sold through ISPs. In this service model, you install a DSL access modem at your home or office, and run IP over DSL in one of the recommended encapsulations. The DSL (layer 2) service runs over an ordinary telephone copper pair and terminates in a telephone company Central Office at a device known as a DSL Access Multiplexer (DSLAM for short). An ATM PVC, or leased circuit, aggregates traffic from all the DSL subscribers of a particular ISP and sends it to a router or layer 3 switch at that ISP's point-of-presence (POP). (In some cases, this ATM PVC, or leased line, is connected directly to a router or switch at an enterprise or private network). As you can see, this scenario is not at all similar to how your dialup modem connects over the public switched telephone network (PSTN) to a modem bank at an ISP POP, or company RAS.

This is only a basic outline, there are common variations to this topology. In multi-tenant units, for example, DSLAMs may be located in building wiring. Often times, the CLEC or ILEC may also be an Internet Service Provider. 

Security Issues for the System Administrator
The most frequently cited "worries" expressed by system administrators about empowering telecommuters and remote offices with remote access via broadband local access services are:

1. The transmission facility is not a secured link, so communications over the link are vulnerable to hijacking, replay, and modification. This is perceived as a BIG problem for cable modem, which is a shared medium, and for broadband wireless. But DSL is not immune, especially since the most common deployment of DSL is via a public Internet provider.

2. The home or small office now has an always-connected link to the enterprise's network. Like enterprise Internet connections, the link is always available and thereby subject to attack.

3. The home or small office frequently lack sufficient physical security. Equipment and sensitive information are vulnerable to theft and unauthorized access.

4. The connection from home or small office is a high speed link: Think of the higher bandwidth in terms of the rate at which information can be stolen (downloaded) from a compromised server.

What is troubling from a security "purist" standpoint is that some of these concerns have a wider applicability than broadband local access. As we seek to leverage the Internet infrastructure to reduce communications costs we multiply our exposure to its dangers.

Are these problems unique?
Too often, most of the attention to security outside the corporate perimeter is focused on data transport. But all communications services used by telecommuters, SOHOs and roaming employees exhibit some of the same characteristics described in (1) and (2) above. How is "always connected" any less secure than remote or roaming access via modem or ISDN via the public Internet?  From a transport perspective (just the underlying technology), and absent the use of secure remote access (VPNs), it's not. You should worry equally about securing communications for your laptop-encumbered road warriors as for your broadband-enabled telecommuters regardless of how they connect.  

Regarding the issues raised above:

1) If you are connecting telecommuters directly back into your enterprise with DSL, no leg (hop) of your data transport will traverse the public Internet.  Given this, you should apply the same security policy regarding encryption over untrusted links as you do for your Frame Relay and ATM PVCs. Cable modem and broadband wireless, on the other hand, are easily eavesdropped "broadcast" technologies. Treat these with the same policy as access via the public Internet.

2) The perception that you achieve some level of security through obscurity by using dialup or ISDN services, and so can avoid the responsibility of protecting a PC or LAN in these configurations, is plain wrong. Connectivity is easily automated using autodial analog modems, ISDN or dialup modem SOHO routers. User connect time to Internet services now ticks along in hours, not minutes. Following dialup through an ISP, at least one of your systems has a public and hence scan-able IP address. IP addresses associated with ISP dialup, and ISDN modem banks, are published, well known, and routinely scanned. Don't rely on NAT to protect you, depending on how you are using network address translation (NAT), there may be ways to hack in to your SOHO LAN. You are much more vulnerable, even with an intermittent connection, than you may care to believe.

3) Many telecommuter residences, homes and small offices don't have the kinds of physical security that enterprises employ. But there's nothing unique to broadband local access here: The lack of physical security is an epidemic problem among road warriors, telecommuters, and many small offices, where laptop theft is increasing at rate of over 25% per annum (Safeware Insurance Company, 1997).

Arguably, the only truly unique aspect of broadband local access is its high speed link. But consider the Internet cafés, e-mail kiosks with complimentary LAN cabling (or wireless LANs!) and—increasingly—hotel rooms with cable modems. In all these areas, sensitive information can be downloaded from a compromised host at a frightening rate, long before the intrusion is discovered or addressed. What is definite is that the new technologies that enable high speed access are bringing some of the thorniest problems in network security to a whole new segment of the wired world. 

Initial Conclusions
To react to broadband local access as somehow different from all other forms of communication is to fail to appreciate the overall security picture. Broadband local access doesn't create that many new issues, but it does call attention to security policy and implementation issues that may have been overlooked or neglected. It creates an opportunity to address the larger set of issues facing a company when it acknowledges that security can no longer be implemented solely with, (as Fred Avolio discusses in his April editorial Extending the Perimeter), a "secure perimeter" mentality.

Forthcoming columns in this series will consider problems system administrators will face as they attempt to:

§ Cede administrative control of desktops, stored information and information confidentiality to telecommuters

§ Provide telecommuters and roaming employees with access to intranets and mission-critical servers over untrusted links, particularly over the Internet

§ Deal increasingly with telecommuter and small office LANs

In my next editorial, I'll suggest appropriate security policies for each scenario and discuss technologies you may find helpful when implementing these policies.