Securing the Access Network
By Alan Skinner
There was a time in the very recent past when outside plant network security meant locking the cabinet or pedestal to protect the valuable electronics inside. The components comprising the plant could be stolen or damaged, and the resulting outage could take down hundreds or even thousands of customers. There was no real risk of network intrusion, however. The fibers carried only amplitude-modulated (AM) light representing an RF spectrum.
Today this is only partially true — the electronics are still valuable and the outages still hurt. However, with the advent of distributed access architectures (DAA), network security has taken on a new meaning. Those former analog fibers now carry the ones and zeros of Ethernet, and represent potential entry points into the provider’s managed network. Add to that the fact that fiber nodes are now “smart” networking devices rather than simple media converters, and it’s time to revisit security in the outside plant.
One way that Cox tackled this issue was to utilize a third-party security consultant to perform an audit. While the focus was on the remote PHY device (RPD), the security implications for the network itself also became clear. Our audit revealed that we had some work to do both in securing the devices and in protecting the network.
The devices themselves, it would turn out, were the easy part. Cox uses administratively protected IPv6 addressing for the RPDs, meaning that neither customers nor bad actors on the Internet can reach them. Even so, we put in place safeguards to ensure that only authorized users can remotely connect — something that was never an issue for legacy analog nodes. Well-intentioned security practices can sometime backfire, however. One RPD vendor began enforcing a default password-changing requirement, even though the devices aren’t customer-facing. This requirement had the unintended side effect of breaking our automated provisioning system and resulted in a delay of pushing new code to the field. On the plus side, IP-managed nodes can send us things like enclosure door opening alerts or temperature alarms, which help mitigate criminal or environmental threats.
While the devices were straightforward to secure, the network was more challenging. RPDs use industry-standard small form-factor pluggables (SFPs) to interface with the provider’s Ethernet network. The common optics help keep costs down, but also provide the potential for an intruder to utilize the connection to gain access to the network. Once inside, an attacker now has the potential to do far more damage than just cause an outage to the customers in that serving area. There are some roadblocks to slow them down, for sure: physical hurdles (buried or pole-mounted housings), enclosure door open alerts, an outage notification resulting from all the modems that just dropped offline, custom-tuned wavelengths on the SFP, and a DHCPv6 server that is configured only to service CableLabs-specified RPDs. Nevertheless, additional protection is needed since there are now thousands of potential entry points in the new digital plant.
Cox took a two-pronged approach to this vulnerability: protocol-based filtering and network access control. One of the great things about deploying standards-based technology (CableLabs DCA-MHAv2, in this case) is that the protocols used are well-known and common to all vendors. With a little research and packet-snooping, we were able to configure our CIN (converged interconnect network) routers to permit ONLY the traffic required to operate remote PHY while dropping anything else. This was step one and was implemented with little fanfare. But as security folks are not happy unless the backup’s backup has a backup, we also implemented network authorization using 802.1X. Again, the specifications are our friends and detail exactly how the RPD must work with the authenticator and authentication server to come online. Any device attempting to send packets on the network will fail unless specifically permitted by our authentication system.
Both device security and network security are needed to ensure that our next-gen outside plant doesn’t expose us to vulnerabilities. With the belt and suspenders in place, we can rest easier knowing that we’ve taken solid precautions to protect our network.
Alan Skinner
Principal Engineer
Cox Communications, Inc.
alan.skinner@cox.com
Alan Skinner is a 12-year veteran of Cable Access Engineering at Cox Communications. His current efforts center around remote PHY and CCAP video integration, but for the three years prior to that he served as technical lead for IPv6 implementation throughout the company. His responsibilities have also included the design and implementation of DSG and related STB technologies. Prior to joining Cox, Alan spent eight years in DOCSIS engineering at Arris and Cisco.
Feature Image: Shutterstock