This invention relates generally to telecommunications networks and, in particular, to security management and controls for broadband switching nodes, gateway devices, routers, and multimedia applications servers in an Internet.
As is known in the art, the Internet is a huge collection of globally interconnected computers networks. The computer networks include Internet devices such as switching nodes, gateways, servers or routers. Networks are interconnected by routers that route traffic from a source device (e.g., switching node) to a destination device (e.g., services server) passing through some number of intervening networks. The Internet devices have computing abilities and utilize protocols conforming to the open system interconnection (OSI) model of which the transmission control protocol over Internet protocol (TCP/IP) is a widespread implementation. All information transported over the Internet is parcelled into TCP/IP packets, which are routed to an intended destination.
Because of the low-cost, global access provided by the Internet, one desired use is in electronic business (e-Business) services and applications. For the purposes of this application, e-business services and applications shall be any type of process, communication or transaction that may be undertaken in a revenue generating business. Such service and applications include, but are not limited to telephony, facsimile, electronic-mail, data transfer, electronic-commerce, e-mobile, video-on-demand, remote access to business services (including Business-to-Business and Business-to-Consumer), and any kind of transactions that are used to access digitized information.
Electronic business (e-Business) services are increasing rapidly for businesses and consumers. But without security and trust, there wouldn't be a notable shift towards commercial and financial transactions on the Internet. As e-Business consumers take advantage of the permanent broadband access and connections to the Internet, they will face security challenges
In today's network, security incidents with dialup access are limited because consumers dial-up for a service and then terminate the connection. Further, most digital subscriber line (DSL) and cable subscribers are permanently connected to the Internet without firewalls and they are vulnerable to security breaches.
The growth in public Internet use and the security concerns that exist created a strong demand for firewalls and other security capabilities for all broadband technologies including DSL, cable, and fixed and mobile wireless.
In the Internet, the traffic flows from multiple subscribers get aggregated over high-speed connections to backbone or core routers that transport such aggregated traffic over high-speed backbones. In this environment, service provider lacks the visibility into each individual subscriber's traffic flows. For example, while edge devices with Remote Authentication Dial-In User Service (RADIUS) provide service providers complete knowledge, control, and visibility of the subscriber and their traffic flows. Visibility of subscriber's traffic flows is not complete at other devices in the Internet, (e.g., services servers).
For Internet security management, edge device firewalls work as a form of perimeter defense to allow acceptable traffic, as defined by the service provider, and drops all other traffic before it enters the network. Firewalls perform this defensive function by monitoring packets and sessions, making decisions based on the established rules in order to determine the appropriate action to take.
There are various firewall products for enterprise, small, medium, large service providers, and also for personal computer (PC) users. These overlaid firewalls solutions complicate the service provider's network by increasing the cost of subscription per user, software updates, or network complexity. In a scenario in which the provider does not offer the firewall as part of their service offer, it is highly unlikely that the provider can support trouble calls nor validate whether the source of subscriber problems is due to network problems or the subscriber firewall configuration. In a scenario in which a service provider does provide personal firewalls, the provider will need to maintain records on individual firewalls and will be responsible for the software update, as appropriate.
In addition to the fact that the management and maintenance of firewalls in the Internet can be difficult, they often cannot protect the Internet against so-called “spoof” attacks. Spoof attacks involve sending traffic that appears to be a legitimate source IP address and therefore acceptable to the firewall, but the source address has been hijacked and used illegitimately. Even the most advanced firewalls can and have been spoofed by the serious hacker.
In today's network, providers use identity verification in order to validate users requesting access to their networks. The authentication mechanisms will take many forms and identification information will typically reside in a Remote Authentication Dial-In User Service (RADIUS) or other Authentication, Authorization, and Accounting (AAA) server.
Spoof attacks typically take advantage of the authentication mechanisms in order to cripple the server. The Internet Denial-of-Service (DoS) attacks prevent a target services device (or victim server) from performing its normal functions through the use of flooding of or irregular sizes of certain types of protocols, such as “Ping” requests aimed at the “victim” server. The DoS attacks are launched from a single machine to a specific server to overload the processor or monopolize the bandwidth for that server so that legitimate users cannot use the resource. Another type of spoof attack takes advantage of the Distributed DoS (DDoS) in much the same way, however, they are launched from multiple machines for the same intentions. Most of the DDoS attacks are done through propositioned code on the offending machine, also known as a “slave”, so that the remote or “master” machine can command the “slave” to launch the attack at any time.
Because many attacks are bandwidth attacks, very few solutions are available to avoid such an attack. The attacks continue until all bandwidth or server resources are monopolized and no further traffic is permitted through. For broadband edge device, it is difficult for such attacks to quickly consume the entire bandwidth. Other devices in the Internet, including services servers will be victimized by the DoS and DDoS attacks and the device will fail.
Currently there is no way any device can entirely defend against DoS and DDoS attacks. Here, attacks come from thousands of computers fooled into launching the attacks on the services server.