Protecting the IPTV Infrastructure: Security Requirements for IPTV Networks
By Matthew Marnick, Juniper Networks
May 31, 2007 12:07 PM
IP Television (IPTV) presents tremendous business opportunities for service providers, enabling telecommunications companies to compete more effectively with the cable industry’s existing triple play services, offset declining voice revenues and generate significant additional revenue. The successful and profitable delivery of television service over IP requires an intelligent network with advanced security that enables carriers to protect the video serving infrastructure while also capitalizing on the reliable delivery of rich content that increases profit, reduces customer churn and creates long-lasting subscriber relationships.
Although IPTV does not run over the Internet, it is nonetheless an IP-based service on a network with other users and services that may have origins outside the service provider’s network. As such, IPTV can be subject to the same hackers, threats and vulnerabilities that plague other network-based services such as email and Internet access. Historically, hackers have been quick to exploit services in the early phases of their adoption cycle--before security countermeasures have been fully hardened, and while consumers’ opinions and impressions are most malleable.
IPTV providers cannot afford any consumer dissatisfaction in their critical early adoption phase. For this reason, providers must build comprehensive security into their IPTV networks from the start. But what does a comprehensive security plan for IPTV services look like?
First and foremost, it must provide multiple layers of security to protect content, end users, and the network itself. Additionally, a comprehensive IPTV security strategy must take into account all areas of the network that can, and must, be protected from security breaches—from the video serving infrastructure in a provider’s network all the way to the “last yard,” an end user’s home network.
IP is a standard and a well understood technology that has been a reality for years. Many of the same concepts and strategies that network security experts have used for other IP services can now be applied to protect IPTV and the IPTV content delivery network. However, despite its inherent similarities to other IP-based services, IPTV also presents its own unique set of challenges.
For example, IPTV has unique high-bandwidth, real-time requirements and a different set of user expectations from services such as “best effort” e-mail delivery. Combined, these structural differences make it difficult to apply traditional protection techniques to the video serving infrastructure in a cost-effective manner—a new approach is needed.
Additionally, security for IPTV is crucial since IPTV services ride on the same network that is also shared with other IP services being delivered to the provider’s subscriber base. Availability of all services on the network could easily be impacted by security attacks on IPTV services or any of the other services sharing the same network pipes. With HDTV and the ever-expanding size of the average consumer’s television set, an IPTV user is not likely to be as understanding if packet loss or jitter interrupts the Super Bowl in overtime or the selection of the next “American Idol”—even if this jitter is the result of their own home network design. IPTV service providers will need a new degree of control over network security and protection inside the consumers’ home.
Video Serving Infrastructure
Protecting the video serving infrastructure from attack requires maintaining video streams and equipment at optimal performance levels. Anything bogging down the video streams or serving equipment can potentially degrade subscriber quality of experience and therefore must be prevented. Multiple video servers result in multiple targets for Denial of Service (DoS) attacks, which flood servers with illegitimate requests or with a UDP port flood. Such an attack robs the server of the processing cycles it needs to handle legitimate requests. The problem is compounded when faulty equipment or connections create unintentional DoS conditions. For example, faulty memory or even a loose network connection could cause a set-top box (STB) to continually request retransmission of packets.
Direct subscriber interaction makes the video serving infrastructure particularly vulnerable to DoS attacks. Adding stateful firewalls to complement the DoS protection features in the network can be effective if they can monitor the number of requests per second per subscriber and scale to support a large number of subscribers. However, these firewalls do not continually sustain more than a few gigabits per second, so many firewalls are required to support the video serving infrastructure. Sending video packets through a firewall also adds latency, requiring more buffering in each STB.
Video on Demand (VoD) servers are also susceptible to Transmission Control Protocol (TCP) attacks as well as application-level attacks. Protecting VoD servers against frontal and backdoor attacks on the VoD application requires the ability to perform signature or pattern matching. Therefore, stateful firewalls that combine intrusion detection and protection (IDP) functionality with the ability to identify attack signatures are highly effective at protecting VoD servers.
However, maintaining a dedicated security device for each video server is simply not a cost-effective solution. In large provider networks with many video serving offices, this creates an operational challenge to manage and update the large number of firewalls, as well as to monitor for attacks. In fact, stripped down high-capacity firewalls without IDP functionality often cost more than the servers they protect. In the end, the number of security devices must be reduced in order to make protection more cost effective.
A solution to this problem is to take advantage of asymmetric traffic routing so that firewall/IDP gateways are not overloaded and fewer devices are actually required. This asymmetric approach keeps downstream video traffic from passing through, and overwhelming, the firewall/IDP gateway; the gateway inspects only upstream control traffic, which is low bandwidth by nature.
Service providers can determine network protection policies and then set the filters on the combined firewall/IDP functions to detect and stop undesirable behavior. For example, the service provider may choose to limit the number of requests that will be forwarded to the serving infrastructure from a given source. Stateful firewalls can keep state on the number of requests per second for a given IPTV client and a threshold can be set so that requests exceeding that threshold for the given time period (in this case, per second) are then discarded. In this way, if a particular server is experiencing an unreasonable number of requests, providers can maintain service quality for most subscribers served by that equipment, while impacting service for the offending client only momentarily. Excessive or persistent levels of unreasonable requests that violate network policies can be elevated as an alarm and service requests temporarily denied. This approach prevents DoS attacks automatically, while enabling the network operator to be notified of the condition and the source as an attack is actually occurring.
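The per-client request-rate policy just described (discard requests above a per-second threshold, then alarm and temporarily deny persistent offenders, which also catches the unintentional DoS from a faulty STB mentioned under Video Serving Infrastructure), as an added example that is not code from the original article or from Juniper; the thresholds, client names and timestamps are constructed assumptions:

```python
from collections import defaultdict
# Added example, not Juniper's code: the per-client request-rate policy the article
# describes for a stateful firewall in front of the video serving infrastructure.
# Thresholds, client names and timestamps below are constructed assumptions.
MAX_REQUESTS_PER_SECOND = 5     # requests forwarded per client per 1-second window
VIOLATING_SECONDS_TO_ALARM = 3  # consecutive over-threshold seconds before alarm
DENY_SECONDS = 30.0             # temporary denial applied once a client is alarmed

class RequestPolicy:
    """admit() -> 'forward', 'discard' (over threshold this second, client otherwise
    unaffected) or 'deny' (temporary denial after persistent violations)."""
    def __init__(self):
        self.window = {}       # client -> [second, requests seen in that second]
        self.violation = {}    # client -> [last violating second, consecutive run]
        self.deny_until = {}   # client -> timestamp at which the denial expires
        self.alarms = []       # (timestamp, client) raised for the network operator

    def admit(self, client, ts):
        if self.deny_until.get(client, 0.0) > ts:
            return "deny"
        second = int(ts)
        win = self.window.setdefault(client, [second, 0])
        if win[0] != second:                        # a new one-second window begins
            win[0], win[1] = second, 0
        win[1] += 1
        if win[1] <= MAX_REQUESTS_PER_SECOND:
            return "forward"
        if win[1] == MAX_REQUESTS_PER_SECOND + 1:   # first excess request this second
            viol = self.violation.setdefault(client, [None, 0])
            viol[1] = viol[1] + 1 if viol[0] == second - 1 else 1
            viol[0] = second
            if viol[1] >= VIOLATING_SECONDS_TO_ALARM:
                self.alarms.append((ts, client))    # notify operator with the source
                self.deny_until[client] = ts + DENY_SECONDS
                viol[1] = 0
                return "deny"
        return "discard"

def simulate(events, policy=None):
    """Apply the policy to (timestamp, client) events; return decision counts."""
    policy = RequestPolicy() if policy is None else policy
    counts = defaultdict(int)
    for ts, client in events:
        counts[policy.admit(client, ts)] += 1
    return dict(counts), policy

# Constructed traffic: a well-behaved STB at 2 req/s and a faulty STB at 20 req/s.
EVENTS = sorted([(100 + s + i / 2, "stb-good") for s in range(5) for i in range(2)]
                + [(100 + s + i / 20, "stb-faulty") for s in range(4) for i in range(20)])
```

Running `simulate(EVENTS)` forwards all of the well-behaved STB's requests, discards the faulty STB's excess for two seconds, and on the third consecutive violating second raises one alarm naming that STB and denies it for 30 seconds.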
Equipment vendors have established signatures of acceptable traffic patterns as well as malicious ones. Through this knowledge, the video serving infrastructure can be protected from frontal application attacks by looking for signature matches of known attacks. Of course, this method should be one of many since it is only as strong as the frequency of signature file updates.
Home Network Vulnerabilities
As home networks grow in popularity and utility, so does the likelihood that IPTV services will be carried over the same home networks as Internet services, file transfers, gaming sessions and Voice over IP (VoIP) calls. Unfortunately for service providers, additional user activities on the home network can shape end-user attitudes with regard to the quality of service being delivered, and these subjective value judgments are difficult for the provider to manage. Worse, do-it-yourself home network schemes can not only introduce problematic contention, but also create security vulnerabilities. A security breach on the PC opens up the opportunity for bandwidth-consuming attacks that can degrade performance of the provider’s service and result in user dissatisfaction, increased support costs, and possible service cancellation.
For this reason, it is important to consider the security requirements in the “last yard” as service providers offer more advanced services to end users. Attacks on one service must be isolated and not impact other services on the home network. Since IPTV has the highest performance requirements of the services likely to be running in the home, it is especially sensitive to network performance degradation resulting from security attacks. This is a challenge for the IPTV service provider, since the provider will typically have little control over the home network beyond set-top boxes and residential gateways. Technologies such as Network Node Validation, 802.1X, and others may prove very beneficial in this area, since they can enforce a particular security policy before a device is allowed to connect to the network.
As a new service, IPTV is particularly vulnerable, both from a security standpoint and from a competitive perspective. To ensure the success of their new IPTV services, providers need to build into their networks a comprehensive, network-centric security strategy, right from the start. This security strategy needs to be as comprehensive as it is high-performing and reliable, and should consider all the points in the service provider and home networks where security breaches can occur.
Matthew Marnick is Director of Multiplay Marketing and Partnerships for Juniper Networks.