By Matthew Marnick, Juniper Networks
May 31, 2007 12:07 PM
IP Television (IPTV) presents tremendous business opportunities for service providers, enabling telecommunications companies to compete more effectively with the cable industry’s existing triple play services, offset declining voice revenues and generate significant additional revenue. The successful and profitable delivery of television service over IP requires an intelligent network with advanced security that enables carriers to protect the video serving infrastructure while also capitalizing on the reliable delivery of rich content that increases profit, reduces customer churn and creates long-lasting subscriber relationships.
Although IPTV does not run over the Internet, it is nonetheless an IP-based service on a network with other users and services that may have origins outside the service provider’s network. As such, IPTV can be subject to the same hackers, threats and vulnerabilities that plague other network-based services such as email and Internet access. Historically, hackers have been quick to exploit services in the early phases of their adoption cycle, before security countermeasures have been fully hardened and while consumers’ opinions and impressions are most malleable.
IPTV providers cannot afford any consumer dissatisfaction in their critical early adoption phase. For this reason, providers must build comprehensive security into their IPTV networks from the start. But what does a comprehensive security plan for IPTV services look like?
First and foremost, it must provide multiple layers of security to protect content, end-users, and the network itself. Additionally, a comprehensive IPTV security strategy must take into account all areas of the network that can, and must, be protected from security breaches—from the video serving infrastructure in a provider’s network all the way to the “last yard,” an end-user’s home network.
IP is a standard and well-understood technology that has been a reality for years. Many of the same concepts and strategies that network security experts have used for other IP services can now be applied to protect IPTV and the IPTV content delivery network. However, despite its inherent similarities to other IP-based services, IPTV also presents its own unique set of challenges.
For example, IPTV has unique high-bandwidth, real-time requirements and a different set of user expectations from services such as “best effort” e-mail delivery. Combined, these structural differences make it difficult to apply traditional protection techniques to the video serving infrastructure in a cost-effective manner—a new approach is needed.
Additionally, security for IPTV is crucial since IPTV services ride on the same network that is also shared with other IP services being delivered to the provider’s subscriber base. Availability of all services on the network could easily be impacted by security attacks on IPTV services or any of the other services sharing the same network pipes. With HDTV and the ever-expanding size of the average consumer’s television set, an IPTV user is not likely to be as understanding if packet loss or jitter interrupts the Super Bowl in overtime or the selection of the next “American Idol”—even if this jitter is the result of their own home network design. IPTV service providers will need a new degree of control over network security and protection inside the consumers’ home.
Video Serving Infrastructure
Direct subscriber interaction makes the video serving infrastructure particularly vulnerable to DoS attacks. Adding stateful firewalls to complement the DoS protection features in the network can be effective if they can monitor the number of requests per second per subscriber and scale to support a high number of subscribers. However, these firewalls do not continually sustain more than a few gigabits per second, so many firewalls are required to support the video serving infrastructure. Sending video packets through a firewall also adds latency, requiring more buffering in each set-top box (STB).
Video on Demand (VoD) servers are also susceptible to Transmission Control Protocol (TCP) attacks as well as application-level attacks. Protecting VoD servers against frontal and backdoor attacks on the VoD application requires the ability to perform signature or pattern matching. Therefore, stateful firewalls that combine intrusion detection and protection (IDP) functionality with the ability to identify attack signatures are highly effective at protecting VoD servers.
However, maintaining a dedicated security device for each video server is simply not a cost-effective solution. In large provider networks with many video serving offices, this creates an operational challenge to manage and update the large number of firewalls, as well as to monitor for attacks. In fact, stripped-down high-capacity firewalls without IDP functionality often cost more than the servers they protect. In the end, the number of security devices must be reduced in order to make protection more cost effective.
A solution to this problem is to take advantage of asymmetric traffic routing so that firewalls/IDP gateways are not overloaded and fewer devices are actually required. This asymmetrical approach keeps downstream video traffic from overwhelming the firewall/IDP gateway, and only looks at upstream control traffic, which is low bandwidth by nature.
Service providers can determine network protection policies and then set the filters on the combined firewall/IDP functions to detect and stop undesirable behavior. For example, the service provider may choose to limit the number of requests that will be forwarded to the serving infrastructure from a given source. Stateful firewalls can keep state on the number of requests per second for a given IPTV client, and a threshold can be set so that requests exceeding it within the time period (in this case, one second) are discarded. In this way, if a particular server is experiencing an unreasonable number of requests, providers can maintain service quality for most subscribers served by that equipment, while impacting service for the offending client only momentarily. Excessive or persistent levels of unreasonable requests that violate network policies can be elevated as an alarm and service requests temporarily denied. This approach prevents DoS attacks automatically, while enabling the network operator to be notified of the condition and the source as an attack is actually occurring.
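The per-subscriber request-rate control just described, as an added example (not code from the article or from Juniper): a small Python model of a firewall that counts control requests per client per second, discards requests above a threshold, and raises an alarm and temporarily denies service when the violations persist. The threshold values, persistence window and the two-client traffic trace are constructed assumptions.

```python
from collections import Counter, defaultdict, deque

class RequestRatePolicy:
    """Per-client request-rate policy; all limits are hypothetical assumptions."""

    def __init__(self, max_per_sec=5, window_s=10, max_bad_secs=3, deny_s=30):
        self.max_per_sec = max_per_sec        # requests/second allowed per client
        self.window_s = window_s              # look-back window for persistence
        self.max_bad_secs = max_bad_secs      # violating seconds in window before alarm
        self.deny_s = deny_s                  # how long service is denied after an alarm
        self.counts = {}                      # client -> (current second, count)
        self.violations = defaultdict(deque)  # client -> seconds that exceeded threshold
        self.denied_until = {}                # client -> timestamp when denial lifts
        self.alarms = []                      # (timestamp, client) raised to the operator

    def handle(self, ts, client):  # decide one request: 'forward', 'discard' or 'deny'
        if ts < self.denied_until.get(client, -1.0):
            return "deny"                     # persistent offender, service temporarily denied
        sec = int(ts)
        cur_sec, count = self.counts.get(client, (sec, 0))
        if cur_sec != sec:
            cur_sec, count = sec, 0           # new one-second bucket for this client
        count += 1
        self.counts[client] = (cur_sec, count)
        if count <= self.max_per_sec:
            return "forward"
        viol = self.violations[client]        # threshold exceeded in this second
        if not viol or viol[-1] != sec:
            viol.append(sec)
        while viol and viol[0] < sec - self.window_s:
            viol.popleft()                    # forget violations outside the window
        if len(viol) >= self.max_bad_secs:    # persistent: escalate to alarm and deny
            self.denied_until[client] = ts + self.deny_s
            self.alarms.append((ts, client))
            viol.clear()
            return "deny"
        return "discard"                      # momentary impact on this client only

def simulate(events, policy=None):  # returns per-client decision counts and the policy
    policy = policy or RequestRatePolicy()
    outcome = defaultdict(Counter)
    for ts, client in sorted(events):         # (timestamp, client) in time order
        outcome[client][policy.handle(ts, client)] += 1
    return outcome, policy

def sample_events():  # constructed trace: one STB at 2 req/s for 10 s, one at 20 req/s for 5 s
    normal = [(s + i / 2, "stb-normal") for s in range(10) for i in range(2)]
    abusive = [(s + i / 20, "stb-abusive") for s in range(5) for i in range(20)]
    return normal + abusive
```

With the defaults, the abusive box gets five requests forwarded each second, the rest discarded, and on its third violating second an alarm is raised and everything further is denied; the normal box is never touched.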
Equipment vendors have established signatures of acceptable traffic patterns as well as malicious ones. Through this knowledge, the video serving infrastructure can be protected from frontal application attacks by looking for signature matches of known attacks. Of course, this method should be one of many since it is only as strong as the frequency of signature file updates.
Home Network Vulnerabilities
Matthew Marnick is Director of Multiplay Marketing and Partnerships for Juniper Networks.