CLECs Should Be Proactive In Security

By David M. Piscitello
Core Competence, Inc.

February, 2000 has been a watershed—or perhaps bloodshed—month for Internet security. Unless you were in hibernation, you can’t have missed the unheralded press coverage the distributed denial of service attacks on major e-Commerce sites attracted. 

The response from my security colleagues? “What did you expect?” and “expect more of the same in months to come.”

We glorify hackers in commercials, TV dramas and movies. That’s the bad news. The good news is that everyone now has an opinion on security, and anything that helps drive the message security matters is a Good Thing.

Opportunistic individuals and companies in both the private and public sector are filling the air- and e-waves with tales of new security shortcomings, calls for government intervention and the formation of cyber-security analysis centers. And, of course, discussions also focus around remedies involving the purchase and deployment of hundreds of millions of dollars of new security technology.

While ISP’s are taking the brunt of the cries for change and improved security practices, competitive local exchange carriers (CLECs) should also bear some of the burden.  After all, broadband local access hasn’t been excused from criticism, and public sentiment is growing more alarmist. More attention than ever is being drawn to the need to improve security over last mile, broadband connections. Imagine the black eye the entire DSL community might experience should someone decide a really clever hack would be to simultaneously deny service to every broadband subscriber. 

This attention really spells opportunity for CLECs. You can spin negative press to positive by taking a proactive in security, for you, and your customers. Here are some of the things you can do.

Be sure your standard operating procedure (SOP) includes anti-spoofing measures.  For instance, implement filters to restrict outbound packets leaving your network to only those networks that you have assigned and agreed to advertise. Block ports known to support zombie agents and other Trojans and worms. Implement some form of network Intrusion Detection.

Take measures to assure that your own infrastructure isn't a harbor and breeding ground for attacks of any form. Consider whether any point in your topology facilitates sniffing and scanning. Actively scan your systems, maintain hosts with current security patches, and run only services you need on servers.

If you’re hosting customer network management services and want to avoid the embarrassment of getting DDOS’d yourself, look into some of the ways to tune and distribute the load across multiple servers.  Two terrific, evolving sources of useful information on DDOS can be found in SecurityPortal.com’s DDOS FAQ and David Dittrich’s Distributed Denial of Service (DDoS) Attacks/tools page at the University of Washington.

Be proactive on behalf of your subscribers. Provide education to your enterprise and consumer subscribers. Covad Communications invited me to provide a white paper on DSL security for teleworker PCs and LANs over a year ago; while a bit outdated, many aspects remain relevant today.

Another useful service is to provide links from your Web site to security news that affects broadband local access users. Issue or re-distribute relevant security advisories.  Consider strategic relationships with security services companies who can advise enterprise customers about VPNs, strong authentication, and security for corporate desktops that are located outside physically secured corporate premises.

It’s especially important to provide plain-speak advice and education to your consumer subscribers. This population is destined to be your cash cow, and growing the base of early adopters is essential to near-term growth. Follow the laudable lead Excite @home has taken and offer free or subsidized personal firewall software to your subscribers. Take the initiative to offer to scan your customers as a service.  Point them to places where they can have their PC's scanned, or add scan software to your “security downloads”.

Consumer and government anxiety, and increased skepticism over the security of e-commerce are bad for the Internet. These worries hurt the sale of broadband access. Internet security isn't someone else's problem: It's also the responsibility of CLECs. Plus, there's the marketing advantage: Being proactive in security is a good differentiator in a noisy marketplace.

David Piscitello is president of Core Competence, Inc., a network consulting firm and founder of The Internet Security Conference. He writes for CLEC-Planet from the comfort of his DSL-enabled home on Hilton Head Island, South Carolina.