
Guarded personality

by david.nunes
Issue: Asia-Pacific II 2006
Article no.: 18
Topic: Guarded personality
Author: Andrew Coward
Title: CTO, Asia Pacific
Organisation: Juniper Networks

About author

Andrew Coward is Juniper Networks’ Chief Technology Officer for Asia Pacific. Prior to Juniper, Mr Coward co-launched the Asia Pacific operation of Unisphere Networks. Mr Coward has been working in Asia for ten years, working with service providers, enterprises and governments across the region on IP technologies, first with Bay Networks and later with Nortel, and has designed and planned some of the largest IP networks in Asia Pacific. Mr Coward started his career in government as a network engineer and progressed to the role of Network Manager responsible for building out one of the first United Kingdom nationwide government backbone IP networks. Later, with Xylogics Ltd, he was responsible for delivery of the first dial Internet access services in North Asia.

Article abstract

Personalization of programming and the delivery of content on demand, including television programmes, satisfy users and drive service provider and content developer growth. Unfortunately, they bring security threats. Personalization requires transmission of personal and financial data that criminals try to steal for illicit purposes, and unauthorised pirating of content for illegal distribution threatens the economic foundation of the industry. Countering information abuse requires a digital security framework that considers every aspect of, and every party to, the information exchange.

Full Article

The era of personalization is upon us. Dynamic content, including television programmes, mobile phone ringtones and music, can now be delivered, even wirelessly, on demand. While personalization is popular among end users, service and content providers are also driving it because it brings not just subscription and advertising revenue, but also differentiates them from the competition. The trend is further fuelled by the explosive growth of communications devices and software, including mobile phones, video and music players, digital television and PC software. Unfortunately, when new technologies appear, new threats often accompany the innovation, and guarding against them can be complex.

Because personalization requires transmission of personal identifying data and financial information, criminals endeavour to intercept or otherwise steal this sensitive traffic for illicit purposes, including identity theft, and banking or credit card fraud. Still another type of information abuse is copyright theft, involving the circumvention of copyright safeguards – digital rights management, DRM, software – for piracy, epitomised by illegal music distribution via peer-to-peer, P2P, networks.

Historically, sensitive network information was ‘secured’ by private networks such as the SWIFT infrastructure used by banks. Private networking, although the private networks must be physically secured from unauthorised users, is still the most robust method to protect information. Spurred by increased demand for higher performance business systems, organisations traditionally on leased-line and Frame Relay private networks have migrated to IP-based networking, not because they wish to connect with the Internet but because IP has evolved at a significantly faster clip than legacy networking protocols. When private networks run on the IP protocol, complete separation from the Internet becomes paramount. There are, however, applications that cannot operate on a private network.
An Internet banking website must be available over the Internet and at some point communicate with the bank’s highly sensitive back-end systems. Aside from securing the ‘front end’, or Internet, portion of this service, communications with back-end systems must be restricted and monitored. It is here where intrusion detection and prevention, IDP, systems come into play. IDP systems are sophisticated security devices that understand protocols and network behaviour. They monitor network traffic at an application level for anomalies, and either alert the administrative staff or instantly halt abnormal network behaviour before further harm is caused.

When transactions, whether for personalization, billing or content data, are processed over the Internet rather than in a controlled private network environment, there is an additional need to verify the identity of all parties involved. End user authentication can be as simple as the familiar user-id and password combination or can involve stronger measures such as the dynamically generated ‘token’ codes produced by an RSA SecurID device. Users of Internet banking in Hong Kong are familiar with these types of devices.

Authenticating merchants and content providers who operate on the Internet is more involved. Users need to be aware that they are responsible for validating the authenticity of the vendor from whom they wish to purchase, to ensure that their end-user information, such as credit card numbers, does not fall into the wrong hands. This is not a simple matter, and the general lack of consumer awareness of this issue is one of the main reasons why phishing attacks – falsely claiming to be a legitimate business to solicit personal information for identity theft or other illegal uses – have been so successful at snaring information. The only real solution is end-user education.
The security squeeze

It seems obvious that all parties involved in transactions should implement the strongest possible security measures, but there are costs. Security mechanisms need to be purchased and administered. In addition to financial and human resource expenses, security can also slow down procedures and constrain network performance. Implementing security measures is a delicate balancing act and, because of the increasing variety and quantity of threats, providers are likely to err on the side of caution and compromise performance rather than information.

Network equipment vendors are also offering in-line security devices, often hardware-based, that minimise the performance impact. These purpose-built security devices have given rise to ‘front end processing’, the practice of separating the security mechanism from the information delivery system. In the case of an e-commerce website, the Web Tier – traditionally comprising the Web server, Web application servers and database system – becomes isolated from the transaction processing system. In a way, the centralisation of transaction processing is reinterpreting the legacy mainframe paradigm of yesteryear.

The practice of centralisation is being applied beyond Web architecture optimisation. Distributed organisations are embarking on consolidation initiatives, mimicking the revival of mainframe topology by collapsing network servers and bandwidth connectivity into physically centralised data centres. Data centre consolidation simplifies network topology and bandwidth provisioning, saving costs. Data centres also allow organisations to focus on IT security and data integrity efforts, and cater to the increasing need for regulatory compliance, including data archival and business continuity.

Protecting a data centre begins with physical protection. The best digital security mechanisms can be circumvented if unencrypted data on laptops, hard disks, or DVDs is physically stolen.
An industry anecdote recounts a consultant who hacked into a network without entering the premises merely by unscrewing the front door security panel and using the exposed Ethernet cabling.

After physical security comes digital protection. Firewalls are the first line of defence. They have evolved from simple port-blockers to intelligent devices that scan traffic packets for anomalies. The two most common transaction-oriented protocols are Session Initiation Protocol, SIP, and Extensible Markup Language, XML. A good firewall needs to be capable of analysing both SIP and XML traffic. While port blocking and packet inspection can thwart intrusion attempts, service downtime is often as damaging as information theft, especially for real-time transactions such as stock trading or Internet banking. Therefore, data centre firewalls need to defend against denial-of-service, DoS, or distributed DoS attacks, which criminals often use to blackmail organisations.

Network attacks can also be mitigated with the help of an organisation’s service provider. IP-address spoofing masks network traffic, hiding the geographical location of intruders. Although service providers can combat criminal anonymity by activating anti-spoofing features, many do not do so because their networks suffer performance degradation as a result – an unfortunate trade-off. Not all routers suffer this trade-off, and it is important that service providers implement networks that deliver anti-spoofing without performance penalties.

Network security becomes even harder to ensure when information flows through the air. Wireless networks, including WiFi and mobile data networks, are attractive targets for criminals because they can be hacked from anywhere. Unsecured WLANs, wireless local area networks, are accessible by anyone within range, facilitating the interception of mobile data. For customer billing, mobile operators keep detailed transaction information.
While they have historically operated within private wireless networks, many operators are now connected to the Internet to provide value-added services. These Internet back doors are attractive hacker targets because of either the sensitive personal and financial information residing in the operator networks, or nuisances such as SMS spam. Therefore, the operator’s infrastructure needs security measures at least as stringent as those implemented in data centres. Mobile operators, at least, have dedicated IT teams.

In the case of wireless LANs, the onus of network security discipline falls upon the network administrator, or even the end-user. Access to wireless infrastructure is difficult to manage, due to factors including the inherent physical characteristics of radio signals and brute-force pass phrase attacks by hackers forcing their way into WLANs. To compensate for these weaknesses, WLANs should be secured with Secure Sockets Layer, SSL, virtual private network, VPN, technology. SSL is the same encryption standard used for securing Web browsers during e-commerce transactions, and SSL VPNs can be used on top of basic wired or wireless LAN security for added protection. Because of the strength of their security, and the advantage of not requiring client software pre-installation, SSL VPNs are quickly becoming the de facto secure remote access solution for organisations of all scales. SSL VPNs are increasingly used compared to other solutions such as IPSec-based (IP Security – a packet-level security protocol) VPNs, especially when the service needs to be rolled out across large numbers of computers.

The advent of personalization has been a boon for providers and consumers. Guarding against information abuse, however, requires a comprehensive digital security framework that considers every aspect of the information exchange and encompasses all the parties involved in the transaction.
With inadequate user training or with improperly designed or enforced security policies, even the best technological security solutions can fail. Personalization provides customised services to individuals, but it can only continue to be successful if it serves the right individuals.
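As an added illustration of the ingress anti-spoofing check the article says service providers can activate at the network edge (this is not Juniper code or configuration; the interface names, prefix table and sample packets are constructed), the logic is a per-interface membership test on each packet's source address, with a per-interface drop count as the operator's alerting signal:

```python
import ipaddress
from collections import Counter

# Constructed table (hypothetical interface names): the source prefixes a
# provider expects to see arriving on each customer-facing interface.
INTERFACE_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "198.51.100.128/26"],
}

# Constructed sample packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.17", "192.0.2.10"),    # expected customer source
    ("ge-0/0/1", "198.51.100.5", "192.0.2.10"),    # belongs to the other interface
    ("ge-0/0/1", "10.0.0.1", "192.0.2.10"),        # private source, never valid here
    ("ge-0/0/2", "198.51.100.130", "192.0.2.10"),  # inside the /26
    ("ge-0/0/2", "198.51.100.200", "192.0.2.10"),  # past the /26, which ends at .191
]

def build_table(iface_prefixes):
    """Parse the prefix lists once so the per-packet check is a plain
    membership test rather than repeated string parsing."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in iface_prefixes.items()}

def is_spoofed(table, iface, src):
    """True when src lies outside every prefix expected on the ingress interface.
    An interface with no entry has no expected prefixes, so nothing passes on it."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in table.get(iface, []))

def filter_packets(table, packets):
    """Apply the check at ingress and return (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (dropped if is_spoofed(table, iface, src) else accepted).append(pkt)
    return accepted, dropped

def drops_by_interface(dropped):
    """Count drops per ingress interface; a rising count on one port is the
    kind of signal an operator would alert on."""
    return Counter(iface for iface, _, _ in dropped)

if __name__ == "__main__":
    table = build_table(INTERFACE_PREFIXES)
    ok, bad = filter_packets(table, SAMPLE_PACKETS)
    print(f"accepted {len(ok)}, dropped {len(bad)}: {dict(drops_by_interface(bad))}")
```

On the constructed input two packets pass and three are dropped, two of them on ge-0/0/1; a hardware router performs the same lookup in its forwarding path, which is where the performance trade-off the article describes arises.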
