EtherLECs and Security

One measure of the risk associated with an Internet connection is its bandwidth. Given, the same window of opportunity, an attacker can copy more information from a compromised system over a fast connection than a slow one. Based even on this single metric, it's easy to appreciate that very high-speed broadband access for enterprises demands considerably more attention to security than slower broadband local access to home and small offices. Ethernet-based services offered over metro area fiber rings provide hundreds and even gigabits per second of bandwidth. These services must be made more secure "out of the gate" than cable modem passings or metro Ethernet will burn on the launching pad.

A preliminary look suggests EtherLEC service providers appreciate the importance and value of security as a complementing service to "very broadband" access. But the nature and extent of security services one can expect to receive from an EtherLEC is very dependent on business model and "access play" that the EtherLEC has selected. To make this point, I investigated the security offerings from three EtherLECs: Telseon, XO Communications, and Yipes.

Telseon
Telseon's security features begin at its demarcation point, an RJ-45 termination into its service interface unit (SUI) on the customer's premises. Telseon delivers a layer 2 (below IP) service, so its security features combine physical and Ethernet MAC level security. "We're building a switched network not a piped network", explains Telseon's Vice President of Product Development and Founder, Bob Klessig, "but we have no local switching on our SUI. The physical connections from our dedicated SUI's to the access switches in our network are individual fiber strand, one Gbps uplinks." Traffic is aggregated from the access switches into Telseon's core network, which operates from physically secured sites. Although the SUI is not tamper-proof, any change in the device connected to an SIU is alarmed, and any break-in attempt to the SUI is alarmed as well. As a further precaution, all MAC level security features are performed by non-CPE equipment located in Telseon's physically secured premises.

Telseon emphasizes MAC level security, which begins with MAC Address Resolution. To prevent MAC address spoofing and bandwidth theft, and to guarantee authenticity of origin of MAC frames, Telseon's network only accepts customer traffic received from a single, unique, and recognized MAC address associated with that customer. The recognized address feature also guarantees that MAC frames are not mis-delivered. Telseon's Jay Gill, Telseon's Director of IP Service Product Management adds, "Customers can choose to have this address learned dynamically or it can be manually selected [via Telseon's secure web-based provisioning system]. Once learned or selected, the SUI can latch or lock down this MAC and will not permit the use of another MAC address on this interface except through a provisioning change." Telseon also provides duplicate MAC address detection and discards traffic at the offending interface.

XO Communications
XO Communications security story is short and simple. Like Telseon, XO provides a Layer Two (below IP) Ethernet service. In many respects, XO's Ethernet service is similar to the service a telco customer gets from a virtual circuit network, but XO's is constructed using Ethernet access into a SONET infrastructure rather than ATM. "XO builds private physical networks for each customer", explains Scott Pace, XO's Manager of Corporate Communications. Gigabit Ethernet customers access XO's network using an optical interface on individual fiber strands which carry Ethernet over DWDM. 10/100 Mbps customers are served off switches in XO's Ethernet over SONET infrastructure. Each customer network is constructed using self-healing SONET equipment. Customer traffic remains physically separated from the access interface through the SONET metro network.

XO can take the customer's private physical network beyond the metro area by back hauling connections between metro markets over XO's national infrastructure. Again, according to Pace, "Our per megabit cost ($14.00) is more competitive than a VPN. All ingress and egress points are considered equidistant, and the customer can eliminate the VPN component".

Yipes
Yipes offers both MAC and IP level services. Yipes MAN service uses customer tagging (VLANs) for local customer sites served from a single metro area. Yipes NET provides Layer 3 switched access from customer sites to Tier 1 ISP peering partners. Yipes complements this service with managed firewall and IPsec-based Virtual Private Networking services. The site-to-site IPsec service is offered using Netscreen Internet security appliances that are physically secured on the customer premises. Yipes will manage all aspects of the IPsec tunnel configuration for an individual customer's Netscreen appliances, including authentication and policy enforcement monitoring. According to Yipes Director of Product Marketing, Eric Zines, "We manage the Netscreens because we want it [Yipes WAN service] to be simpler to use than [using] Frame Relay service," Zines continued, "Yipes also uses Netscreen equipment for its managed firewall service, especially for customers who have stepped up to 10/100 Mbps service with firewalls incapable of operating above T1."

Yipes partners with RipTech for firewall monitoring and log analysis. "Yipes benefits from having RipTech manage all customer firewalls. With a large sampling size, RipTech's eSentry monitoring system learns (new) attack signatures faster," claims Zines. RipTech monitoring is one of several security management services offered by Yipes, including online firewall reporting, Web-based security recommendations from live analysts and secure Web-based configuration management.

What should EtherLEC security look like?
As we've seen, the answer depends on the service(s) offered. Telcos have successfully marketed dedicated fiber strands to individual customers in the local loop for years; building physical networks for customers will satisfy or exceed the desired security policy of many enterprises. Traffic separation at the MAC level may be important whether or not a customer is using encryption-captured encrypted traffic. It's very hard but not impossible to decrypt, and certain customers may request such stringent attention to how their traffic is handled. MAC address validation and associated screening features are valuable safeguards against service theft, customer spoofing and traffic mis-delivery.

How necessary is this for a CLEC in need of low-cost, high bandwidth access to its ISP partners or back haul connections to its data center or network? Very important. These Ethernet connections become a segment of your overall path to the public Internet or to enterprise networks operated by your subscribers. EtherLEC security becomes an extension to your own network security, much as a business partner's security becomes an extension in a collaborative, e-business venture.

EtherLECs that offer IP services on top of Ethernet should complement MAC level security with premises-based firewalls and site-to-site VPN services for customers. VPNs are still difficult to deploy, so providers who can demonstrate competencies in authentication and VPN management , and who can also provide configuration management, monitoring and intrusion prevention will compare favorably with the best pure-play ISPs.

These are important considerations for CLECs as well as EtherLEC end customers. Are EtherLEC IP-based security services a good complement to your own services? Establishing a business relationship with an EtherLEC that can help you deliver firewall and VPN services may help you better meet security needs for teleworkers, branch offices, and corporate offices in a metro area, regionally, or even nationally.

Equally importantly, CLECs should judge EtherLECs by the quality of the operations and security support they can provide. Do they have the technical expertise to deploy and manage site-to-site VPNs between corporate locations and branch offices. Can they also manage client-to-site VPNs to support DSL-connected teleworker PCs? Can they deploy and maintain a uniform security policy across VPN security gateways and managed firewalls, and provide 24x7 monitoring and reporting? Does the EtherLEC have the skilled staff to insulate its own network, yours, and your customers, against DDOS attacks? Can it help you respond quickly and correctly to security incidents? Can their infrastructure provide you with near- or real-time provisioning changes to respond to an attack initiated through your metro access link?

EtherLECs appear to be taking a proactive role in security. How CLECs adapt EtherLEC security efforts to their own benefit demands investigation and careful planning, but the end result can be positive.

David Piscitello is president of Core Competence, Inc., a network consulting firm and founder of The Internet Security Conference.