Sanjeev Challa, Ikanos Communications
05 Mar 2010
Residential gateways (RGs) have over the past decade evolved dramatically into devices that support time sensitive and higher bandwidth applications. RGs are now capable of delivering a vast array of services – such as VoIP, IPTV and security services. Web 2.0 is driving even more new applications which introduce significant security threats. As a result, service providers need complex RGs that can deftly handle new applications while safeguarding users from potential security breaches.
The capabilities of today’s RGs have become pivotal to service providers’ success. Service providers increasingly rely on the RGs to deliver the best quality of service (QoS) and highest level of security for delivering services to the networked digital home. Providing the expected quality of experience (QoE) while delivering advanced applications is critical to ensuring a service’s providers continued, successful growth.
A key element essential to ensuring QoE is the overall security framework of the service providers’ network. While the traditional VPN model provides a certain degree of security, it does not fully address security threats like denial-of-service attacks that exploit protocols and packet payload embedded signature-specific threats.
A comprehensive security framework must protect against IP header checksum anomalies, header options and spoofing, IP fragment attacks involving buffer full conditions, overrun and over write conditions, Internet control message protocol anomaly protection involving large ICMP packets, and denial-of-service attacks that originate from universal datagram protocol/transmission control protocol operations.
While an overall security framework still requires the functionality of firewalls, advanced stateful firewalls and a comprehensive set of policy-based access control lists, their effectiveness is limited because they are dependent mainly on packet header parameters. To be effective, service providers must ensure security by comprehensively examining the entire packet.
Deep packet inspection (DPI) uses packet payload inspection to prevent hackers from attacking end nodes, and prevents hackers from manipulating service delivery parameters and impacting QoS requirements of sensitive traffic.