Securing Your Network: Satellite Users Have Many Concerns, Options

By Greg Berlocher | August 1, 2010

Regardless of whether data is transmitted via radio wave, fiber optic strand or copper cable, if the network the data rides on interconnects with the Internet, the data is at risk. For many years, satellite networks were isolated, private affairs enjoying security through obscurity, but that all changed with the advent of IP-based networking gear, VPN backhauls and broadband ISPs. Network security should be the top priority of every hardware manufacturer and satellite service provider, but unfortunately, many satellite networks are not subjected to the same rigor as terrestrial-based networks. In short, security is an afterthought.

Breaches of network security are at best embarrassing. More often than not, they involve malicious damage to the network, loss or theft of customer data, and network downtime. Network operators are left red-faced and lighter in the wallet as they rush to patch the newfound holes in their network’s armor. But what are the minimum steps that should be taken to safeguard a satellite network? What security technologies can be used to bolster your defenses against attacks? Are these steps cost effective?

Network security has a real value and security breaches have real costs. It is important to understand the magnitude of the costs when a breach occurs. Lost business is the first obvious cost and this term can have two meanings: lost business transactions because the satellite network is down and the loss of customers who abandon their service provider because of the security breach. Both are important and can be significant. A 2004 Gartner Study suggested that network downtime costs $42,000 per hour. That figure was for an individual company, so one could assume that the hourly rate multiplied by the number of customers affected by an outage would get you in the right ballpark when it comes to calculating costs. Labor to correct the problem, new hardware and software, and travel costs also must be factored in once the breach has been discovered. After the network has been secured and restored, a forensic investigation is usually the next order of business, adding even more labor costs. If the breach is bad and the damage is substantial, you can count on spending extra funds on legal fees to defend yourself from lawsuits and a public relations effort to repair the damage to your company’s stature.

“Customers really are your company’s first asset,” says Steven Klein of IsoTropic Networks, a Lake Geneva, Wis.-based satellite carrier. “To really be security focused, you need to be empathetic towards your customer. Asking questions like: ‘How can I better provide for your security?’ ‘How can I lower your cost?’ ‘How can I better protect you?’ These steps allow customers to concentrate on their own business because they know their security needs are being taken care of.” Klein is director of emerging threats for IsoTropic Networks, and not only does he oversee the security of his company’s global satellite network, he leads the security practice for the company, providing professional services to enterprise customers and other satellite carriers. “It is sad to say but a number of satellite carriers are primarily worried about the satellite connectivity they provide and not the security of the network. They simply aren’t in tune with their security needs. Although it has been overused for a long time, the term ‘security awareness’ is still pertinent in today’s business climate. Carriers should be proactive to protect their customers and their data.”

Klein, a certified ethical hacker with Global Information Assurance Certification (GIAC) Certified Incident Handler (GCIH) and GIAC Security Essentials Certification, adds, “Organized crime rings in Russia, China, Iran, and different European nations have complete underground networks of people that do nothing but find holes in networks and then exploit them. Laws aren’t in place in those countries, so these people and the criminal organizations they work for can’t be prosecuted. Even though they are halfway around the globe, in an all-IP world the bad guys might as well be right down the street. If the satellite industry would concentrate on Security 101, it would be a much safer place. Although it sounds obvious, you would be surprised by the number of satellite modems I have seen that still have the default user name and password from the factory. That needs to change.”

Terry Slattery, Cisco Certified Internetwork Expert (CCIE) No. 1026 and principal consultant at Chesapeake NetCraftsmen, has founded and built several well-known network consulting firms. Throughout his career, Slattery and his team of network engineers have helped government and large enterprise clients, assisting them with network design and troubleshooting. NetCraftsmen’s current brain pool includes eleven CCIEs. Regarding user names and passwords, Slattery agreed with Klein. “Every network operator should have a password policy which requires strong user names and passwords. Policies are worthless if they aren’t enforced. Relying on the factory defaults for your user name and password is an invitation for trouble.”

Moving on to another important issue, Klein touched on satellite modems and network devices that can be controlled through a Telnet session. “If you have open services to the Internet your network gear is open to compromise. There is simply no good reason for doing this.” Slattery concurs, noting that access lists should be configured which only allow Telnet sessions to be initiated from known management stations. “Every service provider should build appropriate access systems which include only those engineers which are authorized and exclude everyone else. The device may still be manipulated via Telnet but you have walled off access. The best way to do this is to build a subnet for all of the management stations. Having a redundant subnet is a good idea so you can take one down for maintenance and not miss any events. In addition, if someone does a denial of service attack on the primary network management subnet, the redundant subnet is available.”

Slattery recommends that network devices send all network events, such as a syslog (a common logging mechanism) or SNMP trap, to a network management system. “For instance, the network device can be configured to send an SNMP trap or syslog message when the utilization on a network interface gets too high. The network devices essentially monitor themselves for anomalies and report back to the network management system in the event. Network devices that cannot perform self-monitoring should be monitored by a network management system. While that consumes some bandwidth, ignoring it is like working blind. If a satellite modem or router is rebooted, the NMS will detect the change. If the run time on the clock goes back to zero it is a sign the device has been rebooted,” Slattery says.
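The reboot check Slattery describes, as an added example that is not from the article or from any vendor's NMS. It goes one step beyond "the clock goes back to zero" by comparing each polled uptime with the value the NMS clock predicts, so a 32-bit counter wrap is not mistaken for a restart and a restart during a long polling gap is not missed. The polling values, the 30-second tolerance and all names are assumptions.

```python
from dataclasses import dataclass

WRAP = 2 ** 32               # sysUpTime is a 32-bit TimeTicks counter
TICKS_PER_SEC = 100          # TimeTicks count hundredths of a second
TOLERANCE = 30 * TICKS_PER_SEC   # assumed polling jitter allowance (30 s)


@dataclass
class Poll:
    wall_clock: int      # NMS clock at poll time, in seconds
    uptime_ticks: int    # sysUpTime value the device returned


def classify(prev: Poll, cur: Poll) -> str:
    """Label two consecutive polls as 'ok', 'wrap', 'reboot' or 'anomaly'."""
    elapsed = (cur.wall_clock - prev.wall_clock) * TICKS_PER_SEC
    expected = prev.uptime_ticks + elapsed
    drift = (cur.uptime_ticks - expected) % WRAP
    if min(drift, WRAP - drift) <= TOLERANCE:
        # Counter tracks the wall clock; a lower value is only the ~497-day wrap.
        return "wrap" if cur.uptime_ticks < prev.uptime_ticks else "ok"
    if cur.uptime_ticks <= elapsed + TOLERANCE:
        # Device has been up for less time than the gap between polls.
        return "reboot"
    return "anomaly"     # e.g. clock skew or a misreporting agent


def find_reboots(polls):
    """Return (poll_time, estimated_boot_time) for every detected reboot."""
    reboots = []
    for prev, cur in zip(polls, polls[1:]):
        if classify(prev, cur) == "reboot":
            boot_time = cur.wall_clock - cur.uptime_ticks / TICKS_PER_SEC
            reboots.append((cur.wall_clock, boot_time))
    return reboots


# Constructed sample polls (not real device data).
SAMPLE = [
    Poll(0, 4294900000), Poll(300, 4294930000), Poll(600, 4294960000),
    Poll(900, 22704),      # counter wrapped, device did not restart
    Poll(1200, 52704),
    Poll(1500, 12000),     # restarted 120 s before this poll
    Poll(1800, 42000),
    Poll(5400, 200000),    # restarted in a long gap; uptime is higher than before
]

if __name__ == "__main__":
    for prev, cur in zip(SAMPLE, SAMPLE[1:]):
        print(cur.wall_clock, classify(prev, cur))
    print(find_reboots(SAMPLE))
```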

When it comes to network traffic, Klein says, “Once you have secured access to the network gear running the network, you need to turn your attention to the type of traffic that is running across it. You need visibility inside the network. Without it, you don’t know what you don’t know.” Klein insists that deep packet inspection is a must for service providers carrying customer traffic. “Simply looking at port activity, protocols, and IP addresses isn’t enough in today’s world. Application aware firewalls are another important tool. They allow us to investigate things all the way up the OSI stack. Bandwidth is the life blood of a satellite service provider. Peer-to-peer file sharing applications, such as BitTorrent, which are used for downloading very large files like movies, cause havoc in satellite networks by consuming large chunks of bandwidth. IsoTropic Networks contractually discourages peer-to-peer traffic on our network but we have to be able to recognize it first before we can block it,” he says.

Slattery also recommends paying attention to the physical access to the network management system as well as limiting physical access to networking gear. “The network management system serves as the drawbridge over the moat. If the bad guys get access to your NMS, the game is over. They can control your network. Restricting physical access to networking gear in remote locations is just as critical. If the bad guys plug a laptop into a satellite modem and Telnet into it, the game is just as over. Keep in mind that it is possible to download operation manuals for many popular brands of satellite and networking gear which makes it much easier for hackers to learn about the devices they are attacking.”

Both Klein and Slattery encourage end users and service providers to augment their NMS system with an AAA system. Authentication, authorization and accounting management systems add a layer of management tools to your network administration and improve security. The authentication piece validates a network engineer’s credentials and makes sure they are who they say they are. Once the engineer’s identity has been validated, their level of authority is checked to make sure they have the necessary permissions to access specific network gear. In some cases, the permission may be “read only,” which can help the engineer troubleshoot a problem, or it may allow the engineer to make changes. The accounting portion of the system logs every event in a historian. TACACS and RADIUS are the two leading AAA systems on the market. To demonstrate the value of an AAA system, Slattery offers an example of an attack which happened to one of his clients. “One of our clients had accidentally left open an old network address translation, and the router interface activity was extremely high. The client’s TACACS system logged the log-in failure and notified the NMS of the problem. We found that the IP addresses with the log-in attempts were from China and the address translation problem was corrected,” he says.
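An added example, not taken from the article or from any AAA product, that ties the management-subnet advice to the log-in failure anecdote: it reads accounting records and reports any device that answered a log-in attempt from outside the primary or redundant management subnet, which is what a forgotten address translation or missing access list looks like in the logs. The record layout, subnets, threshold and names are assumptions, and the records are constructed.

```python
import ipaddress
from collections import Counter

# Assumed addressing plan: a primary and a redundant management subnet.
MGMT_SUBNETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.20.0.0/24")]
FAIL_THRESHOLD = 3   # assumed: failures from one source that warrant an alert

# Constructed records (time,device,user,source,result); not a real AAA log format.
SAMPLE_LOG = """\
2010-08-01T02:14:05Z,modem-17,admin,203.0.113.45,FAIL
2010-08-01T02:14:09Z,modem-17,admin,203.0.113.45,FAIL
2010-08-01T02:14:13Z,modem-17,root,203.0.113.45,FAIL
2010-08-01T02:20:41Z,router-3,jsmith,10.10.0.12,FAIL
2010-08-01T02:20:55Z,router-3,jsmith,10.10.0.12,OK
2010-08-01T03:02:10Z,router-3,admin,198.51.100.7,OK
2010-08-01T03:30:00Z,modem-17,ops,10.20.0.5,OK
"""


def from_mgmt(src: str) -> bool:
    """True when the source address sits inside a management subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_SUBNETS)


def audit(log_text: str) -> dict:
    """Summarise log-in records that the management-subnet policy should prevent."""
    failures = Counter()
    exposed, outside_ok = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, device, user, src, result = (f.strip() for f in line.split(","))
        if result == "FAIL":
            failures[src] += 1
        if not from_mgmt(src):
            exposed.add(device)          # device answered a non-management source
            if result == "OK":
                outside_ok.append((when, device, user, src))
    return {
        "exposed_devices": sorted(exposed),
        "noisy_sources": {s: n for s, n in failures.items() if n >= FAIL_THRESHOLD},
        "outside_successes": outside_ok,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```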

With a look to the future, Klein would like to see automated management tools that would enhance security in the satellite industry. “It would be great if modem and other manufacturers offered an applet which would review the strength of all passwords in a network. To the best of my knowledge, I don’t know of any manufacturer that offers this capability. Microsoft has the ability to automatically send out security updates. Why can’t satellite modems and other devices be automatically updated? Automating the security updates would be much more pleasant than sending out a new router to the field. If network service providers don’t have the staff looking out for themselves, then network equipment should have embedded capabilities,” he says.

Every satellite service provider, broadcaster or network operator should take an introspective look at the security of their networks. For a security strategy to be effective, you must be rigorous in its application and adherence. A password strategy should be adopted and strictly enforced. User names and passwords should be strong. Once in place, passwords need to be changed on a routine basis and even more frequently if there is employee turnover. To ensure the policy is being adhered to, a password audit should be conducted. Walling off Telnet access to satellite modems and other network gear which can be manipulated via a Telnet session is another must. Physically securing access to your network management system and remote gear follows closely behind.

Enhancing your network management tools with an AAA system will improve your capability to limit changes to your network to authorized personnel only and to keep records of the changes that were made. Depending on the type of network, the cost of network downtime can range anywhere from $40,000 to $1,000,000 per hour. A security breach will likely impact your network for several days. When you consider the true cost of a security breach, can you really afford to ignore the security of your network?