Satellite Companies Tackle IP Network Security Issues
For many years, satellite networks were isolated, private affairs enjoying security through obscurity, but that all changed with the advent of IP-based networking gear, VPN backhauls and broadband ISPs. Network security should be the top priority of every hardware manufacturer and satellite service provider, but unfortunately, many satellite networks are not subjected to the same rigor as terrestrial-based networks. In short, security is an afterthought.
Breeches of network security are at best embarrassing. More often than not, they involve malicious damage to the network, loss or theft of customer data, and network downtime. Network operators are left red-faced and lighter in the wallet as they rush to patch the newfound holes in their network’s armor. But what are the minimum steps that should be taken to safeguard a satellite network? What security technologies can be used to bolster your defenses against attacks? Are these steps cost effective?
Network security has a real value and security breaches have real costs. It is important to understand the magnitude of the costs when a breach occurs. Lost business is the first obvious cost and this term can have two meanings: lost business transactions because the satellite network is down and the loss of customers who abandon their service provider because of the security breach. Both are important and can be significant. A 2004 Gartner Study suggested that network downtime costs $42,000 per hour. That figure was for an individual company, so one could assume that the hourly rate multiplied by the number of customers affected by an outage would get you in the right ballpark when it comes to calculating costs. Labor to correct the problem, new hardware and software, and travel costs also must be factored in once the breach has been discovered. After the network has been secured and restored, a forensic investigation is usually the next order of business, adding even more labor costs. If the breach is bad and the damage is substantial, you can count on spending extra funds on legal fees to defend yourself from lawsuits and a public relations effort to repair the damage to your company’s stature.
“Customers really are your company’s first asset,” said Steven Klein of IsoTropic Networks, a Lake Geneva, Wis.-based satellite carrier. “To really be security focused, you need to be empathetic towards your customer. Asking questions like: ‘How can I better provide for your security?’ ‘How can I lower your cost?’ ‘How can I better protect you?’ These steps allow customers to concentrate on their own business because they know their security needs are being take care of.” Klein is director of emerging threats for IsoTropic Networks, and not only does he oversee the security of his company’s global satellite network, he leads the security practice for the company, providing professional services to enterprise customers and other satellite carriers. “It is sad to say but a number of satellite carriers are primarily worried about the satellite connectivity they provide and not the security of the network. They simply aren’t in tune with their security needs. Although it has been overused for a long time, the term ‘security awareness’ is still pertinent in today’s business climate. Carriers should be proactive to protect their customers and their data.”
Klein, a certified ethical hacker with Global Information Assurance Certification (GIAC) Certified Incident Handler (GCIH) and GIAC Security Essentials Certification, adds, “Organized crime rings in Russia, China, Iran, and different European nations have complete underground networks of people that do nothing but find holes in networks and then exploit them. Laws aren’t in place in those countries, so these people and the criminal organizations they work for can’t be prosecuted. Even though they are halfway around the globe, in an all-IP world the bad guys might as well be right down the street. If the satellite industry would concentrate on Security 101, it would be a much safer place. Although it sounds obvious, you would be surprised by the number of satellite modems I have seen that still have the default user name and password from the factory. That needs to change.”
Terry Slattery, Cisco Certified Internetwork Expert (CCIE) No. 1026 and principal consultant at Chesapeake NetsCraftsmen, has founded and built several well-known network consulting firms. Throughout his career, Slattery and his team of network engineers have helped government and large enterprise clients, assisting them with network design and trouble shooting. NetCraftsmen’s current brain pool includes eleven CCIEs. Regarding user names and passwords, Slattery agreed with Klein. “Every network operator should have a password policy which requires strong user names and passwords. Policies are worthless if they aren’t enforced. Relying on the factory defaults for your user name and password is an invitation for trouble.”