Regardless of the network access service employed, service subscribers should take precautions to secure their systems prior to attaching them to a public network. Owners of systems running Microsoft Windows should unbind NetBIOS from TCP/IP, effectively disabling file and print sharing over the Internet.
DOCSIS-based cable modem systems provide users with high-speed access to packet-based data services. These services include Internet access, packet telephony, video conferencing and telecommuting (i.e., remote access to enterprise networks). Security threats associated with these services fall into two general categories: security of data transport services and security of CPE devices, which use cable modems to attach to public data networks. The DOCSIS architecture includes security components that secure data transport services across the shared-medium cable network. DOCSIS data transport security provides cable modem users with data privacy and prevents unauthorized access to DOCSIS data transport services across the cable network. Any CPE device attached to a public network will be subject to security threats. Given that the purpose of an access network is to provide subscribers with data access to public networks, the access network cannot take full responsibility for protecting subscriber systems from attacks originating from that public network. DOCSIS-based cable networks provide, as do dedicated subscriber line systems, traffic filtering, which reduces threats from attacks that may target specific operating system features common to many of the attached CPE devices. (For example, filtering traffic on UDP/TCP ports 137, 138 and 139 to prevent unintentional Microsoft Windows SMB/NetBIOS file and print sharing.)
Regardless of whether a user employs cable, telephone, or DSL access networks, that user cannot rely solely on the access network to protect his or her system from attack. Subscribers to these services MUST, in all cases, take precautions to secure their systems prior to attaching them to a public network.
The situation is analogous to how an individual protects his or her home. While the individual trusts that the local police will do a good job protecting the neighborhood from burglary, the homeowner still locks the doors in the evenings or when absent from the home. The more populated the community, the greater the potential security risk, and thus the more caution demonstrated by the homeowner.
Attaching one's computer to the Internet is like living in a large urban area. There is much to gain in terms of the wealth of information, however accompanying that access are risks associated with having a direct ramp onto a global information highway.
Section 2 of this report examines security features built into the DOCSIS architecture to secure data transport services across the shared cable network.
Section 3 looks at policing mechanisms these systems can provide in order to reduce security risks associated with linking individual computer systems to large public networks (e.g., the Internet).
2. Security of Data Transport Services
DOCSIS data transport security provides cable modem users with data privacy across the cable network by encrypting traffic flows between the Cable Modem (CM) and the Cable Modem Termination System (CMTS) located in the cable network headend. In addition, DOCSIS security provides cable operators with protection from theft of service. Protected DOCSIS MAC data transport services fall into three categories:
- best effort, high-speed, IP data services;
- premium quality-of-service (QoS) data services; and
- IP multicast group services.
These services are protected by two component protocols:
- An encapsulation protocol for encrypting packet data across the cable network. It defines:
  - the frame format for carrying encrypted packet data within DOCSIS MAC frames,
  - the set of supported data encryption and authentication algorithms, and
  - the rules for applying the cryptographic algorithms to a DOCSIS MAC frame's packet data.
- A key management protocol for providing the secure distribution of keying material from the CMTS to client CMs.
The Zoom cable modem uses the DOCSIS key management protocol to obtain authorization and traffic encryption material from a CMTS, and to support periodic reauthorization and key refresh. The key management protocol uses X.509 digital certificates, RSA public key encryption and triple DES to secure key exchanges between the CM and the CMTS.
The Zoom cable modem data transport security provides a level of data privacy across the shared-medium cable network equal to, or better than, that provided by dedicated-line network access services (e.g., telephone, ISDN or DSL). It should be noted, however, that these security services apply only to the access network. Once traffic makes its way from the access network onto the Internet backbone, it will be subject to privacy threats common to all traffic traveling across the Internet, regardless of how it got onto the Internet. If a subscriber's concerns over communications privacy go beyond the access network, he or she should be using higher level security solutions: for example, VPN technology, to tunnel private data securely across public networks, or application-layer security (e.g., PGP or privacy-enhanced mail for email, SSL for Web-based transactions).
3. CPE System Security
DOCSIS-based network access systems support the same range of policing functions (filtering) available in remote access servers employed by traditional dedicated line network service providers. The issue within these systems that has attracted the greatest press attention is unauthorized access to system files using the NetBIOS over TCP/IP (NBT) and Server Message Block (SMB) file-sharing protocols that run on various Microsoft Windows variants (e.g., Windows for Workgroups, Windows 95, Windows 98, Windows NT).
Hackers need to know the Internet address of the target system. If a hacker can obtain the name and address of the targeted host system, he or she can then begin sending network traffic to that host in order to pry it open and gain unauthorized access. Windows PCs employ the NetBIOS over TCP/IP (NBT) name service for advertising, and for determining, the names and addresses of shared system resources on a LAN. Depending upon the system configuration, this name service may employ broadcast messaging, which allows systems on a shared LAN to exchange the names and addresses of shared services directly across that LAN.
The Zoom cable modem presents a high-speed LAN interface to its attached CPE devices. Attached Windows PCs can run the NBT broadcast name service across this interface to share name and addressing information with PCs attached to the same "cable LAN." Thus, if an attached PC has file and printer sharing enabled, its services will be advertised across this LAN interface, and other devices on that cable-based LAN can determine the names and addresses of those shared file and print services.
These NBT name service broadcasts employ UDP port 137, and thus can be filtered readily. However, not all proprietary systems support comprehensive filtering of this broadcast traffic, and even where they do, service providers prefer not to employ it for performance reasons.
Remote access servers used in dedicated line network access architectures do not reflect broadcasts received from one client out to other clients; hence, the names and addresses of a PC's shared services cannot be exchanged through NBT name service broadcasts. This explains why proprietary cable modem systems are more vulnerable to the unintended distribution of shared service names and addresses than dedicated-line systems.
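Added example, not code from this document or from Zoom: a Python detector that decodes NBNS datagrams captured on UDP port 137 and lists the hosts that broadcast a File Server Service name registration, which is exactly the traffic a cable operator or subscriber would look for to spot PCs advertising file sharing onto the cable LAN. The sample datagrams, host names and addresses are constructed for the example.

```python
import struct
# Constructed example (not from the Zoom/DOCSIS document): decode NetBIOS Name Service
# (NBNS, UDP 137) datagrams and report hosts broadcasting a File Server Service name.
REGISTRATION, REFRESH, FILE_SERVER = 5, 8, 0x20   # NBNS opcodes, name suffix 0x20
def encode_nb_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 15-char padded name + suffix byte, each
    nibble sent as the letter 'A' + nibble (32 bytes in total)."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0xF)))

def decode_nb_name(encoded: bytes):
    """Reverse the encoding; returns (name without padding, suffix byte)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def parse_nbns(datagram: bytes):
    """Return (opcode, broadcast flag, name, suffix) from header + question."""
    if len(datagram) < 12 + 34 + 4:
        raise ValueError("NBNS datagram too short")
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", datagram[:12])
    opcode, broadcast = (flags >> 11) & 0xF, bool(flags & 0x0010)  # B flag
    if datagram[12] != 0x20 or datagram[45] != 0x00:  # 32-byte label + terminator
        raise ValueError("unexpected question name layout")
    return (opcode, broadcast) + decode_nb_name(datagram[13:45])

def build_nbns(txid: int, flags: int, name: str, suffix: int) -> bytes:
    """Constructed question-only datagram (QTYPE NB, QCLASS IN), no extra records."""
    return (struct.pack("!6H", txid, flags, 1, 0, 0, 0) + b"\x20"
            + encode_nb_name(name, suffix) + b"\x00" + struct.pack("!HH", 0x20, 1))

def find_share_advertisers(packets):
    """(src_ip, datagram) pairs seen on UDP 137 -> {src_ip: name} for hosts
    broadcasting a registration/refresh of a File Server Service name."""
    hits = {}
    for src_ip, dgram in packets:
        try:
            op, bcast, name, suffix = parse_nbns(dgram)
        except ValueError:
            continue  # not NBNS or malformed: ignore
        if bcast and op in (REGISTRATION, REFRESH) and suffix == FILE_SERVER:
            hits[src_ip] = name
    return hits
# Constructed sample traffic; flags 0x2910 = registration+RD+B, 0x0110 = query+RD+B
SAMPLE = [
    ("10.0.0.5", build_nbns(0x1234, 0x2910, "HOMEPC", 0x20)),  # advertises shares
    ("10.0.0.5", build_nbns(0x1235, 0x2910, "HOMEPC", 0x00)),  # workstation name only
    ("10.0.0.9", build_nbns(0x0001, 0x0110, "HOMEPC", 0x20)),  # lookup, not an advert
    ("10.0.0.7", b"\x00\x01short"),                             # malformed, skipped
]
```

Only the 10.0.0.5 registration with suffix 0x20 is reported; the workstation-name registration and the plain name query from 10.0.0.9 are not advertisements of a share.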
Once an attacker determines the name and the address of a Windows-shared service, he or she then can establish a point-to-point NetBIOS session with the shared service. Depending upon the shared system's configuration, the shared service may or may not be password protected.
Thus, with regard to Windows-shared file and print services, the principal difference between proprietary cable modem systems and dedicated subscriber line systems is the support, in the cable environment, for NBT name service broadcasts. The cable service provider addresses this vulnerability by:
- making users aware of the issue,
- requiring users to disable file and print sharing, and
- educating users on how to disable sharing.
It should be noted that even if NBT name service broadcasts are inhibited, an attacker can use other methods (although certainly not as conveniently as simply double clicking on "Network Neighborhood") to determine host names and addresses and to begin an attack. Anyone can try to access shared files if they know an IP address, regardless of the type of access network. Knowledgeable system administrators recommend that any Windows system directly attached to a public network should unbind NetBIOS from TCP/IP, thus disabling Windows (SMB) file and printer sharing over the Internet.
Note that enterprise networks typically have a firewall separating themselves from the Internet, and this firewall filters all TCP/IP NetBIOS traffic. In this way, Windows systems within the enterprise network can use Windows networking (SMB over NBT) to share files internally, yet can be protected from external attack.