Thursday, March 9, 2017

Network Security Through the Eyes of a 'Cable Guy'

Written by CCI Solutions Director, Drew Kempen
News Flash! The world of the traditional cable service provider is changing...
We all know about how consumers are consuming video via streaming; about the growth of DOCSIS and Internet services; about how the Internet of Things (IoT) is bringing massive amounts of new devices into the network; and about how almost everything we do as a consumer continues to migrate to the ‘cloud’. In short, everything is moving to ‘IP’. 

Unfortunately, growing the capacity and speed of the network isn’t the only area of concern that comes with this change. With IP, network security becomes a huge concern. Oftentimes, security of the headend-to-consumer pipeline has been overlooked in the traditional cable service provider environment. It is also not the sort of cost that many traditional service providers are used to stomaching. So how does someone who is not a security expert, or even an IP expert, wrap their heads around security? And how can you justify requesting funds to spend on security?

Why does my system need security?

There are a number of reasons operators need to begin to take security seriously. The most overt and publicly familiar concern is being maliciously hacked. This is when attackers access your network, or subscribers on your network, to gather personal information or business data, insert malware, or hold you digitally hostage. We all hear the horror stories of companies being hacked, identity theft, computers being taken over, networks crashing, and so on.
CCI’s Security Solutions Director, Andy Erickson, points out “Ransomware has become the malware of choice for many hackers.” Ransomware is on its way to becoming a $1 billion market (Taylor, 2016).  This issue is not getting better, it is getting worse. Yet we still see many operators continuing to play Russian roulette by putting off investing in security solutions.

Second, attacks are happening all of the time. No unprotected network is safe. Every operator experiences these attacks and most don’t know they are happening at all. Imagine running a large business with hundreds of employees, products, revenue streams and costs. Now imagine the only report you get is dollars in and dollars out. Basically, you know how much money you are making. How easy would it be for fraud and wasted dollars to hide, and how would you identify how each product and employee is performing? Network security today is like that. Your IP bandwidth is that business, and everything is hiding in the IP packets. It could be legitimate traffic, it could be malicious traffic, or it could be useless or DDoS-generated traffic. You only see how much traffic is used.

Examine the large DDoS attacks we have seen in the news lately, where services such as Amazon, Netflix, and so on were taken down. These are not shut down by someone from Russia hacking their sites. The attackers compromise entire groups of IP devices in people’s homes and program them to request access to an IP address all at one time. Take the massive outage that occurred late last year that affected the east coast of the United States. This was a DDoS attack against Dyn in which the attackers used IoT devices to carry out the attack (Newman, 2016). We are talking about refrigerators, watches, phones, tablets, thermostats, etc. This happens all the time and will happen with more frequency as more and more devices come online unprotected.

How do I justify the cost?

Investing in security is not as unfamiliar to cable operators as many may think it is. Consider video encryption requirements and the challenges they presented for the entire industry from both a technical and a financial perspective. This was to secure the content. It introduced millions of dollars of cost to operators simply to meet requirements. Today, security is different and more complex. However, unlike the investment in encryption, these security technologies offer the opportunity for new and next-generation revenue-generating services.

For the sake of an example, let’s assume that when your traffic is at peak burst time, 20-25% of that actually turns out to be malicious or attack-oriented bursts. You provision your entire network based on peak-time traffic usage. For a cable/DOCSIS operator, that is the difference between 16 and 20 DOCSIS QAM or 24 and 32 QAM. Without visibility into this traffic, huge amounts of money may be spent to scale a network faster than it needs to be scaled. At first glance, these percentages seem high, but look no further than last January’s Arbor DDoS report that clocked the largest ever DDoS attack at 500 Gbps (Ungureanu, 2016). Many respondents to the report saw an over 100 Gbps attack during the year. Again, this problem isn't getting better, it is getting worse. As more and more devices come online, this percentage will inevitably rise. Now is the time to gain visibility into this and implement solutions to stop that traffic.

Potential Monetization

There is also a value to the consumer. Next-generation firewalls provide a huge security benefit. Coming from a cable guy, using the term ‘firewall’ for this solution is very misleading. When most people think of a firewall, they think of some mass-marketed software that everyone has tried, yet we always seem to get viruses on our devices one way or another. Unfortunately, this has been the only layer of security most consumers have ever had. These next-gen network firewalls actually provide many of the benefits of a desktop security solution and more. Not that you would recommend going without desktop security on a computer, but anti-malware detection for the entire home is part of these network firewalls. It provides an additional layer of security for the entire IP stream to that home.

Deep packet inspection is also a key feature of these network firewalls. Malicious programs and code are hidden within the IP packets. Unless you unwrap and analyze the contents of these packets, you will not be able to find the illegitimate code. Next-generation firewalls provide this capability, which helps protect your network and your subscribers. It is important to remember that as consumers’ information and data continue to migrate to the digital realm, it is not just data that needs to be secured; it is their lives, intimate information, and identities.

These values can translate into an additional revenue-generating service for subscribers, both commercial and residential. For example, let’s assume you have a 100 MB data tier.

Option 1:
100 MBPS Class of service - Unlimited Data = $79.99/mo

Option 2:
100 MBPS Class of service - Unlimited Data + Whole-home network security, firewall, malware protection, virus prevention, all-device protection = $89.99/mo

You could throw in an option 3 ‘business class’ that offers DDoS protection as well. The primary point is that you now have the capability to realize an additional revenue stream for an area of growing importance and relevance for your subscriber base. This is valuable especially considering the shrinking revenue and income generated by traditional video.

From a solution standpoint, there are many layers of security to be considered. For example, there are network-wide options that also help with these problems, such as Cisco Umbrella (OpenDNS) and Arbor DDoS detection and mitigation solutions.

CCI Systems CTO Matt Reath comments regarding the value of this solution: “In this case, a service provider can set up their network and subscribers to utilize the OpenDNS solution so that DNS requests are scrubbed and requests protected. Arbor looks at all packets going in and out of the network and alerts and reacts to DDoS attacks. This combined with proper end-user education and in-home firewall systems creates a multi-layered approach to security.” This multi-layered approach is critical to offering a comprehensive solution for security.

CCI’s Security Solutions Director, Andy Erickson, proposes: “From a Service Provider’s perspective, security can be implemented in a phased approach: crawl, walk, run. Next-generation firewalls with Cisco’s Umbrella are a great starting point and can be the foundational framework for your security to build from.” In conjunction with this solution approach, CCI offers security consulting in a crawl, walk, run method. This starts with providing visibility into the network attacks that are happening and security threat assessments of the current network.

Summary

Network security should not be looked at as optional or as an ‘insurance policy’ any longer. It should be a requirement for the foundation of any long-term strategy. How many operators sink millions of dollars to make the physical layer redundant? Fiber links, line cards, switches, etc., all to increase reliability and minimize downtime. It’s time we all start understanding the preventative nature and benefits of enhanced network security solutions, as well as the asset they are to our systems and services we can offer to our subscribers.

For more information or to discuss your network’s security strategy, reach out to CCI on social media or contact us at info@ccisystems.com.

References

Taylor, H. (2016). Ransomware spiked 6,000% in 2016 and most victims paid the hackers, IBM finds. Retrieved February 7, 2016, from www.cnbc.com.
Newman, L. H. (2016). What we know about Friday’s massive East Coast Internet outage. Retrieved February 7, 2017, from www.wired.com.
Ungureanu, H. (2016). World’s largest DDoS attack breaks records, clocks at massive 500 Gbps. Retrieved February 7, 2017, from www.techtimes.com.

Thursday, February 2, 2017

Are we prepared for bandwidth growth?

Analyzing the 50% Growth Rate of Data

Author: Drew Kempen, Solution Director - Strategy & Consulting

Since the inception of consumer data services, history has shown a 50% year-over-year data growth CAGR, at least when averaged out over that time period. That essentially breaks down to a doubling of traffic usage every 18 months and corresponds with Nielsen’s Law (Nielsen, 1998). This continual growth rate presents a significant challenge for operators who continue to need to migrate and scale their networks. One would think that a provider that provisions their network for 50% utilization of available capacity would be smooth sailing for a while. In relative terms, that may be correct, but it still means you may be at 100% utilization in just 18 short months. The network never stops growing.

Much of this growth over the past decade has been the gradual transition of consumers to Over-the-top streaming services. Companies like Netflix, Hulu, Amazon, YouTube and now SlingTV and DirectTV-Now have brought an entirely new experience to the subscriber. In addition, more and more data moves to the cloud. Information once stored on disks and hard drives such as video, pictures, data files, and backups are now becoming common cloud operations consuming larger amounts of downstream and upstream bandwidth. As people continue to migrate to this method of IP-delivered video, this growth trend of data usage will continue. 

One must ask the question, however: will this ever slow down, or will it speed up? Many operators have a difficult time planning past 18 months. Those who are trying to be proactive are probably basing their growth on a 50% CAGR. Others, however, are being extremely proactive by rolling out 1 GB service initiatives today. Much debate has been had over the practicality of a 1 GB service. Other than marketing, what is the true need? When will we really ‘need’ that much pipeline?

At the doorstep are 4K and HDR technologies. The typical streams for these technologies can range from as low as 15 MBPS to over 30 MBPS and vary based on whether it is true 4K, frames per second, and compression technologies. However, even in the worst case and with a number of simultaneous streams, a household may only be pulling 100-200 MB of traffic. Certainly a hog on the aggregate bandwidth, but barely a dent in a 1 GB service. The evolution and adoption of these services via IP certainly seems to fit well into the 50% growth CAGR of data when looking at a 5-10 year period.

For example: assume that the peak utilization of data divided by the number of subscribers is in the 2-3 MB range today. This is certainly on the high side for most operators. At a 50% CAGR, this is how that average grows (shown in kbps per sub on average).

Year    kbps per sub
2016    2000
2017    3000
2018    4500
2019    6125
2020    10125
2021    15188
2022    22781
2023    34172
2024    51258
2025    76877

This growth trend and curve fits nicely with the 50% CAGR model that we have seen. As the big push to streaming services carried that curve for the last decade, it will continue to grow as additional subscribers are added and as the resolution quality of the video advances.
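The compounding behind the table above, together with the earlier post’s point that a malicious share of peak traffic inflates DOCSIS provisioning (16 vs 20 QAM, 24 vs 32 QAM), as an added Python example that is not code from the original posts. It assumes the page’s 2,000 kbps per subscriber in 2016 and a 50% CAGR; the serving-group sizes and the 38 Mbps of payload per QAM are constructed assumptions.

```python
"""Per-subscriber growth projection and DOCSIS QAM provisioning.

Added example, not code from the original posts. Assumptions: the page's
2,000 kbps/sub starting point for 2016, a 50% CAGR, and (constructed)
serving-group sizes with roughly 38 Mbps of payload per downstream QAM.
"""
import math

CAGR = 0.50                 # 50% year-over-year growth (Nielsen's Law)
KBPS_PER_SUB_2016 = 2000    # the page's starting figure
MBPS_PER_QAM = 38.0         # assumed usable payload per DOCSIS downstream QAM


def project_kbps_per_sub(start_year, start_kbps, end_year, cagr=CAGR):
    """Return {year: kbps per subscriber}, compounding once per year."""
    return {
        year: round(start_kbps * (1 + cagr) ** i)
        for i, year in enumerate(range(start_year, end_year + 1))
    }


def qams_needed(subs, kbps_per_sub, mbps_per_qam=MBPS_PER_QAM):
    """Whole QAM channels needed to carry a serving group's peak traffic."""
    peak_mbps = subs * kbps_per_sub / 1000.0
    return math.ceil(peak_mbps / mbps_per_qam)


def provisioning_with_attack_share(subs, kbps_per_sub, malicious_share,
                                   mbps_per_qam=MBPS_PER_QAM):
    """Compare the QAMs provisioned for the observed peak against what the
    legitimate portion alone would need, given the share of peak traffic
    that is malicious or DDoS-generated. The difference is capacity bought
    to carry attack traffic rather than subscribers."""
    observed = qams_needed(subs, kbps_per_sub, mbps_per_qam)
    legit_kbps = round(kbps_per_sub * (1.0 - malicious_share))
    legitimate = qams_needed(subs, legit_kbps, mbps_per_qam)
    return {
        "observed_qams": observed,
        "legitimate_qams": legitimate,
        "excess_qams": observed - legitimate,
    }


def years_to_reach(kbps_per_sub_now, kbps_per_sub_target, cagr=CAGR):
    """Whole years of compounding until per-sub usage first reaches target."""
    years, usage = 0, kbps_per_sub_now
    while usage < kbps_per_sub_target:
        usage *= (1 + cagr)
        years += 1
    return years


if __name__ == "__main__":
    for year, kbps in project_kbps_per_sub(2016, KBPS_PER_SUB_2016, 2025).items():
        print(year, kbps)
    # Constructed serving groups sized so the observed peak fills 20 and 32 QAMs.
    print(provisioning_with_attack_share(380, 2000, 0.20))   # 20 vs 16 QAM
    print(provisioning_with_attack_share(608, 2000, 0.25))   # 32 vs 24 QAM
    print(years_to_reach(2000, 4000), "years to double at a 50% CAGR")
```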

What could change the model?
There are some reasons for concern about a disruption of this model. All of this growth has revolved around one thing that has remained somewhat unchanged: the viewpoint of all of these screens was fixed. It was a rectangle. While size does matter in the ABR world, it is still a small viewing window relegated to the size and shape of televisions and devices. Virtual reality is changing that model. That small window into life now becomes a full 360-degree viewpoint.

If you have been to CES the past few years, you have seen the rapid adoption and development of VR technology. At first, it seemed interesting but gimmicky and far from being useful. Then it looked like the next revolution for gaming. Now it looks like the next revolution for video. Today, VR is addictive and immersive. However, content is limited and video quality is far from SD, much less HD. The long-term end-game of VR is exactly that: a virtual replication of reality, a 360-degree view with the same resolution the human eye is capable of. We are a ways from being able to replicate that from a screen and camera standpoint, but the resolution we can achieve today is impressive.

There is a great article, referenced below, to gather more information on this, where the author points out that a VR stream in 4K would use approximately 300 MBPS (Begole, 2016). That is with some pretty hefty resolution. They also do the math showing that a 5.2GB stream would be required to come close to replicating the human eye experience. While we may be decades from a human eye experience, 4K VR is certainly realistically achievable in the next 5 years. This would be a truly disruptive service to the traditional 50% CAGR model if these capabilities mature and the demand increases.

Before you discount the potential of this, consider this: in the 2016 Olympic games, some of the content was made available in VR. By 2020, a much larger amount of Olympic programming will be available in VR and at much better quality. Now imagine being able to watch an Olympic event from a stadium seat or floor-side viewpoint in 360 HD. Then imagine watching a basketball game from the scoring table, or Saturday Night Live as if you were sitting in the audience. Perhaps you will be able to buy a ticket to a Broadway show and never leave your living room. The applications and potential are awesome for consumers and stomach-churning for network planners!

Will VR take off? Will people want to wear a headset? Keep in mind that VR is essentially in the ‘Nintendo NES’ phase of its technology cycle. It is going to get a whole lot better and easier to use. 

All of a sudden, a 1 GB service doesn’t just seem like a marketing ploy any longer. Thankfully, none of this is going to happen overnight; there will be visible signs of when it will happen and the adoption will be gradual. It is worth noting, however, that there are signs today that need to be taken into account. We can already see the potential impact this will have on the horizon. Do the network enhancements and investments you are making today leave room for migration, scaling and adaptation for this possible disruption?

It will be interesting to see what happens with VR and if it will disrupt the growth model most network migration plans are accounting for.

CCI can help you ‘Future-proof’ the Network
Future-proofing is in many ways an inaccurate term. Future-resistant is a better term, as you never know exactly what will happen in the future. However, the ability to plan for multiple scenarios exists today. This planning is not easy. There are multiple dynamics and metrics to consider that are not easy to analyze. It can take a lot of time and resources that many operators do not have, particularly the mid-size to smaller operators. For a traditional cable operator, it is all too easy to fall into the ‘fix it when it breaks or shows signs of breaking’ mentality.

Fortunately, CCI has the expertise, experience, and tools to help you plan across the network: from analyzing growth trends and service migration to architecture migrations, and from the core/route/transport aspect to DOCSIS, HFC, and FTTx technologies.

For more information, reach out to Drew via Twitter at @drewkempen

References
Nielsen, J. (1998). Nielsen’s Law of Internet Bandwidth. Retrieved January 25th from www.nngroup.com.
Begole, B. (2016). Why the Internet pipes will burst when VR takes off. Retrieved January 17th from www.forbes.com.

Tuesday, January 17, 2017

CES 2017 Recap: From a Service Provider Perspective

Written by CSE, Drew Kempen

The Relevance of CES

In order for any business to thrive and grow, it must be able to adapt and plan for changes in the market space. What is changing? When will it change? How will we make that change? What are the options? How much will it cost? Attempting to answer these questions requires a large dose of prognostication. CES is one of the best windows into the future that the service provider industry has. CES is effective because it focuses on the consumer; what they will be using and how they will be using it. This drives the migration of services that are important to consumers, thus driving network changes.

With a tagline of ‘WHOA’, CES 2017 seemed to come up short of anything mind-blowing this year. CES 2017 was essentially 2016 v1.1. We saw primarily the same technologies, slightly more refined. This is an encouraging trend for service providers. For a number of years, there has been much change and uncertainty about which directions both consumers and manufacturers would grow. We are now seeing a more stable and focused technology wave.

Last year, 4K and Virtual Reality (VR) were all the rage. This year, we had a few slight modifications to that. Almost every booth in 2016 had some version of 4k playing video in their booth, regardless of the products they were touting. This year, almost every booth had a VR experience. Also, rather than 4k being highlighted; it was HDR technology that took center stage.

All Things IP

Last year we saw an explosion of new connected devices and concepts. Very few ‘new’ ideas were demonstrated this year; however, there was a strong focus on refining these products. From streaming boxes to VR to wearables, the focus was on better performance, better design, and more functionality. This stronger focus on technologies allows us to get a clearer picture of where services are going, thus defining which direction our networks need to grow.

4K, HDR and VR will continue to drive the next video transition. However, this transition also comes along with a migration of this video content to all IP. While video is alive and well, it is clear that traditional forms of video services are fading. Consumers are becoming more and more accustomed to on-demand, no/minimal commercial, and a seamless/mobile viewing experience. The crux of future video uncertainty currently rests with the content providers and networks. What will they do with broadcast, commercials, re-transmission rights, bundle requirements, and contract negotiations? With a-la-carte channels, skinny bundles, and quality original programming from OTT players such as Netflix and Amazon Prime; consumers continue to take back power from the networks. No one yet knows how or if they will adapt.

In the meantime, it is the OTT and direct to consumer streaming apps that are taking the lead with 4k, HDR and VR services. True 4K and HDR undoubtedly offer a mesmerizing large screen experience. Just as the theater experience continues to attract 10’s of millions of customers keeping the theater industry relevant, 4k and HDR can do that for the living room experience. As we see the OLED paper-thin televisions develop, it validates that the large screen experience is here for the long-haul.

OLED is Awesome

The thin OLED televisions were arguably the coolest piece of technology at the show. The current generation of LG W OLED TVs are less than 4mm thick. The newest advancement, which wasn’t shown at the show, is less than 1mm thick and can be rolled like a newspaper! It is not difficult to envision an entire wall of the living room becoming an OLED TV in the future, essentially making your wall an IMAX theater. Looking even further out into the future, one could certainly see an entire room dedicated to 360-degree OLED, essentially giving you a headset-free VR experience.

VR Continues to Impress

VR once again took center stage at this show. The reason this is so interesting is that VR is truly in its infancy. In many ways, VR is currently a parlor trick. When you put on the headset, it quickly becomes immersive, fascinating and addictive. However, when you think about it in the real world, it still has a long way to go. The content is minimal, functionality is crude, and video quality is extremely poor. Yet it still is growing in use at a rapid pace. One can only imagine how more effective and desirable this service will be when it is refined and in a true HD format.

All this means one thing for service providers. The pipeline will always be growing, and growing fast. Historically, a 50% CAGR for data usage has been seen. There is certainly no reason to think this will slow down, and it could very well be more than this for the next few years as these technology and service transitions mature.

While there are certainly challenges for service providers in continuing to grow the network, the growing requirements of large bandwidth streams and services present a significant opportunity and a welcome trend. It keeps their hardline service relevant and required to the home, potentially staving off the next generation of LTE capabilities as a peer competitor.

Virtual Traffic Jam

Finally, service providers must consider the implications of the combination of exploding Wi-Fi connected devices within the home, mobile streaming devices and TVs, and the large stream-rate requirements of 4K, HDR, and VR. This presents a huge Wi-Fi, network management, and security issue within the home. It also presents a growing opportunity and market for new revenue-generating services, which the service provider is in an ideal position to provide. A number of vendors were showcasing new Wi-Fi management platforms that provide visibility into the in-home network and devices. While these are almost all in their first software generation of functionality, the platforms provide the capabilities required to help service providers delve into these abilities today, while providing the scalability to increase capabilities and functionality with software upgrades.

Summary: Future-world

For those of us who grew up in the 70’s and 80’s, by now we should be playing in holodecks, visiting the moon, speaking some version of pseudo English-Chinese, and flying around rather than driving. In reality, the next-generation future world lies before us. Self-driving connected cars before flying cars, VR before holodecks, and obviously Google Translate is the mechanism that will facilitate the English-Chinese language transition. Every device, application, and execution of what we do in life is becoming connected and part of the way we live. Few things slam this reality into mind more than your child wondering why a hotel remote has so many buttons and why you can’t speak to the remote. It’s no wonder the generation of knob-turners didn’t make the transition to flying cars and the moon. Perhaps our current generation of ‘remote control talkers’ will take us there.

Stay in touch with Drew on Twitter at @DrewKempen

Wednesday, January 11, 2017

5 Consumer Technology Trends Impacting Service Providers Today

[Authored by: Matt Reath, CTO at CCI Systems]

I attended the Consumer Electronics Show (CES) in Las Vegas last week with the purpose of analyzing consumer technology trends and how those trends may or may not impact service providers. The underlying themes at CES this year were immersive video experiences with 4k, 8k, and virtual reality tech, as well as connected home and automation, connected cars, and the Internet of Things (IoT). Many of these technologies were visible at last year’s CES, though my conclusion is that they have since matured and service providers should be addressing the impacts they have on business. Based on this information, I have compiled what I feel are the five most important consumer trends and discuss specifically how those trends are impacting the service provider industry.

1. Broadband Demand
I always refer to Nielsen’s Law of Internet Bandwidth when discussing bandwidth consumption growth by subscribers. It states that a high-end user’s connection speed grows by 50% per year. This has held true since 1983 (Figure 1).

Figure 1: Bandwidth consumption growth since 1983
The cloud is transforming consumption models and is driving end consumer bandwidth needs. Music and video quality is increasing with 4K/Ultra HD. Services like Apple Music and Google Play are now built into Apple TV and Roku devices so that this enhanced media can be consumed by end users. Google and Apple are utilizing cloud storage for photos, videos, and device backups. Combine these cloud services with an increased number of devices in the home and you have the potential for a bandwidth explosion.

This increased bandwidth consumption puts pressure on service providers to make network and outside plant upgrades. However, the market won’t necessarily allow price increases on these services as competitive pressures mount. This is a major challenge for providers today.

While their current revenue streams are suffering, customers aren’t spending any less.  Operators have a wide-open opportunity to adapt their service strategy and replace legacy revenue streams with a whole host of new potential streams from managed Wi-Fi, Security, Storage, Connected home, Home network management, amongst many other possibilities.

2. Content Consumption Models
The upcoming generation of subscribers consumes content very differently than older demographics. The traditional method of watching TV at pre-determined times with a standard guide is dying. On-demand, streaming content that can be viewed in any location on any connected device is the new normal. While traditional video is receding, the streaming market is exploding with growth and opportunity.

This brings into question how relevant traditional service providers can be in response to this paradigm shift. Service providers could become the “dumb” pipe for consumers to access content, leaving them out of the equation, if providers don’t constantly analyze their consumers’ behavior and trends and adapt their strategies appropriately. Instead of purchasing content from the service provider, consumers are opting for streaming devices such as the Roku and Apple TV, and content streaming services like Hulu, Sling TV, Netflix, and HBO Now, to name a few.

Despite this shift, there is still hope. TiVo and Pace/Arris have come together to create a set-top box, the MG1, that supports both traditional video content through broadcast QAM and over-the-top (OTT) application integration such as Netflix, Hulu with integrated search across the different sources. The roadmap for the MG1 includes the ability to ingest broadcast TV through the QAM interface or via multicast IP on the Ethernet interface. This allows a service provider to offer the best of both worlds and create a transition plan to get to an all-IP network, which is exactly what the NCTC has enabled for its members.

In the end, subscribers will be given the flexibility and freedom they demand by being able to purchase their own streaming devices, and installing both OTT apps and an app provided by their service provider that supports broadcast content and local content.

3. Mobile Connectivity
At CES this year, Qualcomm had a major presence around 5G technologies and how it will enable multi-gigabit speeds with a combination of licensed and unlicensed spectrum solutions. AT&T has also released its broadband and 5G plan. These solutions have a focus on enabling IoT expansion, wireless broadband access, and advanced mechanisms for delivering quality content across the spectrum. 5G is positioned to disrupt fixed broadband access, with multi-gigabit speeds, and augment Internet delivery to the subscriber in more flexible ways. 

Adapting a strategy for delivering a combination of fixed broadband and wireless access (and in some cases a mix delivered to the same location) will be required. This will enable IoT device connectivity, UltraHD video delivery, mobile device access, connected vehicles, and other devices to communicate back to cloud-based management and analytic systems.

Service providers must partner with their predominant farming, automotive, municipal, emergency response, and other mobile industry customers to create wireless coverage and fixed broadband initiatives and strategies. These partnerships should include revenue sharing and business partnership models that are win-win for the customer and provider. 

A legitimate concern for those providers with no spectrum, no Wi-Fi solution, or no partnerships for spectrum, is that due to these advances in wireless communication, they will be unable to deliver the truly mobile solution that consumers demand.

4. Internet of Things (IoT)
Although not clearly defined by all, and perhaps combining trends 1 and 3, the IoT is adding a multitude of devices onto networks at a rapid pace. Cisco defines the IoT as the mechanism that “links objects to the Internet, enabling data and insights never available before.” Industries are being transformed, from connected cars with thousands of sensors communicating issues back to service centers, to farmers with sensors sending data back to the cloud to analyze soil composition and weather patterns to optimize yields. The IoT is changing how we live and conduct business. The advances in Wi-Fi, 4G/LTE, and 5G technology are continuing to enable more and more IoT devices, all communicating back to management and analytics systems to create optimizations and applications that have never existed before. Cisco has published specific case studies that demonstrate the value that can be created.

This growth in IoT is putting demand on service providers to have more encompassing and reliable mobile solutions through Wi-Fi, near field communication, and LTE today and 5G in the future. Business and residential subscribers are demanding more intelligent, flexible, and reliable connectivity methods to enable these applications. Much like the mobility strategy, providers must partner with their most strategic customers and understand their IoT and mobility needs to co-create solutions that create positive impacts for both the subscriber and the provider.

5. Home Automation
The last technology on my list is home automation. Although this technology has been around for a while, this year’s CES showed me that the technology, and more specifically the management applications for mobile devices, have matured. Technologies such as Z-Wave create a standard for other vendors to base their technology on, allowing consumers to mix and match Z-Wave compatible devices in their home. Z-Wave has created a solution guide based on common use cases in the home. By following these use cases, consumers can create their own customized home automation install.

These technologies in the home will require additional bandwidth, especially for streaming video camera feeds, and secure home networks that isolate and protect the connected devices. Setup, installation, and support for Z-Wave and other home automation solutions are probably out of reach for non-technical users. This creates an opportunity for service providers to sell, install, and support home automation bundles built around these standard technologies.

Conclusion
Key strategies for service providers going forward: partner with customers to understand their mobility and IoT needs; co-develop solutions for mutual success; and build a mobility strategy that uses Wi-Fi, 4G/LTE, and fixed broadband to enable IoT and home automation solutions.

Despite the challenges of delivering high bandwidth-consuming content, especially video, service providers should not give up. They can protect their brands and even make up the margin lost to broadband growth-driven network upgrades by creating new revenue streams made possible by these changes: managed Wi-Fi and IT services, cloud applications, home automation, IoT backhaul, and most importantly security services for business and residential subscribers. The importance of adapting strategy to meet changing consumer, technology, and bandwidth-related demands cannot be stressed enough. It is a truly exciting time in the market, and innovative and creative service providers will come out ahead.

Follow me on Twitter: @mpreath

Thursday, January 5, 2017

CES 2017 Kick-Off

[Authored by: Drew Kempen, CCI Cable Architecture & Strategy CSE]


Another year has passed and CES 2017 has arrived! As the show floor opens today, we are looking forward to what might surprise us or wow us. More importantly, we want to understand how the technologies available today and soon to be released are going to impact our service-provider networks.

2016 Recap:

In 2016, the theme of the show seemed to be “all things IP”. Everything was becoming connected and the age of the connected ‘man’ had arrived. The future ramifications that the Internet of Things (IoT) will have on our networks cannot be overstated. It signaled the beginning of the end for the old guard of broadcast video delivery. It is probably safe to assume that nearly 100% of most service providers’ growth last year was focused on growing IP service delivery capabilities.

On the video side, we saw a focus on streaming devices, and the first year of aggressive promotion of ‘skinny bundles’, Ultra HD (4K+) video and Virtual Reality (VR). Throughout the year, the market saw tremendous growth in the adoption of skinny bundles and a large increase in OTT streaming devices in homes. 4K still hasn’t made any significant impact, and when, if and how hard it will hit is still TBD.

VR is scary. If you haven’t tried VR, buy a Samsung Galaxy S7 and the Gear VR and put it on. Call it a business research expense. Within 10 minutes, the potential this has to take over the world should be apparent. Or at least to take over our ability to socialize in a traditional face-to-face manner.

CES 2017: What lies in store?

In 2016, we saw the introduction of a vision of the future: the potential for the eventual ‘All IP’ world. In 2017, we will begin to see the execution of that vision. It will be interesting to see how far technology has come in making that execution faster, easier, more scalable and more cost effective. We are at the dawn of a dramatic shift in the way people live. It feels as if we have lived in the digital age for a while, but many analysts and technology experts say we are barely scratching the surface of what is to come. This is exciting for consumers but daunting for service providers. Seeing these trends and this vision ahead of time is critical for developing the solutions, strategy, and plan for the growth of our networks into the future. We at CCI are committed to helping our customers successfully navigate this transition through this exciting time!

Stay tuned as we keep you updated throughout the event.

Thursday, October 27, 2016

Because They Can: Spawning of the IoT DDoS

Authored by: Keely Richmond, Sr. Cybersecurity Engineer

On September 13, 2016, the website of US-based cybersecurity journalist Brian Krebs was hit by a DDoS attack that knocked it offline. The resulting investigation uncovered a type of DDoS attack different in composition and scale from the typical DDoS attack. In fact, this type of attack had only been seen in the wild a handful of times, the earliest known detection being April 2016.

Two similar but distinct pieces of malware, Mirai and Bashlight, were used to enslave enough Internet of Things (IoT) devices to launch a 620 Gbps DDoS attack, for the sole purpose of silencing a journalist whose articles threaten the livelihood and freedom of criminals.

As expected, an IoT DDoS attack sustaining 620 Gbps got the attention of all types of people and organizations, and the internet was soon riddled with partial facts and theories about who, how, why, and what might be next.

Then it happened again! 

On September 20, 2016, approximately 150,000 IoT devices (primarily DVRs and CCTV cameras) were enslaved to launch a 1.1 Tbps DDoS attack against OVH (a French hosting provider). The target: Minecraft servers. The culprit: Mirai.

By September 30, 2016 the creator of Mirai decided to cut bait and released the monster (the source code) publicly for anyone to use. This put distance between them and the code, making the job of law enforcement more difficult because the code was now in the “possession” of virtually everyone. It also put a very powerful weapon in the hands of anyone with moderate technical prowess and malicious intent.

Along with the source code came the list of default login credentials that Mirai tries, which identifies the IoT device types it targets. This accomplished a few things:
  • Put the manufacturers and vendors of those devices on notice that their equipment needs to be secured or securable
  • Informed consumers (at least those who read tech news) of the lurking vulnerabilities in their homes and small businesses
  • Provided a seed list to anyone who wanted to give that source code a test drive
  • Made IoT vulnerability a hot topic for Cybersecurity specialists and service providers 
  • Caught the attention of legislators—domestic and foreign

In addition to releasing the Mirai source code, its creator boasted of having enslaved 380,000 IoT devices before the scrutiny following the OVH attack made such endeavors too risky.

And then…it happened again!

On October 21, 2016 the US-based DNS provider Dyn became the third known victim of Mirai. The metrics of the attack have not been released to the public, but speculation puts the volume at 1.2 Tbps. The Dyn attack impacted millions of people in the United States and Europe. Dyn hosts authoritative DNS for sites such as Twitter, Amazon, PayPal, and Netflix; once the cached records at recursive resolvers (such as Google Public DNS) expired, those names could no longer be resolved because Dyn’s authoritative servers were not answering. Cisco’s OpenDNS held up better because its resolvers keep serving the last known-good answer (“smart caching”) when the authoritative side stops responding.
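The “smart caching” behaviour that kept OpenDNS answering during the Dyn outage is, in general terms, a resolver serving an expired record rather than SERVFAIL when the authoritative servers cannot be reached (the same idea later standardised as “serve stale”). The following is an added illustration written for this page, not OpenDNS’s or Dyn’s code: a toy recursive-resolver cache with an injectable clock and an upstream callback, so the outage can be simulated offline. All names, IPs and TTLs in it are constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class CachedRecord:
    """One cached answer: the record data and the absolute time its TTL runs out."""
    rdata: str
    expires_at: float


class UpstreamUnavailable(Exception):
    """Raised by the upstream callback when authoritative servers do not answer."""


class ServeStaleCache:
    """Minimal resolver cache that serves expired answers during an upstream outage.

    resolve() returns (rdata, status): 'fresh' from cache, 'refreshed' from upstream,
    'stale' when upstream failed but an expired copy is still within max_stale seconds,
    and 'servfail' when nothing usable is available (a plain cache would SERVFAIL as
    soon as the TTL expired, which is what happened at resolvers relying on Dyn).
    """

    def __init__(self, lookup_upstream: Callable[[str], Tuple[str, int]],
                 max_stale: float = 86400.0, now: Callable[[], float] = time.time):
        self._upstream = lookup_upstream   # returns (rdata, ttl_seconds) or raises
        self._max_stale = max_stale        # how long past expiry we are willing to serve
        self._now = now                    # injectable clock so tests can jump in time
        self._cache: Dict[str, CachedRecord] = {}

    def resolve(self, name: str) -> Tuple[Optional[str], str]:
        now = self._now()
        entry = self._cache.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.rdata, "fresh"
        try:
            rdata, ttl = self._upstream(name)
        except UpstreamUnavailable:
            # Authoritative side down: fall back to the expired answer if we still hold one
            if entry is not None and now - entry.expires_at <= self._max_stale:
                return entry.rdata, "stale"
            return None, "servfail"
        self._cache[name] = CachedRecord(rdata, now + ttl)
        return rdata, "refreshed"


def simulate_outage() -> list:
    """Walk one name through lookup, TTL expiry and an authoritative outage.

    Returns the sequence of statuses so the behaviour can be checked programmatically.
    """
    clock = {"t": 0.0}
    authoritative_up = {"ok": True}

    def upstream(name: str) -> Tuple[str, int]:
        if not authoritative_up["ok"]:
            raise UpstreamUnavailable(name)
        return "203.0.113.10", 300          # constructed answer with a 5 minute TTL

    cache = ServeStaleCache(upstream, max_stale=3600, now=lambda: clock["t"])
    statuses = []
    statuses.append(cache.resolve("example.com")[1])    # cold cache -> refreshed
    clock["t"] = 100
    statuses.append(cache.resolve("example.com")[1])    # within TTL -> fresh
    clock["t"] = 400                                    # TTL expired at t=300
    authoritative_up["ok"] = False                      # Dyn-style outage begins
    statuses.append(cache.resolve("example.com")[1])    # expired but held -> stale
    statuses.append(cache.resolve("other.example")[1])  # never cached -> servfail
    clock["t"] = 300 + 3600 + 1                         # past max_stale
    statuses.append(cache.resolve("example.com")[1])    # too old to serve -> servfail
    return statuses


if __name__ == "__main__":
    print(simulate_outage())
```

The max_stale bound matters: serving stale indefinitely would keep a moved or revoked record alive for an attacker, so the window should be long enough to ride out an attack and no longer.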

Via a Twitter post, a hacking group called New World Hackers claimed responsibility for the initial Dyn attack. Their stated motivation was simply to prove they could do it. Shortly after that attack ceased, the hacker group Anonymous is said to have performed a second wave. The participation of both groups is unconfirmed at this time as the Department of Homeland Security continues to investigate.

The Mirai source code had been in the public domain for less than one month when the attack on Dyn was launched.

Now What?

"Perfection is not attainable. But if we chase perfection, we can catch excellence.”- Vince Lombardi


Devising a security strategy for IoT devices is challenging. Not all devices are created equal. Some are patchable, some are not. Some have configurable login credentials, some do not. Some are “smart”, some are not.

For Subscribers (End Users)
The recommendations offered by researchers are limited, and responsibility falls squarely on the owner of the IoT device.
  • Purchase and implement IoT devices that require the password be changed upon initial setup. 
  • If possible, change the default login credentials. Unfortunately, not all devices allow the login credentials to be changed.
  • Upgrade the device firmware as new versions are released. Be mindful, however, that a firmware upgrade may reset all login credentials back to default.
  • Configure your router to point to OpenDNS for DNS resolution.
  • Disable UPnP on routers
  • If the device resides behind a firewall…
    • Disable unnecessary ports. Mirai’s scanner looks for devices listening on telnet (TCP 23 and 2323) and brute-forces a short list of default credentials; an SSH, HTTP or SMTP management interface exposed to the Internet is just as risky. It’s not realistic to block those ports outright everywhere, but limiting their use to specific source IPs is a good idea.
    • Monitor traffic to TCP port 48101. An infected Mirai bot reports each working credential pair its scanner finds to the attacker’s report server on that port, so an outbound connection to 48101 from a camera or DVR is a strong indicator of infection.
    • Segment all IoT devices into their own VLAN and restrict outbound traffic from that VLAN.

As with any project, we must use the right tool for the job. Relying on subscribers to build and secure their private networks isn’t the right tool for this job.

For Service Providers

What tools are available upstream from the subscriber, at the service provider level?
  • DDoS mitigation tools (e.g. Arbor) are effective at monitoring and alerting when bandwidth thresholds are exceeded, and at diverting the attack traffic for mitigation once it is identified.
  • Ensure your IPS malware signatures are up-to-date. Because the Mirai source code has been released, vendors can readily write signatures for its scanning and command-and-control traffic.
  • Implement OpenDNS so that your subscribers’ DNS traffic is screened against the most up-to-date threat rules in the industry, and to take advantage of smart caching.
  • Use the published list of affected IoT vendors to seed a DENY rule that restricts traffic from those device types. This is feasible but tricky: you need a way to recognize the device (for example, the MAC OUI of its network interface), and blocking all outbound traffic would also prevent those devices from pulling firmware upgrades from their manufacturers, so an allow-list of vendor update hosts is needed alongside the deny.

DDoS attacks are just one of the nefarious uses of IoT devices. An article published by Brian Krebs on October 13, 2016 explores how they’re also being used to turn consumer-grade routers into SOCKS proxy servers, anonymizing the source of suspect traffic. Use of these hijacked routers is then offered for sale on the dark net to further various forms of cybercrime.

What’s Next?

Device Recall
The IoT devices favored by Mirai use components built by a China-based company, XiongMai. In a statement issued on social media, XiongMai said it would recall millions of devices, mainly network cameras. Details of the recall are unknown at this time.

Growth
Per Gartner Research, there will be 6 billion IoT devices at our fingertips and on our networks by 2018. New and existing communications standards such as Wi-Fi, Bluetooth Mesh, Low Power WANs, Narrow Band IoT, and ZigBee will grow in usage as the footprint of “things” expands and smart homes grow into smart cities. 

Standardization
Encouraging or regulating the manufacturers of “things” to adhere to basic security practices is key to standardizing how those “things” can be monitored and managed on our networks.

The European Commission, in an effort to update the European Union’s telecommunications laws, is developing requirements to standardize security for IoT devices. At this time there is no indication of how security for an IoT device will be defined, measured, or monitored. Though not subject to EU regulations, we will benefit if they succeed in enforcing standardization.

CCI Systems’ Recommendations

CCI Security Engineers have studied the three recent IoT DDoS attacks and devised two lists of recommendations (one for the owners of the IoT devices and one for their service providers), both given earlier in this article under “Now What?”. Ideally the two lists would be deployed in concert, but it is not realistic to expect subscribers to have the technical knowledge to perform the recommended steps, nor for the service provider to have the access or ability to monitor the security measures of privately owned networks.

Cybersecurity = Risk Management! 
  1. Employ security best practices.
  2. Design and implement enforceable security policies. 
  3. Review and incorporate the National Institute of Standards and Technology (NIST) Cybersecurity Framework into your Security Strategy.
For more information regarding your network security, or to discuss the recent DDoS attacks, reach out to us! We’ve got the expertise and know-how to keep your network protected.

References

ABC7News. 2016. ABC7News. Oct 23. Accessed Oct 24, 2016. http://abc7news.com/news/hackers-claim-responsibility-for-massive-cyber-attack/1569209/.
Akamai. 2016. Akamai. Sep 30. Accessed Oct 12, 2016. http://www.akamai.com.
Gartner. 2016. Gartner. Oct 12. Accessed Oct 12, 2016. http://www.gartner.com.
Krebs, Brian. 2016. KrebsOnSecurity. Sep 30. Accessed Oct 12, 2016. http://www.krebsonsecurity.com.
McCarthy, Kieren. 2016. The Register. Oct 21. Accessed Oct 24, 2016. http://www.theregister.co.uk/2016/10/21/dns_devastation_as_dyn_dies_under_denialofservice_attack.
NIST.gov. n.d. NIST.gov. https://www.nist.gov/cyberframework.
Savage, Marcia. 2016. Network Computing. Oct 12. Accessed Oct 12, 2016. http://www.networkcomputing.com/applications/attackers-exploit-weak-iot-security/1139771366.
US-CERT. 2016. Alert TA16-288A: Heightened DDoS Threat Posed by Mirai and Other Botnets. Oct 14. Accessed Oct 14, 2016. https://www.us-cert.gov/ncas/alerts/TA16-288A.
Zeifman, Igal, Dima Bekerman, and Ben Herzberg. 2016. Incapsula. Oct 10. Accessed Oct 12, 2016. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html.
ZigBee. 2016. ZigBee. Oct 12. Accessed Oct 12, 2016. http://www.zigbee.org.

Thursday, June 16, 2016

The Benefits of DOCSIS 3.1

Author: Drew Kempen, Consulting Systems Engineer


DOCSIS 3.1 has finally arrived! After years of talk and development, we are finally beginning to see the initial roll-outs of this next-generation technology. A few years have passed since the benefits of DOCSIS 3.1 were touted. 

Are those benefits still relevant today? It's worth revisiting.

In order to fully understand the benefits of DOCSIS 3.1, it is necessary to understand the boundaries of DOCSIS 3.0. DOCSIS 3.0 was a transformational technology in its own right and time. It provides the capacity to deliver roughly 1 Gbps of data to a service group, the ability to offer high classes of service, and many features that help operators with customer management, reporting, and reliability.

Over time, the strengths of DOCSIS 3.0 become its weakness. Topping out at roughly 1 Gbps downstream with a 32-channel QAM bond becomes a limitation. Long-term bandwidth projections predict that DOCSIS 3.0 will begin to reach maximum capacity as soon as 2019 (without continuing to scale down service group sizes). In addition, competition driving 1 Gbps classes of service has accelerated the need for something beyond DOCSIS 3.0. The once-high service group capacities of 3.0 platforms are no longer enough. As service groups shrink to smaller and smaller groups of homes passed to manage bandwidth availability, more and more ports are required. The continual scaling of chassis, optics and other equipment to accommodate this growth becomes unsustainable.

To put this scale into perspective, some operators have said they will need to split nodes 4 to 10x over the next 10 years, and that is with full capacity used on 3.0 chassis. The result would be 10x the CMTS chassis, 10x the optics, and 10x the nodes. Facilities, rack space and power cannot scale with this growth.

For a time, these inevitabilities were pushing many operators to consider a wholesale infrastructure transition to FTTH and PON technologies. The challenge was the complete overhaul of the entire network: video, data provisioning, OSP cabling and equipment, and CPE. The cost, the technology and knowledge change, and the disruption to customers (and roadsides) made this a very unattractive option.

Enter DOCSIS 3.1. The first problem solved is the 32-channel limitation. DOCSIS 3.1 can bond much larger blocks of spectrum together to provide a true 1 Gbps class of service and beyond. This also helps the scaling problem: where node segmentation was often required once a group hit the 32-channel QAM limit, the ability to use the full spectrum for data removes that requirement.

DOCSIS 3.1 also improves spectral efficiency. For the math, consider that a 3.0 256-QAM channel provides approximately 40 Mbps of throughput. DOCSIS 3.1 uses Orthogonal Frequency Division Multiplexing (OFDM), which allows modulation orders of 1024-, 2048-, 4096-QAM and beyond. 1024-QAM carries 10 bits per symbol instead of 8, so the same 6 MHz of spectrum provides approximately 50 Mbps, a 25% increase. Combined with distributed access architectures (DAA), link quality improves enough to reach 4096-QAM and beyond. DOCSIS 3.1 therefore gets more ‘bang for the buck’ out of the same spectrum.

Figure: High-level comparison of features and capabilities of next-gen 3.1 platforms vs legacy 3.0. *Numbers may vary slightly by vendor chassis

Originally, DOCSIS 3.1 and DAA were designed with smaller and smaller cascades in mind. However, testing has shown improvements over some of the longer cascades that exist today; for example, 1024-QAM can be achieved where 256-QAM runs now. The improvement grows as cascades get shorter.

Addressing the Upstream

As data rates increase, the upstream becomes more and more of a choke point. Studies suggest that upstream capacity should be about 10% of the highest class of service offered; for a 1 Gbps service to be fully functional, roughly 100 Mbps of upstream throughput is required. As larger data pipes are brought to each service group, the upstream limits will be pushed. DOCSIS 3.0 allows for a 5-85 MHz upstream, leaving room for growth. DOCSIS 3.1 pushes the split to 5-204 MHz, which theoretically allows HFC systems to achieve a symmetrical gigabit service.
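The spectral-efficiency arithmetic above (bits per symbol versus QAM order, the 25% step from 256- to 1024-QAM, the 32-channel 3.0 ceiling) and the 10% upstream rule of thumb can be put into a small planner. This is an added example written for this page, not a CableLabs or vendor calculator; it scales everything from the article’s ~40 Mbps-per-256-QAM-channel approximation and deliberately ignores FEC and OFDM framing differences, so treat its outputs as the same rough estimates the article uses.

```python
import math
from typing import Dict

CHANNEL_MHZ = 6.0              # one SC-QAM channel width
BASE_QAM = 256                 # DOCSIS 3.0 downstream modulation
BASE_MBPS_PER_CHANNEL = 40.0   # article's approximation for one 256-QAM channel
DOCSIS30_MAX_BOND = 32         # 3.0 bonds at most 32 downstream channels


def bits_per_symbol(qam_order: int) -> int:
    """log2 of the constellation size: 256-QAM -> 8, 1024-QAM -> 10, 4096-QAM -> 12."""
    if qam_order < 4 or qam_order & (qam_order - 1):
        raise ValueError("QAM order must be a power of two >= 4")
    return int(math.log2(qam_order))


def mbps_per_channel(qam_order: int) -> float:
    """Throughput of one 6 MHz-equivalent channel, scaled from the 256-QAM baseline."""
    return BASE_MBPS_PER_CHANNEL * bits_per_symbol(qam_order) / bits_per_symbol(BASE_QAM)


def downstream_capacity_mbps(spectrum_mhz: float, qam_order: int) -> float:
    """Capacity of a block of spectrum used for data at a single modulation order."""
    return spectrum_mhz / CHANNEL_MHZ * mbps_per_channel(qam_order)


def docsis30_bond_mbps(channels: int = DOCSIS30_MAX_BOND) -> float:
    """The DOCSIS 3.0 ceiling the article describes: up to 32 bonded 256-QAM channels."""
    if not 1 <= channels <= DOCSIS30_MAX_BOND:
        raise ValueError("DOCSIS 3.0 bonds between 1 and 32 downstream channels")
    return channels * mbps_per_channel(BASE_QAM)


def required_upstream_mbps(top_tier_mbps: float, ratio: float = 0.10) -> float:
    """Article's rule of thumb: upstream capacity ~10% of the highest downstream tier."""
    return top_tier_mbps * ratio


def plan(spectrum_mhz: float, qam_order: int, top_tier_mbps: float) -> Dict[str, float]:
    """Summarise what a service group gets from `spectrum_mhz` at `qam_order`."""
    cap = downstream_capacity_mbps(spectrum_mhz, qam_order)
    return {
        "bits_per_symbol": bits_per_symbol(qam_order),
        "mbps_per_channel": mbps_per_channel(qam_order),
        "downstream_mbps": cap,
        "gain_vs_256qam_pct": 100.0 * (mbps_per_channel(qam_order) / mbps_per_channel(BASE_QAM) - 1),
        "upstream_needed_mbps": required_upstream_mbps(top_tier_mbps),
        "meets_top_tier": cap >= top_tier_mbps,
    }


if __name__ == "__main__":
    # Same 192 MHz (32 channels' worth) of spectrum at three modulation orders
    for order in (256, 1024, 4096):
        print(order, plan(192, order, 1000))
```

Running it shows the article’s numbers: 1024-QAM gives 50 Mbps per channel (25% over 256-QAM), a full 32-channel 3.0 bond is about 1280 Mbps, and a gigabit tier needs roughly 100 Mbps of upstream.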

The Importance of DAA 

DAA architectures such as Remote PHY or Remote MAC/PHY are inseparable from DOCSIS 3.1 when discussing the benefits of next-gen DOCSIS platforms. While 3.1 chassis do offer higher port density, the box itself still becomes the limitation: the next generation of CCAP platforms has more throughput potential than its physical RF outputs can use. DAA removes that limitation by providing a digital link to the node itself, eliminating the constraint of physical RF ports. It also improves link performance, which complements the ability to reach higher orders of modulation (better throughput across the same amount of spectrum).


Figure: Improvement in Mbps throughput per unit of spectrum by leveraging the higher orders of modulation made possible by DOCSIS 3.1 and DAA.

Perhaps the greatest benefit of DOCSIS 3.1 is that it dramatically extends the life of the HFC network and physical architecture. By extending the life of the physical infrastructure, it extends the life of all the assets of the network—from the video platform, existing CMTS chassis and provisioning systems, optical infrastructure, OSP, and CPE. 

The new urgency of a long-term plan

DOCSIS 3.1 in many ways did swoop in and save the day, but it also exposes a mistake that cannot be made again. For nearly a decade, many cable operators got trapped in operational mode without a long-term strategy. Had 3.1 not come along, the push to FTTH would be exploding at a rate the supply chain could not meet. 3.1 has brought new life to existing infrastructure and allowed a more graceful migration to fiber deep, higher bandwidth capacities, system upgrades, service migration and virtualization. All of these need to be executed with an eye on the longer-term future, so that what we do today complements the needs of tomorrow instead of simply extending the limits of the past.

Tuesday, May 3, 2016

CCI Is Making Investments

CTO Matt Reath explains how CCI is preparing for the future of service providers.

Over the past few years, service providers across America have been challenged with increased costs, increased complexity, changing regulations, security, and most importantly, a changing consumer. Consumers have more choices and more options than ever before when it comes to how they consume content, how they access the Internet and the number of cloud-enabled devices they have. This puts pressure on service providers to increase capacity but not necessarily increase price. 

CCI Systems’ (CCI) unique perspective as both a solutions-focused value-added reseller and a service provider fuels a deep understanding of these challenges. As your clients’ needs change, CCI is taking the steps necessary to ensure those needs are met. We are investing in key technologies and solutions that will enable our clients to create higher customer satisfaction, offer additional services to capture more revenue, and optimize their operations to create a strong bottom-line.



Investment 1: Security

CCI has launched a Cyber Security Practice led by dual-CCIE Adam Harden. The Practice is unique in its focus on service provider networks. CCI’s Cyber Security Assessment Workshops (CSWAP) program can get a provider on track with a Security Improvement Plan (SIP), a personalized guide to securing their network, and the Practice offers security services ranging from DDoS detection and mitigation to clean subscriber access. This enables providers to protect network infrastructure, improve their customer experience, and improve the overall performance of their network.


Investment 2: Data Center & Cloud

CCI continues to invest in its Data Center & Cloud Practice to evolve with the changing service provider landscape. The Practice takes two solution approaches. The first approach, internal virtualization, enables providers to reduce operating expenses by consolidating all company servers and storage into a central data center. Providers can gain space, reduce power consumption, and through orchestration—manage it as an integrated solution. The second approach, revenue creation, enables providers to generate new revenue by investing in a data center that includes orchestration and automation. Providers will gain the ability to create and deploy unique value-added managed offerings for their subscribers. A few examples include managed firewalls, virtual CPE services, hosted Wi-Fi, and secure SLA-backed storage.



Investment 3: Hosted Services

Service providers are looking for ways to create additional revenue streams but don’t necessarily have the staff or know-how to launch these services on their own. CCI is investing in infrastructure, talent, and software systems to enable our clients with services ranging from Wi-Fi to virtual CPE solutions. Clients will be able to white-label CCI’s solutions to quickly build a managed service offering in their footprint.




Investment 4: Orchestration and Programmability

Service providers’ networks are becoming increasingly complex, and the speed at which new services must be deployed is accelerating. CCI is investing in Cisco Network Services Orchestrator (NSO) to provide our customers with automated solutions for some of their top business use cases. CCI’s engineers are learning Python and other automation tools. We are investing in new talent and creating industry partnerships to bring the best solutions to our service provider customers.


CCI wants to translate our 60-plus years of expertise into benefits for service providers by addressing their biggest challenges today while preparing them for changes down the road. We work with our customers as a true ‘across the network’ solutions partner, enabling them to increase subscriber satisfaction, reduce costs, expand their footprint and grow revenue.

For more information on what CCI can do to help, contact us.