NBN: ACCC wet dream, security nightmare

The National Broadband Network (NBN) will provide unprecedented opportunities for consumer choice and competition, says network strategist Paul Brooks from Layer 10. But, at the same time, it will create 10 million potentially insecure home networks and unprecedented security challenges.

"The vast majority of the networks in this country over the course of the next decade, the person installing them, buying them — forget about maintaining them — will not have the foggiest clue what they're doing, and that's scary from a security perspective," Brooks told the AusCERT information security conference last week.

The key security challenge, Brooks said, will be managing multiple secure networks in homes and small businesses.

Most of these broadband-enabled locations currently have a single data network running through a simple internet gateway device to an internet service provider (ISP). The default configurations are usually adequate.

The NBN, however, will provide an optical network termination (ONT) device that has four Ethernet ports and two PSTN ports, and each port may connect to a different service provider. A home might use one Ethernet port each for their ISP, pay TV, their energy provider's smart meter and a security system with cameras and alarms.

Service and content providers will want each service to be on its own network. A pay-per-view movie service, for example, would want a separate encrypted connection all the way to the TV screen to deter copyright infringement. Consumers, however, will want to cross-connect services so that they can, for example, watch movies or take phone calls on the computer.

Consumers will probably avoid the cost of separate data networks for each service. Brooks believes that they're more likely to keep using a single local area network (LAN) for all their NBN-connected devices, and a single gateway device to connect the LAN to the NBN's ONT. Services that are kept separate within the NBN itself will become mingled in this home network.

If a householder uses a standard broadband gateway for this, they'll create a routing nightmare. If they make a mistake setting it up, they run the risk of data intended for the once-separate secure networks finding its way to the wrong network or, worse still, out to the open internet.

"How do we handle multiple upstream ports running through one device? How to handle when you get different multiple IP address ranges to be assigned by your different service providers? What happens when those ... service providers send down the same IP address overlapping? How is your gateway supposed to figure out which one of those providers to send the upstream packets to?" Brooks said.

"Are we going to have to get the ISPs to all send trusted routing updates down, and have your broadband router be a real router and understand how to distinguish between three, four, five, six different upstream channels all at the same time? At the moment, they don't have the chipset power to do that."

If a consumer fails to solve these more difficult routing problems, the result could be confidential information being sent upstream along the wrong network path. "If you want that information, it's going to be far, far easier to crack the home of a plumber than to try to tap NBN Co's network or the ISPs, because they actually know what they're doing," he said. And none of this is the NBN's fault, he said, because the NBN is working perfectly.

From a service provider's point of view, the customer has bridged your network to that of the other service providers.
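
An added example, not from the article or from Brooks's talk: a Python audit of what happens when prefixes from several providers end up in one gateway routing table. The port names, service labels, address ranges and flows are all constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample: prefixes learned on each ONT port (hypothetical values).
ROUTES = [
    ("port1", "ISP",         "0.0.0.0/0"),
    ("port2", "pay-tv",      "10.20.0.0/16"),
    ("port3", "smart-meter", "10.20.30.0/24"),  # overlaps the pay-TV range
    ("port4", "alarm",       "172.16.5.0/24"),
]

# Constructed flows: (service that owns the traffic, destination address).
FLOWS = [
    ("pay-tv",      "10.20.1.5"),
    ("pay-tv",      "10.20.30.9"),   # pay-TV host inside the overlapping range
    ("alarm",       "172.16.9.1"),   # alarm back-end outside its advertised /24
    ("smart-meter", "10.20.30.7"),
]

def parse(routes):
    return [(port, svc, ipaddress.ip_network(p)) for port, svc, p in routes]

def find_overlaps(routes):
    """Non-default prefixes from different ports that overlap each other."""
    hits = []
    for (pa, sa, na), (pb, sb, nb) in combinations(parse(routes), 2):
        if pa != pb and na.prefixlen and nb.prefixlen and na.overlaps(nb):
            hits.append((sa, sb, str(na), str(nb)))
    return hits

def egress(routes, dst):
    """Longest-prefix match, as one shared routing table would resolve it."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in parse(routes) if addr in r[2]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[2].prefixlen)[:2]  # (port, service)

def audit(routes, flows):
    """Return flows that leave via a provider other than the one that owns them."""
    leaks = []
    for svc, dst in flows:
        hit = egress(routes, dst)
        if hit is None or hit[1] != svc:
            leaks.append((svc, dst, hit[1] if hit else None))
    return leaks

if __name__ == "__main__":
    print("overlaps:", find_overlaps(ROUTES))
    print("misrouted:", audit(ROUTES, FLOWS))
```

The second misrouted flow is the case the article calls worse: with no matching specific route, the alarm traffic falls through to the ISP's default route and heads for the open internet.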

Despite these problems, Brooks believes that the NBN is "the ultimate enabler of competition and choice".

"We're now entering a third era of home and small business communications where you can choose several providers from many providers and have them all running simultaneously," he said. "If you wanted to do time-of-day internet routing and choose which ISP you wanted to use — one in the morning, one in the afternoon — because they each offered an off-peak rate at different times, you can do that."

You could also try a new service provider on a spare port before committing to them, and transferring between service providers could be done without a gap in service.

"The [Australian Competition and Consumer Commission]'s wet dream is the NBN," Brooks said.

About

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

Talkback

13 comments
  • The NBN does not create 10 million or any other number of insecure networks than exist now. We aren't changing anything except the carriage medium. People still have a router, and people who don't know what they are doing now will still not know anything about them going forward. Equally, the people who know what they are doing now will still "get it". Security is important, but the NBN does not change the logical positioning of home networks across the entire internet ecosystem.
    mwyres@...
    • I think the author has a fair point. We're not "just changing the carriage system", we're looking at going to a situation where a home network doesn't just manage a single broadband connection but multiple connections from different service providers. It makes resource provisioning, interoperability and security more challenging. In other words, it's not a layer 2 (NBN) issue, it's higher up the pyramid.

      However having said that, I suspect that the inherent premium placed on information hiding in software development should lead to adequate solutions by the time it becomes necessary.
      redrover-fac06
    • He's right to a point but is going way off tangent, there will be few home users that connect to multiple ISPs simultaneously so routing shouldn't be an issue.

      Right now the home router provides some sort of firewall, so if you remove that and plug the home machine directly into the NBN box if the machine isn't secure then it's open slather, that's where a potential problem could be.
      Tezmyster
      • Not at all. Consider the reasonably realistic scenario a few years down the track where a residential customer has internet services from one RSP, a video(TV)-on-demand service from a second RSP and a dedicated eHealth service from a third. The safest option would be for all three services to plug into their own separate box and thus be isolated from each other. However, it's not unreasonable to assume that many customers would like to integrate their services within a common portal run over a home network (just like some people use universal remote controls because they don't like having to use separate ones for tv, dvd, foxtel, gaming console, stereo and god knows what else). The security issue would be if one service has a security exploit (most likely the internet) does it put the other services at risk as well? Home networks will need appropriate security to deal with this otherwise there's a real danger of identity and financial phishing.
        redrover-fac06
        • Like the article I think you're going a little bit off track.

          I am not referring to multiple services running via the NBN box or anything like that, I am referring to an individual internet service running via the NBN box, where the user plugs their machine directly into the NBN box without anything in between them. That is different to right now because right now typically people have a router in there that handles the connection as well as acting as a firewall.

          Do you not see the inherent security risk of having unsecured machines connected directly to the NBN?
          Tezmyster
          • Ah but that's not the point of the article. The author even states in the 4th paragraph that for the current situation where the customer/home is only receiving a single service (internet) then the current security arrangements are typically adequate. He was addressing the situation where the home is using multiple services (the nbn box does come with 4 ethernet ports for different services)

            As far as your concerns I guess that if someone is currently using a router to implement a home network so that multiple computers can connect to the internet they'll continue to use one. They'll just run a cable from an nbn ethernet port to the router instead of from an adsl or cable modem. If someone is connecting a single computer directly to the nbn box then they'll be relying on a software firewall to protect them, again just as they do now.
            redrover-fac06
  • I think you underestimate the security impact of having more complex home networks. Home networks today are generally not multi-homed.
    stilgherrian
    • Perhaps - but I don't agree that they must be multi-homed - that will depend on the devices that the RSPs roll out.

      For example, your internet comes into a router, and you back it onto your 192.168.1.x network, say as 192.168.1.1.

      Say then, your Foxtel starts getting provisioned over another NBN circuit, they would do that straight into the box, and have an ethernet port you could place on your network as 192.168.1.2 so you might be able to access recorded material on it. It doesn't have to be - (and I see no need for it to be) - providing a routing function.

      It gets down to how the RSPs architect their solution, and puts that security into their hands - away from those who don't know. If you take the responsibility away from the "unknowing end user", which 95% of people will be either way, there *shouldn't* be a problem.

      All there needs to be is an accreditation scheme for gateway devices for connection to NBN services. That way, if you run a non-accredited device, you do so at your own peril.
      mwyres@...
  • I don't think the "complications" of different services on different ports will be a real issue. When you sign up to Foxtel/Austar, someone comes to install the dish/cabling/ports etc. right? It's the same, except they will come and connect the box to the right port on the NBN box. Of course it would vary depending on the service, for example internet providers don't generally come and set up your modem for you - but some local resellers may do so. I guess it's a matter for each individual retailer to decide.
    Chuqtas
  • For security, the situation is in fact quite similar to VPNs. Multiple networks shared in a single box creates potential security issues when the networks are of different security grades.

    The issue is that consumers demand integration of devices both for ease of use and to prevent duplication.

    In the end, people expect to run a single CAT6 cable to individual devices. Alternatively connect to a single wireless network to access all network resources. Any possible service delivered through the ONT, you can think of a compelling case to enable exchange of information to shared devices. Even that PSTN SIP port, I'd like the ability for my iPhone to receive and make calls over WiFi.
    AndersonL-e0a14
  • Our home network has 2-3 outlets in most rooms, with two CAT5Es plus a coax going to each. This should be enough by the sound of it.

    Stumps me why people skimp on a few duplicated wires when building the network, even though it costs little extra.
    csomole
  • The thing is you are all way off the point,

    The NTU has 4 ports, yes, but just like any other NTU that has multiple ports, each port is mapped to a different provider and only that provider will be using that port.

    This article is just a scare tactic with no basis whatsoever. Just like the mid band Ethernet that is delivered today, it will be mapped to a port, then the customer will plug that company's CPE (customer router) into the port specified by the provider. It does not matter if there are overlapping IP ranges at all because it is on a separate port on the NTU, logically separated from other providers using other ports.

    I hate the idea of the NBN. I think it is a massive waste of taxpayers' money when we could be using upgraded HFC and FTTN with VDSL instead of FTTH, but I really wish that the media would get facts straight before posting hogwash like this.
    chris.benecke@...
  • I just want to be sure what is being said here.

    The NBN box will connect your house to the Internet, yes? This will be provider-independent, so no matter who you end up signing with, it will not matter from the router's point of view (just a matter of the settings and the route mappings).

    This will also integrate your pay TV, gaming, smart TV and other gear into one unit, rather than multiple connections thus far.

    Well... it would seem to me to be that support for IPv6 should be in-built to the unit, with NAT and DHCP support. Your ISP could provide your home network a range of 10 or so IP addresses (this would reasonably cover multiple PCs, a gaming console, smart TV, and mobile devices connecting via Wi-Fi) with one dedicated to the router. Smart TVs and gaming consoles would connect to the Internet via your router in any case, so it would make no sense to change this design.

    Pay TV and security systems could be a bother, but if it is true that multiple connections can be established on the one box, then this could probably be a matter of IP routing and mapping (when you subscribe to these services, a technician is usually required to install the physical components, so it would be fair to say that they could also configure communications for these devices).

    This is just my opinion. If anyone has more technical details on the NBN (particularly on setup, and integration of household devices), I'd be happy and quite interested to know more.
    dmh_paul