As Johna Till Johnson watched World Trade Center collapse, burying Verizon Communications' megacentral office in rubble, she had an epiphany.
"If they really wanted to do damage, they would have taken out the telco building," she said. "They went after the thing that had press potential."
Johnson wasn't alone in that assessment. Although the network performed remarkably in the aftermath of the terrorist attacks on New York and Washington, D.C., the attacks reminded security experts, network providers and administrators, and policy makers that the world's miraculously robust telecommunications network remains extremely vulnerable.
Long-haul networks, central offices, peering points, telecom hotels and metro loops may fall victim to low-tech attacks by backhoes and bombs. Wireless networks that may wobble if a cell site or two is lost are only as good as the wireline network that supports them. At the edge of the network hangs a mishmash of computers and routers that are essentially an open door to a list of threats as vast as the imagination.
"I think our communications system is vulnerable to the things we don't consider, like terrorism," said Frances Clairmont, former director of Pacific Bell's Network Access Point (NAP). "I don't think it is vulnerable to a kid that has a bad attitude."
U.S. intelligence and security policy experts have warned for several years that the open nature of the Internet has made the nation's infrastructure assailable. But they acknowledged last week that little has been done to mitigate potential threats from disruption of emergency communications in cities across the country, damage of power grids, disinformation campaigns and the crippling of financial communications by dedicated and sophisticated attacks.
And yet, absent a coordinated government infrastructure security policy, private enterprise has managed to evolve its own set of protections. The points at which data and voice traffic are handed off from one network to another are hidden and geographically diverse, and key switching gear is housed in hardened buildings. Redundancies are built into networks, and the Internet is so widely distributed that it is literally hard to kill.
The nation's backbones, for example, run on Synchronous Optical Network rings. If one node is knocked out, the system knows to find another route, explained Bandwidth.com CEO Henry Kaestner.
"It would take a highly intelligent attack on one carrier's backbone. They'd have to knock out two nodes simultaneously, and even that would take down only one carrier," Kaestner said. "We have much more protection than we once had, when all communications were moving over one carrier."
Johnson, chief technology officer of network engineering and consulting firm Greenwich Telecom Partners, said, "AT&T has been thinking about this for 50 years, and finding their data centers is almost impossible."
Additionally, the Federal Communications Commission established the Network Reliability and Interoperability Council 10 years ago, after a series of major outages in the telecom signaling system. The industry group works without government intervention to develop best network practices, attacking problems such as year 2000 and packet network reliability.
Doug Sicker, Level 3 Communications' director of global architecture and chairman of the NRIC's steering committee, said he doesn't expect major policy changes as the result of the terrorist attacks. And on some levels, he said, the Telecommunications Act of 1996 was the best infrastructure insurance policy the FCC could have taken out.
"The government has done the right thing in having a pro-market approach to telecom policy, which allowed for a diversity of infrastructure to exist. That diversity aids redundancy, and makes for a more reliable network," Sicker said. "That doesn't mean that we don't need a strategy."
The Nimda virus attack on the nation's desktop shone a spotlight on how vulnerable the Internet infrastructure truly is. But that same structure--distributed and diverse--is also the network's strength.
"It runs on different platforms, on infrastructure built by different people. If the Net were built completely out of the same vendor's piece of hardware, you could take it all down with a fell swoop," said Doug Jacobson, director of the Information Assurance Center at Iowa State University. "The virus today attacks Outlook, but not everyone uses Outlook, not everyone uses Windows and we all don't run Cisco [Systems] routers."
Nevertheless, it's the only part of the network to which everyone has access.
By Todd Spangler
By far the most unstable, vulnerable and insecure portion of any network today is the loose agglomeration of systems that hang off the edge of the Internet.
The millions of desktop PCs and servers that connect to the Internet and corporate data networks are susceptible to a long--and constantly growing--list of hacks, attacks, probes, worms, viruses, packet floods, outages, data sniffers, rogue employees and unreliable software. Security technologies and practices continue to evolve to minimize these threats. But as more computers connect to the Net, the chaos at the edge could become even worse.
"We see the edge--all the way out to remote end-points--as definitely the most vulnerable point of the network," said Matthew Kovar, a Yankee Group analyst. "That's the biggest problem out there, but it has been wildly ignored."
Just one point of proof: The Nimda worm outbreak, considered the largest-scale attack on Windows machines ever, disabled countless thousands of computer systems in a matter of hours.
While Nimda is a serious problem, able to give unauthorized users full access to a company's servers, security experts said it's only a matter of time before some evil genius releases an even more powerful and destructive worm that steals, deletes, or corrupts corporate data.
"A payload that actually goes after databases is completely possible. You could easily envision a virus that can zap an entire Oracle database," said Jim Reavis, chief marketing officer of Vigilant-e, a network vulnerability assessment software vendor.
This is particularly threatening to enterprise networks that have remote users who connect to the main office by modem or by tunneling in through a virtual private network. Often these PCs are not managed as part of a company's overall security policy. In some cases, malicious code is stopped at the perimeter, only to be introduced to the network by a remotely connected machine. Add up all the telecommuters and road warriors, and "you don't have one Internet connection in an organization--you have a thousand," Reavis said.
After the terrorist attacks on New York and Washington, D.C., some corporate security managers reviewed the state of their network security and decided to simply pull the plug on their remote access, Kovar said. They concluded that the security risk far outweighed the convenience of letting employees work from home.
But that's a short-term, head-in-the-sand approach, said Greg Smith, Check Point Software Technologies' director of product marketing. What's needed is a personal firewall for each remote user's PC that can be centrally managed--such as those that Check Point can provide.
"The way to roll out and manage personal firewalls is not how people envision today," Smith said. "They imagine that the end user installs and manages that firewall. But that has to be done at a corporate level."
If you really want to take down a network operationally, though, nothing beats a distributed denial-of-service attack. Such DDoS attacks are simple to execute and effective in temporarily putting a network out of service. Basically, they overwhelm a network with multiple megabits per second of bogus traffic. Edge networks are especially vulnerable to DDoS attacks, since they typically have lower-bandwidth connections than service provider networks.
The distributed and open nature of the Internet makes it tough to defend against DDoS attacks. "The Internet and its protocols were designed and built to be cooperative," said Stefan Savage, co-founder and chief scientist of Asta Networks, which makes an anti-DDoS system. "But if someone doesn't want to play by the rules, they can do a tremendous amount of damage." And so far, there's no great defense.
By Max Smetannikov
In a physical attack, disabling communications in the U.S. would be a frightfully simple task because both voice and data traffic move through as few as four buildings in some cities, and many are far less secure than they probably should be.
Take out the main central office, cable headend, telecom hotel, and carrier-neutral peering point in a particular city, and all but the simplest Internet-based communications would be seriously disrupted.
There would be no cable television. Businesses would not have working telephones or high-speed Internet connections. Most would not be able to facilitate any paperless transactions because all data lines, from frame relay to Gigabit Ethernet, would go dark. Wireless calls would fail to be completed. Many Web sites would go dark. The Internet would slow to a crawl, rendering such things as instant messaging unusable. ISPs would have no dial tone. Cable and DSL modems would fail.
The new networking message is clear: In the wake of the latest terrorist attacks, modern information-based companies can no longer afford to rely on infrastructure with single points of failure. The best insurance, networking experts say, is in geographic diversity.
While most Internet traffic is exchanged at five high-profile locations--Metropolitan Area Exchange East and MAE West, and NAPs owned by Ameritech, Pacific Bell, and Sprint--a lot of the traffic is exchanged privately between major carriers.
An attack on major backbones owned by Cable & Wireless, Genuity, Sprint, or WorldCom could be devastating, but built-in rerouting redundancies make the Internet truly hard to kill. Data traffic on major backbones is handed off at 50 or so locations, and could be rerouted through a large number of "ghost routes" that even the best-connected networking professionals can't count. Internet networks are often interconnected in unmarked manholes on the street, which adds to the security.
"Unless you are a company insider, you can't tell the difference between a green telephone box which serves Aunt Minnie, and a green telephone box which serves the First National Bank by looking at it," one networking engineer said.
But redundancies grow slim as customers start using facilities such as telecom hotels, carrier exchanges, and telephone companies' central offices.
"Should companies, banks, stock houses and other financial institutions be in facilities like telecom hotels? No. They should get out of there," Pacific Bell's Clairmont said.
These buildings are connectivity hubs for telephones; DSL, dial-up and cable modems; T1 (1.5-megabit-per-second) leased lines; and high-speed fiber connections. Needless to say, their loss would be devastating.
By Bill Scanlon
One of the least vulnerable networks is metro Ethernet, which has a multiple-ring architecture that lets data change directions and reroute if it runs into congestion or equipment failure. It also lets customers ratchet up bandwidth in seconds--rather than days--during an emergency.
Gigabit Ethernet networks can be constructed with so much resilience, they are almost fail-safe in any situation, said David Neil, vice president of Gartner. "You can have more than one ring going around the city, and leap from one ring to another to get over a failing component."
The problem, however, is that many metro rings rely on the more vulnerable first-mile connection. "Once you get on the Gigabit Ethernet ring, the metro area network, you should be quite safe. The issue is getting on there," Neil said.
Providers such as Yipes Communications offer their customers ring architecture right to the building. And most of Yipes' 3,000 customers opt for it, said Kamran Sistanizadeh, the company's CTO. "We have a north and south entrance. The fiber comes into the building, gets terminated in a box, then comes out at another box and exits the building on a different path." If one side of the ring is lost, the data turns and goes through the other.
Yipes' networks performed without a hitch during the terrorist attacks on New York and Washington, just as they did in February, when an earthquake rocked Seattle.
"Regardless of what we say about why metro Ethernet is theoretically better, in a practical demonstration, our networks survived," said Ron Young, co-founder of Yipes and chairman of the Metro Ethernet Forum.
Telephone companies snipe at the Ethernet players, saying rerouting through the maze of Ethernet rings and meshes can delay delivery of traffic anywhere from 200 milliseconds to two or three seconds. That's in contrast to the much faster 50-millisecond latency in the circuit-switched world.
But the members of the MEF bark back that they'd rather have a two-second delay and get the data, than have the data get close to the destination at blinding speed, only to disappear because a line card or trunk card has failed.
"The majority of enterprises would prefer to have the service, although it might be a few milliseconds later," Young said.
But Peter Evans, Nortel Networks' vice president of marketing of metro optical solutions, said a two-second delay is too long for banks, brokers and financial institutions that transfer money and stocks in milliseconds.
Nortel is building 50-millisecond latency into optical Ethernet networks, Evans said. Putting "five nines" reliability into the networks it builds for carriers gives Fortune 250 companies the option to get out of the network business and instead rely on service-level agreements from trusted carriers.
Still, any network--circuit-switched, Ethernet or IP--has several single points of failure if redundancy hasn't been built in to guard against a natural or human-caused disaster.
By Bill Scanlon
Most enterprises are poorly prepared to deal with natural disasters or terrorist attacks, often because they wrongly assume their circuit-switched networks have end-to-end backup resiliency.
The typical enterprise relies on an amalgam of circuit-switched, Ethernet, IP and wireless networks that far too often share the same central office and don't have the redundant routing to survive a direct hit to that office.
Circuit-switched networks have been rapped for not having the resiliency and redundancy to reroute traffic that runs into a fiber or wire cut, because they don't have as many dispersed points of presence as IP networks have.
But the big problem for enterprises running circuit-switched networks is that first stretch that connects them to the public network--a vulnerable mile, or two or three, that links them to a solitary central office shared by several carriers and service providers.
And that's a vulnerability that circuit-switched networks share with Ethernet, IP, data-only and sometimes even cable networks. If a tornado, earthquake, ice storm, or terrorist attack disables that shared central office or the lines leading to it, all data and voice communications for miles around could stop dead in their routes.
Small and midsize enterprises rarely have backup lines connecting them to the public network--and when they do, they too often find that both lines go to the same central office.
Businesses wrongly think they're protecting themselves by getting one line from, say, Verizon to connect to the public network, then turning to a second carrier for backup, Gartner's Neil said. "What they don't know is both those companies are sharing or storing their equipment at the same premises."
Jack Norris, head of customer service and equipment of global carrier Equant, said the ideal safeguard is diverse local loops. "They're not always available," he said. But office buildings that are served by more than one central office can install separate routes to the outside, and so offer the peace of mind that comes from redundancy.
Still, information managers have to be careful. A building may be served by both an incumbent carrier, such as BellSouth, and a competitive carrier, but that doesn't mean the two carriers are taking separate routes to the Internet.
"It's going to be quite expensive, but you have to look at this as an insurance policy--balance it against what it would cost to be knocked out of business for eight hours or a day or a week," Neil said.
By Nancy Gohring
The most serious threat to wireless networks is call volume. Wireless architecture has enough redundancies built in that a failure along any point wouldn't significantly cripple an entire network.
If one cellular base station or antenna--a node of the network that receives calls--were brought down, wireless phone and network devices would still be able to communicate with another one nearby. "Typically, your mobile phone is talking to from two [cells] to six cells," said Jim Freeburg, Lucent Technologies' director of wireless architecture.
In addition, most wireless operators own spare cell sites, called cells on wheels. Carriers typically use them when they expect a surge in volume on a portion of the network, such as during major sporting events, but they can also be used to quickly replace a malfunctioning site.
Cell sites are connected to base station controllers and then to a switch, which connects the wireless network to the wireline public switched telephone network. Because as many as 25 to 50 cell sites might link to one controller, a failure at the controller could be damaging to a network. However, some wireless operators build their networks so that every other cell site in an area is connected to the same controller, so if one fails, the network can at least offer spotty coverage, said John Touvannas, senior product manager of Motorola.
Lucent's gear combines the controller function and the switch, but most of its customers can reroute traffic to a different switching facility if one fails, Freeburg said.
In today's circuit-switched wireless networks, unusual call volume will always harm network performance as too many users compete for a limited number of circuits. But some mobile voice operators now using circuit-switched technology said they plan to move toward a packet-based network similar to that used by the Cingular Interactive data network.
"It's the difference between circuit-switched, where you need to have a direct connection and you only have so many circuits, versus packet, where data gets through in order of priority," said Jesse Perla, CTO of MobileQ, a developer of software for mobile e-mail and Internet access.
Motorola has developed an IP radio access network that it says will make networks more reliable. In such a configuration, all components, including the cell sites and controllers, are distributed and work as a peer-to-peer network. "If you lose one, the base station isn't specifically tied to one controller. It's routed based on load," Touvannas said.
But not everyone is convinced IP will make networks more robust; Lucent's Freeburg is particularly worried that a software problem could spread across all the nodes. "The challenge I see for us is how to maintain the same level of reliability in the new IP networks. They aren't automatically more reliable than today's networks," he said.
By Richard Williamson
In a world that runs on information, the loss of Cable News Network in a crisis might seem unthinkable. But today, the cable infrastructure is carrying a lot more than Animal Planet and reruns of The Brady Bunch, and like all other networks, it has its vulnerable points.
About 70 million U.S. homes receive video cable; of those, 1.3 million get telephone service over the same pipe and 5.5 million get broadband Internet access.
Traditionally a regional or local service, cable consists of 224 networks across the country. But the industry is undergoing steady consolidation as major operators such as AT&T Broadband, AOL Time Warner, Comcast, Cox Communications and others seek greater efficiencies through less redundant infrastructure.
Still, it would be highly improbable for terrorists or saboteurs to be able to deliver a national knockout punch to cable communications, industry experts said. Instead, networks in major metropolitan areas might be targeted.
"In a nutshell, the cable industry would be a difficult target, mostly because it has vulnerable points, but they're very broadly dispersed," said Mike Paxton, Cahners In-Stat Group's cable analyst.
Satellite broadcast networks are even better protected. Knocking out a single satellite would be damaging, but few nations--much less terrorists--have the ability to knock out a target 22,000 miles above the planet. The Earth-bound distribution system would be more vulnerable, but that, too is geographically scattered.
Like traditional telecom networks, cable has hubs and spokes, with the headend serving as the equivalent of a telephone company's central office. As part of the cable consolidation, the number of headends in major metropolitan areas is declining. But they are still numerous enough to prevent an entire urban area's communications being lost in a single blow.
Across the country there are roughly 11,000 headends, Paxton said. And while security is always an issue, most of the headends are protected by little more than "an 8-foot fence and a building with a lock on the door," Paxton said.
Perhaps the biggest blow to the video world would be an attack on satellite uplink centers such as AT&T's Headend In The Sky. The 7-year-old HITS installation in Littleton, Colo., delivers digitally compressed cable TV programming signals to cable operators around the U.S. For companies such as AT&T and Cox that operate primary cable telephony systems, the security of switched networks operated by other carriers is a concern.