Voice Plus - How Secure Is Your Multiservice Over DSL Network?
Enabling Secure Broadband Access
Joachim Hallwachs
02/01/2001
Rising competition in all sectors of telecommunication services--most apparent today in the case of long-distance voice and Internet access--has led to a new breed of service providers. Offering bundles of voice and data services, this aggressive group of integrated communication service providers (ICPs) is capitalizing on the competitive opportunities in a deregulated market. This trend is paralleled by the evolution of ISPs to provide more margin-rich application and business infrastructure services, in the form of ASPs, security service providers (SSPs) and ever more specialized business service provider segments. All of these new services need to be supported by the ICP's broadband service access networks, whether they are based on DSL or wireless. Furthermore, data security--as well as communication confidentiality--is perhaps the most fundamental requirement for many of these services to be adopted widely. The bottom line is that communications security will become a fully embedded function in future broadband service access networks. This creates a new paradigm for service providers and equipment vendors in the access network industry--the secure multiservice broadband access (secure MSBA) infrastructure.
Economics of Service Bundles
In a world of open competition, service revenues of individual telecommunication services--such as Internet access--are dwindling. Often, they're even offered as free services. Similar trends are seen in the world of voice telecommunication services--most notably for long distance, but also for wireless. This endangers the business case for many service providers because they cannot prevent customers from changing to more cost-effective service bundles, and their net revenue is constantly diminished. As a result, new technologies have emerged to solve this business problem--specifically, converged access network technologies utilizing DSL and wireless networks.
These network solutions are providing a bundle of traditional voice and data services together with Internet access. These new converged networks consist of two essential components: IADs and voice gateways. IADs are deployed on the customers' premises and perform the task of interfacing with new and existing products such as routers, LAN switches, telephones, fax machines and PBX systems. This task can only take place at the customer premises in order to aggregate all of these technologies across one converged access network, typically one that is ATM-based. Voice gateways provide access to the voice service networks, thus enabling feature-rich, toll-quality voice communications services.
A New Breed
As early adopters, ICPs are capitalizing on the merits of these new technologies. The economics are simple: The same infrastructure investment that was already made to reach a customer over DSL, wireless or traditional leased lines can now be utilized to draw many times the monthly revenues of standard Internet access offerings. Business cases for new service offerings show investment amortization within just a few months. But even here it becomes increasingly obvious that standard service bundles comprising long-distance voice, local dial tone and Internet access will also see increasing competition. Therefore, service providers are already looking into more incremental revenue streams that can be rendered specifically to the small to medium-sized enterprise business customers.
A second emerging segment of new and aggressive service providers are the ASPs. While the term "application service provider" is simple, it actually refers to a variety of services, starting with hosting services for data storage, web services, security and even media services. These services are based on an extension of customers' corporate networks into the service provider's data center, where the actual server and media hosting infrastructure is provided.
The appeal of offering more margin-rich business application services with the standard telecommunications service bundle is compelling, but any enterprise customer contemplating the transmission of confidential data or the outsourcing of any type of business application will require strict guarantees that data communications are absolutely secure.
Security at Infrastructure
Given the security requirements, new margin-rich data services will only gain traction once business customers are assured of network security. In fact, the very success of these new service providers--whether they are infrastructure providers or ASPs--is dependent upon the presence of security across the broadband access network. While DSL, T1 and many wireless broadband technologies have eased the last-mile bottleneck, this "broadband" (at an average of 2 Mbps to 8 Mbps) is still a relatively slim pipe when compared to the high-speed networks at the customer premises and at the data center. Thus, when addressing security, a critical requirement is that the broadband pipe maintains wire speed. Security features cannot compromise the throughput of the access network. In addition, security cannot obstruct the delivery of real-time multimedia services across this access infrastructure.
Undoubtedly, there are many areas within the network where security can be implemented, and each has its merits and ideal applications. For service providers that focus on delivering a broad menu of services over a DSL, T1 or wireless access facility, however, installing a wire-speed, customer premises-located security solution is the most cost-effective, the highest performing, and by far the most robust approach, and the only one that supports the requirements mentioned above. The challenge for the service provider, then, is to provide wire-speed, multimedia-capable broadband security services at cost points that are suitable for the small and medium-sized enterprise market.
Table Stakes or Winner's Spoils?
As mentioned previously, converged access networks provide service aggregation using IADs--customer premises-located devices that aggregate all telecommunications service aspects. At the customer location, the service provider can quickly deploy a custom-designed hardware option for these IADs providing a firewall. Because hardware application-specific integrated circuit (ASIC)-based solutions run much faster and are much less expensive than comparable fast processor-based solutions, wire-speed communications are maintained, enabling even real-time multimedia delivery at a cost point well suited for the target segment of small and medium-sized enterprise locations. The synergy of this approach is that a service provider will have already planned for the installation and deployment of a managed IAD in order to deliver a basic bundle of voice and data services, such as a handful of analog telephone lines and Internet access. With a small investment, the service provider can add the option required to offer a managed firewall service--a margin-rich incremental revenue opportunity to business Internet access services. Even in the case of a managed firewall service, the return on investment typically occurs within three to four months--after that period, the revenue becomes pure profit. No upfront investment in network infrastructure is necessary to secure customer premises access until after a customer has signed up for service delivery. Hence, the IAD-integrated, premises-based solution offers the customer the best possible performance while also being the most cost-efficient solution for the service provider: a clear win-win. 
Now that the customer has been equipped with a full-featured, managed security service platform, the service provider has a whole new set of value-added services to offer in addition to the basic voice and data bundle, including: managed wire-speed firewall service, managed IP security (IPSec)-based site-to-site VPNs, managed IPSec-based business-to-business infrastructures, secure remote access and teleworking VPN support, hosted certificate authority services, and secure broadband media services (e.g., videoconference hosting).
More Than Just a Firewall
Firewalls are a first line of defense for protecting the enterprise. But for fully secure VPNs, businesses also require IPSec VPNs, along with 3DES (data encryption standard) encryption, using Internet key exchange (IKE) and public key infrastructure (PKI) for automated service configuration. IPSec-based VPNs form the essential, secure umbilical cord between the customer and the data center of his ASP using public certification technology and 3DES encryption. Many types of application and hosting services can now be rendered across the broadband network--providing a level of privacy, confidentiality and data integrity that even exceeds the capabilities of normal ATM, frame relay or voice networks. These services can now gain widespread acceptance.
IPSec's open topology, and the fact that it enables any information to pass safely through the public Internet, allows service providers to enable other telecommunication services as well. Traveling salesmen, remote corporate sites and teleworkers, for example, can be connected safely into the intranet of a business customer. Last but not least, the same technology can provide the trusted infrastructure between two businesses, exchanging confidential pricing or ordering information in today's automated commerce infrastructure.
The Secure MSBA
The fundamental drivers for a secure MSBA network are very real today--application or business-level services will simply not be accepted by customers without high-performance, embedded, infrastructure-level security. The key point for scalability in performance and operations, administration and maintenance (OAM) is integration with the entire managed broadband service access infrastructure--enabling secure wire-speed broadband services for the estimated 8 million small to medium-sized enterprise business customers in the United States alone. Secure MSBAs, enabled with a premises-based service delivery platform, will immediately provide ICPs with margin-rich revenue streams from firewall and managed VPN services. In turn, the ubiquitous availability of the secure MSBA infrastructure will pave the way for the emerging managed application and media hosting services that small and medium-sized enterprises are already looking for--allowing service providers to create even more incremental revenue opportunities from the same initial investment.
Joachim Hallwachs is senior director of product marketing at Accelerated Networks Inc. (www.acceleratednetworks.com). He can be reached at jhh@acceleratednetworks.com.