Incident Response, TDR, Vulnerability Management

Protecting the IPTV/VoD infrastructure


Depending on where you live, IPTV (IP Television) and video on demand (VoD) are already here or coming soon. Such services can create security risks. Although IPTV/VoD does not run over the public internet, it is an IP-based service, subject to the same hackers, threats and vulnerabilities that plague email and internet access.

Hackers are opportunistic, quick to exploit services in the early phases of their adoption cycle. That is, before security countermeasures have been hardened, and when consumers' opinions and impressions are most malleable. Thus, network operators and businesses or consumers using these services must correctly implement security measures from the start.

Many of the concepts and strategies that network security experts use for IP services can be applied to protect video and the content delivery network. Despite similarities with other IP-based services, however, IPTV and VoD also present a unique set of challenges. For example, video in general is a real-time application that requires high bandwidth. And customers have higher quality expectations for video than for “best effort” services such as email. Combined, these differences make it difficult to apply traditional protection techniques to the video-serving infrastructure in a cost-effective manner. A new approach is needed.

Video serving infrastructure

Protecting the video-serving infrastructure from attack requires maintaining video streams and equipment at optimal performance levels. Degradation of video streams or serving equipment can impact subscriber experience. Denial of service (DoS) or distributed DoS (DDoS) attacks are often the mechanisms for attackers to bring a video server to its knees. Such attacks flood servers with repeated illegitimate requests, robbing the video server of processing cycles to handle legitimate requests -- and eventually overwhelming the server. The attack is primarily intentional but can also be unintentional due to faulty equipment or connections. One example is faulty memory or even a loose network connection that could cause a set-top box (STB) to continually request resending of packets.

Direct subscriber interaction makes the video-serving infrastructure particularly vulnerable to DoS attacks. Stateful firewalls complement DoS protection features embedded within network devices and can be effective in monitoring the number of requests per second per subscriber. Repeated requests can be blocked by the firewall if they exceed the stated thresholds. However, due to the high bandwidth requirements of video, firewall capacities can quickly reach their limits. The demand can require large firewall farms to protect a farm of video servers. This can create network management challenges and high costs.

VoD servers are susceptible to application-level attacks. Successful application level attacks can result in subscribers receiving free movies or incorrectly charging subscribers for videos not ordered. To protect against this, stateful firewalls are used or intrusion detection and prevention (IDP) systems, which can perform signature or pattern matching. (IDP systems use signatures for known attacks and also recognize protocol anomalies to detect zero-day or unknown attacks.) However, some solutions combine functionality into one device.

Video's high bandwidth requirements may dictate a dedicated security device for each video server, which is simply not cost-effective. In large provider networks with many video serving offices, this creates an operational challenge to manage and update the large number of firewalls, as well as to monitor for attacks. In fact, stripped down high-capacity firewalls without IDP functionality often cost more than the servers they protect.

One solution is to take advantage of asymmetric traffic routing so that firewalls/IDP gateways are not overloaded and fewer devices are actually required. The asymmetrical approach means the firewall/IDP device looks only at the upstream control traffic -- that is, traffic coming from the subscriber to the video server. The upstream control traffic is where security threats are initiated and are thus the highest risk. Upstream control traffic is also much lower bandwidth by nature since it is primarily subscriber requests only and much more manageable. The downstream video traffic is sent directly to the access network without passing through the security device. Since it comes directly from the video server, downstream traffic is considered safe.

Service providers can determine network protection policies and then set filters on the combined firewall/IDP functions to detect and stop undesirable behavior. For example, the service provider may choose to limit the number of requests that will be forwarded to the serving infrastructure from a given source such as a set-top box. Stateful firewalls can keep watch on the number of requests per second for a given box and a threshold can be set so that requests exceeding that threshold are discarded. In this way, if a server is experiencing an unreasonable number of requests, providers can maintain service quality for most subscribers served by that equipment, while impacting service for the offending client only. Excessive or persistent levels of unreasonable requests that violate network policies can be elevated as an alarm and service requests temporarily denied. This approach prevents DoS attacks automatically, while enabling the network operator to be notified of the condition and the source of an attack.

Equipment vendors have established signatures of acceptable traffic patterns as well as malicious ones. Through this knowledge, the video-serving infrastructure can be protected from frontal application attacks by looking for signature matches of known attacks. Of course, this method should be one of many implemented because it is only as strong as the frequency of signature file updates.

Home network vulnerabilities

As home networks grow in popularity and utility, so does the likelihood that IPTV/VoD services will be carried over the same home networks as internet services, file transfers, gaming sessions and voice over IP (VoIP) calls. A security breach on a home PC opens up the opportunity for bandwidth-consuming attacks that can degrade performance of the provider's service and, worse, provide an inroad to the service provider network itself.

For these reasons, it is important to consider security requirements in the “last yard”, as service providers offer more advanced services to end users. This is a challenge for the IPTV/VoD service provider since the provider will typically have little control over the home network beyond set top boxes and residential gateways. Technologies such as Network Node Validation, 802.1x, and others may prove beneficial in this area since they can enforce a particular security policy before a device is allowed to connect to the network.

As a new service, IPTV/VoD is particularly vulnerable, both from a security standpoint and from a competitive perspective. To ensure the success of their new IPTV/VoD services, providers must build into their networks a comprehensive, network-centric security strategy right from the start.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.