Telco Security Misses Mark

Carriers such as WorldCom and Sprint that are rushing headlong into the managed security services business are drawing fire from security experts, who say they should first secure their own networks before offering external services.

Searching for relief from the pressures of abundant capacity and intense competition for their core services, carriers such as WorldCom Inc. and Sprint Corp. are rushing headlong into the managed security services business.

But the plans are drawing fire from security experts and customers, who say the carriers should look internally and secure their networks before offering external services.

Although for years many carriers have employed large staffs of security professionals, most providers still lack basic security safeguards such as DDoS (distributed-denial-of-service) protection on their data networks. Indeed, Telus Corp., a Canadian company, last week became the first North American carrier to install an anti-DDoS system.

Preventing and mitigating DDoS attacks is a challenge in that it requires cooperation among the victim, its ISP and, often, the attackers ISP. But such cooperation is nearly impossible if providers arent prepared for an attack.

"The things enterprises can do [to protect themselves] are limited unless the carrier gets involved," said Ted Julian, chief strategist of Arbor Networks Inc., of Waltham, Mass., which sells an anti-DDoS solution to enterprises and carriers.

But according to some customers, most of the carriers still dont have their security houses in order.

"I think its a lack of understanding on their part and a lack of perceived return on investment," said Jon Rosensen, director of strategic initiatives at Inc., a Pittsburgh-based technology solutions provider and customer of several large carriers, including Sprint. "Theyre more focused on the physical security of the network."

Rosensen said when Stargates network was the target of several large-scale DDoS attacks several years ago, he decided to install his own protection rather than seek help from the carriers. "Customers were making decisions to go with other companies because they had more bandwidth and could absorb the attacks," Rosensen said.

For their part, the carriers say that while they may not have commercial DDoS protection products installed, they have done other things to mitigate security threats.

Executives at Sprint, which recently unveiled a new set of security services, including penetration tests and vulnerability scans, said the investment and complexity involved in deploying DDoS or firewall protection makes it difficult.

"Imagine how many entry points there are on our network," said Dale Bachman, security practice manager at Sprint, in Overland Park, Kan. "It would be a large technical challenge, but it might be worthwhile. It sounds like a reasonable value-add."

"WorldCom has taken a lot of steps in addressing DDoS, but theyre not things that were packaging and selling to our customers, so wed rather not talk about them," said Bob Blakley, manager of Internet security services at WorldCom, in Ashburn, Va. WorldCom recently announced a partnership with Internet Security Systems Inc. to offer customers a set of managed services, including event response and remote scanning services.

Still, some in the industry question whether the carriers can pull off a move into managed services.

"The telcos are good at things that are highly repeatable and highly automated. Security is anything but that," said Daniel McCall, co-founder and executive vice president of Guardent Inc., a managed security services provider in Waltham, Mass.

Related stories

  • ISP Protects Its IP Backbone From DDoS Attacks
  • Sprint to Roll Out Security Service
  • Anti-DDoS Tool Keeps Networks Running
  • Commentary: Fighting the Disorder of Magnitude