cable security mechanisms

This is where we talk about all things DOCSIS. :)

Post by mpb » Wed Jun 23, 2010 1:43 pm

Hi all,

I run a cable EuroDOCSIS network (Cisco pretty much) and have been reading about the various cable security and anti-theft-of-service mechanisms.

To cater for modem config file tampering we have 'tftp download enforce' and 'dynamic secret' enabled and working,

and for cloned modems we have BPI+ mandatory as well as an external script to detect any duplicate MACs of perfect modem clones that may show up on separate nodes in our plant.

Are you admins out there doing anything else, or are hackers trying other methods for theft of service?

Feel free to talk to me offline since the subject is perhaps a bit sensitive for public consumption :)


Thanks

Mark
mpb
Board User
 
Posts: 5
Joined: Thu May 27, 2010 1:06 pm

Re: cable security mechanisms

Post by wittmann » Thu Jun 24, 2010 5:17 pm

Hi,

BPI+ Mandatory is a pretty good solution and one of the best steps for security.

Another good solution is to make sure that unknown cable modems don't come operational with NetworkAccess Off only. That means: you should have different IP-Scopes for unknown cable modems. Then you can set NetworkAccess to 1 in the default config file for unknown cable modems. This solution will help you to use a separate DNS-Server for a Walled-Garden setup and so on.

The security issue of NetworkAccess Off is: with a debug image or hacked image like haxorware it's possible to set the bit for NetworkAccess in the REG-REQ always to 1, regardless of which value is in the config file.
wittmann
Board User
 
Posts: 22
Joined: Fri Oct 31, 2008 11:39 am
Location: Germany

Re: cable security mechanisms

Post by mpb » Sat Jun 26, 2010 2:09 pm

Thanks for the info.

If a user does manage to get control of the modem (via whatever means), what can they really do that can cause issues, besides reading the config and enabling the network disable option as you mention?

I guess a hacker cannot change his service (upload/download) if he has access to the config file, as wouldn't this need the modem to re-register with the CMTS and go through all the DMIC and other checks?
mpb
Board User
 
Posts: 5
Joined: Thu May 27, 2010 1:06 pm

Re: cable security mechanisms

Post by wittmann » Sat Jun 26, 2010 2:23 pm

You've got a PM ;-)
wittmann
Board User
 
Posts: 22
Joined: Fri Oct 31, 2008 11:39 am
Location: Germany

Re: cable security mechanisms

Post by kryhavoc » Wed Jun 30, 2010 11:46 pm

We use an ACL on the cable bundle interfaces which stops users from accessing RFC 1918 IP space.... if they can't scan your network... they hurt.
kryhavoc
Board User
 
Posts: 7
Joined: Wed Jun 30, 2010 11:04 pm

Re: cable security mechanisms

Post by buzzwork » Thu Jul 01, 2010 3:32 am

We monitor the speed and usage on all modems. You could code something that monitors the RRD graph on the modem vs. the speed set in the modem; if these don't match, you have a rogue modem.

Martin
buzzwork
Board User
 
Posts: 53
Joined: Fri Aug 01, 2008 5:53 am
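
An added example, not part of any post in this thread: one way to code the check described in the last post, comparing each modem's measured downstream rate against its provisioned rate. It assumes per-modem byte counters are already being polled and that a MAC-to-provisioned-rate table exists; the function names, thresholds and sample data below are hypothetical and constructed for illustration.

```python
from collections import defaultdict

COUNTER_MAX = 2**32   # assumes 32-bit byte counters; use 2**64 for 64-bit ones
TOLERANCE = 1.10      # allow 10% over the provisioned rate (bursts, overhead)
MIN_INTERVALS = 3     # consecutive over-rate intervals before flagging

def interval_rates(samples):
    """samples: time-ordered [(unix_ts, byte_counter)] -> bits per second per interval."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 > t0:                           # skip duplicate or out-of-order polls
            delta = (c1 - c0) % COUNTER_MAX   # modulo absorbs a single counter wrap
            rates.append(delta * 8 / (t1 - t0))
    return rates

def find_suspect_modems(polls, provisioned_bps):
    """polls: [(mac, unix_ts, byte_counter)]; provisioned_bps: {mac: bit/s}. Returns {mac: reason}."""
    by_mac = defaultdict(list)
    for mac, ts, counter in polls:
        by_mac[mac.lower()].append((ts, counter))
    suspects = {}
    for mac, samples in by_mac.items():
        limit = provisioned_bps.get(mac)
        if limit is None:
            suspects[mac] = "not in provisioning data"
            continue
        streak = 0
        for rate in interval_rates(sorted(samples)):
            # one fast interval can be a burst; only a sustained streak is flagged
            streak = streak + 1 if rate > limit * TOLERANCE else 0
            if streak >= MIN_INTERVALS:
                suspects[mac] = f"sustained {rate / 1e6:.1f} Mbit/s vs {limit / 1e6:.1f} provisioned"
                break
    return suspects

# Constructed sample data: 300-second polls, not taken from any real plant.
PROVISIONED = {"00:11:22:aa:bb:01": 10_000_000, "00:11:22:aa:bb:02": 10_000_000}
POLLS = (
    # modem 01 stays at 8 Mbit/s and wraps its 32-bit counter once
    [("00:11:22:aa:bb:01", 300 * i, (4_000_000_000 + 300_000_000 * i) % COUNTER_MAX) for i in range(5)]
    # modem 02 is provisioned for 10 Mbit/s but moves 30 Mbit/s in every interval
    + [("00:11:22:aa:bb:02", 300 * i, (1_125_000_000 * i) % COUNTER_MAX) for i in range(5)]
    # modem 03 passes traffic but has no provisioning record
    + [("00:11:22:aa:bb:03", 300 * i, 1_000_000 * i) for i in range(5)]
)

if __name__ == "__main__":
    for mac, reason in sorted(find_suspect_modems(POLLS, PROVISIONED).items()):
        print(mac, reason)
```

Requiring several consecutive over-rate intervals keeps a single bursty poll or a counter wrap from raising a false alarm.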

