Security in DOCSIS-based
Cable Modem Systems

Editor’s Note: Some media coverage on security issues associated with high-speed, always-connected cable modems has left an impression that a large portion of consumers’ vulnerability to computer hacking is due to the very positive nature of high-speed connectivity. That is a misconception—a high-speed connection to the Internet via cable makes for an improved way of life, and should be used in a way that takes advantage of its many benefits.

The DOCSIS system architecture includes security components that will ensure user data privacy across the shared-medium cable network and will prevent unauthorized access to DOCSIS-based data transport services across the cable network.

The DOCSIS architecture also supports policing (i.e., filtering) functions, which can be used to reduce the risk of attacks targeted at attached CPE devices (Customer Premises Equipment, or personal computers). These policing capabilities match those available within dedicated-line network access systems (e.g., telephone, ISDN, DSL) and, as a result, cable data enterprises are as secure as DSL or other traditional phone architectures.

Regardless of the network access service employed, service subscribers should take precautions to secure their systems prior to attaching them to a public network. Owners of systems running Microsoft Windows should unbind NetBIOS from TCP/IP, effectively disabling file and print sharing over the Internet.

Introduction

DOCSIS-based cable modem systems provide users with high-speed access to packet-based data services. These services include Internet access, packet telephony, video conferencing, and telecommuting (i.e., remote access to enterprise networks). Security threats associated with these devices fall into two general categories:

  • security of data transport services, and
  • security of CPE devices, which use cable modems to attach to public data networks.

The DOCSIS architecture includes security components that secure data transport services across the shared-medium cable network. DOCSIS data transport security provides cable modem users with data privacy and prevents unauthorized access to DOCSIS data transport services across the cable network.

Any CPE device attached to a public network will be subject to security threats. Given that the purpose of an access network is to provide subscribers with data access to public networks, the access network cannot take full responsibility for protecting subscriber systems from attacks originating from that public network. DOCSIS-based cable networks provide, as do dedicated subscriber line systems, traffic filtering, which reduces threats from attacks that may target specific operating system features common to many of the attached CPE devices. (For example, filtering traffic on UDP/TCP ports 137, 138 and 139 to prevent unintentional Microsoft Windows SMB/NetBIOS file and print sharing.)

Regardless of whether a user employs cable, telephone, or DSL access networks, that user cannot rely solely on the access network to protect his or her system from attack. Subscribers to these services MUST, in all cases, take precautions to secure their systems prior to attaching them to a public network.

The situation is analogous to how an individual protects his or her home. While the individual trusts that the local police will do a good job protecting the neighborhood from burglary, the homeowner still locks the doors in the evenings or when absent from the home. The more populated the community, the greater the potential security risk, and thus the more caution demonstrated by the homeowner.

Attaching one’s computer to the Internet is like living in a large urban area. There is much to gain in terms of the wealth of information, however accompanying that access are risks associated with having a direct ramp onto a global information highway.

The following section on Data Transport Services Security examines features built into the DOCSIS architecture to secure data transport services across the shared-medium cable network.

The CPE System Security section below looks at policing mechanisms these systems can provide in order to reduce security risks associated with linking individual computer systems to large public networks (e.g., the Internet).

Data Transport Services Security

DOCSIS data transport security provides cable modem users with data privacy across the cable network by encrypting traffic flows between the Cable Modem (CM) and the Cable Modem Termination System (CMTS) located in the cable network headend.

In addition, DOCSIS security provides cable operators with protection from theft of service. Protected DOCSIS MAC data transport services fall into three categories:

1. best effort, high-speed, IP data services;

2. premium quality-of-service (QoS) data services; and

3. IP multicast group services.

The DOCSIS system prevents unauthorized access to these data transport services by having the CMTS enforce encryption of the associated traffic flows across the cable network and employ an authenticated client/server key management protocol in which the CMTS (the server) controls distribution of keying material to client CMs.

DOCSIS data transport security has two protocol components:

  • an encapsulation protocol for encrypting packet data across the cable network, and
  • a key management protocol for providing the secure distribution of keying material from the CMTS to client CMs.

The encapsulation protocol defines:

  • the frame format for carrying encrypted packet data within DOCSIS MAC frames,
  • the set of supported data encryption and authentication algorithms, and
  • the rules for applying the cryptographic algorithms to a DOCSIS MAC frame’s packet data.

DOCSIS currently employs the Cipher Block Chaining (CBC) mode of the U.S. Data Encryption Standard (DES) to encrypt a DOCSIS MAC Frame’s packet data. The protocols are extensible, can support multiple encryption algorithms and will, in all likelihood, be extended to support the new Advanced Encryption Standard (AES) once it is in place.

CMs use the DOCSIS key management protocol to obtain authorization and traffic encryption material from a CMTS, and to support periodic reauthorization and key refresh. The key management protocol uses X.509 digital certificates, RSA public key encryption and triple DES to secure key exchanges between the CM and the CMTS.

DOCSIS data transport security provides a level of data privacy across the shared-medium cable network equal to, or better than, that provided by dedicated-line network access services (e.g., telephone, ISDN or DSL). It should be noted, however, that these security services only apply to the access network. Once traffic makes its way from the access network onto the Internet backbone, it will be subject to privacy threats common to all traffic traveling across the Internet, regardless of how it got onto the Internet. If a subscriber’s concerns over communications privacy go beyond the access network, he or she should be using higher-level security solutions: for example, VPN technology, to tunnel private data securely across public networks, or application-layer security (e.g., PGP (Pretty Good Privacy) for email, or SSL (secure sockets layer) for web-based transactions).

CPE System Security

DOCSIS-based network access systems support the same range of policing functions (filtering) available in remote access servers employed by traditional dedicated-line network service providers.

The issue within these systems which has attracted the greatest press attention is unauthorized access to system files using the NetBIOS over TCP/IP (NBT) and Server Message Block (SMB) file-sharing protocols that run on various Microsoft Windows variants (e.g., Windows for Workgroups, Windows 95, Windows 98, and Windows NT).

Hackers need to know the Internet address of the target system—if a hacker can obtain the name and address of the targeted host system, he or she then can begin sending network traffic to that host in order to pry it open and gain unauthorized access. Windows PCs running TCP/IP employ the NetBIOS (NBT) name service for advertising, and for determining, the names and addresses of shared system resources on a LAN. Depending upon the system configuration, this name service may employ broadcast messaging, which allows systems on a shared LAN to exchange the names and addresses of shared services directly across that LAN.

Cable modems present to their attached CPE devices a high-speed LAN interface. Attached Windows PCs can run the NBT broadcast name service across these interfaces to share name and addressing information with PCs attached to the same "cable LAN." Thus, if an attached PC has file and printer sharing enabled, its services will be advertised across this LAN interface, and other devices on that cable-based LAN can determine names and addresses of those shared file and print services.

These NBT name service broadcasts employ UDP port 137, and thus can be filtered readily. However, not all proprietary cable modem systems support comprehensive filtering of this broadcast traffic, and where they do, service providers may prefer not to employ it for performance reasons.

Remote access servers used in dedicated-line network access architectures do not reflect broadcasts received from one client out to other clients; hence, the names and addresses of a PC’s shared services cannot be exchanged through NBT name service broadcasts. This explains why proprietary cable modem systems are more vulnerable to the unintended distribution of shared service names and addresses than dedicated-line systems.

Once an attacker determines the name and the address of a Windows-shared service, he or she then can establish a point-to-point NetBIOS session with the shared service. Depending upon the shared system’s configuration, the shared service may or may not be password protected.

Thus, with regard to Windows-shared file and print services, the principal difference between the proprietary cable modem systems and dedicated subscriber line systems is support, in the cable environment, for NBT name service broadcasts. This is addressed by the cable service provider by:

1. making users aware of the issue,

2. requiring users to disable file and print sharing, and

3. educating users on how to disable sharing.

DOCSIS-based cable modem systems, like dedicated-line systems, can police the network by efficiently filtering the UDP port over which NBT name service broadcasts are sent.
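An added example, not part of the original article or of any DOCSIS specification, of the port-based policing described here and in the Introduction: a small Python filter that parses constructed IPv4 packets and drops traffic on UDP/TCP ports 137, 138 and 139, as a CMTS or remote access server would. The sample packets and addresses are constructed, and the conservative handling of non-first IP fragments (whose port cannot be read) is an assumption added here.

```python
import ipaddress
import struct

# Ports the page names for Windows file and print sharing over TCP/IP:
# 137 (NBT name service, UDP), 138 (NBT datagram, UDP), 139 (NBT session/SMB, TCP).
NBT_PORTS = {137, 138, 139}
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

def build_ipv4(proto, src, dst, sport=None, dport=None, payload=b""):
    """Assemble a minimal IPv4 packet (zero checksums) as constructed test traffic;
    TCP and UDP headers both start with the source/destination port pair."""
    l4 = (struct.pack("!HH", sport, dport) if sport is not None else b"") + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4

def classify(pkt):
    """Verdict for one packet: 'forward', 'drop-nbt' (NetBIOS/SMB port) or 'drop-unparsable'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop-unparsable"
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    if pkt[9] not in (PROTO_TCP, PROTO_UDP):
        return "forward"                 # the port filter only covers TCP and UDP
    if frag_offset != 0 or len(pkt) < ihl + 4:
        # A non-first fragment carries no transport header, so its port cannot be
        # checked; dropping it is the conservative choice for a port filter (assumption).
        return "drop-unparsable"
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return "drop-nbt" if sport in NBT_PORTS or dport in NBT_PORTS else "forward"

def police(packets):
    """Apply the filter to a batch; return the forwarded packets and a verdict tally."""
    forwarded, tally = [], {}
    for pkt in packets:
        verdict = classify(pkt)
        tally[verdict] = tally.get(verdict, 0) + 1
        if verdict == "forward":
            forwarded.append(pkt)
    return forwarded, tally

# Constructed sample traffic from one CPE on a cable LAN (not captured data).
SAMPLE = [
    build_ipv4(PROTO_UDP, "10.1.2.5", "255.255.255.255", 137, 137),  # NBT name broadcast
    build_ipv4(PROTO_TCP, "10.1.2.5", "10.1.2.9", 1025, 139),        # SMB session attempt
    build_ipv4(PROTO_TCP, "10.1.2.5", "198.51.100.10", 1026, 80),    # web traffic
    build_ipv4(PROTO_UDP, "10.1.2.5", "198.51.100.53", 1027, 53),    # DNS query
    build_ipv4(PROTO_ICMP, "10.1.2.5", "198.51.100.10", payload=b"\x08\x00\x00\x00"),
]
```

Running `police(SAMPLE)` forwards the web, DNS and ICMP packets and drops the two NetBIOS/SMB ones, giving the tally `{'drop-nbt': 2, 'forward': 3}`.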

It should be noted that even if NBT name service broadcasts are inhibited, an attacker can use other methods (although certainly not as conveniently as simply double-clicking on "Network Neighborhood") to determine host names and addresses and to begin an attack. Anyone can try to access shared files if they know an IP address, regardless of the type of access network. Knowledgeable system administrators recommend that any Windows system directly attached to a public network should unbind NetBIOS from TCP/IP, thus disabling Windows (SMB) file and printer sharing over the Internet.

Note that enterprise networks typically have a firewall separating themselves from the Internet, and that this firewall filters all TCP/IP NetBIOS traffic. In this way, Windows systems within the enterprise network can use Windows networking (SMB over NBT) to share files internally, yet can be protected from external attack.

The Goals of DOCSIS Security

  • To provide CM users with data privacy across the RF network
  • To provide cable operators with protection from theft of service