BT darns DSL security hole

The wider availability of broadband DSL creates a number of security challenges for those providing it, but so far none have been properly tackled.

The main concern is the technology's ability to stay permanently connected to the internet for speedier downloads of content. This instantaneous access to content gives potential hackers and similar miscreants the opportunity to take advantage of loopholes in the system.

Security experts have said that DSL users' IP addresses could be easy to target because of the instantaneous connections, as well as the fact that their PC line is always 'live', ready to be quickly activated for downloads.

As well as leading hackers to an individual target, these live lines can make it easier to enter the OS of an individual PC and turn it into a 'slave' computer to conduct remote attacks on others.

BT provides a direct DSL service to its customers through BTopenworld and a wholesale one to its competitors to sell to their customers, but has rejected the idea of giving users their own IP address until recently.

This decision, while made for good reasons, created problems for users, and hasn't produced or promoted the sort of security solution needed for DSL.

Firewall protection

BT's reluctance was based on the belief that if you don't give a DSL user a permanent IP address, they are not a fixed target for hostile data attacks. But if users had a permanent IP address which operated behind a strong data firewall, the operation of an 'always on' connection wouldn't be as dangerous.

BT instead provided a temporary IP address each time users connected to the internet. Users first connected to a BT server which designated their PC a random IP address to be used while online.

When the user ended their surfing session, the IP address was snatched back by the BT server so that it could be re-issued to another user. This theoretically means that hackers would find it much harder to track a user through their always-on connection.

NAT: what's that?

This way of working is called Network Address Translation (NAT), and BT isn't in a hurry to get rid of it completely, despite recent problems.

Some users have been unable to connect because BT's NAT servers have been down, and they have been left with no service while BT finds the fault: the web or email servers they are trying to reach need an IP address to send data back to their PCs.

Some have viewed BT's decision to adopt NAT as backward, considering the move towards an information society where everything from mobile phones to fridges will have IP addresses.

If BT and other national operators can't cope with the relatively few users who have managed to get DSL, how will they cope when the majority of the UK eventually has access?

The vital VPN connection

As well as being 'backward', NAT poses interoperability problems. Without a permanent IP address, business users cannot securely link their home office to the corporate VPN. Users need a permanent IP address to be part of the LAN that a VPN creates.

As more people work from home and the promotion of VPNs becomes widespread among those seeking more secure business communications, the current crop of DSL services won't sit well with the requirements of business.

BT has said it is working on supplying DSL services that will come complete with their own fixed IP addresses, but their availability won't be widespread and users will have to ask for them.

Hopefully, few business users will set up home offices only to find they can't connect to the corporate VPN, but need a VPN-friendly ISDN or leased circuit line instead. As these alternatives are more expensive, the operators, of course, won't suffer.

BTopenworld chief operating officer Marc Deschamps said existing business customers will have to wait until some time this summer to apply for a permanent IP address. He added that they will almost certainly have to pay more for the privilege.

DSL SECURITY PROBLEMS

  • Lack of suitable firewall products directly available from DSL providers
  • Most users are not given fixed IP addresses
  • There are interoperability problems with VPNs
  • Many VoIP services will not work without fixed IP addresses, and users are unable to host websites without one

CABLE ALTERNATIVE

The main broadband alternative to DSL is to use a cable modem service from either Telewest or NTL. Again, a permanent IP address is not on offer to users, and neither service is sold to businesses anyway.

In the case of NTL, the Dynamic Host Configuration Protocol (DHCP) system is used, where consumers are given an IP address to use for a four-hour, five-minute period.

After this time has expired, the user's cable modem has to apply for the 'lease' to be extended, but the same IP address cannot be guaranteed, even if continuous work is in progress.
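As an added illustration, not code from the article or from BT or NTL, the following toy model covers both schemes described above: BT's per-session address pool and NAT (the 'NAT: what's that?' section) and NTL's DHCP lease that expires after four hours and five minutes. The addresses are constructed from RFC 5737 documentation ranges, and the pool hands them out in FIFO order rather than at random so the outcome is reproducible.

```python
# Added example, not from the article: a toy model of the address handling it
# describes. AddressPool stands in for BT's per-session address server and NTL's
# DHCP lease; Nat shows why a host that opened no outbound flow is unreachable
# from outside. Addresses are constructed (RFC 5737); the pool is FIFO, not random.
from dataclasses import dataclass, field

@dataclass
class AddressPool:
    free: list                                  # public addresses not in use
    leases: dict = field(default_factory=dict)  # customer -> (addr, expiry time)

    def assign(self, customer, now, lifetime):
        """Hand out the next free address for `lifetime` seconds."""
        addr = self.free.pop(0)
        self.leases[customer] = (addr, now + lifetime)
        return addr
    def release(self, customer):
        """Session ended or lease expired: the address goes back in the pool."""
        addr, _ = self.leases.pop(customer)
        self.free.append(addr)
    def renew(self, customer, now, lifetime):
        """Inside the lease the address stays; after expiry the customer asks
        again and gets whatever is free, not necessarily the old address."""
        addr, expiry = self.leases[customer]
        if now < expiry:
            return addr
        self.release(customer)
        return self.assign(customer, now, lifetime)

class Nat:
    """Port-address translation: only flows opened from inside get an entry."""
    def __init__(self, public_addr):
        self.public, self.table, self.next_port = public_addr, {}, 40000
    def outbound(self, private_src):
        """A private host opens a flow: allocate a public port, remember who."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = private_src
        return (self.public, port)
    def inbound(self, public_port):
        """Reply traffic finds its host; an unsolicited packet gets None (dropped)."""
        return self.table.get(public_port)

def demo():
    lease = 4 * 3600 + 5 * 60                   # NTL's four-hour, five-minute lease
    pool = AddressPool(free=["203.0.113.10", "203.0.113.11", "203.0.113.12"])
    first = pool.assign("home-pc", now=0, lifetime=lease)
    kept = pool.renew("home-pc", now=3600, lifetime=lease)    # still inside lease
    moved = pool.renew("home-pc", now=lease, lifetime=lease)  # expired: it moves
    nat = Nat(moved)
    src = nat.outbound(("192.168.1.2", 5000))  # PC behind NAT opens a web session
    return first, kept, moved, nat.inbound(src[1]), nat.inbound(src[1] + 1)
```

The last two values returned by `demo()` show the two sides of NAT the article describes: the reply to a session the PC opened is delivered, while an unsolicited inbound connection (an attacker probing, but equally a corporate VPN or a visitor to a home-hosted website) has no entry and is dropped.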