Service Convergence

Enhancing Application Awareness for More Services

An exciting new era has dawned for service providers, because converged networks now carry multiple applications and types of services that can enhance provider offerings and enable brand differentiation. Now service providers are evolving into "experience providers" that define themselves competitively by how well they provide and brand a consistent quality experience across network layers, applications, and different user devices. Vital to this evolution is the ability to manage different services so providers can deploy more offerings faster with optimized return on investments and profit margins.
Although service providers must consider numerous perspectives when addressing this challenge, it is critical to keep the broad choice of services, technologies, delivery infrastructure, and subscriber requirements aligned to ensure a cohesive service-delivery environment. The Cisco® IP Next-Generation Network (IP NGN) has the inherent application and subscriber awareness to manage the array of data, voice, video, and mobility services that are being deployed singly or together. Cisco participates in major standards bodies and works closely with its customers to engineer solutions that provide the application awareness necessary for providers to offer a broader array of services on demand and personalized to their unique needs. Application-awareness features are also useful for optimizing networks, with intelligence that can be used for operational efficiencies, better enforcement of policies, and increased security effectiveness.
This paper examines the factors that have accelerated the need for application awareness and shows how it can be applied, in conjunction with enhanced user awareness, to improve the efficiency, profitability, security, and competitiveness of service provider networks.

Introduction

As customers adopt devices with multiple functions, such as phones that can switch between wired and wireless subnets, service providers are no longer confined to offering a single service to that device. Now they can offer new services that integrate different voice, video, and data services with mobility, such as video teleconferencing, peer-to-peer gaming, and other converged applications. Although these new service possibilities can bring substantial revenue opportunities, they also require greater scalability and availability, application and subscriber awareness, security, and the adaptability to adjust to changing requirements rapidly and cost-effectively.
Packet flow optimization, an application-awareness feature critical to this process, automatically detects application types, enabling the enforcement of policies and the optimization of network resources to meet subscriber service-level agreements (SLAs). Providers can efficiently allocate bandwidth using packet flow optimization and policy management at the network edge for both the services they provide and the services that subscribers access through Web-based over-the-top providers.
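
The detection step described above is what separates application awareness from port-based classification. The following is an added example, not code from this paper or from Cisco: it labels each flow from the first client-to-server payload using simplified protocol signatures, compares the result with the naive port-based guess, and maps the label to a QoS class. The signatures are sketches of the real protocol headers, the QoS mapping and the sample flows are constructed, and a production classifier would need many more signatures plus handling for encrypted or obfuscated traffic.

```python
# Added example, not code from the paper or from Cisco: signature-based
# application detection on the first client-to-server payload of a flow,
# independent of destination port. The signatures are simplified sketches of
# the real protocol headers; the QoS mapping and sample flows are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the first client-to-server data packet


def _is_bittorrent(p: bytes) -> bool:
    # Peer-wire handshake: pstrlen 19 followed by "BitTorrent protocol".
    return p.startswith(b"\x13BitTorrent protocol")


def _is_sip(p: bytes) -> bool:
    return p.startswith((b"INVITE ", b"REGISTER ", b"OPTIONS ")) and b" SIP/2.0" in p


def _is_tls_client_hello(p: bytes) -> bool:
    # Record type 0x16 (handshake), version major 0x03, handshake type 0x01 (ClientHello).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


def _is_http(p: bytes) -> bool:
    return p.startswith((b"GET ", b"POST ", b"HEAD ")) and b" HTTP/1." in p


# Most specific first, so a looser signature never shadows an exact one.
SIGNATURES = [
    ("bittorrent", _is_bittorrent),
    ("sip", _is_sip),
    ("tls", _is_tls_client_hello),
    ("http", _is_http),
]

# Constructed mapping from detected application to the QoS class to apply.
QOS_CLASS = {"sip": "realtime", "http": "default", "tls": "default",
             "bittorrent": "bulk", "unknown": "default"}


def classify(flow: Flow) -> str:
    """Application label from payload signatures; 'unknown' if none match."""
    for name, match in SIGNATURES:
        if match(flow.payload):
            return name
    return "unknown"


def classify_by_port(flow: Flow) -> str:
    """The naive port-based guess that application awareness replaces."""
    return {80: "http", 443: "tls", 5060: "sip"}.get(flow.dport, "unknown")


def qos_class(flow: Flow) -> str:
    return QOS_CLASS[classify(flow)]


def tally(flows) -> dict:
    """Per-application flow counts: raw material for the usage data the paper describes."""
    counts = {}
    for f in flows:
        label = classify(f)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    # P2P client hiding on port 80: port-based classification calls this HTTP.
    Flow("10.0.0.5", "198.51.100.7", 80, b"\x13BitTorrent protocol" + bytes(8) + bytes(40)),
    Flow("10.0.0.9", "192.0.2.20", 5060, b"INVITE sip:bob@example.com SIP/2.0\r\n"),
    # TLS on a non-standard port: port-based classification calls this unknown.
    Flow("10.0.0.9", "192.0.2.21", 8443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),
]
```

The second and fourth sample flows are the cases that matter: a peer-to-peer client on port 80 is counted as Web traffic by a port-based filter and as bulk traffic here, and TLS on port 8443 is recognized rather than dropped into "unknown". The caveat a practitioner should keep in mind is that payload signatures only work where the first packet is distinctive and unencrypted; protocol obfuscation and end-to-end encryption push classifiers toward behavioural features such as flow timing and fan-out.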
The solutions behind application awareness bring subscribers greatly enhanced features, such as self-service and personalization. In turn, service providers benefit from this capability to forge a much closer relationship with subscribers through a greater understanding and management of their network usage and customized enforcement of policies that in turn can be the basis for new and profitable offerings.
Providers have an opportunity to differentiate themselves from competitors and to create long-term customer loyalty by providing dependable, high-quality network experiences. Detailed information about applications, subscribers, and network usage is vital for service providers to accurately price and bill for their services. Acting on this information can reduce, and in some cases eliminate, network congestion and competition for scarce bandwidth.
With application awareness, traffic from peer-to-peer connections can be transformed from a financial burden into a new profit center. Today, peer-to-peer applications constitute the biggest category of network bandwidth demand, accounting for 70 percent or more of all broadband throughput. If it is properly metered and managed, peer-to-peer and other broadband traffic can be the basis for innovative partnerships and new sources of revenue.
The ability to understand how subscribers are using their broadband connections lets service providers establish the relative value of each service and better define subscriber segments. This understanding can spawn new service bundles that are aligned to customer needs and that can increase customer loyalty. For example, many service providers are offering their own broadband IP voice services, and they must be able to distinguish between different applications to ensure call quality and administration.
Securing the broadband network from malicious attacks is a must for service providers, and another capability enabled by application awareness. "Always-on" broadband connections expose subscribers to threats including denial-of-service (DoS) attacks, e-mail spam, viruses, and worms. Gartner, Inc., an industry research firm, estimates that seven percent of subscriber turnover within service networks is due to dissatisfaction caused by spam. Recent surveys of broadband users have shown that, despite today's high adoption rates of antivirus and antispyware software, a very large number of residential PCs carry multiple viruses and other malware. Many personal computers have been hijacked into so-called "botnets", where the user's PC is remotely controlled and used to launch a multitude of attacks. The financial damage caused by online identity theft is also increasing. Application awareness provides a network-based response to these security challenges that further enhances the role and value of the service provider.

Solution

Enhanced application awareness is closely coupled with subscriber awareness. With technologies that can differentiate between types of applications and users, and apply policies, service providers can dramatically enhance the subscriber experience. Quality-of-service (QoS) parameters can be applied to different traffic streams, replacing "best-effort" network response time with priority service for such latency-sensitive applications as video, voice over IP (VoIP), or gaming. Packet filtering, application and subscriber awareness, and policy enforcement can also be used to offer a variety of valuable network-based security services that can turn subscribers into long-term, loyal customers.
By keeping track of all IP traffic and performing stateful packet flow optimization, service providers can collect data about the applications and services used by individual subscribers, including:

• Application activity during peak and congestion times

• Total volume of traffic and applications from both the service provider network and peer-to-peer Internet sites

• Service popularity, including popular Websites and newsgroups, and the bandwidth costs of delivering these services

• Security breaches and malware on subscriber devices

Pull-based applications require the direct involvement of the subscriber, such as making a selection at a Web portal. An application- and subscriber-aware network also makes push-based features possible: once the subscriber selects an application or set of applications, the network automatically prioritizes resources to provide the highest quality of experience. The following are examples of each type of application.

Pull-Based Applications

• Parental controls - Adult subscribers can access a Web portal and set Internet controls for children, including blocking access to certain types of Websites and imposing time limits on online access. Figure 1 shows the topology necessary to support subscriber and application awareness for applications that rely on both pull and push techniques. A packet inspection device intercepts the packets coming from a home computer. The router at the home gateway or network edge can then selectively redirect individual sessions or flows to a selected destination and send a request to a policy server or broadband policy manager to verify whether the traffic is permitted. If a particular URL is off limits, the policy server responds with the blocking policy to the gateway or edge device, and the user receives a message indicating that the Website is off limits. If the request is approved, the user is allowed to continue. Time limits are enforced with a similar exchange between the computer, the packet inspection device, the policy server, and the gateway or edge router.

Figure 1. Cisco Solutions that Support Personalized Pull- and Push-Based Applications

• Bandwidth on demand - The ability to transparently provision bandwidth on demand in response to a subscriber request adds tremendously to a quality broadband experience. Unless providers can identify who is doing what on their networks, allocating subscriber bandwidth remains rather primitive. But application and subscriber awareness provide the information necessary to guarantee the optimal amount of bandwidth for each service and for each subscriber. Subscribers who may have a standard low-speed Internet service can visit a Webpage on the provider's site and click a turbo button to boost their bandwidth for a set period of time or to leave the button engaged until they return and deselect it. The policy server confirms the request and then pushes the QoS policy to the gateway or edge router and packet-filtering device, applying the new policy to the subscriber's connection. The policy server tracks the time allotment. When the time expires, the policy server pushes the previous QoS policy back to the gateway or edge router and packet-filtering device, restoring the subscriber's original service privileges. The subscriber pays for the extra bandwidth only when it is needed. This service could prove popular with gamers, telecommuters transferring large files, and parties making a video call.
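
Both pull-based services above reduce to the same exchange: the edge device asks a policy server for a decision, and the policy server pushes a QoS or access policy back and keeps track of when it expires. The following is an added example, not code from this paper or from Cisco, of a minimal policy server that serves both flows: a URL and time-of-day check for parental controls, and a timed "turbo" boost that is applied on request and automatically reverts to the subscriber's base profile. The URL categories, subscriber records, QoS profile names and bandwidth figures are constructed for illustration; a real deployment would take the category from a URL-filtering feed and the subscriber record from RADIUS or a subscriber database.

```python
# Added example, not code from the paper or from Cisco: a minimal policy
# server for the two pull-based services above. URL categories, subscriber
# records and QoS profiles are constructed for illustration.
from datetime import datetime, time, timedelta
from urllib.parse import urlparse

# Constructed category lookup; a real deployment queries a URL-filtering feed.
URL_CATEGORIES = {
    "casino.example": "gambling",
    "news.example": "news",
    "game.example": "games",
}

# Constructed QoS profiles in kbit/s.
QOS_PROFILES = {"standard": 4_000, "turbo": 20_000}


class PolicyServer:
    def __init__(self):
        self.subscribers = {}

    def add_subscriber(self, sub_id, qos="standard", blocked_categories=(), allowed_hours=None):
        """allowed_hours is (start, end) as datetime.time on the same day, or None."""
        self.subscribers[sub_id] = {
            "qos": qos,
            "blocked": set(blocked_categories),
            "allowed_hours": allowed_hours,
            "boost_until": None,       # None = no boost; datetime.max = until deselected
        }

    # ---- parental controls: the edge device asks whether a request is permitted ----
    def authorize_url(self, sub_id, url, now):
        sub = self.subscribers[sub_id]
        hours = sub["allowed_hours"]
        if hours and not (hours[0] <= now.time() < hours[1]):
            return ("redirect", "time-limit")
        host = urlparse(url).hostname or ""
        category = URL_CATEGORIES.get(host, "uncategorised")
        if category in sub["blocked"]:
            return ("redirect", f"blocked-category:{category}")
        return ("permit", None)

    # ---- bandwidth on demand: the "turbo button" ----
    def request_boost(self, sub_id, now, minutes=None):
        """Apply the turbo profile for `minutes`, or until cancelled if None."""
        sub = self.subscribers[sub_id]
        sub["boost_until"] = now + timedelta(minutes=minutes) if minutes else datetime.max
        return self.effective_qos(sub_id, now)

    def cancel_boost(self, sub_id):
        self.subscribers[sub_id]["boost_until"] = None

    def effective_qos(self, sub_id, now):
        """The profile the gateway or edge router should enforce right now.
        A timed boost that has expired is cleared here, restoring the base profile."""
        sub = self.subscribers[sub_id]
        if sub["boost_until"] is not None and now >= sub["boost_until"]:
            sub["boost_until"] = None
        if sub["boost_until"] is not None:
            return ("turbo", QOS_PROFILES["turbo"])
        return (sub["qos"], QOS_PROFILES[sub["qos"]])


def demo():
    """Walk both flows with constructed subscribers and timestamps."""
    ps = PolicyServer()
    ps.add_subscriber("child-pc", blocked_categories=["gambling"],
                      allowed_hours=(time(16, 0), time(20, 0)))
    ps.add_subscriber("gamer-pc")
    t0 = datetime(2024, 1, 1, 17, 0)
    return [
        ps.authorize_url("child-pc", "http://news.example/today", t0),
        ps.authorize_url("child-pc", "http://casino.example/", t0),
        ps.authorize_url("child-pc", "http://news.example/", t0.replace(hour=22)),
        ps.effective_qos("gamer-pc", t0),
        ps.request_boost("gamer-pc", t0, minutes=30),
        ps.effective_qos("gamer-pc", t0 + timedelta(minutes=29)),
        ps.effective_qos("gamer-pc", t0 + timedelta(minutes=30)),   # expired, base profile restored
    ]
```

The edge device treats `effective_qos` as the single source of truth and re-queries it (or receives a push) when a boost is granted or expires, so the subscriber is never left on the turbo profile after the paid period. Expiry is evaluated on the server's clock, not the edge device's, which is the property that makes the time-based billing trustworthy.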

Push-Based Applications

• Premium downloads - When a subscriber with the appropriate service package chooses to download premium content, such as a video on demand (VoD) or music, the network automatically prioritizes resources to provide the subscriber with the highest quality of experience. The gateway and packet-filtering device recognize the request for premium content and update the subscriber's QoS policy automatically for faster download times. Although many vendors claim to support the pull capabilities, they cannot provide these innovative push features - features that are essential for providing the best subscriber quality experience.

• Interactive sessions - The ability to push out QoS policies that support a two-way rich-media experience could involve a business video conference with a partner on the other side of the world or an electronic gaming tournament with many virtual partners. Again, the process of communicating the application and subscriber information and applying policies accordingly allows the high degree of personalization and customization.

Enhancing Broadband Security

Heightened application awareness and subscriber awareness can also provide service providers with the information necessary to deliver several highly valued security services. Research conducted by Ipsos MORI in 2004 among 100 network subscribers in the United Kingdom found that 58 percent of those questioned said they wanted their service provider to offer additional security services and that they would be willing to pay for those services. With application and subscriber awareness, subscribers can obtain protection from virus attacks, online identity theft, DoS attacks, worms, scan and sweep attacks, and spam.
Service providers can obtain additional revenue by providing trusted services that offer protection from these threats. They can also reduce their operational costs with features such as the automatic redirection of traffic to quarantine servers, reducing help desk costs because subscriber problems resulting from security incidents are detected and resolved by the network. Network-based protection also reduces the bandwidth costs caused by outbound spam and distributed DoS traffic and helps prevent the service-availability problems that such attacks cause.
Network-based security services are therefore beneficial to both subscribers and service providers because:

• Network-based protection cannot be disabled by malware on the subscriber's desktop, which makes it more reliable than host software alone; it does, however, see only the traffic that crosses the provider's inspection point.

• Software updates are maintained reliably and frequently by the service provider.

• All devices within the office or home can be protected, independent of their operating systems.

• Network-based solutions can correlate information from multiple endpoints, making it easier to detect and protect against spam, worms, or distributed DoS attacks.

• Security services can increase service provider revenue.

• The perception by subscribers that one broadband service is more secure than others can provide competitive differentiation.

• These services minimize the chance of a subscriber or provider being blacklisted because of hidden botnets sending out spam.

• Network operations center and help desk costs can be minimized with network-based protection.

• Website-based and peer-to-peer bandwidth costs caused by outbound spam and distributed DoS traffic can be greatly reduced.

Network-based security services use packet-filtering technology to recognize malware, network exploit attempts, and spam. When a problem is identified, the traffic can be blocked or redirected to a Website that notifies the subscriber of the problem and proposes numerous actions.
The following sections discuss examples of secure broadband services.

Safe Harbor and Quarantine

The principle behind a safe-harbor service is to isolate all new hosts and proactively assess each host for potential vulnerabilities before it is allowed to join the network. If an infection is found, the subscriber is notified of the problem through redirection to a Website where the user is provided with a dialogue box with links to other sites with resources for remediation of the security problem. If the hosts pass this initial assessment, users are granted access to the network.
As shown in Figure 2, a new subscriber's traffic is identified and scanned for security problems. The packet-filtering device isolates the traffic through HTTP redirection: the new user is assigned the "safe harbor" service package and cannot proceed beyond the subscriber assessment page until assessment and, if necessary, remediation are complete. When the subscriber passes the post-remediation assessment, the subscriber can return to the subscription page to select a service package.

Figure 2. Safe-Harbor and Quarantine

The principle behind quarantine is to identify an infected host computer by monitoring and inspecting traffic. The infected host is then isolated from the network to prevent it from further spreading security problems. As with a safe-harbor application, the user is typically redirected to a site where the host is assessed and the subscriber is guided through the necessary remediation steps. The challenges with quarantine are to accurately identify an infected host and offer effective remediation.
To accurately identify infected hosts, the detection device needs to be located close to the attached users within the topology of the aggregation network, so that it sees all user traffic. A packet-filtering device is well suited to this role, because it sits in line in the aggregation network and provides detailed traffic analysis. The device uses heuristic and behavioral analysis to recognize security threats. After identifying an infected user device, the packet-filtering device can notify the subscriber of the problem through HTTP redirection to an assessment and remediation site. It can also alert a policy server through SNMP (for example, a trap), and the policy server can in turn enforce a traffic policy that redirects the subscriber's traffic to a task-specific VLAN or virtual routing and forwarding (VRF) instance. When remediation is completed, the subscriber's original subscription package is restored.
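
The two hard parts the text names, accurate identification and a controlled path back to normal service, are easiest to see in code. The following is an added example, not code from this paper or from Cisco. It applies a fan-out heuristic to flow records of the kind an in-line device would hold (many half-open connections from one source to one port across many hosts, or to many ports on one host), keeps a per-host service state covering safe harbor, active service and quarantine, and produces the HTTP redirect that isolated hosts receive. The thresholds, the portal URL and every flow record are constructed for illustration.

```python
# Added example, not code from the paper or from Cisco. Models the safe-harbor
# and quarantine flow: a fan-out heuristic over flow records, a per-host
# service state, and the HTTP redirect returned while a host is isolated.
# Thresholds, portal URL and all flow records are constructed.
from collections import defaultdict

ASSESSMENT_PORTAL = "http://assess.isp.example/"   # hypothetical portal
SCAN_MIN_HOSTS = 20    # distinct destinations on one port from a single source
SWEEP_MIN_PORTS = 15   # distinct ports on one destination from a single source


def constructed_flows():
    """Flow records as (src, dst, dport, tcp_flags). Flags of 'S' alone mean the
    handshake never completed, the usual fingerprint of scanning."""
    flows = [("10.1.0.8", "203.0.113.5", 443, "SA")]                               # ordinary browsing
    flows += [("10.1.0.23", f"198.51.100.{i}", 445, "S") for i in range(1, 41)]    # worm-style sweep of port 445
    flows += [("10.1.0.31", "192.0.2.9", p, "S") for p in range(20, 40)]            # port probe of one host
    return flows


def detect_scanners(flows):
    """Return {src: reason} for sources whose half-open fan-out exceeds a threshold."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))
    ports_per_host = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in flows:
        if flags != "S":
            continue
        hosts_per_port[src][dport].add(dst)
        ports_per_host[src][dst].add(dport)
    findings = {}
    for src, by_port in hosts_per_port.items():
        for port, hosts in by_port.items():
            if len(hosts) >= SCAN_MIN_HOSTS:
                findings[src] = f"horizontal-scan:port={port},hosts={len(hosts)}"
    for src, by_host in ports_per_host.items():
        for host, ports in by_host.items():
            if len(ports) >= SWEEP_MIN_PORTS:
                findings.setdefault(src, f"vertical-sweep:dst={host},ports={len(ports)}")
    return findings


class SubscriberGate:
    """Per-host service state: new hosts start in safe harbor, become active after
    assessment, drop to quarantine on detection, and return to their original
    package after remediation. The package itself is never modified."""

    def __init__(self):
        self.state = {}      # host -> "safe_harbor" | "active" | "quarantine"
        self.package = {}    # host -> subscribed service package
        self.reason = {}     # host -> why it was quarantined

    def join(self, host, package):
        self.state[host] = "safe_harbor"
        self.package[host] = package

    def pass_assessment(self, host):
        self.state[host] = "active"

    def quarantine(self, host, reason):
        self.state[host] = "quarantine"
        self.reason[host] = reason

    def remediate(self, host):
        """Post-remediation assessment passed: original package applies again."""
        self.state[host] = "active"
        self.reason.pop(host, None)

    def apply_findings(self, findings):
        for host, reason in findings.items():
            self.quarantine(host, reason)
        return sorted(h for h, s in self.state.items() if s == "quarantine")

    def handle_http(self, host, url):
        """What the in-line device does with a web request from `host`."""
        state = self.state.get(host, "safe_harbor")    # an unknown host is treated as new
        if state == "active":
            return ("forward", url)
        return ("redirect", f"{ASSESSMENT_PORTAL}?host={host}&state={state}")


def demo():
    """Three assessed hosts, a detection pass, then remediation of one of them."""
    gate = SubscriberGate()
    for host in ("10.1.0.8", "10.1.0.23", "10.1.0.31"):
        gate.join(host, "standard")
        gate.pass_assessment(host)
    isolated = gate.apply_findings(detect_scanners(constructed_flows()))
    before = gate.handle_http("10.1.0.23", "http://example.com/")
    gate.remediate("10.1.0.23")
    after = gate.handle_http("10.1.0.23", "http://example.com/")
    return isolated, before[0], after, gate.package["10.1.0.23"]
```

Two design points carry over to a real deployment. Only half-open connections count toward the fan-out, so a busy but healthy host that completes its handshakes is not flagged; and a host the device has never seen lands in safe harbor rather than in open service, so a new device on the line is assessed before it reaches the Internet. The redirect is issued for plain HTTP only; an isolated host's other traffic must be dropped or steered into the quarantine VLAN or VRF by the policy the paper describes, since a redirect cannot be injected into an encrypted session.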

Managed Firewall Service

Service providers can offer subscribers customer-premises-based managed firewall services that address specific SLA and reporting requirements, including regulatory requirements for data security. The service provides session-level application monitoring and stateful packet inspection applied separately to each individual user. User and security policies are enforced through communication with a RADIUS or other policy server. Users select from a predefined set of security policies that establish which protocols and IP addresses are allowed from inside to outside, and from outside to inside, of the firewall. Inspection parameters are defined in the same way.
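
The per-user aspect is what distinguishes this from a single shared edge firewall: each subscriber gets its own policy set and its own session table. The following is an added example, not code from this paper or from Cisco, of such a per-subscriber stateful filter. Outbound traffic is permitted only for services in the subscriber's policy set and creates a session entry; inbound traffic is permitted only as a reply to a live session or to a service the policy explicitly exposes; idle sessions expire. The policy sets, timeout and packet samples are constructed, and the filter tracks sessions by 5-tuple rather than following the full TCP state machine, which a production implementation would also do.

```python
# Added example, not code from the paper or from Cisco: a per-subscriber
# stateful packet filter. Policy sets stand in for what the paper says is
# selected by the user and delivered from a RADIUS or other policy server;
# the sets, the idle timeout and the packet samples are constructed.

# Which (proto, port) services may be initiated from inside to outside, and
# which may be initiated from outside to inside.
POLICY_SETS = {
    "basic": {
        "out": {("tcp", 80), ("tcp", 443), ("udp", 53)},
        "in": set(),
    },
    "gamer": {
        "out": {("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 27015)},
        "in": {("udp", 27015)},       # subscriber hosts a game server
    },
}
IDLE_TIMEOUT = 60  # seconds without traffic before a session entry is dropped


class SubscriberFirewall:
    def __init__(self, inside_ip, policy_set):
        self.inside = inside_ip
        self.policy = POLICY_SETS[policy_set]
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> last seen
        self.sessions = {}

    def _expire(self, now):
        stale = [k for k, seen in self.sessions.items() if now - seen > IDLE_TIMEOUT]
        for k in stale:
            del self.sessions[k]

    def filter(self, pkt, now):
        """Return 'permit' or 'drop' for pkt = dict(proto, src, sport, dst, dport)."""
        self._expire(now)
        proto, src, sport, dst, dport = (pkt[k] for k in ("proto", "src", "sport", "dst", "dport"))
        if src == self.inside:
            # Outbound: only services in the policy, and the session is recorded.
            if (proto, dport) in self.policy["out"]:
                self.sessions[(proto, src, sport, dst, dport)] = now
                return "permit"
            return "drop"
        # Inbound: a reply to a live session the inside host opened...
        key = (proto, dst, dport, src, sport)
        if key in self.sessions:
            self.sessions[key] = now
            return "permit"
        # ...or a service this subscriber's policy explicitly exposes.
        if (proto, dport) in self.policy["in"]:
            return "permit"
        return "drop"


def demo():
    """Constructed packet sequence against a 'basic' and a 'gamer' subscriber."""
    fw = SubscriberFirewall("10.0.0.5", "basic")
    out = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.1", "dport": 443}
    reply = {"proto": "tcp", "src": "203.0.113.1", "sport": 443, "dst": "10.0.0.5", "dport": 40000}
    probe = {"proto": "tcp", "src": "198.51.100.9", "sport": 51000, "dst": "10.0.0.5", "dport": 445}
    smtp = {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "203.0.113.2", "dport": 25}
    gamer = SubscriberFirewall("10.0.0.6", "gamer")
    join = {"proto": "udp", "src": "192.0.2.7", "sport": 27015, "dst": "10.0.0.6", "dport": 27015}
    return [
        fw.filter(out, 0),        # permit: outbound HTTPS is in the policy, session recorded
        fw.filter(reply, 10),     # permit: reply matches the recorded session
        fw.filter(probe, 10),     # drop: unsolicited inbound SMB
        fw.filter(smtp, 10),      # drop: outbound SMTP is not in the policy (blocks direct-to-MX spam)
        fw.filter(reply, 100),    # drop: session idle for 90 s, entry expired
        gamer.filter(join, 0),    # permit: this subscriber's policy exposes the game port
    ]
```

The fourth packet shows why the outbound direction matters as much as the inbound one in a provider context: a compromised PC that is denied direct outbound SMTP cannot join a spam campaign, which is exactly the blacklisting risk the previous section raised. The session table is keyed by the full 5-tuple, so a reply is accepted only from the host and port the subscriber actually contacted, not from anyone who guesses the source port.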

Anti-X Protections

For antivirus, antiworm, and other malware protection, network packet filtering combined with application- and subscriber-aware intelligence can detect and block known malware, and because the protection runs in the network, malware on the endpoint cannot disable it. Signature and software updates are maintained by the service provider. This type of network-based protection can greatly reduce help desk calls due to software incompatibility. Network-based solutions can also correlate information from multiple endpoints for effective worm, distributed DoS, and spam detection.

Conclusion

Through enhanced intelligence from network elements and technologies, service providers can gain new levels of subscriber and application awareness to better understand who their subscribers are, where they are, how they are using their authorized services, and when the policies that govern their use are applied. Solutions exist today that support both IP Multimedia Subsystem (IMS) and many other non-session-based applications.
Service providers can use this enhanced subscriber and application intelligence to offer many new services that can add revenue, increase customer loyalty, and add new network-based efficiencies that can reduce costs and enable applications to scale. As the array of broadband applications grows and evolves, application and subscriber awareness are vital features that will allow the experience provider of tomorrow to respond quickly to the demands of the newly empowered subscriber, at home, in the office, and on the go.

For More Information

Cisco IP NGN

Cisco Service Exchange Framework

Service Convergence