Fundamental Precautions You Should Take to Secure Your Network
DOCSIS security wholes are a serious problem, even if you are a major MSO (Multiple System Operator). Recently a reader contacted me and said that theft of service, especially uncapping cable modems via hacking, was still impacting his network. Not surprisingly, one vendor’s CMTS was able to ward off the hacker’s while another vendor’s CMTS was unable to prevent the uncapping and subsequent theft of service. I will protect the vendor’s identities because I believe that the CMTS is the first line of defense. Vendors have put into place very effective, CMTS specific techniques, such as Cisco’s TFTP-Enforce which prohibits a cable modem from registering and coming on line if there is no matching TFTP traffic through the CMTS preceding the registration attempt. But often individual techniques are “hacked” (such as in the TFTP-Enforce bypass method found on hacker sites). What this indicates is that any reliance on a single point or method of hack-proofing your network WILL NOT WORK. You must implement a layered approach consisting of a number of CMTS, DHCP, TFTP and potentially SNMP and Kerbos related methods. The later would apply for MTAs and set top boxes. For now we will just focus on cable modems and the realm of CMTSs and DHCP/TFTP servers. Here are is the bare minimum of what you should be doing:
