The forwarding and processing capabilities of devices have improved significantly thanks to the rapid development of chip technologies and the dramatic increase in network bandwidth. For example, over the past 10 years, network bandwidth has increased from 10 Mbit/s to 100 Gbit/s, and processing capabilities of the forwarding plane have become much stronger.
However, software processing capabilities have seen only limited improvement because the control and management planes of a device run on the CPU. In the ultra-broadband era, larger bandwidth is required between terminals and network elements (NEs), making it easier to carry out flood and other DoS attacks.
As industry standards continue to evolve, devices may be designed with insecure access channels using protocols such as SNMPv1/v2 and Telnet to facilitate management and inheritance. Even though these access channels lack security, they are not replaced with higher-security ones using SNMPv3 or SSH. (SNMP is short for Simple Network Management Protocol, and SSH is short for Secure Shell.) If these insecure access channels are improperly used, information leaks may occur. In addition, malicious users may exploit these channels for unauthorized access.
Because such channels use insecure protocols that lack integrity checks, they are also prone to man-in-the-middle attacks, in which attackers tamper with protocol messages in order to launch attacks.
The open nature of IP networks makes the network architecture more flexible, but it also brings high security risks.
IP networks do not provide an authentication and authorization mechanism for terminal access, meaning that any terminal can gain network access. As long as the IP address of the target device is reachable, attackers can access an IP network and launch attacks. Attackers may also initiate attacks on a device by simulating massive numbers of source IP addresses using address spoofing.
These security risks may expose networks to a variety of attacks, such as address spoofing attacks, replay attacks, malformed packet attacks, network viruses, message tampering, and traffic flooding.
Telecom networks are typically large and complex entities that involve large numbers of network nodes, flexible but complex access channels, and diversified communication protocols. Consequently, management of telecom networks is often a difficult task. During the design of network security, it is important to consider service capabilities, service flexibility, and ease of management and maintenance. However, these considerations often conflict, and resolving the conflicts often involves diversified solutions, as carriers and administrators have different technical and management capabilities.
Due to the preceding characteristics, telecom networks cannot be designed with consistent security policies, posing a variety of security risks. These risks may be exploited to initiate virus infections, unauthorized access, and penetration attacks based on NEs.
Because devices usually have complex configuration models, administrators may neglect security protection capabilities in the pursuit of service availability. As a result, necessary security measures are not configured, meaning that the security capabilities of devices are underutilized. The configuration of device security is a complex task that requires experienced engineers — inexperienced engineers may sacrifice security for service availability.