Geof, in fairness, I didn't scrutinize the concentrator alternative that I mentioned very closely "behind the curtains," since I wouldn't use it anyway, for reasons that I've already declined using them in the past. Those reasons are consistent with some of the issues you raised in your post. You may recall from my first message in this branch of discussion that I refused to use it already in my present location.
However, I am familiar with at least one multi-tenant, shared services arrangement that does boast individual security and firewalling for each tenant, but I'd have to go back in my notes to refresh my memory as to the specifics.
There are other non-DSL variations of what we've been discussing here which actually take a T1 or higher capacity line on the central office side of "the box," and provide routing functionality, backend-ed by variable speed ports (ranging from 56k, burstable to near T1 speeds) to end users in a statistical manner. These are not DSL in nature, but they appear to be the same thing, as they effectively do the same thing at the user account level.
I think that I've come across some premises DSL products that mimic Xedia's Access Point solution. If memory serves, they consist of multiport bursting, routing, security filtering and firewalling, at the user port levels. I'll see if I can come up with the names of these from my deskives, somewhere. scratch scratch...
Now that I think of it, I've also come across a situation where the Xedia's product was being used, and the real estate folks were billing it as a DSL type service. I thought to myself at the time that this was really some hot stuff, actually spoofing their way through the a sales situation in order to cull favor from their prospects, by saying it was dsl instead of something else. Marketing.
The concentrator variant of dsl which I described in my original post is, IMO, the most vulnerable to breaches due to the shared backplane nature of its makeup, as you, too, have picked up on. I was told, not by the real estate associate, obviously, but by some proponents of DSL premises design, that port level security filters now exist at layers two and above in some manufacturers units, although I don't know which ones.
I'd have to be sold on this with some means of proof before I believe in it, fully, however. I suspect that application layer encryption is always a means of double assurance in these matters, even when you do have firewalling, but it adds more complexity and dither to the process, which is just the opposite of what we want.
In previous posts on this thread you may recall my stating that the concentrator approach was the cheap-o way out (which, surprise, landlords, property owners, and the urban-gorilla genre of ISPs love to hear, which is what this is really all about) compared with going in with a more secure DSLAM approach.
I still maintain that notion. What we've stated here about security risk is only one of the consequences of going in on the cheap in this space. You have to pay one way or another, going in, or coming out. In this instance you must add another layer of security that would have otherwise been avoidable, or at least reduced to some extent, if a non-shared distribution environment had been implemented.
----------
What follows is an earlier article from Telephony Magazine on the concentrator approach from Amati's Tac Berry. It was written in '97, prior to the current generation of wares, but it's a good backgrounder and fyi piece behind the approach. Enjoy.
Regards, Frank Coluccio
internettelephony.com
=======================
"Powers of concentration"
As the number of ADSL users increases, an access concentrator can help provision and manage them more efficiently
BENJAMIN "TAC" BERRY
In the heated battle for market share, the local service provider's most formidable weapon is the twisted-pair copper that already connects all likely customers--now approaching 700 million--to a switching center. Asymmetrical digital subscriber line lets carriers capitalize on this singular asset and acquire rapid market share.
ADSL offers more than enough bandwidth for high-speed access to the burgeoning dial-up PC market. It also solves the network problems that extended data downloading times create and offers a migration path to the latest network infrastructures such as asynchronous transfer mode. Cable TV companies are bound to hybrid fiber/coax and increased subscriber investment; ADSL converts existing lines to megabit access ports.
To capitalize on the potential that ADSL offers, access to the customer infrastructure must be upgraded. The architecture for the data backbone must be implemented rapidly. And carriers must use an infrastructure that supports higher subscription rates over time.
An essential component of an infrastructure that can meet all these needs is a data/video access concentrator, which will permit a service provider to consolidate data traffic over the high-speed ADSL connections into a single high-speed data pipe for network interface, much like a digital subscriber line access multiplexer (DSLAM).
The key differentiating point between a DSLAM and a data/video access concentrator is that manufacturers offering or planning to offer DSLAMs typically envision an ATM-based design, whereas a data/video access concentrator is Internet protocol-based. Support for IP may facilitate the adoption of data/video access concentrators. A data/video access concentrator also enables a single ADSL connection to be used simultaneously for video and data transmission.
A flexible design
ADSL was originally intended for video transmission over phone lines. To meet this application, early ADSL services, as defined by Bellcore, were to include multiple downstream channels operating at 1.5 Mb/s and multiple duplex upstream channels totaling 640 kb/s.
Now the emphasis has shifted to data services, specifically Internet access. Rather than offering a single giant pipe to the user, however, a data/video access concentrator leverages the multipath capability defined in the early Bellcore specifications, offering two downstream paths totaling as much as 8 Mb/s, and two upstream data paths totaling as much as 640 kb/s over every ADSL link.
A data/video access concentrator can provide several advantages to the local communication services provider including consolidating the high-speed backbone connections for multiple subscribers.
Additionally, an access concentrator can allow better usage of rack space in the central office. In a typical application, the carrier would devote multiple shelves in the CO to support ADSL service. Each shelf could hold two concentrator cards that could support six modems each and would include a management interface card (Figure 1). The carrier could add concentrator, modem and management cards as needed to support new users.
The data/video access concentrator incorporates data level bridging of multiple TCP/IP data streams onto a common network interface.
In Amati's design, for example, the output from the data/video access concentrator to the network is a combination of 10BaseT connections for data and RS-422 connections for video. Using the multiple data channels per modem, an access system can then provide data and video channel access to each subscriber. The CO shelf concentrates the data traffic to a network Ethernet interface and provides individual serial interfaces for the video traffic.
At the CO, the data/video access concentrator includes external POTS splitters to separate the voice and data traffic from the combined telephone/ADSL signals in the twisted pair cable connection (Figure 2). A shelf configuration for the POTS splitter simplifies maintenance and CO distribution of the services.
Under control
As the number of ADSL customers increases, it will be increasingly important for carriers to manage a data/video access concentrator through a standard interface such as the simple network management protocol (SNMP). This can be accomplished by including an enterprise management information base (MIB) and an SNMP interface agent on the management interface card installed in each shelf.
The interface agent will be used to convert information about the transmission line, modem and configuration into the SNMP MIB structure. A management interface, supporting up to four shelves, or 48 modems, would deliver this information to an SNMP interface manager in a central location where all ADSL connections could be administered and maintained.
The management interface would support commands such as "get" to retrieve data, "set" to set a data parameter and "trap" to set an alarm parameter. The MIB would provide access to parameters such as performance of each ADSL line and modem, line statistics, noise margins and general system alarms. A 10BaseT connection on the master shelf should be reserved for transmitting management data.
The development of an access concentrator will be key to supporting widespread use of ADSL. A shelf system can provide a platform for future ADSL modem designs based on new generations of semiconductors and ADSL software. An access concentrator will enable upgrades to newer system protocols as service providers require them. From today's packet-based interface, an access concentrator can be extended to provide frame- or cell-based access in the future.
Benjamin "Tac" Berry is Vice President of Marketing for Amati Communications Corp., Sunnyvale, Calif. |
