The Expanding Arm of Regulation

One would expect the regulation of telcos in this country to be decreasing. For the most part the various state regulatory commissions regulate two things – telephone service (and related TDM based data service) and companies that own physical networks. But residential landline usage has been dropping drastically over the last five years and is now under 50% in some states (something I will talk about in Monday’s blog).

States generally have regulated a few different areas having to do with telephone service. Years ago they regulated prices for both residential and business telephone products. But business telephony has generally been competitive for over a decade and most commissions stopped regulating business services. Most states still regulate the price of a residential landline although some have given up on that as well. States have given up on regulating long distance rates as well. States have regulated customer service policies such as how a company can disconnect a non-paying customer. States still actively regulate 911 services and other safety-related issues.

But the amount of regulation of telephone service has decreased drastically. With business services deregulated or detariffed and with residential landlines disappearing quickly, it seems like there is little left to regulate. Further, there are whole new ways of delivering voice services using IP, and most states do not regulate VoIP providers, except maybe in areas like 911.

States still are involved in regulating physical networks. For physical networks states regulate things like pole attachments and rights-of-way. And states are the arbiter of disputes between carriers. States don’t specifically regulate interconnection agreements, but they are often called on to settle disputes between carriers on these issues.

Overall, one would expect the activity at state commissions to have decreased. But from what I can tell it has not. States seem to be holding more hearings and opening dockets to regulate those areas that are still under control. I once said that I thought that with all of the changes in the industry that state commissions might largely fade away from the telco world from lack of things to regulate. But a wiser friend reminded me that regulators will regulate and that they will find ways to justify their existence.

Today I actually see several areas where commissions are expanding their regulatory reach. For example, the California Public Service Commission just issued a certificate of public convenience and necessity (CPNC) to Schat Communications. Schat is a classic ISP, and to any extent that they offer telephone service it’s through VoIP. Schat has never needed a license from the state to operate before (like most ISPs and WISPs).

But California has established the California Advanced Services Fund (CASF) which is providing some funding to companies who will build last mile in very rural areas. Schat and a number of other ISPs have found themselves having to become regulated in order to apply for these funds. Once they have a CPNC they are regulated in California in the same manner as other telephone companies.

And the same thing is happening elsewhere. Under the FCC rules, anybody seeking funding from the various programs that are part of the Connect America Fund (formerly the USF Fund) must obtain status as an Eligible Telecommunications Carrier (ETC). This was a certification that telephone companies have always needed to get federal USF funds, and now the FCC has extended that requirement to anybody who wants funding from the CAF to build or extend last mile facilities. In most states a carrier has to be certified (meaning regulated) in order for the state to grant them ETC status.

While we have less and less historic telephony happening we are seeing a new wave of companies being required to become certified as telephone companies. I think my friend was right and regulators will regulate.

Two Books on Network Security

VoIP-for-whom (Photo credit: Saad Faruque)

There are two books on network security that any network manager ought to read. It’s almost impossible to develop a network with no vulnerabilities because the dangers to networks seem to be growing faster than network administrators can keep up. I think anybody who is operating a network ought to read the following two books. They give a lot of practical advice about how to protect your network from the many threats that can damage your network and your business.

Hacking Exposed by Stuart McClure, Joel Scambray and George Kurtz. The first version of this book came out in 1999 and is now up to the seventh edition. One would expect that there soon will be an eighth edition. The authors are industry experts. Stuart McClure has been the CTO of both McAfee and Intel. Joel Scambray was a senior director of security for Microsoft and has gone on to found successful security consultancy companies. George Kurtz is co-founder and CEO of CrowdStrike, a big data security company. Additionally they have brought in guest authors from other parts of the industry.

This is an industry standby and lays out network security by discussing ways that security can be breached. The book covers two primary topics. First it describes the basics of hacking and the approaches that hackers take to violate networks. This is the basic stuff that every network engineer ought to know about. It covers hacker techniques like enumeration, footprinting, database hacking, operating system detection and many other techniques. And it describes the basic network security techniques that are used to protect against each of these kinds of threats.

The book then covers more specific examples of hacking, and this is the section of the book that gets quickly out of date as hackers change their techniques to bypass security measures. However, the real-life examples given are fascinating and provide a detailed look into how hackers think and work. But these examples are often somewhat dated by the time they make it into the latest edition. So this is not a book that tells you every step you should take with your network today, but instead is a primer to teach network engineers how hackers think. Used in that manner this book ought to be required reading for anybody operating an IP network.

Securing VoIP Networks by Peter Thermos and Ari Takanen. This new book is a compendium of the kinds of threats that can disrupt a VoIP network (or any IP network for the most part). Many of the threats discussed are specific to VoIP while others are more generic and concern general network security.

This book is probably the best basic compendium of issues that affect VoIP security. It describes each of the basic different technologies that are used to provide VoIP. It then goes on to describe the kinds of problems that can be found in VoIP networks. It lists well over two dozen major problems that range from network design flaws to hacking vulnerabilities. It includes such topics as insufficient verification, too low resources, password management, authentication, error handling and lack of a fallback system. For each VoIP network vulnerability it then discusses ways to mitigate each type of problem.

This book should be required reading for anybody who is thinking about launching a new VoIP network. It will provide you with a wealth of knowledge that will stop you from making common mistakes. But this also ought to be required reading for anybody who is going to purchase a significant amount of VoIP from somebody else. There are literally hundreds of companies today operating VoIP wholesale networks and they are not all the same. This book will arm you to ask the right questions about a potential VoIP vendor rather than mindlessly going for the lowest price.