Converged broadband networks offer tremendous opportunities for service providers and their customers. As a shared medium, broadband is a vehicle for new blended media applications, a foundation for commercial efficiency gains, and a playground for collaboration across the human network. But there are risks as well as rewards to participation in the broadband community. Users can become victims of computer viruses, botnets, phishing scams, and other malware and their computers can be used to incubate or host threats to others in the broadband community. These users need protection. Just as individuals are willing to pay to keep their homes and personal property protected with security locks and alarms, network subscribers require and are willing to pay for security for their data and intellectual property: security that provides privacy and effectively combats intrusion attempts. Such security also protects the broadband community from the spread of malware and disruption of service.
Service providers must provide effective network security as threats to broadband networks grow and evolve. Network-based protection from Cisco® goes beyond PC software to protect all converged services, including data, voice, video, and mobility-enabled applications. With residential subscribers and businesses willing to pay a premium for network security, service providers have a major opportunity not only to protect their own networks and the assets of broadband communities with network-layer protections but also to generate new revenue by offering subscriptions to additional personalized security services.
This paper presents the Cisco Secure Broadband offer, which protects broadband community assets while also offering personalized, self-service features to meet the security needs of individual users and managed and hosted security services for businesses - all of which help service providers deliver a very high quality of experience in converged broadband networks.
Overview: The Need for Network-Based Security
Throughout the world, broadband adoption continues to expand (Figure 1). As it does, protection is increasingly needed from the accompanying expansion of malicious and criminal activity on the Internet.
Figure 1. Worldwide Broadband Service Subscriptions
Source: IDC 2006
At the 2007 RSA conference, Greg Garcia, the U.S. Department of Homeland Security's assistant secretary for cyber security and telecommunications, said security is threatened by the reliance on the Internet or converged networks for communications, including the use of voice, video, and data as well as other services. "This proliferation of devices and applications within converged networks is going to create a breeding ground for security problems," said Garcia. Recent statistics support this view: In the final three months of 2006, the U.S. Computer Emergency Readiness Team (US-CERT) received nearly 20,000 security incident reports from public and private sources compared to 23,000 for the preceding 12 months.
The 2006 InformationWeek and Accenture Global Security Survey of 2193 global business technology and security professionals found that rates of reported attacks on customer records and identity theft had doubled from 2005. In January 2007, security e-mail services vendor MessageLabs reported that one in every 93.3 e-mails contained some form of phishing attack and that phishing had now overtaken virus attacks in their prevalence. And a February 2007 article in Newsweek Magazine identified "spear phishing" as one of the newest forms of attack whereby cyber criminals target individuals with personalized e-mails using information about the individual they have obtained. According to the Federal Bureau of Investigation, the method has proved so profitable that a large number of spear phishers have begun using the tactic to issue death threats to extort money.
Microsoft scanned the PCs of 270 million consumers and small businesses that used its free scanning tool between January 2006 and March 2006 and found malicious computer code on 5.7 million PCs, including 3.5 Trojans, most of which turned the PCs into botnets communicating over a private messaging channel to a controller. Significantly, 20 percent of these PCs had been disinfected before and had become re-infected.
Residential and business users are well aware of virus and worm attacks and the amount of unsolicited e-mail they receive each day. Yet still relatively few users know that their computers can be "hijacked" by powerful remote programs that turn their machines into botnets that can launch attacks or forward large quantities of unsolicited e-mail.
Protections on the broadband network must also include regulation of users who abuse network resources without malicious intent. Some customers, for example, want to broadcast information over the network or otherwise monopolize bandwidth. Other users want safeguards to prevent access to offensive content and protection from unsolicited e-mail. Customers want to know when a security breach has occurred and how to remedy it.
Desktop software is not enough. Many users do not install it and others do not understand how to properly use or update it. And with converged networks, PCs are no longer the only potential source for or victim of a security breach - mobile devices, VoIP devices, IPTV set-top boxes, and appliances participating in the broadband revolution are all potential victims of malware or hostile attack. Call centers are not the only answer; security-related incidents are too numerous and too expensive for service providers to address with call center staff alone, and response time is inadequate. Yet security problems must be dealt with; bad publicity around security breaches can severely damage a service provider's reputation.
Solution
Service providers have a major role to play in helping to safeguard public and private networks by deploying a comprehensive network-based solution. The Cisco Secure Broadband Solution simultaneously protects the broadband community while also offering personalized, self-service features and managed security services for residential and business customers. With end-to-end network intelligence that can identify users and distinguish between their individual services, Cisco Secure Broadband meets the security needs of subscribers while helping service providers lower operational costs and effectively address network security and personalization to deliver the highest quality of experience with broadband networks.
The Cisco Secure Broadband Solution implements the Cisco IP Next-Generation Network (IP NGN) security architecture and uses Cisco security technologies to detect, isolate, and remedy intended and accidental threats to broadband assets. The solution includes:
• Cisco IP NGN Carrier Ethernet Design: A converged residential and commercial broadband network design that securely offers multimedia services while providing comprehensive visibility and threat control to the broadband community
• Cisco Personalized Security Services: Network additions and solution extensions to the IP NGN Carrier Ethernet Design to reduce junk e-mail, protect subscribers from viruses and worms, provide privacy protection against phishing, and enable personalized content categorization to monitor, control, or restrict access to network-based applications and content
• Cisco Hosted and Managed Business Security Services: Managed customer premises equipment (CPE) additions and solution extensions to the IP NGN Carrier Ethernet Design to efficiently and lucratively host and manage security services for businesses
• A Secure IP NGN Infrastructure: The IP NGN security blueprint is built on three main areas of focus:
– Operational processes for compliance to regulatory requirements, establishment of service-level agreements (SLAs), and structured as well as automated security processes
– Technologies including platforms and tools to embed, enable, manage, and monitor security compliance, and integration of these technologies across the network
– Solutions that provide automated network-level protection from distributed-denial-of-service (DDoS) attacks and identity theft; managed and hosted security services for businesses; and personalized security services to customize content access restrictions, reduce unsolicited e-mail messages, defend users from viruses, and more
Cisco IP NGN Operational Process Model
The Cisco Operational Process Model for Service Provider Security, Figure 2, addresses how a service provider can effectively deliver more services with better efficiencies and greater security.
Figure 2. Cisco Operational Process Model for Service Provider Security
This model is a proactive threat-mitigation approach that goes beyond a single box or technology. It anticipates the shortage of operational security expertise and helps minimize threats that cannot be completely controlled while controlling those that can. By formalizing a process model and linking it with technologies within the Cisco ServiceFlex design, Cisco offers a comprehensive security solution that reduces operational expenses for securing a rapidly expanding network. It provides technologies that bring total visibility and control of security threats at every layer in the network while simultaneously providing individualized feature choices that can be offered as profitable new subscriber services.
Cisco Security Technologies
Figure 3 shows some of the Cisco Layer 3 technologies that contribute to the Cisco Secure Broadband Solution.
See references at the end of this paper for a comprehensive list of Cisco IOS® Software-based security features.
Cisco Security Design and Security Solutions
Cisco IP NGN Carrier Ethernet Design
The Cisco IP NGN Carrier Ethernet design, Figure 4, combined with specific security solution components and Cisco Service Exchange products, safeguards broadband community assets and provides options to offer personalized security services as additional fee-based services.
The Cisco IP NGN Carrier Ethernet design partitions and secures per-service flows across the converged network design. This not only optimizes per-service resource allocation across the network but serves to further isolate any potential security breach from impacting neighboring service flows within the network.
Figure 4. Cisco IP NGN Carrier Ethernet Design
The Cisco IP NGN Carrier Ethernet design is unique in the industry, taking advantage of intelligence at Layer 3 for per-service segregation that makes it easier to isolate questionable network behavior. For example, the service flow for a user who downloads an infected video file from the Internet can be automatically redirected to a security self-service Web portal to inoculate the PC and get rid of the virus before it spreads to other users in the broadband network. This Internet service flow is completely isolated from secure IPTV flows servicing the same household, which can bypass file content inspection.
The Cisco IP NGN Carrier Ethernet design provides direct visibility and control to guard against threats to the broadband community, including:
• Reconnaissance, the unauthorized discovery and mapping of systems and services with the intent to use the information to launch attacks
• DDoS attacks, which disrupt network services by overwhelming network resources
• Unauthorized access to network equipment with the goal of compromising the network or the service or of using the system as an agent for a DDoS attack
• Collateral damage, which refers to the aftereffects of an attack on the network; for example, a DDoS attack that traverses that network can cause network equipment to experience CPU overload, drop good traffic, or crash
• Service abuse, which attempts to exploit weaknesses in application protocols that have been inadequately implemented or do not adequately account for error conditions or anomalies
In addition to the security features and technologies that come as an integral part of the routers and switches in the Cisco IP NGN Carrier Ethernet design, Cisco offers security-specific service modules for the Cisco Catalyst® 6500 Series Switches and Cisco 7600 Series Routers deployed in the Cisco IP NGN. These include:
• Cisco Catalyst 6500 Series Firewall Services Module is a high-speed, integrated firewall module for the Catalyst 6500 Series and Cisco 7600 Series that provides among the fastest firewall data rates in the industry: 5-Gbps throughput, 100,000 connections per second, and one million concurrent connections.
• Cisco Catalyst 6500 Series Intrusion Detection System Services Module is an intrusion prevention system for safeguarding organizations from costly and debilitating network breaches and helping ensure business continuity.
• Cisco Catalyst 6500/Cisco 7600 Router Anomaly Guard Module uses complex antispoofing, anomaly recognition, antizombie, and dynamic filtering algorithms to differentiate between legitimate traffic and attack traffic at multigigabit speeds to stop the broadest range of DDoS attacks.
• In addition to the modules, the DDoS Protection Solution helps providers take a proactive approach to protecting their own networks and customer data from harmful DDoS attacks.
The Cisco Service Exchange Framework offers the unique capability to inspect and control per-subscriber application characteristics. This capability further protects broadband community assets against DDoS attacks, viruses, botnet propagation, and more, while giving service providers the option to offer reliable network-based personalized security services for additional subscription fees. Two Service Exchange Framework products in particular, the Cisco Service Control Engine (SCE) and Intelligent Services Gateway (ISG), provide new and unique levels of awareness and protection necessary for offering network-based personalized security services. Both products reside in the aggregation or edge network and are not installed on the customer premises.
Cisco Service Control Engine
The Cisco SCE 1000 and 2000 Series Service Control Engines (Figure 5) are carrier-grade network elements designed for high-capacity stateful application- and session-based classification and management of application-level IP traffic per subscriber. The Cisco SCE inspects packet flows and fully reconstructs flows and the Layer 7 state of each application flow, making the network application- and subscriber-aware. The Cisco SCE can differentiate between different types of traffic, prioritize traffic flows, and thereby optimize the network to meet specific SLAs. Cisco SCE reporting and monitoring applications can provide data about top users, top applications, peak flows, and many other metrics to enable the service provider to continuously monitor the service quality and respond immediately to any problems.
Figure 5. Cisco SCE 2000 Series Service Control Engine
Deployments requiring high reliability can be supported by two Cisco SCE 2000 Series SCEs in a cascading configuration. One processes the IP traffic of two links while sharing state information with the secondary Cisco SCE, which takes over in case of a failure of the primary Cisco SCE.
The Cisco SCE is deployed at the network edge or aggregation layer, as close to the subscriber as possible (Figure 6). In the basic implementation, the Cisco SCE inspects packets and flows at the application level. Traffic records are reported to the Cisco SCE Collection Manager device, which provides data to the SCE reporting tool, including information about top users, top applications, and peak flows. To create services, the Cisco SCE Subscriber Manager is used: a software package on a server that integrates with an existing authentication, authorization, and accounting (AAA) or Dynamic Host Configuration Protocol (DHCP) server.
Figure 6. Network Topology with the Cisco Service Control Engine
Cisco Intelligent Services Gateway
Available in intelligent edge routers such as Cisco 7301 and Cisco 7200 and 10000 Series, the Cisco ISG automatically detects when users are accessing the network and determines both the type of service each user wishes to access and the type of client device that is being used. The Cisco ISG has the intelligence to manage access to various types of services, both Internet Multimedia Subsystem (IMS) and other services, by many different types of devices.
Figure 7. Cisco Products that Offer the Cisco Intelligent Services Gateway
The Cisco ISG is a very scalable solution based on years of Cisco experience deploying subscriber management and policy control for large broadband networks in Cisco IOS Software (Figure 8). The Cisco ISG handles traffic at Layer 2 and Layer 3, offering service providers an opportunity to provision their networks with intelligent policies, which can be defined and triggered to deliver services based on identity of the subscriber or any events that occur in the session lifecycle.
Figure 8. Cisco Intelligent Services Gateway
The Cisco ISG provides these benefits to all broadband applications, allowing them to be accessed from multiple types of network devices - from mobile phones to laptops and personal digital assistants (PDAs) - and from multiple access points in the network. Features include:
• Multidimensional identity capabilities simplify authentication using a single sign-on from any access point and build an extensible subscriber profile to enable high-quality, tailored service delivery.
• Integrated policy management allows service providers to dynamically apply QoS on a per-subscriber basis. By distributing network intelligence, Cisco provides for more scalable and efficient policy administration.
• Dynamic personalization allows transparent application of subscriber-specific personal preferences to enhance overall application performance.
• Operational integration simplifies the network management of multiple services. With broad cross-platform interoperability, the Cisco ISG acts as an open integration point that bridges service-to-network administration functions and eliminates the redundancy of multinetwork operations, allowing providers to speed new service offerings to market.
The Cisco ISG and SCE offer more than extensions to the Cisco IP NGN Carrier Ethernet design security. Their ability to identify individual users as well as the specific applications and services in use enables another facet of Secure Broadband: personalized security services.
Cisco Personalized Security Service Applications
Service providers must help stop the spread of worms and viruses by the insecure PCs of unaware users. They must empower users to neutralize botnet attacks that seize their PCs, propagate junk e-mail, and launch DDoS attacks. Self-service features are possible with the Service Exchange Framework and Cisco service-control solutions that alert subscribers to malware and then let them disinfect their computers. Service providers can offer these features and many others as Personalized Security Services that can be deployed as new sources of revenue. Giving the subscriber these new security tools can also reduce call center workloads and costs by making it easier for subscribers to resolve threats and self-configure security settings. Examples include:
Self-Service Security Management
If a residence is infected with malware that threatens broadband community services, the offending service is isolated and the user is redirected to a self-service station to prevent the malware from spreading (Figure 9). At the Web-based self-service station, the user is guided through potential remedies to the security threat. This service applies to all subscribers to protect the broadband community.
Figure 9. Self-Service Security Management
A Cisco SCE located close to the subscriber within the aggregation network can analyze all user traffic using heuristic and behavioral analysis to recognize security threats. The Cisco SCE processes traffic directly and can optionally direct suspicious traffic to peer value-added services (VAS) server systems, such as virus scanners, for additional inspection. After identifying an infected user device, the Cisco SCE can notify the Cisco ISG to issue a Layer 4 redirect - using HTTP, FTP, and Simple Network Management Protocol (SNMP) - to transfer the subscriber to the Self-Service Security Management application for remediation. Alternatively, the Cisco SCE can be configured with a service to mark traffic for redirection.
Two methods can be used to automate the process of guiding users to Self-Service Security Management. "Safe Harbor" directs the user to a self-service station at sign-on to scan for required preconditions (such as supported equipment, operating system, and configuration) and remediate any issues before the network session begins. "Quarantine" responds to violations during an active session and dynamically restricts the offending use until a remedy is selected from the self-service station.
Personalized Content Categorization and Access Restriction
Residential broadband subscribers can classify and customize restrictions to Internet content to protect their children from what they consider inappropriate content. The enforcement of the security content compliance policy uses the "safe-surfing" capability of the Cisco SCE. The Cisco SCE performs a lookup against a pre-provisioned URL list to determine whether the request is for a restricted Web page. If there is a match, the Cisco SCE blocks the request. If the Web page is not on the URL list, the Cisco SCE permits the request. The carrier-grade design of the Cisco SCE allows for real-time classification of HTTP requests against the list of URLs without any noticeable delay in network performance. The Cisco SCE can store a list of up to 100,000 URLs. The joint Cisco SCE-SurfControl solution offers even more granular content management control and flexibility. In this solution, traffic that is authorized by the Cisco SCE pre-filter is redirected to the SurfControl Content Portal Authority (CPA) server for further analysis against a more granular subscription service controlled by the SurfControl Web-based subscription service. The CPA server responds to the Cisco SCE with a category for the requested URL. These URL categories are stored in a local cache on the Cisco SCE for improved performance and scalability. This network-based solution can be offered as a fee-based self-selection service.
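The two-stage lookup described above, as an added illustration (not Cisco's or SurfControl's code): an exact match against the pre-provisioned restricted-URL list, then a category lookup against a stand-in for the CPA server whose answers are cached locally and checked against the subscriber's chosen policy. The categorizer, its constructed answers, and the assumption that a host-only list entry covers every path on that host are this example's own.

```python
# Added example (not Cisco's code): two-stage safe-surfing lookup.
# Stage 1 checks the request against the pre-provisioned restricted-URL list
# and blocks on a match. Stage 2 sends anything else to a categorization
# service (the CPA server in the paper, stubbed here with constructed data),
# caches the returned category locally, and applies the subscriber's policy.
from collections import OrderedDict
from urllib.parse import urlsplit


def normalize_url(url: str) -> str:
    """Canonicalise a URL to 'host/path' so trivial variants (scheme, host
    case, port, query string, fragment) cannot slip past a list match."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url            # bare host names are accepted as http
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # .hostname already strips the port
    path = parts.path or "/"
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return f"{host}{path}"


# Constructed sample answers standing in for the categorization service.
CONSTRUCTED_CATEGORIES = {
    "games.example/": "gaming",
    "news.example/world": "news",
}


def constructed_categorizer(key: str) -> str:
    """Stub for the CPA category lookup; keys are normalized URLs."""
    return CONSTRUCTED_CATEGORIES.get(key, "uncategorized")


class SafeSurfFilter:
    def __init__(self, restricted_urls, categorizer, cache_size=10_000):
        # The paper puts the on-box list at up to 100,000 URLs; a set gives
        # constant-time exact lookup at that size.
        self.restricted = {normalize_url(u) for u in restricted_urls}
        self.categorizer = categorizer
        self.cache = OrderedDict()       # normalized URL -> category, LRU order
        self.cache_size = cache_size
        self.lookups = 0                 # calls that actually reached the categorizer

    def _category(self, key: str) -> str:
        if key in self.cache:
            self.cache.move_to_end(key)  # refresh LRU position on a hit
            return self.cache[key]
        self.lookups += 1
        category = self.categorizer(key)
        self.cache[key] = category
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)   # evict the least recently used entry
        return category

    def decide(self, url: str, blocked_categories) -> tuple:
        """Return ('block' | 'permit', reason) for one HTTP request.

        Assumption (not stated in the paper): a list entry with no path, such
        as 'nasty.example', is treated as covering every path on that host."""
        key = normalize_url(url)
        host = key.split("/", 1)[0]
        if key in self.restricted or f"{host}/" in self.restricted:
            return ("block", "restricted-list")
        category = self._category(key)
        if category in blocked_categories:
            return ("block", category)
        return ("permit", category)
```

The `lookups` counter makes the cache effect visible: a second request for an already categorized URL is answered locally without another round trip to the categorization service.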
E-Mail Source Control
Intelligence in the Cisco SCE can alert the service provider to statistically significant amounts of e-mail generated from any source entering the network. This feature can be used to correlate, detect, and block unwanted e-mail originating from a residential broadband customer. This capability can also be used as a pre-filter to offload on an as-needed basis the redirection of Simple Mail Transfer Protocol (SMTP) or HTTP e-mail traffic onto a more advanced detection device. Providers can deploy this solution as an operational service for all subscribers to assure fair use and proper registration of junk e-mail producers within the network. The Cisco SCE can detect and redirect unregistered sources of e-mail to the security self-service station to obtain remediation instructions, such as how to register as an online e-mail distributor or other usage policy reminders or restrictions.
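The volume check described above, as an added example (not Cisco's code) run over constructed flow records: each subscriber's outbound SMTP connection count in a window is compared with the other subscribers' counts, a source that stands out and is not registered as an e-mail distributor is marked for redirection to the self-service station, and a registered bulk sender is recorded but left alone. The thresholds, the leave-one-out z-score, and the destination fan-out signal are assumptions of this example, not figures from the paper.

```python
# Added example (not Cisco's code): per-source e-mail volume check over
# constructed flow records of the form (timestamp, subscriber, dst_ip, dst_port).
from collections import defaultdict
from statistics import mean, pstdev

SMTP_PORT = 25


def constructed_flows():
    """Constructed flows standing in for what the SCE sees on the aggregation link."""
    flows = []
    # Four ordinary subscribers: a handful of messages to the provider's relay.
    for i, sub in enumerate(["sub-101", "sub-102", "sub-103", "sub-104"]):
        for n in range(3 + i):
            flows.append((100 + n * 60, sub, "198.51.100.25", SMTP_PORT))
    # sub-105: 200 direct-to-MX connections fanned out over 150 hosts, the
    # pattern of a PC sending junk mail on a controller's behalf.
    for n in range(200):
        flows.append((100 + n, "sub-105", f"203.0.113.{n % 150 + 1}", SMTP_PORT))
    # sub-106: a newsletter sender with similar fan-out, registered with the provider.
    for n in range(120):
        flows.append((100 + n, "sub-106", f"192.0.2.{n % 40 + 1}", SMTP_PORT))
    # Non-SMTP traffic that the check must ignore.
    for n in range(50):
        flows.append((100 + n, "sub-101", "198.51.100.80", 443))
    return flows


def smtp_activity(flows, window_start, window_end):
    """Per-subscriber outbound SMTP connection count and distinct destination
    count inside [window_start, window_end)."""
    conns = defaultdict(int)
    dests = defaultdict(set)
    for ts, sub, dst_ip, dport in flows:
        if dport == SMTP_PORT and window_start <= ts < window_end:
            conns[sub] += 1
            dests[sub].add(dst_ip)
    return dict(conns), {s: len(d) for s, d in dests.items()}


def anomaly_score(conns, sub):
    """Leave-one-out z-score: how far this subscriber's SMTP count sits from
    the other subscribers' counts. Excluding the subscriber itself keeps one
    heavy sender from inflating the baseline it is measured against."""
    others = [c for s, c in conns.items() if s != sub]
    if not others:
        return 0.0
    spread = max(pstdev(others), 1.0)      # floor avoids division by ~0
    return (conns[sub] - mean(others)) / spread


def classify_sources(conns, dests, registered, min_conns=20, z_threshold=3.0, min_dests=10):
    """Decide per subscriber: 'redirect' (unregistered bulk source, send to the
    self-service station), 'registered' (bulk but declared), or 'ok'."""
    actions = {}
    for sub, count in conns.items():
        bulk = count >= min_conns and (
            anomaly_score(conns, sub) >= z_threshold or dests.get(sub, 0) >= min_dests
        )
        if not bulk:
            actions[sub] = "ok"
        elif sub in registered:
            actions[sub] = "registered"
        else:
            actions[sub] = "redirect"
    return actions


def run_check(flows=None, registered=frozenset({"sub-106"}), window=(0, 1000)):
    """Run the whole check; defaults use the constructed flows and window."""
    flows = constructed_flows() if flows is None else flows
    conns, dests = smtp_activity(flows, *window)
    return classify_sources(conns, dests, registered)
```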
Junk E-Mail Filtering and Reduction
Service providers can also use the Cisco SCE to better scale services to filter and manage junk e-mail destined for an individual. Providers can offer a fee-based self-selection service that uses the Cisco SCE to identify and block unwanted e-mail before it reaches the subscriber. The service for letting individuals further classify e-mail is managed as a combination of the content-classification feature and third-party e-mail filtering agents. It provides additional protection on top of the malicious traffic-monitoring service to identify and block unwanted e-mail headed to subscribers.
Personal Network Protection
Cisco network intelligence in combination with third-party security systems can detect and block known malware and prevent privacy probing and virus or worm attacks on residential subscriber devices. Service providers can offer a fee-based self-selection service or offer the service at no additional charge as part of their residential broadband service. Within the Cisco IP NGN Carrier Ethernet design, the Cisco Firewall Services Module in the Cisco Catalyst 6500 Series and Cisco 7600 Series and the personal firewall characteristics in the Cisco 7200 Series can be used to build a firewall between a personal network, broadband neighbors, and the rest of the Internet. This protects the residential subscriber from snooping, probing, and unauthorized access. And because the Cisco Firewall Services Module is part of the Managed Security Services offer, the service provider can use the same platform to sell advanced and managed firewall services to enterprises or small and medium-sized businesses while providing basic service for residential subscribers at a reduced capital cost. The Cisco ISG's ability to dynamically apply per-user access control lists (ACLs) adds an additional set of controls to the traffic that is permitted or denied entry into a residential subscriber's device. Finally, the Cisco SCE's ability to interact with a third-party malware detection and "traffic scrubbing" service is used to offer individual subscriptions to monitor all incoming content before it reaches the personal network device, to help ensure that potential threats are identified and blocked completely in accordance with personalized security policies.
Propagation Protection for Viruses, Spyware, Phishing, and Other Forms of Malware
Consider the following scenario: A residential subscriber's PC has been infected with a worm and is instructed to propagate its infection by sending the malicious code to other vulnerable machines over the Internet. The worm may also be instructed to "phone home" and send confidential data back to the controlling machine. The malicious code may be sent when the subscriber attempts to browse the Internet. The Cisco SCE detects the worm and forwards the subscriber's traffic with a special VLAN tag assigned in the Cisco SCE for the antivirus service. The VAS server runs through a series of real-time security checks and analyzes the content for malicious code. If it discovers that the content contains a harmful worm or is attempting to send out confidential information, the VAS server terminates the transmission. The next time the subscriber attempts to send data, the VAS server displays a message on the subscriber's machine notifying them that the machine is infected and has attempted to upload a virus. This notification can be combined with self-remediation suggestions, allowing the subscriber to download antivirus software and install software or OS updates.
IPTV Security
Cisco offers the industry's first IPTV network solution that uses the Cisco ServiceFlex network design to optimize and secure video transport in triple-play networks. Unlike other architectures that treat all voice, video, and data services the same, a Cisco IP NGN separates Internet data and video traffic to allow for more efficient, cost-effective service delivery. High-speed Internet traffic passes through a broadband remote access server while video traffic bypasses the server and instead runs natively over IP. With this architecture, service providers can use per-subscriber QoS and security features for Internet services and retain maximum flexibility in service-level agreements for Internet access. At the same time they can apply QoS to IPTV services on a more efficient, per-service basis. The Cisco IP NGN Carrier Ethernet design also optimizes IPTV delivery by utilizing the IP multicast and resiliency capabilities possible at Layer 3.
Managed and Hosted Business Security Services
Cisco Secure Broadband solutions - made possible by the Cisco IP NGN Carrier Ethernet design, the Cisco Service Exchange Framework, and third-party VAS servers - help make converged infrastructures secure and protect all members of the broadband community. While the broadband market is dominated by residential subscribers, a market sector that is now outpacing the business market, business users also require stringent security and are willing to pay a premium to manage the protection of their assets. Using the same Secure Broadband infrastructure that protects the service provider and residential subscribers, the service provider can offer baseline managed and hosted business security services or extend the security and capability to offer an array of additional managed services by placing Cisco CPE at the managed site. These services may include both managed and self-service solutions.
For businesses, managed security services can range from services as basic as providing a firewall solution for a small company to comprehensive security lifecycle management for global enterprises. Solutions with multiple security capabilities can be tailored to meet the needs of businesses, drawing from a menu of security features, including:
• Endpoint protection and 24-hour network monitoring
• Virus and worm scanning and intrusion detection
• Firewall management and managed VPN
• URL blocking and Web site security assessments
Two different approaches for providing managed and hosted business security services include:
CPE-based security services: CPE security solutions from Cisco provide security devices, or appliances, that are placed at the customer premises. These solutions support organizations that want appliance-based managed security solutions and include:
• Managed firewall: Cisco PIX® 500 Series Security Appliances, integrated service routers, Cisco ASA 5500 Series Adaptive Security Appliances
• Managed intrusion detection: Cisco IPS 4200 Series Sensors, integrated service routers, Cisco ASA 5500 Series Adaptive Security Appliances
Network-based security services: Cisco delivers cost-effective, scalable, integrated security services for enterprise customers. A centrally managed solution allows providers to expand their service portfolio with secure on- and off-net remote access, remote site-to-site services, and firewall capabilities.
Network-based managed security services are based on the following infrastructure products:
Service providers have no option but to protect both residential and business users from the evolving security threats to converged broadband networks. With shared multimedia applications and peer-to-peer connections, broadband networks cannot be secured with desktop software alone. Call centers cannot possibly respond to the bulk of growing security incidents and the costs would be prohibitive even if providers attempted to use resources in this way.
Products and technologies in the Cisco Secure Broadband Solution allow service providers to add effective network-based protections that will satisfy customers while also allowing service providers to generate new revenue from the US$5 billion and growing network security market, a market traditionally dominated by PC software and server-based solutions. Deploying security in the network layers protects VoIP traffic, video streams coming in through set-top boxes, and other triple-play and mobility services reaching other devices. Cisco Secure Broadband can be used to proactively alert users of attacks and guide them through self-service choices, thereby empowering the users and lowering operational costs by reducing the volume of help desk cases and bandwidth consumption. Safeguarding the reliable delivery of services 24 hours a day helps ensure that revenues are not lost to penalties due to network downtime.
Residential subscribers, enterprise companies, and small and medium-sized businesses are willing to pay a premium for network security. Cisco has the solutions and flexible options that service providers need to offer comprehensive protections tailored to meet individual customer needs. A secure network experience gives subscribers a greater sense of control and confidence that leads to a better, longer-lasting relationship with their providers.