Skip to main content
Jun 06, 2022
6 min

4 Ways To Protect Your Broadband Access Network From Cyberattacks

Cybercrime is a major challenge facing all industries. SonicWall, an internet security company, recently reported a 105 percent surge in ransomware attacks in 2021. No industry was immune: cyber criminals targeted governments, the banking sector, the energy sector—even hospitals. The critical infrastructure we all rely on, including broadband networks, is at risk too. Lawmakers around the world are investing trillions of dollars in national cybersecurity regimes. Some are imposing new regulations on broadband service providers (BSP) to defend their networks from attack.   

It’s not only governments that worry about network security—your subscribers do too. As a BSP, they trust you to protect their data and keep them safe. A security breach has serious consequences for your business and will result in operational challenges and financial losses, but the negative impact on your brand could be far more damaging. Reassure your subscribers that your networks are secure and give them tools to keep their home and families safe, and you’ll drive subscriber loyalty, reduce churn, and increase revenue.  

There are four easy steps you can take today to protectsecure your network and your subscribers: 

  1. 20,000 reasons to keep your software updated. The number of new common vulnerabilities and exposures (CVEs) surpassed 20,000 for the first time last year. New malware, viruses, and other threats are being deployed faster than ever. Cybercriminals often target aged systems that are vulnerable to new modes of attack. It is crucial to keep software updated, make sure you have a plan to update your systems to the latest release, and automate the update process as far as possible. These updates will protect you against new threats. Calix issues quarterly cadence releases for the Network Innovation Platform (AXOS) which in addition to the latest innovations includes patches to security holes to keep hackers out. With the AXOS Always On upgrade capability subscribers are assured their connection to the network remains uninterrupted.  
  2. Boost your defenses by activating your security toolbox. The fiber technologies that Calix deploys for its customers are highly secure. For BSPs looking to turn up 10G speeds for their subscribers, XGS-PON offers mechanisms to protect traffic between the optical line terminal (OLT) and the optical network terminal (ONT). These include dual-key encryption using the Advanced Encryption Standard (AES), ONT device identification, and messaging integrity checking. These protect against a range of threats, notably preventing malicious users from accessing other ONTs connected to the same OLT. Make sure you activate these capabilities and use all other network security features available to you.  
  3. Protect both ends of the network by securing your perimeters. You need to build security perimeters where your network interacts with the wider world. These key points include the peering gateway to the internet and the residential gateway into the home. Secure the peering gateway with a firewall and use subscriber management and routing tools—such as an Access Control List (ACL)—to deal with inbound traffic. Deploy policy-based access controls at the residential gateway to ensure that only authorized identities and devices can access specific areas of the network. 
    It is essential to protect the control plane to prevent potentially thousands of subscribers being affected if a system fails—or falls victim to a cyberattack.  It’s imperative that access to the systems control plane be restricted. Tools to protect the control plane include the use of an ACL to filter traffic through the network interfaces; a Class-of-Service (CoS) profile to prioritize and rate-limit traffic to protect against flooding; and enable protocol authentication to assure that routing messages are only accepted from known entities.  
  4. Limit the blast zone with intelligent segmentation. No matter how strong your perimeter defenses, you’re never completely immune from a cyberattack. If your network becomes compromised, the priority is to limit the potential “blast radius” of an attack by segmenting the network at its logical layers. For example, you can use virtual networks and other mechanisms that limit network access, such as DHCP Snoop/Proxy and MAC Forced Forwarding (MACFF), at Layer 2. You can protect the control plane at Layer 3 with logical separation and authentication.

How End-to-End Network Security Keeps You One Step Ahead 

Security features must be implemented end-to-end, from the peering gateway to the access edge and right into the subscriber premises. A simplified network architecture, that consolidates and moves service enabling network functions closer to the subscriber, is key to building your network defenses. This helps reduce the number of systems you need to manage and secure, which reduces operational complexity and eliminates vulnerabilities. 

Security is an essential element of the end to end network strategy solution, allowing Calix to deliver the industry’s first, fully secure, broadband services delivery solution.  

The Calix Intelligence Access EDGE solution ensures a secure network that protects your business and is an essential foundation for delivering value added services to subscribers. It includes advanced tools and the implementation of best practices to protect your broadband network infrastructure. For example, the new advanced routing module (ARm) enhancement guards against unauthorized network traffic flowing between interfaces in the subscriber-facing network. This prevents bad actors from introducing traffic that could overwhelm the network, ensuring more bandwidth for subscribers, and eliminating service downtime.

In conjunction with managed home network security services available through the Revenue EDGE, such as ProtectIQ®, BSPs keep your subscribers secure, increase the stickiness of high-speed internet service, and grow customer satisfaction and revenue.  

Learn more about how you can deploy broadband network security best practices by watching the webinar “Have You Done All It Takes to Secure Your Network?” 

Director, Access Network Product Marketing, Calix

Andre Viera is the director of access network product marketing at Calix. Andre spearheads the creation of marketing initiatives that help service providers overcome obstacles and achieve growth. Before Calix, Andre worked at Fujitsu Network Communications, Oclaro, EMC, Alcatel-Lucent, and AT&T Network Systems. Andre has an MBA from and holds MSME and BSME degrees from the Rensselaer Polytechnic Institute.

Related Articles


Apr 12, 2024 | 3 min
Woman working with abstract charts and graphs
Mar 07, 2024 | 4 min
Jan 31, 2024 | 3 min