Subscribers expect operators to protect them from cyber risks, but how?
The mass market demand for network-based protection is no longer a question. Every time we have asked, the answer is unequivocal: Subscribers expect to be protected by their operator when they go online.
The logic is quite simple – these days, the Internet can be considered a utility and it should be as safe as one. When I get electricity, gas, and water delivered to my house, I expect to consume them safely without having to become an electricity, gas, or water engineer. I rely on my provider. The same concept applies to Internet access. Subscribers do not understand how to protect themselves when they go online, and they shouldn’t need to; online protection should be included as part of the package.
OK, that sounds good. But how can the operator do it successfully? The most effective way to cover the largest percentage of subscribers in the shortest time possible is with a zero-touch, network-based solution. And here we have two options:
DNS-based solutions:
This has always been the traditional approach to network filtering and has been adopted by some operators. A DNS-based solution examines DNS queries to make filtering decisions, which makes it very lightweight from a deployment perspective. Let’s say a subscriber has enabled the DNS threat protection service and their device attempts to access malware.com. When the solution sees this query, instead of answering with the IP address associated with malware.com, it replies with the IP address of a blocking page, so the browser is redirected and access to the malicious content is prevented.
Allot NetworkSecure:
Think of it like a firewall, but much more scalable and optimized for very low TCO. NetworkSecure also looks at web requests to make filtering decisions but has more advanced threat-detection and bypass prevention.
Let’s say the subscriber has enabled the threat protection service and their device attempts to go to malware.com. When the solution sees this, it also redirects to the IP address of a blocking page, preventing access to the malicious content. So, what’s the difference?
First, it prevents access to a lot more malicious content than a DNS-based solution can. For example, if the device did not use DNS at all and went straight to an IP address, a DNS system would not see this and could not block it. NetworkSecure can block it because it also knows about malicious IP addresses.
Second, malicious actors often compromise pages inside a legitimate HTTP website (e.g., good_site.com/malware). DNS solutions only work at the domain level and would not know that there are compromised internal pages. NetworkSecure blocks access to specific compromised pages, not just compromised sites.
A third example is when there is an attempt to download malware from a legitimate or new site that is not yet known to be malicious. You guessed it, NetworkSecure can detect and block that too. Last, but not least, what if DNS settings are changed? Believe it or not, some malware and, of course, even many kids do this to bypass content controls provided by traditional layers. NetworkSecure is not impacted by this as its core filtering service is not based on DNS queries.
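The coverage differences described above (direct-IP access, a compromised page inside a legitimate HTTP site, and changed DNS settings), as an added example that is not code from the original article or from Allot: a simplified Python model comparing what a DNS-only filter and a generic filter on the traffic path can each decide. The function names, blocklists and the 203.0.113.10 address are constructed assumptions; the domain and path are the article's own examples.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed blocklists: names come from the article, the IP is an RFC 5737 placeholder.
BAD_DOMAINS = {"malware.com"}
BAD_URLS = {"good_site.com/malware"}
BAD_IPS = {"203.0.113.10"}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_filter(url, resolver="operator"):
    """DNS-only filter: sees a hostname, and only if the query reaches the operator resolver."""
    host = urlsplit(url).hostname
    if _is_ip(host):
        return "allow (no DNS query made)"
    if resolver != "operator":
        return "allow (query went to another resolver)"
    return "block" if host in BAD_DOMAINS else "allow"

def inline_filter(url, resolver="operator"):
    """Filter on the traffic path: sees host, destination IP and plain-HTTP path; resolver is irrelevant."""
    parts = urlsplit(url)
    host = parts.hostname
    if host in BAD_DOMAINS or host in BAD_IPS:
        return "block"
    if parts.scheme == "http" and (host + parts.path).rstrip("/") in BAD_URLS:
        return "block"
    return "allow"

# Constructed sample requests: (url, resolver the device is configured with)
SAMPLES = [
    ("http://malware.com/", "operator"),
    ("http://203.0.113.10/payload", "operator"),
    ("http://good_site.com/malware", "operator"),
    ("http://malware.com/", "third-party"),
    ("http://good_site.com/index.html", "operator"),
]

def compare():
    return [(u, r, dns_filter(u, r), inline_filter(u, r)) for u, r in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print("%-34s %-12s dns=%-40s inline=%s" % row)
```

Only the first and last sample requests get the same verdict from both filters; the three in between are the gaps the article lists.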
You may be wondering why we are comparing a category of network-based solutions (DNS) with our own, specific network-based product. Good question. While there are multiple DNS solutions in the market (we at Allot also offer one called Allot DNS Secure), there are no other solutions like NetworkSecure. Firewalls would be the closest category, but they lack NetworkSecure’s multi-tenancy capabilities that can support millions of end-users, and they don’t match the low TCO of NetworkSecure, making them unviable for the mass market.
So, which one should operators choose? We have customers using both, although currently NetworkSecure has significantly higher adoption rates, due to the evolving threat landscape and concerns about DNS bypass. At the end of the day, it all depends on the need. If you want to go the traditional way, you can go for DNS Secure. However, if you want wider threat coverage, greater resistance to bypass, and differentiation from other local operators, NetworkSecure is your best choice.