China's Golden Shield

• Download PDF

One approach to the problem China’s security apparatus faces with the decline in effectiveness of the "Great Firewall" is to shift the focus of content-filtration firewalls from the national level to individual homes and offices – in effect, redistributing the "Great Firewall" from five international gateways to millions of household PCs and cellular phones.

This strategy has profound implications in terms of user privacy – since it makes government surveillance of an individual’s traffic a reality, and incorporates technologies that impact heavily on Chinese Internet users right to free expression, making it much more difficult for human rights and democracy activists to communicate with "illegal" information sources, and remain undetected by their government.

This trend, a shift from generalized content control at the gateway level to individual surveillance of users at the edge of the network, is underlined by the advent of new technologies for managing broadband content delivery.

At the Security China 2000 conference Nortel Networks was promoting the JungleMUX digital surveillance network and its OPTera Metro portfolio to the MPS. JungleMUX is a state-of-the-art system for transporting surveillance video from a network of remote cameras back to a control centre. The OPTera Metro portfolio is the mainstay of Nortel’s "Personal Internet" initiative, which is designed to enable Internet service providers to better track individual Internet users and their online activities, and thus heavily criticized recently by privacy advocates in the US. (52)

Nortel’s presentation at Security China 2000 must have impressed someone. Shanghai Telecom (ST) recently announced that it had selected Nortel’s OPTera product portfolio as a next-generation citywide fibre-optic broadband network. The contract estimated to be worth more than US$10 million means that Nortel will build China’s first optical city network including a broadband access system and an ADSL solution for high-speed digital service to approximately 200,000 subscribers. The project is due to be completed in time to support Internet and video conferencing services for international media reporting the APEC Leaders’ Meeting to be held in Shanghai in October 2001. Shanghai, powerhouse of the new Chinese economy, will be able to boast one of the most advanced citywide networks in the world.

The OPTera package is at the heart of Nortel’s Personal Internet strategy and has allowed Shanghai Telecom to build an advanced parallel optical network supporting streaming media and other time critical transactions. Media streaming is very difficult to achieve over conventional Internet circuits. While Nortel’s state-of-the-art fibre-optic links will dramatically increase the bandwidth available to the city, that is not the feature that stands out for anyone looking to increase security in the face of new, increasingly sophisticated threats to China’s network security. Important components of the OPTera portfolio and key to the Personal Internet strategy are Nortel’s Shasta and Alteon products (53), which will enable Shanghai Telecom to offer customized Web services to businesses and consumers. Nortel’s "Personal Internet" strategy is all about personalizing content delivery services with a user-aware, content-aware network. This means that the network is designed to "think," that is to identify individual subscribers when they log on, matching names to IP addresses, and learning over time what content interests the subscriber.

The Shasta 5000 BSN is designed to power the subscriber edge of the network, where "last mile" technologies like high-quality DSL meet the Internet backbone, and where broadband subscribers meet broadband services and content. Shasta is a universal aggregation point where conventional dial-up, DSL, fixed and mobile wireless, ATM/frame relay, and leased line connections all join the Internet. Shasta appeals to ST as a means to increase competitive advantage by becoming a value-added broadband services network. It appeals to Shanghai’s Public Security Bureau (PSB), the most advanced of China’s online police, because of a number of unique security properties it incorporates.

The Personal Internet strategy is presented to ST, as it is in the West, as a means to derive increased profits from its networks by, for example, offering security services or reselling data to other companies. This practice of reselling personal data, criticized by many privacy advocates, is explicitly ruled out in Nortel Networks own Privacy Statement. Nevertheless, the Personal Internet strategy depends on the network’s ability to match IP addresses to users’ demographic profiles.

Nortel believes that its Personal Internet strategy is the key to the future of the Internet, and has put the Personal Internet at the center of its latest publicity drive. It is remarkable that Nortel can enthusiastically promote business practices to other corporations that it claims to avoid in its own operations.

Nortel’s Personal Internet strategy enables Shanghai’s PSB to move beyond simply tracking Web hits to targeting specific audiences, and creating demographic profiles in real time. Such intelligent network distribution and delivery has a profound impact on user privacy. "Personal Internet" is a network that always "knows who you are."

Internet users coming onto the network via a range of broadband access technologies such as DSL, wireless and cable have security settings applied to them on a per subscriber basis. With an extraordinary level of packet processing, Shasta is one of the most powerful carrier-class platforms for managing network security. Mass market broadband introduces new security concerns with "always on" Internet connectivity. The Shasta 5000 BSN provides extensive firewall capabilities that are simple to provision, and enable constant monitoring of every individual’s traffic flow.

Broadband access contrasts with traditional dial-up access, where subscribers dial in through their Internet service provider (ISP), conduct their business, and then log off. The transitory nature of dial-up access provides a limited window of opportunity to exploit any security holes. Therefore, security incidents with dial-up access are limited and have not been widely reported.

On the other hand, businesses with dedicated access connections (T-1, frame relay) are protected, but the high cost of these dedicated connections has made them less viable for the small and medium business markets and particularly for individuals, community groups and non-governmental organizations. Broadband connections are always on and permanently connected to the Internet. Yet today, most DSL and cable subscribers are connected to the Internet without firewalls and are therefore highly vulnerable. This issue poses a real threat to network security.