info@qualityplusconsulting.com | +1 262-553-6510

Technical Problems with UVerse

What is UVerse?

UVerse is ATT’s current flagship product for internet, phone service, and TV service combined. ATT has been rolling out a fiber optic-based infrastructure. As a result, they have been sending letters to DSL customers to try to convince them to switch to UVerse.

Purpose of this document

The purpose of this document is to inform the public about the undisclosed technical ramifications of subscribing to UVerse. The product is not for everyone. Use of UVerse precludes many valid and necessary network connectivity, configuration, and security functions. The public should be aware of these factors so that they can determine whether or not UVerse is the right fit for them.

Physical cabling considerations

If you are considering switching your home television service from a cable TV provider to ATT’s UVerse product, you should be aware of the physical cabling implications of this decision. Currently, the TV signal comes over cable TV cabling distributed throughout the house. Typically this is RG6 cabling.

UVerse does not send TV signal over the same RG6 cabling. Therefore, additional cabling is required. UVerse sends signal throughout the house using Ethernet network cabling. It is possible for the homeowner to have Ethernet network cabling installed by a qualified contractor. That is always the best option. However, cabling installation is rather expensive. ATT will not cover the cost of this installation.

ATT cannot send their technicians to wire your house with network cabling for free. You would also be much happier with the results of working with your own contractor who fulfills your objectives rather than the objective of simply trying to get the job done as quickly as possible. Speedy installation does not facilitate quality.

As a shortcut, ATT technicians often use a technology called Ethernet over powerline. Netgear is one company that makes such technology.
http://www.netgear.com/home/products/networking/powerline/

Ethernet over powerline injects a network signal over the high voltage electrical wiring in the house. This is effectively signal noise. This technology is not only problematic, but has significant limitations.

In a proper network installation, all computer equipment, including network equipment, would be separated from high voltage spikes by UPS (uninterruptible power supply) equipment that actually conditions the power supplied to the equipment. UPS equipment is much more sophisticated than mere surge suppressors. Most surge suppressors are not sensitive enough to actually protect computer equipment. They might be fine for your refrigerator or microwave, but are generally ineffective at protecting computer equipment.

Now that you know what optimal configuration is, does it make sense to connect your network cabling, and by extension the motherboards of your computers, to unprotected high voltage electrical wiring? No, obviously it doesn’t make sense.

In all cases, the best outcome regardless of internet service provider will come from hiring a qualified cabling contractor to properly install a centralized patch panel and network distribution system for your home.

Other physical installation factors

There are other factors to consider regarding the use of Ethernet over powerline.

  • Do you want more devices consuming electricity in your home?
  • Do you know how many additional devices you will need to supply power to in order to simply make use of UVerse?
    Typically each TV will have a receiver/DVR unit.
    Each TV location will require a powerline adapter.
    Each place you want to have a physical network cable connection will require a powerline adapter.
    Then there are at least two ATT devices that will be installed in your basement.
  • Do you want the look of that cabling as opposed to the RG6 cabling that is already hidden in your walls?
  • Can your locations accommodate a powerline adapter?
    There may or may not be the physical clearance for the unit.

Technical considerations

ATT requires the use of their router

ATT’s UVerse router must be used if you subscribe to their service.

Proper perimeter security can only be achieved by the use of a true extensible threat management security appliance that is also a firewall. The UVerse router does not meet these criteria.

ATT router is not a security appliance or real firewall

UVerse router has NO capabilities for:

  • PAT (port address translation)
  • DDoS (distributed denial of service) detection and protection
  • IPS (intrusion prevention)
  • IDS (intrusion detection)
  • web content filtering
  • application control
  • remote access two-factor authentication
  • integrated authentication methods
  • DLP (data loss protection)
  • automatic attack blocking
  • incoming IPSec VPN
  • BOVPN (branch office VPN, site-to-site)
  • RADIUS or certificate-integrated wireless

Without these capabilities and XTM (extensible threat management) as well as detailed logging, you cannot really call the device a firewall. And you certainly cannot call it a security appliance.

Double-NAT is NOT an answer

This blog post explains why double-NAT is just plain stupid and will break all kinds of networking.

http://graemenoble.id.au/post/48695277030/double-nat-explained-and-possible-solutions

Your firewall will never get a WAN IP

ATT’s UVerse router is also a modem. It is the device that talks to their network and translates phone line signal to network signal. Modems are like interface translators.

With a cable internet provider, you use a cable modem and this translates the cable data signal to Ethernet. Your edge firewall is connected to that and you have full control over the network connection.

But with ATT UVerse, the UVerse router cannot even be configured in bridged mode. Without bridged mode, your firewall will never get a WAN IP address. Without this WAN IP address, you will never be able to use DynDNS dynamic update, port-forwarding rules, branch office VPN, or a whole host of necessary technologies.

UVerse used to be exclusively a residential product, but ATT is now claiming that UVerse is a business class product. I believe strongly that it can never be a business class product due to the requirement of the use of their router that cannot be configured in bridged mode.

ATT arrogantly claims that the entire 10.x.x.x address space is theirs

Per long-established internationally-agreed upon standards, the 10.x.x.x address space is reserved for private use. Private use means YOUR LAN.

https://en.wikipedia.org/wiki/Private_network

I had several clients that were using 10.x.x.x address spaces for their LAN. They had an entire LAN infrastructure set up based upon using a particular address space that they were legally able to use according to international standards. One day they received an email from ATT informing them that they could no longer use this address space. Instead, they had to use the inferior and limiting address space of 192.168.x.x. Obviously, this was another cause for billable charges to the client that did not need to occur. Had the client used another internet service, this would not have occurred.
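
The check below is an added example, not part of the original article or any ATT tooling. It classifies the address handed to a firewall's WAN port to detect the double-NAT situation described under "Your firewall will never get a WAN IP", and flags a LAN that overlaps a range the upstream provider reserves, as in the 10.x.x.x case above. The function names, the upstream_reserved parameter, and the sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared range used for carrier-grade NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip):
    """Classify the address the firewall's WAN port was given."""
    addr = ipaddress.ip_address(wan_ip)
    if any(addr in net for net in RFC1918):
        return "private"
    if addr in CGNAT:
        return "cgnat"
    # Anything else is treated as publicly routable for this check.
    return "public"


def audit_edge(wan_ip, lan_cidr, upstream_reserved=()):
    """Return (code, detail) findings for a firewall behind an ISP gateway.

    upstream_reserved is a hypothetical parameter: ranges the provider
    says customers may not use on their own LAN.
    """
    findings = []
    kind = classify_wan(wan_ip)
    if kind != "public":
        # Inbound services terminate on the upstream device, not on this firewall.
        findings.append(("double-nat", f"WAN address {wan_ip} is {kind}"))
    lan = ipaddress.ip_network(lan_cidr)
    if ipaddress.ip_address(wan_ip) in lan:
        findings.append(("wan-inside-lan", f"{wan_ip} falls inside LAN {lan}"))
    for reserved in map(ipaddress.ip_network, upstream_reserved):
        if lan.overlaps(reserved):
            findings.append(("lan-conflict", f"LAN {lan} overlaps {reserved}"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    for code, detail in audit_edge("192.168.1.64", "10.20.0.0/16", ["10.0.0.0/8"]):
        print(code, detail)
    # Address capacity of the two private ranges the article compares.
    for cidr in ("10.0.0.0/8", "192.168.0.0/16"):
        print(cidr, ipaddress.ip_network(cidr).num_addresses)
```

A "double-nat" finding means DynDNS updates, port-forwarding rules and branch office VPN configured on the firewall will not see the real WAN address.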

ATT controls and changes the configuration of the UVerse router at their pleasure

You have no final control over the UVerse router. If you set up a configuration in the router, ATT has been widely known to overwrite that configuration if they want to. I have been called for many service calls because suddenly things are broken and not working. Ultimately, I have found that the source of the problem is that the custom configuration in the UVerse router has been blown away. That custom configuration could be policies, LAN design, wireless settings, and more.

Changing the admin password on the UVerse device is irrelevant because they have a backdoor into the unit.

Time Warner Cable will never change your router settings, because they offer you an internet connection and what you do with it after that is up to you. They won’t change your router or edge firewall settings because it is your device and only you have the password to it.

You cannot be HIPAA or PCI compliant with UVerse router

In order to be HIPAA or PCI compliant, a true security appliance and real firewall must be used. As previously discussed, the use of UVerse requires the use of their router. And the UVerse router cannot be configured in bridged mode. Therefore, your firewall or security appliance will never get a WAN IP address.

HIPAA and PCI environments require LAN segmentation and sophisticated non-broadcast certificate-based wireless security. The UVerse router cannot do this.

In many HIPAA or PCI scenarios, you have to have a static IP address, and that IP address must be hard-coded to the WAN interface of your firewall. It may be tempting to simply use the UVerse router as the edge security device, but due to the massive set of features that they do not have, they cannot be considered security appliances. Finally, you cannot have security compliance when a third party has a backdoor into your edge device and can change the configuration at will.

1/9/2014

 
