The Akamai Blog

Discover, Register and Pair: Securing and Managing Fixed and Mobile Users

Service providers looking to enhance and secure the online experience for their residential and business subscribers often struggle to find solutions that are easy for their customers to configure and use - particularly when it comes to setting policies that carry across fixed, mobile and converged networks. This type of simple, seamless management is a key distinguishing feature of the solutions from Nominum, now part of Akamai. And not just from a "here's what our products can do" perspective, but from a "here's how easily your customers can do this" perspective.

Secure Consumer and Secure Business from Nominum, now part of Akamai, both protect connected devices from ransomware, phishing and other malware, and offer content filtering and internet access management for parents and IT administrators alike. They work seamlessly across multiple types of provider networks, extending security and protection to users in the home or office, on their mobile devices and when connected to public Wi-Fi networks.

Parents often have limited technical knowledge, as do small business IT administrators, and "setting policies" to control who can access various types of websites, or to limit online access to specific times of day, can seem daunting and complex. As shown in the image below, our solutions simplify this process through a management portal where users can easily configure device discovery, registration, and pairing, and also assign devices to the right device profile ("Customers," "Employees," etc.) for managing content filtering and screen time settings.


Secure Business management portal enables SMB administrators to easily assign new users to specific groups.

Per-Device Access and Content Filtering Policies Fill User Management Gap
With device discovery, users log in to the subscriber portal and are able to see all the devices connected to their network, along with each device manufacturer name. Device registration allows users to go to a webpage, authenticate their device and add an easy-to-remember name for that device so it automatically authenticates and connects each time. Device pairing brings up a webpage where users see a unique device code - this code also appears in the management portal so each device can be identified without looking at hard-to-understand technical details.

Parents or small business administrators can use the device information from one of the above approaches to easily assign each person and device to an appropriate group where different policies apply.

Subscriber-awareness behind Carrier Grade Network Address Translation (CGNAT)
Another unique feature of Nominum solutions is "subscriber-awareness behind Carrier Grade Network Address Translation (CGNAT)." This feature allows fixed, mobile and converged operators to deploy Nominum applications with per-subscriber visibility and policies, even when subscribers are behind a device performing Network Address Translation (NAT). With this enhancement, CacheServe (our DNS resolution software) can associate each DNS query to its source (subscriber) on mobile and converged networks using CGNAT - which allows CSPs to apply policies configured at the per-subscriber level.

Here's how it works at a very high level: the IP Tracker Relay component of the platform analyzes the "private network" address assigned to a subscriber. It uses the Deterministic Port Block Allocation mechanism (RFC 7422) to determine the corresponding "public network" address that will be seen by Nominum CacheServe, and then provisions the correct public address to CacheServe.
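An added illustration (not Nominum or Akamai code) of how a deterministic port-block mapping lets a resolver-side component tie the public address and source port of a DNS query back to one subscriber. The prefixes, sharing ratio, port range, sample queries and the simple sequential allocation scheme are all assumptions made for this example.

```python
import ipaddress

# All values below are constructed for illustration.
INSIDE = ipaddress.ip_network("100.64.0.0/24")     # subscriber (private) side
OUTSIDE = ipaddress.ip_network("198.51.100.0/30")  # shared public pool
RATIO = 64                                         # subscribers per public address
PORT_MIN, PORT_MAX = 1024, 65535                   # ports available for translation
BLOCK = (PORT_MAX - PORT_MIN + 1) // RATIO         # ports in each subscriber's block

def forward(private_ip):
    """Private address -> (public address, first port, last port)."""
    addr = ipaddress.ip_address(private_ip)
    if addr not in INSIDE:
        raise ValueError(f"{addr} is not in {INSIDE}")
    index = int(addr) - int(INSIDE.network_address)
    pub_index, slot = divmod(index, RATIO)
    if pub_index >= OUTSIDE.num_addresses:
        raise ValueError("public pool too small for this sharing ratio")
    first = PORT_MIN + slot * BLOCK
    return str(OUTSIDE[pub_index]), first, first + BLOCK - 1

def reverse(public_ip, src_port):
    """(public address, source port) -> private address, or None if unmapped."""
    addr = ipaddress.ip_address(public_ip)
    if addr not in OUTSIDE or not PORT_MIN <= src_port <= PORT_MAX:
        return None
    slot = (src_port - PORT_MIN) // BLOCK
    if slot >= RATIO:
        return None  # leftover ports when the range does not divide evenly
    index = (int(addr) - int(OUTSIDE.network_address)) * RATIO + slot
    return str(INSIDE[index]) if index < INSIDE.num_addresses else None

# Constructed resolver-side observations: (source address, source port, query name)
QUERIES = [
    ("198.51.100.1", 2500, "example.com"),
    ("198.51.100.3", 65000, "example.org"),
    ("198.51.100.2", 53, "example.net"),  # port outside every block: no subscriber
]

def attribute(queries):
    """Label each observed query with the subscriber's private address."""
    return [(reverse(ip, port), name) for ip, port, name in queries]

if __name__ == "__main__":
    for subscriber, name in attribute(QUERIES):
        print(f"{name}: {subscriber or 'unattributed'}")
```

Because the mapping is computed rather than logged, a query arriving from a port outside every allocated block is left unattributed instead of being guessed at, which is the case a per-subscriber policy engine has to treat explicitly.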

We also offer support for multiple subscriber identifiers - such as account number, phone number(s), cable modem MAC addresses and others - to simplify the process of classifying subscribers for mobile, converged and fixed networks. With this feature, service providers may associate multiple subscriber identifiers with one subscriber ID. For instance, converged operators can easily track a subscriber based on both their MSISDN (mobile) and RADIUS ID (fixed) and apply the same policies to the subscriber whether they are accessing the internet using the cellular or fixed network.

Finally, our support for LDAP authentication gives service providers centralized control over enterprise application access, primarily for their business subscribers. LDAP is one of the most popular protocols used to achieve this, and it also supports the ability to confirm user credentials and pass additional assigned attributes. The Nominum Applications Portal supports LDAP authentication for access control, as well as existing Applications Portal role assignment based on LDAP attributes, to greatly simplify the management of subscriber accounts.

Many of our customers offer internet access over fixed, mobile and converged networks - and seamless, automatic management of their subscribers and their devices that carries over from one access network to another is typically not easily achieved.