IP network security must stop being an afterthought

December 01, 2021 | Sponsored Q&A: Nokia

The volume of network attacks and security breaches continues to increase. This puts traditional bolt-on IP network security solutions to the test, with the potential to degrade quality of service and increase latency at a time when customers expect the highest reliability.

We sat down with Rudy Hoebeke, vice president of product management for Nokia’s IP routing and data center switching business, to discuss the ever-growing number of security concerns. In this interview, Hoebeke explains how Nokia implements security considerations in every layer of routing software and hardware, without affecting performance.

1. What is the current threat landscape like for Communication Service Provider (CSP) IP networks?

During the pandemic, we all became dependent – to one degree or another – on networks to keep us alive. As the importance of IP networks and the services they support increased, so did the motivation to attack and disrupt them for financial or political gain. Distributed Denial of Service (DDoS) traffic has more than doubled since the start of the global pandemic, with peak rates expected to drop from 3 Tb/s to 15 Tb/s over the coming years, according to our Nokia Deepfield business unit. DDoS ransomware is now impacting all major industries and continues to be a major concern.

Security breaches disrupting critical infrastructure are also at an all-time high. In the United States, everything from natural gas supply to beef supply has been affected in the first six months of 2021 alone. And while we’ve somehow managed to tackle the bandwidth challenges of the pandemic, the many high-profile outages and breaches we’ve experienced show that we still have work to do to deal effectively with the security issue.

2. What specific challenges does this landscape of growing threats create for CSPs, especially when looking to evolve their IP networks for 5G, IoT, smart cities and Industry 4.0?

What is common to all of these services, from the perspective of CSP customers, is the expectation of low latency, 100% reliability, and total security. The tolerance for low or variable quality of service has all but disappeared. CSPs are finding it increasingly difficult to meet these expectations as frequent attacks and breaches increasingly burden IP networks and the services that depend on them.

Much of the problem lies with today’s IP network security models, which are based on bolt-on security devices. These appliances add significant complexity and latency to IP networks. They also lack a cost-effective scale to provide universal protection to all clients and network elements.

Take volumetric DDoS for example. Terabytes of suspicious traffic are diverted from peering points to centralized appliances, where traffic is cleaned up and clean traffic is reinserted into the network. The solution is expensive, both in terms of backhaul and DDoS licensing costs. It is also operationally complex to configure and maintain, and introduces a significant amount of latency that interferes with the latency-sensitive networking that many of these new network services require. With so much impedance to manage, CSPs are forced to leave a large portion of their network and most of their customers exposed.
Encryption is another issue. To ensure the integrity and confidentiality of all data traffic, users, and control and management planes flowing over their networks, CSPs need a way to lock down their entire network infrastructure. None of the encryption options currently available can do this cost-effectively.

MACsec is silicon-based and therefore can provide the required low latency, but packets must be decrypted at every router hop in IP networks, which introduces significant operational complexity and risk.

IPsec is end-to-end, but it’s also bound to the processor, resulting in even higher operational and hardware costs, and comes with a high latency profile that makes it impractical for latency-sensitive services. Neither option supports native encryption for MPLS or segment routing flows/slices, the preferred method for engineering networks that are the basis for many of the new services you just mentioned.

3. If the bolt-on appliance security model does not hold up, how should CSPs go about mitigating the growing IP network security threat?

Simply put, IP network security must stop being an afterthought in IP networks – a bolt-on solution that is designed and deployed as an afterthought. IP network security must become an integrated line speed capability that is designed and delivered by the IP network itself, just as packet forwarding is today. It’s the only way to provide protection with the speed, functionality, and cost-effective scale required to solve the IP network security challenges facing CSPs.

4. But hasn’t Router Embedded Security already been tried? What makes Nokia different from others in the space?

We’re not talking about putting a security vendor’s line card in our chassis or adding security features that dramatically reduce performance when you turn them on. We have taken a much more holistic approach. We implement security considerations and capabilities into every layer of our routing software and hardware, and ensure that they can be used effectively at the scale required.

This gives CSPs the freedom to enable DDoS filtering anywhere there is a network footprint – without having to plan ahead or absorb additional capital expenditure and operational complexity. It allows them to encrypt individually designed streams or slices with the flick of a switch. And they can do it all at line speed, at massive speeds, with zero impact on performance, and without introducing latency that would disrupt the next generation of time-sensitive network services.
The purchase of Deepfield and its further development is a good example of our approach. We didn’t just acquire them for their DDoS analytics; we have used their knowledge to optimize the DDoS attack detection and mitigation capabilities in the network silicon at the heart of the Nokia 7750 Service Router (SR) product lines.

Nokia FP4 and FP5 silicon provide industry-leading access control list (ACL) scale. They also work with Nokia Service Router Operating System (SR OS) software to deploy in seconds for an almost instant response to attacks. They go beyond 5-tuple filtering to detect more complex attacks, and they can do all of this without impacting the performance of any other service running on the same chipset.

Anything less and the router ends up becoming an obstacle, completing the attack on behalf of the attacker. Once you’ve turned DDoS protection into a line-rate capability of the network itself, you can turn it on when and where it’s needed, and protect every data center, every network service, and every customer – for a fraction of the cost of appliance-based approaches.

FP5, our latest network silicon, goes one step further to address the issue of data flow integrity and confidentiality with ANYsec, our line rate universal network encryption designed specifically for CSPs.

5. How is ANYsec on the 7750 SR different from current network encryption options and the appliances that provide them?

ANYsec starts with the advantages of MACsec: low latency, simplicity and highly secure, standards-based encryption. But while MACsec only works with Ethernet and VLAN payloads and networks, ANYsec extends these attributes to IP, MPLS, and segment routing networks.

For example, CSPs can individually encrypt designed slices of the network, switch or route them natively over an IP, MPLS, or segment routing network, and decrypt them as they exit the network.

It really changes the dynamic of encryption for CSPs. Instead of treating encryption as an expensive, complex, and limited capability that requires significant advance planning, ANYsec allows CSPs to activate it when and where it’s needed, regardless of the underlying network service or network transport being used. And because it is provided by our FP5 network silicon, ANYsec can be used with our wire-speed DDoS protection capabilities on any port without impacting the performance of any other function running on the same chipset, regardless of the percentage of encrypted traffic.
