IP network security needs to stop being an afterthought
Industry Insight

IP network security needs to stop being an afterthought

Rudy Hoebeke.png

The volume of network attacks and security breaches continues to rise. This puts traditional bolt-on IP network security solutions under strain, with the potential to impact service quality and increase latency in a time when customers are expecting the highest reliability.

We met with Rudy Hoebeke, vice president of product management for Nokia’s IP routing and data centre switching business, to discuss the ever-rising number of security challenges. In this interview, Hoebeke explains how Nokia implements security considerations into every layer of the routing software and hardware, without impacting performance.

1. What does the threat landscape for communications service provider (CSP) IP networks look like at the moment?

During the pandemic, we all became dependent – to some degree or another – on networks to keep us going. As the importance of IP networks and the services they support grew, so did the motivation to attack and disrupt them for financial or political gain. According to our Nokia Deepfield business unit, distributed denial of service (DDoS) traffic has more than doubled since the global pandemic began, with peak rates expected to grow from 3 Tb/s to the 15 Tb/s range over the next few years. DDoS ransomware now impacts every major industry and continues to be a significant concern.

Security breaches that disrupt critical infrastructure are also at an all-time high. In the US, everything from the natural gas supply to the beef supply was impacted in the first six months of 2021 alone. And while we somehow managed to deal with the bandwidth challenges that came with the pandemic, the many highly publicised outages and breaches we experienced show that we still have work to do to deal effectively with the issue of security.

2. What specific challenges does this growing threat landscape create for CSPs, especially as they look to evolve their IP networks for 5G, IoT, Smart Cities and Industry 4.0?

What’s common about all these services, from the perspective of the CSP’s customers, is the expectation for low latency, 100 percent reliability and total security. The tolerance for low or variable service quality has all but disappeared. CSPs are having an increasingly difficult time meeting these expectations, as frequent attacks and breaches take a growing toll on IP networks and the services that depend on them.

Much of the problem lies in today’s IP network security models, which are based on bolt-on security appliances. These appliances add significant complexity and latency to IP networks. They also lack cost-effective scale to provide universal protection for all customers and network elements.

Take volumetric DDoS for example. Terabytes of suspect traffic are diverted from peering points to centralised appliances, where traffic is scrubbed and clean traffic is re-inserted into the network. The solution is expensive, both in terms of backhaul and DDoS license costs. It is also operationally complex to configure and maintain, and introduces a significant amount of latency that interferes with the latency-sensitive networking many of these new network services require. With so much impedance to deal with, CSPs are forced to leave much of their network and most of their customers exposed.

Encryption is another problem. To ensure the integrity and confidentiality of all data, user, and control and management plane traffic flowing through their networks, CSPs need a way to lock down their entire network infrastructure. None of the encryption options currently available to them can do this cost-effectively.

MACsec is silicon based and as a result can provide the low latency required, but packets must be un-encrypted at every router hop in IP networks, which introduces significant operational complexity and risk.

IPsec is end-to-end, but it’s also CPU-bound, which results in even higher operational and hardware costs, and comes with a high latency profile that makes it impractical for latency-sensitive services. Neither option supports native encryption for MPLS or segment routing flows/slices, the preferred method for engineering networks that serve as the basis for many of the new services you just mentioned.

3. If the bolt-on appliance security model is not keeping up, how should CSPs go about mitigating the growing IP network security threat?

Simply put, IP network security needs to stop being an afterthought in IP networks – a bolt-on solution that is designed and deployed after the fact. IP network security needs to become an integrated, line-rate capability that is designed into, and delivered by, the IP network itself – just like packet forwarding is today. It’s the only way to provide protection with the speed, functionality and the cost-effective scale required to resolve IP network security challenges faced by CSPs.

4. But hasn’t router-integrated security been tried before? What differentiates Nokia from others in the space?

We’re not talking about placing a security vendor’s line card in our chassis or adding security features that reduce performance to a crawl when you turn them on. We’ve taken a far more comprehensive approach. We implement security considerations and capabilities into every layer of our routing software and hardware, and we make sure it can be used effectively at the required scale.

This gives CSPs the freedom to turn on DDoS filtering wherever there is a network footprint – without having to plan ahead or absorb additional capital expenses and operational complexity. It allows them to encrypt individually engineered flows or slices at the flip of a switch. And they can do all of this at line rate, at massive speeds, with zero impact on performance, and without introducing latency that would disrupt the new generation of time-sensitive network services.

Our Deepfield purchase and subsequent development is a good example of our approach. We not only acquired them for their DDoS analytics; we used their knowledge to optimise the DDoS detection and mitigation capabilities of the network silicon at the heart of Nokia 7750 Service Router (SR) product lines.

Nokia FP4 and FP5 silicon provide industry leading access-control lists (ACL) scale. They also work with Nokia Service Router Operating System (SR OS) software to deploy in seconds for a near instant response to attacks. They go deeper than 5-tuple filtering to sniff out more complex attacks, and they can do this all with zero impact on the performance of any other service running on the same chipset.

Anything less and the router ends up becoming an impediment, completing the attack on behalf of the attacker. Once you turn DDoS protection into a line-rate capability of the network itself, you can turn it on whenever and wherever it is required, and protect every data centre, every network service and every customer – for a fraction of the cost of appliance-based approaches.

FP5, our latest network silicon, goes one step further to tackle the problem of data-flow integrity and confidentiality with ANYsec, our universal, line-rate network encryption designed specifically for CSPs.

5. How is ANYsec on the 7750 SR different from current network encryption options and the appliances that deliver them?

ANYsec starts with the benefits of MACsec — low latency, simplicity, and highly-secure, standards-based encryption. But whereas MACsec only works with ethernet and VLAN payloads and networks, ANYsec extends these attributes to IP, MPLS and segment routing networks.

For instance, CSPs can individually encrypt engineered network slices, switch or route them natively across an IP, MPLS or segment routing network, and de-encrypt them on network egress.

It really changes encryption dynamics for CSPs. Instead of treating encryption as an expensive, complex and limited capability that requires significant advanced planning, ANYsec allows CSPs to turn it on whenever and wherever it is required – no matter the network service or underlying network transport being used. And because it’s delivered by our FP5 network silicon, ANYsec can be used in conjunction with our DDoS protection capabilities at wirespeed on any port with no performance impact on any other function running on the same chipset, no matter what percentage of traffic is encrypted.

Gift this article