IP network security must stop being an afterthought

December 01, 2021 | Sponsored Q&A: Nokia

The volume of network attacks and security breaches continues to rise. This puts a strain on traditional bolt-on IP network security solutions, with the potential to impact quality of service and increase latency at a time when customers expect the highest reliability.

We sat down with Rudy Hoebeke, vice president of product management for Nokia’s IP routing and data center switching businesses, to discuss the ever-increasing number of security issues. In this interview, Hoebeke discusses how Nokia implements security considerations into every layer of routing software and hardware, without affecting performance.

1. What does the threat landscape look like for Communication Service Provider (CSP) IP networks today?

During the pandemic, we have all become dependent – to one degree or another – on the networks to keep functioning. As the importance of IP networks and the services they support grew, so did the motivation to attack and disrupt them for financial or political gain. According to our business unit Nokia Deepfield, Distributed Denial of Service (DDoS) traffic has more than doubled since the start of the global pandemic, with peak rates expected to increase from 3 Tbps to 15 Tbps over the coming years. DDoS ransomware now impacts all major industries and continues to be a significant concern.

Security breaches disrupting critical infrastructure are also at an all-time high. In the United States, everything from natural gas supply to beef supply has been hit in the first six months of 2021 alone. And while we’ve been successful in dealing with pandemic-related bandwidth issues, the many high-profile outages and breaches we’ve experienced show that we still have work to do to effectively address the security issue.

2. What specific challenges does this growing threat landscape create for CSPs, particularly as they seek to evolve their IP networks for 5G, IoT, smart cities and Industry 4.0?

What is common to all of these services, from the perspective of CSP customers, is the expectation of low latency, 100% reliability, and 100% security. Tolerance for poor or variable quality of service has all but disappeared. CSPs are finding it increasingly difficult to meet these expectations as frequent attacks and breaches increasingly strain IP networks and the services that depend on them.

Much of the problem lies with current IP network security models, which rely on integrated security appliances. These appliances add significant complexity and latency to IP networks. They also lack the cost-effective scale to provide universal protection to all customers and network elements.

Take volumetric DDoS for example. Terabytes of suspicious traffic are diverted from peering points to centralized appliances, where traffic is scrubbed and clean traffic is reinserted into the network. The solution is expensive, both in terms of link costs and DDoS licensing. It is also operationally complex to configure and maintain, and introduces a significant amount of latency that interferes with the latency-sensitive networking that many of these new network services require. With so much impedance to manage, CSPs are forced to leave much of their network and most of their customers exposed.

Encryption is another issue. To ensure the integrity and privacy of all data, users, and control and management plane traffic flowing through their networks, CSPs need a way to lock down their entire network infrastructure. None of the encryption options currently available to them can do this cost-effectively.

MACsec is silicon-based and therefore can provide the low latency required, but packets must be decrypted at each router hop in IP networks, which introduces significant operational complexity and risk.

IPsec is end-to-end, but it’s also CPU-bound, resulting in even higher operational and hardware costs, and comes with a high latency profile that makes it impractical for latency-sensitive services. Neither option supports native encryption for MPLS or segment routing streams/slices, the preferred method for engineering networks that serve as the foundation for many of the new services you just mentioned.

3. If the bolt-on appliance security model doesn’t hold up, how should CSPs go about mitigating the growing IP network security threat?

Simply put, IP network security must stop being an afterthought in IP networks – an add-on solution designed and deployed after the fact. IP network security must become an integrated, line-rate capability designed into and delivered by the IP network itself, just as packet forwarding is today. It’s the only way to deliver protection with the speed, functionality, and cost-effective scale required to solve the IP network security challenges facing CSPs.

4. But hasn’t the security built into the router already been tested? What sets Nokia apart from others in the space?

We’re not talking about putting a security vendor’s line card in our chassis or adding security features that rob performance when you enable them. We have taken a much more comprehensive approach. We implement security considerations and capabilities into every layer of our routing software and hardware, and ensure that they can be used effectively at the scale required.

This gives CSPs the freedom to enable DDoS filtering wherever there is a network footprint – without having to plan ahead or absorb additional capital expenditure and operational complexity. It allows them to encrypt individually designed streams or slices in a jiffy. And they can do all of this at line rate, at massive speeds, without any performance impact and without introducing latency that would disrupt the next generation of time-sensitive network services.

Our Deepfield purchase and subsequent development is a good example of our approach. We didn’t just acquire them for their DDoS scans; we used their knowledge to optimize the DDoS attack detection and mitigation capabilities of the networking silicon at the heart of the Nokia 7750 Service Router (SR) product lines.

The Nokia FP4 and FP5 chips provide industry-leading access control list (ACL) scaling. They also work with Nokia Service Router Operating System (SR OS) software to deploy in seconds for near-instant attack response. They go beyond 5-tuple filtering to detect more complex attacks, and they can do it all without impacting the performance of any other service running on the same chipset.

Anything less and the router ends up becoming an obstacle, completing the attack on behalf of the attacker. Once you’ve turned DDoS protection into a line-rate capability of the network itself, you can enable it when and where needed, and protect every data center, every network service, and every customer – for a fraction of the cost of the appliance-based approaches.

FP5, our latest network silicon, takes the problem of data stream integrity and confidentiality a step further with ANYsec, our universal line-rate network encryption designed specifically for CSPs.
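As an added illustration of the "beyond 5-tuple filtering" point in the answer above (this is example code written for this page, not Nokia's code or SR OS configuration), the following Python compares a DDoS filter that can only match the classic 5-tuple with one that also uses the extra match components that BGP Flowspec (RFC 5575) defines, such as packet length and the fragment bit. The customer prefix, resolver addresses, packets and rules are constructed sample data; the attack scenario is a DNS amplification flood arriving as large and fragmented UDP replies from source port 53.

```python
"""Added example: 5-tuple ACL matching versus Flowspec-style extended matching.

Constructed sample data; not Nokia's implementation. The extra match fields
(packet length, TCP flags, fragment bit) are the Flowspec component types of
RFC 5575, which is why a router ACL that offers them can separate reflected
DNS floods from legitimate DNS replies that share the same 5-tuple.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    length: int = 64                    # total IP length in bytes
    tcp_flags: FrozenSet[str] = frozenset()
    fragment: bool = False              # non-initial fragment: no L4 header present


@dataclass(frozen=True)
class Rule:
    name: str
    action: str = "discard"             # "discard" or "accept"
    # classic 5-tuple components (all optional; None means "any")
    src: Optional[str] = None           # CIDR prefix
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    # Flowspec-style components beyond the 5-tuple
    min_length: Optional[int] = None
    tcp_flags: Optional[FrozenSet[str]] = None   # every listed flag must be set
    fragment: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        # A non-initial fragment carries no transport header, so a port
        # component can never match it (the same semantics as Flowspec).
        if self.sport is not None and (p.fragment or p.sport != self.sport):
            return False
        if self.dport is not None and (p.fragment or p.dport != self.dport):
            return False
        if self.min_length is not None and p.length < self.min_length:
            return False
        if self.tcp_flags is not None and not self.tcp_flags <= p.tcp_flags:
            return False
        if self.fragment is not None and p.fragment != self.fragment:
            return False
        return True


def classify(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str]]:
    """First matching rule wins; packets matching no rule are accepted."""
    verdicts = []
    for p in packets:
        for r in rules:
            if r.matches(p):
                verdicts.append((r.action, r.name))
                break
        else:
            verdicts.append(("accept", "default"))
    return verdicts


# Constructed traffic towards a hypothetical customer prefix 203.0.113.0/24.
CUSTOMER = "203.0.113.0/24"
PACKETS: List[Tuple[str, Packet]] = [
    ("legit-dns-reply",      Packet("198.51.100.53", "203.0.113.10", "udp", 53, 40123, length=120)),
    ("amplified-dns-reply",  Packet("192.0.2.7", "203.0.113.10", "udp", 53, 40123, length=1400)),
    ("amplified-fragment",   Packet("192.0.2.7", "203.0.113.10", "udp", length=1000, fragment=True)),
    ("legit-tls-syn",        Packet("198.51.100.9", "203.0.113.10", "tcp", 51000, 443,
                                    length=60, tcp_flags=frozenset({"SYN"}))),
]

# What a 5-tuple-only ACL can express: every UDP/53 reply into the prefix.
FIVE_TUPLE_RULES = [Rule("drop-udp-53-to-customer", dst=CUSTOMER, proto="udp", sport=53)]

# What an extended ACL can express: only oversized replies and UDP fragments.
EXTENDED_RULES = [
    Rule("drop-large-dns-replies", dst=CUSTOMER, proto="udp", sport=53, min_length=512),
    Rule("drop-udp-fragments", dst=CUSTOMER, proto="udp", fragment=True),
]


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Map each labelled sample packet to the action the rule set takes on it."""
    return {label: classify(rules, [p])[0][0] for label, p in PACKETS}


if __name__ == "__main__":
    for title, rules in (("5-tuple only", FIVE_TUPLE_RULES), ("extended", EXTENDED_RULES)):
        print(title, verdicts(rules))
```

Run stand-alone, the 5-tuple rule set discards the legitimate DNS reply as collateral damage and lets the fragmented amplification traffic through, because a port match cannot see a non-initial fragment; the extended rule set discards both attack packets and accepts both legitimate ones. Whether a given router can apply such extended matches at line rate, and how many of them it can hold, is the ACL scaling question the answer above is about.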

5. How is ANYsec on the 7750 SR different from current network encryption options and the appliances that provide them?

ANYsec starts with the advantages of MACsec: low latency, simplicity and highly secure standards-based encryption. But while MACsec only works with Ethernet and VLAN payloads and networks, ANYsec extends these attributes to IP, MPLS, and segment routing networks.

For example, CSPs can individually encrypt engineered network slices, switch or route them natively over an IP, MPLS, or segment routing network, and decrypt them when exiting the network.

This really changes the encryption dynamics for CSPs. Instead of treating encryption as an expensive, complex, and finite capability that requires significant advanced planning, ANYsec allows CSPs to enable it when and where needed, regardless of the underlying network service or network transport used. And because it’s provided by our FP5 networking silicon, ANYsec can be used in conjunction with our wire-speed DDoS protection capabilities on any port without impacting the performance of any other function running on the same chipset, regardless of the percentage of encrypted traffic.

Kevin M. Risinger