Securing IP networks from within
Network-level security threats are escalating
One of the lasting legacies of COVID-19 is that it has changed the way we look at IP networks. With many of our daily activities – from work to shopping to entertainment – moving online during the pandemic, tolerance for low or variable network performance has all but disappeared.
As IP networks became more important, so did the desire to disrupt their operation for economic or political gain. DDoS traffic has grown 40% since COVID-19 and peak rates have surged beyond the terabit mark. Billions of IoT devices and high-bandwidth servers were hijacked and used in conjunction with amplification techniques to launch increasingly devastating attacks.
The growing threat to IP networks doesn’t stop there. CSPs are using public networks to extend or complement their private networks, exposing IP traffic to theft and manipulation. Network functions are being split up and distributed across the network, opening many new attack surfaces.
This expanded threat landscape is making it harder for CSPs to engineer the predictably high network performance and integrity expected from mission-critical networks.
Traditional IP network security solutions are not keeping up
Most IP network security models that attempt to solve these problems are based on appliances and servers that lack cost-effective scale for broad deployment, leaving CSP networks and virtually all CSP customers exposed. Vulnerabilities buried deep in router operating systems and silicon are largely unaddressed and continue to pose a significant threat.
IP network security from within
The answer lies within IP network infrastructure itself. At-scale protection of IP networks is only possible if network-level security considerations and capabilities are designed and built into every layer of high-scale, high-performance IP networks:
- IP silicon must endure the heaviest DDoS attacks without impacting services. It must work with DDoS security intelligence and analytics to identify and stop attacks with great precision and scale, without slowing down
- The network operating system (netOS) must be impervious to attacks that violate its integrity, consume its resources or sabotage its ability to view or control the network
- Network-level security tools and gateways, like firewalls and IPsec gateways, must be embedded within networks to leverage the high performance, scale and reliability of network infrastructure
- Big-data security intelligence and analytics must be able to detect today’s sophisticated (D)DoS attacks and automate the networks’ response against them – quickly and with pinpoint accuracy
Nokia’s Secure IP Networks architecture
Nokia is first to deliver on this multilayer embedded approach to IP network security with its Secure IP Network architecture.
Network embedded security starts at the silicon layer with the FP4 chipset that is at the heart of our 7750 SR and 7950 XRS series of routers. FP4’s fully buffered architecture supports line-rate access to packet buffer memory so that 100% of chip capacity is always available. This ensures network performance and service quality remain high even during the most intense DDoS attacks. FP4 also provides the scale and performance headroom necessary to be a highly precise attack sensor and mitigation element (in conjunction with Deepfield Defender), without compromising other services running on the same chipset. The highly granular queueing in FP4 stops all DDoS attacks from overwhelming the control plane processor, without impacting legitimate control plane interactions, and even before the attack itself has been identified. The security capabilities of our FP4 silicon are unique in the industry.
At the network OS layer, our highly secure and hardened SR OS is designed and tested to block all attempts at manipulation and unauthorized access.
At the tools and applications layer, our integrated, high-performance IPsec gateway (Nokia Secure Gateway) encrypts traffic passing across third-party networks or leased lines. Nokia Secure Gateway inherits the scale, resiliency, and security of the carrier-grade 7750 SR infrastructure. A single router can support up to 32,000 3G or 4G base stations and up to 960GB/s of encrypted traffic.
Our Nokia SR OS Firewall protects the integrity of the control and management planes between trusted zones.
And finally, at the application layer, our Deepfield Defender provides multi-dimensional intelligence, analytics, and automation that use the network infrastructure to quickly identify and mitigate DDoS attacks.
Over the next few weeks, we will provide additional focus on this multilayer embedded approach to IP network security, and how Nokia helps fulfill this new imperative in the evolution of mission-critical networks.
Find out more
Learn more about Nokia’s unique approach to IP network security on the Nokia IP Network Security web page.