If you scan the headlines in any given week, you’ll likely find articles about distributed denial-of-service (DDoS) attacks or security breaches that target the internet or the many cloud and enterprise services that depend on it.

As we shift more things online, it seems like these attacks are getting bigger, happening more often and having a greater impact. And while there is general understanding that this kind of criminal behavior is unavoidable as networks become more important, there is also growing concern that the attacks will continue to disrupt critical services and create economic mayhem on a national scale.

Communication service providers (CSPs) sit at the center of this interconnected world, which makes them natural targets for attacks and the negative public perceptions that follow them. This begs the question: Given the high stakes involved, are we, CSPs and network vendors, doing enough to deal with this problem?

Many security experts and vendors believe there is a growing gap between what CSPs must do and what they can do to stop DDoS and man-in-the-middle attacks. They say bridging the gap is simply a software issue. Just add some artificial intelligence, specialized algorithms and the latest appliance and we’re sure to stem the growing tide. While there is some validity to these arguments, the gap is primarily fueled by an economic imbalance. It costs far more for CSPs to defend themselves than it does for attackers to target them. Attack tools are commodities. Defense tools come at a premium.

Much of the imbalance comes from the industry’s reliance on specialized appliances to deliver DDoS defense, network encryption and other security capabilities. Because of hefty appliance licensing fees, CSPs limit their deployment to select sites within the network. Appliances must be connected to the network, which consumes ports and increases operational complexity. Traffic must be backhauled to the locations that contain these appliances, which increases the already-inflated operating costs. As long as IP network security is delivered this way, CSPs will find it financially prohibitive to protect more than a fraction of their assets, or a select few of their customers.

So how do we fix this?

The answer is by transforming IP network security from a premium capability added to IP networks to a universal capability that is inherently part of the network and grows with it. With this transformation, there is no need for CSPs to take on the cost and complexity of adding security to a network that already has it everywhere. There is no imbalance between network capacity and security capacity because when one grows, so does the other. CSPs can filter DDoS packets at every network boundary without having to purchase, deploy and operate legions of specialized appliances. They can encrypt and lock down every flow, tunnel and slice in their networks, transforming any IP service into a secure IP service at a flip of a switch.

To make IP network security a universal characteristic of the network, vendors must go beyond the simple act of adding security software or security blades to routers. Security considerations and capabilities must be built into IP network silicon, which in turn must be designed with massive scale and performance in mind. Anything less and the act of using a router for DDoS defense will slow performance to a crawl and do the attackers’ job for them.

Universal protection means no caveats or “gotchas.” Security teams should have the freedom to turn on any number of filters and encrypt any amount of traffic without fear of consequences. They should be able to lock down their entire network by encrypting all flows, tunnels and slices – whether they’re based on IP, MPLS or segment routing – with no impact to performance. This can only be accomplished by fusing silicon-based encryption with silicon-based forwarding at each and every network layer, something we’ve accomplished at Nokia with ANYsec encryption in our FP5 chipset.

There is one caveat here. While a modern edge router like the Nokia 7750 SR removes all the performance, scale and functionality challenges that used to be associated with routers in security roles, it still requires CSPs to lower the organizational barriers between their network and security groups. The rewards of doing so are substantial. Bell Labs studies indicate a 60–80 percent savings versus appliances just on DDoS defense alone. That is certainly something worth working towards.

You can find out more about the pros and cons of securing services in IP silicon in a new study authored by Patrick Donegan, Founder and Principal Analyst at Hardenstance. Patrick is also anchoring a Light Reading webinar on this topic on April 14.

Visit our IP Network Security page to learn more about the security capabilities of our FP4/FP5 silicon, 7750 SR series of routers and Deepfield Defender big data analytics, all of which are part of our DDoS defense solution.