Broad Threats Require Network-Based Security

Building on different tools including virtual functions, service providers are using the network itself as a security device.

December 22, 2015

8 Min Read
Broad Threats Require Network-Based Security

As last week's news clearly shows, there are constantly new threats to the telecom network and the technology on which it's built. The most serious of those seems to be the compromise of Juniper Networks' ScreenOS, but even as that was happening, there was also a massive cyberattack on a core part of the Internet infrastructure, its domain name servers (DNS).

In both cases, the vendor community reported the problem. Juniper Networks Inc. (NYSE: JNPR) alerted its customers and provided a patch, which it urgently requested its customers apply. Because ScreenOS is used to deliver secure VPNs, that particular hack is being investigated by multiple federal agencies and is suspected to be the work of a foreign government. (See FBI Investigating Juniper VPN Hack.)

The DNS attack's existence was made public by Nominum Inc. , which specializes in protection of Domain Name Servers. The vendor reported a 500% increase in the number of what are called random subdomain DNS attack queries, essentially designed to overwhelm critical servers by making them work harder, says Bruce VanNice, product manager. In making the attack public, the company also was able to highlight the fact that its ISP customers weren't being impacted because Nominum has automated the process of identifying the problem and shutting down the bad traffic without also blocking the legitimate traffic headed for the same servers.

The DNS attack could be the work of almost anyone and could be intended to disrupt Internet commerce at a peak moment, VanNice noted.

Network as protector
Both of these attacks only underscore what telecom service providers already know -- they are facing a growing and increasingly sophisticated set of threats from global players with varying motives that drive their remarkable innovation. That reality is driving an approach to security that is more comprehensive -- or as AT&T Inc. (NYSE: T)'s Chief Security Officer Ed Amoroso said last month, it's really all about architecture. (See Accedian Lands Global Deal at Telefónica .)

In his keynote at Light Reading's Carrier Network Security Strategies event, Amoroso said the fundamental architecture of network security has to change if network operators will be able to address the reality of today's threats. He also acknowledged the fact that "architecture" isn't sexy enough to attract venture capitalists and thus isn't on the road map of many security vendors. (See AT&T's Amoroso: Build Botnets of Security and AT&T's Amoroso: Taking Security to the Cloud.)

As Heavy Reading Chief Analyst Patrick Donegan notes, Amoroso's focus on architecture fits in nicely with his other emphasis on virtualization and distribution of the security features, so they are not all huddled behind a point-based solution or allegedly secured perimeter. Instead security is distributed along with content or other features that need to be secured. (See In Defense of the Security Team.)

What has emerged within telecom is a network-based approach that builds on analytics and other tools, including automation, as well as virtualization, to deliver the kind of security service enterprises are seeking, that is protection for threats before they hit the enterprise and the ability to anticipate problems, as well as react to them.

"We are seeing this pop up in some places, like Japan, where network operators are asking, 'How can I operate a safer network in general?'" says Sam Curry, chief technology and security officer of Arbor Networks "They are changing the notion of what telcos do for the wider community, in the sense of how to provide a safer network in general."

As a result, he says, network operators are looking for greater insight into their own network traffic, so they can become the primary point at which traffic is collected for examination and threat insights are detailed.

In some cases, they are using automated tools such as Nominum's, which responds to the DNS attacks by identifying the bad traffic and protecting the good traffic to mitigate the impact of the massive spikes, says VanNice.

But they are also going beyond individual tools. Verizon Communications Inc. (NYSE: VZ) has noted its growing customer expectations and one of its responses is to be more aggressive in going after the bad guys, says Dave Ostertag, chief investigations manager. "They are telling us very clearly that we expect you to do more outside our perimeter to protect us," he says. "We are having to invest heavily, we are having to expand those groups within Verizon that look to identify the criminal infrastructure, and we have people hunting for the bad guys -- working with federal law enforcement in a lot of different countries under the appropriate court orders to be able to go after that infrastructure and even be able to follow the net flow, the metadata on the net flow, to identify the different points."

Next page: Virtualization's Role

Enter virtualization
Virtualization offers an opportunity to distribute security to more places within the network, including at its edges, so that attacks can be detected more rapidly and in different ways from the traditional signature-based approaches. Virtual firewalls are one prime aspect of the virtual CPE trend that is one of the early uses cases for network functions virtualization.

At the same time, virtualization makes centralized approaches to things such as traffic scrubbing more difficult, notes Bipin Mistry, VP of product management for Corero Network Security Inc. , which provides a range of DDoS protection solutions. Because services are more localized, it becomes highly inefficient to pull traffic back to a central location and that is helping push forward the distributed architecture approach.

Once they move in that direction, he notes, network operators are also beginning to see things such as DDoS protections as a means of monetizing their services and in doing so, are actually providing a baseline level of protection for everyone, then selling premium protections on top of that.

What they are doing is different from traditional "clean pipe" services, Mistry says, in that it recognizes that providing DDoS protection means protecting everyone that is downstream from the attack, and not just companies paying for that protection.

"They flip the whole thing on its head and will offer a level of protection for everyone," Mistry says. There are then different business models for offering protection when a DDoS attack occurs, whether it's giving the affected customer the option to upgrade and pay more for a scrubbing service or delivering DDoS protection as a service, in essentially a cloud-based approach.

Carrier Activity
AT&T is using a network-based approach that builds on virtualization to deliver security that dovetails with enterprise demands for comprehensive security, notes Jason Porter, VP of Security Solutions for AT&T. (See AT&T Virtualizes Multi-Layer Security and listen to Cyber Security: What CEOs Need to Know Now.)

"That's where we started, with our customers expecting us, as their network provider, to be able to secure their mobility, their IoT, the distribution of data to the cloud and the apps they'd never had before," Porter says. "It is too hard to manage security in all these different locations unless I can leverage the network."

So analyzing the 100 petabytes of traffic that AT&T sees every day, to detect misbehavior and new trends, becomes a fundamental part of what the carrier provides -- and that's something many big network operators are doing.

Level 3 Communications Inc. (NYSE: LVLT) is leveraging network intelligence both to identify bad actors and to help enterprise customers audit their own networking to see, for instance, where their assets are being accessed improperly without their knowledge, says Chris Richter, senior vice president of Global Security Services. (See Level 3: Security Is Company-Specific.)

Leveraging its work in the cloud in developing its NetBond platform to automate connections to multiple cloud environments through applications programming interfaces, AT&T also can connect to multiple security environment, including its security vendors such as Fortinet Inc. and Palo Alto Networks Inc. , Porter says.

Amoroso actually compared the perfect security architecture to that of a botnet, in that it is distributed, diverse and resilient -- but he also foresees security being spun up as needed, when an application, workload or virtual function is created. That kind of specific flavor of distributed security matches resources to specific needs.

In general, those engaged in security operations are embracing virtualization's possibilities, notes analyst Donegan, but also recognizing that virtualization creates new vulnerabilities that must be addressed. His May 2015 research shows security experts are more aware of the security challenges of virtualization, but also more confident in their ability to use virtualized security functions to address those challenges.

"Security experts are much more bullish [on virtualization's possibilities] because they are much more on top of the issues, they are ahead of the game and they are much more confident in their ability to use virtual security functions than non-security experts" within the telecom operators, Donegan says.

In AT&T's case, the next phase is virtualizing its security to be context-aware, and transaction or application-based, says Jon Summers, senior VP-growth platforms, because what is appropriate security for one type of transaction may not fit another. "Security also needs to be like the cloud -- elastic, on-demand, usage-driven and context aware," he says. (See Advance Warning: Security Threats to Watch in 2016.)

One of the advantages to doing that, say Summers and Porter, is the ability to move much faster, once threats have been identified, to automatically distribute policy updates to enterprise customers.

— Carol Wilson, Editor-at-Large, Light Reading

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like