Introduction: The EANTC Perspective
Communications service providers and enterprises are increasingly conscious of network security issues for a number of reasons: Their complex network and IT infrastructures are becoming more sensitive to an increasing range of malicious threats; their business continuity depends more than ever on the ability of their networks to perform while under attack; and their networks are becoming increasingly distributed as cloud services play a greater role in day-to-day operations.
New threats are increasingly more sophisticated and are exploiting the growing attack options presented by new services, expanded network connections and device proliferation. To counter such threats, service providers need to quickly detect and mitigate threats as close to the source as possible across their networks.
This is one of the reasons why Light Reading commissioned EANTC to validate the functionality, performance and manageability of Cisco's virtualized security products line-up and ask the question: What is the state of the art in the functionality and performance of (telco) cloud-ready network security solutions?
Another key reason to undertake such an evaluation is the emergence of network functions virtualization (NFV), which opens up new opportunities for more fine-grained, precisely-placed, adaptable security functions. NFV permits the stitching together of network security components and enables the management of those components from a common platform based on SDN principles. In effect, network security could evolve from the traditional perimeter-style approach to a web of functions located close to assets exposed to potential threats, wherever needed across the cloud.
With this in mind, Light Reading asked EANTC to evaluate how prepared Cisco's virtualized security portfolio is for the new challenges (and opportunities).
But it's not all about virtualization: There is also the need to test the traditional network perimeter security functions that are still so important to enterprises and service providers alike. There is still the need for what insiders jokingly call a "BAF" (a big **** firewall). So does Cisco have a modern product to meet such needs, one that is ready to serve 100 Gbit/s and more?
Finally, complex IT solutions require superior orchestration, so that the operator understands what is going on at any time: Element management, network-wide management and fault and performance management aggregation must all work together with orchestration to provide a timely insight into any current threats and their mitigation options.
In summary, there are new risks as a result of more complex telco cloud technology and new types of threats -- and there are new security infrastructure opportunities surprisingly enabled by that same complex technology. This provided EANTC with a great opportunity to dive into practical, independent performance testing and functional evaluation of what Cisco has ready for current commercial production.
Service provider security is a multi-dimensional challenge. This test validates the function and performance of virtual security services, also known as VNFs (virtual network functions), which, in this case, deliver security services.
The security controls validated in this test protect the trust boundaries at critical points in the service provider network, data center and cloud. Security is an in-depth process requiring the mitigation of threats as close to the source as possible so as to minimize collateral damage. In the course of our evaluation we looked at threats in the context of:
- Before -- things that can be done before the attack happens
- During -- things that need to be done while the attack is happening, and
- After -- things that should take place post-attack, so the network operator is better prepared to deal with it the next time.
Cisco calls this the "threat-centric security model."
There is no single "box" that secures everything. As the diagram below shows, virtual network functions are delivered differently by Cisco in different form factors dependent on the use case. Each use case leverages the network to deliver augmented security capabilities. Just having a security function is not sufficient: It must be placed into the right network context at the right time and at the right place in the network to minimize a threat as close to the source as possible and so minimize collateral damage.
The tests run in this validation highlight use cases where the chain of security functions is purchased as a managed service focusing on service agility and use cases that apply the virtual security functions in a purpose-built appliance that delivers them with the performance and scale required to protect the service provider data center and cloud.
That appliance is the Cisco Firepower 9300. It takes the capabilities of a typical NFV system (orchestration, VM Lifecycle Management and other functions) and brings it all into an appliance showing the delivery of a catalog of security functions in a highly scalable, high-performance appliance.
Cisco NFV Security Solution Scope
In Cisco's view, there are five key areas that must be addressed for cloud security solutions, including:
1. Security Effectiveness. One can't stop invisible threats: Does the solution quickly and accurately detect a threat? Does the operator have the ability to quickly detect and mitigate against sophisticated attacks that are designed to evade traditional defenses?
2. Service Chaining and Stitching. Different security functions must be linked (chained) together in the proper order to provide proper protection, such as ASA Firewall/Next-Generation Firewall (NGFW), Distributed Denial of Service (DDoS), Next-Generation Intrusion Prevention (NGIPS), and Advanced Malware Protection (AMP). Ideally a solution is capable of supporting best-in-class virtual functions from third parties, since no single vendor has all of the technologies required for "defense-in-depth."
3. Orchestrating Security in SDN & NFV. The dynamic nature of cloud-delivered services means that security must "keep up" and be capable of being orchestrated and instantiated "on the fly." Manual processes must be minimized, if not eliminated.
4. Security as a Service in a Virtualized Multi-Tenant Environment. Security is a business enabler that can help carriers develop their cloud & NFV business transformation initiatives. They can extend security capabilities that they typically use to protect their own network infrastructure into revenue-generating offerings that also protect their customers from cyber attacks.
5. Carrier-class Performance, Scalability & Resilience. Any service provider solution must be "carrier-class" in terms of meeting the performance demands of such networks, including high throughput and line rate security processing, easy scaling as the network demands grow to address high bursts of network traffic and millions of subscribers and devices, while maintaining resiliency to minimize network or service disruptions.