DDoS attacks are growing faster than any other type of internet traffic, says the director of product marketing at Nokia
A week or so after announcing its fifth generation of routing silicon, dubbed FP5, Nokia spoke with RCR Wireless News in more detail about the security features FP5 will provide. Tony Kourla,s who works within Nokia’s IP-Optical Networks group as the director of product marketing for the NSM and carrier SDN product portfolios, first characterized the changing landscape of network security.
He explained that distributed denial-of-service (DDoS) attacks, which disrupt the normal traffic of a targeted server or network by overwhelming the surrounding infrastructure with a flood of traffic, are growing faster than any other form of internet traffic.
“It’s gone from about 750 megabytes about a year ago to 1.5 terabytes. That’s a 100% increase,” he said. “That’s more growth than video streaming or gaming.”
The rise of DDoS attacks, as well as other types of cybersecurity threats, is primarily the result of our networks becoming more important to every part of our society. The more critical they become to users, businesses and governments, the more they are targeted for political and financial gain.
“These attacks are also more widespread,” Kourlas added. “It used to be that the ‘same old, same old’ got targeted. Now, more than half of attacks happen to new victims, all sorts of industries and customers.”
And this, he articulated, is having a big impact on the brand and reputation of communications service providers (CSPs).
To help CSPs address this growing problem, Nokia is enabling networks to play a larger role in defending themselves against such attacks by building network security right into its latest generation of silicon.
Today, CSPs deal with DDoS attack prevention by purchasing an add-on appliance that is bolted onto the existing network. But, Kourlas argued, this method has several flaws.
“First, it’s expensive,” he said. “And they’re complicated to set up. Each [appliance] ha[s] to be connected to [a] router, and a CSP either has to add one at every router location or has to pick and choose locations, leaving some users open to attack.”
Further, today’s encryption options — IPsec and MACsec— also have their drawbacks. While IPsec takes just a single network hop, it is slower and expensive. MACsec, on the other hand, despite its low latency and cost-effective characteristics due to being silicon-based, has a hop-by-hop architecture that introduces risk and latency when applied to IP services like MPLS and segment routing.
As Kourlas pointed out, any added latency from encryption is particularly undesirable in a 5G era where most of the new use cases and applications will require very low latency.
As a result of this present-day approach to network security, Kourlas suggested that CSPs tend to treat security as a secondary priority, choosing only to protect the parts or customers deemed particularly critical.
“But,” Kourlas continued, “we have to start locking down the entire network.”
And because Nokia’s solution is simpler and more affordable as it’s already built into the network, it can go a long way in helping CSPs do such that. More so, because it’s silicon based and in the routers themselves, it offers the lowest latency possible, making it ideal for securing low latency services for 5G.
To make this all possible, Nokia developed ANYsec beginning with the encryption and authentication of MACsec, but then applying that technology beyond Ethernet, but also to EMPLS, segment routing, VLAN and IP.
“Through silicon […] we can encrypt traffic at the edge no matter what our transport method is at an extremely high speed,” said Kourlas. “If [a CSP] needs security somewhere on the network, [they] just turn it on because it’s already there. We’ve given providers a tool that will allow them to turn any service into a secure service whenever they feel like it without impacting performance. It’s an integrated part of the network.”
Additional features of FP5 include 75% reduction in power consumption per bit and support for 800GE routing interfaces. The FP5 is also backwards compatible with the previous-generation FP4 and fully integrated with the latest versions of Nokia’s Service Router operating system.