Key security tenets for 2021
Over the past few years, as the architecture of ISP networks has evolved, there has been more investment in content and services infrastructure, and distributed peering, across the customer edge. In the last year, this seems to have taken on a new aspect, with ‘edge’ data-centres being planned and deployed by many wireline network operators. We’ve all heard about MEC (Multi-Access Edge Cloud) enabling new services in 5G mobile, with low-latency access to applications and services for 5G users, but wireline ISPs - in some cases - are already there. The shape of traffic in ISP networks is changing (again), and what’s apparent is that in 2021, with more critical infrastructure distributed across the network edge, rather than in central data-centres, we will need to take more care of threats targeting this expanding threat surface.
New opportunities at the edge
A decade ago, ISP networks were hierarchical, with Peering, Core and Provider Edge routers providing layers of connectivity and a clear north-south prevailing traffic flow, as eyeballs and enterprises consumed content sucked in through centralised peering and transit connections. This has changed, with networks becoming much more meshed, routers becoming multi-purpose and traffic flowing every which way as content caches and peering have become more distributed. This has been driven by the growth in the volume of OTT service traffic, especially video, making it necessary for ISPs to acquire or cache content as near to its consumers as possible, to keep costs down and service quality up. This isn’t news, but it has changed the way that network investments are being made – with much more focus ‘at the edge’.
What is news is that the distributed cache infrastructure mentioned above is now being joined by other value-added service infrastructure, e.g. cloud gaming infrastructure such as Microsoft’s xCloud and Google Stadia, service enablers such as DNS and AAA, and 5G packet-core. This new infrastructure is being deployed within new Software-Defined-Data-Centres or extensions of public cloud infrastructure, deployed near to the customer edge in ISP networks. These new environments are racks of generic compute connected to an SDN environment, where all of the services and applications are virtualised or containerised, and fully orchestrated. These new environments enable new services and greater efficiencies, enabling ISPs to open up new opportunities for revenue growth, and operational and infrastructure cost savings.
The risk of the edge and a new approach to securing networks
However, as with every new opportunity there is risk. ISPs have been used to defending the availability of their networks, services and customers from DDoS attacks using semi-centralised mitigation capabilities, usually deployed at major peering locations. Given that investment in capacity and service infrastructure is now at the edge, backhauling potential attack traffic across the network is no longer desirable or practical. This is driving a need to mitigate threats in a more distributed way ‘at the edge’, blocking attack traffic at its entry point – regardless of whether it is coming from a peer, customer or public-cloud connection – all of which are common attack sources.
This is a big change, and to make matters worse, the DDoS threat landscape has also shifted; attacks have become more frequent - up 15 per cent in 2020 - more short-lived and more complex – with attacks comprising 15 or more attack vectors up 2851 per cent since 2017. And, of course, there’s the continuing risk from IoT devices of all shapes and sizes being subsumed into botnets and used to launch DDoS attacks.
The three key network security tenets of 2021
All of this is driving a new set of requirements from ISPs for their DDoS defences, with automation, orchestration and integration as core capabilities, if ISPs are to balance the risks with the rewards:
• Automation: to manage the mitigation of more sophisticated attacks without increasing operational overhead; to speed up response, as the Internet is now seen as a ‘utility’ by many; and to enable new types of value-added DDoS protection services at greater scale, driving much-needed revenue.
• Orchestration: to pull together and manage distributed mitigation capabilities across the edge of the network, and beyond, protecting more fragile virtualised and containerised environments from any attack, effectively and efficiently.
• Integration: to combine both the intelligent and infrastructure mitigation capabilities across the network edge to best effect, in complex multi-vendor environments.
Existing solutions must evolve to meet these new requirements, and we have to remember that there are few fixed points here, with new technologies, changing working practices and major shifts in traffic now the norm. Taking care near the edge of the ISP network, managing threats such as DDoS quickly and cost-effectively, will be an essential component for an ISP’s success in delivering next-generation services in 2021.
Darren Anstee is CTO for Security at NETSCOUT