Building a self-defending IP network from within

More than ever before, people and organisations depend on network connectivity. While this trend has been ramping up across Asia-Pacific over the past decade, the COVID-19 pandemic pushed the envelope; enterprises, communities, and governments must now adapt to the new, digitalised normal or risk their long-term sustainability.

As the region continues to digitalise, there will be increasing demand for mission-critical IP networks by communications service providers (CSPs) to provide the connectivity needed to power myriad applications. However, increased connectivity is giving rise to cyberthreats. In the coming years, such threats are projected to increase drastically, especially in sub-regions like Southeast Asia where digital connectivity is rapidly growing. With these threats becoming a mainstay of the future economy, IP networks today must include protection at scale to provide high-performance security.

IP networks face new security threats

As organisations become more reliant on digital applications to keep their operations running without disruption, they require IP networks that can respond in real time and possess fully reliable and secure connectivity. Achieving this high performance is crucial, but such IP networks must also adapt to the increase in new-generation security threats, including network distributed denial-of-service (DDoS) attacks, which can paralyse important resources such as websites or applications, making them inoperable or inaccessible.

Asia-Pacific is already among the world’s most vulnerable regions for malicious network attacks. This susceptibility will be even more apparent when more organisations harness innovative technologies such as 5G and the Internet of Things, which depend on high-bandwidth servers that are exposed to hijacking and unforeseen threats. As these attacks become more sophisticated with evolving technology, engineering predictably high network performance will become more complex.

These threats are also emerging from the constant development of network architectures and delivery models. New attack surfaces are opening from network functions being split up and distributed across the network. Simultaneously – just as there are risks for individuals to download sensitive information over public Wi-Fi – CSPs are using public networks to extend or complement private networks, further exposing IP traffic to risks of theft and manipulation.

The challenge is that conventional IP network security models are unfit to address these threats; most of them are based on appliances and servers that do not scale cost-effectively for broad deployment. This leaves not only CSP networks but also customers exposed. This is largely due to vulnerabilities hidden deep within router operating systems and silicon that go unaddressed, thereby leading to threats such as DDoS attacks.

For example, if IP networks for enterprises are left unprotected, there is a great risk of fallout causing revenue losses and customer dissatisfaction. Meanwhile, governments may experience disruption of critical infrastructure or services. In either situation, there will be growing unease about the confidentiality and integrity of customer data flowing through these networks, affecting both their profitability and reputation.

To be self-defending, IP networks must be secured from within

IP networks must be provided with at-scale protection and be able to self-defend against potential cyberattacks. This can be achieved if IP network security acts like “packet forwarding”, which essentially means that the IP network itself is high-performance and highly scalable.

Firstly, the IP silicon (also known as the semiconductor IP; a reusable unit of logic, cell, or integrated circuit layout design belonging to a certain party as its intellectual property) must be designed to endure constant bit-rate attacks without service disruptions. The IP silicon must deliver the filtering speed, precision, and scale to be a highly precise DDoS attack sensor and mitigation device, while also providing built-in encryption to protect all data flowing through it at line rate. Crucially, this must all be done without impacting the performance of any service running on the same chipset.

Next, the network operating system (netOS) must be built to be secure and robust, and to operate in tandem with the IP silicon. This is to mitigate all attacks that try to consume resources, hijack processes, or sabotage the control plane. Together, the IP silicon and netOS provide not only a protective shield but also an ideal base on which to layer additional security tools, including DDoS defence, encryption, firewalls, and carrier-grade network address translation.

Lastly – and especially as business sectors make use of digital technologies and automation – a self-defending IP network must include a big data security analytics component. In particular, it must contain the broad situational intelligence and multi-dimensional analytics needed to detect modern and sophisticated DDoS attacks. It also needs to detect such attacks with minimal false positives and false negatives, in addition to automating the network’s response to minimise impacts on CSPs and their subscribers.

Effectively, a robust IP network infrastructure is one that embeds security into the DNA of every layer of the IP network infrastructure. This enables it to be a network that is fully featured, high-performance and – above all – protected.

CSPs must fundamentally shift how they protect IP networks

IP networks are playing an increasingly crucial role for societies and enterprises, so attacks against them will potentially increase. These threats will also grow in their frequency and sophistication – especially as they target both network performance and the confidentiality and integrity of data flowing through the networks. This places pressure on CSPs to proactively counter these attacks, or at least identify and eradicate them quickly.

That is why the successful creation of a self-defending IP network requires CSPs to move away from conventional overlay solutions. Instead, they must now look towards embedding security capabilities into the network infrastructure itself. Embedding this network-centric approach creates resolute IP networks that protect both CSPs and their customers at massive scales, without trading off network performance.