Securing rising east-west network traffic could send profits north

Now is the time for telcos to grab the $9.5 billion automated security market – integrated encryption a la Nokia FP5 is a good start.

Appledore Research’s recent report, Automating security, makes a fitting late addition to what has been another rollercoaster year, neatly bringing together two of the most pressing issues for telcos of all kinds – revenue and cybersecurity.

Service providers the world over can be justly proud of their responses to the pandemic, yet telcos entered this year with their shares at a low ebb indeed, despite the fact their core product – connectivity – has never been in such high demand.

Investors, it seems, are put off by their high capital expenditure, almost flat returns, operators’ staggering debts and repeated failure over a decade or more to find substantial new revenue streams. Never mind that investment funds are queuing up to get their hands on communications infrastructure.

Attacking gas, finance and water

Another item to add to their list of woes is that the pandemic has also seen a huge surge in all kinds of cyberattacks: indeed research carried out by Nokia found Distributed Denial of Service (DDoS) is the fastest growing type of traffic on networks.

In the first half of 2021 in the US alone, security breaches led to an interruption in gas supply, a financial firm being locked out of its own network for two weeks and pollution of drinking water.

Why is automation so important? Human error is by a mile the top cause of cloud misconfigurations and other vulnerabilities that lead to breaches in security. So how can telcos grab this lucrative opportunity?

Appledore states that encrypting transmission paths within enterprise customers’ virtual private or wide area networks would be a great start and cites Nokia’s FP5 chip for its Series 7 routers, launched in September, as a good example of this approach.

Motivations

Tony Kourlas, Director of Product Marketing at Nokia, explained in an interview with Mobile Europe, “We were motivated by DDoSs, which are a growing concern, and the integrity and confidentiality of data in flight…These are the two hottest topics because they cause the most damage”.

He added, “Networks are becoming increasingly porous, by which I mean service providers are increasingly leveraging third-party transport networks that are public and open to breaches by individuals or corporations” or states, of course. As such, he said, “The networks span international boundaries and are beyond [service providers’] jurisdictions, where data can be manipulated.

“At the same time, there’s a lot of disaggregation – network elements are essentially being blown up into multiple pieces and placed throughout the network and creating a lot more east-west traffic now that is subject to attack.

“Also, there’s a lot of distribution, especially in the context of information; data moving closer to subscribers and a lot more of this east-west traffic…moves to this new edge cloud…so again a lot more opportunity to interfere with data as it flows and manipulate it.”

Developing analytics

Not long before the launch of FP4 (in 2017), Nokia acquired an analytics company called Deepfield which specialised in tech to protect against DDoS. Nokia has since developed that tech further, integrating ANYsec – flow-based encryption – into the chipset.
 
ANYsec provides security at layers 2 and 3, which was lacking in FP4, and it’s standards based because it combines the best aspects of MACsec and IPsec, the two primary options for encrypting network traffic.
 
MACsec is silicon-based and so low latency and relatively cheap, but its hop-to-hop architecture introduces risk where one hop ends and the next begins in services like MPLS and segment routing.
IPsec avoids this by taking ‘a single bound’, but it costs more and is slower.

ANYsec deploys several encryption standards from MACsec to support encryption natively over MPLS and segment routing, but without damaging performance or increasing power consumption, according to Nokia, and without the hop to hop approach.

Nokia claims it also supports high-density 800GE (Gigabit Ethernet) router ports – ahead of the optics to support 800GE that are expected to hit the market mid-2022. Nokia claims it can handle throughput of 1.6Tbps, although the standards stop at 800GE.

Further, the Finnish vendor claims the FP5 uses 75% less power than its predecessor (0.1 Watts per gigabit of traffic versus 0.4 Watts on the FP4) due to its 7 nanometer design, down from 16. This has been achieved by consolidating chips for the FP5 thereby reducing the number of connections between them.

Now…and soon

Kourlas said, “Right now communications service providers are only protecting less than 5% of customers and they screen a lot and the rest are unprotected because it’s too complicated, too difficult, too expensive.

“They’re not rolling out encryption other capabilities throughout their whole network so it’s really a pain basically the way it is right now”. He also pointed to the growing need for lower latency services with 5G and IoT.

He continued, “We said to ourselves, ‘We need to get the network to defend itself more and more’. It can’t do everything, but protecting data in play, protecting against DDoS, then the network connection can do that for itself far more economically and efficiently than trying to string a whole bunch of appliances around it.

“If you integrate certain security measures from the network, the lower cost is already there, it’s simpler to set up – you just turn it on. Anywhere you have a network footprint, it’s available and far more scalable.”

As the FP5 was only launched in September it’s too soon to tell if its potential has been recognised and adopted by telcos, although there’s certainly been a flurry of promotional activity in recent weeks. We’ll get the first inkling from the reported results for Q4 sometime in the New Year.

That could make interesting reading.