A Security Guide for Next Generation Service Provider Network Architecture

A couple of weeks ago I presented at the United Kingdom Network Operators’ Forum 33, an open forum for operational, technical and engineering information exchange related to networking technologies and practices.

Theoretically, 5G will be available by the year 2020. 5G environments are still being architected in the standards bodies. That said, a number of Tier 1 carriers are already looking at initial testing. Inherently, 5G is a move away from centralized static environments to a more programmable, server-centric, virtualized and cloud-based architecture. The idea behind 5G is not just about increased radio capacity and performance, but enabling a multitude of different services to traverse the architecture, irrespective of their capacity and performance needs. In essence, 5G will enable millions of devices to be attached with millions of interconnection points. Where everything is inter-connected, this opens the door to a broad range of network and service level attack vectors.

In the typical service provider network today, security is often an afterthought; after building the network, engineers typically add encryption and firewalls, neither of which is sufficient to protect against the increasing malware and DDoS attacks that plague networks and service functions. With the dramatic increase in DDoS attacks, providers are looking at including inline DDoS mitigation solution on the SGI-LAN interface. This will not only protect downstream backhaul and RAN elements, but also the Service complex itself.

The question is; what will security architecture look like and what will the mix be between virtualized and appliance based solutions? What will ensure the correct performance, capacity and security characteristics?

My talk focused on 5G environments; however, the same requirements also applies to other use case scenarios, including wireline/cable environments.

When you start putting enterprises on the edge of the network, one problem is that even small DDoS attacks do have a large impact; although small attacks look like only noise on the network, they can propagate through the network and take down any subscribers. At Corero we regularly see not only large volumetric DDoS attacks that capture attention, but also low level attacks of 2 or 3gbps that last about 5 minutes; if not mitigated, these small attacks would impact every application or server down that side of the network line.

When you start building the next generation architecture you can’t afford to think about security as an afterthought, you have to think of it from day 1. Service provider and carrier architectures are evolving; this drives the need for a more holistic security posture.

If you’d like to watch my full 17-minute conference presentation, see the YouTube below: