@fibresystemsmag | www.fibre-systems.com
FEATURE NETWORK SECURITY
the complexity and cost consequences of this trend, and the need both to provide faster updates and for new products to reach the market more quickly. So, they asked the European Telecommunications Standards Institute (ETSI) to define the network function virtualisation (NFV) standard to address this issue. NFV uses commercial computer platforms to
implement network services using software, where previously these would have relied on dedicated hardware. This approach has numerous advantages as multiple services can be configured on the same platform, saving money, and it is straightforward to perform software updates for the latest releases or bug fixes. In this environment, individual cyber security
services are configured as virtual network functions (VNFs). The NFV platform can then apply ‘service chaining’, linking a series of appropriate security applications that steer the traffic to the pertinent cyber security VNFs. For example, an email service chain might include virus, spam and phishing protection. Since all of the functions are hosted in the same appliance, this makes the process a lot shorter and simpler, saving considerably on network and application resources.

Figure 3: A holistic view of network cyber security. The figure shows traffic crossing from the public domain into a classified network through numbered elements 1–8 (1 L1 – L3 encryption, 2 DDOS protection, 3 secure site gateway (UTM), 4 strong authentication, 5 unidirectional secure gateway, 6 network anomaly detection, 7 big data analytics, 8 real-time dashboard), with traffic and log information feeding a real-time unified dashboard, such as ECI Telecom’s LightSec-V real-time viewer.
Physically the NFV platforms can be deployed at various choke points in the network where traffic crosses from public to private domains, as illustrated in Figure 3. The platforms themselves can be stand-alone modules or blades integrated into the packet transport systems. The NFV-based security services can be delivered by multiple types of service provider or vendor, including by communications service providers as a value-added offering to their business customers, or by data centre operators or cloud content providers as a cloud-based service.

Table 1: The cyber security suite of applications

L1 – L3 Encryption
Encryption is a special subset of the cyber security suite. Layer 1 optical encryption makes optical fibres impregnable to tapping, protecting all payload and higher level addressing information. Layer 2 and Layer 3 encryption protects Ethernet and IP layers. Multilayer protocol protection provides similar benefits to multilayer physical protection.

Secure Site Gateway
You can never predict the launch of a denial of service (DOS) attack, whether from malicious intent or as a prank, but it will stop legitimate users and customers from accessing your network. DDOS protection keeps traffic flowing using leading edge filtering and upstream mitigation techniques.
The bad guys will throw an arsenal of attacks in attempts to infiltrate and disrupt your network. Unified threat management (UTM) at the site gateway defends against these with an array of security engines, including firewall, intrusion prevention system, deep packet inspection, anti-bot, and anti-malware.
You want to make absolutely sure that only authorised users access the network, servers, and applications to which they are entitled. Strong authentication guarantees user identities by using privileged account password management and policy enforcement. In the event that you need to analyse access attempts, it is supported with session monitoring and recording capabilities.

Perimeter (Unidirectional) Gateway
Many enterprises have specially classified sub-networks – such as for surveillance or for signalling and control within mission-critical operations – that need to share information with less secure networks. As the name implies, a unidirectional gateway ensures that the information can only flow one way, and the gateway cannot be used to access the more secure network.

Network & Endpoint Anomaly Detection
Major attacks on networks are generally mounted over a sustained period of time, with the attackers chipping away at defences here and there until they suddenly launch a major assault. Network and endpoint anomaly detection flags possible early breaches and exercises counter measures to prevent major attacks in their earliest stages. It employs state-of-the-art techniques to analyse traffic over time.

Big Data Cyber Analytics
In the way that network anomaly detection analyses traffic over time, big data cyber analytics is its corollary for analysing user behaviour. It employs sophisticated machine learning of user behaviour, without pre-defined rules, signatures, or heuristics. It detects patterns that may indicate malicious users and trends, so that actions can be initiated before a problem occurs.

Real Time Viewer
Managing and dealing with the information from increasingly complex security applications can be overwhelming. A consolidated real time viewer simplifies the task. A smart web-based threat management system allows the user to manage and visualise cyber security applications. This provides a centralised, aggregated view of threats from multiple security engines, including from third parties, and facilitates configuration of the protection suite to match the user’s specific needs.
Freedom with peace of mind

Just as society sees a continuous push-pull between maintaining personal freedom and placing restrictions on our freedom to protect ourselves, so it is in the internet cloud. The freedom to innovate also facilitates hackers who would do us harm. Thankfully technology also provides mechanisms to protect ourselves in the form of multilayer encryption and cyber security suites. Indeed, these capabilities are now being integrated into the telecommunications fabrics connecting business customers to the cloud. Packet-optical transport equipment directly supports features such as Layer 1 optical encryption, and rich cyber security suites can be delivered as virtualised network functions. Optical systems vendors are doing their bit in building peace of mind to support the move to the cloud.
Jonathan Homa is director, portfolio marketing, at ECI Telecom, www.ecitele.com
This article is based on a presentation delivered at Next Generation Optical Networks nextgenerationoptical.com
Issue 11 • Spring 2016 FIBRE SYSTEMS 29