Securing our IP gateways
As I work from home this week and watch the pandemic unfold, I can’t help but be struck by the extent to which the world is relying on networks in order to operate. The reliance that society is placing on our networking infrastructure is both exciting to me as a network engineer and, at the same time, a growing concern, especially around security.
My concern arises from the fact that decisions around networking architectures and vendor decisions are often made without sufficient consideration given to security, despite the increased role networks play and the target they have become. Issues of cost, commoditization, and automation often eclipse security in many of today’s architecture and sourcing decisions. This goes for IP network decisions overall; in this post, however, I want to focus on the security of IP gateways.
I don’t need to spend a lot of time emphasizing the critical importance of security, but it is worth pointing out that we’ve already seen, with the Mirai botnet DDoS attacks and subsequent amplification attacks, just two of the many examples of what can be done by leveraging infrastructure as well as hundreds of thousands of poorly secured IoT devices. In the 5G and cloud era, we will potentially have billions of these kinds of devices and the attack surface will grow exponentially.
As becomes more evident every day, secure and reliable broadband access is business-critical for participating in the digital economy. Businesses, governments, health and safety professionals and consumers increasingly rely on the cloud to store and exchange personal and sensitive data. With trends like Industry 4.0, our most critical infrastructure is being digitally transformed, tied into cloud-based AI systems that collect data from enormous numbers of sensors and connected devices. Security breaches of many of these systems could literally be catastrophic.
The methods and numbers of attacks, as well as the levels of sophistication, are constantly growing. Because the rewards are getting higher by the day, criminal organizations are willing to dedicate more resources to finding vulnerabilities. In this escalating game, we need to prioritize our readiness for the inevitable growth of malware and associated attacks. This is especially true for the most critical network defense points, such as IP gateways.
Since IP gateways include functions such as subscriber session initiation (including authentication and authorization) and subscriber session management, as well as IP routing and services, attacks on gateways may target:
- The network itself
- The interfaces and functions involved in subscriber authentication
- The control plane used to control sessions and provide services
- The management plane involved in configuring and operating these critical services.
Thus, IP gateways play a key role in ensuring that subscriber and device access remains private, secure and reliable. They are the demarcation points that connect customer end devices to their enterprise, residential and mobile services. They control access, they enforce policies, and they protect valuable user and device data from abuse and theft. Much of that critical information is kept in the gateway and can potentially be compromised or hijacked for malicious purposes.
Integrity of the gateways requires integrity of router hardware, firmware and operating system (OS) software, and how they are designed to handle security threats and vulnerabilities. Security in a gateway is not something that can be bolted on as an afterthought. To be secure and reliable, gateways must be designed from the ground up. That includes not only hardware and software design but rigorous testing methodologies.
At Nokia, we use automated testing that submits every line of code to stress testing. We avoid custom forks in our development stream so that we can optimize our testing on a single software stream. We continuously regression test using tens of thousands of servers 24 x 7 x 365, with all the test cycles focused on the single software image. This is a significant reason for the code robustness and eliminates the occurrence of major bugs in the field.
The Nokia SR OS is further hardened by a dedicated IP routing security test team that is independent from the software development and test teams. Security testing is conducted throughout the development of a new major release as well as for each minor release and includes:
- Testing for robustness and protection from DoS attacks
- Fuzzing tests for control and management protocols to protect against malformed packets
- Port scanning
- Vulnerability scanning.
The Nokia SR OS has a robust set of features to protect and secure the router from attacks. This set of features is far too long to cover in a blog post, but we have an application note you can download that is very thorough.
The shift from best-effort internet services to business- and mission-critical IP networks has the potential to catch some organizations off guard. Security practices that were sufficient even a few years ago, including the reliance on commodity routers, need to change. It is no longer sufficient to evaluate IP gateways solely on capacity, scale and performance per dollar spent. Given the role they play as guardians of the network, IP gateways also have to be evaluated on their security.
The IP gateway of choice must support a comprehensive and holistic approach to securing the router at the hardware and router OS software level with no loopholes or backdoors. Look for a “security by design” philosophy supported by rigorous testing to ensure that the gateway is fully secure from threats and attacks from bad actors and rogue operatives. Given the essential role networks are now playing delivering the most socially critical services, we can’t afford to do anything less.
For more information about Nokia IP gateways:
- Download the application note Secure the IP gateways in your 5G-era network
- Visit the Nokia 7750 Service Router and Nokia Virtualized Service Router web pages