IP Network Security
Protect your customers against network-level threats with a self-defending IP network infrastructure
Emerging cloud architectures, 5G, and Industry 4.0 are opening the door to a new generation of network-level security threats and attacks on IP network infrastructure. Current solutions lack the scale and functionality to address the growing threat volume and complexity.
At Nokia, we embed security into every layer of our IP network infrastructure. We deliver the at-scale, fully featured protection you need to guarantee the performance and integrity of your mission-critical networks.
Why IP networks are vulnerable
IP networks are changing faster than ever. With these changes come new network-level security threats and a broader attack surface:
- Increasing numbers of IoT and Industry 4.0 devices are being connected to the IP network, and may be vulnerable to hijacking. Once hijacked, these devices have access to wide bandwidth to launch attacks.
- Communications Service Providers (CSPs) are using third-party transport to extend their reach. Control, user, and management plane data may be vulnerable to interception and manipulation as it passes across these networks.
- 5G is accelerating cloudification, which enables network functions and services to run anywhere. As network functions become more distributed, the attack surface increases.
At the same time, volumetric DDoS attacks are growing in frequency, complexity, and scale. Millions of hijacked IoT devices are used in conjunction with amplification techniques to flood the network with terabits of data and hundreds of millions of packets per second. A new generation of attacks uses short, intense bursts of traffic to disrupt networks; these attacks are hard to pinpoint and stop.
Whether volumetric DDoS attacks target the CSP’s IP network or simply use it to reach another target, they always impair the CSP’s ability to maintain consistently high service quality.
Addressing all these network-level threats is difficult for security solutions that run on top of IP networks. They lack the cost-effective scale and functionality to fully protect IP networks from the growing threat landscape.
We secure IP networks from within
To provide at-scale protection of IP networks, IP network security must be like packet forwarding – a high-performance, highly scalable capability of the IP network itself.
Nokia has pioneered this approach by embedding security into the DNA of every layer of our IP network infrastructure, providing high-performance, fully featured and at-scale protection for your mission-critical IP networks.
Adopt a self-defending IP network infrastructure
Our multi-layer embedded approach to IP network security begins at the IP silicon layer with the FP4 chipset at the heart of our 7750 SR and 7950 XRS series of routers. The fully buffered architecture supports line-rate access to packet buffer memory so that 100 percent of chip capacity is always available. This ensures network performance and service quality remain high even during the most intense DDoS attacks. FP4 also provides the scale and performance headroom necessary to be a highly precise attack sensor and mitigation element, without compromising other services running on the same chipset.
At the network OS layer, our highly secure and hardened SR OS is designed and tested to block attempts at manipulation and unauthorized access. SR OS leverages highly granular queueing in FP4 to limit every control plane interaction to its fair-share slice of the control plane CPU. This stops volumetric attacks from overwhelming the control plane processor, without impacting legitimate control plane interactions.
At the tools and applications layer, our integrated, high-performance IPsec gateway (Nokia Secure Gateway) encrypts traffic passing across third-party networks or leased lines. Nokia Secure Gateway inherits the scale, resiliency, and security of the carrier-grade 7750 SR infrastructure. A single Nokia Secure Gateway can support up to 32,000 base stations and up to 960GB/s of encrypted traffic.
Our Nokia SR OS Firewall protects the integrity of the control and management planes between trusted zones.
At the application level, our Deepfield Defender provides multi-dimensional intelligence, analytics, and automation that use the network infrastructure to quickly identify and mitigate DDoS attacks.
Identify and mitigate attacks automatically
Using manual solutions and forensic analysis, you can’t respond quickly enough to stop attacks from causing disruption, and accuracy is sometimes compromised.
Nokia Deepfield Defender and 7750 SR and 7950 XRS series routers allow you to identify and respond to attacks automatically. Security policies are continuously monitored and tuned using telemetry from the network. With the automated workflows in Deepfield Defender, you can update tens of thousands of IP silicon filters in seconds to respond to changing security conditions without delay.
Accuracy is high. High-scale, highly granular filters can inspect IP headers or use signature matching to identify and mitigate sophisticated attacks, without impacting router performance. Deepfield Defender adds multi-dimensional security analytics, giving you unprecedented insight into DDoS attacks of all types. This information is combined with Deepfield Secure Genome, which provides unique visibility into internet traffic, to further minimize false positives and negatives.
With Nokia, you can block attacks with greater precision before they impact service quality.
Protect everything, everywhere, all the time
Due to the prohibitive cost and limited scale of traditional DDoS solutions, CSPs have only been able to protect a few select customers or a portion of their network from DDoS attacks.
With IP security embedded within the network, you can protect your whole network and all your customers, all the time. Deepfield Defender and 7750 SR and 7950 XRS series routers shield you from all types of attacks (such as multivector, spoofing, botnet, or carpet bombing), from any origin (inbound or outbound), towards any target (not just protected targets), on any boundary (core, peering, data center, or service edge).
By stopping all customer-directed attacks at the edge of your network, service quality and network performance always remain high.
It’s about protecting your brand and business: customers want a network that won’t let them down, and providing one will help to reduce churn.
At-scale protection for mission-critical IP networks
Let’s discuss how our unique approach to IP network security delivers the protection you need to guarantee the performance and integrity of your mission-critical IP networks.