From Protected Networks to Protective and Collaborative Networking: An Approach to a Globally Anticipative Attack Mitigation Framework for the Future Internet

Copyright: © 2021 | Pages: 23
DOI: 10.4018/978-1-7998-7646-5.ch012

Abstract

Security has always been a major concern of network operators. Despite a rich security toolbox that has never ceased to improve over the years (filters, traffic wells, encryption techniques, and intrusion detection systems, to name a few), attacks keep increasing in both number and amplitude. Such protean attacks demand an adapted security toolkit that includes techniques capable not only of detecting these attacks but also of anticipating them before they reach their target. Strengthening future networking infrastructures so that they become protective, instead of being “just” protected, must thus become one of the key strategic objectives of network operators and service providers who aspire to rely upon robust, dynamic security policy enforcement schemes to develop their business while retaining their existing customers. This chapter discusses the various security challenges that may be further exacerbated by future networking infrastructures. It also presents some of the techniques that are very likely to become cornerstones of protective networking.

Background

Security Demands Global Thinking

Security is a global matter. It relates not only to the protection of infrastructures, customer premises, and end-user applications, but also to the preservation of privacy-sensitive data, to the ability to provide hard guarantees about the identity of an end-user before he/she can access the service he/she has subscribed to, and to the ability to provide hard guarantees about the nature of the information exchanged between networks (e.g., for route computation purposes) as well as the identity of the peer that announces such information. Means to ensure the integrity of this information must be provided. Future networking infrastructures are no exception, and the aforementioned security challenges also apply to them, hence the need for means to:

1. Access services with proper credentials (and their management).

2. Securely exchange information between operators to deliver multi-domain/multi-tenant services (including the ability to provide guarantees about the identity of such partners before exchanging information with them).

3. Secure the transport of (policy-provisioning/configuration) information between logically centralized computation logics responsible for designing, delivering and operating services and the participating components of the service.

4. Authenticate tenants who may be granted access to service parameters and who may trigger resource negotiation cycles.

5. Make sure decisions made by various computation logics operated by different parties are consistent within the context of dynamically provisioning services that span multiple networks operated by different parties.

6. Dynamically define and enforce appropriate mitigation plans to prevent attacks, preferably well before they reach their target(s).

Key Terms in this Chapter

Predictive Traffic Analysis: A technique that consists of developing traffic patterns deduced from the observation of the traffic that goes through a network or a network component. The library of normal traffic baselines can be elaborated and maintained by means of Machine Learning techniques. Such traffic patterns are used by agents that monitor the traffic (or a part thereof, selected according to criteria such as the Source Address (SA)/Destination Address (DA) pair, the protocol number, etc.) that goes through a network device or is forwarded along a network segment, so that they can compare what they observe against the normal traffic baseline. By means of AI algorithms, they can detect potentially suspicious traffic that does not match any of the said traffic patterns, or update the library of traffic patterns.
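The definition above describes three steps: build a library of normal traffic patterns keyed by selection criteria such as the SA/DA pair and protocol number, compare what an agent observes against that library, and update the library when a flow turns out to be legitimate. The following is an added example, not code from the chapter or its authors, that implements a minimal version of that loop in Python. It uses a per-flow-key mean and standard deviation of packet rate as the "pattern" (a deliberately simple stand-in for the Machine Learning models the chapter refers to), and every flow record, address and rate in it is constructed for the demonstration.

```python
"""Added example (not from the chapter): a minimal predictive-traffic-analysis
agent that learns a per-flow-key baseline from normal observations, compares
new observations against it, and folds confirmed-benign observations back
into the library. All flow records below are constructed, not real captures."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

# Flow key built from the chapter's selection criteria: (source address, destination address, protocol number)
FlowKey = Tuple[str, str, int]
# One observation: (src, dst, proto, packets per second over a one-second window)
Observation = Tuple[str, str, int, float]


class TrafficBaseline:
    """The 'library of normal traffic': per-flow-key packet-rate samples."""

    def __init__(self, k: float = 3.0, min_sigma: float = 5.0) -> None:
        self.k = k                  # how many standard deviations count as suspicious
        self.min_sigma = min_sigma  # floor so a perfectly steady flow does not flag tiny jitter
        self._samples: Dict[FlowKey, List[float]] = defaultdict(list)

    def learn(self, observations: Iterable[Observation]) -> None:
        """Add observations to the library (initial training or a later update)."""
        for src, dst, proto, pps in observations:
            self._samples[(src, dst, proto)].append(pps)

    def stats(self, key: FlowKey) -> Tuple[float, float]:
        """Mean and (floored) standard deviation of the learned rate for one flow key."""
        samples = self._samples[key]
        return mean(samples), max(pstdev(samples), self.min_sigma)

    def score(self, obs: Observation) -> dict:
        """Compare one observation against the baseline and return a verdict record."""
        src, dst, proto, pps = obs
        key = (src, dst, proto)
        if key not in self._samples:
            # No pattern at all for this SA/DA/protocol: it cannot be matched against the library
            return {"key": key, "verdict": "unknown_flow", "pps": pps, "z": None}
        mu, sigma = self.stats(key)
        z = (pps - mu) / sigma
        verdict = "anomalous_rate" if abs(z) > self.k else "normal"
        return {"key": key, "verdict": verdict, "pps": pps, "z": round(z, 2)}

    def monitor(self, window: Iterable[Observation]) -> List[dict]:
        """Score a window of observations and return only those an agent would report to a mitigator."""
        return [r for r in (self.score(o) for o in window) if r["verdict"] != "normal"]


# Constructed training data: six one-second windows of normal traffic for two flows
NORMAL_OBSERVATIONS: List[Observation] = [
    ("10.0.0.5", "192.0.2.10", 6, 120), ("10.0.0.5", "192.0.2.10", 6, 130),
    ("10.0.0.5", "192.0.2.10", 6, 125), ("10.0.0.5", "192.0.2.10", 6, 115),
    ("10.0.0.5", "192.0.2.10", 6, 135), ("10.0.0.5", "192.0.2.10", 6, 125),
    ("10.0.0.7", "192.0.2.20", 17, 40), ("10.0.0.7", "192.0.2.20", 17, 42),
    ("10.0.0.7", "192.0.2.20", 17, 38), ("10.0.0.7", "192.0.2.20", 17, 40),
    ("10.0.0.7", "192.0.2.20", 17, 41), ("10.0.0.7", "192.0.2.20", 17, 39),
]

# Constructed monitoring window: mostly normal, one rate spike, one never-seen flow, one flow going silent
WINDOW: List[Observation] = [
    ("10.0.0.5", "192.0.2.10", 6, 128),
    ("10.0.0.5", "192.0.2.10", 6, 900),
    ("10.0.0.7", "192.0.2.20", 17, 41),
    ("198.51.100.9", "192.0.2.10", 6, 15),
    ("10.0.0.7", "192.0.2.20", 17, 0),
]


def run_demo() -> Tuple[List[dict], str]:
    """Train, monitor one window, then fold the unknown flow in as confirmed benign and re-score it."""
    baseline = TrafficBaseline()
    baseline.learn(NORMAL_OBSERVATIONS)
    alerts = baseline.monitor(WINDOW)
    # An operator confirms the new flow is legitimate: update the library, as the chapter describes
    baseline.learn([("198.51.100.9", "192.0.2.10", 6, p) for p in (14, 15, 16, 15)])
    after_update = baseline.score(("198.51.100.9", "192.0.2.10", 6, 15))["verdict"]
    return alerts, after_update


if __name__ == "__main__":
    alerts, after_update = run_demo()
    for alert in alerts:
        print(alert)
    print("re-scored after library update:", after_update)
```

Run as a script, the block reports three records from the window (the rate spike on the first flow, the never-seen source address, and the second flow going silent) and then shows the previously unknown flow scoring as normal once its samples have been added to the library. The `min_sigma` floor matters in practice: a flow whose training samples are almost constant would otherwise flag every small fluctuation, which is exactly the false-positive noise that makes agents' reports useless to a mitigator.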

Security Policy: A set of measures (e.g., traffic encryption, traffic filtering, traffic redirection) defined by a security Policy Decision Point (e.g., an SDN controller) and enforced by a set of components (e.g., routers, firewalls) to protect a networking infrastructure and the devices (e.g., Customer Premises Equipment, mobile terminal) connected to it against attacks.

Collaborative Networking: A framework that extends the concept of protective networking at a global scale. Collaborative networking includes (but is not limited to) the ability to dynamically exchange best attack mitigation practices between partnering networks, the ability to provide an assistance service where a protective network can help a partnering network to elaborate an attack mitigation plan (AMS) and the ability to instruct partnering networks to proceed with attack mitigation actions that will limit the propagation of an attack.

Attack Mitigation Plan: An instantiation of a security policy that is designed to respond to an attack by any means appropriate (e.g., redirection of the attack traffic, creation of traffic wells, activation of traffic filters), as a function of its nature (e.g., a spoofing attack, a DDoS attack), its origin, its scope, etc.

Network Automation: A set of techniques meant to facilitate the design, delivery, and operation of services (e.g., VPN services) supported by a network infrastructure. Within the context of collaborative networking, network automation tools include dynamic security policy enforcement and resource allocation schemes, dynamic signaling mechanisms to report and exchange information about potentially suspicious traffic, and a set of Artificial Intelligence (AI) tools such as Machine Learning, computation algorithms like Reinforcement Learning, and neural networks that assist attack traffic identification procedures as well as the elaboration of attack mitigation plans.

Protective Networking: A set of detection, signaling, and attack mitigation means that provide a network with the ability to dynamically anticipate and mitigate attacks (hopefully of any kind), regardless of their origin, scope, and amplitude, way before they reach their targets.

Attack Mitigation Service (AMS): The service provided by a Mitigation Service Provider, particularly by means of protective networking. An AMS relies upon one or several mitigators and scrubbing centers that are responsible for processing attack mitigation requests signaled by one or several agents deployed in the protective networking infrastructure. Agents are responsible for monitoring and detecting any suspicious traffic that may correspond to an attack and for reporting such suspicious traffic to one of the mitigators they communicate with.
