Do More with MPLS: A Foundation for Security
By John E. Burke
Principal Research Analyst, Nemertes Research
Executive Summary
Organizations of all sizes find it a challenge to maintain the skilled staff and specialized infrastructure required for optimal network security. Most are unable to staff a 24/7 security operations center. To address their staffing and skills gaps, they are increasingly using managed security services. The rise of the distributed enterprise and the spread of MPLS as the de facto WAN and ISP standard give carriers an opportunity to expand their piece of the managed security services market by offering innovative security services in their MPLS clouds. Beyond offloading the burdens of monitoring and management, carrier-cloud security has position-driven advantages, especially in reducing the amount of traffic hitting enterprise sites, in mitigating DDoS attacks, and in providing complete security meshes to match communications meshes, without additional effort by the organization itself.
The Issue
The modern enterprise is spreading ever more widely geographically, with the number of enterprise branches growing by 6.8% on average going into the recession, and likely to grow by more than 9% as the economy moves into recovery. In combination with ongoing consolidation of IT services into data centers, and consolidation among data centers, this growth in distributed enterprises places ever more focus on the WAN. The parallel trend toward using software as a service (SaaS) solutions has 59% of organizations now getting at least some of their enterprise applications over the Internet.
As the importance of the WAN and the Internet to the daily conduct of business continues to grow, the need to improve network security grows as well. The idea of a hard network perimeter has given way to a more porous perimeter combined with defense in depth. However, this means only that no one expects a perimeter firewall to be their first, last, and only line of defense on the network -- it does not diminish the need for strong network defenses.
Many organizations face significant hurdles as they strive to improve their security posture. Often they lack sufficient staff to cover all areas of security adequately, and the staff members they have do not possess the skills needed to manage all the different kinds of security systems required. In fact, 60% of benchmarked organizations report trouble hiring staff with the required skills. Even if they could find the staff they needed, they lack the money to staff a 24/7 security operations center.
Managed Security Services
An increasing number of organizations are using managed security services to address these staffing and funding problems with security operations. (Please see Figure 1: Primary Drivers for Using Managed Security Services, Page 2.) Already, 55.2% of participants in Nemertes benchmark research use some form of managed security service; 72.4% plan to do so by 2011.
The benefits of managed security services to an organization working with limited security budgets or staff are significant: continuous monitoring and management of key security infrastructure by a specialist staff, without the expense of hiring, training, and equipping the operation in house. In-house security staff can focus on other, more strategic aspects of security, such as compliance initiatives, improving separation of duties among IT staff, and protection of confidential information.
Managed Security Service providers (MSSPs) come in many forms, from specialty shops through general-purpose IT outsourcers and system integrators to carriers. Each has its advantages: specialty shops are often local, and focused very sharply on serving the needs of small to midsize customers. They sometimes have trouble scaling, or serving geographically distributed customers. General purpose IT outsourcers can fold security into a broader engagement, but have less focus on serving smaller and midsized businesses. Carriers have the advantage of position--for those using their services.
Currently, system integrators lead the MSSP market, slightly, with 42% of organizations choosing them, compared with 37% that say they will use a carrier. We expect to see a shift as carriers expand their security offerings and the importance of the WAN continues to rise.
Security in the Cloud
The advantage of position is a significant one when it comes to network perimeter defenses. This is true both for the external perimeter, the connection to the Internet, and for the internal perimeters, the connections to other corporate sites on the WAN. Position lends two important advantages. It allows traffic to be filtered before it reaches the organization's own links, so no bandwidth is consumed by traffic destined for the trash bin anyway. It also allows security systems to see attacks before they reach the organization's network. Beyond dropping obviously bad traffic, carrier security can perform higher-level filtering such as anti-malware and anti-spam scanning. One caveat: content-level inspection in the carrier cloud works only on traffic the carrier can see in the clear, so the organization must decide which traffic it is willing to expose to the provider and must treat the carrier as a trusted party in its threat model.
Ideally, carrier-based security can take advantage of what it sees occurring on any client's network to improve the security of all clients' networks. And, because it is the conduit for distributed denial of service attacks (DDoS), the carrier network is the ideal place to detect and filter out the traffic from such attacks in order to prevent them from reaching their targets.
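As an added illustration of the carrier-side detection described above (example code written for this edit, not from Nemertes or any carrier's product), the following Python triages one export window of constructed flow records as a provider-edge router would report them, flags destinations under distributed attack, and chooses the upstream action. The record format, thresholds, reflector port list, link capacity and action names are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed flow records for one 10-second export window at the carrier's
# provider-edge router: (src_ip, src_port, dst_ip, dst_port, proto,
# packets, bytes, tcp_flags). Addresses come from documentation/benchmark ranges.
WINDOW_S = 10
FLOWS = [
    # legitimate HTTPS sessions to the customer's public web server
    ("203.0.113.10", 51000, "198.51.100.20", 443, "tcp", 40, 6000, "SA"),
    ("203.0.113.11", 51001, "198.51.100.20", 443, "tcp", 35, 5200, "SA"),
    ("203.0.113.12", 51002, "198.51.100.20", 443, "tcp", 50, 8000, "SA"),
    # SYN flood from 40 spoofed sources: SYN-only, 40-byte packets
    *[(f"192.0.2.{i}", 40000 + i, "198.51.100.20", 443, "tcp", 2000, 80000, "S")
      for i in range(1, 41)],
    # NTP reflection at the VPN gateway: UDP source port 123, 480-byte replies
    *[(f"198.18.0.{i}", 123, "198.51.100.30", 51234, "udp", 30000, 14_400_000, "")
      for i in range(1, 31)],
    # generic UDP flood at the DNS server from 25 sources, 1000-byte packets
    *[(f"198.19.0.{i}", 50000 + i, "198.51.100.40", 40000 + i, "udp", 20000, 20_000_000, "")
      for i in range(1, 26)],
    ("203.0.113.50", 33333, "198.51.100.40", 53, "udp", 10, 800, ""),
    # ordinary SSH to a management host: must not be flagged
    ("203.0.113.60", 44444, "198.51.100.50", 22, "tcp", 100, 12000, "SA"),
]

# Assumed thresholds: per-destination rate and source count that mark a
# distributed flood, and the capacity of the customer's access link.
PPS_THRESHOLD = 5000
MIN_SOURCES = 20
LINK_MBPS = 100
REFLECTOR_PORTS = {53, 123, 19, 1900, 11211}   # common UDP amplification services


@dataclass
class DstStats:
    packets: int = 0
    bytes: int = 0
    sources: set = field(default_factory=set)
    tcp_packets: int = 0
    syn_only_packets: int = 0
    udp_by_src_port: dict = field(default_factory=lambda: defaultdict(int))


@dataclass
class Verdict:
    dst: str
    kind: str
    action: str
    pps: float
    mbps: float


def aggregate(flows):
    """Fold one-way flow records into per-destination counters."""
    stats = defaultdict(DstStats)
    for src, sport, dst, _dport, proto, pkts, byts, flags in flows:
        s = stats[dst]
        s.packets += pkts
        s.bytes += byts
        s.sources.add(src)
        if proto == "tcp":
            s.tcp_packets += pkts
            if flags == "S":          # SYN with no ACK: never completed a handshake
                s.syn_only_packets += pkts
        elif proto == "udp":
            s.udp_by_src_port[sport] += pkts
    return stats


def classify(dst, s, window_s=WINDOW_S):
    """Return a Verdict for a destination under distributed attack, else None."""
    pps = s.packets / window_s
    mbps = s.bytes * 8 / window_s / 1e6
    if pps < PPS_THRESHOLD or len(s.sources) < MIN_SOURCES:
        return None
    if s.tcp_packets and s.syn_only_packets / s.tcp_packets > 0.9:
        # SYN flood: divert to scrubbing (SYN proxy/cookies) so real clients still get through
        return Verdict(dst, "syn_flood", "scrub", pps, mbps)
    if s.udp_by_src_port:
        top_port, top_pkts = max(s.udp_by_src_port.items(), key=lambda kv: kv[1])
        if top_port in REFLECTOR_PORTS and top_pkts / s.packets > 0.9:
            # Reflection: a narrow source-port filter discards the flood upstream of the link
            return Verdict(dst, "amplification",
                           f"flowspec drop udp sport {top_port} -> {dst}/32", pps, mbps)
    if mbps > LINK_MBPS:
        # Flood would saturate the customer link: blackhole the one target so the rest of the site stays up
        return Verdict(dst, "volumetric", f"rtbh {dst}/32 (target unreachable until withdrawn)", pps, mbps)
    return Verdict(dst, "volumetric", f"rate-limit {dst}/32 to {LINK_MBPS // 2} Mbps", pps, mbps)


def triage(flows, window_s=WINDOW_S):
    """Map each attacked destination to its Verdict."""
    verdicts = {}
    for dst, s in aggregate(flows).items():
        v = classify(dst, s, window_s)
        if v:
            verdicts[dst] = v
    return verdicts


if __name__ == "__main__":
    for v in triage(FLOWS).values():
        print(f"{v.dst}: {v.kind} at {v.pps:,.0f} pps / {v.mbps:.1f} Mbps -> {v.action}")
```

Run as a script it prints one line per attacked destination. The design point is that the decision is made, and the drop applied, upstream of the customer's access link: the 345 Mbps reflection flood at 198.51.100.30 never touches the customer's 100 Mbps circuit. Note the trade-off built into the RTBH branch: blackholing the target /32 completes the denial of service for that one address in order to keep the rest of the site reachable, so it is the last resort when no narrower filter fits.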
When selecting a partner, organizations look first and foremost at an MSSP's range of services offered--things like managed firewall, managed IDS/IPS, DDoS protection. (Please see Figure 2: Selection Criteria for Managed Service Providers, Page 3.) Next most important, of course, are start-up and ongoing costs, followed by geographic reach. Here a carrier has a significant advantage: the WAN carrier most likely already serves all the locations where managed security services would be needed.
MPLS, as the new de facto standard for WAN and carrier connectivity, is ideally suited to serve as the basis of carrier-cloud security services. Through its support of full multi-site meshing, it can pass, and secure, traffic from any site to any site. MPLS can also be used to create security zones, mirroring and extending the zones inside data centers that are defined by subnets and Virtual LANs (VLANs). A VLAN gives a group of hosts that need to talk to each other the isolation of a dedicated switch without requiring them all to be on the same physical switch: switches assign ports to VLANs and will not forward traffic from one VLAN to another directly; routers handle that, and can apply filtering rules (or push the traffic through other security infrastructure). Virtual Private LAN Service (VPLS) replicates VLAN functions on an Ethernet-over-MPLS network, segmenting traffic among sites. (Please see Figure 3: Propagating VLANs with VPLS, Page 4.) One caveat a practitioner should keep in mind: MPLS VPNs and VPLS separate customers' traffic by label and forwarding table, not by encryption. They prevent cross-customer leakage within a correctly configured carrier network, but they do not protect the traffic's confidentiality from the carrier itself or from anyone with access to the carrier's links; where that matters, encryption such as IPsec must be layered on top.
No Perimeter or Perimeter Anywhere?
Using MPLS as its foundation, carrier-cloud security can put the network perimeter anywhere it makes sense. It can even be used to rationalize an existing system of network "demilitarized zones" (DMZs), the network segments that host servers facing the Internet or other untrusted networks. Consider, for example, a company with many DMZs dispersed among many data centers that wants to consolidate down to a pair of data centers, primary and backup. It could bring all the firewalls into its primary site, replicate the existing complex of DMZs there, and then replicate that in its secondary site as well, adding a huge amount of complexity to the networks in both. Or it could shift filtering and segmentation of traffic into its carrier's cloud: use a firewall there, and propagate the required VLANs across the cloud to the secondary site. This would simplify the network in both locations and shift the heavy lifting of traffic filtering to the carrier infrastructure. (Please see Figure 4: Virtual DMZ, Page 5.)
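The VLAN/VPLS segmentation described earlier and the virtual-DMZ consolidation just described both rest on one invariant: every path from an untrusted segment into an internal one must cross a filtering hop. The following Python is an added example (not from the paper) that models segments as (site, VLAN) nodes, VPLS stretches as unfiltered L2 adjacency, and audits that invariant by searching for paths that avoid every firewall. The site names, VLAN names and topology are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Segments are (site, vlan) tuples; INTERNET is the untrusted external segment.
# Each edge carries a flag: filtered=True for a firewall or router ACL hop,
# filtered=False for plain L2 adjacency (a switch or a VPLS stretch) or a
# router with no policy. The topology below is constructed for this example.
INTERNET = "INTERNET"


class Segmentation:
    def __init__(self):
        self.adj = defaultdict(list)

    def _link(self, a, b, filtered):
        self.adj[a].append((b, filtered))
        self.adj[b].append((a, filtered))

    def vpls(self, vlan, sites):
        """VPLS makes one VLAN a single L2 domain across sites: no hop inspects the frames."""
        for i, s1 in enumerate(sites):
            for s2 in sites[i + 1:]:
                self._link((s1, vlan), (s2, vlan), filtered=False)

    def router(self, a, b):
        """Inter-VLAN routing with no ACL: crosses the zone boundary unfiltered."""
        self._link(a, b, filtered=False)

    def firewall(self, a, b):
        """Inter-zone hop through a firewall or router ACL."""
        self._link(a, b, filtered=True)

    def unfiltered_path(self, src, dst):
        """Breadth-first search over unfiltered edges only. Returns the hop list
        if src reaches dst without crossing a policy point, else None."""
        prev = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nxt, filtered in self.adj[cur]:
                if not filtered and nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return None

    def audit(self, must_filter):
        """Return (src, dst, path) for every pair reachable with no filter in between."""
        violations = []
        for src, dst in must_filter:
            path = self.unfiltered_path(src, dst)
            if path:
                violations.append((src, dst, path))
        return violations


SITES = ["cloud", "dc1", "dc2"]   # carrier cloud plus primary and backup data centers
DMZ = [(s, "dmz-web") for s in ("dc1", "dc2")]
INTERNAL = [(s, "internal") for s in ("dc1", "dc2")]
# Pairs that must always cross a firewall: Internet to anything, DMZ to internal.
MUST_FILTER = ([(INTERNET, seg) for seg in DMZ + INTERNAL]
               + [(d, i) for d in DMZ for i in INTERNAL])


def build_virtual_dmz(plain_router_at_dc2=False):
    """The consolidated design: one firewall in the carrier cloud, DMZ and internal
    VLANs propagated to both data centers with VPLS. The optional plain router
    models a local shortcut someone adds at the backup site."""
    net = Segmentation()
    net.vpls("dmz-web", SITES)
    net.vpls("internal", SITES)
    net.firewall(INTERNET, ("cloud", "dmz-web"))
    net.firewall(("cloud", "dmz-web"), ("cloud", "internal"))
    if plain_router_at_dc2:
        net.router(("dc2", "dmz-web"), ("dc2", "internal"))
    return net


def audit_virtual_dmz(plain_router_at_dc2=False):
    """Violations of the filtering invariant for the virtual-DMZ design."""
    return build_virtual_dmz(plain_router_at_dc2).audit(MUST_FILTER)


if __name__ == "__main__":
    print("clean design violations:", audit_virtual_dmz())
    for src, dst, path in audit_virtual_dmz(plain_router_at_dc2=True):
        print(f"{src} -> {dst} unfiltered via {path}")
```

With the firewall in the carrier cloud and both VLANs stretched by VPLS, the audit returns no violations. Adding a plain router between the DMZ and internal VLANs at the backup site alone produces a violation for every DMZ segment at every site, because the stretched VLAN makes that router reachable from the primary site's DMZ hosts without passing the cloud firewall. A stretched VLAN extends the trust zone, not just the connectivity, so each site that carries it has to be held to the same policy.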
Of course, the carrier's position as both Internet access point and WAN connection point also allows security to be inserted between locations, not only between the organization and the outside world. Given that security compromises can originate anywhere there is a computer or other networked device (switch, router, printer), inter-branch security, a full mesh of security that matches the communications mesh, is increasingly necessary.
There are two basic configurations onto which a carrier MSSP can overlay full-mesh security: a data-center/backhaul network, and a direct-to-net network.
In a backhauled network, Internet access is channeled through the main data center, and users in branches get access to the Internet through the WAN. The WAN provider can put protections--firewalls, IDS/IPS, even data leak filtering--onto the inter-branch mesh of connections. The organization may handle security on the Internet connection in-house, or have it handled by the Internet provider, which does not have to be the same as the WAN provider, although a single provider would have some advantages for coordinating monitoring, alerting, policy enforcement, and logging across the whole set of security services. (Please see Figure 5: Internet Gateway on Main Site, Page 6.)
If the WAN and the Internet provider are the same, then the direct-to-net model also becomes a possibility. With direct-to-net, branches get direct access to the Internet rather than routing traffic through the main connection. This has some obvious benefits for reducing the amount of traffic on that link, and for reducing contention for resources between internal users reaching out to the Internet for work purposes and external users reaching into the corporate web presence as prospects or customers. Because the MPLS mesh enables traffic to flow to any site, it is simple to include Internet traffic and rules for filtering it into the firewall and other protections for each site. (Please see Figure 6: Internet Gateway in the Cloud for Direct-to-Net Sites, Page 7.) This configuration also has the benefit of reducing, to a minimum, the bad network traffic actually making it to any site.
Figure 6: Internet Gateway in the Cloud for Direct-to-Net Sites
Conclusion
Organizations of all sizes are caught up in the continuous security arms race between bad guys trying to break in (or just plaster users with spam) and security systems aimed at keeping them out. Many find themselves struggling to keep up with the technology, let alone maintain the skilled staff required for optimal use. And most are unable to staff a 24/7 security operations center. They are increasingly interested in making use of managed security services to address their staffing and skills gaps.
The rise of the distributed enterprise and the spread of MPLS as the de facto WAN and ISP standard present a new opportunity for carriers to expand and improve their ability to provide security services. Beyond simply offloading the burdens of monitoring and management, providing security in the carrier cloud has advantages related to its position. It offers the ability to reduce the amount of bad traffic hitting enterprise links or sites, to mitigate (or block entirely) DDoS attacks, and to support novel security architectures - complete security meshes that match the communications meshes organizations are coming to rely on.
About Nemertes Research: Nemertes Research is a research-advisory firm that specializes in analyzing and quantifying the business value of emerging technologies. You can learn more about Nemertes Research at our Website, www.nemertes.com, or contact us directly at [email protected].