By Nick Cadwgan, IP Networks at Nokia
We find ourselves in a world of accelerated broadband investment looking to address the global broadband divide, continued digital transformation with the shift of applications into the cloud, and the recognition that our global networks are business- and societal-critical infrastructure. Within these wider industry trends, some areas influence IP network security.
Broadband networks have been identified as a key part of digital inclusion strategies and of supporting participation in, and growth of, the global digital economy. So, we are seeing continued investment globally in fiber, driving an increase in broadband access service speeds. 1 Gbps now represents an increasing percentage of broadband subscription plans, and this trend is predicted to grow in the forthcoming years. This fiber investment is complemented with the deployment of fixed wireless access to expand the footprint and speed the deployment of ‘Gigabit’ broadband services. While this continued increase in capacity is noteworthy in itself and is helping to enable the widescale deployment of IoT devices, it is the change in the characteristics of the broadband access services themselves, as they become more symmetrical, that will provide a new challenge.
Also, the critical nature of communications networks has been identified over the last decade, and continues to be identified, by governments globally. Communications networks are an integral component of their economies, underlying the operations of all businesses, public safety organizations and government – they are critical because they provide an “enabling function” across all other identified critical infrastructure sectors.
What is DDoS and the increasing influence of IoT botnets?
This continuing proliferation, with millions of IoT devices, while potentially beneficial to our society and global economy, also provides an opportunity to malicious parties globally. Unfortunately, many of these IoT devices are operating with versions of Linux that are easy to compromise, or firmware that has not been kept up to date, making them easier targets for parties to remotely gain control. This, combined with access to high-bandwidth, more symmetrical broadband services, provides an opportunity to deliver higher-scale, multi-terabit and beyond, DDoS attacks when these devices are combined into botnets. IoT botnets are now responsible for the majority of Distributed Denial-of-Service (DDoS) attack traffic, and this has led to the collapse of DDoS service prices globally, to a mere fraction of the cost in the last few years. They are one of the tools now available to political activists, extortion operations and even nation states.
Assuaging the thirst for botnet DDoS attacks
Identifying a potential botnet DDoS attack is often the easy part. The more difficult challenge is how to address the attack in a granular manner without creating a traffic bottleneck or black holes. How do you distinguish traffic that is originating from hundreds, potentially thousands, of compromised IoT devices from valid traffic? How do you limit or even stop this compromised traffic without impacting the service experience of valid users? While there may be a drive to introduce more intelligence on the IoT devices themselves and into their supply chain, how does the IP network defend itself? It requires an ability to rapidly set up and tear down hundreds of thousands of IP filters in the network – all without impacting the performance of the IP network.
Why is connectivity in the quantum era vital?
The rapid digitalization of industries, government, and individuals has driven the recognition that our global networks are business- and societal-critical infrastructure. By 2023, digitalization had far exceeded simple transactions like order placement, inventory management or logistics optimization – it has embraced cloud-based compute and storage, process automation and AI-based customer experiences. All of this means that network connectivity is vital to almost any organization or individual.
While the industry has worked to protect this network connectivity through introduction of wide scale encryption, we are seeing a new threat – the quantum threat. The quantum threat comes from the massive processing power quantum computers can bring to bear on algorithms used to safeguard public key network encryption. There is wide industry debate as to when a quantum processor – or network of quantum processors – will amass enough qubits to break public key network algorithms in a timely manner. The debate is not ‘if’ but ‘when’. Due to its implications, the industry has given it a name: Q-Day.
To avoid the potential catastrophic impacts, work is underway to develop a new set of public key cryptographic algorithms that will take quantum computers an impractical length of time to break. This work is being overseen by bodies such as NIST (National Institute of Standards and Technology), with the initiative known as post-quantum cryptography (PQC). It is making good progress, but standardization and mass deployment are expected to take years. Who gets to the finish line first – sufficiently powerful encryption-breaking quantum computers or universal PQC deployment – is the subject of yet another unnerving debate.
While this debate continues, the time to act is now. Of increasing concern are so-called harvest-now-decrypt-later (HNDL) attacks. If malicious parties with adequate resources can intercept and harvest sensitive data flowing in today’s networks, then that data can be decrypted on or following Q-Day.
How to make networks quantum safe?
Thankfully we are in a position to make our networks quantum safe today. According to multiple authorities – including the NSA, NIST, ETSI and ANSI – symmetric encryption algorithms like AES coupled with highly randomized and large 256-bit keys are quantum safe.
These symmetric encryption algorithms can be used to introduce quantum-safe encryption of traffic flows between routers or optical switches today, safeguarding all data well in advance of Q-Day. The symmetric keys can be distributed using quantum-safe encryption over traditional IP and optical links, or via quantum key distribution (QKD) mechanisms.
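The router-to-router protection described above, sketched as an added example (not code from the article or from any Nokia product): two link endpoints share a pre-provisioned 256-bit key and protect each frame with AES-256-GCM, so no public-key exchange exists on the wire for an HNDL collector to attack later. The names `Link`, `NewLink`, `Seal` and `Open`, the 12-byte header layout and key ID 7 are assumptions made for illustration.

```go
package main
// Added illustration: Link, NewLink, Seal and Open are hypothetical names, not a product API.
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

type Link struct {
	aead   cipher.AEAD
	keyID  uint32 // names the pre-provisioned key in use
	lastPN uint64 // highest packet number accepted so far
}

// NewLink accepts only 256-bit keys, the size the text calls quantum safe.
func NewLink(keyID uint32, key []byte) (*Link, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, errors.New("need a 256-bit key")
	}
	aead, err := cipher.NewGCM(blk)
	return &Link{aead: aead, keyID: keyID}, err
}

// Seal returns header || ciphertext; the header is GCM nonce and AAD, so pn must not repeat per key.
func (l *Link) Seal(pn uint64, payload []byte) []byte {
	hdr := binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint32(nil, l.keyID), pn)
	return append(hdr, l.aead.Seal(nil, hdr, payload, hdr)...)
}

// Open rejects wrong key IDs, replays (pn starts at 1) and any tampered byte.
func (l *Link) Open(frame []byte) ([]byte, error) {
	if len(frame) < 12 || binary.BigEndian.Uint32(frame) != l.keyID ||
		binary.BigEndian.Uint64(frame[4:]) <= l.lastPN {
		return nil, errors.New("short frame, unknown key ID or replayed packet number")
	}
	pt, err := l.aead.Open(nil, frame[:12], frame[12:], frame[:12])
	if err == nil {
		l.lastPN = binary.BigEndian.Uint64(frame[4:])
	}
	return pt, err
}

func main() {
	link, _ := NewLink(7, make([]byte, 32)) // constructed all-zero demo key; real keys come from a CSPRNG or QKD
	pt, err := link.Open(link.Seal(1, []byte("route update")))
	fmt.Println(string(pt), err)
}
```

Rolling to a new key means provisioning it under a new key ID on both ends before the packet number space of the old key is exhausted.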
Are you prepared?
Regardless of these powerful new threats to network security coming from the incomparable attack bandwidth of IoT botnets, or the raw processing power of quantum computers, help is out there. Network operators just need to ask the right questions to ensure the requisite IP network security capabilities are an integral, multi-layered part of their new or upgraded IP network builds.
To find out how we can help please visit our IP network security web presence.