Security in the Cloud? It’s a Matter of Position


One of the biggest challenges facing network architects is crafting a security architecture that protects internal network resources from external attack, most visibly denial of service (DoS) attacks against public-facing servers. These attacks range from a nuisance to a threat that disrupts overall business operations.

One of the keys to a successful attack mitigation strategy is keeping attack traffic from reaching your network links in the first place. Here is where a "security in the cloud" strategy comes into play. By positioning security services outside your network, upstream of your own circuits, you can identify and drop DoS traffic before you feel its impact.

The advantage of position is a significant one when it comes to network perimeter defenses. This is true both for the external perimeter (the connection to the Internet) and the internal perimeters (the connections to other corporate sites on the WAN). Position lends two important advantages. First, traffic can be filtered before it hits the organization's own links, so bandwidth is not consumed by traffic destined for the trash bin anyway; this matters most for volumetric attacks, which a firewall on your side of a saturated access link cannot help with, because the link itself is the bottleneck. Second, security systems see attacks before they reach the organization's network. In addition to reducing "bad traffic," cloud-based security can perform higher-level tasks such as anti-malware and anti-spam filtering. Indeed, the highest overall performer in our recent PilotHouse awards was a cloud-based messaging security service.

Ideally, a cloud-based security provider can use what it sees on any one client's network to improve the security of all its clients' networks. And because the carrier network is the conduit for distributed denial of service (DDoS) traffic, it is the natural place to detect and filter such attacks before they reach their targets.

When selecting a partner, start with the range of services offered, such as managed firewall, managed IDS/IPS and DDoS protection, and then weigh start-up and ongoing costs and geographic reach. On reach, a carrier has a significant advantage: the WAN carrier most likely already serves all the locations where managed security services would be needed.

MPLS is well suited to serve as the basis of carrier-cloud security services. Through its support of full multi-site meshing, it can pass, and secure, traffic from any site to any site. MPLS can also be used to create security zones, mirroring and extending the zones inside data centers that are defined by subnets and Virtual LANs (VLANs). A VLAN gives a group of hosts the isolation they would have on their own dedicated switch without requiring that they actually share a switch: switches assign ports to VLANs and will not forward frames from one VLAN to another directly. Traffic between VLANs must pass through a router (or layer-3 switch), which is where filtering rules are applied or traffic is pushed through other security infrastructure. The segmentation is therefore only as strong as the access lists at that routed hop and the trunk configuration between switches. Virtual Private LAN Service (VPLS) replicates VLAN functions on Ethernet-over-MPLS networks, segmenting traffic among sites.
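As an added illustration of the VLAN-plus-router segmentation just described (this is not configuration from the article or from any vendor document), here is a Cisco IOS-style configuration for an access switch and the layer-3 device that joins a DMZ VLAN to an internal VLAN. VLAN numbers and names, interface names, and the documentation address ranges 192.0.2.0/24 and 198.51.100.0/24 are all assumptions chosen for the example. The weak and corrected variants of the routed interface are shown side by side.

```text
! Added example, not from the original article. VLAN IDs, interface names
! and the 192.0.2.0/24 (DMZ) and 198.51.100.0/24 (internal) prefixes are
! assumptions.
!
! --- Access switch: ports are assigned to VLANs; the switch itself never
! --- forwards frames between VLAN 10 and VLAN 20.
vlan 10
 name DMZ
vlan 20
 name INTERNAL
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 description web server in the DMZ
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description application server on the internal segment
 switchport mode access
 switchport access vlan 20
!
! Uplink to the layer-3 device. Only the two zone VLANs are carried, and the
! native VLAN is an unused one so an untagged frame cannot land in a zone.
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
!
! --- Layer-3 device (router or layer-3 switch). This is the only path
! --- between the zones, so this is where the filtering policy must live.
!
! WEAK: routed interfaces with no access-group. Every DMZ host can reach
! every internal host, so a compromised web server has a free path inward.
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
!
! CORRECTED: an access list applied inbound on the DMZ-facing interface.
! DMZ hosts may reach only the application server on TCP 443; everything
! else on the internal prefix is denied and logged; other destinations
! (for example the Internet) stay reachable. Entries are matched first to
! last and every IOS ACL ends with an implicit deny.
ip access-list extended DMZ-IN
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 443
 deny   ip  192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 log
 permit ip  192.0.2.0 0.0.0.255 any
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group DMZ-IN in
```

Two points to check when reviewing a configuration like this: the ACL is stateless, so traffic initiated from the internal side towards the DMZ is governed only by what is applied on the internal-facing interface (nothing, in this example), and a trunk that carries every VLAN, or whose native VLAN is one of the zone VLANs, undoes the separation the access list is meant to enforce.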

Using MPLS as its foundation, carrier-cloud security can put the network perimeter wherever it makes sense. It can even be used to rationalize an existing sprawl of network "demilitarized zones" (DMZs), the network segments that host servers facing the Internet or other untrusted networks. Consider a company with many DMZs dispersed among many data centers that wants to consolidate down to a pair of data centers, primary and backup. It could move all the firewalls into the primary site, rebuild the existing complex of DMZs there, and then replicate the whole arrangement at the secondary site, adding a great deal of complexity to the networks in both. Or it could shift filtering and segmentation of traffic into its carrier's cloud: place the firewall there and propagate the required VLANs across the cloud to the secondary site. This simplifies the network in both locations and moves the heavy lifting of traffic filtering onto the carrier infrastructure.

Bottom line: the "build your own firewall" model of network security is often neither the simplest nor the most cost-effective approach, and it cannot help at all against traffic that saturates your access link before it reaches the firewall. Work with your providers to take advantage of services that block attacks before they reach your network.


Copyright © 2011 IDG Communications, Inc.