Fighting the unknown unknowns: Building the network of the future
With a predicted tripling of internet traffic over the next four years, it's clear that the heart of networks need to be both fast and secure, and ready to cope with the vast quantities of data we're going to be sending their way.
Recently I popped over to Amsterdam to take a look at Juniper's Proof of Concept centre, where it builds and tests networks for customers before they deploy them, and to talk to the company about how it sees network design evolving, particularly for the big carriers and for ISPs.
With the shift to cloud well under way, along with the popularity of consumer streaming services for both video and audio, carriers' and ISPs' infrastructures are starting to feel the pressure — and with more traffic to come, they're going to need to change to support the new demands on their networks.
The death of the PC has been exaggerated: Get ready for the era of ubiquitous computing
Of course, it's not just the core of the net that's feeling the pressure. It's also the data centre that's changing, turning into a private cloud that needs to respond flexibly to changes in demand, and to behave as a combination of compute and storage fabrics, all supported by a software defined network. It's a networking future that's fraught with unknown unknowns.
Juniper's first hardware was designed for the 1990s network, where client server dominated. Now it needs to design for a distributed world, where networks need to be as flexible: that means changes in network topology, and in the way networks are managed. It also means finishing the move away from circuit switched networks to packet switching, getting rid of those SONET and SDH links, and delivering packet switching across the entire network; from data centre to core routers and beyond.
That change has meant rethinking the architecture of core systems. Juniper's latest hardware is designed to shift packets fast, using nothing but Ethernet. It's also only delivering the appropriate parts of the routing table to its hardware, allowing it to be stored in on-chip memory in the route lookup ASICs. That means it's a lot faster than traditional techniques — as well as allowing Juniper to make its hardware a lot smaller, using less power and generating less heat.
Chip design is only part of network router architecture, and Juniper is using different architectures for core and edge hardware. Core hardware is optimised to push packets as quickly as possible (terabits a second), while things are more complex at the edge, where packets need to be delivered to endpoints. That means edge routers are built up of arrays of cores, and are able to host services built up of third party applications.
A big part of any future network is giving it a secure foundation. As we distribute services, we need to distribute security by building it into the network and into our applications and our information, rather than relying on the bottlenecks of standalone firewalls and security appliances. That change has meant that Juniper is building security into its routers, focusing on managing next generation data centres.
Part of that new security model is tooling that continually monitors web applications, with the aim of reducing the risk of penetration and of site compromises. WebApp Secure is installed on an appliance or in a VM (or even in the cloud), and collects forensic data on attacks, including the device used, its location, and the methods being used. That information is used to build attacker profiles that are then shared with other WebApp Secure installations — so if one site is attacked, all sites are protected.
What's most interesting about Juniper's approach to security is the way that it detects attackers. Instead of monitoring a whole site for attack, something that can lead to false positives, WebApp Secure adds dummy code to the outbound HTTP stream — code that looks like query strings, or form fields, or even faked server configuration files. As these are the cues and clues an attacker will look for, by detecting attacks on the spoofed data, Juniper can reduce the risk of false positives.
If someone is getting into the WebApp Secure tar pit, it's good odds that they're not a legitimate user. If they're attacking with a browser, WebApp Secure will send tokens to help identify the attacker in future — rather than just identifying by IP address. Over 200 different fingerprinting techniques are used to identify machines using scripts and other attacks, from browser and timezone, to the add-ons that have been installed — and even an attacker's choice of font.
The result is a profile of an attacker that's stored in Spotlight Secure, a cloud database of known attackers. Associated with generated pseudonym, a profile includes activity records, known attack methods, and a threat level based on the attacks they're using. That database is shared, in real time, between all WebApp Secure users, making sure that there's a current picture of attacks and attackers that tracks what's being attacked, where, and how.
It's fascinating seeing how networking providers like Juniper are working to deliver the networks we need. With IP networks now critical infrastructure, building security like this into network hardware is vitally important. Security can't interrupt the flow of data, so building it into edge routers makes sense, especially when it doesn't impact services.