Security in the carrier space has typically meant physical security of the public line or access facilities. In the past years, data or content security was deemed the responsibility of end-users or customers attached to the carrier’s backbone network.
Carriers viewed themselves as providing the data pipe, and remained confined to issues like quality of service, availability, network and component redundancy, cost effectiveness, and transition technologies for the backbone, such as IPv6 routing.
Providing these capabilities on a regional or national scale was certainly a daunting task and could only be undertaken by organizations that had enormous manpower, networking infrastructure, financial resources, and the technical ability to deliver these services.
Today, the combination of next-generation applications, the ongoing conversion of private networks in favor of cost-effective and more viable public networks, increased worldwide business collaboration, and the advent of serious cyber terrorism has forced carriers to play a much larger role in the secure delivery of customers’ data.
At the lowest denominator, this means that the security component of the carrier network must be resilient, redundant, high-performing and completely compatible with the existing carrier infrastructure. Otherwise, it becomes the Achilles’ heel or bottleneck in the network, something carriers (and their enterprise customers) cannot afford if they wish to remain in business.
More Services, More Pressure
Today’s applications, such as voice-over-IP, streaming media, multimedia, multicast, etc., require that the security element directly participate in the delivery of the data session. This presents significant challenges for firewalls and VPN devices, the traditional elements of network security, particularly because the device must inspect data frames and content at a much deeper level and track protocol exchanges.
As if this were not enough, today’s applications are more and more client/server-based and small packet-oriented. This is particularly true of peer-to-peer applications like e-commerce, SMS, and MMS. Because of this, the security device must operate at extremely high processing rates without losing any frames. This is a hurdle that only dedicated security devices can overcome. Some additional areas that a carrier must consider and provide for include:
- Ramp rate (stateful connections per second)
- High throughput under high session load
- Small packet performance at gigabit and multi-gigabit speeds
- Hardware-based AES encryption for VPN or wireless
- Application Layer Gateway support (ALG)
- Infrastructure security (in addition to perimeter security)
- Intrusion detection AND prevention (not just detection)
- Massive deployability so that customers can quickly join the network
- Scalable management and ease of use
- Expandability, extendability, cost-effectiveness
- Redundancy and resiliency
- Best-of-breed integration, not worst-of-breed
That Asian telecom carriers have been slower to evolve their networks has, in fact, turned out to be a blessing in disguise. They were able to benefit from the experiences of their counterparts in the US and Europe, as well as the recent advances in security technologies. Today, Asian carriers are primarily building infrastructure for their countries. They are preparing the backbones for access by large enterprises and the masses via xDSL, wireless and other access technologies. Initial deployments within the carrier infrastructure have primarily been accomplished with high-performance, appliance-based technology, with firewall capability as the initial security element.
All carrier equipment is designed to meet the demanding performance and capacity needs of today’s networks. Security equipment is no different in this regard. Dedicated security hardware appliances have significant advantages over PC-based appliances (or even a PC in disguise) and that’s why carriers favor deploying hardware-based appliances.
The Always-on Factor
Besides ensuring performance, carriers need to minimize the risk of service instability and disruption. There are many ways to achieve redundancy and resiliency; the following three common implementations all increase availability:
Active-passive System Redundancy: This is the basic HA topology in which one of the paired units acts as the master/primary device while the other unit remains in standby mode. However, when the primary is disrupted there is a certain time delay before the system fails over, which might result in session loss.
Active-active System Redundancy: This is an improved HA configuration in which both units are in active mode and thus enable load balancing. However, if either unit fails, overall firewall performance is impacted because the surviving unit must carry the full load.
Active-active-full mesh Topology: This is a carrier grade HA implementation in which the firewall and other key networking devices are interconnected in a fully meshed topology. This enables load balancing, and also ensures service resiliency and stability when any one firewall or networking device fails.
Security, With Performance
The firewall or network security device must perform for the carrier at high aggregate speeds with high throughput. In addition, most Asian carriers are concerned with how the firewall can provide many key security and networking functions without sacrificing performance.
As mentioned earlier, carriers must now support deeper inspection of data packets so as to cater to the unique needs of today’s business applications. For example, they need to provide support for VoIP. In this case, capacity and ramp rates are key issues.
Carriers also need to ensure that the system deployed can cater to future expansion needs. In particular, where managed service providers are concerned, they need a device that offers benefits like scalability and flexibility. Carriers are able to achieve lower costs and pass on these savings to their customers when they use technologies like virtual systems. Virtual systems enable carriers to divide one physical firewall/VPN device into hundreds of logical firewalls, each with its own security policies. The carrier is able to provide service for new subscribers without making significant investments in both hardware equipment and manpower resources necessary to perform installation and configuration. Once again, performance is critical when providing these capabilities because of the sheer capacity required.
Evolving to the Next Level
Many carriers are thinking of the future and beginning to invest in additional security technologies, both to provide higher levels of security to their customers and to bring in needed additional revenue. Analysts worldwide have already predicted the need for security consolidation by bringing technologies like firewall, VPN, denial-of-service protection, traffic management, and intrusion detection and prevention under a single carrier-grade appliance. Some of the most compelling drivers for consolidation include:
- Advanced levels of security
- Total cost of ownership (TCO)
- Enhanced manageability
- Integration and interoperability with the rest of the network
With consolidation, carriers can enjoy significant cost savings in terms of capital expense, installation and support. They can then meet ongoing customer demand for new services and protection. The more progressive carriers are already beginning to deploy the latest security technologies, including proactive intrusion prevention and deeper levels of packet inspection. Again, the power and performance needed to do this should not be underestimated, and a truly integrated, high-performing hardware appliance is emerging as the only true carrier-grade solution.
Clearly, the job of a carrier has never been more difficult as it takes on the added responsibility of security for its customers. The scale at which a carrier must perform is unprecedented in today’s world. One is likely to see an increased role of vendors who design dedicated platforms to service this demanding environment.
Paul Serrano, senior director (marketing) Asia-Pacific, NetScreen Technologies