Cleaning up the IP cloud

Business continuity on the commercial Internet is moving away from just hardening the corporate network perimeter toward identifying and removing threats further upstream - because once the barbarians are at the gate, they have effectively disrupted corporate communications - both internally and vis-à-vis the customers.

The Clean Pipes strategy focuses on carriers' and other service providers' ability to police their own IP cloud by identifying and destroying malicious traffic aimed at corporate customer sites. Typical key areas where clients are looking for protection include managed intrusion prevention (IPS), managed anti-malware (including anti-virus, anti-spam, and URL filtering), mobile device security, secure content management and vulnerability management.

Following on from converged IP voice and data services, enterprise customers are seeing their corporate perimeters dissolving as more traffic is generated by employees on the go. Also, more corporate data resides on mobile or remote devices and is exchanged with other remote devices, and thus never touches corporate CPE firewalls or filters. This makes traditional CPE-based security solutions less and less secure. Changing attack vectors deployed in network-based attacks are also rendering other corporate security strategies such as stand-alone solutions obsolete. As more commerce becomes network-based, security must be in the network rather than at the edges, and this security must be monitored and maintained by the infrastructure owners.

Traffic disruptions caused by malware and DDoS attacks present both a danger (loss of credibility) and an opportunity (selling managed security capabilities) for service providers. Clean Pipes will enable carriers to maintain a constant scan for malware and traffic abnormalities, have a real-time link to security organizations monitoring the public Internet traffic and have data scrubbing facilities on hand to filter out unwanted 'bad' traffic to ensure individual customers' business continuity irrespective of where or how a company employee accesses the network. No carrier has a 'certified' NGN Clean Pipes environment yet, but we expect it to appear in carrier marketing material within the next six months, whereas true NGN-based solutions such as BT's 21CN are 18 to 24 months away.

An important interim initiative to help carriers develop a pre-NGN certified Clean Pipes environment is the McAfee Clean Pipes Initiative (CPI), which targets managed service providers, including telcos and ISPs.

McAfee has integrated its anti-spyware technology into the appliances, which, like its AV technique, relies on signature files. The company leverages the anti-spyware engine used with its McAfee Anti-Spyware Enterprise product, which blocks 5,000 forms of spyware. However, anti-virus vendors like McAfee and Trend Micro are not viewed as having the most solid anti-spyware technology, particularly in the areas of cleaning and spyware defence, so some carriers still prefer to use security products from pure-play vendors in this area.

When leading carriers launch their Clean Pipes services, customers can expect safer and better application performance within the carrier's IP cloud, and the Clean Pipes environment can ensure that traffic between corporate sites can continue despite external attacks on any single Web site. The next step is clearly the establishing of interconnect agreements between Clean Carrier Clouds based on some industry-wide definition of Clean Pipes. This is probably four to five years down the line.

Once SLA-backed Clean Pipe services emerge, they will most likely be included in the slew of vertical industry security regulation requirements such as the EU Data Protection Directive and US HIPAA, SOX, SEC and the California Bill initiatives.

Bernt S. Ostergaard is Current Analysis' research director of business telecom services, Europe.