Ask Not What Security can do for the Cloud—Ask what the Cloud Can do for your Security

The number one concern revolving around the cloud right now is how to secure it.  How can a security administrator take a concept that most people only know as a loose idea in the first place and build an effective security posture? The many answers to this question are the fuel for almost every blog entry by every network know-it-all in the past six months, but what if I were to pose an entirely different question... Instead of concentrating on how to secure the cloud, what if we turned the concept on its head and asked how the cloud can actually provide security to our networks?

In a simple sense, it’s easy to see why the cloud is a growing strategy for enterprises, but something many don't take into consideration is the impact that the cloud has on the ISP (think Windstream). More specifically, the fact that the ISP is the cloud. That's right, we're the public cloud and we're the private cloud.  We connect businesses to the Internet and we connect business locations to each other over wide areas using technologies like MPLS and VPLS.  As a result, the cloud phenomenon puts ISPs like Windstream in a pretty interesting position.  Using our position as the fabric of the cloud, we can deploy certain network elements throughout our infrastructure in ways that can provide a cloud experience with huge economic savings and a major increase in security.  Yep, I said it - Increased security resulting from using the cloud. 

Let's visit the growing phenomenon of targeted attacks and hacktivism that have taken the form of denial-of-service attacks (also known as DOS attacks).  In a DOS attack, a perpetrator identifies a target's public web site, and then executes enough requests to that website to overwhelm the link serving that website, effectively putting it out of service.  Simply put, if we try to push 40mb of bandwidth across a link that can only handle 10mb, we're going to experience a bottleneck that will result in resource unavailability.  This malicious technique is growing in popularity because it’s devastating to businesses and it’s pretty easy to execute.  Furthermore, there's a monetary aspect to these attacks, the extreme cases generally come with some kind of a ransom, “pay us $30,000 to free up your web site”, and a lot of companies have no other choice but to comply with the demands, until now.

By leveraging the ISP and the cloud, businesses can protect their brand and their web presence from denial-of-service attacks by taking advantage of what amounts to a side effect of the Windstream Network Firewall product.  Network Firewall utilizes a large, carrier class router chassis outfitted with multi-tenant firewall modules that can empower the device to act as a virtual firewall for all sites on an MPLS network.  This virtual firewall provides firewall protection and Internet by way of a connection directly to the Internet upstream, avoiding the enormous costs of local loops for Internet access.  These firewalls are paired throughout the United States using a fail-over topology that provides a backup for all sites in a geographically dispersed setup.

All of this is wonderful, but the interesting part of the service that provides a very unique style of denial-of-service protection resides in the way in which Windstream provisions the interfaces for each customer network.  We provision an inside interface, which is inside of the firewall facing the MPLS network, and we create an outside interface, which is on the outside of the firewall facing the Internet.  We rate-limit the inside interface of the firewall to the desired Internet throughput that a business needs for its whole network.  For instance, if my company needs 10mb of symmetrical Internet access, Windstream will rate-limit the inside interface at 10mb, effectively giving me that 10mb of throughput.  The interesting part is that Windstream doesn’t rate-limit the outside interface at all.  What this means is that if my company uses Windstream’s Network Firewall product and my web site is hosted at my headquarters location, users who want to access the web site go through my 10mb Network Firewall to do so.  If someone with malicious intent decides to flood my web site with a denial-of-service attack, Windstream is able to absorb multiple gigs of traffic on the outside interface of that Network Firewall before resources are rendered unavailable.  Windstream monitors these links for denial of service activity, and once suspicious traffic appears and ramps up, Windstream can black-hole that traffic before it consumes the multiple gigs of bandwidth available to the outside interface of the firewall. This means that even though my business is suffering a denial-of-service attack, my web site never becomes bogged down because Windstream’s cloud-based security service is able to absorb the bandwidth of the attack for long enough that Windstream’s security team can remediate the attack.  The best part about this layer of defense is that it is part of the standard Network Firewall service.  Not only do you get all of the advantages of a private cloud-based firewall with geographically diverse and redundant Internet, but you get a denial-of-service protection that’s unmatched in the industry.

The cloud gives us a lot of opportunity to turn traditional thinking on its head and to develop efficiencies and functionality far beyond that of the network solutions of yesteryear.  Denial-of-service mitigation and remediation as a side effect of Network Firewall is just one example of how we’re pushing the limits of the cloud and the role of the ISP to bring winning designs to your business.  Imagine what we’ll think of next…