Layered security
Now interestingly, if I also connect out to a service provider, they will also have different security levels in their network, and the first thing we do is ask for a clean pipe to our office because we don't want it to be full of spam and other things. If I'm paying for say 100Mbps connectivity, I don't want 20Mbps of bandwidth to be full of threats and insecurities. We have a firewall here that prevents that type of thing coming in, but the service provider will also have a firewall on the other side of the connection preventing most of it from getting into the pipe. So that's what we mean by layered security.
There are two or three sides to layered security, and what I've just outlined is the prevention side. Then we have NSM, our network security manager. The NSM is a product we acquired and then integrated with JUNOS. It is the most powerful tool we have to prevent intrusion because it uses the most powerful tool you have when you're fighting security issues, and that's your own intelligence. Hackers are extremely good at fooling machines and algorithms and so on, but if you have all the information and all the charts and all the data you need to make intelligent informed decisions, you're in a much more secure position. And that's what NSM does for you. It provides the alertness and information that allows you to assess whether you have a problem or not. With all the aspects of security I've just mentioned, whether firewalls protecting you from the outside in or intrusion detection protecting you from the inside out, NSM gives you the information that can help you to look at that intelligently.
CH: Can you elaborate a little on how the NSM functions, to achieve that level of intelligence?
AJ: Essentially the NSM looks at all the nodes on the network, and each of those security nodes will have a profile. You will configure the firewall, for example, to allow only such and such traffic on a particular port and so on, and that provides the NSM with a profile. And if a particular event is triggered that doesn't follow that pattern, that will go back to the NSM as a report or piece of information that you, as a manager, will need to assess.
A human interface
With NSM, you can set up profiles and algorithms, and so on, but it's only when you, as a security manager, are presented with information that you will know whether it represents a security problem or not. And that's what happens in data centers; that's what happens at the service providers. They have these banks of screens, and watching those and the information they provide allows them to provide managed security services for the enterprise. People will be watching those monitors extremely closely, watching to see whether any red alerts and so on are triggered. If there are alerts, they can go to a network security manager who will then assess whether it's a real threat or not.
CH: Would it be true to say that MPLS technology represents a revolution in high-performance networking, given its key advantages, such as its compatibility with IP? Is MPLS, in fact, a work in progress, with development and standardization on-going? If so, what is the Juniper perspective on key issues, and where can Juniper claim to have innovated, or at least made significant contributions to the evolution of MPLS?
AJ: If there has been one technology that has driven the success of Juniper inside the service provider in the Asia Pacific, over the past two to three years, it is MPLS. We were one of the founders of MPLS technology. Things like fast re-route, pseudowires, point-to-multipoint VPNs, MPLS multicast – all these different variations of MPLS really originated with Juniper.
Bearing that in mind, why is MPLS so useful? Why is it so important for us? Number one, MPLS returns the security and performance of circuits back to the connectionless world of IP. People used to love the TDM circuit-based voice network, where the security was a given because it wasn't connectionless and part of this big "IP cloud." As well, performance was measured, so you knew exactly what you were getting from it. IP, however, is connectionless. The Internet is a wonderful thing, but when you are delivering business services, or when you are trying to deliver specific applications across an IP network, you do need some order and some form inside the network, and that's what MPLS provides. It provides the same level of security and performance that we used to love in the circuit-based world.
Virtualization via MPLS
MPLS also has tremendous virtualization capabilities, and MPLS has changed the service provider. Five years ago, if you looked at a major service provider here in Asia, it wouldn't be uncommon for them to be running 20 to 30 different types of network to deliver different types of service. For example, multiple frame-relay networks might provide managed services to enterprise customers, and there could be X.25 networks and ATM networks for video distribution and TDM networks for voice. And you would have a number of different departments to manage all these different networks. But what's happened over the last five years is that all of those networks are being consolidated onto a single IP infrastructure, and it's the capabilities of MPLS that have given the communications industry the confidence to make that happen.
Why is that? It's because I can run multiple networks, multiple virtual networks across an IP cloud, using MPLS, and completely segregate my high performance, low latency, high cost video traffic from my best-effort Internet users, over the same network, without these different streams interfering with each other.
And that is a very powerful tool. It has saved millions of dollars in the operating costs of networks and it has also provided endless possibilities and capabilities for rolling out new services across the network. If I start a new video service here in Hong Kong, guess what, I don't have to build a new network to do it. In Hong Kong for example, 10 years ago PCCW built an ATM network for video, and it proved very expensive, with a lengthy wait before any return on investment. But of course all VoD networks are now based on IP. Now, Hong Kong has probably one of the most successful VoD networks in the world today and it is based on IP.
CH: The ability to virtualize across large networks presumably has implications for setting up VPNs.
AJ: Absolutely. VPNs are part of an MPLS network, one that provides many mechanisms for establishing IP VPNs between service providers, and between enterprises. And again, that's just the virtualization capability of using part of that IP network to create what you think is a private network, over a public network. That's the beauty of MPLS.
But doing all of this in a carrier-class environment, where you are connecting the biggest networks on the planet, with millions of users and terabits of data, is very difficult. And that's really the domain where Juniper focuses its time and efforts because that can be a very hard problem to solve.
MPLS in the enterprise
However, MPLS is not just the domain of the service provider. The other trend we're seeing, and this is one reason why we're increasingly successful in the enterprise, is for high performance networks to do, within the enterprise, what service providers did six or seven years ago: build very large IP-based networks with MPLS at the core.
If you look at large enterprises, they're trying to solve the same problems that service providers had six or seven years ago. Multiple networks, IP VPNs, remote access: they're trying to provide all these different technologies inside their enterprise infrastructure. They've seen the carriers do it. They know it can be done. And that's the trend we're seeing.
CH: The communications industry anticipates a transition or evolution to IPv6. How would you assess the progress to date, and where is Juniper particularly active in the transition process?
AJ: I've been in Asia for 12 years, and every year you think, "This is going to be the year of IPv6." It's almost two steps forward and one step back. Having said that, there has been a lot of work done on IPv6, and Juniper has been at the forefront of the development. The very first ASICs we developed and our very first routers had IPv6 inside. Providing IPv6 hasn't been simply providing a software add-on; it's been fundamental to our product range.
Obviously there's an IP addressing issue here in Asia, more so than anywhere else in the world. So now, in the RFPs (requests for proposals) and RFIs (requests for information) we're seeing from large government entities and from service providers, IPv6 is mandatory in the specifications.
I think we've just about reached the tipping point, now, in the proliferation of IP devices, and the inability to assign real IP addresses to all these devices. However, there's not going to be a move from IPv4 to IPv6 overnight; IPv4 and IPv6 networks are going to co-exist.
We've spent a lot of time on R&D and working with our customers on transition mechanisms for v4 to v6 interworking and the migration that will happen over time. I think we now support over 20 ways of providing v4 and v6 delivery, whether it's encryption of v6 over v4, whether it's providing dual stacking of v4 and v6, and so on. There are many different ways of doing it, and we're at the forefront of providing the kind of technology mechanism that will make it happen. Is it real and is it important? Absolutely. Has it had a couple of false starts? Without a doubt. But again I think we've reached the tipping point. If you go to Taiwan or China or Japan, more and more you're seeing many types of appliance, whether a fridge or a PDA or a game console, that are IP aware and have an IP address, and you can't do that without moving to IPv6.
CH: Would you say that other members of the industry are as fully behind IPv6 as Juniper?
AJ: I think that everyone would give an answer similar to mine. But it's not a simple problem to solve, and how you solve it is really important. I mentioned earlier that IPv6 is integral to our ASICs. That's important because it means we can implement it at scale. Because if you don't do something in silicon, it means you're doing it in software, in systems with RISC processors and so on. That can work on a small scale, but it doesn't work inside a service provider or a high performance network. Juniper, on the other hand, has multiple technologies delivering IPv6, and it's something that we do well.
A transition to IPv6
I think the industry is completely behind it. I don't think there's any argument that v6 is not going to be important. However, it's certainly not the case that we'll move from v4 tomorrow. There will be a transition period.
CH: The one criticism I have heard of IPv6 is that in fact it provides too many addresses, but presumably that's a non-problem.
AJ: It's a non-problem, if you can solve it in an ASIC way. If your IP routing table or the way that you look up and assign IPv6 addresses is infinite, that will require a lot of memory, and it could create a lot of complications as to how it could be routed and how it could be switched. Again, that means how you deliver it has to be inherent in the ASICs. Complex problems are what we like!
CH: Obviously then, Juniper has within it the ability to design ASICs.
AJ: Absolutely. I'm not sure just how many patents we have for ASIC technology, but it's many. Our founder and CTO originally came from Sun Microsystems, and ASICs are at the heart of his skill set. ASICs are the core skill set of our company, to be frank with you.
CH: And what happens when it comes to fabrication?
AJ: We design ASICs, but we have multiple partners who help fabricate them.