AT&T: Network perimeter security should be virtual

Enterprise companies will soon begin offloading many of their network security responsibilities to telecommunications and Internet service providers and save vast amounts of time and money doing so, if AT&T has its way.

Speaking to the assembled crowd at the IDC Security Forum in New York on Wednesday, Edward Amoroso, chief security officer for AT&T's services division, predicted that enterprises will begin adopting more "virtual" security capabilities from their ISPs and bandwidth providers in the coming years as those companies are better positioned to do battle with botnets, spam, and DoS (denial-of-service) threats.

Based on the bandwidth providers' existing abilities to see spikes in traffic that are telltale signs of botnet, spam, or other malware activity -- long before enterprises can see evidence of the attacks on their own -- Amoroso contends that companies will soon concede the process of fighting the threats and turn to companies such as AT&T for help.

"We think that security at the perimeter should be virtual, which is a somewhat controversial concept, because a lot of time, effort, and career capital has already been spent securing the perimeter," Amoroso said. "But we think a lot of existing technologies there are running out of legs, and simply running firewalls at the gateway is no longer a valuable proposition."

The U.S. government's Telecommunications Act of 1996 prevents carriers from approaching customers and marketing services to them based on any trends they observe on the end-users' network connections. However, the companies can already identify much of the spam and malware activity being carried out in the pipe, based on their massive infrastructure, and should be enlisted to help solve security issues, he said.

For threats such as distributed DoS that can easily be thwarted upstream, the CIO said, it makes little sense for companies to continue to invest in new technologies and staff when the carriers could easily detect and snuff out the campaigns ahead of time.

"How do you stop DDoS at the edge? The physics just don't make sense. When these attacks happen, the customers' routers will already be dead," said Amoroso. "We think the idea that the pipe should be dumb is strange; with spam accounting for 90 percent of all traffic on the e-mail pipe, we're delivering nothing but more attacks, malware, and junk. If people want us to keep doing that we can, but why would they want us to keep doing that when we can see it, scoop it, study it, and stop it?"

Lest someone should contend that AT&T and other carriers are merely licking their chops at the prospect of adding pricey new security services to their products, the expert said security services should eventually become a set of nonoptional capabilities included with the purchase of ISP and telephony services.

Much as the carrier community focused on providing faster services in the 1980s and added tools to improve quality to their products in the 1990s, the CIO said that security services will become a de facto element of all the capabilities that the firms market.

While early adopters are already paying a premium to use the security capabilities offered by carriers today, eventually the price should be blended into the packages of capabilities that companies buy from providers such as AT&T, the expert predicted.