
New networks need better network security

The events of September 11th have made security a national priority. The drive to "keep America safe" has extended into securing our national network infrastructure. However, this challenge will not be as easy to answer as bolting cockpit doors or screening airline passengers more thoroughly. As our network technology migrates from electrical to optical, we face a critical juncture - specifically, a clear and growing gap exists between the capacity of optical networks to transport data and the degree to which that data can be made secure. What the most recent network attacks (and those that will surely follow) have made brutally clear is that without 100% inspection of every bit of every packet, data networking will always be vulnerable to security breaches.

Network managers have always understood the tradeoff between speed and security. Most have been willing to sacrifice one for the other depending on the priorities of their user community. Fast and safe networking has either been technically impossible to achieve or too costly for most companies to implement. But now the tables have been turned. Consumers, businesses and -- most important -- the government all demand better network security. And therein lies the dilemma. The historical pace of technology change will not be fast enough to satisfy the market's demand for better network security right now.

Why can't networks be both fast and secure?

The primary reason why today's optical speed networks cannot be made more secure is that bandwidth power has exceeded microprocessor power. That is, servers built around microprocessors cannot function at the speed of the fiber bandwidth already deployed (Figure 1). This so-called processor gap, the gap between bandwidth speed and processor speed, means that either traffic must be slowed to a point where servers or network devices can apply security applications to the data, or security applications must be significantly curtailed or dropped altogether to meet network performance goals.


Network managers and today's network security devices are already struggling with the processor gap. Access control lists (ACLs) provide a good example of the problem. When network managers turn on ACLs, these fairly simple router-based security applications can degrade router performance by up to 30%. Because of this, network managers face the Hobson's choice of either turning ACLs off entirely (and thereby putting their network at risk) or buying two routers - one to route traffic and the other to run ACLs. Neither alternative is acceptable.
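To put rough numbers on the processor gap and the ACL example above, here is an added back-of-the-envelope model (not from the article or from CloudShield): it turns nominal SONET line rates into a worst-case packet arrival rate, derives the per-packet cycle budget of a single general-purpose CPU, and checks how large a sequentially scanned ACL fits in that budget. The fixed per-packet overhead and the cycles-per-rule figure are assumptions, not measurements.

```python
"""Back-of-the-envelope model of the 'processor gap' (constructed example).

A link delivers packets at a rate set by its bit rate and the packet size;
a single CPU has clock_hz / packets_per_second cycles to spend on each one.
Security work such as a sequential ACL scan must fit inside that budget, or
the device must drop packets or throttle the link.
"""
import math

# Nominal SONET/SDH line rates in bits per second. Framing overhead is
# ignored, which slightly overstates the load and keeps the budget conservative.
LINE_RATES_BPS = {
    "OC-3": 155_520_000,
    "OC-12": 622_080_000,
    "OC-48": 2_488_320_000,
    "OC-192": 9_953_280_000,
}

# Assumed costs, not measured values: a fixed per-packet overhead for
# receive/parse/forward, plus a few header comparisons per ACL rule.
FIXED_CYCLES_PER_PACKET = 500
CYCLES_PER_ACL_RULE = 10


def packets_per_second(rate_bps: int, packet_bytes: int) -> float:
    """Worst-case arrival rate when every packet is `packet_bytes` long."""
    return rate_bps / (packet_bytes * 8)


def cycles_per_packet(rate_bps: int, packet_bytes: int, clock_hz: int) -> float:
    """CPU cycles a single core at `clock_hz` has available for each packet."""
    return clock_hz / packets_per_second(rate_bps, packet_bytes)


def max_acl_rules(rate_bps: int, packet_bytes: int, clock_hz: int) -> int:
    """Largest ACL a sequential scan can apply to every packet at line rate."""
    spare = cycles_per_packet(rate_bps, packet_bytes, clock_hz) - FIXED_CYCLES_PER_PACKET
    return max(0, math.floor(spare / CYCLES_PER_ACL_RULE))


def acl_fits(rate_bps: int, packet_bytes: int, clock_hz: int, rules: int) -> bool:
    """True if `rules` ACL entries can be checked on every packet at line rate."""
    return rules <= max_acl_rules(rate_bps, packet_bytes, clock_hz)


if __name__ == "__main__":
    clock = 1_000_000_000  # a 1 GHz general-purpose CPU, typical of 2001
    for name, rate in LINE_RATES_BPS.items():
        for size in (64, 1500):
            print(f"{name:7s} {size:5d}-byte packets: "
                  f"{packets_per_second(rate, size):>12,.0f} pps, "
                  f"{cycles_per_packet(rate, size, clock):9.1f} cycles/pkt, "
                  f"max ACL rules {max_acl_rules(rate, size, clock)}")
```

At OC-3 a 1 GHz CPU has a few thousand cycles per 64-byte packet and a few hundred rules fit; at OC-48 the same CPU has about 200 cycles per packet, less than the assumed fixed overhead alone, so no sequential ACL fits at line rate.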

The ACL performance problem exemplifies the historical pattern of trying to solve today's network security problems with yesterday's network security technology. While service providers would obviously like to leverage their investments in existing routers and switches, a device designed for one purpose (routing or switching) cannot easily be redesigned to do another (security applications) without sacrificing something (speed, cost, performance, etc.). Devices designed to run at megabit speeds cannot be overhauled to run at light speed. The end result is that network architects designing security solutions for today's optical networks can either run slower with current equipment or run faster with fewer applications. Neither alternative adequately satisfies the need for optical speed network security, and technology change isn't happening fast enough to close the gap.

Are there any alternatives?

The demands of optical speed network security easily outstrip the ability of current network security products to provide 100% packet inspection with no degradation in network performance. Simply put, network security has become a bottleneck. Look at most network topologies today and you will see a complex system of point product solutions tied together with load balancers and application integration middleware. This is the result of network managers demanding best-of-breed products in an integrated network and the network security industry's focus on providing individual network security solutions. Many of the security devices in networks today were designed to address only particular layers of the network OSI stack. Virtually none offer the new benchmark for security - 100% inspection of every packet at every network layer at OC-48 speeds.

There are four critical elements to deliver optical speed network security:

  • Speed: If security applications can't run at the speed of fiber, the efficiency of optical transport is lost.

  • Flexibility: If data-filtering rules cannot be customized, changed and inserted into the network seamlessly, the network can't adapt to changing security conditions and new attacks.

  • Scalability: If several different security applications cannot run on a single platform, the solution isn't a cost-effective answer.

  • Performance: If the product cannot examine every bit of every packet with deep-level processing capability, the application is simply a "sampler" - the security equivalent of guessing.

All four criteria must be present in a product to meet the demand for optical speed network security. However, none of today's current class of network devices - application-specific integrated circuit (ASIC) based point solutions, routers and port aggregators - stacks up against all these metrics. Though each has its benefits, none offers the combination of speed, flexibility, scalability and performance required for today's optical speed networks.


Each product class has at least one significant drawback when it comes to optical speed network security. ASICs can run at fairly high speeds. However, what ASICs gain in speed they give up in flexibility and scalability, since an ASIC is a chip manufactured for a specific purpose and, once manufactured, cannot be changed. Once deployed, the ASIC is immediately out of date until the next chip is released (usually anywhere from 12 to 18 months later). For network security, ASICs amount to solving today's problems with yesterday's technology, a technology that is difficult to manage, incapable of change and not easily scalable. The ASIC-based "point product" approach to network security has led to a costly, difficult-to-manage security infrastructure as well as interoperability and support nightmares.

More general networking products are also trying to add security to their core functions. New breeds of routers, switches and port aggregation devices are all attempting to displace perimeter security solutions by aggregating VPN, firewall and IDS at the transport points-of-presence (POPs). While aggregating functions certainly makes both economic and network design sense, the results have been less than favorable. There is no router or switch in the market today that can perform 100% packet inspection at Layers 2-7 at OC-48 speed or better. The reason these products cannot meet the new optical speed security benchmark hinges on the basic architectural issues associated with each of them. Simply put, routers were designed to route traffic, switches to switch traffic and port aggregation devices to consolidate traffic. The designs for these products were optimized for one specific function and were never intended to run high-speed security applications.

More important, customers buy switches, routers and port aggregation devices to perform the basic functions they were designed to do. To add high computational function to a router would take more than a terabyte of memory and cost far more than the customer can pay. Port-based routing architectures are "out of gas" when it comes to the fiber-based applications world. It's not enough just to be able to connect to an OC-48 port - the product must be able to actually process the application at this speed. Port aggregation devices fall significantly short of running any security application at OC-48 speed. Products designed for one function cannot easily be reconfigured, or even redesigned, to perform another.

Yesterday's security point-product solutions, designed for a previous generation of network infrastructure, are inadequate when it comes to processing security applications at light speed. While today's network providers can transport data from point to point very quickly, the processor gap means that no meaningful applications can be performed on that data without slowing the network down substantially. Unless network providers can process security applications at line speed - a minimum of OC-48 for today's optical networks - the data traversing their high-speed pipes is "running naked" and vulnerable to attack.

What is required for optical speed network security is a new kind of platform, one purpose-built to run at the speed of the bandwidth, with the application flexibility to allow network providers to customize their security applications to an ever-changing and increasingly threatening security environment. Optical speed network security requires a new class of product, a solution that combines the intelligence of software with the speed of a switch - a device designed to look at every bit of every packet without impeding network performance.

How do we attain this new performance threshold?

To achieve this new level in network security requires a re-thinking of technology evolution. While new products have historically been driven by new chip architectures, it is time to think differently. Achieving high computational function at optical speed will not be the province of one chipset. The need for high-speed data security is now, not three years from now. We must be willing to get beyond the "chip mentality" and think in terms of a system design. We have already seen the fallacy of expecting multiple functions from a function-specific device. We have also shown that ASICs are too inflexible to meet the needs of network security. Between the vectors of performance, processing complexity and port aggregation, something must be sacrificed. Port aggregation and speed are the province of routers and switches: huge core routers and switches can serve thousands of ports and transport packets at speeds up to OC-768 now. Servers can process high computation security applications but cannot go very fast.

The open territory (and the market need) is for a device that can deliver high computational function at optical speed, something routers, switches, servers and ASICs cannot blend together. This new breed of product is called a packet processor.


Packet processors are a new class of device designed to perform high computational function at optical speed - exactly the kind of functionality required for optical speed network security. Combining several different flavors of chips (network processors, content addressable memory chips, classifiers, etc.), packet processors are super high-speed "application servers" designed to achieve 100% packet inspection at Layers 2-7 at OC-48 speed without degrading network performance. The ability to inspect and treat every bit of every packet in a flexible system design means that multiple security applications can run at optical speed on the same platform.

In times of crisis, often the traditional modes of thought and action do not apply. We are in such a crisis now, particularly as it relates to network security. If we wait for the next chipset or the next technology breakthrough, how much damage will have been done to America's network infrastructure? We must think differently and be willing to break the rules to win the race for securing the country's network infrastructure. The processor gap must be solved. To do so requires a concerted effort to develop the kinds of products and platforms that can withstand the demands of optical speed networking. Rather than re-configuring old technologies that cannot ever hope to meet the security challenges we face now, we should look toward developing answers designed specifically to solve the problem.

Peder Jungck is CEO of CloudShield.
