Securing your network is vital to your organization's livelihood, survival and future. But often, while securing the network, network performance is affected in adverse ways. Finding a happy medium between these two disciplines, which very often live in separate IT departments, is a challenge. In this column, Paul Morville looks at what's driving the convergence between network security and network performance and what it means to you as a networking professional.
Networking and security have always been at odds. On a fundamental level, the goal of the networking group is to rapidly move packets (the good ones) from one host to the next; the security group’s job is to stop packets (the bad ones) from getting to the next host and wreaking havoc. And between these two ideals lies an efficient and secure network. Getting to that happy medium is often a challenge.
The networking and security industries reflect this dichotomy with strong security companies and strong networking companies. Sure, the major networking vendors have bought up a slew of security companies in recent years, but we really haven’t seen much integration across those products.
But things are changing. Lately, it seems that every vendor in the industry is talking about the blending of networking and security, and we are starting to see real products that span both worlds. Some of the first forays seem more superficial and remind me of the old peanut butter cup ad (“You got your security peanut butter in my networking chocolate!”). But others are more elegant, solving real problems spanning these different domains. We’ll look at what’s driving this new convergence and what it means to you.
The crumbling perimeter
With the proliferation of VPNs, wireless access points, PDAs and mobile laptops, security professionals have been talking for some time about the death of the firewall. The firewall isn't going anywhere soon, but it's not the esteemed head of the security household that it once was. Attacks increasingly bypass the firewall altogether: they hitch a ride in through the front door on an employee's laptop and spread from there.
For this reason, enterprises are securing the network inside the firewall. It might have been acceptable to deploy three security devices and two network management probes on the single uplink to the Internet, but scattering that many devices across a distributed internal network is a costly proposition. Enterprises are being forced to look for devices that bring value on both sides of the security-networking equation.
In moving to VoIP, businesses are increasing their reliance on the IP network. So when the CEO notices his calls aren’t coming in, how do you identify the origin of the problem? Is it congestion? A VoIP-based attack?
Similarly, IPTV and other video technologies are putting more of a demand on the network than ever. During the World Cup, I noticed more than a few co-workers streaming the ESPN broadcast to their desktops. One of the old jokes in security has been that if you want to block bad traffic, you just need to filter on the "Evil Bit" (the April Fools' security flag of RFC 3514). Recently, Arbor Networks' CTO, Rob Malan, has been asking for a "Stupid Bit" as well. You don't need to filter all this video and P2P traffic, but if you need the bandwidth, you could drop or shape it.
Getting the good traffic through while dropping or shaping the bad and the merely wasteful is becoming increasingly complicated, and it calls for new tools.
Compliance has brought new attention to the internal network and a recognition that you need to watch insiders and the outside world with the same vigilance.
And finally, costs. How are you ever going to achieve secure and efficient networking if moving a packet safely from one side of the network to another requires five different security and reporting devices? At a fundamental level, this is what’s driving the blending — deploying a firewall, an IPS, Content Security, a traffic-shaping box, and traffic-reporting tools on every network segment isn’t going to scale, and no one would have enough money to buy it even if it did.
All of these trends are pushing us toward a new era of networking and security that requires tools that know the difference between a video stream and a DDoS attack, even though the end result, a congested network link, is the same. Enterprises need a networking and security control plane — a single set of integrated tools that enable the operator to ensure safe passage across a distributed network that is growing in size and importance.
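To make the "video stream versus DDoS" distinction concrete, here is an added example that is not part of the original column: a small flow classifier over constructed NetFlow-style records. It groups flows by destination and uses source diversity, average packet size and SYN-only ratio to separate a bulk stream (a candidate for shaping, per the "Stupid Bit" discussion above) from a SYN flood (a candidate for dropping), even though both would show up as a congested link. The record format, the thresholds and the sample addresses (RFC 5737 documentation ranges) are all illustrative assumptions, not any vendor's logic.

```python
"""Toy flow classifier: tell a bulk video stream from a SYN flood.

Added example, not code from the column or from any product it mentions.
Flow records are constructed NetFlow-style summaries; thresholds are
illustrative assumptions a real deployment would tune from its own baseline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    pkts: int
    octets: int
    duration_s: float
    syn_only: bool = False  # TCP flow that never got past the SYN (no handshake)


def avg_pkt_size(flows):
    """Mean bytes per packet across a set of flows."""
    pkts = sum(f.pkts for f in flows)
    return sum(f.octets for f in flows) / pkts if pkts else 0.0


def classify_destination(flows, min_attack_sources=50, small_pkt=120,
                         big_pkt=1000, min_bulk_mbps=2.0):
    """Classify all flows aimed at one destination.

    Returns (verdict, action, evidence).  Heuristics (assumptions):
      - many distinct sources, tiny packets, mostly SYN-only  -> ddos, drop
      - few sources, large packets, sustained high rate       -> bulk-stream, shape
      - anything else                                         -> normal, forward
    """
    srcs = {f.src for f in flows}
    pkts = sum(f.pkts for f in flows)
    syn_ratio = (sum(f.pkts for f in flows if f.syn_only) / pkts) if pkts else 0.0
    size = avg_pkt_size(flows)
    duration = max(f.duration_s for f in flows)
    mbps = (sum(f.octets for f in flows) * 8 / duration / 1e6) if duration else 0.0
    evidence = {"sources": len(srcs), "avg_pkt": round(size),
                "syn_ratio": round(syn_ratio, 2), "mbps": round(mbps, 1)}

    # A flood: lots of sources each sending a handful of half-open SYNs.
    if len(srcs) >= min_attack_sources and size <= small_pkt and syn_ratio >= 0.8:
        return "ddos", "drop", evidence
    # A stream: one or a few sources pushing full-size packets at a steady, high rate.
    if len(srcs) < min_attack_sources and size >= big_pkt and mbps >= min_bulk_mbps:
        return "bulk-stream", "shape", evidence
    return "normal", "forward", evidence


def classify(flows):
    """Group flows by destination and classify each destination."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    return {dst: classify_destination(fl) for dst, fl in by_dst.items()}


# Constructed sample (assumption): a video stream to a desktop, a SYN flood
# against an internal web server from 200 spoofed sources, and one VoIP signalling flow.
SAMPLE = (
    [Flow("203.0.113.10", "10.1.2.30", 443, "tcp", pkts=60_000,
          octets=84_000_000, duration_s=60.0)]
    + [Flow(f"198.51.100.{i}", "10.1.2.80", 80, "tcp", pkts=400, octets=24_000,
            duration_s=10.0, syn_only=True) for i in range(1, 201)]
    + [Flow("10.1.3.5", "10.1.2.20", 5060, "udp", pkts=3_000,
            octets=600_000, duration_s=60.0)]
)

if __name__ == "__main__":
    for dst, (verdict, action, evidence) in classify(SAMPLE).items():
        print(f"{dst:12} {verdict:12} -> {action:8} {evidence}")
```

The point of the example is that the link-level symptom (bandwidth consumed) is identical in the first two cases, yet the right control action differs: shaping the stream preserves it at lower priority, while dropping the flood at the edge protects the server. On real telemetry the thresholds would come from a per-segment baseline rather than the constants above.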
Feel free to contact E-SPIN for network performance monitoring and diagnostics, infrastructure and application security, and infrastructure availability and performance monitoring solutions.