
The journey away from the perimeter is only beginning

Let me give you the punch line upfront: today's network security solutions represent not the "end game" in network security but the beginning of a new class of network security systems positioned to steadily emerge over time. On the policy-centric network, IT managers are in the early stages of the trip. My recommendation - recognize that there are fundamental shifts occurring in the role of the network and that this is a journey whose final destination continues to shift with advances in network technology.

A quick peek in the rear view mirror yields insights into the future of network security solutions. During the late 1980s corporate enterprises were just beginning to leverage the internet to help drive business results. Increased web usage brought the challenge of unwanted network access and attacks directed towards corporate resources. Security was a perimeter discipline and network security was all about keeping the bad guys outside the enterprise perimeter. Thus the birth of first generation network security devices - firewalls.

Over a short period of time however, the concept of the enterprise "perimeter" went from being fairly well defined to having little to no definition at all. With the introduction of wireless communications as well as the rapid growth of laptop device usage, the notion of the perimeter became amorphous. The perimeter security model was completely ineffective at detecting and preventing threats posed by the new, and increasingly dominant, access model of employees with laptops physically attaching and detaching from enterprise resources. Moreover, the increased reliance on the internal IT infrastructure made enterprises vulnerable to new threats such as access to unauthorized information, data leakage, viruses and other attacks that could not be characterized by the relatively simple access model of a perimeter security model, let alone cases where the threats emanated from within.

Network security thus became not only a perimeter, access-based discipline, but also an internal, more contextual one. The key technical implication of this shift was that network security systems could no longer rely on network-level information alone for their decisions, but rather had to look at the data payload itself in order to determine whether the network flow represented a threat to the enterprise systems. This, along with the increased complexity of the decisions made on that information, introduced a dramatic increase in performance demands. As a result, these "intrusion detection systems" (IDS) were deployed only as "taps" on the network, allowing IT administrators to take action based on what these systems detected.

Unfortunately, detection solutions have inherent limitations. By definition, they only inform of the threat rather than take action to prevent it. IDS systems are passive monitoring systems, relying on humans for further action. In a world of increased network traffic and correspondingly increased network attacks, IT managers, already stressed by the demands of increased reliance on their resources, quickly faced an information overload of alarms and events, many of them spurious, all of which ultimately elongated reaction time and increased risks to network availability and survivability. In response, network administrators demanded that internal security systems take a more active role in network security. This led to the evolution of Intrusion Prevention Systems (IPS): inline devices that monitored, analyzed and took action on the traffic in real time.

Despite the seemingly evolutionary nature of IPS systems, actually delivering on the promise of real-time packet inspection represents a leap forward in complexity and challenges. IPS systems are part of the network connectivity fabric. Thus, their performance is no longer restricted to their policy function, but rather is now an integral factor in the performance of the network. Moreover, given the inherent role of IPS systems to affect network traffic, IT managers rightfully demand that IPS solutions employ effective, flexible, and dynamic mechanisms to, at the core, distinguish between good and bad traffic. Therein lies the technical challenge confronting security system vendors and IT managers developing and deploying this new generation of network security systems.

The essence of this challenge is in the fundamental shift in the role of the network infrastructure in the policy-centric network security world. While network connectivity technology is characterized by standards and stability, threat prevention and policy enforcement are characterized by continuous and dynamic change. Therefore, while network connectivity infrastructure is primarily a hardware discipline, the most suitable architecture supporting policy-centric network security is one that is software-defined and upgradeable.

Unfortunately, traditional networking elements were not designed for the demands of software execution. This collision of computing and networking represents one of the most significant paradigm shifts in network system design since the advent of the switch and router. Combining a rich policy-based system with the demands of high-speed networking requires a new type of network element. This new element must provide a high level of packet processing power to handle real-time complex analysis and action at core network speeds without introducing significant latency. Moreover, given the inevitable increase in processing complexity and speed requirements inherent to networking, those packet processing resources must be scalable to the task at hand. Scalable, software-based computing architectures with designs rooted in the networking world are required, and an emerging segment of companies combining the flexibility of general-purpose computing with the demands of high-speed networking is leading the way in this important new networking segment.

So what is next on this journey? What will this new class of network elements enable, and how will the role of network security shift as this new form of networking gains ubiquity? One thing is clear: IPS is just the first milestone. With software now a first-class citizen in the networking world, the richness and diversity of the software world guarantees a rich network security future. We see this already in the seemingly endless list of networking applications taking advantage of this new networking model, including network access control (NAC), leak prevention, messaging security, data compliance, anti-virus and anti-spam gateways, and others. All of these point quite clearly to the fact that we are only at the beginning of the trip rather than its end, and that network security will be an exciting and dynamic place to be for many years to come.

Enjoy your journey.

- Elan Amir, president and CEO, Bivio Networks
