The events of September 11 have made security a national priority in the USA.
The drive to “keep America safe” has extended into securing our national network infrastructure. However, this challenge will not be so easy to answer as bolting cockpit doors or better passenger screening at airports. As our network technology continues to migrate from electrical to optical, we face a critical juncture – specifically there is a clear and growing gap between the capacity for optical networks to transport data and the degree to which that data can be made secure. What has been made brutally clear by the most recent network attacks (and those that will surely follow) is that without 100 percent inspection of every bit of every packet, data networking will always be vulnerable to security breaches.
Network managers have always understood the trade-off between speed and security. Most have been willing to sacrifice one for the other, depending on the priorities of their user community. Fast and safe networking has either been technically impossible to achieve or too costly for most companies to implement. But now the tables have been turned. Consumers, business and most important, the government, all demand “better network security.” And therein lies the dilemma. The historical evolution of technology change will not be fast enough to satisfy the demand in the market right now for better network security.
Why Can’t We Have Networks that Are Fast and Secure?
The primary reason why today’s optical speed networks cannot be made more secure revolves around the fact that bandwidth power has exceeded microprocessor power. That is, servers built around microprocessors cannot function at the speed of the fiber bandwidth already deployed (see Figure 1). This ‘processor gap,’ or the distance between bandwidth speed and processor speed, means that traffic must either be slowed to a point where servers or other devices can perform security applications to the data, or security applications must be significantly curtailed – or dropped altogether – in order to meet network performance goals.
Network managers and today’s network security devices are already struggling with the processor gap. Access control lists (ACLs) provide a good example of the problem. When network managers turn on ACLs, this fairly simple router-based security application can degrade router performance by up to 30 percent. Because of this fact, network managers face the Hobbesian choice of either turning ACLs off entirely (and thereby putting their network at risk) or buying two routers – one to route traffic and the other to run ACLs. Neither alternative is acceptable.
The ACL performance problem points to the historical pattern of trying to solve today’s network security problems with yesterday’s network security technology. While service providers would obviously like to leverage their investment in existing routers and switches, a device designed for one purpose (routing or switching) cannot easily be re-designed to do another function (security applications) without sacrificing something (speed, cost, performance, etc.) Devices designed to run at megabit speeds cannot be overhauled to run at light speed. The end result is that network architects designing security solutions for today’s optical networks can either run slower with current equipment or run faster with fewer applications. Neither alternative will adequately satisfy the need for optical speed network security. The point here is that technology change isn’t happening fast enough to meet the needs of the market for optical speed network security now.
Are There Any Alternatives?
The demands of optical speed network security easily outstrip the ability of current network security products to provide 100 percent packet inspection with no degradation in network performance. Simply put, network security has become a bottleneck. Look at most network topologies today and you will see a complex system of point product solutions tied together with load balancers and application integration middleware. This is the result of network managers demanding best-of-breed products in an integrated network and the network security industry’s focus on providing individual network security solutions. Many of the security devices in networks today were only designed to address particular layers of the network OSI stack. Virtually none offer the new benchmark for security – 100 percent inspection of every packet at every network layer at OC-48 speed.
There are four critical elements to deliver optical speed network security:
- Speed – if security applications can’t run at the speed of fiber, the efficiency of optical transport is lost.
- Flexibility – if data filtering rules cannot be customized, changed and inserted into the network seamlessly, the network can’t adapt to changing security conditions and new attacks.
- Scalability – if several different security applications cannot run on a single platform, the solution isn’t a cost-effective answer.
- Performance – if the product cannot examine every bit of every packet with deep level processing capability, the application is simply a ‘sampler,’ the security equivalent of guessing.
Virtually all four criteria must be available in a product in order to meet the demand for optical speed network security. However, none of today’s current class of network devices – ASIC-based point solutions, routers, and port aggregators – stacks up against all of these metrics. Though each has its benefits and it would be to the network manager’s advantage to utilize existing products for deploying security applications, none offer the combination of speed, flexibility, scalability and performance required for today’s optical speed networks.
Figure 2 below summarizes the strengths and weaknesses of these three network product groups:
Each class of product has at least one significant drawback when it comes to optical speed network security. ASICs (application specific integrated circuits) can run at fairly high speeds. However, to do so requires that what these ASICs gain in speed, they must give up in flexibility and scalability since an ASIC is a chip manufactured for a specific purpose and once manufactured cannot be changed. Once deployed, the ASIC is immediately out-of-date until the next chip is released (usually anywhere from 12 to 18 months). For network security, ASICs are like solving today’s problems with yesterday’s technology, a technology that is difficult to manage, incapable of change and which cannot scale easily. The ASIC-based ‘point product’ approach to network security has led to a costly, difficult-to-manage security infrastructure as well as interoperability and support nightmares.
More general networking products are also trying to add security to their core functions. New breeds of routers, switches and port aggregation devices are all attempting to displace perimeter security solutions by aggregating VPN, firewall and IDS at the transport points-of-presence (POPs). While aggregating function certainly makes both economic and network design sense, the results have been less than favorable. There is no router or switch in the market today that can perform 100 percent packet inspection at layer 2-7 at OC-48 speed or better. The reason these products cannot meet the new optical speed security benchmark hinges on the basic technology architectural issues associated with each of these products. Simply put, routers were designed to route traffic, switches to switch traffic, and port aggregation devices to consolidate traffic. The designs for these products were optimized for one specific function and were never intended to run high-speed security applications.
More important, customers buy switches, routers and port aggregation devices to perform the basic functions they were designed to do. To add high computational function to a router would take over a terabyte of memory and cost far more than the customer is capable of paying. Port-based routing architectures are ‘out of gas’ when it comes to the fiber-based applications world. It’s not enough just to be able to connect to an OC-48 port – the product must be able to actually process the application at this speed. Port aggregation devices fall significantly short of running any security application at OC-48 speed. The point here is that products designed for one function cannot easily be re-configured or even re-designed to perform another.
Yesterday’s security point-product solutions, designed for a previous generation of network infrastructure, are inadequate when it comes to processing security applications at light speed. While today network providers can transport data from point to point very quickly, the processor gap means that no meaningful applications can be performed on that data without slowing the network down substantially. Unless network providers can process security applications at line speed – a minimum of OC-48 for today’s optical networks – the data traversing their high-speed pipes is ‘running naked’ and vulnerable to attack.
What Is the Answer?
What is required for optical speed network security is a new kind of platform, one purpose-built to run at the speed of the bandwidth, with the application flexibility to allow network providers to customize their security applications to an ever-changing and increasingly threatening security environment. Optical speed network security requires a new class of product, a solution that combines the intelligence of software with the speed of a switch – a device designed to look at every bit of every packet without impeding network performance.
How Do We Attain this New Performance Threshold?
To achieve this new performance level in network security requires a re-thinking of technology evolution. While new products have historically been driven by new chip architectures, it is time to think differently. To achieve high computation function and optical speed will not be the province of one chip set. The need for high-speed data security is now, not three years from now. We must be willing to get beyond the ‘chip mentality’ and think in terms of a system design.
We have already proven the fallacy of multiple functions in a function-specific device. We have also shown that ASICs are too inflexible to meet the needs in network security. Between the vectors of performance, processing complexity and port aggregation, something must be sacrificed. Port aggregation and speed are the province of routers and switches. Huge core routers and switches can serve thousands of ports and transport packets at speeds up to OC-768 now. Servers can process high computation security applications but cannot go very fast.
The open territory (and the market need) is for a device that can deliver high computational function at optical speed, something routers, switches, servers and ASICs cannot blend together. This new breed of product is called a packet processor (see Figure 3).
Packet processors are a new class of device designed to perform high computational function at optical speed – exactly the kind of functionality required for optical speed network security. Combining several different flavors of chips (network processors, content addressable memory chips, classifiers, etc.), packet processors are super high-speed ‘application servers’ designed to achieve 100 percent packet inspection, at layers 2-7 at OC-48 speed without degrading network performance. The ability to inspect and treat every bit of every packet in a flexible system design, means that multiple security applications can run at optical speed on the same platform.
Packet Processors – An Answer for Optical Speed Network Security Now
In times of crisis, often the traditional modes of thought and action do not apply. We are in such a crisis now, particularly as it relates to network security. If we wait for the next chip set or the next technology breakthrough, how much damage will have been done to our network infrastructures? We must think differently and be willing to break the rules in order to win the race for securing our network infrastructure. The processor gap must be solved. To do so requires a concerted effort to develop the kinds of products and platforms that can withstand the demands of optical speed networking. Rather than re-configuring old technologies that cannot ever hope to meet the security challenges we face now, we should look towards developing answers designed specifically to solve the problem. For optical speed network security, packet processors are the answer that’s needed now.
Peder Jungck is CEO and founder of CloudShield Technologies (www.cloudshield.com).