Securing the Network Edge

In the evolution of communications networks, the lines between computing and networking have become less than clear.

As someone whose background is founded in telecommunications, my view of the world is that telecom and IT are one and the same thing. After all, the omnipresent language of the network - UNIX - was developed in the mid 1960s at AT&T. At the same time, the U.S. Federal Communications Commission was considering those very issues of convergence in the telecommunications network. Through a series of inquiries known as Computer I, Computer II and so forth, the FCC pondered the role computing would play in communications networks.

The FCC was equally concerned with the monopolies posed by both AT&T and IBM, and at issue was the business of time-sharing computers across a network. The regulatory solution was a distinction between voice services (telephony) and data services. On the telephone network, computing and communications became intertwined in the mid 1970s with the introduction of mainframe computers performing the role of digital switching. In the 1980s, more computers were added to deliver services like the 800 number and the ever-profitable virtual private network (VPN) services. In fact, VPN was a boon for telecommunications carriers in the 1980s, with services like the WATS line and Centrex.

By the late 1990s, the rise of Internet protocol (IP) networks made the convergence of computing and networking a reality. Using an IP network as the base, a number of entities started adding services to the network edge as a way to increase the network's capabilities. After several years of adding edge services without repercussion, IP networks face a dilemma of operational cost and security. While it is convenient to add services at the network edge, the operational cost and security risk of doing so create a new set of diseconomies. In the long run, it will be security that will force a consolidation of services at the network edge.

Network Services

Internet protocol networks are built around computers, and the basic network element - the router - is a specialized computer running software to manage IP packet flow through the network. Additional networked applications like email, web browsing and file transfer are delivered by commercially available computing platforms, otherwise known as servers. Over time, new functionality has been added to IP networks in the form of networked applications. Each new application is a software overlay designed to work in conjunction with the services already on the network. Content distribution, caching and virtual private networks (VPN) are all software overlays on an IP network.

Virtual private networks are an interesting application, because a VPN can use a number of different technologies, some network-based and others completely independent of an IP network. The VPN discussion raises the issue of software that is implemented at different layers of the OSI model. Rather than get into a discussion of the OSI model itself, let it suffice to say that IP networks enable applications/services at Layers 4 to 7 of the OSI model. The capabilities inherent to an IP architecture cause a blurring of the distinction between networks and the applications that run on them.

The Network Edge

More important to IP networks is the evolution of a number of services and applications delivered at the edge of the public network. This edge is exploited by enterprises wishing to deliver a set of private services to enterprise users. Edge services are best exemplified by content and caching - applications used by enterprises to enhance the performance of web browsing and web-based software.

Virtual private network services are also delivered from the edge of the network. MPLS, IPsec and SSL-based VPNs are all services that originate from devices and software at the edge of the network. Other types of security follow a similar architecture, and firewalls and intrusion detection systems are commonly located in edge devices.

Edge services have led to an increase in the number of devices physically located next to public IP network connections. Secondary services have been developed to manage the performance problems introduced by all of these devices, but many of these services are moving onto a single hardware platform. And today, it is possible to purchase a VPN gateway device with firewall and intrusion detection capabilities.

More Than Just Security

Security services are not the only ones to originate at the network edge, and performance management is also very important. Performance management devices introduce their own software and management platforms at the network edge, and it is likely that performance management vendors will add VPN and firewall capabilities in the coming year.

Differing approaches and vendors will make the network edge a complex place in the coming years. Router vendors are already in the fray, as are firewall, VPN and performance management companies. The most absent group is the storage software companies, but it is only a matter of time before storage management becomes an issue at the network edge.

The Security Angle

As security professionals, we have traditionally viewed security policies as an overlay that runs in parallel with other network services. Today, that overlay has disappeared in a flurry of activity at the network edge, where security is one of many services delivered on edge devices. The biggest issue we face is the operational overhead introduced by each device in the form of management.

Management budgets aside, each new edge device has its own security requirements, and it must be actively managed and updated, or it will become a security risk. When we add devices to the network edge, we add risk and operational budget. Information security approaches should favor minimizing the number of devices and promote the consolidation of edge software onto a single device.
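To make the operational point concrete, the following is an added example and not code from the article or its author. It audits a constructed inventory of edge devices against an assumed 90-day patch window (the window, the device names, the management console names and the dates are all assumptions), counts the distinct management platforms an operator must keep secure, and compares a set of separate VPN, firewall and IDS boxes with a single consolidated gateway delivering the same roles.

```python
"""Edge-device patch-currency audit (constructed example, not from the article)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class EdgeDevice:
    name: str
    roles: tuple           # edge services this box delivers (VPN, firewall, IDS, ...)
    mgmt_platform: str     # the console or tooling an operator must maintain and secure
    last_patched: date     # date the device software was last updated


# Assumed policy: a device unpatched for longer than this is treated as a risk.
MAX_PATCH_AGE_DAYS = 90


def overdue_devices(inventory, as_of, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return (device name, days since patch) for every device past the window."""
    overdue = []
    for dev in inventory:
        age = (as_of - dev.last_patched).days
        if age > max_age_days:
            overdue.append((dev.name, age))
    return overdue


def management_surfaces(inventory):
    """Distinct management platforms the operator must staff, patch and secure."""
    return sorted({dev.mgmt_platform for dev in inventory})


def roles_at_risk(inventory, as_of, max_age_days=MAX_PATCH_AGE_DAYS):
    """Edge services whose host device is overdue.

    On a consolidated device a single stale image exposes every role it carries,
    so consolidation cuts the number of things to manage but raises the stakes
    of neglecting any one of them.
    """
    overdue_names = {name for name, _ in overdue_devices(inventory, as_of, max_age_days)}
    at_risk = set()
    for dev in inventory:
        if dev.name in overdue_names:
            at_risk.update(dev.roles)
    return sorted(at_risk)


# Constructed inventories (names, consoles and dates are illustrative only).
AS_OF = date(2024, 6, 1)

SEPARATE_BOXES = [
    EdgeDevice("vpn-gw-1", ("ipsec-vpn",), "vendor-a-console", date(2024, 5, 20)),
    EdgeDevice("fw-1", ("firewall",), "vendor-b-console", date(2024, 1, 15)),
    EdgeDevice("ids-1", ("ids",), "vendor-c-console", date(2023, 11, 2)),
    EdgeDevice("cache-1", ("web-cache",), "vendor-d-console", date(2024, 5, 28)),
]

# Same edge services, with VPN, firewall and IDS consolidated onto one gateway.
CONSOLIDATED = [
    EdgeDevice("edge-gw-1", ("ipsec-vpn", "firewall", "ids"), "vendor-a-console", date(2024, 1, 15)),
    EdgeDevice("cache-1", ("web-cache",), "vendor-d-console", date(2024, 5, 28)),
]


if __name__ == "__main__":
    for label, inventory in (("separate", SEPARATE_BOXES), ("consolidated", CONSOLIDATED)):
        print(f"[{label}] management surfaces: {management_surfaces(inventory)}")
        print(f"[{label}] overdue devices:     {overdue_devices(inventory, AS_OF)}")
        print(f"[{label}] roles at risk:       {roles_at_risk(inventory, AS_OF)}")
```

Run against the constructed data, the separate-box inventory has four management surfaces and two overdue devices exposing the firewall and IDS roles; the consolidated inventory has only two surfaces, but its one overdue gateway exposes the VPN, firewall and IDS roles together. That is the trade-off the article describes: fewer devices mean less management overhead, and the devices that remain must be kept current without exception.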

Conclusion

Forty years ago, our industry pondered the merger of computing and networking. Today, the lines between the computer and the network have blurred at all levels of the OSI model. Mass adoption of IP networks has led to an explosion of semi-private services delivered at the edge of public networks. This has, in turn, led to a rapid increase in the number of devices at the network edge. Each of these devices introduces operational requirements and security risks. In the next few years, information security management will be the driving force for consolidating edge services onto common platforms and devices.

Dan Taylor founded Giotto Perspectives (www.giotto.nu) in 1998 to provide clear, concise research and analysis in the networking and managed IP services marketplaces.