The network security food chain

For the last several years there has been an increased focus on network security, not only from the professionals who run the network, but also from business leaders, industry groups and government bodies. While most of this added focus has come under the banner of "customer data protection," the implementation of added controls often misses the mark because the network owners tend to fall back on the traditional strategy of "protecting the network" rather than "protecting the stuff on the network," which is really the desired outcome of the increased focus on security.

Why do networks exist in the first place?

Before looking deeper into the issue of network security, it may be a good idea to briefly remind ourselves of why networks exist in the first place. Despite the current reality of big business, and the entertainment vehicle that the network has become, at it's most basic level the network exists to enable the sharing of information between people or machines.

Assuming general agreement on the premise that "information sharing" is the reason that networks exist, we can take the logical next step that network security, at least in some measure, should focus on secure information sharing(SIS). It is telling however that the vast majority of network technologies and solutions focus on protecting the network or access to it with firewalls, access controls and the like, rather than securing the actual sharing of information.

While protecting the actual network is important, it certainly falls short of enabling secure information sharing. So how then have we come so far with network security awareness with so little focus on this critical piece? The reason is that technology limitations in encryption (widely viewed as the best approach to SIS) made it extremely difficult and operationally expensive to implement a SIS strategy.

We can think of SIS as having a hierarchy analogous to the model made famous by Abraham Maslow in his 1943 paper, A Theory of Human Motivation, with the basic needs which are easy to obtain at the bottom, and the higher order needs, which can only be met after the basic needs are satisfied, at the top.

At the very bottom of the hierarchy is "clear text," which is representative of any network traffic not encrypted. While this is not really secure at all, it is how most enterprises, financial institutions and government agencies share information. This is even true when network traffic is sent over "private" third-party networks.

The next level is basic point-to-point encryption. This method of encryption, most often secured via a virtual private network (VPN) tunnel, provides SIS but only for a specific data stream, which much be set up and torn down on a case-by-case basis.

The third layer of the hierarchy is traditional network encryption, which would provide SIS on a broad level except for some fatal flaws, which limits its usefulness (and therefore adoption) as described below.

The limiting factor with traditional encryption, usually performed within the router, is that the method of creating a security key, which is required for encryption and de-encryption, locks every pair of end points into a "binding" relationship. This requirement is not a limiting factor when a single path is set up between two endpoints (such as VPNs), but modern networks are large and are often optimized to take advantage of full mesh MPLS (layer 3) or VPLS (layer 2) topologies. It is with these network architectures that the limitations of network wide encryption reveal themselves. The three main problems/limitations are complexity, incompatibility with networking best practices, and decreased network performance/functionality. Each is discussed below. 

Increased Complexity: One of the biggest drawbacks to traditional network encryption is the increased complexity of managing the explosion of encryption keys and security associations. As mentioned above the root cause of this is the "binding" relationship between every possible pair of end points in a mesh network. Just the keys alone grow at a rate of n*(n-1), where n is equal to the number of encrypted points, usually the "edge" routers in a mesh network. This complexity increases the management burden since every router must be configured to accommodate the encryption configurations. This complexity can also become a security risk as network engineers must work through pages of router configurations to make standard adds, and moves and deletes, increasing the potential for human error. It is widely held in networking and programming circles that complexity is inversely proportional to security. It's because of this complexity that the term "brute force" is used to describe network wide encryption due to the quickly diminished returns on effort.

Incompatibility with networking best practices: In addition to the complexity issues, traditional encryption is not compatible with networking best practices such as dynamic load balancing or multicast/broadcast. Many of these best practices make the network more resilient and maximize bandwidth. However, the one-to-one nature of traditional encryption forces network owners to choose between SIS and networking best practices.

Decreased performance: While there may be some network operators willing to put up with increased complexity and the inability to efficiently network, there are very few who would justify decreased router performance. Unfortunately, this is one of the main drawbacks to traditional encryption, especially as the network gets larger. Despite the pressure to secure information, very few network owners would tolerate a broad scale de-optimization of their network to achieve it.

Over the gap

Until recently, this was the final state of the SIS hierarchy as no one had figured out a way to scale network-wide encryption. Fortunately, the gap in the SIS hierarchy has been overcome with a policy and key manager solution that scales to any size network.

This scalable policy and key solution is able to overcome all the traditional limitations of network wide encryption by removing the need for a binding relationship between the encrypted end points. This solution allows encryption and all its benefits without the need for tunnels. The net result is that encryption is no longer complex, it is compatible with networking best practices and will not negatively impact network performance. What's more, policy and key solutions are able to work over any layer 2 or layer 3 topology including full mesh, hub and spoke, and even hybrid configurations. This means that network operations can determine what network architecture works best for their particular mission, without sacrificing the ability to enable SIS.

The final layer of the SIS hierarchy puts additional intelligence into the process so that rather than encryption taking place at the network level, it can take place at the device or client level, and be based on a user's login credentials. This future state of SIS, called intelligent secure information sharing (ISIS) is not out of the realm of current technology; however, the ability to implement this type of solution is predicated on the ability of a solution that solves the management issue of network wide encryption at the node level. With this solution now available and gaining adoption, the nascent market for ISIS can now develop as well.

The challenge to implementing a network wide SIS strategy is no longer based on technical limitations. Rather, it is a matter of overcoming long held "truths" that are no longer valid. "Man can't fly," "There is a worldwide market for about five computers," and "64k should be enough memory for anyone," were once all widely held truths. Technology breakthroughs and their eventual market adoptions have shown them all to be false to the point of being laughable. It is now time to put another false truth to rest. Encryption does scale, it is economical and is the best solution for SIS both in theory and in practice.