The security challenges of life in the fast lane
10-Gigabit Ethernet (10GbE) technology represents the next major leap in network bandwidth performance and availability. 10GbE connectivity from the core to the edge of the network moves far beyond the capability of Gigabit Ethernet to efficiently and affordably carry storage, voice, video, and other business-critical applications at consistently high speeds. It's the perfect solution for data centers — with demanding applications, backbone networks, file and storage networks — and other high-performance environments. According to the Dell'Oro Group, 10GbE is today's most rapidly expanding Ethernet technology, growing 98 percent year over year. 10GbE switch port shipments exceeded 100,000 in the fourth quarter of 2006, with annual revenues topping $1 billion in 2006. [Source: Dell'Oro Group Ethernet Switch Quarterly Report]
While 10GbE is a boon for large organizations running more and more applications and pushing larger volumes of data, there are security challenges associated with making the switch. The looming question on every CIO's mind is whether they can maintain the same level of security they have been accustomed to expect from the network IPS solutions protecting their existing FastEthernet or Gigabit Ethernet networks.
For many network security solutions, performing deep-packet inspection at one to two Gbps without injecting latency, causing packet loss, or degrading security is already a challenge. Network IPS vendors are facing major hurdles in delivering network-class and carrier-class IPS platforms that are compatible with 10GbE, while providing the level of security and performance demanded by these next-generation super networks. Add to this the technology demands that accompany the introduction of Internet Protocol version 6 (IPv6). IPv6 represents the latest network-layer protocol for packet-switched internet networks, using 128-bit IP addressing instead of the 32-bit addressing used by IPv4. Organizations are quickly moving to IPv6, and many (including the U.S. government) already have mandates to transition to IPv6 by early 2008.
Over the past few years, network intrusion prevention (IPS) has had to keep pace with ever-increasing technology demands. It's now a mainstream security technology and has evolved from a perimeter-based solution to one that is now deployed deep in the core of enterprise networks. The move to next-generation 10GbE and IPv6 networks represents another exponential leap, placing even greater demands on network IPS technology.
What is required of network IPS solutions to meet the 10GbE technology challenge? For one, network IPS appliances need to provide 10GbE connectivity. There is a difference between a 10GbE IPS and an IPS solution delivering up to 10 Gbps of performance. The latter represents an admirable achievement for network IPS. But delivering high performance alone won't do much to protect networks that have either already moved or are in the process of moving to 10GbE. Since most organizations moving to 10GbE will maintain a mixed environment of FastEthernet, Gigabit Ethernet and 10GbE, it will be most desirable to provide a combination of 10/100/1000 and 10GbE interfaces.
Next, and most importantly, network IPS solutions deployed in the network core must — just like switches and routers — be “network-class” devices, offering ultra-high performance, reliability, and best-in-class security. This poses a possibly insurmountable challenge for today's PC-based network IPS appliances. For reliability and performance, PC-based solutions are no match for ASIC-based, purpose-built platforms in high-performance, mission-critical environments. Considering that today most network IPS appliances are PC-based, it's doubtful that they'll be able to meet the stringent requirements to deliver both security and performance.
Performance or security? What's a vendor to do?
Today's highly accelerated PC-based IPS solutions may advertise high performance, but it's hard to ignore the fact that rated throughput is attained at the expense of security. Even accelerated PC-based solutions won't have the horsepower to maintain full-packet inspection at speeds of 10 Gbps, ultimately meaning dropped packets, unacceptable latency and compromised security.
Consider the consequences of trading off security for performance. In today's dynamic threat environment, even the proposition of doing so would be firmly rejected. The consequences of blocking legitimate traffic, slowing critical business applications, and leaving yourself vulnerable to attack are far too high to ignore. And then there are the stringent demands of regulatory compliance — an issue facing nearly every enterprise. Can you afford to sacrifice performance or security?
This puts most IPS vendors in a tough position. It's not trivial to move from a PC-based architecture to a purpose-built appliance architecture. And taking advantage of acceleration technology will only go so far before security and performance are sacrificed. While many vendors work to deliver one of the two — security or performance — only those offering high-performance, purpose-built solutions will effectively deliver both. The bottom line: only network-class IPS solutions will truly keep pace with securing mission-critical infrastructure in next-generation 10GbE, IPv6 environments.
So what's an organization with a super network to do? Aside from requiring network IPS platforms that deliver the goods, customers will start looking to third-party tests for confirmation when they evaluate IPS vendors. Leading independent testing and certification organizations like the NSS Group have set the bar for validating performance and protection. Reviewing the NSS Group's new Multi-Gigabit IPS certification, for example, will go a long way towards ensuring that vendors are delivering on their promises.
With performance and security representing critical attributes for IPS solutions in 10GbE network environments, large organizations will look to vendors offering network-class platforms to take the lead in delivering viable network protection solutions. Of course, performance and security alone aren't a panacea. Organizations are also looking for security solutions that are simplified, integrated, efficient and actionable, while also fitting into their overall security risk management (SRM) strategy. Today, the proposition of adding yet another security point product has been replaced with a new requirement: broad protection and organizational efficiencies that provide faster time-to-protection, faster time-to-compliance, and positive total economic impact. But that's a discussion for another day.
- John Vecchi is director of network security at McAfee