Seeking Security At The Network Edge

Today's network attackers have an almost limitless imagination when it comes to the range of strategies they use: Viruses; denial-of-service attacks; Trojans; malicious attempts to access corporate information; or threats to Web site content using Internet Protocol (IP) spoofing, man-in-the-middle or port redirection are all part of their arsenal. At the same time, the impact of such security breaches on the corporate bottom line is growing increasingly difficult to ignore.

The costs of such attacks can be enormous, ranging from the personnel and equipment needed to detect an attack to the costs associated with cleaning and restoring systems to the attack's impact on worker productivity. A recent study conducted by CSO (Chief Security Officer) magazine estimated that criminal attacks on corporate and government networks cost businesses more than $665 million in 2003.

The growing sophistication of these attacks has driven enterprises to seek higher levels of security than those provided by traditional virtual private network (VPN)/firewall products. To address such security threats, many companies are investing in new intrusion detection and prevention systems (IDS/IPS) or deep-inspection firewalls capable of analyzing the contents of a flow instead of just header information for each packet. Ideally, the new systems will help enterprises identify threats-even those hidden deep in the application headers and payload-and thereby prevent successful attacks.

In most cases, however, the new security systems can be complicated to set up and expensive to maintain. This translates into higher operating costs and capital expenses for enterprises. The rising expenses are particularly burdensome on small office/home office (SoHo) businesses and small enterprises that require the same protection from security threats as their larger competitors, but at a lower cost structure.

Moreover, the security solutions in use today typically do not scale well. As enterprises grow, service providers must add more boxes to their sites across the wide-area network, and each box must be set up and maintained. Furthermore, global security policies for mobile users are difficult and cumbersome to implement. They must be enforced either through resident software or hardware or by routing all requests through the security system at the corporate site.New security infrastructure

By moving the management of network security services to the edge of the network, service providers can solve many of these technical and business challenges. With this new architecture, they can easily enforce global security policies without deploying physical hardware and software to each remote site. Second, service providers can stop denial-of-service attacks at the access link-before they reach the enterprise. This reduces the burden on the enterprise to detect and prevent attacks and, ultimately, has a positive impact on cost for both the service provider and the customer. At the same time, the architecture scales easily, efficiently and invisibly with the enterprise. As companies grow, they simply need to negotiate a new service-level agreement (SLA), and the service provider takes care of the rest.

Just as important, the new architectural approach offers numerous business benefits to both the service provider and the customer. Under the existing infrastructure, customers incurred all the costs of additional security services as they grew in size. By moving security services to the network access point, they now share the cost of any additional hardware and software for security applications with all customers who subscribe to the service. Since the cost is now distributed across the entire customer base, enterprises realize highly attractive economies of scale.

From the service provider's point of view, this architecture offers a new and highly attractive source of revenue. Historically, service providers have been realizing a decline in revenue per bit and poor profitability for IP services. By moving security functions to the network edge, they can now offer a diverse menu of high-value security services, from traditional VPNs and Layer 2 to 4 firewalls to IDS/IPS, content filtering, and real-time virus and spam protection.

To build the infrastructure and supply the services to SoHo and small-enterprise users who typically connect to the network via digital subscriber line or cable technology, service providers will need new IP DSL access multiplexer (DSLAM) and cable modem termination system (CMTS) equipment that will incorporate these services into their chassis. Because the services will be offered on a subscription basis, a practical approach is to offer them on a security blade that would serve all ports in a chassis. Service providers can supply the same menu of services to their medium-to-large enterprise customers via higher-throughput edge routers or IP-services routers. These high-capacity systems may employ a similar services blade or, in some cases, line cards with directly integrated security technology.In addressing this new requirement, network aggregation equipment vendors face two primary obstacles. The first is performance-driven. To achieve the level of deep-packet inspection the services require, access and edge equipment developers must employ very large amounts of memory and high computational rates. Aggregate throughput rates must support not just port speeds but, in some cases, full backplane performance as well. Accordingly, blades for a DSLAM or CMTS chassis must support throughput rates of approximately 2 Gbits/second or 1 Gbit/s bidirectional. In the edge-router or IP-services router arena, through-put rates must approach 10 Gbits/s. And since the services are tied to SLA commitments, the security blades must achieve these throughput rates without sacrificing accuracy or reliability.

Finally, the new solutions must achieve this throughput and accuracy at a reasonable cost. Current solutions, which try to deliver similar levels of services by incorporating multiple ASICs on a board, are prohibitively expensive. So these next-generation solutions must be developed using high-performance, low-cost communications application-specific standard products.

Policy management

The second challenge service providers face is the need to support the comprehensive threat assessment and policy distribution infrastructure that these security applications require. The policies must be constantly maintained, updated and distributed from node to node.

Few service providers have the expertise to develop the complex infrastructure needed to manage such complex policy sets. More often, service providers will find it practical to develop partnerships with third-party security companies that have the expertise needed to manage this infrastructure.The key to preventing attacks will be the development of a class of network aggregation equipment that will let service providers integrate a broad menu of security services at the network access point in a highly efficient manner. To accomplish this task, service providers and network equipment developers will need suppliers capable of combining co-processor and packet inspection expertise with established relationships with leading third-party security solution vendors.

Mark Orthodoxou ([email protected]) is a product manager for the IP co-processor division of IDT Inc. (Santa Clara, Calif.).