Networking and security have always been at odds. On a fundamental level, the goal of the networking group is to rapidly move packets (the good ones) from one host to the next; the security group's job is to stop packets (the bad ones) from getting to the next host and wreaking havoc. And between these two ideals lies an efficient and secure network. Getting to that happy medium is often a challenge.
The networking and security industries reflect this dichotomy with strong security companies and strong networking companies. Sure, the major networking vendors have bought up a slew of security companies in recent years, but we really haven't seen much integration across those products.
But things are changing. Lately, it seems that every vendor in the industry is talking about the blending of networking and security, and we are starting to see real products that span both worlds. Some of the first forays seem more superficial and remind me of the old peanut butter cup ad ("You got your security peanut butter in my networking chocolate!"). But others are more elegant, solving real problems spanning these different domains. We'll look at what's driving this new convergence and what it means to you.
On July 12, 2001, the Code Red worm began spreading through a known vulnerability in Microsoft's IIS Web Server. Code Red was interesting for two reasons. First, it spread rapidly, infecting more than 350,000 machines in 14 hours; second, it carried a payload -- the ability to launch a DDoS attack on a pre-specified date. Code Red was one of the first widely known "blended threats."
Blended threats have since become commonplace. With worms, DDoS, Botnets, Phishing and Spyware, we're seeing more sophisticated attacks at the host and networking level as hacking evolves from a hobby to a profession.
The crumbling perimeter
With the proliferation of VPNs, wireless access points, PDAs and mobile laptops, security professionals have been talking for some time about the death of the firewall. The firewall isn't going anywhere soon, but it's not the esteemed head of the security household that it once was. Attacks don't come in through the firewall anymore -- they hitch a ride in through the front door on an employee's laptop and spread from there.
For this reason, enterprises are securing the network inside the firewall. Whereas it might have been acceptable to deploy three security devices and two network management probes on the uplink to the Internet, however, scattering this number of devices through a distributed internal network is a costly proposition. Enterprises are being forced to look for devices that bring value on both sides of the security-networking equation.
In moving to VoIP, businesses are increasing their reliance on the IP network. So when the CEO notices his calls aren't coming in, how do you identify the origin of the problem? Is it congestion? A VoIP-based attack?
Similarly, IPTV and other video technologies are putting more of a demand on the network than ever. During the World Cup, I noticed more than a few co-workers streaming the ESPN broadcast to their desktops. One of the old jokes in security has been that if you want to block bad traffic, you just need to filter on the "Evil Bit." Recently, Arbor Network's CTO, Rob Malan, has been asking for a "Stupid Bit" as well. You don't need to filter all this video and P2P traffic, but if you need the bandwidth, you could drop or shape it.
Getting the good traffic through and dropping or shaping the bad traffic is becoming increasingly complicated, begging for new tools.
Compliance has brought new attention to the internal network and a recognition that you need to watch insiders and the outside world with the same vigilance.
And finally, costs. How are you ever going to achieve secure and efficient networking if moving a packet safely from one side of the network to another requires five different security and reporting devices? At a fundamental level, this is what's driving the blending -- deploying a firewall, an IPS, Content Security, a traffic-shaping box, and traffic-reporting tools on every network segment isn't going to scale, and no one would have enough money to buy it even if it did.
All of these trends are pushing us toward a new era of networking and security that requires tools that know the difference between a video stream and a DDoS attack, even though the end result, a congested network link, is the same. Enterprises need a networking and security control plane -- a single set of integrated tools that enable the operator to ensure safe passage across a distributed network that is growing in size and importance.
What does all this mean to the networking professional?
First, you need to challenge your networking and security vendors to deliver blended functionality. Don't let them get away with pat answers: "We're a networking tool -- not a security tool." Tell them you want to buy both.
Second, get familiar with technologies such as sflow and netflow that span both networking and security domains. Flow-based approaches allow visibility and security in a large network without spending the money to instrument the whole network.
And finally, don't let your networking vendor convince you that putting a firewall in a switch means you have a blended product. Sticking a firewall inside a switch has some advantages, but it doesn't help you troubleshoot a congested link.
In the next two years, we'll see more and more blended technologies. In the meantime, good luck keeping the CEO's phone working!
About the Author: Paul Morville is Vice President of Product Management for Arbor Networks, where he is responsible for overall product strategy and execution. He has worked for Arbor since 2001 and has helped take their products from alpha-stage to award-winning, category-leading solutions. Previously, Paul held product management positions for a number of other Boston-based startups. He holds a BA in Computer Science from Tufts University and an MBA from the University of Michigan. Paul can be reached at [email protected].