Pervasive network optimization and ubiquitous security are growing ever more important, even in this economy and in the face of limited budgets. IT staffs are reshaping networks and data centers to meet the new agility and service needs of their organizations.
One axiomatic formulation for the functions of security is CIA – ensure confidentiality, provide integrity, protect availability. Much of this, today, centers on control of networks: admission control, behavioral analysis and ongoing access control, firewall, data-leak prevention, Web filtering, and so on.
Similar formulations and abbreviations have not yet been developed for network optimization, although the term "CAP" springs to mind – compress, accelerate, prioritize. Visibility and control are still the touchstones, though: See what is going on, and reshape it to meet the needs of the organization.
Information security and network optimization dovetail on this idea of control, and bringing the two together is powerful. Consider email spam, for example. More than one company we interviewed described an internal system of mail hosts and the havoc spam once played with it, swamping mail servers and burying real email under the tonnage of pharmaceutical, financial, and more questionable digital come-ons.
The solution, of course, was to filter out the spam before it was distributed internally. Many companies bypassed internal spam filtering, subscribing instead to third-party filters that eliminate spam before it consumes any Internet bandwidth the organization is paying for. As a result, email service performance and quality are greatly improved.
As we consider the combination of security and optimization, the first rule is: Don't optimize what you don't want to deliver in the first place. For example, why optimize delivery of an outbound packet over the WAN if it contains data (say, a credit card number) that will cause the data leak firewall to drop it? Or inbound data (say, a webpage with suspicious content) that the user's desktop firewall will block?
Packet and content filtering equal increased WAN awareness?
Control, these days, often requires peeking inside packets to look at the content of the network traffic, not just at the ports it is on or the hosts it is moving between. This is especially true in a world increasingly driven by XML messages whizzing around inside a service-oriented architecture (SOA). Higher-level content awareness is necessary when a denial-of-service attack can be mounted at an application level by traffic that from a typical firewall's lower-level perspective looks completely legitimate. On outbound traffic, data-leak protection is another problem space where content awareness comes into play.
The same may be true of network optimization. Problems are emerging, especially in SOAs built around applications distributed across multiple data centers, that require content awareness for proper control – to prioritize financial audit transactions ahead of cleaning-supply reorders, for example, or customer service IM traffic above personal chats.
Thus, the second rule of secure network optimization would be: Crack open the packets only once. By bringing security evaluation together with network optimization, a secure optimization appliance could reduce overall latency and minimize what the optimization systems have to process.
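The two rules above (drop before you optimize, and open the packet only once) can be shown in a few dozen lines. The following Python is an added example written for this page, not code from the article or from any vendor it names: a single decode pass feeds both a data-leak check (a Luhn-validated card-number match, so a random 16-digit run is not a false positive) and a content-based priority class; a packet the DLP check drops never reaches the compressor. The `decode_once` and `process` names, the `AuditTransaction`/`SupplyReorder` message classes and the sample payloads are all constructed for the illustration.

```python
"""Added example: one-pass inspection where the security verdict is reached
before any optimization (compression, prioritization) work is spent."""
import re
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy for the example: higher number is forwarded first.
PRIORITY_BY_MESSAGE = {"AuditTransaction": 2, "SupplyReorder": 1}

CANDIDATE_RE = re.compile(r"(?:\d[ -]?){13,16}")   # 13-16 digits, optional separators
ROOT_TAG_RE = re.compile(r"<([A-Za-z]+)")           # first XML element name


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Decoded:
    text: str
    root_tag: Optional[str]
    card_numbers: List[str]


def decode_once(payload: bytes) -> Decoded:
    """Crack the packet open exactly once; every later stage reads this object."""
    text = payload.decode("utf-8", errors="replace")
    m = ROOT_TAG_RE.search(text)
    root = m.group(1) if m else None
    cards = []
    for cand in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", cand.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.append(digits)
    return Decoded(text, root, cards)


@dataclass
class Verdict:
    action: str            # "drop" or "forward"
    reason: str
    priority: int = 0
    in_bytes: int = 0
    out_bytes: int = 0     # bytes after compression; 0 when dropped


def process(payload: bytes) -> Verdict:
    d = decode_once(payload)
    # Rule 1: security first. A packet the DLP policy drops is never compressed.
    if d.card_numbers:
        return Verdict("drop", "dlp:card-number", in_bytes=len(payload))
    # Optimization stages reuse the same decoded view (rule 2: no second parse).
    prio = PRIORITY_BY_MESSAGE.get(d.root_tag or "", 0)
    compressed = zlib.compress(payload)
    return Verdict("forward", f"class:{d.root_tag or 'unknown'}",
                   prio, len(payload), len(compressed))


def run_pipeline(payloads: List[bytes]) -> Tuple[List[Verdict], dict]:
    """Process a batch; report what was dropped and the priority-ordered forward queue."""
    verdicts = [process(p) for p in payloads]
    forwarded = [v for v in verdicts if v.action == "forward"]
    # Stable sort so equal-priority traffic keeps arrival order.
    queue = sorted(forwarded, key=lambda v: -v.priority)
    stats = {
        "dropped": sum(1 for v in verdicts if v.action == "drop"),
        "forwarded": len(forwarded),
        "bytes_compressed": sum(v.in_bytes for v in forwarded),
        "forward_order": [v.reason.split(":", 1)[1] for v in queue],
    }
    return verdicts, stats


# Constructed sample payloads (not captured traffic).
SAMPLE_PAYLOADS = [
    b"<AuditTransaction id='17'><amount>1200.00</amount></AuditTransaction>",
    b"<SupplyReorder><item>mop heads</item><qty>40</qty></SupplyReorder>",
    b"<Note>call back re card 4111 1111 1111 1111 exp 09/27</Note>",  # Luhn-valid test number
    b"<Note>ticket 1234 5678 9012 3456 opened</Note>",                # digit run, fails Luhn
]

if __name__ == "__main__":
    _, s = run_pipeline(SAMPLE_PAYLOADS)
    print(s)
```

Two design points are worth noticing. The Luhn check is what keeps a ticket number or a timestamp from tripping the leak filter, so the pipeline does not throw away traffic it should have delivered; and because the decoded object is built before any branch, adding a third consumer (say, an application-layer rate limiter) costs no additional parse.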
The convergence of network optimization and security is driven by other factors too. There is network topology: Both security and optimization are especially effective and economical at critical chokepoints in the network, where the most traffic can be processed with the smallest number of boxes. There is IT's desire for simplicity: Fewer boxes in the comms closet, fewer vendor relationships to manage, fewer points of failure requiring redundancy solutions, fewer fingers pointed. There is market evolution: As baseline optimization folds into routing gear, optimization vendors will use security convergence as a differentiator.
Roadblocks to secure network optimization
Of course, there are problems. Security devices want to fail open – in the circuit sense, to look like a break in the wire – so nothing passes if the device dies and you know your security posture is not compromised by the failure. Network optimization devices want to fail closed – to look like plain wire if they stop working – so traffic still gets through, unoptimized, even when the device can no longer process it. What should a converged box do?
There are also concerns around SSL traffic streams. A device can't optimize an encrypted stream if it can't see what is inside. The only way to look inside is essentially to execute a man-in-the-middle attack, wherein the security/optimization box terminates encryption tunnels so that it can optimize the traffic inside.
This can be a touchy issue, though, both from a compliance perspective (if my guidelines say the traffic has to be encrypted between endpoints, how is this OK?) and from a privacy perspective (if I let my employees do personal stuff on my Net, is it OK for me, say, to be looking inside their banking transactions?). No one should venture down this path without a lot of serious discussion with legal advisers and auditors about the limits and implications of what they will do.
The bottom line: Look for opportunities, as with spam filtering, to let security and network optimization help each other. Expect your vendors to bring these functional lines together, as BlueLane, Cisco, Juniper, Expand, Radware and others are doing – but don't expect the ride to be without some bumps.
About the author: John Burke is a principal research analyst with Nemertes Research, where he focuses on software-oriented architectures and management issues.