- Anish Bhimani
How do you secure gigabit-speed traffic while keeping a lid on costs? Traditional answer: You can't. But an emerging class of security solutions may change the rules of the game.
Call them security switches, intrusion prevention devices, security blades or specialty appliances. Whatever their name, it's clear that we're seeing an evolution toward dedicated hardware that optimizes security functionality into a single box, blade or chip.
Architected as rack-mountable appliances with server blades or dedicated ASICs for security service modules, security switches consolidate security-specific functions (traffic monitoring, content filtering, AAA) in custom-built devices that are easily integrated into existing infrastructures.
Is your software IDS dropping packets during heavy traffic? Plug in a customized appliance with ASICs dedicated to high-speed traffic inspection. Is e-mail a growing security concern? Drop a blade server into the rack that performs AV and spam filtering, as well as secure remote access. The point is that security switches give you the opportunity to offload, customize and modularize with the ultimate goal of improved security, better performance, reduced cost and simplified administration.
The security switch landscape of 2003 isn't unlike the firewall market of 1994. Established vendors are enhancing their products to address security threats--and there's plenty of competition from startups, with at least 20 vendors claiming a share of the space. With so many vendors, it's difficult to lump all the products into a single category. However, we can loosely classify available products into four distinct groups, based on their primary area of focus.
1. Virtual security service devices. These are true "security switches," combining the functionality of multiple security devices (most commonly firewalls, IDSes and VPNs) in a single appliance. These products allow for customized configuration within the device. For example, if you want five firewalls and 14 IDSes, or six IDS engines and two VPN servers, you can manipulate the architecture to either add muscle to a particular function or diversify the services that you wish to incorporate in a single box.
Some devices, such as Inkra Networks' Virtual Service Switch and iPolicy Networks' ipEnforcer, incorporate their own software-based solutions. Cisco Systems can incorporate a number of its security modules, including IDS, firewall and VPN, in individual blades in its Catalyst 6500 chassis.
Others, such as Crossbeam Systems' X40, support existing security products such as Check Point Software Technologies firewalls and Internet Security Systems intrusion detection engines, on individual blades within a single chassis that plug into a common backplane.
2. Application-specific firewalls. The majority of the offerings in this space focus on securing Web and e-mail traffic.
Most Web-server gateway appliances start with hardware-based packet inspection that's optimized for HTTP traffic, and are coupled with SSL acceleration, load balancing, a Web proxy and other related components. This class of products includes Gilian Technologies' G-Server, Nauticus Networks' N2000, NetContinuum's NC-1000 and Array Network's Array-SP.
E-mail firewall appliances, such as BorderWare's MXtreme and CipherTrust's IronMail, roll up several mail-specific security functions into one point solution: AV, antispam, malformed message filtering, message encryption, authentication and more. BorderWare also offers gateways for DNS management and document filtering.
3. Security zone switches. Taking a cue from network switches, these products take a VLAN approach to security, since it's not always possible to physically separate systems on networks, and workgroups are often ad hoc in nature. Zone switches allow organizations to assign systems within a given zone, applying common security policies and encrypting traffic so that other systems on the same physical network can't see it. Think of it as a secure VLAN and VPN rolled into one. Products offering this feature include Ranch Networks' RN5 and RN20, as well as NetContinuum's family of solutions.
4. Customizable security gateways. These products bear some resemblance to Web and e-mail firewalls. However, they allow for customizable packet inspection of multiple applications, while continuing to provide additional protection against lower-layer attacks.
Products in this category include Top Layer Networks' Attack Mitigator IPS, Symantec's Security Gateway, Network Associates' IntruShield and TippingPoint's UnityOne appliances.
A Lot in Common
Looking at the above list, you could come to a conclusion that this class of products includes everything but the kitchen sink. The fact is, everyone has a slightly different definition of what constitutes a security switch. However, despite the differences in functionality, there are a number of common characteristics that help define these devices as a class.
Custom chipsets. Security operates at every layer of the OSI model. While network security appliances enhance traffic throughput, they aren't designed to improve the performance of security apps.
On the other hand, almost all security switches use some form of customized silicon (some based on reprogrammable FPGA technology, others based on custom ASICs), with each processor dedicated to a specific security module.
Customized silicon allows much of the security processing to be handled in hardware. By moving the processing into hardware, the product is able to perform detailed inspection, filtering and logging at wire speeds (upwards of 4 Gbps).
TCP and SSL termination. One of the major problems with current firewalls is their inability to monitor SSL-encrypted traffic or filter based on application-level content. To address this, security switches terminate the TCP or SSL session (similar to proxy-based firewalls), decrypt and disassemble the packet, inspect it, and take action as necessary. The switch then reassembles and reencrypts the packet for transmission. Previous generations of firewalls couldn't muster the performance required for this functionality, but custom hardware gives these devices the muscle to get the job done.
Deep packet inspection. A security switch's ability to terminate the TCP and SSL sessions enables a robust feature--application-layer filtering or "deep packet inspection." While previous products were limited primarily to port and address filtering, deep packet inspection enables filtering of known application-based attacks. For example, the appliance can inspect traffic for poorly formed cookies, buffer-overflow and stack-override attempts, SQL injection attacks and other threats that rely on HTTP- (or other protocol-) specific syntax.
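The two paragraphs above describe the inspection step that follows TCP/SSL termination: once the switch holds the decrypted request, it parses it at the application layer and looks for protocol-specific attack syntax. The Python below is an added illustration of that step, not code from the article or from any vendor named in it. It assumes the request has already been decrypted and reassembled, and the length limits, signature patterns and sample requests are constructed for the example; a real appliance would carry far richer signatures and protocol state.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical limits a gateway might enforce on a decrypted HTTP request.
MAX_REQUEST_LINE = 2048
MAX_HEADER_VALUE = 512

# Constructed SQL-injection indicators: quoted tautology, trailing SQL comment,
# stacked statement, or UNION SELECT. These are illustrative, not a full signature set.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),
    re.compile(r"(--|#|/\*)\s*$"),
    re.compile(r";\s*(drop|delete|insert|update|union)\b", re.I),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
]


def parse_request(raw: bytes):
    """Split a raw HTTP request into request line, (name, value) headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, body


def inspect_request(raw: bytes):
    """Return a list of (finding, detail) tuples; an empty list means the request passed."""
    findings = []
    try:
        request_line, headers, _body = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return [("malformed-request", str(exc))]

    if len(request_line) > MAX_REQUEST_LINE:
        findings.append(("oversized-request-line", str(len(request_line))))
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        findings.append(("malformed-request-line", request_line))
        return findings
    _method, target, _version = parts

    # Application-layer check: decode the query string and match each value
    # against the SQL-injection indicators.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if any(pat.search(value) for pat in SQLI_PATTERNS):
            findings.append(("sql-injection", f"{key}={value}"))

    for name, value in headers:
        # Overlong header values are a classic overflow indicator.
        if len(value) > MAX_HEADER_VALUE:
            findings.append(("oversized-header", name))
        # Each cookie crumb must be a name=value pair.
        if name == "cookie":
            for crumb in value.split(";"):
                crumb = crumb.strip()
                if crumb and "=" not in crumb:
                    findings.append(("malformed-cookie", crumb))
    return findings


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    b"GET /search?q=hello+world HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Cookie: session=abc123; theme=dark\r\n\r\n"
)
SUSPECT_REQUEST = (
    b"GET /login?user=admin&pass=x'%20or%20'1'%3D'1 HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Cookie: session\r\n"
    b"X-Pad: " + b"A" * 600 + b"\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, inspect_request(req))
```

The inspector only sees cleartext because termination happened first; on an encrypted stream the same checks would have nothing to match, which is the gap the article attributes to earlier firewalls.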
Looking ahead, as Web services become more prevalent, the ability to filter XML or SOAP content will greatly improve security switches' functionality.
Multiple services on a single box. Aside from security features, most switches also incorporate certain network functionality. This generally includes some combination of load balancing and automatic failover to provide increased availability and redundancy. In addition, some products allow for dynamic reconfiguration of the device. For example, you could set a rule to reconfigure an IDS blade as a firewall, or a firewall as an AV device to address traffic patterns and system failures.
Moreover, with switches combining the functionality of multiple security devices (firewalls and IDS; Web caching, proxy and firewall), event management and reporting become critical. These switches also include a common management backplane, allowing security managers to manage disparate devices from a single console and see cross-correlated events logged by each device.
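The paragraph above says the common management backplane lets an operator see cross-correlated events from the firewall and IDS blades in one console. The Python below is an added example of that correlation, not the article's or any vendor's code: it normalises two constructed log formats (a firewall accept/deny line and an IDS alert line, both invented for the example) into one event schema and reports sources for which an IDS alert and firewall activity fall within a configurable window.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed log formats for the example; real blades would each emit their own.
FW_LINE = re.compile(r"^(\S+) (\S+) (ACCEPT|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_LINE = re.compile(r'^(\S+) (\S+) ALERT sig="([^"]*)" src=(\S+) dst=(\S+)$')


@dataclass(frozen=True, order=True)
class Event:
    ts: datetime
    device: str
    kind: str      # "firewall" or "ids-alert"
    src: str
    dst: str
    detail: str    # action and port, or the signature name


def parse_firewall(text: str):
    """Normalise firewall log lines; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if m:
            ts, dev, action, src, dst, dport = m.groups()
            events.append(Event(datetime.fromisoformat(ts), dev, "firewall",
                                src, dst, f"{action} dport={dport}"))
    return events


def parse_ids(text: str):
    """Normalise IDS alert lines into the same Event schema."""
    events = []
    for line in text.splitlines():
        m = IDS_LINE.match(line.strip())
        if m:
            ts, dev, sig, src, dst = m.groups()
            events.append(Event(datetime.fromisoformat(ts), dev, "ids-alert", src, dst, sig))
    return events


def correlate(events, window_seconds=60):
    """Map each source that triggered an IDS alert to the alert plus any firewall
    events for the same source within +/- window_seconds, sorted by time."""
    incidents = {}
    for alert in (e for e in events if e.kind == "ids-alert"):
        related = [
            e for e in events
            if e.kind == "firewall" and e.src == alert.src
            and abs((e.ts - alert.ts).total_seconds()) <= window_seconds
        ]
        if related:
            incidents.setdefault(alert.src, set()).update(related + [alert])
    return {src: sorted(evs) for src, evs in incidents.items()}


# Constructed sample logs (not real traffic).
FW_LOG = """\
2003-05-12T10:00:01 fw1 ACCEPT src=10.1.1.5 dst=10.2.0.10 dport=80
2003-05-12T10:00:03 fw1 ACCEPT src=10.1.1.7 dst=10.2.0.10 dport=80
2003-05-12T10:00:09 fw1 DENY src=10.1.1.7 dst=10.2.0.11 dport=22
garbage line that should be skipped
"""
IDS_LOG = """\
2003-05-12T10:00:04 ids1 ALERT sig="HTTP SQL injection attempt" src=10.1.1.7 dst=10.2.0.10
2003-05-12T10:05:00 ids1 ALERT sig="Port scan" src=10.1.1.9 dst=10.2.0.0/24
"""

if __name__ == "__main__":
    for src, evs in correlate(parse_firewall(FW_LOG) + parse_ids(IDS_LOG)).items():
        print(src)
        for e in evs:
            print(f"  {e.ts.isoformat()} {e.device:<5} {e.kind:<9} {e.detail}")
```

The window and the "alert plus firewall activity" rule are deliberately simple; the value of a shared backplane is that both feeds already carry comparable timestamps and addresses, so the correlation is a join rather than a reconciliation of incompatible formats.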
Security Switches in Your Infrastructure
A common question asked about security switches is whether they should be viewed as replacement technology or a supplement to the existing security infrastructure.
While most of these products provide a superset of security features already deployed within most organizations, it's difficult to imagine any reasonably sized company would completely replace its existing infrastructure with a new, relatively unproven (albeit powerful) technology. Thus, most organizations choose to adopt a defense-in-depth model, with a security switch working hand-in-hand with existing firewalls and IDSes. In this scenario, the goal is to phase out old solutions over time.
In other cases, organizations already entering a replacement cycle are swapping traditional, aging security products for multipurpose switches. Virtual service switches, such as Crossbeam's, make their business case largely on reduced TCO and accelerated ROI. You'll have to crunch the numbers to determine if that makes sense in your organization.
Although many organizations feel that the perimeter is reasonably secure with existing solutions, very few feel comfortable with their internal controls. Given that most products in this space tout their ability to provide strong security at wire speeds, it makes sense to deploy them internally (and, in the case of Web-based application firewalls, as close to the application server as possible), where the bandwidth is greatest.
It's hard to question the value of high-speed, high-performance security solutions. However, this is a nascent technology, fractured among more vendors than the market will bear. With products priced in the high five figures, it's difficult to imagine a strong adoption rate in the near term.
Make no mistake, though, this class of products is here to stay. Yankee Group's Matthew Kovar recommends that security appliance vendors "make the transition to a security services switch architecture, or exit the market quickly...position the company to be acquired and look for new jobs."
Gartner is somewhat less dramatic, claiming that by the end of 2004, sales of "inline intrusion prevention devices" will outpace network-based IDSes.
About the author:
Anish Bhimani is CISO at JP Morgan Chase. He is coauthor of Internet Security for Business (John Wiley & Sons, 1996).