Smart Networking
When the hardware gets smart
The processing power advantage enjoyed by dedicated hardware
based on Application Specific Integrated Circuits is being employed for handling
security functions beyond cryptography, writes Ponkumar Venkatesh.
Ponkumar Venkatesh
Empowerment doesn't seem to be restricted to corporate
circles, as network equipment manufacturers are joining the fray by entrusting
greater responsibilities to traditional packet-pushers like routers and other
networking devices. Routers now come with built-in firewalls, inline intrusion prevention
(IPS) and VPN accelerator functionality, and switches ensure that a connecting
endpoint complies with specific security policies before they grant it network access.
These represent some of the standard network devices now made smart by embedding
security functionality. While the processing power advantage enjoyed by dedicated
hardware based on Application Specific Integrated Circuits (ASIC) has always
been acknowledged, it is only now that this power is being channelised to perform
security functions beyond cryptography. The most obvious result of these new-found
avenues for expending processing power is the multi-function security
device, but some security-aware network hardware also contributes towards enforcing
a defence-in-depth strategy by collaborating with various endpoint security
solutions.
Cryptography is still one of the significant contributions
of networking hardware towards enhancing the overall security posture of an
organisation. Be it protecting inter-branch office communication or providing
remote access to the corporate network for the travelling workforce, the IPSec
functionality offered by network equipment like routers has always come in handy.
Even with overwhelming bandwidth demands, this network equipment is able to
cope with the processing power requirements by offloading the cryptographic
functionality to specialised network security processors.
Today, the emphasis is on incorporating application-aware
firewall and intrusion prevention functionality in edge network hardware.
Greater risk
With business requirements that necessitate granting access to enterprise applications
to users connected to the Internet, and increased dependence on Web applications
to interface with customers and partners, greater risk to sensitive business
information is posed by attacks at the application level. A typical Web application
flaw such as SQL injection, exploited in conjunction with other weaknesses, could
sometimes jeopardise the security of an internal host while completely bypassing all
existing perimeter defence. Further, popular security technologies like firewalls
and intrusion detection systems woefully fall short of the requirements when
it comes to application level exploits. Although application proxies are capable
of performing sanity checks pertaining to standard and well-known protocols
such as SMTP or FTP, they typically do not focus even on popular application
level attacks such as semantic injections. Network intrusion detection
systems, for their part, turn a blind eye to encrypted traffic, which is tantamount to stating
that they are incapable of analysing requests that deal with sensitive data.
As a result, there is emphasis on the inspection of application layer payload
in order to defeat data driven attacks at the application level.
Decrypting traffic
Parsing and classifying incoming packets is the most processor-intensive portion
of network-processing even when compared to SSL or IPSec implementation and
traffic and policy management. The situation is aggravated since detection of
application layer attacks not only necessitates deep packet inspection but in
the majority of cases the typical functionality of a proxy is to decrypt incoming
traffic prior to inspection and reconstruct the same post-analysis. Obviously,
the processing power requirements are beyond those of standard server hardware
running a typical operating system. Specialised security processors capable
of performing wire speed decryption and encryption coupled with a classification
co-processor to aid in packet inspection could be a viable solution. Within
an appliance, these specialised processors form part of distinct optimised data
paths that segregate computational tasks wherein cryptography, content inspection
and generic packet processing are executed in parallel by the appropriate processors.
Such a distributed processing architecture ensures acceptable throughput in
spite of processor-intensive security functionality. Incorporating such processors
in edge network devices renders the application payload analysis inline as opposed
to the typical network intrusion detection system thereby providing the functionality
of an intrusion prevention system at the first point of entry into the network.
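The two preceding sections make one point that is easy to state but worth seeing in code: a proxy's protocol-level sanity check passes a SQL injection attempt as readily as a legitimate login, and the attack only becomes visible once the payload has been decrypted and decoded the way the receiving application will see it. The following is an added example, not code from the article or any vendor; the signature set, the form-body grammar and the two sample requests are constructed for illustration, and the body is assumed to have already passed through the decryption data path described above.

```python
"""Application-layer payload inspection of an HTTP form body.

Illustration added to the article, not vendor code. Shows why a protocol-aware
proxy's syntax checks do not catch a data-driven attack: the suspicious content
is only visible once each parameter value has been decoded.
"""
import re
from urllib.parse import parse_qsl

# Characters allowed in a well-formed application/x-www-form-urlencoded body.
# This is the level at which a protocol-only proxy judges the request.
FORM_BODY_RE = re.compile(r"^[A-Za-z0-9%+&=._~*-]*$")

# Small signature set applied to each decoded parameter value. Assumed rules
# for the example; a production inspector carries far more and tunes them
# (for instance, "d'or" would trip the first rule as written).
SQLI_SIGNATURES = {
    "quote-then-boolean": re.compile(r"'\s*(or|and)\b", re.IGNORECASE),  # closes a string literal, adds a condition
    "comment-truncation": re.compile(r"(--|/\*)"),                         # comments out the rest of the query
    "stacked-statement": re.compile(r";\s*(drop|delete|update|insert|select)\b", re.IGNORECASE),
}


def protocol_sanity_ok(body: str) -> bool:
    """The kind of check an application proxy performs: is the body syntactically valid?"""
    return bool(FORM_BODY_RE.match(body))


def find_signatures(text: str) -> list:
    """Names of the signatures that match the given text."""
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(text)]


def inspect_payload(body: str, decode: bool = True) -> dict:
    """Return an allow/deny verdict for one request body.

    decode=False matches signatures against the raw wire form (what a
    protocol-only inspector sees); decode=True decodes each parameter value
    first, the way the receiving application sees it.
    """
    if not protocol_sanity_ok(body):
        return {"allowed": False, "reasons": ["malformed-body"]}
    if not decode:
        hits = find_signatures(body)
        return {"allowed": not hits, "reasons": hits}
    reasons = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for hit in find_signatures(value):
            reasons.append(f"{name}:{hit}")
    return {"allowed": not reasons, "reasons": reasons}


# Constructed sample requests (not captured traffic). Both are syntactically
# valid form bodies; the second decodes to   admin' OR '1'='1 --   in "user".
BENIGN_BODY = "user=alice&pass=s3cret%21&comment=O%27Brien+says+hi"
INJECTION_BODY = "user=admin%27+OR+%271%27%3D%271+%2D%2D&pass=x"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("injection", INJECTION_BODY)):
        print(label, "protocol ok:", protocol_sanity_ok(body))
        print("  raw-only view:", inspect_payload(body, decode=False))
        print("  decoded view: ", inspect_payload(body))
```

Run stand-alone, the script shows both bodies passing the protocol check and the raw-only view allowing the injection; only the decoded view denies it. That decode-then-match step is the part of the work that the article attributes to the classification co-processor, and it is why the throughput cost of inline inspection is paid per parameter rather than per packet.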
Array of functions
Leveraging the processing power advantage provided by ASICs,
edge network hardware can today perform a multitude of security functions, ranging
from cryptography and Web and e-mail content inspection to network-based anti-virus
functionality and packet filtering, including stateful inspection. Although the
array of security functions handled by edge network hardware has taken perimeter
security to the next level, network equipment manufacturers have not discounted
the significance of a defence-in-depth architecture. They have released updates
to the software running on network appliances that enable these appliances to
collaborate with various endpoint security assessment tools to lock down remote
and local access to the corporate network. These routers and switches, with enhanced
security intelligence, communicate with endpoint security solutions like anti-virus
software and host-based policy compliance assessment tools to deny access to
non-compliant endpoints characterised by policy violations such as outdated
virus signatures and missing security patches. Such non-compliant endpoints
are generally funneled into distinct VLANs where the user can either manually
update the security configuration or have such changes automatically enforced
on the endpoint prior to moving the endpoint into the main network.
The proactive isolation of vulnerable and non-compliant endpoints ensures that
such hosts do not become sources or targets of worms and virus infections. However,
quarantining non-compliant desktops into specific VLANs with degrees of limited
access serves only as a coarse-grained access control mechanism. Greater granularity
can be obtained by assigning a configurable, pre-defined network identity to
potentially unsafe endpoints thereby providing provisions for a tighter access
control than what is possible in case of restrictive VLANs. Regardless of how
non-compliant endpoints are treated, this collaboration of network appliances
with endpoint security software deployed on clients almost results in each switched
Ethernet port serving as a security gateway into the corporate network. As a
bonus, in a majority of the cases an investment made in existing security software
deployed on clients does not get wasted, as network equipment manufacturers
are increasingly tying up with many of the major players in the endpoint assessment
space to ensure communication between their appliances and popular endpoint
security solutions.
Presently, the collaboration between network appliances and endpoint security
solutions is focussed on ascertaining the endpoint's compliance in order
to gain admittance to the corporate network. However, the original intent could
get defeated if subsequent to getting connected to the corporate network, a
laptop user connects to a USB device containing infected files. It is anticipated
that future enhancements will focus on the endpoint assessment being a continuous
process mandating continued compliance to endpoint security policy for retaining
connectivity to the corporate network.
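The admission model described over the last few paragraphs (a coarse VLAN decision, a finer network identity within it, and the anticipated move to continuous re-assessment) is small enough to write down as a policy engine. The block below is an added example, not the article's or any vendor's code: the VLAN numbers, identity names, policy thresholds, posture fields and sample endpoints are all assumptions chosen for illustration.

```python
"""Admission-control policy for a switch port, modelled on the collaboration
between network hardware and endpoint assessment tools described above.

Added illustration; VLAN numbers, identity names and thresholds are assumed.
"""
from dataclasses import dataclass, field

PRODUCTION_VLAN = 10    # assumed: the main corporate network
QUARANTINE_VLAN = 999   # assumed: remediation-only segment

POLICY = {
    "max_signature_age_days": 7,  # anti-virus signatures older than this are stale
    "max_missing_patches": 0,     # any missing required patch is a violation
}


@dataclass
class Posture:
    """What the endpoint agent reports to the switch (assumed field set)."""
    host: str
    signature_age_days: int
    missing_patches: list = field(default_factory=list)
    removable_media_mounted: bool = False  # reported after admission; drives re-assessment


def violations(posture: Posture, policy: dict = POLICY) -> list:
    """Policy violations found in one posture report, in a fixed order."""
    found = []
    if posture.signature_age_days > policy["max_signature_age_days"]:
        found.append("stale-signatures")
    if len(posture.missing_patches) > policy["max_missing_patches"]:
        found.append("missing-patches")
    if posture.removable_media_mounted:
        found.append("unscanned-removable-media")
    return found


def admission_decision(posture: Posture, policy: dict = POLICY) -> dict:
    """The VLAN is the coarse decision; the identity assigned within it is the
    finer one, which the switch can use to scope what the host may reach."""
    found = violations(posture, policy)
    if not found:
        return {"vlan": PRODUCTION_VLAN, "identity": "employee", "violations": []}
    if found == ["stale-signatures"]:
        identity = "av-update-only"      # may reach only the signature server
    elif "missing-patches" in found:
        identity = "patch-remediation"   # may reach only patch and signature servers
    else:
        identity = "rescan-required"     # media event: force a scan before restoring access
    return {"vlan": QUARANTINE_VLAN, "identity": identity, "violations": found}


def reassess(previous: dict, posture: Posture, policy: dict = POLICY) -> dict:
    """Continuous assessment: re-run the policy on a fresh posture report and
    say whether the port assignment has to change."""
    current = admission_decision(posture, policy)
    return {"changed": current != previous, "decision": current}


# Constructed sample endpoints (not real hosts; the patch id is a placeholder)
SAMPLE_COMPLIANT = Posture("laptop-01", signature_age_days=1)
SAMPLE_STALE = Posture("laptop-02", signature_age_days=30)
SAMPLE_UNPATCHED = Posture("laptop-03", signature_age_days=2,
                           missing_patches=["PATCH-ID-PLACEHOLDER"])

if __name__ == "__main__":
    for p in (SAMPLE_COMPLIANT, SAMPLE_STALE, SAMPLE_UNPATCHED):
        print(p.host, admission_decision(p))
    # Later event on an already admitted laptop: a USB drive is mounted.
    admitted = admission_decision(SAMPLE_COMPLIANT)
    later = Posture("laptop-01", signature_age_days=1, removable_media_mounted=True)
    print("re-assessment:", reassess(admitted, later))
```

The one-shot check that the article says today's products perform is `admission_decision`; the USB scenario it raises as the gap is what `reassess` covers, by treating every later posture report as a fresh admission decision and flagging when the port assignment has to move. The identity names are where the finer-than-VLAN granularity lives: two hosts in the same quarantine VLAN can still be limited to different remediation servers.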
The million dollar question pertains to the viability and appropriateness of
this marriage of security with networking technology. While integrating security
with networking technology definitely comes across as beneficial to small and
medium enterprises owing to the obvious cost advantages, it may not be preferred
to dedicated network gear when there is a demand for high throughput. Moreover,
there are enterprises that subscribe to the school of thought that advocates
"let routers route and switches switch". Some of these enterprises
may even have distinct and dedicated teams to handle their security and network
infrastructure and consequently, may not be keen to embrace the notion of integrated
security. However, it is this segmented approach to security and functionality
that has traditionally been and continues to be the biggest impediment to effective
security implementation. The myriad security flaws that affected the initial
implementation of the TCP/IP protocol suite were because the Internet was not
designed with security in mind.
Right from the start
Even today, most application developers exhibit total apathy towards security
and are focussed on getting the requisite business functionality correct. It
is this approach of ignoring security during design and incorporating it as
an afterthought that has resulted in ineffective security implementation and
constant cycles of security updates. Ideally, the term functionality should
be explicitly redefined to mean delivering the requisite business requirements
in a secure manner. While integrating security in networking gear is a step
taken in the right direction, there exists the acknowledged tradeoff between
security functionality and performance to be contended with. Employing ASICs
with distributed processing architecture can help in embedding security functionality
in networking gear while ensuring acceptable throughput.
Ponkumar Venkatesh is Manager, Ernst & Young. He can
be reached at ponkumar.venkatesh@in.ey.com