In a crossover world, performance and security converge to give fast, secure apps

Mainstream applications are increasingly adding top-end security features

To date, security and performance devices have been two separate - often directly opposed - species, born out of two different camps, from the product and supplier perspective alike.

Certainly, where the bigger players are concerned, there has been some crossover, but still the separation has been largely in place. But for how much longer?

Well-established security devices such as firewalls have become mainstream, commodity products, offered both by pure security companies and by the likes of Cisco, 3Com and many others from the general networking world. But now what have been considered specialist security devices, such as intrusion detection systems, are also being integrated into the mainstream.

Take, for example, the Cisco Integrated Service Router, which combines routing and VoIP functionality with a complete set of security features, including not just the regular firewall and - increasingly - virtual private network (VPN), but also an intrusion prevention system.

The system is modular in design, so these features can be beefed up on an as-needed basis, from the standard issue versions you get in the box. This is part of what Cisco calls its self-defending network security strategy.

The idea is, quite simply, to marry classic router functionality with real security features, not tick-box items, but the genuine article, embedded directly inside the routers. A shape of things to come?

At the appliance level, companies such as Bluecoat and Equiinet have been combining cache engines with VPN, anti-virus filters and other security functions. And the world of wireless Lan has itself also been busy combining performance and security features.

Earlier this year, the Broadband-Testing labs looked at a number of WLan products from Trapeze, Symbol and Hewlett-Packard. They all included intrusion detection system-esque rogue access point/user detection, alongside multiple authentication and user control filters, in addition to the Ethernet-based performance features.

Madge Networks is another example of a WLan supplier pulling specialist security tools such as IDS into the wireless world. But how does this kind of product compare with what has been offered from the likes of Juniper (NetScreen) over the past couple of years?

According to Martin Malina, CEO of Madge, there is a certain level of headline integration of a minimal set of features such as rogue AP detection into standard infrastructure products.

However, the reality of the situation is that these would be fine to plan into greenfield installations, but not easy to do post-installation or in the middle of a long-term roll-out.

So how useful are they in the real world? "IDS and rogue AP detection are phrases being used to describe very different functionality across the industry. Many offerings are incomplete or lacking major functionality in order to guarantee true intrusion detection," Malina said.

He believes that proactive intrusion detection requires specific technology, but combining this with basic infrastructure is not always possible and customer requirements are often for more than just the simple features themselves.

Monitoring multi-supplier, multi-band WLan installations is not always possible with the integrated approach.

For example, a .11g deployment will come with an expensive supplement to detect .11a and more than likely will not detect Bluetooth, he said, despite there having been well-publicised instances of phone and PDA hacking via Bluetooth.

So, it seems that, for a technology user, it is important to differentiate between what amounts to suppliers paying security lip service and what can really be of value. But the trend is there for all to see.

At the same time, up in the heady heights of Layer 7 networking, there seems to be an increasingly strong resemblance between the products that are termed "traffic management" devices and those that are pure security devices, such as IDS and IPS products.

On the surface that may not appear to be so, but once you dig beneath and look at how these products are primarily engineered - to carry out deep packet inspection and make decisions on what they find, based on a series of rules - they are actually very similar in concept.

Looking at the direction Layer 7 traffic management devices have taken over the past 12 months, devices now on sale work at the application layer, optimising web traffic in both directions across the device, but in a secure fashion.

For example, they can use secure tunnelling in the form of an SSL VPN and support https/SSL-based access to whatever lies either side of the device with SSL termination at the device or endpoint.

Equally, they can identify and block denial of service (DoS) or distributed DoS attacks. More than this, they can identify virus patterns and signatures to filter out potentially infected packets. Yet these are not defined as security products.

For example, the NetScaler Application Delivery Accelerator - the name implies pure performance orientation - includes an SSL VPN to encrypt, protect and accelerate application delivery, and has integrated DDoS defence mechanisms for SYN flood, Teardrop, Land, Fraggle, zombie connection, Ping of Death and SNMP attacks. Packet filtering, authentication, authorisation and auditing options are equally numerous. And this is an entry-level product.
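To make the DDoS defence list above concrete from the defender's side, here is an added example (not NetScaler's code) of the kind of per-packet rule an inline device applies to spot the malformed-packet attacks named in the paragraph: Land, Ping of Death, Fraggle and Teardrop. The Packet class is a constructed, already-parsed view of a packet rather than a real capture, and the broadcast test is a deliberate simplification.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_IP_DATAGRAM = 65535  # largest legal IPv4 datagram, header included


@dataclass
class Packet:
    """Constructed, already-parsed view of one IP packet (not a capture)."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    frag_offset: int = 0        # fragment offset in bytes (field value * 8)
    payload_len: int = 0        # bytes carried by this packet/fragment


def classify(pkt: Packet) -> Optional[str]:
    """Name the single-packet attack this packet matches, or None."""
    # Land: source and destination address/port are identical, so the
    # victim would be made to talk to itself.
    if pkt.proto == "tcp" and pkt.src == pkt.dst and pkt.sport == pkt.dport:
        return "land"
    # Ping of Death: an ICMP fragment whose offset plus length would
    # reassemble beyond the 65535-byte limit (header size ignored here).
    if pkt.proto == "icmp" and pkt.frag_offset + pkt.payload_len > MAX_IP_DATAGRAM:
        return "ping-of-death"
    # Fraggle: UDP aimed at a broadcast address on the echo/chargen
    # amplifier ports. The ".255" test stands in for a real subnet-mask
    # check and is a simplification for this example.
    if pkt.proto == "udp" and pkt.dst.endswith(".255") and pkt.dport in (7, 19):
        return "fraggle"
    return None


def has_overlapping_fragments(frags: List[Packet]) -> bool:
    """Teardrop check: do any two fragments of one datagram overlap?"""
    spans = sorted((f.frag_offset, f.frag_offset + f.payload_len) for f in frags)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))
```

SYN flood and zombie-connection detection need connection-rate state across many packets, so they are deliberately outside this single-packet rule set.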

Similarly, Zeus' ZXTM traffic management product, which we tested recently, not only offers these kinds of security defence features but the ability to inspect a packet to any level of detail, change any content and apply almost any rule to govern its future behaviour.

This bodes well for any kind of security application. It means that ZXTM becomes a true security device as well as an intelligent traffic management and performance accelerator.

F5 Networks' latest range of Layer 7 products that, again, we have recently examined, adds a whole new spectrum of security-oriented features to what is still classed as an application/traffic management device.

One example is resource cloaking. There is a lot of information about your network passing across the internet in headers that can provide valuable information for network "terrorists".

For example, web servers return status codes based on the page request status - such as "403 - access is forbidden" and often include details about the web server application software, which is in clear text. To nullify this, F5's Big-IP product can be configured to block response headers or portions of the headers which contain information about the web server, important libraries, or the language the application was written in, for example.
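The header-cloaking behaviour described above, as an added example that is not F5's code: a filter that strips server-identifying response headers before the response leaves the device, while leaving the status line and body untouched. The deny-list and the sample 403 response are constructed for this example.

```python
from typing import Iterable, List, Optional

# Header names that commonly leak server software, frameworks or languages.
# Constructed deny-list for this example; a real deployment would tune it.
LEAKY_HEADERS = frozenset((
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
    "x-generator", "x-runtime", "via",
))


def cloak_response(raw: bytes, deny: Iterable[str] = LEAKY_HEADERS,
                   generic_server: Optional[str] = "web") -> bytes:
    """Strip identifying headers from a raw HTTP/1.x response.

    Status line and body pass through unchanged. If generic_server is set, a
    neutral Server header replaces whatever was removed so clients that
    expect one still get a value that reveals nothing about the origin.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response head")
    status_line, *header_lines = head.split(b"\r\n")
    deny_lc = {d.lower() for d in deny}
    kept = []
    for line in header_lines:
        name = line.partition(b":")[0].strip().lower().decode("latin-1")
        if name in deny_lc:
            continue  # drop the leaky header entirely
        kept.append(line)
    if generic_server is not None:
        kept.append(b"Server: " + generic_server.encode("latin-1"))
    return b"\r\n".join([status_line, *kept]) + sep + body


def header_names(raw: bytes) -> List[str]:
    """Lower-cased header names present in a raw response (for checking)."""
    head = raw.partition(b"\r\n\r\n")[0]
    return [l.partition(b":")[0].strip().lower().decode("latin-1")
            for l in head.split(b"\r\n")[1:]]


# Constructed sample: a 403 whose headers advertise server and language versions.
SAMPLE = (b"HTTP/1.1 403 Forbidden\r\n"
          b"Server: Apache/2.0.52 (Unix) PHP/4.3.9\r\n"
          b"X-Powered-By: PHP/4.3.9\r\n"
          b"Content-Type: text/html\r\n"
          b"Content-Length: 29\r\n"
          b"\r\n"
          b"<h1>403 Access forbidden</h1>")
```

Note that cloaking headers alone does not remove version strings embedded in default error-page bodies; those need separate body rewriting or custom error pages.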

Marc Willebeek-LeMair, chief technology officer of intrusion prevention specialist TippingPoint, believes the market is at the inflection point of a fundamental change in networking.

"In next-generation networks, security is embedded within the infrastructure, where inline devices filter out bad traffic from the good. This requires highly specialised purpose-built hardware in order to perform effectively at multi-gigabit speeds. The first incarnation of this security and network convergence manifests itself in what is being called an intrusion prevention system," he said.

TippingPoint's own Unity One product is one such example, being placed not just at the perimeter of networks where traditional security products reside, but deep within the core of networks, exactly where Layer 7 traffic management switches are deployed.

And they are no longer pure security devices. Mission-critical traffic and delay-sensitive traffic like VoIP can be prioritised, while less important traffic can be throttled back by Unity One. This is called performance protection but sounds suspiciously like Layer 7 traffic management. The crossover is all but complete.

What the products have to offer

Cisco ISR (Integrated Service Router)
Combines routing and VoIP functionality with firewall and VPN

Bluecoat and Equiinet
Combine cache engines with VPN, anti-virus filters

Trapeze, Symbol and Hewlett-Packard
Include rogue access point detection, multiple authentication control filters, plus Ethernet-based performance features

NetScaler Application Delivery Accelerator
Performance tool, includes SSL VPN encryption, and integrated DDoS defence

Zeus ZXTM traffic management
Performance plus security defence tools including the ability to inspect a packet to any level of detail

TippingPoint
Unity One resides where Layer 7 traffic management switches are deployed

F5 Networks
Big-IP can be configured to block broadcast of protocol or server configuration data


Steve Broadhead, Broadband-Testing
Steve Broadhead runs Broadband-Testing Labs, a spin-off from independent test organisation the NSS Group.  

Author of DSL and Metro Ethernet reports, Broadhead is now involved in a number of projects in the broadband, mobile, network management and wireless Lan areas, from product testing to service design and implementation.