Design Article
Creating the completely encrypted network
Mark Gordon, Vice President of Marketing, Corrent Corp., Tempe, Ariz.
10/14/2002 10:48 AM EDT
The prevailing view of current security technology holds that building more security into the global networks is simply too expensive right now for most applications. Existing security solutions are unable to scale with infrastructure growth, and provisioning and routing more traffic through encryption filters will simply slow down the already-overburdened infrastructure of routers and switches.
However, the prevailing view is wrong. In fact, using silicon security solutions that are available today, it is possible to encrypt 100 percent of the traffic moving across all public and private networks and leave enough headroom in the systems to encrypt all the traffic that will be moving across them in the future. Not only is this technically possible, it is necessary. What is holding things back is a matter of cost and performance, or, more precisely, the mistaken conclusion that they are the bottlenecks.
Cost is a critical concern for deploying security within the Internet. Data center managers of most e-commerce sites that need to improve security will choose to add more servers to handle the Secure Sockets Layer (SSL) transactions in their massive data centers, rather than spend between $2,000 and $5,000 for an SSL acceleration card. These managers trade off scalability and performance in the process, because the best solution is just not cost-effective.
Performance, which equates to scalability and flexibility, is another concern. System managers around the world are forced to make compromises as they balance the cost of a system against its performance. While software-based security technology is the least expensive, it doesn't scale and doesn't offer the performance to support the highest-performing networks. Dedicated hardware, such as SSL accelerators and stand-alone VPN encryption systems, is more expensive, but even these can become choke points on the network if they are not deployed correctly.
As a result, cost-sensitive VPN solutions that secure only the minimum amount of bandwidth are often implemented in enterprise networks. Later, when customers wish to expand their WAN interface to the Internet, they typically must replace their entire VPN solution in the process.
There is also a concern regarding the "deployment burden" associated with security. The setup and actual encryption of data for secure transmission is only one aspect of the requirements placed on network equipment for handling security. The processing power required to enable the security protocol through the encapsulation and manipulation of security headers and the IP packet itself, sometimes called the "IP tax," has been the responsibility of the system's host processor. Security processors in the past were simply algorithm accelerators used for the extensive calculations associated with deploying VPN and SSL; the burden of deploying security was left to the system developer.
Now, imagine a shift in the prevailing attitude. Instead of deploying encryption technologies only where they seem necessary, imagine that it will be implemented at every level of the network. The result: all data traffic, everywhere at all times will be protected.
Every PC will be able to encrypt data going out and data going in. Every service provider will be able to protect its traffic. All traffic on every web server will be secure, not just for e-commerce transactions. Traffic coming in and out of corporate networks will be completely protected. And finally, all security will be transparent to the network. Data will pass through a filter or a security screen to enable transparent security without causing the network to slow down and become the bottleneck.
Contrary to popular opinion, this is not an impossible dream. Today's security processors are addressing all of these concerns (cost, performance and transparency) and are enabling OEMs to provide solutions that can make this dream a reality. These solutions are scalable to the requirements of the access points where security is being deployed.
And where are these access points? On the client side, security technology built into each device (PCs, handhelds, cell phones, PDAs) must have enough performance to support a single user at line rates that are typically in the megabit range. Today's software solutions are more than adequate for supporting dial-up, wireless and even broadband connections.
At the edge of the network, there will be a range of robust security solutions. Depending on the number of users and the amount of data being sent, corporate networks require a higher-performance security solution to support multiple T3 and OC-3 connections. With the growing adoption and deployment of gigabit networks, corporate enterprises are planning to support gigabit data rates as soon as possible.
Managed service providers and data centers see much higher volumes of traffic entering their networks. As aggregation points for many different data streams, MSPs provide the ideal location to implement security solutions. The availability of OC-48 security solutions that are cost-effective and transparent to the network is enabling OEMs to build equipment for this segment.
Securing data at all access points is critical; once the packets are safely encrypted, they can continue on their way at whatever speeds are used throughout the network. To support this requirement, security processors need to scale in performance, with the ability to encrypt and decrypt data at full-duplex gigabit through OC-48 data rates, even when handling small (64-byte) packets. Performance must also be rated from the clear-text side, meaning that the clear-text data rate, not just the line rate, is maintained on the cipher-text side as well.
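The "IP tax" of the earlier paragraph and the clear-text versus cipher-text rating above can be put in numbers; this is an added illustration, not code from the article or from Corrent, and it assumes RFC 2406 ESP tunnel-mode framing, standard 3DES/AES CBC parameters, a 96-bit ICV and the SONET OC-48 rate.

```python
# Added example (not from the article): how much an IPsec ESP tunnel-mode
# packet grows on the wire, and what that implies for a security processor
# whose throughput is rated on the clear-text side.
# Assumed field sizes follow RFC 2406 ESP with an IPv4 outer header.
OUTER_IPV4_HDR = 20   # new outer IP header added in tunnel mode
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)
ICV_96 = 12           # HMAC-SHA1-96 or HMAC-MD5-96 authenticator

def esp_padding(inner_len: int, block_size: int) -> int:
    """Padding bytes so that inner packet + trailer fills whole cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % block_size

def esp_tunnel_size(inner_len: int, block_size: int, iv_len: int,
                    icv_len: int = ICV_96) -> int:
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    encrypted = inner_len + esp_padding(inner_len, block_size) + ESP_TRAILER
    return OUTER_IPV4_HDR + ESP_HDR + iv_len + encrypted + icv_len

def ciphertext_rate_bps(cleartext_bps: float, inner_len: int, block_size: int,
                        iv_len: int, icv_len: int = ICV_96) -> float:
    """Cipher-side bit rate needed to carry cleartext_bps of inner_len-byte packets."""
    wire = esp_tunnel_size(inner_len, block_size, iv_len, icv_len)
    return cleartext_bps * wire / inner_len

def packets_per_second(cleartext_bps: float, inner_len: int) -> float:
    """IP-layer packet rate at a clear-text bit rate (link framing not counted)."""
    return cleartext_bps / (inner_len * 8)

# Assumed cipher parameters: (cipher block size, IV length) in bytes.
CIPHERS = {"3DES-CBC": (8, 8), "AES-CBC": (16, 16)}
OC48_BPS = 2_488_320_000  # SONET OC-48 line rate in bit/s

if __name__ == "__main__":
    for name, (bs, iv) in CIPHERS.items():
        for inner in (64, 1500):
            wire = esp_tunnel_size(inner, bs, iv)
            print(f"{name:8} inner={inner:4}B -> wire={wire:4}B  "
                  f"expansion={wire / inner:.2f}x")
    pps = packets_per_second(OC48_BPS, 64)
    need = ciphertext_rate_bps(OC48_BPS, 64, *CIPHERS["3DES-CBC"])
    print(f"64-byte packets at OC-48 clear text: {pps:,.0f} pps; "
          f"cipher side must sustain {need / 1e9:.2f} Gbit/s with 3DES-CBC")
```

The small-packet case is the one that hurts: a 64-byte packet nearly doubles in size while a 1500-byte packet grows by a few percent, so a processor rated only at the line rate on the cipher-text side cannot keep up with 64-byte clear-text traffic at that same rate.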
Security processors also must be able to support multiple configurations. OEMs want the flexibility to place security at different places within the data flow architecture. Some will choose the in-line approach where the security processor sits physically between the MAC/Framer and Network Processor. Placing the protection device directly into the data stream guarantees that every packet received or on its way out will be protected.
Others may choose to centralize security and give all data streams access to the resource when security is required. Here, security can be a separate blade hanging off the system fabric or a side-car to a network processor. In either scenario, implementation of security should be straightforward.
100% assurance
Security must not burden the performance of the network when processing the security protocols (SSL and IPsec). To ensure a 100% encrypted Internet, security processors must be responsible for handling all packet and record manipulations specific to securing IP traffic. Data path processors do not have the horsepower to handle this overhead along with the rest of their duties of classifying, routing and managing IP packets. Through on-chip programmable micro engines, security processors provide this deep packet inspection and manipulation to ensure that systems maintain the necessary data rates.
Too expensive? No. Every PC already has this capability built into the web browsers -- it's just not used all the time. However, this vision of the network will require the carriers and Web hosts to deploy more security systems.
The silicon component that adds encryption to line cards today costs in the $300 range. To make it affordable at this level, these chips need to come down significantly in price, to levels comparable to the other components on the line cards, such as MACs and PHYs. If the security chips were in the $50 to $75 range, adding encryption to every line card would be a much more compelling feature.
At current levels of deployment, lowering prices from $300 to $75 makes no sense. But in a world where encryption is ubiquitous, the volumes would be dramatically different. Instead of selling them by the thousands, chip vendors would see encryption chips sold for every port, every server and every system: a gain of millions and millions of units.
At those volumes, it is easy to imagine pricing levels comparable to the other components that also ship in the same huge volumes. Encryption everywhere could be affordable. This is somewhat of a Catch-22 situation, because the prices won't come down until volumes are much greater, and the volumes can't grow until prices fall. However, the point to consider is that the fabless ASIC model will work in this environment, as cost and yield targets from leading foundries like UMC and TSMC are as competitive as any world-class fabrication facility. Volume will drive pricing; it's as simple as that.
Hardware-based security acceleration PC cards are selling in the $2,000 to $4,000 range today. Ensuring that every server in a data center can support 100% of its e-commerce traffic will require a different type of business mindset from security vendors, namely one that reaches a price point where it doesn't make sense for server OEMs not to provide SSL as a standard Web server feature. $500 retail price points are reachable today in this regard. It's not inconceivable for the accelerator card to follow the path of the Ethernet NIC card business. The 4 million to 5 million entry-level Web servers expected to ship by 2005 indicate that the volume portion of the pricing equation remains strong.