Can Networks Defend Themselves?

Just think of it: routers and switches no longer need separate firewalls, IDS/IPS appliances, or other security technologies to shield themselves from attacks. Fewer boxes to maintain, fewer management systems to support—what’s not to like? As it turns out, plenty.

Can enterprise networks effectively defend themselves? Some networking equipment vendors think so and have promoted the idea for several years. It’s an attractive pitch: routers, switches, and other networking gear will no longer need separate firewalls, IDS/IPS appliances, or other security technologies to shield themselves from attacks. Rather than managing various security products from multiple vendors, you’ll put all your effort (and trust) into managing the built-in protection mechanisms in one vendor’s network infrastructure. Fewer boxes to maintain, fewer management systems to support—what’s not to like?

Network self-protection is a great marketing concept because the phrase implies that effective security can be achieved without the cost of a separate security overlay. But is it a vision or a mirage? To answer this question, consider two possible network self-defense strategies.

The first strategy involves incorporating most security logic into network equipment operating systems and applications. In this scenario, security isn’t an overlay—it’s an inseparable element of a device’s networking software.

The challenge with this approach is the same one that Microsoft faces in trying to build security into an operating system that consists of tens of millions of lines of code. The countless security flaws that Microsoft developers inadvertently allow into Windows do not reflect poorly on their skills. Rather, they demonstrate that even the best software developers in the world will inevitably overlook flaws in their huge, complex programs. The same can be said of the outstanding engineers who design router and switch operating systems.

If vulnerabilities in networking device software are inevitable, is it a good idea to rely exclusively on security functions within that software? Networking software development and security software development are very different disciplines, so great networking code can contain not-so-great defense technology. This may explain why networking innovation and security innovation have almost always come from different vendors with distinct core competencies and focuses.

Another way to implement network self-protection is to add a comprehensive set of security defenses to networking boxes but keep them logically separate from the networking code. The security and networking functions can cooperate the way the best security and networking solutions do today, while avoiding the single-point-of-failure problem in the first strategy. As before, you benefit from having less security hardware to maintain.

Is this scenario really that different from how you implement enterprise security today? In both cases, you manage protection mechanisms that are overlaid on networking functionality and work closely with it. Administration of multiple built-in self-protection mechanisms might or might not be as efficient as the unified enterprise-security management available from a pure security vendor. The main difference is that network self-protection could restrict your freedom to choose overlay security solutions. You’d be committed to a single vendor’s networking and security overlay technologies, whether its security capabilities met your needs or not.

It’s not a cool marketing concept, but protecting networks with a defense-in-depth strategy is a principle that has stood the test of time. Security layers that are independent of network hardware are not subject to a single point of failure. They can also be chosen based on their effectiveness and fit with your environment rather than being dictated purely by your network equipment purchases. Unless you’re willing to accept substantially more risk in exchange for the potential convenience of network self-defense, you should continue to put the best available security technologies between attackers and their targets.

About the Author

Rich Weiss is the Director of Endpoint Product Marketing at Check Point Software Technologies, Ltd. and is CISSP certified.