Security Will Become Computationally Less Expensive

We are already witnessing the fact that security is becoming less expensive. Hardware cryptography chips are now available in smaller routers, network interface cards (NICs), and devices. As of this writing, you can purchase a NIC, which does hardware Triple DES (3DES) encryption for less than $100. Although this reduction in computational complexity doesn't solve the identity and other management issues that impair widespread crypto use, it does mean that your options as a security architect will expand. Basic stateful firewalls will soon have hardware acceleration in many devices as well. Although the management issues remain, it is very likely that core technologies such as firewall, crypto, and intrusion detection can be done without impacting the forwarding performance on an end system or a router/switch in the not-so-distant future.

The impact of this change will be significant. Both end-system and network vendors could offer new ways of securely building networks that are not possible today. However, with these new networks come new challenges. Take crypto, for example. If in the near future all traffic on a campus network were encrypted, what would that mean for traditional secure networking devices such as firewalls or intrusion detection systems (IDS)? If all traffic were encrypted, it would look the same to these devices, and no additional inspection would be possible. This would leave the security of an end host in the hands of that end host only. See the axiom on confidentiality and security discussed in Chapter 1, "Network Security Axioms," for additional information.

In a best-case scenario, hardware-based security processing will free the IT industry from worrying about basic issues such as performance and will allow it to focus on the more difficult problems of attack identification and mitigation. This will be possible because some of the substantial resources used to improve performance in security capabilities can be reallocated. This will allow security vendors to focus on making networks more secure rather than playing catch up with networking gear to retain the same level of performance. Additionally, integrating the security functionality into the network (once it is available at wire speeds) might very well eliminate the need for special-purpose security devices in some cases. However, remember that simply having the ability to install a security capability into a network device doesn't mean it should be done. See the platform discussion in Chapter 7, "Network Security Platform Options and Best Deployment Practices," if you need a refresher on these concepts.