Your network is public--live with it!

Stop trying to think of your network as a private space. Your problem is not keeping people out, but limiting them once they are in.
Written by Peter Judge, Contributor
COMMENTARY--A network manager's job consists of keeping the network running, and keeping it secure. People should be able to do the things they need to (and are allowed to), and other people should be kept out.

But that job has been quietly getting more complex. There are wireless LANs on your corporate network (whether you know about them or not), and remote access has exploded, as people with broadband are connecting in through VPNs. Legitimate corporate users are tunnelling in through firewalls, and connecting up with devices that you never knew about.

All of which makes it harder and harder to maintain a solid boundary between the corporate network and the outside world, the legitimate user and the non-legitimate one. If a visitor connects to your wireless LAN, he is a hacker, right? Unless he is a visitor with permission from the local manager to connect out to check email, or a third party's worker logging in to his own corporate network to download some technical support documentation.

Traffic coming through your firewall that you can't monitor is bad, right? Yes, unless it is encrypted VPN packets tunnelling to the LAN for routine e-mail and office work.

The realization is dawning that the boundary cannot be kept rigid anymore. "The network boundary is fractal," said Whitfield Diffie, inventor of public-key cryptography, and now Sun Microsystems' security guru. As befits a mathematician, he was expressing in mathematical terms the ever-increasing complexity of the edge of the corporate network.

Hewlett-Packard puts it in terms that are more business-like--and more frightening to the network manager. "The enterprise network will become a public network," says John McHugh, HP's vice president and general manager for HP's ProCurve networking business. By which he means: "If you don't regulate the presence of various people on your network, it will happen anyway, unregulated."

The answer is to make every port authenticate the users who plug into it--an ability that the 802.1X standard now provides. Adding a wireless access point then no longer opens up the network, even if it is done without the network manager's knowledge: anyone connecting in through that access point still has to authenticate to the switch port it is attached to.

Surprisingly enough, taking this step has benefits beyond security. It turns out to let the network support other things you might want it to do. For instance, visitor networks become easier to set up: traffic can be separated with VLANs, and if a user only has a guest certificate, they only get access to the public Internet.
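The port-based decision described above, as an added illustration that is not part of the original commentary and not code from any switch vendor: a small model of what an 802.1X-capable switch does with the RADIUS reply it receives for a supplicant. An Access-Accept carrying the standard RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) puts the port into that VLAN; an Access-Accept without them leaves the port in its configured default VLAN; a reject, or no reply at all, sends the port to a guest VLAN if one is configured and otherwise leaves the port closed. The VLAN numbers and the `PortPolicy` and `apply_auth_result` names are assumptions made for the example.

```python
"""Model of per-port 802.1X outcome handling with dynamic VLAN assignment.

Constructed example: attribute names and values follow RFC 3580, but the
port policy, VLAN numbers and function names are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# RFC 3580 values a RADIUS server sends to assign a VLAN over 802.1X
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = IEEE 802


@dataclass
class PortPolicy:
    """Static per-port configuration on the switch (assumed layout)."""
    default_vlan: int                 # VLAN used when an accept carries no VLAN
    guest_vlan: Optional[int] = None  # VLAN for failed/absent auth; None = port stays closed


@dataclass
class PortState:
    authorized: bool        # True only after an Access-Accept
    vlan: Optional[int]     # None means the port forwards nothing
    reason: str


def vlan_from_radius(attrs: dict) -> Optional[int]:
    """Return the VLAN id carried by RFC 3580 attributes, or None if absent/malformed.

    All three attributes must be present and consistent; a VLAN outside 1-4094
    is treated as malformed so a bad server reply cannot yield an odd port state.
    """
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    group = attrs.get("Tunnel-Private-Group-ID")
    if group is None:
        return None
    try:
        vlan = int(str(group))   # attribute is a string on the wire
    except ValueError:
        return None
    return vlan if 1 <= vlan <= 4094 else None


def apply_auth_result(policy: PortPolicy, radius_code: Optional[str],
                      attrs: Optional[dict] = None) -> PortState:
    """Decide the port's VLAN from the RADIUS outcome.

    radius_code is "Access-Accept", "Access-Reject", or None for no reply.
    """
    attrs = attrs or {}
    if radius_code == "Access-Accept":
        vlan = vlan_from_radius(attrs)
        if vlan is None:
            return PortState(True, policy.default_vlan,
                             "accepted without a usable VLAN attribute; default VLAN")
        return PortState(True, vlan, "accepted; VLAN assigned by RADIUS")
    # Reject or timeout: never grant the default VLAN
    if policy.guest_vlan is not None:
        return PortState(False, policy.guest_vlan, "not authenticated; guest VLAN")
    return PortState(False, None, "not authenticated; port closed")


def demo() -> dict:
    """Run the three cases from the article on one constructed port policy."""
    port = PortPolicy(default_vlan=10, guest_vlan=200)   # 10 = staff, 200 = Internet-only
    employee = apply_auth_result(port, "Access-Accept", {
        "Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "10"})
    visitor = apply_auth_result(port, "Access-Accept", {
        "Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "200"})
    unknown = apply_auth_result(port, "Access-Reject")
    return {"employee": employee, "visitor": visitor, "unknown": unknown}


if __name__ == "__main__":
    for who, state in demo().items():
        print(f"{who:9s} authorized={state.authorized} vlan={state.vlan}  ({state.reason})")
```

The point of the model is the fallback ordering: only an accept reaches the default VLAN, and a failed or missing authentication lands in the guest VLAN or nowhere, which is what makes a rogue access point on an authenticated port harmless rather than an open door.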

Putting authentication at the edge of the network also paves the way for things such as mobility and convergence (of voice and data traffic). It is only worth handling voice traffic on the IP network if you can guarantee the performance end-to-end.

Authentication at the edge sorts out what traffic will be used for, right at the outset, so performance can be monitored and guaranteed.

If users are authenticated at the port where they are, then this can be used with IP telephony to realize the dream of the phone extension that follows you wherever you go, including to your home broadband connection.

It all makes a lot of sense, not least to the network vendors who finally get to sell some extra functionality that might actually be used.

For the last several years, functions have been silting up on network switches, without much evidence that many of them are actually used. Fast Ethernet and Layer 3 switch ports have become the norm, although the speed and the traffic management--apart from making each other redundant (if the network is that fast, who needs to manage the traffic?)--are comparatively rarely used. This is because of the management overhead, and because users and applications are not authenticated at the lower layers of the network, so it is almost impossible to tell which frames should go fastest.

There have been efforts to sling functions onto switches. In the past years, users have been ready to pay a little extra for something they don't need, just in case they do need it sometime, especially if it sounds cool and advanced.

Those days are past, and people will go for cheaper products unless the extra features are actually useful--and usable.

Placing more intelligence at the edge seems like a good way to work towards that. It may well move some previously leading-edge technology into the mainstream. Vendors like HP and Enterasys are making a bid to do this--although the sales message is perhaps a tricky one to live with.

"What we've done to boost security also makes convergence boring and safe enough to implement," is not the stuff of great headlines. But it might be what is needed to keep users buying network technology, even in these difficult times.
