Over a series of blog submissions, I plan to look at the challenge of implementing security through a set of different lenses. The lens I will employ today is one of compute power – specifically the amount of compute power it takes to implement protection against a broad array of possible threats in a network device.
Given infinite compute capacity, one could take every flow of traffic encountered on the network and play it back (in a sandbox) against all versions of software which might end up on its receiving end. If one of the sandboxes sustains damage, we’d know that the flow is potentially dangerous (though it may involve no malicious intent and may not actually cause any damage on the particular system which is the flow’s recipient). Given that we must make do with only finite compute capacity, we will need to apply more brain and less brawn to this problem.
The security technologies which can prevent a flow from reaching a certain destination can be broadly categorized as follows (sequenced from coarsest and computationally cheapest to finest grained and computationally most expensive):
It’s not worth wondering which security technology you need. Each is a tool in a tool chest, and limiting your selection of tools puts you in an awkward situation, not unlike trying to assemble a grill for your Labor Day picnic with only a hammer in hand.