Network futures: dumb and fast, or smart and self-defending?
The human immune system is being invoked more and more as a metaphor
for how ICT networks should work. Cisco CEO John Chambers regaled
RSA 2006 delegates last month with a story of how his company’s
self-defending network concept is inspired by human biology. Others
are more sceptical. Evan Kaplan, CEO of SSL VPN supplier Aventail,
spoke about this development to Brian McKenna, for Infosecurity, at RSA in San José.
At this conference the metaphor of the human immune system
has been used quite a bit. The title of your talk at this conference
is ‘Dumb versus Smart Networks’, which implies you don’t
buy into this analogy. Would that be right?
I’d say that it’s in a bunch of people’s best
interests to characterize the information security problem that
way. So, you have this idea of the body fending off attack, red
blood cells heading to the scene of the infection, antibodies kicking
in, and so on. Now, the body is a super smart thing that is set
up to defend itself in ways we cannot even understand. So, the idea
of computer networks developing an auto-immune system is an attractive
idea. But there is nothing we have done in computing that matches
the engineering of the human body. For example, artificial intelligence
systems offer poor imitations of the brain.
But it’s in Cisco’s interests to create and promote
that metaphor, because they want to keep upgrading routing and switched
infrastructure to do more and more. It’s a bit like if I’ve
got pink sunglasses then all the world looks pink. If I’m
a network manufacturer all the world looks like a network waiting
to happen.
However, that is an uneconomical and flawed model, and it is distinctly
out of place with where things are going.
To be more specific — and I’d say this even if I were
not the CEO of Aventail — it’s the internet approach
to these problems versus a duplication of the old PSTN/private telephone
approach. The economics are more compelling to use shared public
infrastructure. And even if they were not, the economics of the
workforce – mobility, teleworking and so on – mean that the
bulk of connections are going to come from public infrastructure.
The self-defending network is the ‘Star Wars’ of our
time — in the sense of the missile defence project that never
got anywhere, not the movie sequence. It’s monolithic, it
pretends to be open networking, but it is not. It’s all about
vendor lock-in. It’s got so much homogeneity that it is more
vulnerable. And it is expensive.
How expensive do you believe it to be? Can you illustrate
that?
Okay, functionally what I want to do is have a well-defended corporate
perimeter. Keep the territory you need to defend small – as
in the game Risk.
Look at ebay, or Google, or Amazon. They don’t look at the
network in the underlying security context. They always assume the
network is insecure. Amazon simply don’t want you on their
network. Why would they? They want you using their application,
protected by SSL.
If 85% of your connections are over public infrastructure where
is the bang for the buck in building more private infrastructure?
At Aventail, we have inverted our own network. Everyone is on the
company SSL VPN all the time. There are three things you need to
be able to do, security-wise. You need to know who is connecting
– so we believe very much in strong authentication. You need
to be able to do fine-grained application access control. And you
need to determine what state the actual device is in, and control
its access. With those three things you can create many permutations
of conditional access.
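An added illustration, not Aventail’s code, of how the three checks just listed (who is connecting, per-application access control, and device state) combine into conditional-access decisions; the application catalogue, authentication levels and posture flags are constructed assumptions for the example:

```python
from dataclasses import dataclass

# Constructed example: the three checks Kaplan lists, evaluated together.
# Application names, authentication levels and posture flags are assumptions
# made for this illustration, not Aventail product behaviour.

@dataclass(frozen=True)
class Session:
    user: str
    auth_method: str      # "password", "otp" or "certificate" (who is connecting)
    device_managed: bool  # corporate-managed endpoint? (device state)
    av_up_to_date: bool   # endpoint posture check passed? (device state)

# Assumed strength ranking of the authentication methods.
AUTH_STRENGTH = {"password": 1, "otp": 2, "certificate": 3}

# Assumed application catalogue: minimum auth level plus whether the app may
# be reached from an unmanaged or an unhealthy device (fine-grained app control).
APPS = {
    "webmail":  {"min_auth": 1, "needs_managed": False, "needs_healthy": False},
    "intranet": {"min_auth": 2, "needs_managed": False, "needs_healthy": True},
    "erp":      {"min_auth": 2, "needs_managed": True,  "needs_healthy": True},
    "src-repo": {"min_auth": 3, "needs_managed": True,  "needs_healthy": True},
}

def decide(session: Session, app: str) -> str:
    """Return "allow", or "deny: <reason>" for the first failing check."""
    rule = APPS.get(app)
    if rule is None:
        return "deny: unknown application"          # default-deny for anything not catalogued
    if AUTH_STRENGTH.get(session.auth_method, 0) < rule["min_auth"]:
        return "deny: authentication too weak"
    if rule["needs_managed"] and not session.device_managed:
        return "deny: unmanaged device"
    if rule["needs_healthy"] and not session.av_up_to_date:
        return "deny: device posture failed"
    return "allow"

def reachable_apps(session: Session) -> list:
    """List the applications this session is permitted to reach, in catalogue order."""
    return [app for app in APPS if decide(session, app) == "allow"]

if __name__ == "__main__":
    # Same user, three different device/auth permutations, three different outcomes.
    for s in (Session("alice", "certificate", True, True),
              Session("alice", "otp", False, True),
              Session("alice", "otp", True, False)):
        print(s.auth_method, s.device_managed, s.av_up_to_date, "->", reachable_apps(s))
```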
So what would you say to Cisco?
I’d say make sure that the switches and routers don’t
fail and make it go faster. Do security products by all means, but
don’t make them network aware. Don’t make them have
to know what the Cisco router is thinking.
They are doing what Microsoft has done, where the operating system
becomes so monolithic that it takes three years to get a roll of
it. It is like shipping an airplane, shipping an OS today. IOS is
becoming the same. The likes of Aventail or F5 exist to do a lot
of these things more efficiently at the higher layers.
The lower in the network stack you are, the slower change should
be.
I want a faster, dumber network. The self-defending network sounds
awesome. Everyone wants a network that works like the human body.
But you know what? I’d settle for a network that works like
a highway.
Evan Kaplan co-founded Aventail, along with Chris Hopen, chief
technology officer, and Derek Brown, engineering manager, in 1996.
Kaplan is president, CEO and chairman of the company.