Network security to move toward "complete packet inspection"

jam,” said Kay.

What is required, said Kay, is a new approach that embeds security pervasively throughout the entire network, in such a way that one can have the situational awareness necessary to respond instantly to threats or problems, and contain the damage before it spreads into the entire network. Making this possible requires a new technology — which Kay referred to as “complete packet inspection” — which has only recently become available, in the form of a breakthrough chip, based on a novel algorithmic “fabric” invented by cPacket, the company Kay heads.

What cPacket has done, explained Kay, is to develop an economical chip that performs both header and payload inspection of every packet, every bit, at 20 gigabits per second. This new silicon technology results in a 10-to-1 improvement in packet processing speeds, at about one-tenth the cost. The resulting 100-to-1 improvement in cost-performance permits situational awareness and rapid response to be integrated pervasively into the network infrastructure, right down to the port level, without introducing the complexity, cost, or performance bottlenecks that characterize current technologies.

Kay said that the chips were designed for ease of integration into pre-existing network equipment designs while having the flexibility to be the foundation of any future security feature. “There are just three ports,” said Kay, “input, output and duplicate.” This permits a “bump in the wire” model which allows the six-watt chip to be dropped, for example, into switches and line cards, even at individual ports, with only minimal disruption. Control can be in-band or out-of-band. Moreover, the chip uses a zero-programming, template-based model to invoke the unified header parsing and regular-expression searches in the payload that it is uniquely capable of. “Provisioning is as simple as filling in a form on a browser,” said Kay.

What all this means, concluded Kay, is that there is now a means for network equipment manufacturers to provide cost-effective, easy-to-use network visibility and response based on complete packet inspection, which is both suitable and economical for pervasive deployment throughout the network, and not just in expensive, high-end products. “There’s a new sheriff in town,” said Kay.

Kay’s company offers a chip which can serve as the foundation of the new security approach, but Kay’s insight into network security needs goes beyond promoting his company’s products. Kay made his remarks at a seminar entitled “Embedded Network Security Design” hosted by the Linley Group, on 13 September.