Aggregation is inevitable

12 Jun, 2007  

DNS on your router? Yes. Richard Bejtlich, who has a great blog over at TaoSecurity, posted about it yesterday. As Richard notes, Cisco routers have been DNS-capable for the last year or so, though probably many don’t know it. There’s actually a site that describes various uses of the router-DNS combination, such as having a router cache and forward DNS requests for devices within a DMZ. One of Richard’s concerns about combining these and other services is the potential security risk of one compromised service providing access to other services on the same device or box. The obvious solution is the one we’ve largely followed to date: apply separation of duties on different boxes.

Consolidation, functional aggregation, or convergence; regardless of what you call it, this is already happening. Sure, there will always be reasons to have specialized boxes, but the trends are all pointing in the opposite direction. Because of trust relationships between devices and networks, even specialized or single-function boxes still pose a very significant risk if compromised within the network.

Richard’s basic position, if I’m adequately summarizing it here, is that businesses without the sophistication or expertise will place a greater reliance on converged devices. That may be the case, but I believe different causes are creating this result, not lack of sophistication. In many cases, it may be just the opposite. Let’s look at some of the drivers around convergence.

  • Manageability – Fewer devices, fewer vendors, and less disparate technology simplify management. Smaller businesses have fewer infrastructure needs. Larger enterprises want ways both to standardize equipment at remote and smaller offices and to drive down the management costs (including people) needed to service, monitor and maintain infrastructure across the organization. Convergence helps achieve that goal.
  • Economics – While networks, computer equipment and security are all vital to maintaining a functioning business, the cost to operate and manage the infrastructure is an overhead cost. Convergence helps reduce costs by simplifying network complexity and taking advantage of lower-cost equipment: UTM, UNP and multi-function devices, and increasingly general-purpose Intel/AMD computing technology (both in appliances and on off-the-shelf hardware).
  • Resources – Hardware is a delivery mechanism, not the end result. Why have five boxes if I can have two? Why have two if, in this situation, one meets the needs? We’ve grown up in a networking paradigm where a box does a function. Want more functions? Add more boxes. From a security view it makes sense; separation of duties reduces risk. But it’s the underlying software, whether burned into a chip, loaded from a flash drive, or brought in from a disk drive, that delivers the services. The hardware is the speeds, feeds, and operating platform for those services.
  • Disassociation of hardware and software – We’re coming to the realization that for most applications, binding services performed by software to a specific hardware platform makes just as little sense in the network as it does in the data center. Sure, switches need lots of switch ports because of the port density requirements to fulfill their role in aggregating network traffic. But do routers, firewalls, DNS or other network services really have to be bound to a single piece of hardware? In most cases, not really. As a matter of fact, that binding is a significant limiting factor, because increasingly it is unnecessary. To support the networks of the future, these bonds must be broken, and even Cisco recognizes this, though it is still unclear whether they will truly make this transition "to software" successfully.

I’m not saying that Richard is wrong, necessarily, just that there are other factors at play here, some of which I’ve listed above. As the network gets pushed further and further out, as the perimeter dissolves into many micro-perimeters, and as the network reaches out and interconnects more of the world we live in, economics and scale change the game on us. Make it easier. Drive down the life-cycle cost. And deliver more. Make it viable for new communities to deliver and manage these services. Those are the laws of progress that will help make convergence inevitable.


3 Responses

  1. Rob Lewis says:

    That obvious solution that we’ve largely followed to date, apply separation of duties on different boxes, is primarily why we have networks that are full of silos and stovepipes, unable to assure secure data hand-offs to those that require access and hindering optimum business data flow. A better solution, now that it is available, is to use TOS/MLS solutions to ensure domain separation and digital separation of data at a very granular level, as well as to provide additional protection for the network should a trusted device become compromised.

  2. Corbin says:

    It will be nice to me. Isn’t it? Who thinks else, give me a call.

  3. Ariel says:

    yes, converged network technology is already happening and companies must start to get on board or they will be left in the dust.