Optimization and Security: A Tricky Combination
Network optimization and security should be ideal bedfellows, since they both aim at what is the central target for IT and network administrators: to provide users with fast, seamless applications and services while assuring the security and integrity of the data that goes across the network.
However, the two can often be at odds. The kinds of practices necessary for optimization — data compression, load balancing, dynamic routing etc. — can mess with some of the functionality needed for security, such as the deep data packet inspection needed for intrusion prevention. Likewise, encryption doesn’t match up well with latency mitigation.
Basically, it’s “a difficult little dance,” said John Burke, an analyst with Nemertes Research. Compression, for example, requires stripping recurring data out of a file, so that you don’t end up sending the same size text or data file across the network hundreds of times a day. However, the optimization appliances that would do that can’t work on encrypted files.
Consequently, where optimization and security devices sit on the network becomes critical, because if you have to decrypt and then re-encrypt files two or three times on their passage across the network, traffic will slow down and negate many of the optimization efforts.
“So, you have to take into careful consideration which appliance encrypts its own traffic, and which things you are looking at encrypting somewhere downstream from the appliance itself using some sort of proxy servers or encrypting gateway,” Burke said.
Also, organizations should be mindful of more straightforward practices, which are often ignored.
“Clean data of junk before you encrypt it, for example, so that the package is as small as possible before you ship it out,” he said. “That will greatly help with optimization efforts.”
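To make the compress-then-encrypt point concrete, here is an added Python example (it is not from the article or from the analysts quoted in it). It compresses a constructed, repetitive log file once before encryption and once after encryption, so the effect of placing an encrypting gateway upstream of a compressing optimizer can be measured instead of asserted. The cipher is an illustrative HMAC-SHA256 counter-mode keystream, chosen only so the example runs on the standard library; the key, nonce and sample text are constructed values.

```python
import hashlib
import hmac
import zlib

# Constructed sample payload: a repetitive log-style document, the kind of file
# that a WAN optimizer would normally compress or deduplicate very well.
SAMPLE_TEXT = "".join(
    f"2024-01-01T00:00:{i % 60:02d}Z host-{i % 4} sshd[{1000 + i}]: "
    f"Accepted publickey for admin from 10.0.0.{i % 250}\n"
    for i in range(400)
).encode()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative counter-mode stream cipher: HMAC-SHA256(key, nonce || counter)
    blocks XORed over the data. It stands in for a real cipher so that the example
    needs no third-party library; use a vetted AEAD such as AES-GCM in practice.
    Applying it twice with the same key and nonce recovers the plaintext."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compare_orders(plaintext: bytes, key: bytes, nonce: bytes) -> dict:
    """Return (bytes on the wire / original bytes) for both pipeline orders."""
    # Order 1: compress first, then encrypt the compressed output.
    # This is what "clean the data before you encrypt it" amounts to.
    comp_then_enc = keystream_xor(key, nonce, zlib.compress(plaintext, 9))

    # Order 2: encrypt first, then hand the ciphertext to the optimizer.
    # Ciphertext has no recurring data left for the compressor to strip.
    enc_then_comp = zlib.compress(keystream_xor(key, nonce, plaintext), 9)

    return {
        "compress_then_encrypt": len(comp_then_enc) / len(plaintext),
        "encrypt_then_compress": len(enc_then_comp) / len(plaintext),
    }


if __name__ == "__main__":
    # Constructed key and nonce; a real deployment derives these from a KMS or key exchange.
    ratios = compare_orders(SAMPLE_TEXT, b"k" * 32, b"n" * 16)
    for order, ratio in ratios.items():
        print(f"{order}: {ratio:.3f} of original size")
```

Running it shows the compress-then-encrypt pipeline shrinking the log to a small fraction of its size, while encrypt-then-compress leaves the payload at (slightly above) its original size, because zlib can only emit stored blocks for data that looks random. That is the whole reason the order of appliances on the path matters: an optimizer placed downstream of the encrypting gateway sees only the second case.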
The legacy equipment that many agencies have in place can have difficulties with network optimization, if precautions are not taken. Static routes, for example, can be hard-coded into a firewall so that it does not depend on route updates from an external source it must trust. With dynamic routing, it is easier for attackers to mislead the firewall.
Dynamic routing also introduces asymmetries into the traffic flow, which many firewalls will block by default, causing network outages.
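The asymmetric-routing outage described above is easy to reproduce in a model. The following Python example is added here and is not part of the article: it implements a minimal stateful packet filter (new connections may only be opened from the inside network, everything else must match a tracked flow) and then runs one client connection twice, once with both directions crossing the same firewall and once with the reply steered through a second firewall that never saw the opening SYN. All addresses, ports and firewall names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" opens a flow; any other packet must match an existing flow


class StatefulFirewall:
    """Minimal model of a stateful packet filter. Real products track sequence
    numbers, timeouts and much more, but the state-table behaviour that
    asymmetric routing trips over is the same: no state, no pass."""

    def __init__(self, name: str, inside_prefix: str):
        self.name = name
        self.inside_prefix = inside_prefix
        self.flows = set()
        self.log = []

    @staticmethod
    def _flow_key(p: Packet) -> frozenset:
        # Direction-agnostic key so a reply matches the flow its request opened.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, p: Packet) -> str:
        key = self._flow_key(p)
        if key in self.flows:
            verdict = "ALLOW"  # packet belongs to a connection we have seen
        elif p.flags == "SYN" and p.src.startswith(self.inside_prefix):
            self.flows.add(key)  # inside host opening a new connection
            verdict = "ALLOW"
        else:
            verdict = "DROP"  # no matching state: what an asymmetric reply hits
        self.log.append(
            f"{self.name}: {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {verdict}"
        )
        return verdict


def simulate(asymmetric: bool) -> list:
    """Client 10.1.0.5 opens an HTTPS connection to 203.0.113.10 (constructed
    addresses). With symmetric routing both directions traverse fw-a; with
    asymmetric routing the dynamic routing protocol sends the reply via fw-b."""
    fw_a = StatefulFirewall("fw-a", "10.1.")
    fw_b = StatefulFirewall("fw-b", "10.1.")
    request = Packet("10.1.0.5", 51000, "203.0.113.10", 443, "SYN")
    reply = Packet("203.0.113.10", 443, "10.1.0.5", 51000, "SYN-ACK")

    verdicts = [fw_a.process(request)]
    return_path = fw_b if asymmetric else fw_a
    verdicts.append(return_path.process(reply))
    for fw in (fw_a, fw_b):
        for line in fw.log:
            print(line)
    return verdicts


if __name__ == "__main__":
    print("symmetric:", simulate(asymmetric=False))
    print("asymmetric:", simulate(asymmetric=True))
```

In the symmetric run both packets are allowed; in the asymmetric run the SYN-ACK is dropped by fw-b, and from the user's point of view the connection simply hangs. That is the outage the article refers to, and it is why firewall placement has to be designed together with the routing scheme rather than after it.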
When agencies first start thinking about network optimization, they should tackle such issues as latency, jitter and loss of data packets, said Michela Menting, cyber security senior analyst with ABI Research. However, what might work well enough in an on-premises local area network (LAN), such as traditional stateful firewalls and IDS/IPS devices, does not do so well in a wide area network (WAN) setting.
Industry has been catching up with the need for technology to address these concerns. Next-generation firewalls, for example, are application-aware, and those do work well in the WAN.
“But the solution needs to be balanced with application level intelligence,” Menting said, “[because] looking too deeply into each [application’s data] risks increasing latency.”
A number of vendors are offering security, networking and WAN acceleration and optimization in a single piece of hardware. Some of these are sold as managed devices, and include features like IPS, virtual private networks and anti-malware, along with optimization tools such as data compression, routing and application performance.
Virtual appliances can also provide a form of optimization, and are often cheaper than buying physical devices. But they are slightly less effective because they are not truly integrated with other devices in the network.
“In essence,” Menting said, “it can be a challenge. Organizations will have to decide on a case-by-case basis how to define the balance between best optimization and security.”