Three axioms will drive the future of enterprise networking: Moore’s Law, Metcalfe’s Law and Petreley’s Law, which I will define for the first time here.
Gordon Moore, co-founder of Intel, originally stated in 1965 that the number of transistors per square inch in integrated circuits would double every year. It turned out to be more like every 18 months in practice, and Moore blessed a revision of his law to adapt to reality. Ethernet inventor Bob Metcalfe stated in his law that the usefulness of a network increases at a rate in proportion to the square of the number of users on that network.
I would like to propose a new law to complement these others: the security of any corporate network is inversely proportional to the number of systems administrators on the network.
Metcalfe’s Law trumped Moore’s Law in importance the moment that companies connected to the Internet. One could see evidence of this as users stopped screaming for more powerful PCs and instead started demanding more bandwidth.
That doesn’t mean Moore’s Law is no longer relevant. If you restate Moore’s Law as “Processing power is cheap, and it keeps getting cheaper,” Moore’s Law still has a very important part to play, even if users no longer care as much about the speed of the main CPUs on their desktops.
One way to address security is to encrypt information before you pass it to the network. We normally associate encryption with a performance hit because it’s CPU-intensive, but Moore’s Law allows us to do encryption in network interface card hardware at decreasing costs. As processing power continues to get cheaper, network interface card vendors have added hardware-assisted IPSec encryption as a checklist item.
The problem is that many of you are probably taking advantage of these features only if your company has implemented a virtual private network (VPN). But there’s no reason why anyone should be sending plain-text information, let alone plain-text passwords, over the Internet anymore. Encryption needs to graduate from VPNs and Secure Sockets Layer-enabled Web sites and become the standard for communications over the Internet.
I would also like to see automatically negotiated data compression protocols become part of Internet communications standards. That would make hardware-assisted data compression eventually become a checklist item for future network interface cards. In many cases, this could increase data throughput and therefore result in a perceived increase in bandwidth, regardless of your physical connection to the Internet. It may be a hard sell to get someone to buy a computer because the CPU runs 100 MHz faster, but it would be easy to sell anything that increased perceived bandwidth (hint, hint, Intel Corp. and 3Com Corp., to name but two network interface card vendors).
One company that seems to have a clue in this regard is SSH Communications Security in Palo Alto, Calif. It has several products and proposals that combine compression with the IPSec protocol in both hardware and software. SSH also has other interesting technologies, such as one that lets you use IPSec along with network address translation (NAT). NAT is a technique that lets you connect several clients on your network to the Internet simultaneously without having to give each of them its own public IP address. IPSec doesn’t currently support NAT, but SSH has managed to add the capability without violating the IPSec standard.
Now to throw the monkey wrench into the works: Petreley’s Law. Stated again, the security of any corporate network is inversely proportional to the number of systems administrators on the network. The crucial question, therefore, is how many systems administrators does your company have? Care to take a guess? Three? Ten? Fifty?
Bzzzt. If you work at a large company that puts a Windows PC in the hands of every user, then you have thousands of systems administrators. Windows still gives user applications write access to system files, which means any user who accidentally downloads a virus or Trojan horse provides the malicious program with systems administrator privileges.
This isn’t the case with most other operating systems, including Linux, BSD, Solaris and other Unix variants. In Unix, a user is a user and any program he runs can have only the privileges that are assigned to him. Think about that when you make plans to lock down security for your enterprise network.
Nicholas Petreley is a computer consultant and author in Hayward, Calif. He can be reached at [email protected]