
GET TECHNOLOGY RIGHT

IT Strategy Guide: Network Security

Inside

Introduction
NAC vs. NAP
Big Picture Security
The Great Intrusion Prevention Debate
Federation Takes Identity to the Next Level
Manage Network Access Without Cutting Productivity
Password Protection: A Constant State of Insecurity
Building the Intelligent Network


Introduction
How do you secure your downtown office? You don’t let unauthorized people wander past the lobby without an escort or an ID badge. In other words, you quarantine people you don’t trust.

How do you protect your network? Perhaps the same approach would work: isolating traffic, even if it originates inside the firewall, unless the user and network device are recognized and authorized.

While the devil can be in the details, a security scheme requires looking at the forest as well as individual trees. After all, robust protection needs more — a lot more — than just a firewall and anti-virus software. Today’s multifaceted threatscape requires a carefully planned and coordinated security event management and incident management approach. The big-picture answer to the big-picture security question: Integration. We’ll show you how, and why.

We’ll also examine two of today’s most controversial topics in network security: intrusion prevention systems (IPS) and federated identity management. Is IPS technology a point solution, or a central part of a security scheme? Is federated identity management the best way to handle large-scale user authorization in an increasingly collaborative world, or is it a security loophole waiting to trap an unwary IT department? It’s a tough question.

More tough questions about security often come from line-of-business managers and executives who want a secure network but can’t afford any impact on employee productivity. If technologies like NAP/NAC, IPS and federated identity cut off users or LAN segments, what happens when that goes wrong? While isolating users who might have a virus might seem like a good idea, it might also prevent people from getting their work done. Striking a balance between productivity and security is a difficult but critical task when it comes to locking down your network, and the answer will depend a lot on your company’s priorities and policies.

Despite the typical emphasis on LAN security, your employees are also exposing your company to risk every time they use a password-protected Web portal, or log onto e-mail from a hotel room using a non-encrypted connection, or even surf from a public WiFi hotspot. The enterprise is in a constant state of insecurity, largely due to bad password policies – not just in choosing them, but in enforcing policies that only allow the encrypted transmission of plain text passwords. Bad, bad, bad… password sniffing is fast, easy, and dangerous. What are you going to do about it?

What it all comes down to is building an intelligent network that is proactive in regards to issues like reliability, scalability, performance and security. From application directories to intelligent switches to XML message brokers, there’s a lot that your network can do to help solve today’s biggest IT problems. We’ll close out this IT Strategy Guide with a discussion of network intelligence, and how it can make you smarter.
— Alan Zeichick

Copyright © 2006 InfoWorld Media Group. All rights reserved.


See the full selection of InfoWorld “IT Strategy Guide” reports at http://www.infoworld.com/store/.

InfoWorld IT Strategy Guide: Network Security

NAC vs. NAP


It all started with the Blaster worm in August 2003. That disastrous epidemic proved once and for all that boundary gateway protection alone is a failed security strategy. Since then, beginning with broader adoption of host-based personal firewalls, vendors have been cooking up host-based schemes to harden the “soft, chewy” center of the network. The most interesting battle over how end-point defense should proceed is between Cisco’s NAC (Network Admission Control) and Microsoft’s NAP (Network Access Protection).

Both NAC and NAP fall under the rubric of Network Access Management, aka end-node quarantining, which assures that computer nodes are securely configured — with a firewall, anti-virus software, up-to-date patches, and so on — before they are given normal or continuing access to the network. Otherwise, they’re quarantined.

Cisco currently leads the field with its NAC platform. To work, NAC requires Cisco products. All NAC-compliant end point and application server solutions, such as anti-virus, firewall, and so on, must communicate with the freely available, often embedded Cisco Trust Agent client software to determine compliance. NAC also requires NAC-aware Cisco network access point equipment and the proprietary Cisco Secure Access Control Server.

Microsoft’s NAP is at an earlier phase. The NAP server will be a core component of future Windows server versions, but cost and licensing have not been decided. NAP requires a NAP server (to be released only on the next server product release), a NAP client (XP Service Pack 2, Vista, or Server 2003), a quarantine server (Microsoft Internet Authentication Services), and one or more policy servers. NAP works by controlling access via DHCP leases, VPN quarantine, 802.1x, or IPSec with x.509 certificates. Although NAP is not yet available outside of beta testing, many vendors have already pledged support.

The risks of choosing one platform over another could be significant. NAC is potentially a more secure solution because end points can be secured at network layer 1 through layer 3, but it requires a Cisco network device (Cisco may eventually allow other network device vendors to join the NAC family). In theory, Cisco can easily extend NAC beyond Microsoft products, but only Windows clients are supported currently.

NAP could debut at minimal cost. Windows XP Service Pack 2, with an update, can be a NAP client. As with Microsoft’s current Network Quarantine Access Control offering, NAP could be offered as a free server component. NAP could come along at no additional cost as customers regularly update their Windows servers. NAP doesn’t require proprietary hardware, but at the same time, that lack of reliance means a slight increase in the possibility of malicious code being transported around a NAP-enabled network than around a network employing Cisco’s solution.

NAC and NAP are in their infancy. Many vendors support both platforms, but most network administrators will be forced to align themselves into one camp or the other to ease central management. Cisco and Microsoft have pledged interoperability and have even licensed each other APIs, but the details are not forthcoming.
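To make the admission decision described above concrete, here is an added example (not code from the guide, from Cisco NAC or from Microsoft NAP) of the posture check that end-node quarantining performs: a host's health statement is evaluated against policy, and any failing host is placed on a remediation network with a list of what it must fix. The report fields, thresholds and network names are assumptions; a host with no agent at all is treated as unhealthy rather than unknown.

```python
# Added example, not from the InfoWorld guide, Cisco NAC or Microsoft NAP.
# It models end-node quarantining: a host's posture report is checked against
# policy before the enforcement point grants normal access to the network.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class PostureReport:
    """Health statement a NAC/NAP-style agent would send. Hypothetical fields."""
    host: str
    agent_present: bool           # is a trust agent / NAP client installed at all?
    firewall_enabled: bool
    av_installed: bool
    av_signature_date: date       # date of the newest anti-virus signature set
    missing_critical_patches: int


@dataclass
class Policy:
    """Assumed thresholds; a real deployment takes these from its policy server."""
    max_signature_age_days: int = 7
    max_missing_critical_patches: int = 0


@dataclass
class Decision:
    host: str
    verdict: str                  # "allow" or "quarantine"
    network: str                  # where the enforcement point places the host
    remediation: list = field(default_factory=list)


# Constructed names standing in for a production VLAN / normal DHCP scope and
# a restricted remediation VLAN / restricted DHCP scope.
PRODUCTION_NET = "production"
REMEDIATION_NET = "remediation-only"


def evaluate(report, policy, today):
    """Return allow or quarantine plus the findings the host must fix first."""
    findings = []
    if not report.agent_present:
        # Fail closed: a host that cannot state its health is treated as
        # unhealthy; otherwise an unmanaged device would skip every other check.
        findings.append("no health agent present; posture unknown")
    if not report.firewall_enabled:
        findings.append("host firewall disabled")
    if not report.av_installed:
        findings.append("anti-virus not installed")
    else:
        age = (today - report.av_signature_date).days
        if age > policy.max_signature_age_days:
            findings.append(f"anti-virus signatures {age} days old "
                            f"(limit {policy.max_signature_age_days})")
    if report.missing_critical_patches > policy.max_missing_critical_patches:
        findings.append(f"{report.missing_critical_patches} critical patch(es) missing")
    if findings:
        return Decision(report.host, "quarantine", REMEDIATION_NET, findings)
    return Decision(report.host, "allow", PRODUCTION_NET)


def evaluate_all(reports, policy, today):
    """Evaluate a batch of hosts; returns a dict of host -> Decision."""
    return {r.host: evaluate(r, policy, today) for r in reports}


# Constructed sample reports for one evaluation date.
TODAY = date(2006, 3, 5)
SAMPLE_REPORTS = [
    PostureReport("pc-01", True, True, True, date(2006, 3, 4), 0),   # healthy
    PostureReport("pc-02", True, True, True, date(2006, 2, 1), 0),   # stale AV signatures
    PostureReport("pc-03", True, False, True, date(2006, 3, 4), 2),  # firewall off, unpatched
    PostureReport("pc-04", False, True, True, date(2006, 3, 4), 0),  # no agent: fail closed
]

if __name__ == "__main__":
    for d in evaluate_all(SAMPLE_REPORTS, Policy(), TODAY).values():
        print(f"{d.host}: {d.verdict} -> {d.network}")
        for finding in d.remediation:
            print(f"    - {finding}")
```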


During the NAC vs. NAP wars, a third option has emerged: the Trusted Computing Group (infoworld.com/3166) TNC (Trusted Network Connect) initiative. TNC’s architecture theoretically functions in the same way the other two solutions do but without the proprietary requirements. Microsoft and Cisco have pledged support, but unless customers demand TNC compatibility, why would the two titans expend effort on an initiative that threatens their interests?

Even if you’re not considering a network access management solution now, investments now may well lock you into one scheme or the other in the future.
— Roger A. Grimes


Big Picture Security


There was a time when cutting-edge network security meant a firewall on your perimeter and anti-virus software on the desktop. No longer. With the advent of polymorphic Internet worms, application-layer attacks, Trojan horses, adware, spyware, and wireless hacks, the network security picture is more complicated than ever.

The multifaceted threatscape, coupled with a raft of new federal data security regulations, has driven network administrators to devote more rack space and money to security point products such as IDSes, IPSes, vulnerability scanning tools, application-layer firewalls, gateway anti-virus and anti-spam products, and identity and access management tools.

To bring order to the chaos of point products, some companies have begun offering SEM (security event management) or SIM (security incident management) technology. Originally intended to manage the glut of alerts and advisories spit out by IDSes and firewalls, SEM/SIM products are evolving into complex system management tools that monitor a wide range of products and supervise everything from vulnerability information to attack management and patching.

“Sign me up,” you say? Not so fast, caution security-industry analysts and experts. Security management products are still in their infancy, and the bromide they offer isn’t for everyone. Moreover, big changes may be in the works as more and more security products move to standards-based platforms. That means enterprises that think they need security management technology in-house may end up taking a costly detour if they don’t already have a firm grasp of their IT security needs.

Security Data Glut

It’s difficult to find an IT security expert who doesn’t espouse the need for security management tools. “People are being buried by data,” says Lance Braunstein, executive director at Morgan Stanley. “You’ve got this bucket of firewall logs, router logs, IDS logs — megabytes of data a minute.”

Managing that data is a pressing issue for network and system administrators, who are presented with unique challenges based on the size of their enterprises. “I can’t think of any other application that requires me to look at gigabytes of data in real time,” Braunstein says. The volume of data — approximately 10MB per minute at Morgan Stanley — makes any intelligent analysis harder, he adds.

SEM technology promises to tame that data by centralizing, correlating, and prioritizing log data from various devices, presenting it via sophisticated visualization features that make it easy for network admins to spot security vulnerabilities and evolving attacks.

Typically, SEM products work by gathering log data and logged events from the devices they support. The information is stored in files such as text-based system logs and SNMP traps, which are notifications generated by network devices of significant events, including startups, reboots, and authentication failures.

Because different products record logs and events in different ways, that information must be translated — or normalized — into a standard format used by the SEM device’s correlation engine. Depending on the product being used, information capture and translation may be performed by a software client, or agent, residing on the monitored device or transmitted in raw format to a central collection point where it is normalized.

“You can have two different types of IDS products — say Snort and Cisco. Both can detect a buffer overflow. But Snort might call it ‘xyz,’ whereas Cisco calls it ‘wpq,’ but it’s the same attack,” says Larry Lunetta, vice president of marketing at SEM vendor ArcSight.
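The normalize-then-correlate pipeline just described, as an added example that is not code from the guide or from ArcSight, netForensics or any other vendor it names: two constructed alert formats (a Snort-style fast alert and a hypothetical key=value syslog line standing in for a second IDS vendor) are parsed into one schema, vendor-specific detection names are mapped to a shared category so that Lunetta's "xyz" and "wpq" become the same attack, and events from different sensors are folded into a single incident that is then ranked by the criticality of the targeted asset. The sample lines, the key=value format, the category map and the asset criticality table are all constructed for the example.

```python
# Added example: not code from the guide or from ArcSight, netForensics or any
# other vendor it names. Two constructed alert formats are normalized into one
# schema, then correlated across sensors and ranked by asset criticality.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str
    category: str     # normalized name shared by every source
    vendor_name: str  # what the source itself called the detection
    src: str
    dst: str


# Vendor-specific names -> common category (the "xyz" versus "wpq" problem).
# "wpq" is the guide's own placeholder, reused as the hypothetical second vendor's name.
CATEGORY_MAP = {
    ("snort", "WEB-MISC buffer overflow attempt"): "buffer_overflow",
    ("cisco", "wpq"): "buffer_overflow",
}

# Snort "fast" alert: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] name [**] ... {PROTO} src:port -> dst:port
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+"
    r"(?P<name>.+?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+")
# Hypothetical key=value syslog format standing in for a second IDS vendor.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_snort(line, year=2006):
    m = SNORT_RE.match(line)
    if not m:
        return None
    # Fast alerts carry no year, so the collector supplies it.
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    category = CATEGORY_MAP.get(("snort", m["name"]), "unknown")
    return Event(ts, "snort", category, m["name"], m["src"], m["dst"])


def parse_kv(line):
    kv = dict(KV_RE.findall(line))
    if not {"ts", "sig", "src", "dst"} <= set(kv):
        return None
    category = CATEGORY_MAP.get(("cisco", kv["sig"]), "unknown")
    return Event(datetime.fromisoformat(kv["ts"]), kv.get("sensor", "cisco"),
                 category, kv["sig"], kv["src"], kv["dst"])


def normalize(lines):
    """Try each parser; a line no parser understands is dropped (the gap an integration kit fills)."""
    events = [parse_snort(line) or parse_kv(line) for line in lines]
    return [ev for ev in events if ev is not None]


def _incident(key, cluster):
    category, src, dst = key
    return {"category": category, "src": src, "dst": dst,
            "first_seen": cluster[0].ts.isoformat(), "count": len(cluster),
            "sensors": sorted({e.sensor for e in cluster}),
            "vendor_names": sorted({e.vendor_name for e in cluster}), "priority": 0}


def correlate(events, window_seconds=60):
    """Fold same-category events between one src and dst inside the window into one incident."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_key[(ev.category, ev.src, ev.dst)].append(ev)
    incidents = []
    for key, evs in by_key.items():
        cluster = [evs[0]]
        for ev in evs[1:]:
            if (ev.ts - cluster[0].ts).total_seconds() <= window_seconds:
                cluster.append(ev)
            else:
                incidents.append(_incident(key, cluster))
                cluster = [ev]
        incidents.append(_incident(key, cluster))
    return incidents


def prioritize(incidents, asset_criticality, default=1):
    """Asset criticality times the number of independent sensors that agree: a minimal "business relevance" step."""
    for inc in incidents:
        crit = asset_criticality.get(inc["dst"], default)
        inc["priority"] = crit * len(inc["sensors"])
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)


# Constructed sample input; 10.2.2.9 stands in for a general-ledger server.
ASSET_CRITICALITY = {"10.2.2.9": 3}
SAMPLE_LINES = [
    "03/05-14:22:01.123456  [**] [1:100001:1] WEB-MISC buffer overflow attempt "
    "[**] [Priority: 1] {TCP} 10.1.1.5:4321 -> 10.2.2.9:80",
    "ts=2006-03-05T14:22:03 sensor=cisco-core sig=wpq src=10.1.1.5 dst=10.2.2.9 sev=high",
    "ts=2006-03-05T14:30:15 sensor=cisco-core sig=wpq src=10.1.1.7 dst=10.3.3.3 sev=high",
    "Mar  5 14:22:05 fw01 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=10.2.2.9",  # no parser yet
]
```

Running `prioritize(correlate(normalize(SAMPLE_LINES)), ASSET_CRITICALITY)` puts the attack on 10.2.2.9 first because two sensors agree on it and it targets the most critical asset; the firewall line is silently dropped until someone writes a parser for it.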


Surveying the Threatscape

Companies such as ArcSight and netForensics offer hardware and software that connect the dots between different sets of security data, while supporting large deployments and sporting sophisticated security data capture, correlation, and visualization features.

netForensics’ nFX product uses a network of collector devices spread throughout a company’s enterprise to gather security data from devices, normalize the data, and aggregate events. It then forwards this information to a central correlation engine, where as many as 20,000 types of messages are boiled down to approximately 100 event types in nine event categories, says Patrick Guay, vice president of product management and marketing at netForensics.

Guay likens the company’s architecture to a pyramid, with security devices making up the broad base. Information is passed up and refined at each stage until it is presented to operators at a SOC (secure operation center) or NOC (network operation center).

After data has been filtered, netForensics’ visualization features display and highlight trends and events such as worm outbreaks — showing which machines were infected and what other systems were infected as a result. That allows administrators to react more quickly than they could just by sifting through individual logs, cutting off access to infected systems, and applying patches where necessary.

ArcSight’s product relies mostly on software “smart agents” to capture logged events and alerts from devices it manages by extracting detailed information from them, categorizing each event, and noting the source of the attack. That information is then encrypted and sent to the ArcSight Manager, a central server that stores the normalized data in an enterprise database and applies specific filters and correlation rules to the events.

As does netForensics’ nFX, ArcSight normalizes security data — boiling down diverse information into a common set of 200 fields — and uses sophisticated graphics to display network status information on a console. Network administrators can link to data retrieved from other security systems such as network vulnerability scanners.

Big Players Move In

Computer Associates and IBM have also invested heavily in SEM technology in recent years, expanding the reach of their respective Unicenter and Tivoli network management suites. These companies are adding value to existing capabilities — including identity management, access management, configuration management, and user provisioning — through integration with SEM components.

For example, IBM’s Tivoli Risk Manager collects and filters information from more than 100 point security devices through standard SNMP or Web services events or through customized events created using tools provided by IBM, says Arvind Krishna, vice president of security and provisioning development at IBM Tivoli.

In addition, the company’s Tivoli Security Compliance Manager automates software vulnerability scans on networks and compares the results of those scans to network security policies. Information collected from those products is then displayed, along with data from other network devices, on the Tivoli Enterprise Console.

Similarly, CA has been focusing development attention on its eTrust Security Command Center, which aggregates and correlates security data from other eTrust components, such as the eTrust Vulnerability Manager, or with third-party security products. The Command Center communicates directly with CA’s Unicenter system management software, passing alerts and status information back and forth to an organization’s network operations team, says Toby Weiss, CA’s senior vice president of product management.

The newest version of the Command Center will extend the reach of eTrust. It will add tighter integration with eTrust Network Forensics — a CA product that allows organizations to capture all their network traffic for forensic analysis — and eTrust 20/20, a product that integrates physical and IT security systems to correlate anomalous behavior.

Consolidating Defenses

The increasing interest in integrated SEM among security vendors of all sizes is just one symptom of a larger movement to combine a number of distinct but closely related security technologies — such as patch management, vulnerability management, and incident management — that have gained wide adoption in the enterprise in recent years.

The drive for greater integration also stems from a range of new federal and state regulations covering data integrity and privacy, such as Sarbanes-Oxley and California’s SB1386. “You have a number of regulations that have emerged that say, ‘You have to be looking for bad things in your environment, and when you notice them, you have to tell us about them and implement best practices,’ ” says John Summers, global director for managed security services at Unisys.

What’s needed is a fusion between SEM or SIM products and data on asset criticality — coupled with integrated functions such as identity and access management, user provisioning, change and configuration management, and software patch management.

One IDC report called for a higher degree of integration between system and security management products, which would help centralize control over networks, require fewer IT staff members to manage, and allow administrators to better understand the relationship of security events to network availability, among other benefits.

Such a system could allow intelligence about a new security vulnerability that accompanies a software patch to be automatically linked to network policy management systems and be tested against existing ACLs (access control lists) used by firewalls and routers to thwart attacks, Morgan Stanley’s Braunstein says. “Then all that information is logged, and you can do something intelligent with the logs. That’s the real Holy Grail: a fully automated security lifecycle,” he says.

[Figure: Security Central. Security management platforms aggregate threat information from myriad devices across the organization and consolidate it into reports and real-time dashboardlike displays. Labeled components: External threat warning networks; Aggregation and correlation engine; IDS/IPS; Notifier; Agent data manager; Firewall; Security management console; Security incident database; Server logs; Knowledge database; Security management platform.]

Taking the Long View

As it stands, products with that level of integration are still several years away. But companies are beginning to pull together some key pieces — such as connecting the findings of vulnerability scans with security alerts and intelligence on software and hardware asset values — so that companies can prioritize threats to critical systems.

“Say you have a system in an area sensitive to the Sarbanes-Oxley regulations, like a general ledger,” ArcSight’s Lunetta says. “If you’re in the last two weeks of the quarter and [ArcSight’s] analytics detects a highly threatening attack, it’s going to recognize it as a high-priority event — and also something associated with Sarbanes-Oxley — and coach you to take steps to deal with it.”

Lunetta calls that adding “business relevance” to SEM, a level of intelligence that a wide range of products now promise. ArcSight, netForensics, Network Intelligence, and


OpenService all offer SEM technology that performs asset correlation.

As for the hoped-for union of systems management and SEM/SIM products, companies today can enjoy some of the benefits of converged systems and security management, depending on which technology vendors they choose. BMC Software and Hewlett-Packard have partnered with security vendors in order to integrate security technology into Remedy and OpenView, respectively.

For example, Symantec said its DeepSight Alert Services and Incident Manager would integrate with BMC’s Remedy Help Desk and Action Request system, as part of BMC’s Business Service Management program. The union would allow internal IT and security teams to communicate more efficiently and to resolve security incidents and vulnerabilities.

In pursuing its partner approach to OpenView, HP looks at the system management platform as “a framework where many different types of information are collected,” says Tony Redmond, vice president and CTO of HP’s security program office. “We’re fully aware that there are companies who have well-developed [software] suites, but we’ve said, ‘Let’s go put our innovation elsewhere and reward the hard work that our partners have done.’ ”

Rather than add new SEM features and interface layers to OpenView, HP is content to let third-party vendors be sources of data to OpenView, which can digest the handful of significant events that emerge from millions of alerts. Technology from vendors such as ArcSight, e-Security, and netForensics can exchange information with OpenView through software plug-ins, allowing OpenView to absorb events generated by those SEM products and enabling the SEM products to recognize network or system management events that originate in OpenView. Similarly, netForensics’ products can send alarms that will be registered in OpenView systems.

Inching Toward Interoperability

But the level of integration between SEM/SIM products and systems management platforms is not uniform, limiting customers’ choices. So, whereas ArcSight counts HP OpenView as a “platinum enterprise partner” and offers some integration with that system management platform, potential ArcSight customers who use Unicenter or Tivoli will have to travel a rougher road to integration, Lunetta says.

CA’s Weiss says that his company has produced more than 100 integration kits to link third-party technology products to its eTrust platform and offers a toolkit for customers to integrate custom applications with eTrust.

But organizational conflicts, rather than technical gaps, may be the biggest obstacle to greater integration of security management and systems management technology, says Chris Christiansen, vice president of security products at IDC. “You’ve got lots of people who have based their entire careers in certain areas, and they’re not anxious to give that up,” he says. For example, systems management staff are reluctant to give up control of automatic configuration and patch deployment to systems run by security management groups.

“If you’re a sys admin, you’re going to be territorial about the systems you manage,” Morgan Stanley’s Braunstein says. “You don’t want lots of people with root or enable [privileges].” Although they might not be able to simply merge network security and network operations groups, companies can improve the way these groups manage systems and the data they generate, making central control and automatic provisioning more than just a pipe dream.

Security From All Sides

Fiscal austerity is one of the main motivations for consolidating security functions, as enterprises look for ways to manage their network without adding head count. “Companies just don’t have the budget to hire people at the rate that they’re adding new hardware,” netForensics’ Guay says. “The days of having separate IDS and firewall support teams are gone.”

For companies interested in better network security management but wary about making a major IT investment amid so much change, MSSPs (managed security services providers) offer an appealing option. Such services offload the difficult management and integration problem to security experts and allow companies to aggregate security information from hundreds or thousands of security devices, providing better information on emerging security threats.

In the end, however, there’s no silver bullet for the security management problem. All-encompassing SEM solutions work for some organizations but not others. “To some extent, the multiplicity of answers is applicable to the complex nature of the problem. Some people might see [security management] as a chaotic situation, but others just see multiple ways of getting to the same solution,” IDC’s Christiansen says.

For companies exploring SEM/SIM technology, IBM’s Krishna advises a measured approach. “People try to do too much,” he says. “It’s like trying to juggle 50 balls. We tell our customers, ‘You can do all these hundreds of things, but let’s be focused and do two. We’ll get those under our belt, then do two more.’ ”
— Paul Roberts

In Search of Security Event Management Standards

Integrating SEM (security event management) technology with existing security and system management infrastructure can be a hair-raising experience. Security point products such as IDSes, anti-virus gateways, and vulnerability scanners tend to use proprietary formats for reporting, recording network events, and issuing alerts. And the standard formats that do exist — such as SNMP and syslog files — are limited in what they can convey.

Today, SEM vendors get around the limitations by relying on custom plug-ins or software agents for each security or system management product they want to interact with. For example, Computer Associates has more than 100 integration kits that allow its eTrust Security Command Center to digest data from third-party security software. Most vendors also offer tools or services to integrate information from unsupported products or custom software applications.

To simplify integration and management, universally accepted standards are required so that network end points, security products, and system management platforms can speak a common language. “An event’s not meaningful if we can’t define it. We need a well-defined schema and standards so that any system can generate an auditable event, then have [another system] receive it, classify it, store it, and do analysis,” says Arvind Krishna, vice president of security and provisioning development at IBM Tivoli.

“The day we open Web services interfaces to these [security] devices, everything becomes a lot easier because I don’t need to agree with you about what an event is,” Krishna says. Although such standards have yet to reach the drawing board, industry partnerships are attempting to force security products, networking infrastructure, and clients to play nice.

Trusted Computing Group Trusted Network Connect: A proposed standard for creating an open architecture, Trusted Network Connect seeks to promote end-point standards for communicating the status of operating system updates, anti-virus and IDS signatures, and application patches. Participating vendors include Foundry Networks, InfoExpress, Juniper Networks, McAfee, and Symantec.

Cisco Network Admission Control: This program is part of Cisco’s Self-Defending Network strategy and pairs the company with security stalwarts such as Computer Associates, IBM, McAfee, Symantec, Trend Micro, and the latest member, Microsoft. The program is designed to build bridges that allow security products to communicate directly with Cisco routers, switches, and access-control servers.

Microsoft Network Access Protection: A policy-enforcement platform for Windows Server, Network Access Protection will create a uniform method of determining the “health state” of a computer attempting to access a network. Computer Associates, Extreme Networks, Hewlett-Packard, Juniper Networks, McAfee, Symantec, and Trend Micro are on board.
— P.R.


The Great Intrusion Prevention Debate


no security topic generates more spirited Martin Roesch: Marc, you’ve done a great job of defining
debate than intrusion prevention. Deployed on the edge the threat environment. But the in-line network IPS as it’s
— and increasingly, deep inside — the network, IPSes (in- implemented and deployed today provides only the most
trusion prevention systems) purport to identify and stop at- basic capability to actually address the problem. In-line IPS
tacks before they start based on constantly updated threat is positional and can only block based on threats it has a
profiles. In this Point/Counterpoint, InfoWorld pitted Marc prior knowledge of or basic thresholds in flood-style DoS/
Willebeek-LeMair, CTO and Chief Strategy Officer of 3Com’s worm traffic. Inline IPS requires the attacks and attackers
security division, TippingPoint, against Martin Roesch, CTO to transit predefined choke points on the network in order
and founder of Sourcefire (and the inventor of Snort). for it to perform its task.
TippingPoint’s Willebeek-LeMair is bullish on the su- Clearly, if we are to address the pervasive threat environ-
preme effectiveness of his IPS approach; Sourcefire’s Roesch ment, then we need a pervasive system that allows us to not
positions IPSes, which his company also sells, as just one just block things we know about crossing discrete points
component of an integrated network defense system. The on the network, but one that can also enforce network se-
clash of these two partisans reveals much about the state of curity policy by managing and reducing exposure to attacks
network protection and the rivalry between hardware and in the first place. Blended threats require blended security
software security vendors. systems that have more remediative options.
Marc Willebeek-LeMair: To understand what an IPS is, In-line intrusion prevention is a step in the right direc-
you need to grasp the problem it aims to solve. Today’s cy- tion, but I believe that the infrastructure itself can be or-
berthreat environment is increasingly severe, compounded chestrated effectively to provide a much broader capability
by the growing number of vulnerabilities that are discov- than just point defense in the face of a pervasive threat.
ered weekly, the emergence of new types of attacks (such MWL: While I agree with your assertion that the infra-
as blended threats and spyware), the shrinking time be- structure can be orchestrated to provide more comprehen-
tween vulnerability discovery and exploit development, the sive protection, I do not agree that IPS is simply a point de-
propagation speeds of automated worm attacks, and the fense. Unlike a firewall, IPS is not being deployed just at the
dissolving network perimeter. perimeter, but throughout the entire network to protect
IT security teams are overwhelmed, and traditional point the core as well as internal segments. To meet the stringent
solutions such as firewalls, anti-virus software, and IDSes networking requirements (latency, throughput, reliability)
are inadequate protection by themselves. The threat land- that these core and internal network locations demand,
scape is further exacerbated by the challenges involved in state-of-the-art IPSes are based on purpose-built custom
applying patches in a timely manner, and also by organiza- hardware like other network infrastructure devices such as
tions that cannot enforce patch management — universi- switches and routers.
ties, ISPs, and so on. What’s needed is a new type of security These systems offer powerful filtering capabilities that
element that pervades the network and automatically pro- can do much more than simply blocking “predefined net-
tects organizations from a broad variety of attack types and work patterns” as a reaction to known exploits. Leading-
from all potential points of attack — inside or out. edge IPSes support a filtering language that can express

I N F OWO R L D I T S T R AT E G Y G U I D E 10
Network Security The Great Intrusion Prevention Debate

complex conditions to detect both known and unknown exploits. These filters go beyond legacy string-matching signatures and are sometimes referred to as anomaly filters or vulnerability filters. They are designed to protect against any attack — known or unknown — that is crafted to exploit a particular vulnerability.

A key component to an IPS system is the filter-update service that comes with it. The service, measured by the timeliness, accuracy, and comprehensiveness of new filters, provides automated protection against threats as they emerge. This proactive security is unique to IPS and is a game-changing tool.

Today’s IPS systems are deployed as an overlay architecture onto existing networks. Soon, however, IPSes will be integrated within switch and router elements to provide the embedded infrastructure security you speak of. In effect, networking and security are converging. The new network node will offer the same packet-routing/switching functions of today’s networks but add a layer of intelligence that decides not only where a packet must go, but whether it should go at all. Networks will become much more dynamic than they are today by continuously adapting to filter out unwanted traffic based on old and new threats.

MR: All marketing claims notwithstanding, IPS technology is not proactive. A “filtering language” exists to predefine the conditions under which something is considered to be suspicious or malicious, therefore it is deterministic and based on foreknowledge of either how the protocol “should” work or based on knowledge of existing exploits against that protocol. What “leading-edge IPS filter languages” do is not substantively different than what we’ve been doing with the open source Snort engine (which can operate in IDS or IPS mode) for years now; we are also capable of detecting unknown exploits via both our rules language and protocol analyzers.

I’ll leave it for the reader to figure out if it’s a good idea to tear down network sessions automatically because a protocol decoder decided that a field size was larger than a guy in a lab thought it “should” be based on his limited understanding of the protocol and his limited exposure to the various clients and servers that implement it. Because in-line network IPSes have one analysis/response method and one practical position of deployment in order to bring their primary enforcement capability to bear, they are by definition point solutions no matter how deeply into the network you deploy them, just as firewalls are point solutions even though they are typically deployed deeply into today’s networks.

True proactive security would be able to do more than just identify the conditions under which an attack is occurring — it would be a pervasive layer of intelligence overlaid on the network that could understand the network composition and enforce policy by properly orchestrating the capabilities of multiple disparate technologies as well as its own native detection and blocking capability. Relying solely on the timely updating of a signature service in order to have coverage presupposes that all possible attack vectors can be intercepted and all variations of an attack can be defined and detected before a compromise results. Not to mention that the signature collection would have to be comprehensive enough to cover every device, platform and application in your network.

Practically speaking, this is a pretty thin layer of protection, because it has to handle client- and server-side attacks, random file formats and e-mail attachments, encryption, segmentation, custom applications, and arbitrary protocols that your hardware-based protocol analyzers cannot know how to interpret beyond a simple regular-expression-analysis capability. True proactive security means you must block identifiable threats as well as enforce security policy so as to reduce exposure in the first place — in addition to detecting change that indicates compromise independent of threat detection. A proactive security solution should also be able to defeat a threat emerging from any point on the network, not just pre-identified ingress/egress points. Most IPS companies ignore these points, leading end-users to believe that traditional, stand-alone IPS technology is capable of proactively protecting assets throughout the network, even though they have no context about the systems they are trying to protect. This positioning is not only false; it’s unfair to the end-user.

MWL: To be as polite and as succinct as possible: You are simply misinformed. I would strongly recommend you take a closer look at the state-of-the-art IPS. You’d be surprised to find several significant differences from your perception and reality.

Very accurate filters can be written based on vulnerability information, not exploit information. That is the definition of proactive protection: customers are protected before the attack (exploit) exists in time and space. These filters precede the existence of an exploit and proactively protect against any exploit targeting that vulnerability. You are, however, correct that writing good filters takes extensive research, requires very sophisticated skills and testing, and is an enormous differentiator between the various IPS solutions that exist today.

It’s typical for software-solution vendors to misrepresent a hardware solution as fixed and inflexible. Again, this is misinformation or, in the best case, laziness. Reality is that any hardware design — for example, a CPU — consists of hardware building blocks like the arithmetic control unit, the floating point unit, or another component that specializes in accelerating a particular operation. Specialization does not stop it from being programmable or flexible. A common, simplistic, and naïve perspective of IPS implementation would assume that each protocol is hard-coded into the hardware. State-of-the-art systems don’t do that at all. They boil down the problem into building blocks that are much more general and serve to accelerate processing for the specific task at hand.

Beyond vulnerability filters, IPSes use network profiling to characterize a particular network environment to determine what is “normal” behavior in that environment. Deviations from what is normal (without any knowledge of an exploit or vulnerability) can be alerted on, blocked, or throttled. Protection based on deep understanding of baselines and changes in network behavior is proactive by any definition.

Intrusion prevention has reached the point where the technology has been tested extensively and is now broadly deployed by hundreds of Fortune 500 customers worldwide. Talk to them. Start at the very top of the list.

When we pioneered IPS in 2002, IDS vendors unanimously claimed it was impossible. Most were quick to point out that false positives and latency would adversely impact the network. Ironically, these problems were created by inferior implementations of IDS products. Today every single IDS vendor offers an IPS. The problem is, not all IPSes are created equal, and indeed most of the shortcomings you highlight are true for the vast majority of these products, but not all. Second, it is common practice for naysayers to pick a corner case scenario that cannot be caught by today’s IPS products and to ignore the other 99 percent of cases that are fully covered.

MR: Misinformed? Please. Sourcefire, with the broader Snort community, invented the techniques for identifying threats targeting an underlying vulnerability — as opposed to simple exploit signatures. Regarding the hardware-vs.-software debate, knowing the performance of our IPS products on today’s advanced network platforms — near-zero latency at up to 8 gigabits — while also knowing that we can adapt infinitely more quickly and cost-effectively than hardware-based approaches certainly allows me to sleep much better at night.

When Sourcefire questioned those who declared IDS dead, it wasn’t because we saw no value in the blocking function. It was because we knew that the blocking function could never be 100-percent effective. Your acknowledgement of the need for behavioral anomaly detection argues that exact point. Leveraging persistent awareness of network assets — their composition, behaviors, vulnerabilities, and change — is at least as important as inspecting the traffic targeting those assets. So rather than simply following the herd, Sourcefire has both embraced IPS — one of our products won Best Intrusion Solution at this year’s RSA show — while also recognizing the limitations of any filtering technology in the broader landscape of network threat.

When the final chapter on this debate is written, I am confident that intrusion prevention will mean much more than just IPS.
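To make the two positions concrete, here is an added example (not code from either debater or their products) contrasting an exploit signature with a vulnerability filter over a constructed protocol bug: a hypothetical USER command whose argument overflows a 64-byte buffer. The known exploit, its variant, and the legitimate long login are all constructed, and the 64-byte limit stands in for the filter author's assumption about the legal field size, which is exactly where the false-positive concern raised above bites.

```python
import re
from dataclasses import dataclass

# Constructed scenario, not from the article: a hypothetical service whose
# handler copies the argument of the USER command into a 64-byte buffer.
# The limit is what the filter author believes the legal field size to be.
ASSUMED_USER_ARG_LIMIT = 64

# Exploit signature: the exact bytes of one known (constructed) exploit,
# i.e. the legacy string-matching approach.
KNOWN_EXPLOIT_SIGNATURE = re.compile(rb"USER A{100,}\x90\x90\x90\x90")

# Protocol decode: the USER command and its argument up to the line end.
USER_COMMAND = re.compile(rb"^USER (?P<arg>[^\r\n]*)\r\n")


@dataclass(frozen=True)
class Verdict:
    filter_name: str
    action: str   # "block", "alert" or "pass"
    reason: str


def exploit_signature_filter(payload: bytes) -> Verdict:
    """Matches only the known exploit's bytes; any re-encoded variant slips past."""
    if KNOWN_EXPLOIT_SIGNATURE.search(payload):
        return Verdict("exploit-signature", "block", "known exploit bytes present")
    return Verdict("exploit-signature", "pass", "no known exploit pattern")


def vulnerability_filter(payload: bytes, limit: int = ASSUMED_USER_ARG_LIMIT,
                         on_hit: str = "block") -> Verdict:
    """Decodes the protocol and tests the condition that triggers the bug
    (argument longer than the buffer), regardless of which bytes fill it."""
    match = USER_COMMAND.match(payload)
    if match is None:
        return Verdict("vulnerability", "pass", "not a USER command")
    arg_len = len(match.group("arg"))
    if arg_len > limit:
        return Verdict("vulnerability", on_hit,
                       f"USER argument is {arg_len} bytes, assumed limit {limit}")
    return Verdict("vulnerability", "pass", f"USER argument within {limit} bytes")


def inspect(payload: bytes, limit: int = ASSUMED_USER_ARG_LIMIT,
            on_hit: str = "block") -> dict:
    """Runs both filters; returns {filter_name: action}."""
    verdicts = (exploit_signature_filter(payload),
                vulnerability_filter(payload, limit, on_hit))
    return {v.filter_name: v.action for v in verdicts}


# Constructed sample traffic.
KNOWN_EXPLOIT = b"USER " + b"A" * 120 + b"\x90" * 4 + b"\r\n"
VARIANT_EXPLOIT = b"USER " + b"B" * 120 + b"\xcc" * 4 + b"\r\n"  # same bug, new bytes
NORMAL_LOGIN = b"USER alice\r\n"
# Legitimate in a deployment whose real buffer is larger than the lab assumed:
# 68 bytes, so it trips the vulnerability filter unless the limit is corrected.
LONG_LEGIT_LOGIN = b"USER " + b"first.last+accounting@example.test" * 2 + b"\r\n"

if __name__ == "__main__":
    samples = [("known exploit", KNOWN_EXPLOIT), ("variant", VARIANT_EXPLOIT),
               ("normal login", NORMAL_LOGIN), ("long legit login", LONG_LEGIT_LOGIN)]
    for name, payload in samples:
        print(f"{name:18s} block-mode {inspect(payload)}  "
              f"alert-mode {inspect(payload, on_hit='alert')}  "
              f"corrected-limit {inspect(payload, limit=128)}")
```

The variant shows what vulnerability filters buy over signatures; the long legitimate login shows why a wrong field-size assumption in block mode tears down good sessions, and why alert mode or a corrected limit is the safer first deployment.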

Federation Takes Identity to the Next Level


When clients of advertising giant Ogilvy & Mather want to collaborate on budgets or watch rough cuts of commercials, they’re likely to log on to the company’s network and do it online. The process speeds delivery and saves travel costs, but it can also add a big security and regulatory burden.

Before deploying IDM (identity management), Ogilvy found itself managing user names and passwords for more than 23,000 external users, in addition to the company’s 13,000 employees, says Andres Andreu, technical director of Web engineering and applications for the firm. The solution Ogilvy turned to was identity federation (infoworld.com/2227).

In September 2004, Ogilvy rolled out IBM TFIM (Tivoli Federated Identity Manager) to manage both internal and external access to its network. TFIM helped to relieve the management burden from Ogilvy’s IT staff by allowing clients to maintain their own user directories. Using federation, client networks seamlessly exchange identity data with Ogilvy’s, based on one of three major identity federation standards.

Andreu says Ogilvy is currently federated with three big clients, representing roughly half of the agency’s external users. He expects nearly all of its clients to join the federated network eventually.

Using a federated access system also reduces Ogilvy’s burden under Sarbanes-Oxley. “If we were still storing data for those three clients, we’d have to become part of their compliance process,” says Andreu. “Now we only have to make sure the transfer mechanism for credentials is secure.”

Still, if implementing identity internally is not a trivial task, taking the next step by moving to a federated system is even more challenging. Any enterprise hoping to bring more than one or two partners into federation would have to embrace all three major standards — Liberty Alliance, Microsoft and IBM’s Web Services (WS-*) architecture, and SAML (Security Assertion Markup Language), formulated by OASIS.

“Companies are accepting that they will have to deal with a mix of standards,” says IDC analyst Sally Hudson. “Most major vendors can accommodate all three of the standards at some level.”

Mike Neuenschwander, research director for the Burton Group, says most IDM vendors appear to be converging on SAML 2.0 for single sign-on, but provisioning and Web services standards remain less well defined. He’s quick to point out, however, that when making the leap to identity federation, the biggest challenges lie in a different kind of interoperability.

“The real barriers aren’t technological,” Neuenschwander says. “They’re working out the agreements and legal contracts to set up trust relationships across the organization. That tends to take more time than deploying the technology.”

— Dan Tynan

Manage Network Access Without Cutting Productivity

One of the newer features in centrally managed client security solutions provides the ability to cut off offending clients, or even entire LAN segments, from the rest of the network. On one hand, this feature implies that computers or groups of computers would undergo a sort of constant triage to determine whether they were too sick to survive on the enterprise network. On the other hand, it suggests that an automated system would be deciding whether an entire group of users might be cut off from the world because it thought there was a security violation.

You can see the obvious issue: How do you isolate computers infected with viruses or worms, or that simply aren’t sufficiently protected, without preventing people from getting their work done and affecting the productivity of the organization? That’s the conundrum of quarantine, and it’s a puzzle that will be with us for a while.

In case you wondered, the future is firmly on the side of increased network access control. If offending machines aren’t removed from the network, the whole network will suffer. And endpoint security vendors — each of which is trying by one means or another to lock out offending machines — aren’t the only heavyweights addressing the problem.

Cisco’s NAC (Network Admission Control) initiative (which includes McAfee and Trend Micro as partners, among others) is a means by which a security monitor can alert a router that there’s a badly behaved computer on the network. The problem might be anything from out-of-date anti-virus software to an active outbreak of Slammer worms. In any case, the management software will direct the router to isolate the segment with the problem, protecting the rest of the network.

Software to support this capability is spreading rapidly, and it’s a safe bet that plenty of others will continue to follow suit, especially considering that Microsoft has signed on to support NAC, promising that its own policy enforcement architecture, called NAP (Network Access Protection), will be compatible with the efforts of Cisco and its partners.

Meanwhile, for government organizations and other security-conscious groups, point solutions aren’t a luxury but a necessity. The risks of letting malicious code run amok through your network are simply too great. I’d say that you can safely assume that truly effective quarantines will soon become a standard network security feature.

— Wayne Rash

Password Protection: A Constant State of Insecurity

For the past few months an acquaintance of mine has been sniffing various public wireless and wired networks around the world, looking to see what plain text passwords are visible. It was an eye-opening experiment.

She used a bunch of different tools, but mostly Cain. At the moment, it collects 18 different passwords or password representations, including plain text passwords sent over HTTP, FTP, ICQ, and SIP protocols, and will automatically collect the user’s log-in name, password (or password representation), and access location.

Other than a few simple validity reviews and summary counts, my friend doesn’t look at the log-in names or passwords, and she deletes any collected information after obtaining the counts. She hasn’t used ARP (Address Resolution Protocol) poisoning or done anything other than to count plain text passwords passing by her traveling laptop’s NIC when she’s in a hotel, airport, or other public network. Although some — including me — might question her ethics, the information she shared is useful in understanding our true state of insecurity.

She said about half the hotels use shared network media (i.e., a hub versus an Ethernet switch), so any plain text password you transmit is sniffable by any like-minded person in the hotel. Most wireless access points are shared media as well; even networks requiring a WEP key often allow the common users to sniff each other’s passwords.

She said the average number of passwords collected in an overnight hotel stay was 118, if you throw out the 50 percent of connections that used an Ethernet switch and did not broadcast passwords.

The vast majority, 41 percent, were HTTP-based passwords, followed by e-mail (SMTP, POP2, IMAP) at 40 percent. The last 19 percent were composed of FTP, ICQ, SNMP, SIP, Telnet, and a few other types.

As a security professional, my friend often attends security conferences and teaches security classes. She noted that the number of passwords she collected in these venues was higher on average than in non-security locations. The very people who are supposed to know more about security than anyone appeared to have a higher-than-normal level of remote access back to their companies, but weren’t using any type of password protection.

At one conference, she listened to one of the world’s foremost Cisco security experts as his laptop broadcast 12 different log-in types and passwords during the presentation. Ouch!

The high prevalence of HTTP-based passwords can probably be attributed to HTTP-based e-mail solutions. If you have or use an HTTP-based mail system, sniff the traffic to see if log-in credentials are sent in clear text. If you’re lucky, the e-mail system uses HTTPS for log-ins and authentication, or uses password hashes or some other respected technique. On a good note, many popular e-mail portals such as Hotmail, Googlemail/Gmail, and Yahoo!Mail do not send plain text passwords by default.

Unfortunately, e-mail protocols such as POP3, IMAP, and SMTP send plain text log-in names and passwords by default. Just like FTP, the user name is preceded by the identifier USER and the password is preceded by the word PASS. A password sniffer could define its capture filters to look only for packets with those identifiers, maximizing the number of passwords captured.

Make sure your company is not a victim. Most e-mail clients and e-mail servers allow the plain text password option to be disabled. For instance, in Exchange/Outlook combinations, simply enabling “Encrypt data between Microsoft Outlook client and Microsoft Exchange Server” in Outlook 2003 or “Secured Protected Access (SPA)” in previous Outlook versions will disable plain text password use.

Another interesting issue my friend noticed was how

many HTTPS-enabled Web sites did not implement SSL correctly — users’ log-in names and passwords were being sent in clear text. This included communications to remotely accessed security devices, portals, and firewalls.

The lesson here is never to trust the browser’s padlock icon when connecting to a new Web site or protected device. Sniff yourself and confirm. I did this last year and discovered my awesome anti-spam appliance’s SSL connection wasn’t working.

My friend noticed that if SNMP was detected, the default public and private community strings were used almost 100 percent of the time. She also found passwords to people’s TiVos, online poker games, and online chatting communities. What disturbed her was that often these personal passwords were identical to the user’s corporate passwords.

Many network administrators conduct password audits on their network, but those audits are often directed at cracking weak password hashes for log-in accounts. If you want to know your true state of security, sniff your remote traffic heading across the Internet or coming across the wire from roaming or home users. If you have to use services or protocols that use plain text passwords, use a VPN tunnel of some type between source and destination.

I counseled my friend to stop her password sniffing ways, as it could only lead to trouble. She said she had stopped a few months ago because she found the idea of how many plain text passwords were being passed around, especially by security professionals, just too stressful and disturbing. I agree with that: If you’re a security person, sniff your own network traffic the next time you go out of town to make sure you aren’t leaking any credential information.

— Roger A. Grimes
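As an added illustration of the self-audit this column recommends (not the author's procedure or Cain's code), the following checks unencrypted TCP payloads from your own capture for the credential patterns discussed above: USER/PASS command pairs, HTTP Basic authorization headers, and password fields in HTTP form posts. It reports only the pattern kind and the destination, never the credential, and the capture records and hostnames are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed capture records in our own shape: (client, server, server port,
# first bytes of the unencrypted TCP stream). Not real traffic.
SAMPLE_STREAMS = [
    ("10.0.0.5", "mail.example.test", 110, b"USER bob\r\nPASS s3cret\r\n"),
    ("10.0.0.5", "ftp.example.test", 21, b"USER anonymous\r\nPASS guest@\r\n"),
    ("10.0.0.7", "portal.example.test", 80,
     b"GET /admin HTTP/1.1\r\nHost: portal.example.test\r\n"
     b"Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n"),
    ("10.0.0.7", "webmail.example.test", 80,
     b"POST /login HTTP/1.1\r\nHost: webmail.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=bob&password=s3cret"),
    ("10.0.0.9", "www.example.test", 80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("10.0.0.9", "mail.example.test", 110, b"CAPA\r\nQUIT\r\n"),
]

HTTP_REQUEST = re.compile(rb"^(?:GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n")
# POP3 and FTP send the password as a PASS line following USER.
PASS_COMMAND = re.compile(rb"^PASS [^\r\n]+", re.MULTILINE)
BASIC_AUTH_HEADER = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+\S+",
                               re.MULTILINE | re.IGNORECASE)
# Common names of password fields in a form-encoded body.
FORM_PASSWORD_FIELD = re.compile(rb"(?:^|&)(?:password|passwd|pass|pwd)=[^&\s]+",
                                 re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # which clear-text credential pattern was seen
    client: str
    server: str
    port: int


def credential_kinds(payload: bytes) -> list:
    """Names the clear-text credential patterns present in one stream.
    Only the pattern kind is returned; the matched secret is never kept."""
    kinds = []
    if HTTP_REQUEST.match(payload):
        header, _, body = payload.partition(b"\r\n\r\n")
        if BASIC_AUTH_HEADER.search(header):
            kinds.append("http-basic")
        if FORM_PASSWORD_FIELD.search(body):
            kinds.append("http-form")
    elif PASS_COMMAND.search(payload):
        kinds.append("user-pass")
    return kinds


def audit(streams) -> list:
    """Turns capture records into findings: what leaked, from where, to where."""
    return [Finding(kind, client, server, port)
            for client, server, port, payload in streams
            for kind in credential_kinds(payload)]


def breakdown(findings) -> dict:
    """Share of each credential kind, the way the column's statistics are reported."""
    counts = Counter(f.kind for f in findings)
    total = sum(counts.values())
    return {kind: round(100.0 * n / total, 1) for kind, n in counts.items()} if total else {}


if __name__ == "__main__":
    found = audit(SAMPLE_STREAMS)
    for f in found:
        print(f"{f.kind:10s} {f.client} -> {f.server}:{f.port}")
    print(breakdown(found))
```

Each finding names a destination whose clients or servers should be moved to an encrypted option (HTTPS, the Outlook settings above, or a VPN), which is the fix the column calls for.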

Building the Intelligent Network


The days of the fat, dumb pipe are over. Servers, applications, and storage have been shouldering the intelligence and security burden for too long. It’s time for the network infrastructure itself to add some smarts. After all, when it comes to intelligence, the real beauty of the network is that it touches everything.

“The network is the one common element across the infrastructure,” says Rob Redford, vice president of marketing for Cisco Systems. “If it had more capability to look more deeply inside application traffic, it would give us a better idea of what is being transacted and what information is flowing where, and it could play a more active role in helping organizations meet their business objectives.”

But what does network intelligence mean? According to Gartner research vice president Mark Fabbi, it’s mostly about application awareness or what he calls “application fluency.”

“An application-fluent network knows not only what application is running; it also has knowledge of the syntax and semantics of the application and the elements of the transaction,” Fabbi says. “And it knows who is connecting, how they’re connecting, and with what device.”

The network already provides some intelligence today, say the infrastructure vendors, but mostly it’s on a piecemeal basis, with scores of specialized devices targeting local security, performance, and application issues. In the next five years, however, we may see a lot of these pieces come together, producing managed networks that are more intelligent from end to end.

“If you’re consolidating lots of servers and applications, you really have to start optimizing the delivery of traffic back out,” Fabbi says, adding that this is particularly true in an environment that favors browser-based applications. “These applications put a tremendous burden on the underlying network protocols and servers. Generic network design simply doesn’t work.”

It Pays to Think Smart

“Throwing bandwidth at the problem doesn’t solve the fundamental global network performance issue today, which is latency,” says David Willis, a Gartner senior analyst. “In cross-continental WANs, round-trip time can be as high as 50ms to 75ms, compared to 10ms on a LAN, while in a global network it could reach more than 250ms. When you consider that a single Web page can require as many as 10 or 20 different requests and responses, and then multiply that by thousands of Web pages and users with different connections and devices, you get the picture.”

Gartner estimates that in typical global networks running Web-based applications, WAN latency, not bandwidth, can be responsible for 50 percent to 95 percent of the total application delay. But performance isn’t the whole story.

“On day zero of a new worm, software and IPSs that rely on signatures don’t know anything about it,” says Brice Clark, worldwide director of strategic planning for HP’s ProCurve networking line. The network infrastructure can be a complementary layer of defense that detects traffic anomalies and halts malware propagation using rate limiting and connection delay.

Jason Needham, product manager at F5 Networks, says the network is also a good place for user authentication and authorization. “If I’m a financial institution, it’s OK to do authorization at the application server. But wouldn’t I rather block unauthorized users before they get to the door?”

The proliferation of XML and SOA promises to magnify performance and security issues. XML is verbose and inefficient, bringing new security issues. In fact, Cisco, HP, and vendors of network-based XML acceleration and security devices, such as Sarvega and Reactivity, will tell you that the network could offload a lot of XML processing, translation, and security from beleaguered servers. It could even take over some of the classic application and data-integration burden.

A New Networking Direction

The move toward network intelligence is actually coming from two directions: Leading the charge on one path are the established giants, while specialty vendors are marching up another front.
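To show what the “rate limiting and connection delay” defense Clark describes looks like in practice, here is an added example of a connection throttle for new destinations, an illustration of the general technique and not HP’s ProCurve implementation: each source host may reconnect freely to a small working set of recent destinations, connections to new destinations are admitted at a limited rate and queued otherwise, and a host whose queue grows past a threshold is quarantined. The hosts, destinations, and thresholds are constructed.

```python
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class HostState:
    working_set: deque          # recently contacted destinations
    tokens: float               # budget for connections to new destinations
    last_seen: float
    delayed: deque = field(default_factory=deque)   # new destinations waiting their turn
    quarantined: bool = False


class NewDestinationThrottle:
    """Per-source rate limit on connections to destinations the source has not
    talked to recently. Normal hosts revisit a small set of destinations;
    scanning malware contacts many new ones per second, so its connections
    pile up in the delay queue and the host is quarantined."""

    def __init__(self, working_set_size=5, new_per_sec=1.0, burst=1, alarm_queue=10):
        self.working_set_size = working_set_size
        self.new_per_sec = new_per_sec       # token refill rate
        self.burst = burst                   # maximum stored tokens
        self.alarm_queue = alarm_queue       # delayed connections tolerated before quarantine
        self.hosts = {}

    def _state(self, src, now):
        state = self.hosts.get(src)
        if state is None:
            state = HostState(deque(maxlen=self.working_set_size), float(self.burst), now)
            self.hosts[src] = state
        return state

    def attempt(self, now, src, dst):
        """Decides one connection attempt: 'allow', 'delay' or 'quarantine'."""
        st = self._state(src, now)
        if st.quarantined:
            return "quarantine"
        # Refill the new-destination budget for the time elapsed.
        st.tokens = min(float(self.burst), st.tokens + (now - st.last_seen) * self.new_per_sec)
        st.last_seen = now
        # Release queued new destinations as the budget allows, oldest first.
        while st.delayed and st.tokens >= 1:
            st.working_set.append(st.delayed.popleft())
            st.tokens -= 1
        if dst in st.working_set:
            return "allow"                   # known destination: never throttled
        if dst in st.delayed:
            return "delay"                   # already waiting
        if st.tokens >= 1 and not st.delayed:
            st.tokens -= 1
            st.working_set.append(dst)
            return "allow"
        st.delayed.append(dst)
        if len(st.delayed) > self.alarm_queue:
            st.quarantined = True            # hand the host to the access-control layer
            return "quarantine"
        return "delay"


def simulate(events, throttle=None):
    """Feeds (time, src, dst) events through a throttle; returns decision counts per source."""
    throttle = throttle or NewDestinationThrottle()
    counts = {}
    for now, src, dst in events:
        counts.setdefault(src, Counter())[throttle.attempt(now, src, dst)] += 1
    return counts


# Constructed traffic: a normal workstation and a host behaving like a scanning worm
# (20 distinct new destinations in under five seconds).
NORMAL_HOST = [(0, "h1", "A"), (1, "h1", "A"), (2, "h1", "B"), (3, "h1", "A"),
               (12, "h1", "C"), (13, "h1", "B")]
WORM_HOST = [(100 + 0.25 * k, "h2", f"victim{k}") for k in range(20)]

if __name__ == "__main__":
    for src, decisions in simulate(NORMAL_HOST + WORM_HOST).items():
        print(src, dict(decisions))
```

The normal host is never delayed because its connections stay inside the working set or arrive slower than the refill rate, while the scanning host is quarantined after its fifteenth attempt without any signature for the worm.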

HP’s Brice Clark describes his company’s ProCurve Adaptive EDGE architecture as a two-pronged approach. “You start with intelligence at the edge, where it needs to be located to support mobility and next-generation applications. Command comes from the center, configuring the network continuously on the fly based on the identity of the user, the application, the connection, and the device.”

The ProCurve IDM (Identity Driven Manager) enables the application of security, access control, QoS, VLAN enrollment, and performance settings based on the authenticated user or group of users, including their locations, the time of day, and other factors. HP has also incorporated optional intelligent capabilities for its ProCurve 5300 series switches, including WLAN client authentication, WLAN access-point-to-access-point connection handoff, virus throttling, and encryption — features that were formerly offered only in dedicated WLAN switches.

Clark says the next step will likely be deeper packet inspection to recognize applications and apply policies accordingly, even triggering packet-processing applications hosted in the switch, based on the user, device, or application.

“You can transcode a video stream for a PDA on the switch, rather than at the server or encrypt a financial transaction,” Clark says. “The network is good at packet processing. Servers and operating systems aren’t.”

Cisco, on the other hand, has a three- to five-year plan for what it calls Application-Oriented Networking. The company will provide AON blades for its Catalyst data-center switches, as well as branch office routers that can actually read application-to-application messages (such as purchase orders) and route them intelligently according to predefined policies. So, for example, a $50 order could be routed to a different server or get a different quality of service than a multimillion-dollar order would.

AON blades will also be able to take on much of the integration and translation normally performed by application middleware, thanks to partnerships with integration players like TIBCO Software and IBM, as well as integrated XML processing, translation, and security functions.

Cisco’s Redford also points out that the ability to inspect and route messages will lead to better visibility into transactions, resulting in improved security, compliance, and business-intelligence capabilities. AON will also offer load balancing, caching, and compression services. Although all these services could slow down network traffic to some extent, Redford claims that the benefits would include much improved application performance and significantly lower

integration costs (because any integration changes would be made on the switch, rather than across all the various interacting systems).

Smaller Vendors, Specialized Gear

The networking giants, however, aren’t the only game in town. Smaller players in the load-balancing Layer 4 to 7 switch market, which include F5, FineGround, NetScaler, Radware, and Redline, offer products they call ADCs (application-delivery controllers) or WOCs (WAN Optimization Controllers). Many of these vendors have already been involved in application intelligence for several years and claim to have the corner on that kind of expertise.

“We’re the only ones that can inspect the entire flow, headers, and payload in both directions,” says F5’s Needham.

ADC boxes sit in the data center in front of banks of servers. Originally they provided application load balancing and health checking, but over time their capabilities have grown to include off-loading communications-specific tasks, which general-purpose operating systems don’t do well, according to Joe Skorupa, research director at Gartner. Many ADCs off-load functions like SSL termination and acceleration and TCP setup and shutdown, and they provide transaction security, application firewalls, caching, and compression. Often, these devices can be fine tuned to optimize the performance of specific back office applications, such as SAP, and can monitor and troubleshoot individual transactions.

“F5’s hardware has the ability to watch a request come in and, if the transaction fails, it can trap the error, send the message to the server administrator saying, ‘This transaction failed to this client from this server at this time, and here’s the code,’” Skorupa says. “Then it replays the transaction with another server. The user never sees the error.”

Vendors such as Allot Communications, Expand Networks, Packeteer, and Peribit Networks market WAN optimization controllers, which sit on the network at both the corporate headquarters and remote offices and use compression and TCP-acceleration tricks to overcome latency and other problems on the WAN. Skorupa says that the functions of these boxes will eventually be incorporated into ADCs and branch office routers. You can read more about WAN optimization appliances in “Wide-area Slowdown” (infoworld.com/2950).

Still another group of hardware and chip vendors are concentrating on the XML and Web-services space, working to incorporate the XML processing capabilities currently available in specialized XML processing appliances from such players as Reactivity and Sarvega.

Multiple Strategies

In fact, the range of product offerings from smaller vendors was compelling enough that the major networking vendors launched a buying spree, with Cisco acquiring FineGround, Juniper engulfing Redline Networks and Peribit Networks, and Citrix scooping up NetScaler. But there’s still plenty of room for innovation outside the traditional networking vendors.

Whether network intelligence will eventually rest in switches or as an overlay of specialized devices depends on to whom you talk. The appeal of incorporating these features into existing switches is obvious, but networking vendors have had trouble keeping up with the features offered by specialized appliance vendors in the past.

“Five years ago many people predicted that Packeteer would die because Cisco would take over much of its functionality,” says Gartner’s Willis. “But it is still very much around. Changes in applications are faster than Moore’s Law and the specialized box companies are often better at keeping up.”

Gartner’s Skorupa agrees. “You can put a blade in a switch, but that alone is not compelling,” he says. “You have to ask yourself whether buying an integrated product gives you more benefit than a standalone solution with more features.”

For now, it makes sense to take a targeted approach that solves the specific problems you’re trying to solve, with an eye on how initiatives like HP’s Adaptive EDGE and Cisco’s AON develop. Application-level standards are another piece missing from the puzzle. But despite the hurdles yet to overcome, the intelligent network train is definitely out of the station. It’s just not clear what its final destination will be.

— Leon Erlanger
