Network Computingwww.networkcomputing.com

Therefore, rather than put up point products, such as firewalls and virus scanners, to guard against some perceived risk or respond to an intrusion, you need to build security into your IT infrastructure from the ground up.

Your security stance must be driven by business requirements, not technological needs. The first step is to analyze risk as it pertains to your business plan. You'll have to focus on your most valuable assets first and then work downward. Once you understand the risks, you can begin to implement security products and strategies effectively.

Besides controlling access inbound and outbound (you are restricting outbound traffic, right?), network security, when built to meet business needs, lets you provide services to customers over the network in a safe, secure, reliable manner. It's a process that needs to be attended to daily, but the payoff is increased customer confidence in your organization as a safe place to do business. Having a Web page defaced, a credit-card database posted to a Web site, or your weak cookie encryption exposed on Bugtraq (www.securityfocus.com) or another public mailing list does not inspire customer confidence. And while you can never be 100 percent secure, striving for that high mark ensures you'll get closer to the goal.

The building blocks for network security vary, depending on what you're trying to accomplish. Firewalls form the cornerstone of any security implementation, and for the most part, their security feature lists have flattened out over the past year or so. We expect this trend to continue, because there are limits to what the technology can do. Firewall vendors are looking to enhance products' raw performance, high availability, failover and load-balancing.

The ASP market is poised to explode in this decade, and security vendors want a piece of that pie. ASPs must provide secure, reliable, high-bandwidth, low-latency connectivity, and that means firewalls will have to pass high-volume traffic quickly. There are two ways to accomplish this: The first is to use bigger, faster hardware devices to overcome processing overhead. But this method has limitations; solutions based on monolithic hardware are tied directly to performance advances in hardware. If performance enhancements are slow to arrive, so will be your ability to scale upward. The second path is load-balancing, or distributing the connections across a firewall farm. Load-balancing requires special processing, either through dedicated load-balancing hardware or via policy and state replication among the firewalls. A load-balanced firewall farm will always offer better scalability, because more firewalls can be added as needed. It will also provide much needed redundancy; if one firewall fails, the load will be distributed among the remaining firewalls.