Linley on Linux

Linley Gwennap

Issue #88, August 2001

Extra, extra, read all about it.

Everyone likes their privacy, but how much are they willing to pay for it? Today, there is little privacy on the Internet, but new chips are emerging that will allow users to protect their information for little or no extra cost.

Two security standards are predominant on the Internet: SSL and IPSec. The former is built into most browsers, providing secure web transactions. IPSec creates virtual private networks (VPNs) that enable users to access remote databases securely.

Both standards use encryption to protect sensitive data from sniffers, snoopers and intruders. Until last year, the US government blocked the export of strong encryption technology, but the government has since relented. Today, the biggest barrier to the widespread use of encryption is the massive computation required to encode and decode messages. If encryption were not computationally difficult, codes could be easily broken. Fortunately, most modern PC processors have enough horsepower to encrypt messages on a broadband internet connection, or even a slow Ethernet connection. The problem is the server, which must handle messages from a large number of clients at once. These servers are typically operating at Fast Ethernet (100Mbps) speeds or higher.

To break this bottleneck, companies have turned to dedicated encryption hardware, such as VPN boxes or SSL cards. These units typically use specialized security chips that perform encryption calculations much more quickly than standard CPUs.

Today's security chips, however, are not very fast, so a high-end VPN or SSL system may combine several of these expensive devices, along with their support hardware, to achieve top speed. As a result, a high-end VPN box sells for hundreds of thousands of dollars.

But help is on the way. Greater interest in security has spurred new companies to enter the market for security chips; we now count ten companies in this market, with more on the way. Most of the chips last year came from Hifn, a spin-off of the software-compression vendor Stac. But chip giants Intel, Motorola and Philips are jumping into this market as well. Competition encourages innovation. Not surprisingly, much of this innovation is coming from small companies such as Chrysalis-ITS, SafeNet and Securealink as well as startups such as Corrent, NetOctave and BlueSteel, now the security division of Broadcom. As a result of this competition, by the middle of next year we will see security chips operating at 10Gbps, able to serve the fattest pipes in the network infrastructure.

This speed is more than 100 times faster than that of the best security chip available at the beginning of last year, a phenomenal increase. Compared with the standard pace of Moore's Law, we have compressed ten years of progress into just over two years. It will take some time for the new, faster chips to become common in systems, but by next year, we should see systems with the performance of today's high-end VPN boxes selling for just a few thousand dollars.

In fact, once encryption gets this cheap, it won't even be in separate boxes; these superfast chips can be included on every line card in every networking system. ISPs will offer a security service to their users at a minimal cost, perhaps as little as $1 per month. At this price, most people will be able to secure their daily e-mail, web surfing and other on-line activities. Some analysts predict that, by 2004, as much as half of the traffic on the Internet will be encrypted.

In many cases, this will occur with little or no impact on applications. As part of the IP standard, IPSec works at Layer 3 in the network stack, below the application layer and below even TCP. Once the operating system establishes a secure link between two sites (for example, your PC and a corporate server), all traffic between these two sites is encrypted and decrypted without any impact on the application.

SSL is a higher-layer protocol that must be directly managed by the application. But since it is already built into the browser, any services accessed through the browser can take advantage of it. The onus is on webmasters to implement more of their site on secure servers. As the cost of security falls, entire sites can be secured.
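As an added illustration (not code from the column), the toy Python model below makes the layering difference concrete: under IPSec the application hands its bytes to the OS unchanged and the network layer encrypts the whole TCP segment, whereas under SSL the application itself must build the encrypted record before TCP ever sees it. The keystream "cipher", port numbers, SPI and message are constructed for the demonstration and are not a real cipher or wire format.

```python
# Added toy model (not the column's code): where encryption sits for IPsec vs SSL.
# The "cipher" is a SHA-256 counter keystream used only to show which bytes change;
# it is a stand-in for real ESP/SSL cryptography, not something to deploy.
import hashlib
import struct

SRC_PORT, HTTP_PORT, HTTPS_PORT = 40000, 80, 443   # constructed sample ports

def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]

def toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, nonce, len(data))))

def tcp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Simplified Layer 4 header: only the two ports (a real TCP header is 20+ bytes)."""
    return struct.pack(">HH", src_port, dst_port) + payload

def application_send(message: bytes) -> bytes:
    """An ordinary application hands plaintext to the OS and knows nothing about IPsec."""
    return message

def send_plain(message: bytes) -> bytes:
    return tcp_segment(SRC_PORT, HTTP_PORT, application_send(message))

def send_over_ipsec(message: bytes, key: bytes) -> bytes:
    """Layer 3: the OS encrypts the whole TCP segment; the application code is unchanged."""
    segment = tcp_segment(SRC_PORT, HTTP_PORT, application_send(message))
    esp_header = struct.pack(">II", 0x1000, 1)   # constructed SPI and sequence number
    return esp_header + toy_xor(key, b"esp", segment)

def ipsec_receive(packet: bytes, key: bytes) -> bytes:
    """The peer's Layer 3 strips the ESP header and recovers the original TCP segment."""
    return toy_xor(key, b"esp", packet[8:])

def ssl_application_send(message: bytes, key: bytes) -> bytes:
    """SSL lives above TCP: the application itself must build the encrypted record."""
    record_header = bytes([0x17, 0x03, 0x01]) + struct.pack(">H", len(message))
    return record_header + toy_xor(key, b"ssl", message)

def send_over_ssl(message: bytes, key: bytes) -> bytes:
    """TCP still sees the ports in the clear; only the application payload is hidden."""
    return tcp_segment(SRC_PORT, HTTPS_PORT, ssl_application_send(message, key))
```

Comparing `send_plain`, `send_over_ipsec` and `send_over_ssl` on the same message shows that only the SSL path required a change to the application's own code, which is the point the column makes about where the burden of deployment falls.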

The trick to using IPSec is to make sure it is included in the operating system. Linux users can take advantage of FreeS/WAN, a well-regarded open-source implementation of IPSec. Most Linux distributions, however, do not include FreeS/WAN, although this may change as encryption becomes more popular. In contrast, IPSec is a standard feature in Windows 2000. As the cost of security chips falls, the Linux community needs to be ready. Developers, distributors and end users should make sure their systems can take advantage of inexpensive encryption hardware.

Founder and principal analyst of The Linley Group, Linley Gwennap (linleyg@linleygroup.com) has recently completed a new report, “A Guide to Security Processors” (http://www.linleygroup.com/npu/).