Pushing intelligence - but only the right intelligence - to the edge of the network is the only way to build networks that are rich in functionality yet also secure. That's the view of Bill Johnson, director of R&D for HP's ProCurve networking division, and one of the key movers behind HP's adaptive edge architecture (AEA).
"Doing security, QOS and access control in the core is the wrong place," he says. "We would assert that the core is going to become less sophisticated in some ways. It needs to be very high speed, with lots of redundancy and routing capability, but it doesn't need to do sophisticated access control. The fabric is just there to make sure that packets arrive reliably."
The change is down to how access to the network is controlled, whether that is access for an authorised user, a visitor or even a PC virus. Johnson likens security in the core to leaving the front door open, but putting a lock on your fridge.
"The shift is customers want to control access to the network, before it was control of access to data so it was done in the data centre. It's a subtle semantic shift but it is fundamental," he says.
"There's lots of legacy systems around, built on having rich functionality in the core. The world doesn't revolve around the core now, though - it needs to revolve around policies, and IT managers should not have to manage boxes, they should ignore them." The aim, he says, should be to define an access policy and then have that automatically pushed out to the various edge devices.
He adds that, in this context, the WAN is also the edge of the network, so it too needs security, traffic management and so on.
These ideas are not exclusive to HP by any means - Cisco has its Self Defending Network strategy, and others such as Enterasys and Extreme have also stressed the advantages of controlling access at the network edge, on a port by port level.
One other area of edge security that Johnson highlights is HP's new virus-throttling software, on which he holds one of the patents. This works by watching for anomalous and virus-like behaviour, such as a node trying to make connections many times more often than usual, and it needs to be at the edge because if the burst isn't stopped there, it will congest the network at the very least.
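As an added illustration of the behaviour Johnson describes (a node opening connections far more often than usual), the following detector flags a host when it attempts too many connections to previously unseen destinations within a short window. This is example code written for this page, not HP's virus-throttling software, and the window size, threshold, host names and connection records are all constructed assumptions.

```python
"""Edge-side detector for the connection-rate anomaly described above.

A worm-infected node typically opens connections to many *new* destinations
far faster than a normal client does.  This detector keeps, per source host,
the set of destinations already contacted and a sliding window of timestamps
at which a connection to a previously unseen destination was attempted.  When
more than `max_new` such attempts fall inside `window` seconds, the host is
flagged.  All parameters and sample data below are illustrative assumptions.
"""
from collections import defaultdict, deque


def find_bursty_hosts(events, window=10, max_new=5):
    """Return {host: timestamp_first_flagged} for hosts exceeding the rate.

    events: iterable of (timestamp_seconds, src_host, dst) sorted by time.
    Only connections to destinations the host has not contacted before are
    counted, so a busy but normal client talking to its usual servers is not
    flagged.
    """
    seen = defaultdict(set)       # src -> destinations already contacted
    recent = defaultdict(deque)   # src -> timestamps of recent new-dest attempts
    flagged = {}
    for ts, src, dst in events:
        if dst in seen[src]:
            continue              # repeat contact to a known peer: not counted
        seen[src].add(dst)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) > max_new and src not in flagged:
            flagged[src] = ts
    return flagged


# Constructed sample of connection attempts seen at an edge switch, as
# (timestamp_seconds, source_host, destination).  pc-03 behaves normally;
# pc-07 is normal until t=200, then contacts twenty new addresses one per
# second, the kind of burst the article says must be stopped at the edge.
SAMPLE_EVENTS = sorted(
    [(0, "pc-03", "srv-mail"), (20, "pc-03", "srv-file"), (50, "pc-03", "srv-web"),
     (70, "pc-03", "srv-mail"), (100, "pc-03", "printer-2"), (210, "pc-03", "srv-file"),
     (0, "pc-07", "srv-mail"), (15, "pc-07", "srv-file"), (40, "pc-07", "srv-web")]
    + [(200 + i, "pc-07", f"10.0.1.{i + 1}") for i in range(20)]
)


if __name__ == "__main__":
    for host, ts in find_bursty_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: new-destination burst first exceeded threshold at t={ts}s")
```

Running the block reports pc-07 at t=205 (the sixth new destination inside a ten-second window) and nothing for pc-03. What the switch then does with that signal, for example delaying or dropping further new connections from the port, is not detailed on this page; the code above only identifies the offending node.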
"The next stage is you're going to see even more security policies, more integration of intrusion detection - you'll see the infrastructure playing a more active role, as with 802.1X," he says.
He adds that wireless switches really have shown the way forward here, and says it is now time to apply similar ideas to wired connections too. That cannot be done via a wireless-type appliance though, as it means mirroring all the traffic, which might be fine for relatively slow wireless links, but not for faster wired connections.
"The switch is the only place where you are aware of all the traffic," he says, hence the need to add the intelligence there, as with HP's new access control module for the ProCurve 5300xl switch.
"We're not done yet," he adds. "The integration of wired and wireless will continue, and the infrastructure needs to escalate along with the perpetrators."