Network security will be one of the next areas for virtualisation, reckons Scott Lucas, the director of product marketing at Extreme Networks. The aim, he says, is to move away from applying security at specific places in the network, and instead make it available throughout.

However, that relies on the network infrastructure becoming intelligent enough to call upon its security resources - and that's a bet that Extreme has placed in developing switches capable of running applications and exchanging data via XML.

"The question is whether it's better to integrate security with the network or overlay it on a commodity infrastructure," says Lucas. "Our position is that the network is the the most pervasive part of your infrastructure, so you can deploy security everywhere instead of having to decide where to deploy the overlay."

The scheme that Extreme has come up with allows its switches to call on resources such as an IDS or a NAC device, passing suspect traffic over and then taking whatever actions are needed. For this approach to succeed long term, standards are needed, but Lucas says these are still evolving.

"We are still very early in the process of seeing standardisation," he says. "Standardisation tends to depend on the chip guys - they are not driving it yet, though. We have a custom chipset.

"XML is mostly for data exchange now. It is very much leading-edge for security - we are using it for network management and operational data. We added XML to our [switch operating system] XOS, then introduced our centralised security resource, Sentriant."

The one standard that is working already is 802.1X, he adds: "802.1X is one of the first ideas of how to distribute enforcement through the network. We use it to do network access control."

Bringing others on board
Extreme has already persuaded a number of other companies to follow its approach, including ISS, whose Proventia IPS can enforce session blocks on the switch. Another is StillSecure, which provides network access control and uses DHCP and 802.1X to quarantine suspect clients, and a third is CipherOptics which allows the network to call for data flows to be encrypted.

"It's policy-based cryptography, so you can avoid encrypting trivial or already-encrypted traffic," Lucas says. "For example, it can encrypt by protocol, IP address, etc. We use our Clearflow processing engine in the switch to redirect flows needing encryption.

"Our key is the ability to detect a new flow, not every network can do that," he adds. "Virtualising security resources separates their physical implementation from the way it's experienced. For example, IDS usually happens across a very specific physical boundary, now it can called in across the network fabric, so it is becoming a network service."

One reason for taking the latter approach is de-perimeterisation - as the LAN and the WAN blur into each other, and as users become more mobile via wireless networks and the like, there are fewer and fewer perimeters to work with.

"Statistics suggest 80 percent of attacks come from within the network - that's mostly not hackers on staff though, it's malware on laptops," says Lucas. "But the big thing is reach - you can push security capabilities all through the network.

"The second thing is more subtle - you get availability benefits too. If you had an IDS between A and B, you can overwhelm it or it could be compromised, so that's a risk. With virtualised security, you can do more load balancing, and it also helps avoid the problem of a compromised box."

He acknowledges that in order to spread security through the network, you do need to make the switches more capable, for example enabling them to run agents or even applications, and that this raises security issues of its own, as well questions of compatibility - hence the need for standards.

"You have to harden the OS if you run applications on the switch, also we don't let just anyone run apps on our switches," he says. "But we are now beginning to show people how an open architecture can help. Potentially it's doing in software what Cisco and others would do in blades.

"The unique capability of the network stems from its pervasiveness, so why not take advantage of that? Networks have huge amounts of under-used processor horsepower to engage with these activities."

And of course he hopes that, if virtualised security takes off, it will highlight the differences between the likes of Extreme and the suppliers of more generic network infrastructure. "You do need an enterprise-grade network," he says. "You can't do this with a commodity network."