Concealment is a potentially worse problem yet, particularly because it is generally caused by the user, not the invader. At the point where they must undergo inspection, many packets today have their payloads scrambled in some fashion that makes them unavailable for inspection.
"All browsers today can handle compressed data, for instance," said Bromhead. "So the top sites-the ones that carry the most traffic-are using compression to keep their throughput up. I saw a recent study that said at the top sites, 29 percent of the traffic was compressed data."
That means the inspection site either has to be able to scan compressed data for patterns-a quite difficult task-or must decompress the packet payloads before scanning. "But decompression all by itself can cause a performance hit of 20 times on these boxes," Bromhead warned.
Eventually it may become necessary to scan secure packets as well, which may force security checkpoints to participate in key exchange and to decrypt packet data in transit.
A potentially even more complex problem than spam and viruses is emerging in outgoing traffic. Increasingly, organizations are creating policies to prohibit certain kinds of information from leaving the organization's network. Whether it be trade secrets or personal e-mail, such data is generally so loosely defined that it challenges even the most flexible scanning. Yet policy enforcement, as the job is known, could be one of the biggest drivers in reshaping the access network in the next few years.
Discover the benefits of scalable backbone and network services for application and cloud providers.
Network automation is gaining momentum. Here's how you can drive this powerful technology to its full potential.
Subsea cable alternatives can provide a level of comfort for those concerned about disruptions. Realistically, they will continue to play a small, but critical role in the short term.
