With communications security taking on new meaning since Sept. 11, cyberterrorism has become a very real parameter in network design. Interest in additional levels of security appears to be growing as Internet Protocol (IP) networking emerges as the main means for moving data, voice and multimedia.
But the packet-switched environment into which all communications is moving has unnerving similarities to the U.S. mail system, where authorities are having difficulty finding the outbreaks of anthrax contamination, identifying the differences between those outbreaks and other common contagious diseases, tracing back the mail to the distribution centers and then back to the original source.
Similarly, the problem of security in a network environment has to do with sender and receiver identification, authentication, tracking and privacy. In an IP-based packet network, said Russel Dietz, chief technology officer of Hifn Inc. (Los Gatos, Calif.), the problem is even more complicated than the one faced in the postal service's "snail mail" network. It is as if each envelope had been opened and each page, section of a page, or each paragraph on each page, individually sent out for delivery by different routes and brought together at some point near the destination for final delivery. Because of the diffused method of delivery, it's hard to tell what centers each page was sent through, who and what handled it and where it was delivered next.
"As limited as it was in providing the kind of information delivery infrastructure we are now building, the traditional PSTN [public switched telephone network] did have the advantage of relatively rock-solid security," said Tom Riordan, general manager and vice president of the MIPS processor division of PMC-Sierra Inc. (Santa Clara, Calif.). "You knew that when you called a number you would get a telephone location associated with the receiver, it was relatively easy to track the path by which the signals went to that location and you knew the identity with relative certainty of the person or device at the other end."
Such limitations of IP networking have long been known, said Joseph Wallace, product line manager for Broadcom Corp.'s security products business unit (Irvine, Calif.), and the industry has devoted an extraordinary amount of technological expertise toward such issues. A constellation of companies has come into existence to provide the means to identify, detect and eliminate computer viruses and worms. And while significant security holes in intrusion detection, fault tracking and identification and network-wide fault tolerance and resilience still must be filled, the real barrier before Sept. 11 had been the willingness of companies to invest in enhanced security and deal with the complications it might entail.
Much of the initial investment in additional security is going into encryption/decryption technology, which focuses mainly on maintaining privacy for both individual e-commerce transactions and corporate virtual private networks as they move large amounts of data from office to office over the Internet. But, said Chuck Sannipoli, PowerPC network architecture manager at IBM Corp.'s microelectronics division (Raleigh, N.C.), when combined with other technologies and network functions, broader security issues can be addressed.
In simplest terms, the new encryption/decryption mechanisms provide the equivalent of what an express mail service like FedEx provides as an alternative to regular mail: increased security and privacy, authentication, identification and tracking.
"It was not that major corporations and organizations were not willing to make investments," said Felix McNulty, vice president of marketing at network software developer Teja Technologies Inc. (San Jose, Calif.). "It was that they were hedging their bets." Rather than system-, company- or networkwide investments in increased security, only those areas perceived as critical to the company were protected. And rather than instituting the best that money could buy, companies invested much more judiciously, buying the best that was affordable.
Moreover, said Bruno Couillard, chief technology officer at Chrysalis-ITS Corp. (Ottawa), while most companies had clearly committed to totally securing their enterprises and the e-commerce connections they maintained, they were doing so on long-range two-, five- and 10-year plans, listing security high on the priority list but seldom above cost and performance.
Even so, before Sept. 11, estimates for the total size of the security market at the systems level were showing growth while the surrounding datacom/networking market remained in a slump. Security services were expected to exceed $17 billion by 2004, with an annual growth rate of 25 percent, according to International Data Corp. In virtual private networks alone, according to a study from Infonetics Inc., hardware system and board sales were expected to grow from $2 billion in 2001 to $3.5 billion by 2004.
In the aftermath of Sept. 11, said Syed Ali, president and chief executive officer at Cavium Networks Inc. (San Jose), there is no reason to scale down such projections, because they are narrowly focused on security solutions that protect the integrity of internal corporate data transmitted in bulk via virtual private networks and that of the e-commerce portals through which customers buy products and want to be sure that each transaction is secure.
That's been achieved for corporations mainly through encryption/decryption and security standards such as IPSec and for consumers by the Secure Sockets Layer (SSL) specification.
IPSec is a flexible industry-standard framework for secure IP networking, used above all for the bulk data transmissions of virtual private networks (VPNs). Through its Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols it provides authentication, integrity and privacy for individual IP datagrams or packets (the units of data transmitted over a TCP/IP network, each carrying source and destination addresses plus data), so it protects every application above the IP layer without changes to those applications.
Netscape Corp.'s SSL, which dates from the mid-1990s, protects single client/server transactions. Developed for Netscape's ground-breaking graphical Web browser, it uses a public-key handshake (RSA key exchange, or optionally Diffie-Hellman key agreement) in which the server proves its identity with a certificate and the two sides establish a shared session key; the transaction itself is then encrypted with a faster symmetric cipher. That is what lets a secure channel be set up between a Web consumer and a server even if the two have never communicated before.
In terms of broader security issues, protecting the networks and systems from attacks by hackers and possible cyberterrorists, most companies, said Kishore Jotwani, vice president of marketing at network processor software supplier LVL7 Systems Inc. (Cary, N.C.), still depend on after-the-fact protection using sophisticated virus and worm detection software and intrusion-detection programs. They are also taking advantage of higher levels of integration and new memory alternatives to change the security boundaries within which critical data and password information is exchanged internally, from software to hardware, from Internet data center to individual servers, from server to board, and ultimately as the technology allows it, down to the chip level.
"I don't think that in the aftermath of Sept. 11 companies in terms of practical implementation are moving much beyond their initial efforts and thinking in broader terms," he said, "although the terrorist attacks and the obvious sophistication with which the terrorists have made use of the Internet and World Wide Web to communicate and coordinate have certainly raised awareness."
What is preventing companies so far from moving beyond immediate security concerns, he said, is mainly a matter of performance and cost. "Security in the context of encryption/decryption is an expensive solution," said Dietz. "Implemented in software, which is the common procedure, [it] imposes a significant hit on performance both at the server and the router level. And when you add on other important and complementary security functions to the job of encryption and decryption you have a truly monumental processing problem."
Cavium's Ali said these other important security functions include:
Ensuring the integrity of the message, to learn whether anyone has altered the data en route;
Identifying and authenticating both the sender and receiver, to be certain this is the party I expected to communicate with;
Preventing repudiation (in which someone denies transmitting or receiving a communication).
Each of these has a different cost profile. Bulk encryption and decryption alone means pushing every block of traffic through many rounds of substitution, permutation and table lookups with a symmetric cipher. Authenticating identity and making it difficult for a sender to repudiate a message requires public-key operations on top of that, namely modular arithmetic on 2,048-bit numbers for each connection or signature, while maintaining the integrity of the message in transit adds a keyed hash that costs more than 512 32-bit additions per 64-byte block of data processed. "We are talking huge numbers, here," said Ali. "Very quickly, companies are finding that doing such functions in software using a general-purpose processor can very quickly bring a site to a total shutdown."
A general-purpose processor like those used in a typical server VPN application capable of handling 1,000 nonsecure Web page requests per second, he said, can only handle some 15 or fewer secure requests, because each new secure session adds at least one public-key operation to the work of serving the page. A firewall that can process 1,000 Mbits/s of normal traffic can handle only about 50 Mbits/s or less of secure data, a twentyfold reduction in throughput, because here the per-packet symmetric cipher and keyed hash dominate.
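The functions listed above, as an added example in Python that is not code from the article or from any vendor it quotes. It implements the per-packet integrity check (an HMAC keyed hash, as IPSec AH/ESP and SSL use), shows that a single flipped bit in transit is caught, and measures one 2,048-bit modular exponentiation, the core of an RSA private-key operation or a Diffie-Hellman agreement, against the per-packet hash so the throughput collapse the article reports can be reproduced on your own machine. The keys, packet and packet size are constructed here; the 2,048-bit modulus is a random odd number that serves only as a timing stand-in for a real RSA modulus or standardized Diffie-Hellman prime and must not be used as a key. The bulk symmetric cipher is left out because the Python standard library has none.

```python
"""Added example (not from the article): per-packet integrity, tamper
detection, and a cost comparison of per-connection public-key work versus
per-packet hashing that explains why secure request rates collapse."""
import hashlib
import hmac
import secrets
import time

# Constructed test data: a 16-byte session key and a 1,500-byte "packet".
SESSION_KEY = bytes(range(16))
PACKET = b"GET /checkout HTTP/1.0\r\n" + b"A" * (1500 - 24)


# ---- Integrity per packet: HMAC (RFC 2104) over the payload -------------
def tag_packet(key: bytes, payload: bytes) -> bytes:
    """Keyed hash the receiver uses to learn whether data changed en route."""
    return hmac.new(key, payload, hashlib.sha1).digest()


def verify_packet(key: bytes, payload: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking tag bytes through comparison timing.
    return hmac.compare_digest(tag_packet(key, payload), tag)


def tamper_detected(key: bytes, payload: bytes) -> bool:
    """Tag a packet, flip one bit "in transit", confirm the tag rejects it."""
    tag = tag_packet(key, payload)
    altered = bytearray(payload)
    altered[len(altered) // 2] ^= 0x01
    return verify_packet(key, payload, tag) and not verify_packet(
        key, bytes(altered), tag
    )


# ---- Public-key work per connection --------------------------------------
def modexp_seconds(bits: int = 2048) -> float:
    """Seconds for one modular exponentiation with `bits`-bit operands.
    The modulus is a random odd number: a timing stand-in only, since the
    cost of pow(g, x, n) does not depend on n being prime or an RSA modulus.
    """
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    g = secrets.randbelow(n - 2) + 2
    x = secrets.randbits(bits) | (1 << (bits - 1))  # full-length exponent
    start = time.perf_counter()
    pow(g, x, n)
    return time.perf_counter() - start


def hmac_seconds(key: bytes, payload: bytes, reps: int = 200) -> float:
    """Average seconds to tag one packet of this size."""
    start = time.perf_counter()
    for _ in range(reps):
        tag_packet(key, payload)
    return (time.perf_counter() - start) / reps


def secure_rps(plain_rps: float, pubkey_seconds: float, ops: int = 1) -> float:
    """Secure requests/s if each request adds `ops` public-key operations
    (of `pubkey_seconds` each) to the work behind one plain request."""
    return 1.0 / (1.0 / plain_rps + ops * pubkey_seconds)


def cost_ratio() -> float:
    """How many per-packet hashes fit in one 2,048-bit modexp on this CPU."""
    return modexp_seconds() / hmac_seconds(SESSION_KEY, PACKET)


if __name__ == "__main__":
    print("tamper detected:", tamper_detected(SESSION_KEY, PACKET))
    pk = modexp_seconds()
    print(f"one 2048-bit modexp: {pk * 1e3:.2f} ms")
    print(f"one HMAC-SHA1 over 1500 B: {hmac_seconds(SESSION_KEY, PACKET) * 1e6:.1f} us")
    print(f"1000 plain req/s -> ~{secure_rps(1000, pk):.0f} secure req/s")
```

Run it as `python3 cost.py`. The printed secure rate uses this machine's measured modexp time; the article's figure of 15 or fewer secure requests per second corresponds to a public-key operation of roughly 65 ms, which is in the range of a 2001-era general-purpose CPU doing RSA-2048 in software. The pure-arithmetic `secure_rps` is separated from the timing so the model can be checked without depending on the host's speed.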
Despite the huge computational load imposed by software add-ons for IPSec and SSL, said LVL7's Jotwani, in the aftermath of Sept. 11 customers are calling for more of them in their servers, routers and switches. "Although these are only partial solutions in terms of breadth and limited in terms of performance, they see implementing software on top of their existing hardware as a good first step toward a more all-encompassing solution."
Until recently, said Linley Gwennap, principal analyst for the Linley Group, Inc. (Mountain View, Calif.) and author of the recently published Guide to Security Processors, the initial hardware solutions were incredibly expensive and deployed only in key areas. For example, he said, six months ago the cost of a typical IPSec board-level solution for just one 2.5-Gbit/s OC-48 connection was about $70,000. "With new solutions incorporating next-generation security processors, boards and line cards are now available offering comparable solutions for about $300," he said. "Given the large number of competitors in the market, I fully expect that prices will drop even further."
And with lower cost, such technology will proliferate farther out into the network infrastructure. "As the costs come down, I think you will see corporations thinking more broadly in terms of their security, beyond just protecting their e-commerce and VPN portals," said Ali. Eventually, costs will be such that it will be economically possible to incorporate a high level of security on each and every router and switch line card. "With security coming essentially 'free' on each board, you will see the migration of such solutions out of the enterprises and at each end of a server-to-server or server-to-client connection into every node in the network," he said.
Even before Sept. 11, the projections of market growth for both hardware and software solutions to security appeared optimistic. "Before Sept. 11," said Ali, "I thought some of these projections were somewhat overstated. In the aftermath I think they will be right on, especially as appropriate hardware solutions become available."
According to a recent Gartner Group Security Processor report, the security IC market in both servers and routers/switches is expected to grow from just under $100 million worldwide to almost $400 million a year by 2005. Ali said that study considered potential applications in VPN, SAN, wireless and video on demand. Looking at a broader market including SSL as well as broad application in virtually every router and switch, Cavium's own study, he said, projects growth of just under $200 million this year to just over half a billion dollars a year by 2005.
This is the market opportunity that has the dozen or so security chip vendors scrambling to come up with solutions that satisfy not only today's concerns but those of tomorrow, as network bandwidth increases. In the race to become the de facto standard, old-line semiconductor companies Analog Devices, IBM Microelectronics and Motorola, for example, vie with a range of newer, smaller companies, including early players like Hifn Inc., as well as Cavium, NetOctave, Broadcom, Corrent, LayerN and nCipher.
Two broad technical solutions, look-aside and flow-through, now exist, Gwennap said. Many current-generation devices are of the look-aside type, in which the security processor sits beside the network processor as a coprocessor on its control-plane side, off the main data path: the network processor hands it each packet that needs cryptographic work and takes the result back. "From the point of view of the silicon vendor the look-aside architecture is much easier to fabricate, requires fewer transistors and [is] quicker to get to market," he said. "From the system-designer point of view, the look-aside approach is not easy to incorporate into existing designs, requiring new boards and system configurations. But it is cost-effective, even with a system redesign."
In addition, in router and switch implementations in particular, the look-aside security processor must operate faster than the line speed of the network processor with which it is working. "As data packets [flow] into or out of a router or switch they must be routed through the security processor, which has to impose a set of operations over and above those normally performed by the network processor in the data plane," said Gwennap. "So if the application requires a network processor capable of operating at 1 or 5 or 10 gigabits/s, the security processor must operate at some incremental speed higher than the network processor."
In the flow-through approach, the security processor resides in the data plane just before or just after the network processor, so it need "only" operate at the same line speed as the latter. But because it acts as a pre- or post-processor for the network processor, it must now take over some of the ancillary management and control functions, such as classification, normally handled by the network processor, increasing its complexity, making it much more expensive to design and fabricate. "The advantage to a system designer is that unlike the look-aside approach, implementing such a design, or scaling up its performance is simply a matter of popping one IC out and stuffing a new one into the same slot," he said.
In Gwennap's view, the flow-through approach will ultimately dominate in present applications and shows the most promise in proliferating into the network infrastructure. "Those older companies who were in the market with the easier-to-fabricate look-aside designs are no doubt shifting their research efforts to the flow-through," he said. Long-term, he expects much of network security to migrate into one of the other devices in the network processor architecture, depending on advances in fabrication technology. "The architecture of the security processors is as complex as the network processors they are designed to complement on the line cards, so it would be difficult and very expensive to implement all of these functions on a single device," he said. The two options open to chip vendors are either to migrate some functions into the various processors in the control and data planes or to wait until the process technology is available to integrate it all onto one chip. "Aside from the complexity, the integration will be easier with a flow-through architecture than with a look-aside."
See related chart