Keeping PCs safe will strain their resources
Published: 22 Sep 2003 15:25 BST
Who really needs a 2 or 3 GHz computer with 512MB of memory? Now that I'm working on a review of a 1.6 GHz 512MB ThinkPad T40, I see from the CPU usage meter in Windows Task Manager that I'm not even making this system break a sweat. Will anything ever come along to absorb our computers' spare horsepower? The answer is: probably yes. And then some.
More and more malicious infiltrations are finding their way past the perimeter security or, worse, are inside jobs perpetrated by someone who was thought to be trusted. If there's one class of applications that's on the verge of a demand swing, one that will require significant horsepower at most if not all network endpoints -- be they desktops, notebooks, handhelds, servers, or otherwise -- it's security.
The best-designed security solutions will involve measures deployed close to the application execution and communication endpoints deep inside those perimeters. Why? Ask yourself this question: Whom can you trust? Your answer determines the list of endpoints with which all communications and connections can be allowed and should be secured. More importantly, the endpoint that needs securing is not just the physical system itself. Even that is too close to the perimeter and, like firewalls, creates a single physical barrier to multiple resources when outside processes or people typically don't need access to more than one of those resources. For example, should someone with the authority to send you an instant message also have access to the documents on your hard drive?
Most experts I talk to agree that security will ultimately involve encryption and that the encrypted links won't be only between machines, but also between processes. For many, the idea of Web services -- where software components that talk to each other can be in the same or different systems -- brings home this notion of where the endpoints are and how deep into a system the encrypted channels must penetrate.
It isn't difficult to imagine a couple of different encryption-based security models for application-to-application communications. For example, two physical systems could establish an encrypted session using version 6 of the Internet Protocol (IPv6). Within that encrypted tunnel, the communication taking place between applications residing on both systems could also be relying on their own encryption agreement. Or, since IPv6 expands the available number of addressable entities on the Internet to a limit that an additional populous planet couldn't tax, perhaps every single process capable of establishing a link to another process (on the same or separate systems) is assigned its own IPv6 address and is therefore maintaining its own IPv6-based encrypted communications.






