Today's networks must support an ever-growing community of Internet and mobile users who demand access to a broad variety of network resources, including voice, video and data applications delivered over the network. At the same time, networks are subject to an increasing number of cyber-attacks that not only compromise the security of network resources but also deny access to legitimate users. Network administrators are therefore under enormous pressure to provide robust security and reliable access control while still delivering highly available, voice-quality connections that are easy to manage, so that private information and network resources remain secure regardless of whether the network is accessed over a wired or a wireless link.
The difficulties associated with securing a network have existed ever since computer networks were first introduced. Over the years a variety of techniques have been employed to provide network security. Some of these techniques are applied to communications between network nodes, i.e., at the edge of the network, whereas others are applied to communications between connection points, i.e., at the core of the network. A network node generally refers to an end point for data transmissions, such as a computer workstation, wireless access point (AP), or application server, whereas a connection point generally refers to an intermediate point in the network, such as a router, hub, or switch.
A common approach to securing a network is to add security devices to the network as in-line devices that operate independently of the network infrastructure. This approach has several disadvantages. One problem is that a failure of an in-line security device disrupts the network: if the device fails closed, traffic on that link stops, and if it fails open (for example, through a bypass), traffic continues but without protection. Another is that, to obtain the greatest benefit, security devices must be inserted on as many links between network nodes and connection points as possible. Adding a sufficient number of in-line devices to the network is prohibitively expensive. As a result, security devices are typically added only to critical parts of the infrastructure, leaving the remainder of the infrastructure vulnerable to attack. Similar problems arise in enforcing other kinds of policy besides security policy.