Tracking Your Visitors
As the number of edge points increases, the firewall's filter tables become too complex. Ultimately, the idea of keeping the outside world out will have to be abandoned, and when that happens, enterprises need to completely shift their notion of security and add visitor counters:

* First, let the world come in but watch for unacceptable behavior. Museums permit the public to visit and look at the exhibits, but guards and cameras monitor what the public is doing in the rooms. Similarly, the intranet needs remote "cameras" that can watch user actions and patterns.
* Second, the organization will need to protect its assets at a much finer granularity. Just as we no longer inhabit walled cities, but instead lock our homes, the enterprise intranet will need to remove its firewalls and instead protect individual files, machines and users.

These stratified levels of protection will change how security is viewed over the next few years. Most important, it will mean managing many more security elements. New servers, such as transaction processing and digital cash processors, will join existing and enhanced authentication, proxy, replication and access servers on both the leading and trailing edges of intranet-Internet boundaries. On the plus side, however, many of today's concerns about security, reliability, remote management and uniformity of Web presence will be solved by emerging Web-security technologies.

It is tempting to skip the analysis of boundary traffic and just bundle it all into a big fat pipe. After all, isn't adding more bandwidth the solution for most of our industry's ills?

A recent procurement for global Internet services is a case in point. One of the bidders argued that content should be kept on a single Web site in the United States, trunking access to Europe and Asia with OC-12 (624-Mbps) circuits, rather than distributing the content locally to those regions. Either way, users would access the firm's Web pages through their local ISPs.
The question became whether 624 Mbps could beat the speed of light over the oceans, and the answer, of course, was no. Distributing the content to the regional sites could give users from 25 to 50 percent faster response times retrieving a typical Web page. There are two lessons here: Don't bet against laws of nature, and don't chicken out on intranet-Internet traffic analysis.

Determining the bandwidth needed at the intranet-Internet boundary is a critical planning step. It may seem impossible to predict intranet traffic growth, but don't give up before trying. In fact, the process is straightforward and not overly complex (see "Internet Traffic Sizing Model"). It is less important to get exact results than it is to do some basic sizing of current requirements and make estimates about the future. If you analyze many sites and project the behavior of users and applications over time, you will also understand the conditions under which it becomes impractical to support your enterprise's current boundary with a single circuit into the Internet.