The average medieval castle featured layers of defense. Multiple wall rings were constructed so that there was no single intrusion point. However, these walls could be rendered useless by that most unpredictable of enemies: the insider - a spy within the castle walls who helped the intruder gain access. But what ultimately did in the castle era was the trebuchet, a sort of catapult on steroids which not only allowed the enemy to pound castle walls from a safe distance, but also to hurl flaming objects or diseased pigs over the walls. That ended the focus on building perimeters around castles as the major line of defense.

We're going through a similar security shift now in our networks, and I can't help but see the same evolution occurring. But while castles had decades to refine their security systems, most network growth has occurred within the last few years, and security technology has been scrambling to keep up.

Add VoIP to the network and you bring in an entirely new security problem. VoIP is more susceptible to denial-of-service (DoS) attacks than data applications because of its QoS requirements. Secure solutions are needed to protect against voice spam, phone number spoofs, theft of services and other threats as yet unknown. What's worse is that when you add voice components to the data network, they become susceptible to the same threats as the data network such as switch, router and software vulnerabilities.

Even more unnerving is the recent publicity regarding VoIP and 911 calling problems. A distributed DoS attack on a VoIP phone could prevent someone from dialing 911 in an emergency. That's a lawsuit you don't want to be on either end of.

Intrusion-prevention systems (IPS) not only address data threats and DoS attacks, but also can address VoIP vulnerabilities that have been discovered in Session Initiation Protocol and H.323 implementations. Because of their high throughput and low latencies, customers are increasingly putting IPSs at their network core to protect against worms, viruses, Trojans, DoS attacks, spyware and VoIP threats.

However, in the vein of "You can't be too rich or too thin," you can't be too secure or too wary. More proactive measures are needed to nip problems before they appear on the network. Security needs to be closer to the client.