Security-oriented switches go mainstream
It's not an option anymore.
By Phil Hochmuth, Network World | Network World US | Published: 00:00, 15 May 2006
Vendors are continuing to blur the line between security and network infrastructure products, with Cisco, Extreme, Enterasys and Foundry all developing protection-oriented switches and routers.
Analysts and users say security is too important to have as just a service bolted onto a switched or routed network; intrusion-detection and -prevention systems (IDS/IPS), VPN, encryption and other services need to be woven into the fabric of network gear.
Cisco is launching several upgrades to its 7200 Services Aggregation Router, a device usually deployed in the main office of an enterprise, which can tie together Cisco Integrated Service Routers (ISR) in hundreds of branch sites. It is built to handle OC-3 and higher channellised T-1 and T-3 links.
A new Network Processing Engine G2 (NPE-G2) doubles the routing performance of previous NPE blades, Cisco says, with a faster processor and more memory. This allows the box to take on more IOS-based security functions without choking throughput. The greater capacity is meant to accommodate faster boxes that may run in enterprise branches, if customers recently upgraded to more powerful ISRs on the other end.
For site-to-site and remote access VPNs, Cisco is scheduled to launch the VPN Services Adapter, which allows a 7200 router to process IPSec VPN traffic three times faster than a box running only IOS VPN services, the company says. Encryption standards supported include Triple Data Encryption Standard and Advanced Encryption Standard, with 128- to 256-bit key encryption.
To fill larger WAN pipes with the added processing power, Cisco is introducing a third module - the Port Adapter Jacket Card, which can add as much as 50 percent bandwidth to the router, Cisco says. This module adds a seventh service card slot to the device, which could be plugged with another channellised dual T-3 or another OC-3 connection into the router.
"There are a ton of these out there," regarding the 7200 router, says Zeus Kerravala, a Yankee Group analyst. "Anything that extends the life of these routers is good for investment protecting to customers." For branch offices, "the ISR has been one of the best-selling products Cisco has ever had; with this whole concept of branch office consolidation, these upgrades to the 7200 make sense.
Extreme and Enterasys are expected to announce plans to integrate IDS/IPS and other security features into their network gear, while Foundry plans to announce a massive-scale data centre switch with packet tracing and secure routing features. Meanwhile, Cisco is focusing on the WAN, with an upgrade to its 7200 router that boosts VPN, firewall and overall WAN routing throughput and performance.
Enterasys is putting its Dragon IDS/IPS modules into its Matrix N Series backbone switches. The new Dragon-based daughtercards fit into expansion slots in individual 10/100/1000Mbps line cards on switches and do not require users to sacrifice a slot in the chassis, the vendor says.
Enterasys is late to the game of plugging IDS/IPS features directly into a core switch - Cisco has done this for several years, and recently Nortel announced such support. But one observer says Enterasys' approach - putting daughtercards on individual switch blades instead of one central processor - may be superior.
"The Enterasys design is more elegant" than Cisco's integrated IDS/IPS blade for the Catalyst 6500, says Jon Oltsik, a senior analyst at the Enterprise Strategy Group. Cisco's IDS blade occupies a chassis slot, and traffic must pass through the switch backplane to be processed by the blade. "You have an expensive card taking up expensive real estate inside and throttling bandwidth - not a good combination."
The Extreme plan
Extreme plans to announce partnerships with Internet Security System (ISS), CipherOptics and StillSecure - IDS/IPS, data encryption and network access control (NAC) vendors, respectively. Users of any of these three companies' products will soon be able to extend security functions to Extreme switches in the LAN core and edge, the vendor says.
With ISS, Extreme has developed a protocol that passes information between ISS IDS/IPS appliances and switches running the XML-based ExtremeXOS switch operating system. An ISS device sitting in a central location would communicate with all Extreme switches on a LAN, tapping into traffic flow data on switches. Flows of suspicious traffic that trigger an ISS box would create a series of alert messages between the Extreme switches and ISS device, ending with the shutdown of the port on which the bad traffic was detected.
Extreme and ISS are expected to show this package at Interop, with the products planned for release later this year. The development work between ISS and Extreme is not exclusive. In addition, other vendors are expected to be testing similar approaches with switch-based IPSs.
With CipherOptics and StillSecure, Extreme is re-branding the security vendors' encryption products and integrating them with Extreme's Sentriant security traffic management appliance, which was announced at Interop 2005.
CipherOptic's endpoint-to-endpoint data encryption device sets up secure transmission between two or more users. Extreme says its ExtremXOS switches (working with the Sentriant appliance) will detect traffic requiring encryption - based on preset policies - and call in the CipherOptics box to scramble the bits. Interoperability will be similar with StillSecure: Extreme switches will trap unauthenticated users at the switch level while the StillSecure device examines the client machine for security compliance. The Extreme switch will then admit or deny access based on result of the StillSecure NAC device's scan.
Focusing on the data centre, Foundry is expected to announce its NetIron MLX-32, which takes aim at 10G Ethernet port-density leader Force10 Networks. The device supports as many as 256 10G Ethernet connections, 1,280 Gigabit Ethernet ports or a mix of the two with a 7.68Tbps switch fabric. MPLS, IPv4 and IPv6 are supported on all ports.
"In the data centre and backbone, we're seeing even medium-sized enterprises moving toward 10G," says Bobby Johnson, Foundry's CEO. "It makes economic sense and it takes any conversation about bandwidth [issues] off the table" for advanced services, such as VoIP, video and centralised corporate applications.
Besides high bandwidth, Foundry is highlighting several data centre security features in the MLX-32. These include Unicast Reverse Path Forwarding (URFP) and Multi-Virtual Router Forwarding (Multi-VRF). URFP lets a switch check the source and destination address in each packet against Layer 3 route tables in the device to prevent packet spoofing, Foundry says.
Multi-VRF lets users create virtual routing domains inside a box. These domains, similar to Layer 2 virtual LANs, segregate traffic flows. Users also can install external firewalls (external to the box) or internal access control lists to regulate what traffic is shared among virtual router segments, Foundry adds.