The demand for advanced networking capability, including increased security, has prompted a closer look into the underlying network architectures which deliver this advanced functionality. HP is one of the leading suppliers of networking infrastructure and Mark Hilton, EMEA Marketing Manager for ProCurve Networking by HP, sat down with the ITP Report to discuss what makes ProCurve so popular and how it is keeping clients’ networks secure.
For some time ProCurve has spoken about its Adaptive EDGE Architecture (AEA). Many network suppliers talk about edge functionality. How is your AEA different from other vendors' approaches to networking?
The ProCurve Networking Adaptive EDGE Architecture (AEA) departs dramatically from the prevalent networking paradigm, which forces companies to adopt and manage a ‘network of networks’ in which features are afterthoughts or exist in isolation. Instead, the AEA encompasses a holistic, comprehensive view of the network and distributes intelligence to the edge, where users connect.
The main tenets of the AEA are ‘control to the edge’ with ‘command from the centre.’ These two tenets are achieved because intelligence, defined as the ability for the network to respond and react, is located at the edge where users and resources connect with the network. At the same time, the policies and rules governing the network’s intelligence reside conveniently and centrally in the hands of the network administrators. It is this dynamic configuration of the edge (control to the edge) from the management centre (command from the centre) that enables automation of functions including network security. This automation is essential for reducing both the costs and the complexity of the network.
You mentioned network security as one of the areas AEA addresses. Can you elaborate on how AEA relates to network security?
ProCurve’s security vision and strategy, which we call ProActive Defense, delivers a trusted network infrastructure that is immune to threats, controllable for appropriate use and able to protect data and integrity for all users. A unique aspect of our ProActive Defense vision and strategy is that it addresses both security offence and defence at the same time and, most importantly, at the network edge. This combined offence and defence is possible only because ProActive Defense is based on Adaptive EDGE Architecture principles, which drive intelligence to the network edge while retaining centralised control and management.
Which specific areas does your strategy address and why do you call it ProActive Defense?
The first step in network security is to realise the importance of combining the offence and defence into a single comprehensive system, in the same way a successful football team would combine these elements. That’s where we get the name. You need to be proactive through NAC-related technologies by controlling who has access to which parts of your network, and you need to be defensive by recognising that your network may be subject to both intentional and unintentional damage by those to whom you’ve granted access. We focus on something we call network immunity and secure infrastructure to provide these defensive elements.
Together, the three pillars of Access Control, Network Immunity and Secure Infrastructure work to secure the network while making it easier for companies to comply with and verify compliance for regulatory and other requirements.
Network access control (NAC) is a hot notion but also fragmented and incomplete at the moment. Where do you see this trend going?
NAC is the buzz in the industry today. It really is the opportunity for the networking vendors to begin to integrate security solutions into their offerings. Historically, security solutions have been provided by security vendors with host-based software or drop-on products.
So where is it going? The evolution towards a standards-based implementation is one. Architecturally, Microsoft’s NAC (called network access protection, or NAP), Cisco’s NAC and TNC are all essentially identical. They differ in some of the protocols and things that are used to carry the security information. So clearly the industry is moving towards a common set of standards-based components for that solution.
The other thing that’s very important to recognise is that NAC solutions are typically very difficult to deploy. There are lots of moving parts and IT departments are struggling with how to get this effectively deployed. There is an acknowledgement that today you can’t control every device out in the network. In most cases, these guys don’t even know what’s out on their network, so how can they enforce that there’s a piece of software down on that device that they can go and query to see if it’s up to date?
So the NAC architecture you’ll see more of will be comprehensive in managing all the different types of access. Anything from an uncontrolled user, like an IP phone, to a device that has an agent built into it. The NAC solutions have to take into consideration all of those environments. And you want to have a single pane of glass where you can manage network policies.
Today, we are doing all these network policies to enforce who’s on the network and there’s a huge automated system in doing that. If you log in, the switch support gets configured and all that happens automatically.
But in order for IT departments to have confidence in that, they need to build a trusted infrastructure. It is necessary to have all the switches as fully trusted devices and authenticated with one another to create this domain that’s truly impermeable. It also has to be highly available.
Which NAC standards today address the establishment of trust between switches?
There is an 802.1 standard focused on link encryption, MACsec (802.1AE, Media Access Control Security). And there’s a standard called 802.1AR, which deals with device identity.
With 802.1AE and 802.1AR, it means that we can create a trusted infrastructure in a plug-and-play fashion, so we’ll be able to take a ProCurve product out of the box, plug it into the network, and that box already has credentials built into it. It can automatically authenticate to its peer switch and then you can bring up an encrypted link and now all the traffic, spanning trees and routing protocols, will be fully protected.
What we’ll have is a hardened network that’s closed loop.
What else is ProCurve looking to do in the area of security?
We are looking at how you also integrate more of the threat management that you see today in, say, universal threat management (UTM) devices, putting firewalls, antivirus, IDS/IPS down onto the switches. For example, an antispam type device is involved in scanning e-mail. If you have to funnel all your network traffic through this box, just so that it gets to pick out the e-mails, you are going to have a huge bottleneck in the middle of the network. With the ProCurve network you can detect the e-mail as it is coming in. For example, you can detect which traffic needs to be wrapped up, tunneled and shot at the antispam device, and the rest of the traffic doesn’t need to go through that.
This antispam now scales and is shared by every network edge.
Are you saying that UTMs are too cumbersome?
We’re not saying that UTMs are too cumbersome, but rather that their position in the network topology may not be as effective as it should be. If you put a UTM in the core of your network, it is like putting a security guard in the middle of a building. Everybody has got to come into the building to get checked, but you’ve already penetrated the network.
What you really needed was a UTM on every port. While that’s expensive and hard to manage today, that’s what ProCurve has always focused on, which is how do we simplify, integrate and automate these things.
With our recent Network Immunity (NI) announcement we can leverage the depth of a UTM or IDS/IPS with the breadth of the edge functionality we have in our edge switches. We use sFlow and our virus throttling technology to do a first pass check on data coming in. Then, if an anomaly is detected, we can mirror the data, even across a WAN if needed, to a deep packet inspection device, like a UTM. The NI software module coordinates and automates the whole thing. A port can be shut down, rate limited or directed to a quarantine VLAN based on the Network Behaviour Anomaly Detection (NBAD) software we’ve deployed as part of our Network Immunity solution. We are partnering with key UTM suppliers to ensure the complete solution is bulletproof. This approach is perfectly in keeping with ProCurve’s goal to simplify the operation and increase the return on investment of our customers’ networks.
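The two-stage flow Hilton describes in his last answer (a cheap first-pass check on sampled flow data at the edge, then mirroring of suspect traffic to a deep-inspection device and a port action) can be illustrated with a small script. The code below is an added example, not ProCurve or HP software: it implements a virus-throttling-style heuristic (a host that suddenly contacts many never-before-seen destinations) over constructed sFlow-like samples, then maps the score onto the three port actions named in the interview. The record format, the thresholds and the action names are all assumptions chosen for the illustration; real NBAD and virus-throttling products use their own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FlowSample:
    """One sFlow-style sample (constructed layout, not the real sFlow datagram)."""
    ts: int        # sample time in seconds
    port: str      # edge switch port the sample was taken on
    src: str       # source host
    dst: str       # destination host
    dst_port: int  # destination TCP/UDP port


# Constructed sample set: one ordinary host that keeps talking to two servers,
# and one host that fans out to 30 fresh destinations in 10 seconds.
SAMPLES: List[FlowSample] = []
for t in range(10):
    SAMPLES.append(FlowSample(t, "A1", "10.0.0.5",
                              "10.0.1.1" if t % 2 else "10.0.1.2", 443))
for i in range(30):
    SAMPLES.append(FlowSample(i // 3, "A2", "10.0.0.9", f"10.0.2.{i + 1}", 445))


def new_destination_rate(samples: List[FlowSample], window: int = 10) -> Dict[str, int]:
    """Virus-throttling style score: for each source, the peak number of
    previously unseen destinations first contacted within any sliding window.
    Payload is never inspected; only the connection pattern matters."""
    seen = defaultdict(set)
    first_contact = defaultdict(list)   # src -> timestamps of first contact
    for s in sorted(samples, key=lambda x: x.ts):
        if s.dst not in seen[s.src]:
            seen[s.src].add(s.dst)
            first_contact[s.src].append(s.ts)
    peak: Dict[str, int] = {}
    for src, times in first_contact.items():
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] <= t - window:   # slide the window's left edge
                j += 1
            best = max(best, i - j + 1)
        peak[src] = best
    return peak


def decide_action(new_dsts: int, warn: int = 5, quarantine: int = 20,
                  shutdown: int = 50) -> str:
    """Map the score onto the port actions from the interview.
    Thresholds are assumptions for this example."""
    if new_dsts >= shutdown:
        return "shutdown"
    if new_dsts >= quarantine:
        return "quarantine_vlan"
    if new_dsts >= warn:
        return "rate_limit"
    return "allow"


def first_pass(samples: List[FlowSample],
               window: int = 10) -> Tuple[Dict[str, dict], List[FlowSample]]:
    """First-pass check at the edge. Returns a verdict per source host and the
    samples that would be mirrored to a deep-packet-inspection device
    (only traffic from hosts that tripped a threshold)."""
    rates = new_destination_rate(samples, window)
    port_of = {s.src: s.port for s in samples}
    verdicts: Dict[str, dict] = {}
    mirror: List[FlowSample] = []
    for src, n in rates.items():
        action = decide_action(n)
        verdicts[src] = {"port": port_of[src], "new_destinations": n,
                         "action": action}
        if action != "allow":
            mirror.extend(s for s in samples if s.src == src)
    return verdicts, mirror


if __name__ == "__main__":
    verdicts, to_mirror = first_pass(SAMPLES)
    for src, v in verdicts.items():
        print(f"{src} on port {v['port']}: {v['new_destinations']} new "
              f"destinations in window -> {v['action']}")
    print(f"{len(to_mirror)} samples selected for deep inspection")
```

The point of the structure is the one made in the interview: the expensive analysis (deep packet inspection) only ever sees the small slice of traffic that the cheap edge check singled out, so it does not sit in the data path as a bottleneck, while the enforcement (rate limit, quarantine VLAN, shutdown) still happens on the port where the host connects.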