HP has an alternative to the many security appliances that combine firewall, intrusion detection and VPN functions: Just put a single blade in the vendor's ProCurve switch and be done with it.
HP has an alternative to the many security appliances that combine firewall, intrusion prevention and VPN functions: Just put a single blade in the vendor's ProCurve switch and be done with it.
How we tested HP ProCurve Threat Management Services
In this exclusive Clear Choice test, we assessed the HP ProCurve Threat Management Services zl module (TMS) in terms of its features, usability and performance. What we found is a well-designed, easy-to-use implementation that packs most common security functions into a small form factor.
The TMS lacks some newer security features, such as reputation filtering, and its forwarding performance can charitably be called modest. But for network managers facing budget constraints (and that's virtually all of them, these days), the TMS represents a viable way to add security without adding more boxes.
The TMS is a single-slot blade for HP's ProCurve 5400zl and 8212zl modular switches. It supplies three security functions: stateful firewall, intrusion prevention system (IPS) and VPN concentrator. We tested the TMS in a ProCurve 5406zl chassis.
Multipurpose security devices are nothing new, but it's unusual to see all three functions in one switch module. For example, Cisco's ASA 5500 multifunction security appliances are not integrated into Cisco's switches.
And Cisco sells separate firewall and IPS security blades for its Catalyst 6500 switches, but those are higher-end devices with bigger performance numbers and bigger price tags.
Ubuntu under the hood
The TMS is powered by Ubuntu Linux running on a 2.2-GHz Intel Core 2 Duo "Merom" CPU and 4GB of RAM. Those are laptop specs, not surprising considering the TMS' small size. This engine is plenty fast for screening traffic on most Internet connections but, as we'll see in performance testing, it won't necessarily keep up with LAN traffic from numerous switch ports.
Configuration can be done through a Web-based GUI or the command-line interface (CLI). Initial virtual LAN (VLAN) setup must be done on the switch rather than the TMS. Network architects will need to think carefully about which segments to protect: The TMS currently supports a maximum of 19 VLANs, though HP says an increase to 250 VLANs is expected soon. (The switch can continue to support far larger numbers of VLANs, but their traffic won't be protected by the TMS.)
Once switch setup is complete, the TMS handles all tasks for traffic it protects, including IP routing as well as security monitoring. The TMS supports Open Shortest Path First and Routing Information Protocol routing as well as its security functions.
The Web GUI design is clean and intuitive. Firewall, IPS and VPN modules are clearly laid out, and common configuration tasks require a minimum of switching between tabs. We did find a few minor fit-and-finish issues. For example, an IPS signature conflicted with management HTTPS access (corrected by disabling that signature) and the GUI doesn't show when IPS policies are bound to firewall rules.
For firewall configuration, HP follows the common practice of defining security zones, assigning groups of interfaces into those zones and then defining access rules on a per-zone basis. While it’s simple to set up individual rules via the Web GUI, it was easier still for us to paste the roughly 250 rules we used for testing into the CLI. Activation was instantaneous.
The TMS is a true application-layer gateway, something we verified by configuring a rule allowing HTTP traffic and then hitting it with non-HTTP packets destined to TCP Port 80. Because they were not part of any valid HTTP session, the firewall correctly dropped these packets.
The IPS function combines signature- and anomaly-based threat detection. Curiously, the anomaly-based controls are binary: All anomaly checks are either always on or off, depending on whether the IPS is enabled. In contrast, signatures can be individually enabled and disabled. Always-on anomaly checking is a good thing, though presumably it has some performance cost.
The signature library comprises nearly 5,000 entries grouped into a dozen vulnerability categories such as backdoors, viruses, malware, and recon attacks. HP offers a subscription service to update signatures.
The VPN concentrator function focuses mainly on setting up IPSec tunnels, though the TMS also supports generic routing encapsulation (GRE) tunneling using firewall rules. It also supports layer-2 tunneling protocol (L2TP) in conjunction with IPSec.
In performance and security testing, we assessed the TMS both as a firewall and combined firewall/IPS. Due to time and hardware constraints, we did not test two other TMS features: High availability and IPSec-based VPNs.
We evaluated TMS performance with stateless UDP and stateful TCP tests. UDP testing produces best-case numbers, but TCP testing is a far better predictor of performance in enterprise settings (see story "Going faster with UDP").
For TCP tests, we used the Spirent TestCenter traffic generator to measure HTTP forwarding rates, both with and without attacks present; connection setup rate; and concurrent connections.
HTTP forwarding rates are a measure of how fast users get their Web content. In firewall-only mode, the TMS moved Web traffic to 500 simulated users at around 1.677Gbps.That's lower than the 3Gbps claimed on the TMS's data sheet, probably because that number was obtained with UDP. Since TCP traffic is stateful, the firewall consumes more cycles keeping track of each connection.
When we tested with the TMS configured as a firewall and IPS, HTTP transfer rates fell to 1.206Gbps, around 28% slower than in firewall-only mode. This IPS performance penalty is not unusual; in fact, it's consistent with prior Network World tests.
Our final rate test involved HTTP traffic blended with an attack from the Spirent TestCenter application. We used a variation on the well-known Code Red attack against Microsoft's IIS Web server on the principle that any IPS should be able to block it. As a twist, we used a Code Red variant that seeks to cloak itself within a stream of malformed Unicode characters.
Commendably, the HP blade recognized the cloaking effort for what it was and dropped attack traffic before Code Red could install itself. The IPS correctly logged the attack while forwarding HTTP traffic at 1.138Gbps, or around 6% slower than the same test without attacks. However, the actual performance cost is really only 4%, since attack traffic comprised 2% of the total.
Bottom line: When handling Web traffic from 500 users, maximum rates will range between 1.138G and 1.677Gbps. That's less than the capacity of two gigabit Ethernet ports – and the TMS slots into a chassis that may contain dozens or hundreds of ports. Clearly this could be a bottleneck, at least when protecting high-speed flows inside the enterprise.
At the same time, many of the TMS's security features are intended to protect Internet-facing hosts – and few enterprises have WAN circuits running at gigabit-plus speeds. So, even though the TMS is a modest performer relative to the switches that house it, it may well be adequate depending on the traffic rates it handles.
HP says higher rates are possible by using up to four TMS modules in a switch chassis and assigning separate security zones to each chassis, but we did not verify this.
Forwarding rates are only one measure of performance. We also examined connection setup rate and concurrent connections. For enterprises with e-commerce and other transaction-based applications, connection setup rate often is more important than forwarding rate.
As a firewall, the TMS set up 18,000 new connections per second (cps), easily exceeding HP’s claim of 15,000. As a firewall and IPS, the security blade set up around 7,000 cps, around 2.5 times slower than the firewall-only rate.
Our final performance test measured the maximum number of connections the firewall can track at any one time. This is a key metric for large server farms and transaction-processing applications. HP says the TMS can handle up to 600,000 concurrent TCP connections.
The TMS came close to that figure, with an average of 569,000 connections established in firewall mode and 574,000 connections in firewall/IPS mode. In a few other test trials, the firewall/IPS number was around the same or slightly lower. In any event, connection capacity is one measure where intrusion prevention extracts no higher cost.
Rather than pure performance, integration of multiple security functions is the TMS's major feature. It's a good choice for network professionals looking to add multiple security functions into the switched and routed infrastructure, especially where adding yet another box isn't an option.
Newman is president of Network Test, a benchmarking and network design consultancy. He can be reached at email@example.com.
Newman is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to >www.networkworld.com/alliance.
Network World gratefully acknowledges the support of Spirent Communications, which made this project possible. Spirent supplied its Spirent TestCenter traffic generator/analyzer and layer 2-7 test applications for this project. Spirent employees also offered engineering and logistical support, including Chuck McAuley, Brett Wolmarans, Mike Jack, Bob Paull, and Doyle Yeager.