Network World

Brad Reese

Demanding business applications have Cisco and rival HP ProCurve featuring their network behavior analysis strengths

By Brad Reese on Mon, 12/17/07 - 9:42am.

In today's networking environment companies that purchased Cisco switches 5 to 8 years ago are usually not upgrading to newer switches for more bandwidth.

Instead, they are upgrading to deploy features which will allow them to better manage the traffic utilizing their network infrastructure.

Why?

Because their business applications are demanding it.

Technologies such as PoE, Network Behavioral Analysis, QoS, Latency Protection and NetFlow are often at the top of the important features list.

Not to be excluded, open standards, technical support, etc. are near the top as well.

Frequently, a company will only consider purchasing Cisco, either because of vendor loyalty or perhaps because of the remote possibility that a CCIE is trying to protect his or her turf.

Related Story:

Network World Why it's time to break out of the 'Cisco-is-the-only-vendor-for-me' mindset

Either way, once CIOs catch their breath from Cisco sticker shock, they often set out looking for switch alternatives.

Gartner says it isn’t always smart to stick with the incumbent vendor.

Gartner is promoting the consideration of alternative vendors in their new report explaining the Vendor Influence Curve, which suggests that savings might be greater than 25%.

The Vendor Influence Curve: Finding the Right Balance

"Large vendors (such as Cisco Systems) will have you believe that nearly anything they put their names on should be part of the network," said Mark Fabbi - Gartner vice president and distinguished analyst.

"However, this isn't an appropriate approach to ensure the network will best meet the needs of your organization — technically or financially."

Network Behavioral Analysis without NetFlow or sFlow:

In a previous Network World Cisco Subnet Blog, the Cisco framework for Network Behavioral Analysis (NBA) was highlighted.

Today HP ProCurve is making inroads into the enormous Cisco switch customer base, having engineered a considerable amount of Network Behavioral Analysis technology into its switch line.

As noted in that previous blog, Cisco supports NetFlow but largely omits it as part of their NBA solution.

Similarly, HP ProCurve supports a NetFlow competitive technology called sFlow, which is also missing in action as part of their NBA solution.

Why?

Because signatures and proprietary algorithms are often out-of-date.

Current methods to stop propagation of malicious agents rely on the use of signature recognition to prevent hosts from being infected.

However, latency between the introduction of a new virus working into a network and the implementation and distribution of a signature-based patch or new behavioral algorithm can be significant.

Within this period, a network can be crippled by the abnormally high rate of traffic generated by infected hosts.

In-line Network Behavioral Analysis (NBA) systems or NetFlow appliances from vendors such as Mazu Networks, Lancope and Arbor Networks watch packets, analyze NetFlow and tout NBA abilities.

However, the companies producing the hardware (e.g. Cisco & HP ProCurve) recommend switches to perform NBA.

It seems that NetFlow and sFlow lack critical information to be effective in this space and should be utilized for other tasks such as traffic analysis routines.

For this reason, they may not be as effective at stopping attacks as the vendor would like you to believe.

Nevertheless, they do enhance security.

Companies can’t stop all viruses and worms, but they can treat them.

Viruses, worms and the like will make it onto the corporate network.

You can bet on it.

Security administrators can only do so much to protect the electronic jewels of a business.

Best practices and reasonable protective measures are really all that can be done.

Overzealous security measures can stifle a company and can be costly to maintain.

Luckily, threats have behaviors.

On average, a person will contract dozens of cold viruses over their lifetime.

Most of us know that a person can never have the same cold twice, but the symptoms of a second cold may be nearly or exactly the same as a previous cold.

A stuffy nose, sore throat, congestion, itchy eyes, etc.

These are behaviors of the common cold.

Tylenol sells 2 to 3 different medicinal products to help a person deal with the symptoms of a cold until the human body can remove the virus completely.

Luckily, most computer network viruses are like the common cold and exhibit consistent behaviors (they scan the network, they launch denial of service attacks, etc).

Cisco, HP ProCurve and others have put technology like Tylenol on their switches that can deal with these abnormal behaviors in a way that allows the network to continue operating until the network administrator can eradicate the computer virus from the network.

"We have Layer 2 virus-throttling built right into our switches. So we have already integrated the offensive and defensive features together at the edge ports," said Paul Congdon - CTO of HP ProCurve.

"Historically, security solutions have been provided by security vendors with host-based software or drop-on products."

"We are looking at how you also integrate more of the threat management that you see today in, say, universal threat management (UTM) devices. So putting firewalls, antivirus, IDS/IPS down onto the switches."

HP ProCurve switches have the following features for Advanced Threat Detection:

BPDU Filtering and BPDU Protection - protects the network from denial of service attacks that use spoofed BPDUs.
Connection-rate filtering and throttling technology detects hosts that are trying to create a large number of outbound IP connections on an interface. Messages can be sent to the NMS, and the switch can throttle or drop the traffic on the interface.
When throttling or blocking is enabled, penalty periods can be configured which must expire before traffic will be allowed from a host. After the penalty period, the traffic is re-evaluated by the switch.
DHCP Snooping - protects the network from common DHCP attacks such as address spoofing and repeated address requests.
Dynamic ARP Protection - protects your network from ARP cache poisoning.
Connection-Rate ACLs create exceptions or special policies for individual hosts or groups of hosts (including TCP and UDP protocols). They are based on inbound traffic and help prevent false positive alarms. Sensitivity or filter modes can be altered as well to help prevent false positives.
Instrumentation Monitor - helps identify a variety of other common attacks by generating alerts for detected anomalies on the switch.
Selective enabling allows administrators to decide on which ports to enable the above technology.

Benefits include:

Behavior-based operation that does not require identifying details unique to the code exhibiting the worm-like operation.
Handles unknown worms because it recognizes behavior rather than looking for specifics that require signature updates.
Protects network infrastructure by slowing or stopping (i.e. mitigating) IP traffic from hosts exhibiting high connection-rate behavior (e.g. the throttle was able to stop the W32/Nimda-D worm in less than one second).
Allows the network and individual switches to continue to operate, even when under attack.
Provides event log and SNMP trap warnings when worm-like behavior is detected.
Gives IT staff more time to react before the threat escalates to a crisis.
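As an added illustration (not HP ProCurve code), the following Python models the connection-rate throttling and penalty-period behaviour described in the list above: a sliding window counts new outbound connections per host, a host that exceeds the threshold is logged and, in throttle mode, dropped until its penalty expires, after which it is re-evaluated. The window, threshold and penalty values are constructed assumptions, not ProCurve defaults.

```python
"""Connection-rate throttling with penalty periods, modelled on the
ProCurve feature described above (added example, not HP code)."""
from collections import defaultdict, deque

# Constructed policy (assumed values, not ProCurve defaults): more than
# MAX_NEW_CONN new outbound connections from one host within WINDOW
# seconds is treated as worm-like; the host is then blocked for PENALTY
# seconds and re-evaluated once the penalty expires.
WINDOW = 1.0
MAX_NEW_CONN = 10
PENALTY = 30.0


class ConnectionRateFilter:
    def __init__(self, mode="throttle"):
        self.mode = mode                    # "throttle" (drop + penalty) or "notify"
        self.recent = defaultdict(deque)    # host -> timestamps of new connections
        self.penalty_until = {}             # host -> time at which its penalty expires
        self.events = []                    # what would go to the event log / NMS trap

    def _rate(self, host, now):
        """Record a new connection and return how many fell inside the window."""
        q = self.recent[host]
        q.append(now)
        while q and now - q[0] > WINDOW:    # slide the window forward
            q.popleft()
        return len(q)

    def new_connection(self, host, now):
        """Return 'forward' or 'drop' for a new outbound connection from host."""
        expiry = self.penalty_until.get(host)
        if expiry is not None:
            if now < expiry:
                return "drop"               # still inside the penalty period
            del self.penalty_until[host]    # penalty over: re-evaluate from scratch
            self.recent[host].clear()
        if self._rate(host, now) > MAX_NEW_CONN:
            self.events.append((now, host, "high connection rate"))
            if self.mode == "throttle":
                self.penalty_until[host] = now + PENALTY
                return "drop"
        return "forward"                    # notify mode only raises the event
```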
"We selected the HP Procurve line of switches for our network and the NBA features have added great value. Another layer of security gives us additional peace of mind. The reliability, feature set, and warranty HP provides for their Procurve line makes it hard to beat. The switches have been rock solid and the support has been as good as Cisco's, for a fraction of the price," said Scott Chapiewsky - Synamon Corporation.

What about the legacy gear?

How do companies gain the benefits of NBA on legacy switches that don’t need to be upgraded?

This can be done a couple of ways:

One

Using NetFlow on routers or switches, analyzers can watch for behaviors and trigger SNMP sets which can disable interfaces on switches or routers; they can also make access list changes, etc.

Vendors such as Plixer and Lancope provide NetFlow analyzers which can do this.

However, unless you own Enterasys switches or high-end Cisco Catalyst 6500 switches, you won’t have NetFlow capabilities, and mitigation can get a bit more difficult if the algorithms rely on NetFlow from routers to make changes to the switches.
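An added example (not Plixer or Lancope code) of the first approach: a small NetFlow analyzer that flags hosts whose flows look like a scanning worm and translates each detection into the SNMP set the analyzer would issue to shut that host's edge port. The flow records, host-to-port mapping and thresholds are constructed; the ifAdminStatus OID is the standard IF-MIB object.

```python
"""NetFlow-driven mitigation for legacy switches (added example, not a
vendor's analyzer). Detect worm-like scanning from flow records, then map
the offending host to its edge port and emit the SNMP set that disables it."""
from collections import defaultdict

# Constructed NetFlow v5-style records: (src, dst, dst_port, proto, packets, tcp_flags).
# proto 6 = TCP; tcp_flags 0x02 = SYN only, i.e. an attempt that never completed.
FLOWS = [
    ("10.1.1.20", "10.1.2.5", 80, 6, 120, 0x1b),     # normal web session
    ("10.1.1.20", "10.1.2.9", 443, 6, 85, 0x1b),     # normal web session
] + [("10.1.1.77", f"10.1.3.{i}", 445, 6, 1, 0x02) for i in range(1, 41)]  # scanner

# Constructed host -> (switch, ifIndex) mapping: on a legacy switch the analyzer
# must know which edge port a host sits on before it can act on that port.
PORT_MAP = {"10.1.1.20": ("sw-edge-1", 14), "10.1.1.77": ("sw-edge-1", 22)}

IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"   # IF-MIB ifAdminStatus; value 2 = down


def scanning_hosts(flows, min_targets=25, max_pkts=2):
    """Hosts whose flows are many tiny SYN-only attempts to distinct destinations."""
    targets = defaultdict(set)
    for src, dst, port, proto, pkts, flags in flows:
        if proto == 6 and pkts <= max_pkts and flags == 0x02:
            targets[src].add((dst, port))
    return {h: len(t) for h, t in targets.items() if len(t) >= min_targets}


def mitigation_actions(flows, port_map):
    """Translate detections into SNMP set varbinds that shut the host's edge port.

    Hosts whose port is unknown can only be alerted on, which is exactly the
    difficulty the text describes for switches without NetFlow of their own."""
    actions = []
    for host, n in sorted(scanning_hosts(flows).items()):
        if host not in port_map:
            actions.append(("alert-only", host, f"{n} targets, port unknown"))
            continue
        switch, ifindex = port_map[host]
        actions.append(("snmp-set", switch, f"{IF_ADMIN_STATUS}.{ifindex}", 2))
    return actions
```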

What about sFlow?

Unfortunately, although HP ProCurve supports sFlow, often the packet sample rate isn’t frequent enough to make reliable mitigation decisions via NBA.

Two

If you have a star configuration in the network, where several switches or routers connect to a central device, NetFlow switches acting as probes can be inserted in-line into the network.

Non NetFlow capable switches then plug into the NetFlow switch (e.g. Enterasys).

Loaded with the NetFlow information, NBA can occur and ultimately corrective action can take place closer to the ingress of the attack.

Related Story:

Network World NBA: Your last line of defense

NetFlow Probe for Legacy Networks

"The Enterasys Matrix N-Series switches collect NetFlow statistics for every packet in every flow without sacrificing performance based on the nTERA ASIC capabilities. Whether the network is operating at 10/100/1000, Gigabit or 10 Gigabit speeds – the NetFlow data can be leveraged for performance management and network behavioral analysis to ensure the confidentiality, integrity and availability of information," said Trent Waterhouse - vice president marketing for Enterasys.


You don’t have to turn to Cisco

Clearly Cisco is the market leader in the switch and router market. However, Cisco's time as the only reliable vendor may have passed. Competitors like HP ProCurve have as many, and in some cases more impressive, features than the Cisco giant.

In a survey of 180 medium and large enterprises buying LAN switches, Infonetics Research of Woburn, MA found that "larger organizations will be more likely to go with a HP ProCurve than a 3Com," said Matthias Machowinski - Infonetics directing analyst - enterprise voice and data.

How have today's demanding business applications made you look at switch vendors?


Related Stories:

Network World Cisco Flexible NetFlow expert Mike Patterson, Denial of Service (DoS) attacks can be accurately diagnosed
Network World Q & A with network behavior analysis software expert - Adam Powers
Network World Cisco’s NetFlow vs. Inmon’s sFlow: Which will prevail?
Network World Developed by Cisco, NetFlow reporting morphs into hyper-competitive industry
Network World Cisco customers have been kept in the dark about the extremely powerful NetFlow-NBAR technology combination
Network World Cisco invention NetFlow appears missing in action as Cisco invests into the network behavior analysis business
Network World Are you taking advantage of NetFlow and IP SLA?
Network World Appealing to CCIEs, hardware vendors copy Cisco's CLI and NetFlow to get into Cisco accounts
Network World NetFlow Tracker hits triple home run for Cisco VARS and their enterprise Cisco customers
Network World NetFlow or sFlow: which is the open standard?

Contact Brad Reese
http://www.BradReese.Com

About Brad Reese on Cisco

Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable Cisco networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.

Don't be shy, contact Brad Reese online or call him at 646-827-1130.
