
Network World

Brad Reese

Demanding business applications have Cisco and rival HP ProCurve featuring their network behavior analysis strengths

By Brad Reese on Mon, 12/17/07 - 9:42am.

In today's networking environment, companies that purchased Cisco switches 5 to 8 years ago are usually not upgrading to newer switches for more bandwidth.

Instead, they are upgrading to deploy features that let them better manage the traffic on their network infrastructure.

Why?

Because their business applications are demanding it.

Technologies such as PoE, Network Behavioral Analysis, QoS, Latency Protection and NetFlow are often at the top of the important features list.

Not to be excluded, open standards, technical support and the like are near the top as well.

Frequently, a company will only consider purchasing Cisco either because of vendor loyalty or even perhaps that remote possibility a CCIE may be trying to protect his or her turf.

Related Story:

Network World Why it's time to break out of the 'Cisco-is-the-only-vendor-for-me' mindset

Either way, once CIOs catch their breath from Cisco sticker shock, they often set out looking for switch alternatives.

Gartner says it isn’t always smart to stick with the incumbent vendor.

Gartner promotes considering alternative vendors in its new report explaining the Vendor Influence Curve, which suggests that savings might be greater than 25%.

The Vendor Influence Curve: Finding the Right Balance

"Large vendors (such as Cisco Systems) will have you believe that nearly anything they put their names on should be part of the network," said Mark Fabbi - Gartner vice president and distinguished analyst.

"However, this isn't an appropriate approach to ensure the network will best meet the needs of your organization — technically or financially."


Network Behavioral Analysis without NetFlow or sFlow:

In a previous Network World Cisco Subnet Blog, the Cisco framework for Network Behavioral Analysis (NBA) was highlighted.

Today HP ProCurve is making inroads into the enormous Cisco switch customer base, having engineered a considerable amount of Network Behavioral Analysis technology into its switch line.

As noted in that previous blog, Cisco supports NetFlow but largely omits it as part of their NBA solution.

Similarly, HP ProCurve supports sFlow, a technology that competes with NetFlow, and it too is missing in action from their NBA solution.

Why?

Because signatures and proprietary algorithms are often out-of-date.

Current methods to stop propagation of malicious agents rely on the use of signature recognition to prevent hosts from being infected.

However, latency between the introduction of a new virus working into a network and the implementation and distribution of a signature-based patch or new behavioral algorithm can be significant.

Within this period, a network can be crippled by the abnormally high rate of traffic generated by infected hosts.

In-line Network Behavioral Analysis (NBA) systems or NetFlow appliances from vendors such as Mazu Networks, Lancope and Arbor Networks watch packets, analyze NetFlow and tout NBA capabilities.

However, the companies producing the hardware (e.g. Cisco and HP ProCurve) recommend performing NBA on the switches themselves.

It seems that NetFlow and sFlow lack critical information to be effective in this space and are better used for other tasks such as traffic analysis.

For this reason, they may not be as effective at stopping attacks as the vendor would like you to believe.

Nevertheless, they do enhance security.

Companies can’t stop all viruses and worms, but they can treat them.

Viruses, worms and the like will make it onto the corporate network.

You can bet on it.

Security administrators can only do so much to protect the electronic jewels of a business.

Best practices and reasonable protective measures are really all that can be done.

Overzealous security measures can stifle a company and can be costly to maintain.

Luckily, threats have behaviors.

On average, a person will contract dozens of cold viruses over their lifetime.

Most of us know that a person can never have the same cold twice, but the symptoms of a second cold may be nearly or exactly the same as a previous cold.

A stuffy nose, sore throat, congestion, itchy eyes, etc.

These are behaviors of the common cold.

Tylenol sells 2 to 3 different medicinal products to help a person deal with the symptoms of a cold until the human body can remove the virus completely.

Luckily, most computer network viruses are like the common cold and exhibit consistent behaviors (they scan the network, they launch denial of service attacks, etc).

Cisco, HP ProCurve and others have put technology like Tylenol on their switches that can deal with these abnormal behaviors in a way that allows the network to continue operating until the network administrator can eradicate the computer virus from the network.

"We have Layer 2 virus-throttling built right into our switches. So we have already integrated the offensive and defensive features together at the edge ports," said Paul Congdon - CTO of HP ProCurve.

"Historically, security solutions have been provided by security vendors with host-based software or drop-on products."

"We are looking at how you also integrate more of the threat management that you see today in, say, universal threat management (UTM) devices. So putting firewalls, antivirus, IDS/IPS down onto the switches."

HP ProCurve switches have the following features for Advanced Threat Detection:

BPDU Filtering and BPDU Protection - protects the network from denial of service attacks that use spoofed BPDUs.
Connection rate filtering and throttling technology detects hosts that are trying to create a large number of outbound IP connections on an interface. Messages can be sent to the NMS, and the switch can throttle or drop the traffic on the interface.
When throttling or blocking is enabled, penalty periods can be configured which must expire before traffic will again be allowed from a host. After the penalty period, the traffic is re-evaluated by the switch.
DHCP Snooping - protects the network from common DHCP attacks such as address spoofing and repeated address requests.
Dynamic ARP Protection - protects your network from ARP cache poisoning.
Connection-Rate ACLs create exceptions or special policies for individual hosts or groups of hosts (covering TCP and UDP). They are based on inbound traffic and help prevent false positive alarms. Sensitivity or filter modes can also be adjusted to help prevent false positives.
Instrumentation Monitor - helps identify a variety of other common attacks by generating alerts for anomalies detected on the switch.
Selective enabling allows administrators to decide on which ports to enable the above technology.
Benefits include:
Behavior-based operation that does not require identifying details unique to the code exhibiting the worm-like activity.
Handles unknown worms because it recognizes behavior rather than looking for specifics that require signature updates.
Protects network infrastructure by slowing or stopping (i.e. mitigating) IP traffic from hosts exhibiting high connection-rate behavior (e.g. the throttle was able to stop the W32/Nimda-D worm in less than one second).
Allows the network and individual switches to continue to operate, even when under attack.
Provides event log and SNMP trap warnings when worm-like behavior is detected.
Gives IT staff more time to react before the threat escalates to a crisis.
"We selected the HP Procurve line of switches for our network and the NBA features have added great value. Another layer of security gives us additional peace of mind. The reliability, feature set, and warranty HP provides for their Procurve line make it hard to beat. The switches have been rock solid and the support has been as good as Cisco's, for a fraction of the price," said Scott Chapiewsky - Synamon Corporation.

What about the legacy gear?

How do companies gain the benefits of NBA on legacy switches that don’t need to be upgraded?

This can be done a couple of ways:

One

Using NetFlow on routers or switches, analyzers can watch for behaviors and trigger SNMP sets which can disable interfaces on switches or routers; they can also make access list changes, etc.

Vendors such as Plixer and Lancope provide NetFlow analyzers which can do this.

However, unless you own Enterasys switches or high-end Cisco Catalyst 6500 switches, you won't have NetFlow capabilities, and mitigation gets a bit more difficult if the algorithms rely on NetFlow from routers to make changes to the switches.

What about sFlow?

Unfortunately, although HP ProCurve supports sFlow, the packet sample rate often isn't frequent enough to make reliable mitigation decisions via NBA.

Two

If you have a star configuration in the network where several switches or routers connect to a central device, NetFlow-capable switches acting as probes can be inserted in-line into the network.

Switches that are not NetFlow capable then plug into the NetFlow switch (e.g. Enterasys).

Loaded with the NetFlow information, NBA can occur and ultimately corrective action can take place closer to the ingress of the attack.
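To make the behavior-based mechanism concrete, here is an added example (not HP ProCurve, Cisco or any NetFlow analyzer vendor's code) that models what the switch feature list above and this legacy-network approach have in common: count new outbound connections per host in a short window, throttle the host for a penalty period, re-evaluate after the penalty expires, and exempt hosts that a connection-rate ACL would excuse. The flow records, hosts, thresholds and penalty length are all constructed assumptions; a real switch or NetFlow analyzer would raise an SNMP trap or push an SNMP set where this code only records an event.

```python
"""Connection-rate throttling with a penalty period over NetFlow-style records."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed, NetFlow-like; times in milliseconds)."""
    start_ms: int
    src: str
    dst: str
    dport: int
    proto: str


class ConnectionRateThrottle:
    """Behavior-based detector: too many new outbound connections from one host
    inside a short window triggers a throttle for a penalty period.
    No signatures are involved; the thresholds are assumed values, not vendor defaults."""

    def __init__(self, window_ms=1000, threshold=30, penalty_ms=60_000, exempt=()):
        self.window_ms = window_ms
        self.threshold = threshold          # "sensitivity": connections allowed per window
        self.penalty_ms = penalty_ms
        self.exempt = frozenset(exempt)     # hosts excused by a connection-rate ACL
        self.history = defaultdict(deque)   # src -> start times inside the window
        self.blocked_until = {}             # src -> ms at which its penalty expires
        self.events = []                    # (ms, src, "throttle" | "release")

    def observe(self, flow):
        """Return "allow" or "drop" for one new flow, updating detector state."""
        src, t = flow.src, flow.start_ms
        if src in self.exempt:
            return "allow"
        until = self.blocked_until.get(src)
        if until is not None:
            if t < until:
                return "drop"                 # penalty still running: no re-evaluation
            del self.blocked_until[src]       # penalty expired: re-evaluate from a clean window
            self.history[src].clear()
            self.events.append((t, src, "release"))
        recent = self.history[src]
        recent.append(t)
        while recent and recent[0] < t - self.window_ms:
            recent.popleft()
        if len(recent) > self.threshold:
            self.blocked_until[src] = t + self.penalty_ms
            self.events.append((t, src, "throttle"))   # a switch would log / trap here
            return "drop"
        return "allow"


def run_detector(flows, detector):
    """Feed flows in time order; return per-host verdict counts and the event list."""
    counts = defaultdict(lambda: {"allow": 0, "drop": 0})
    for f in sorted(flows, key=lambda f: f.start_ms):
        counts[f.src][detector.observe(f)] += 1
    return dict(counts), detector.events


def constructed_flow_log():
    """Constructed sample: a normal client, an exempt monitoring server, and a host
    showing worm-like behavior (bursts of connections to sequential addresses)."""
    flows = [Flow(i * 500, "10.0.1.20", "10.0.5.10", 443, "tcp") for i in range(240)]
    flows += [Flow(20_000 + i * 10, "10.0.9.5", f"10.0.4.{i + 1}", 161, "udp") for i in range(60)]
    flows += [Flow(10_000 + i * 10, "10.0.1.77", f"10.0.2.{i + 1}", 445, "tcp") for i in range(50)]
    flows += [Flow(75_000, "10.0.1.77", "10.0.5.10", 80, "tcp")]
    flows += [Flow(80_000 + i * 10, "10.0.1.77", f"10.0.3.{i + 1}", 445, "tcp") for i in range(50)]
    return flows


def demo():
    """Run the constructed log through a detector with the monitoring server exempted."""
    detector = ConnectionRateThrottle(exempt={"10.0.9.5"})
    return run_detector(constructed_flow_log(), detector)


if __name__ == "__main__":
    counts, events = demo()
    for host, c in sorted(counts.items()):
        print(f"{host:10} allow={c['allow']:4} drop={c['drop']:4}")
    for ms, host, action in events:
        print(f"t={ms / 1000:6.2f}s {host} {action}")
```

Running it shows the worm-like host throttled 31 connections into its first burst, released when the penalty expires, and throttled again when the burst recurs, while the normal client and the exempted monitoring server are never touched. The design point the post makes is visible here: nothing about the payload or destination port is inspected, only the rate, which is why a new worm is caught without a signature and why a legitimately busy host needs an exception.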

Related Story:

Network World NBA: Your last line of defense

NetFlow Probe for Legacy Networks


View short NetFlow Tutorial

"The Enterasys Matrix N-Series switches collect NetFlow statistics for every packet in every flow without sacrificing performance based on the nTERA ASIC capabilities. Whether the network is operating at 10/100/1000, Gigabit or 10 Gigabit speeds – the NetFlow data can be leveraged for performance management and network behavioral analysis to ensure the confidentiality, integrity and availability of information," said Trent Waterhouse - vice president marketing for Enterasys.

You don’t have to turn to Cisco

Clearly Cisco is the market leader in the switch and router market. However, Cisco's time as the only reliable vendor may have passed. Competitors like HP ProCurve have as many, and in some cases more impressive, features than the Cisco giant.

In a survey of 180 medium and large enterprises buying LAN switches, Infonetics Research of Woburn, MA found that "larger organizations will be more likely to go with an HP ProCurve than a 3Com," said Matthias Machowinski - Infonetics directing analyst - enterprise voice and data.

How have today's demanding business applications made you look at switch vendors?

Related Stories:

Network World Cisco Flexible NetFlow expert Mike Patterson, Denial of Service (DoS) attacks can be accurately diagnosed
Network World Q & A with network behavior analysis software expert - Adam Powers
Network World Cisco’s NetFlow vs. Inmon’s sFlow: Which will prevail?
Network World Developed by Cisco, NetFlow reporting morphs into hyper-competitive industry
Network World Cisco customers have been kept in the dark about the extremely powerful NetFlow-NBAR technology combination
Network World Cisco invention NetFlow appears missing in action as Cisco invests into the network behavior analysis business
Network World Are you taking advantage of NetFlow and IP SLA?
Network World Appealing to CCIEs, hardware vendors copy Cisco's CLI and NetFlow to get into Cisco accounts
Network World NetFlow Tracker hits triple home run for Cisco VARS and their enterprise Cisco customers
Network World NetFlow or sFlow: which is the open standard?

Contact Brad Reese
http://www.BradReese.Com
