Switches taking on new security roles
By Ellen Messmer, Network World, 06/14/2004
Security innovations being built into switches are attracting attention from buyers who not long ago focused primarily on
feeds and speeds.
Network executives say they need all the help they can get to cope with today's threats. They are eager to use new switch-based
security schemes - such as the ability to quarantine viruses and enforce policies - being touted by Alcatel, Cisco and Enterasys
Networks, among others. In the forefront:
• Alcatel next month is expected to introduce its Automated Quarantine Engine switch technology that works with intrusion-detection
systems (IDS) to isolate worm-infected machines for remediation purposes.
• Cisco says this summer it will enable its Catalyst switches to defend against worms and distributed denial-of-service (DoS) attacks.
• Enterasys recently introduced its Automated Security Manager, which provides policy-based control on its switches through help from IDS; and this month the company will expand its quarantine
mechanism through use of information from scanners and anti-virus policy enforcement.
When the Blaster worm crippled the campus network at Abilene Christian University in Texas a year ago by getting scores of infected student computers
to scan wildly, the IT staff concluded that it needed more tools.
"We thought we had the perimeter secured at the Internet, but when the students connected up to the campus LAN they introduced
the Blaster congestion," says Arthur Brant, network administrator at the university, which has 6,000 students and faculty
on its network. "Prior to this event, our mentality was that the untrusted portion was outside on the Internet. But we realized
what we needed to do was to protect ourselves from the students and the students from themselves."
With no way to enforce software patch updates - worms typically infiltrate desktops and servers through unpatched vulnerabilities
- Abilene Christian employed an approach that calls for its campus LAN switches to play a more prominent security role.
The university's Alcatel OmniSwitch 6600 switches now are set up to stop students deemed to have infected PCs from gaining full access to the campus LAN until they
remedy their computers' problems.
This works by feeding the worm alerts generated by the university's Snort-based network sensors to the Alcatel OmniVista switch management console.
The university deployed the sensors inside the campus network to watch for signs of worm attacks - such as a computer "spewing
out port scans," Brant says - to identify the source and alert the Alcatel OmniSwitch management console of the worm outbreak.
OmniVista is set up to automatically quarantine the infected machine by isolating it on a special virtual LAN (VLAN).
"Once a student is kicked over to the quarantine VLAN, there's a secondary server that says, 'you've been quarantined.' It
offers anti-virus or virus-removal tools as an option for remediation, as well as a contact to call in the IT department for
help," Brant says.
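The decision logic behind the quarantine flow just described (sensor alert in, port-to-VLAN move out), as an added illustration that is not Alcatel's or OmniVista's code. The Snort fast-format alert lines are constructed samples, and the edge-port table, the protected-address list and the quarantine VLAN number are hypothetical; a real controller would also need to reverse the move once remediation is confirmed.

```python
import re
from collections import Counter

# Constructed Snort "fast" alert lines (not real captures): one dorm host
# scanning port 135 across the LAN, one host with a single non-scan alert,
# and a single alert attributed to the default gateway.
SAMPLE_ALERTS = """\
06/14-09:01:02.100000  [**] [1:2000:1] SCAN Port scan detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.20.3.44:1034 -> 10.20.5.9:135
06/14-09:01:02.200000  [**] [1:2000:1] SCAN Port scan detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.20.3.44:1035 -> 10.20.5.10:135
06/14-09:01:02.300000  [**] [1:2000:1] SCAN Port scan detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.20.3.44:1036 -> 10.20.5.11:135
06/14-09:01:05.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.20.3.77 -> 10.20.5.9
06/14-09:01:06.000000  [**] [1:2000:1] SCAN Port scan detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.20.0.1:53 -> 10.20.5.9:135
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)? -> (?P<dst>\d+(?:\.\d+){3})(?::\d+)?$"
)

# Hypothetical edge-port table learned from the switches: IP -> (switch, port).
PORT_TABLE = {
    "10.20.3.44": ("sw-dorm-1", "1/12"),
    "10.20.3.77": ("sw-dorm-1", "1/20"),
}
# Infrastructure the console must never quarantine (gateway, remediation server).
PROTECTED = {"10.20.0.1", "10.20.0.2"}
QUARANTINE_VLAN = 999  # hypothetical quarantine VLAN id


def parse_alerts(text):
    """Yield (source IP, alert message) for every fast-format line that parses."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.group("src"), m.group("msg")


def quarantine_decisions(text, threshold=3):
    """Return {src_ip: (switch, port, vlan)} for sources whose scan-class alerts
    reach the threshold, sit on a known edge port and are not protected hosts."""
    scans = Counter(src for src, msg in parse_alerts(text) if msg.startswith("SCAN"))
    decisions = {}
    for src, count in scans.items():
        if count < threshold or src in PROTECTED or src not in PORT_TABLE:
            continue
        switch, port = PORT_TABLE[src]
        decisions[src] = (switch, port, QUARANTINE_VLAN)
    return decisions


if __name__ == "__main__":
    for ip, (sw, port, vlan) in quarantine_decisions(SAMPLE_ALERTS).items():
        print(f"move {sw} port {port} ({ip}) to VLAN {vlan}")
```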
Alcatel's Jean-Luc Ronarch, director of security strategy, says the company next month formally will introduce the quarantine
capability that Abilene Christian is beta-testing. General availability in the OmniVista management console is expected later
this fall. He says it will require no changes in Alcatel switches themselves.
"What we're doing is creating a link between intrusion detection and the VLAN to bridge them together," Ronarch says.
Tom Burns, senior vice president and general manager of Alcatel's infrastructure business, says Alcatel expects to detail this summer how its switches also can take on more policy-enforcement duties through interaction with VPNs and firewalls.
Last month at NetWorld+Interop, Alcatel demonstrated how Sygate policy-enforcement software could be used to validate whether a user's computer had the appropriate anti-virus software and firewall. The Sygate desktop agent could share that information with OmniVista for the purposes of network quarantine. Alcatel says it hopes to add interaction with Sygate's software as a quarantine trigger as well, though that integration is not yet generally available.
Customers say they're inclined to prefer switches that can help them in their security tasks.
"When you buy and build infrastructure, it's not just about speeds and feeds anymore," says Vincent Cottone, vice president and director of infrastructure at financial services firm Eaton Vance in Boston.