
How Nortel wants to upgrade switch security

By Phil Hochmuth, NetworkWorld.com
January 16, 2006 12:10 AM ET

Nortel's 2006 Ethernet switch roadmap centers on security and resiliency. The vendor will introduce the ability to run firewall and IDS filtering on every port of its flagship ERS 8600 (when outfitted with a Service Delivery Module). Also on tap is an upgrade to Nortel's Split Multi-Link Trunking, a proprietary fast-failover technology for connecting backbone switches. Here, Sanjeev Gupta, director of Nortel's Ethernet switching business, dives into some of the details behind these technologies with Network World Senior Editor Phil Hochmuth.

How is processing firewall and IDS traffic on a per-port level an improvement over past capabilities on the ERS 8600, or other competitive switches that use application service modules?

If every packet has to go to a centralized module, then your performance is limited by the processor speed and the capability of that module. This is not totally new for us - we had this capability with our Alteon switches. Now we're just extending this into the 8600. Now you have distributed firewall processing on every port in the 8600 switch. This boosts the capacity of the switch exponentially. Every port can be fully secured.

Why would you need firewalls or IPS/IDS running on every switch port? Where would you deploy such a box?

This would be deployed in the data center. A typical data center has routers, firewalls, a switch layer, another firewall layer, then an application switch layer, then another layer of switches for server aggregation. This entirely collapses the firewall and switching layers.

Even in internal corporate networks, people are looking for firewalling on different levels. So maybe you don't firewall at the wiring closet, but in the core, where a lot of traffic is being aggregated, you can firewall different networks: your guest network, human resources, finance, the engineering network and so forth.

Why use firewalls to separate network segments as opposed to segregating them with virtual LANs?

When you do VLAN-based separation, you have to go to a router at some point to do inter-VLAN routing. This eliminates the need for that. This gives a tighter security mechanism that is less complex to set up and manage.

Does deploying IDS and firewalls in data center switches introduce more complexity into an already complicated environment? Usually IDS and firewalls run in separate boxes found at the edge of the enterprise.

Automation is one way [to simplify IDS/IPS deployment on the ERS 8600]. What users can do is categorize alarms. You can set policies that say, if one type of alarm comes up, automatically set a firewall policy in the Check Point firewall to block that port or reduce bandwidth on that port. Now it's automatic. The user sets policies, and the network becomes active in blocking all threats, rather than a user having to intervene every time. This is done with a standards-based approach through integration with Check Point's Open Platform for Security [OPSEC, a standard for interfacing with Check Point firewalls]. The intrusion prevention system can talk to the Check Point firewall to set policies depending on what users only set up once.
