
Foundry adds Snort to LAN switch

Snort would be integrated into Foundry's IronView Network Manager 2.0.

By Phil Hochmuth, Network World
May 18, 2006 08:50 PM ET

In July, Foundry Networks is expected to make available an upgrade to its LAN switch/WAN router network management software that adds the widely used open source Snort intrusion-detection and -prevention system to the product.

The integration of Snort into Foundry's IronView Network Manager (INM) 2.0 could help customers with Foundry-based LANs, wireless LANs or WANs detect intrusive network traffic and block access on a port level.

INM is Foundry's network-management and device-configuration tool, which runs on Windows-based servers. The software can be used to make widespread upgrades to any Foundry device on a network, as well as to monitor and troubleshoot Foundry gear. The software also acts as an sFlow collection node. Foundry's sFlow technology - which has been released as an IETF standard - runs on all Foundry network products. The technology is embedded in Foundry hardware and lets users capture massive amounts of packet header information by sampling headers from traffic flows and forwarding the information to an sFlow collector - an INM server.

By sampling packet headers, instead of just mirroring or forwarding all packets to an inspection device, sFlow lets the switches report on network traffic flows without taxing the devices or adding overhead to network bandwidth. The data collected from sFlow-enabled switches can show Layer 2-7 data, such as a packet's origin and destination, application traffic type, and other information, and give users a detailed view of what is going on in various traffic flows on the network.

In INM 2.0, Snort scans through packet headers and network traffic payloads to identify as many as several thousand known attack signatures and warning signs of a network intrusion - from basic SYN/ACK attack methods to the latest phishing intrusions. Running Snort on the INM server lets the IDS/IPS software analyze traffic on virtually every Ethernet and WAN port on the network, Foundry says, because Snort is inspecting sFlow data, which is a statistical representation of all traffic flows.
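What inspecting sampled headers can and cannot see, as an added illustration (not Foundry's or Snort's code): a rate-based SYN check run over 1-in-N sampled headers, next to the chance that a flow of a given size is sampled at all. The 1-in-512 sampling rate, the addresses, the alert threshold and the traffic are constructed assumptions, not figures from the article.

```python
import random
from collections import Counter

def p_seen(packets: int, n: int) -> float:
    """Chance that at least one of `packets` packets is sampled at 1-in-n."""
    return 1.0 - (1.0 - 1.0 / n) ** packets

def sample_headers(headers, n, rng):
    """Random 1-in-n packet sampling (on average), as a switch agent would export."""
    return [h for h in headers if rng.random() < 1.0 / n]

def syn_rate_alerts(samples, n, threshold):
    """Scale sampled SYN-only counts back up by n; alert on sources over threshold."""
    syns = Counter(h["src"] for h in samples if h["flags"] == "S")
    return {src: c * n for src, c in syns.items() if c * n >= threshold}

def constructed_traffic():
    """Constructed headers: one SYN flood, one ordinary client, one lone packet."""
    flood = [{"src": "10.0.0.66", "flags": "S"}] * 20000
    client = ([{"src": "10.0.0.20", "flags": "S"}] * 300
              + [{"src": "10.0.0.20", "flags": "A"}] * 30000)
    lone = [{"src": "10.0.0.99", "flags": "S"}]
    return flood + client + lone

if __name__ == "__main__":
    N = 512                      # assumed sampling rate (1 packet in 512)
    rng = random.Random(2006)    # fixed seed so the run is repeatable
    samples = sample_headers(constructed_traffic(), N, rng)
    print("sampled headers:", len(samples))
    print("SYN-rate alerts:", syn_rate_alerts(samples, N, threshold=5000))
    for pkts in (1, 100, 20000):
        print(f"{pkts:>6} packets -> P(sampled at least once) = {p_seen(pkts, N):.4f}")
```

High-volume behaviour survives sampling and can be estimated per source, while a signature that lives in a single packet is only evaluated if that packet happens to be one of the samples.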

If Snort finds a match to an attack signature in any of the sFlow data, the INM server is programmed to take several actions. An alert can be sent to administrators via INM's e-mail alerting tool. Snort-enabled INM servers can be configured to isolate suspicious traffic flows onto a secure network segment, using virtual LAN technology.

The amount of bandwidth available to a user whose activity is detected by Snort also can be squeezed down through rate-limiting features in Foundry ASICs, or the port can be blocked completely. Release 2.0 will be available in July for $10,000, Foundry says.

Salem Community Hospital in Ohio runs a complete Foundry LAN infrastructure and uses INM to manage and configure all the gear. Brian Cartwright, network administrator at the hospital, says he likes the centralized administration features of INM, as well as its built-in sFlow collection capabilities. Having Snort built into INM 2.0 will be helpful, he says, because the hospital already runs Snort on a separate server, which is just one more device taking up room, electrical power and network bandwidth on the LAN.
