Cisco blade boosts security control

Cisco this week released a new Supervisor module for the Catalyst 6500 switch, aimed at injecting traffic security at the wiring closet layer of a LAN.

Slideshow: Take a closer look at Cisco's latest, plus what competitors have in store
Biotech firm plans all-Catalyst 6500 net

Cisco's Supervisor Engine 32 with Programmable Intelligence Services Accelerator (PISA) is a blade for Catalyst 6500 switches deployed in wiring closets. The vendor says the device can provide in-line packet inspection for all traffic flows at the LAN edge without introducing latency. The blade can filter out, or squeeze down, bandwidth of undesirable applications such as peer-to-peer. It can also reserve bandwidth for critical protocols for VoIP or enterprise applications, the company says.

The Supervisor Engine 32 PISA is a 32Gbps switch fabric for Catalyst 6500s deployed in wiring closets and connecting large groups of users to a corporate LAN. (While usually associated with the LAN core and data center, Catalyst 6500s are used in wiring closets in about 25% of the product's installed base, Cisco estimates). The module includes Layer 2-7 packet processors, which can inspect traffic and block or divert harmful traffic flows, such as viruses and worms. It also can rate-limit traffic for non-essential applications, such users' personal instant messaging or VoIP applications (AOL, Googletalk, Skype and so on). Cisco says its new blade does these tasks without introducing any latency in the path between the LAN edge and the rest of the network.

The Supervisor Engine 32 PISA is being examined at PDL BioPharma, a Freemont, Calif.-based biotech company, which is considering the blade for the LAN that will go into a new facility currently under construction. PDL BioPharma uses some Catalyst 6500s in its wiring closets, but will expand this to all wiring closets in the new facility, says Luis Chanu, global network & security architect, at PDL BioPharma.

"The main thing we're looking at getting out of the new PISA modules is the flexible packet matching," he says. The ability to allocate specific types of bandwidth for certain applications would be a benefit. Security is another one, he adds. "If there is a virus outbreak it would be really nice to utilize flexible packet matching to isolate the virus, or maybe throttle it back to protect the network."

The network at PDL BioPharma has a constant stream of data from its research labs, which use disk space and CPU power on machines all over the LAN to process and store data produced by the company's research. This is another area the company could utilize the PISA technology, Chanu says. "We'd like to mark that data at a lower priority then our standard end-user desktop traffic," he adds.

Cisco switch users have deployed access control lists (ACLs) for traffic filtering or blocking in the past, but that method does not go deep enough to identify new types of applications. Cisco's Network Based Application Recognition (NBAR) technology in IOS has also been used in the past to accelerate or block certain traffic types. Cisco says the new Supervisor blade provides more advanced filtering than ACLs, and better performance than NBAR technology.