Review: HP blade takes a stab at Cisco

ProCurve security blade integrates firewall, IPS, VPN

By , Network World
October 05, 2009 12:07 AM ET

HP has an alternative to the many security appliances that combine firewall, intrusion prevention and VPN functions: Just put a single blade in the vendor's ProCurve switch and be done with it.

In this exclusive Clear Choice test, we assessed the HP ProCurve Threat Management Services zl module (TMS) in terms of its features, usability and performance. What we found is a well-designed, easy-to-use implementation that packs most common security functions into a small form factor.

The TMS lacks some newer security features, such as reputation filtering, and its forwarding performance can charitably be called modest. But for network managers facing budget constraints (and that's virtually all of them, these days), the TMS represents a viable way to add security without adding more boxes.

The TMS is a single-slot blade for HP's ProCurve 5400zl and 8212zl modular switches. It supplies three security functions: stateful firewall, intrusion prevention system (IPS) and VPN concentrator. We tested the TMS in a ProCurve 5406zl chassis.

Multipurpose security devices are nothing new, but it's unusual to see all three functions in one switch module. For example, Cisco's ASA 5500 multifunction security appliances are not integrated into Cisco's switches.

And Cisco sells separate firewall and IPS security blades for its Catalyst 6500 switches, but those are higher-end devices with bigger performance numbers and bigger price tags.

Ubuntu under the hood

The TMS is powered by Ubuntu Linux running on a 2.2-GHz Intel Core 2 Duo "Merom" CPU and 4GB of RAM. Those are laptop specs, not surprising considering the TMS' small size. This engine is plenty fast for screening traffic on most Internet connections but, as we'll see in performance testing, it won't necessarily keep up with LAN traffic from numerous switch ports.

Configuration can be done through a Web-based GUI or the command-line interface (CLI). Initial virtual LAN (VLAN) setup must be done on the switch rather than the TMS. Network architects will need to think carefully about which segments to protect: The TMS currently supports a maximum of 19 VLANs, though HP says an increase to 250 VLANs is expected soon. (The switch can continue to support far larger numbers of VLANs, but their traffic won't be protected by the TMS.)

Once switch setup is complete, the TMS handles all tasks for the traffic it protects, including IP routing as well as security monitoring. Alongside its security functions, it supports Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) routing.

The Web GUI design is clean and intuitive. Firewall, IPS and VPN modules are clearly laid out, and common configuration tasks require a minimum of switching between tabs. We did find a few minor fit-and-finish issues. For example, an IPS signature conflicted with management HTTPS access (corrected by disabling that signature) and the GUI doesn't show when IPS policies are bound to firewall rules.
