Protected by the network gear

Some switches and routers now can identify, prevent or at least lessen the effect of security threats, but interoperability, performance and management are sticking points.

By Terry Sweeney, Network World
March 22, 2004 12:07 AM ET
As you mop up after the latest worm attack and chat with your network infrastructure vendors, talk inevitably will turn to preventive and protective measures. Chances are, your vendors will encourage you to secure every switch and router, making your infrastructure gear part of the layered approach you are taking toward security in the new data center.

You just never know when or where software will be waylaid by its next vulnerability, the vendors will say. As such, they'll argue, switches and routers should be smart enough to be your helpmates - able to recognize and halt buffer overflows, quarantine infected or unknown clients or help push out patches.

That's a particularly logical gambit in discussions of zero-day attacks, in which the hacker games begin the same day that the software vulnerability is publicized. But just as experienced shoppers know that you never ask a tire salesman if you need new tires, so do enterprise network executives understand that they must do their homework when vendors push security frameworks. That means, of course, pushing back - and hard - to make them prove their claims of performance, interoperability and management.

Still, zero-day attacks highlight a continuing enterprise challenge: the drawbacks of the hard-shell/soft-center architecture created by traditional network security designs. Such designs might make the perimeter harder than nails, but that won't stop a rogue internal user or a corrupted download from making a shambles of the whole network, says Timon Sloane, director of product management at Extreme.

Preventing the network infrastructure from turning to mush is behind gear vendors' latest strategies, such as Cisco's Self-Defending Network, Enterasys Networks' SecureNetworks, Extreme's Clear-Flow and Nortel's Unified Security Framework. Everybody wants to make sure their network equipment can help identify, prevent or at least lessen the impact of security threats.

Cisco has the NAC

Cisco has its Network Admission Control (NAC) program for using network infrastructure devices to prevent the spread of viruses and worms. NAC, which Cisco defined with the help of anti-virus vendors Symantec and Trend Micro, falls under the Self-Defending Network umbrella.

As a start, Cisco offers Cisco Security Agent (CSA). The CSA software, which runs on user clients and enterprise servers, authenticates users and provides policy-based access. If users have not updated their desktops with the latest patch for Microsoft's Internet Explorer or don't have the latest virus signature files, the CSA would quarantine the non-compliant devices or restrict access.
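The admission logic described above (check patch level and signature freshness, then allow, restrict or quarantine), as an added example that is not Cisco's code or the article's own. The policy, patch identifiers and the verdict mapping (missing patches or no signatures mean quarantine, merely stale signatures mean restricted access) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Policy:
    required_patches: frozenset      # patch IDs every client must have installed
    max_signature_age: timedelta     # oldest acceptable AV signature file

@dataclass(frozen=True)
class Posture:
    host: str
    installed_patches: frozenset
    signature_date: Optional[date]   # None if no AV signature file was reported

def admission_decision(posture: Optional[Posture], policy: Policy, today: date):
    """Return (verdict, reasons); verdict is 'allow', 'restrict' or 'quarantine'.
    Mapping is an assumption for this example, not Cisco's documented behaviour:
    - no posture report at all (unknown client)    -> quarantine
    - missing required patches or no AV signatures -> quarantine
    - only stale AV signatures                     -> restrict (remediation access only)
    """
    if posture is None:
        return "quarantine", ["no posture report from client"]
    reasons = []
    missing = policy.required_patches - posture.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    if posture.signature_date is None:
        reasons.append("no AV signature file reported")
    else:
        age = today - posture.signature_date
        if age > policy.max_signature_age:
            reasons.append(f"AV signatures {age.days} days old")
    if not reasons:
        return "allow", reasons
    if missing or posture.signature_date is None:
        return "quarantine", reasons
    return "restrict", reasons

# Constructed sample data; the patch ID is a placeholder, not a real bulletin number.
POLICY = Policy(frozenset({"PATCH-IE-EXAMPLE-1"}), timedelta(days=7))
TODAY = date(2004, 3, 22)
CLIENTS = [
    Posture("pc-compliant", frozenset({"PATCH-IE-EXAMPLE-1"}), date(2004, 3, 20)),
    Posture("pc-stale-av", frozenset({"PATCH-IE-EXAMPLE-1"}), date(2004, 3, 1)),
    Posture("pc-unpatched", frozenset(), date(2004, 3, 21)),
    None,  # client that never reported posture (no agent installed)
]
```

Calling `admission_decision(client, POLICY, TODAY)` for each entry in `CLIENTS` yields allow, restrict, quarantine and quarantine respectively.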

Part of this effort is a focus on tougher security for VPNs. Cisco has extended link-layer encryption to IPSec- and Secure Sockets Layer (SSL)-based VPNs. Previously available only for SSL VPNs, link-layer encryption ensures the security between every two endpoints that an IP tunnel traverses from origin to destination. Each link might use a different encryption key or algorithm.
