HP lays out ProCurve NAC plan

HP offering could have management edge over those from Cisco, Nortel, analyst says.

By year end, ProCurve by HP will have a fleshed-out NAC portfolio to check devices before they are admitted to networks, assign and enforce their access rights as they join networks and monitor their behavior to restrict them if they misbehave.

All this will be managed under ProCurve’s PCM-Plus management platform, giving customers a single interface to set NAC policies rather than jumping from one management application to another as would be the case with a NAC appliance sold by a third party.

Much like Cisco, Nortel and other switch vendors, ProCurve is piecing together its full NAC line using many different components, but ProCurve’s promised unified management gives the company a leg up, at least temporarily, says Rob Whiteley, an analyst with Forrester Research.

“It’s critical to have a single set of knobs and levers that you tweak,” says Whiteley. “That’s not unique to ProCurve,” in that all the vendors seek unified management.

But ProCurve’s reputation for integrating management of new gear indicates that when the NAC bundle is all available by the end of the year, the company likely will lead competitors in management for a while. “Six to 12 months from now everyone will be on par,” he says.

With its NAC push, ProCurve is leveraging its position as the number-two vendor of enterprise-class LAN switch ports, behind Cisco.

HP's networking arm shipped more Layer 3 and Gigabit Ethernet LAN switch ports in 2006 than well-known enterprise switch vendors such as 3Com, Extreme, Foundry and Nortel, according to Synergy Research Group.

And while Cisco completely dominated the market with 71% of worldwide LAN switch revenue, HP was also the runner-up on that score, with over 4% of the market.

Two NAC products

To fill out its NAC profile, ProCurve is announcing two products this week starting with ProCurve NAC 800, an appliance that evaluates the security posture of endpoints trying to get onto corporate networks. It also triggers 802.1x port enforcement on network switches.

This is ProCurve’s answer to pre-admission NAC, the practice of checking endpoints for operating system patches, antivirus software and the like before they are allowed onto networks. If devices pass pre-admission NAC scans, it means they are less likely to contain malware that can harm networks.

In combination with NAC 800 client software, the device can check for operating system patches, antivirus software, what applications are running on the device and registry settings. If the device comes up short of meeting set policies, NAC 800 can keep it off the network until the policies are met.

NAC 800 works in conjunction with ProCurve’s existing Identity Driven Manager (IDM), which authorizes devices as they enter the network and defines what resources they have access to. Working together, the two products scan devices for the proper configuration and also assign appropriate access rights.

ProCurve’s second new NAC product is ProCurve Immunity Manager, software that draws on multiple network devices to gather data about traffic and analyzes it for anomalies. This is a way to find machines that may have been infected when they were admitted to the network and may pose a threat.

When Immunity Manager finds traffic that violates network policies, it can shut down the traffic at the switch port where the device is attached. It can lock down the MAC address of the port, switch the device to a quarantine VLAN or shut the port down altogether.

Immunity Manager can also refer suspect traffic to other intrusion detection and prevention platforms for deeper inspection to determine whether it really represents a threat.

Immunity Manager requires that switches support sFlow, the standards-based traffic-monitoring capabilities in routers and switches. The immunity platform also gathers traffic data from other network devices such as firewalls and intrusion detection gear.

Whiteley says that if the evolution of NAC follows that of other ProCurve lines, expect to see the separate NAC hardware also offered as blades that fit into switches and, if that becomes popular, baked into custom chips. Offering that variety may improve the popularity of the equipment.

“Some people don’t appreciate more appliances; some people don’t like more stuff in their switches,” he says. “But as long as ProCurve gets the management set first, it doesn’t matter.”

Immunity Manager is scheduled to be available June 1 and run from $5,000 for 50 licenses to $29,000 for unlimited licenses. NAC 800 is available in the third quarter and the price hasn’t been set yet.

Joe Thielen, IT manager at the Hain Celestial Group in Boulder, Colo. (of the "Celestial Seasonings" tea brand), plans to take a look at the ProCurve NAC technologies. With his company's entire LAN and WLAN based on ProCurve gear, Thielen says that adding NAC and security features from the same vendor makes sense. "Security is definitely a priority for us ... so we'll be evaluating the ProCurve NAC and security products when they become available," he says.


Copyright © 2007 IDG Communications, Inc.
