Switches taking on new security roles

Security innovations being built into switches are attracting attention from buyers who not long ago focused primarily on feeds and speeds.

Network executives say they need all the help they can get to cope with today's threats. They are eager to use new switch-based security schemes - such as the ability to quarantine viruses and enforce policies - being touted by Alcatel, Cisco and Enterasys Networks, among others. In the forefront:

• Alcatel next month is expected to introduce its Automated Quarantine Engine switch technology that works with intrusion-detection systems (IDS) to isolate worm-infected machines for remediation purposes.

• Cisco says this summer it will enable its Catalyst switches to defend against worms and distributed denial-of-service (DoS) attacks.

• Enterasys recently introduced its Automated Security Manager, which provides policy-based control on its switches through help from IDS; and this month the company will expand its quarantine mechanism through use of information from scanners and anti-virus policy enforcement.

When the Blaster worm crippled the campus network at Abilene Christian University in Texas a year ago by getting scores of infected student computers to scan wildly, the IT staff concluded that it needed more tools.

"We thought we had the perimeter secured at the Internet, but when the students connected up to the campus LAN they introduced the Blaster congestion," says Arthur Brant, network administrator at the university, which has 6,000 students and faculty on its network. "Prior to this event, our mentality was that the untrusted portion was outside on the Internet. But we realized what we needed to do was to protect ourselves from the students and the students from themselves."

With no way to enforce software patch updates - worms typically infiltrate desktops and servers through unpatched vulnerabilities - Abilene Christian employed an approach that calls for its campus LAN switches to play a more prominent security role.

The university's Alcatel OmniSwitch 6600 switches now are set up to stop students deemed to have infected PCs from gaining full access to the campus LAN until they remedy their computers' problems.

This is being done by sharing with the Alcatel OmniVista switch management console the intrusion-detection alerts about worms that the university's Snort-based network sensors generate.

The university deployed the sensors inside the campus network to watch for signs of worm attacks - such as a computer "spewing out port scans," Brant says - to identify the source and alert the Alcatel OmniSwitch management console of the worm outbreak. OmniVista is set up to automatically quarantine the infected machine by isolating it on a special virtual LAN (VLAN).

"Once a student is kicked over to the quarantine VLAN, there's a secondary server that says, 'you've been quarantined.' It offers anti-virus or virus-removal tools as an option for remediation, as well as a contact to call in the IT department for help," Brant says.
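The alert-to-quarantine flow described above, reduced to its decision logic as an added example (this is not Alcatel's or Abilene Christian's code): constructed Snort-style fast alerts are parsed, scan alerts are counted per source host by distinct targets, and a host that crosses the threshold is mapped through an assumed host-to-port table to a "move this port to the quarantine VLAN" action. The VLAN id, the port table, the threshold and the allowlist are all assumptions; the allowlist and the distinct-target threshold are there so that a single noisy alert, or the IT department's own scanner, does not get knocked off the network.

```python
import re
from collections import defaultdict

QUARANTINE_VLAN = 999   # assumed remediation VLAN id
SCAN_THRESHOLD = 3      # distinct targets a host must probe before it is quarantined

# Constructed Snort-style "fast" alert lines; SIDs, messages and addresses are made up.
ALERTS = """\
06/02-02:11:03.120 [**] [1:1000001:1] SCAN port 135 sweep [**] {TCP} 10.20.5.17:3241 -> 10.20.7.9:135
06/02-02:11:03.440 [**] [1:1000001:1] SCAN port 135 sweep [**] {TCP} 10.20.5.17:3242 -> 10.20.7.10:135
06/02-02:11:04.010 [**] [1:1000001:1] SCAN port 135 sweep [**] {TCP} 10.20.5.17:3243 -> 10.20.7.11:135
06/02-02:12:30.555 [**] [1:1000001:1] SCAN port 135 sweep [**] {TCP} 10.20.9.4:4001 -> 10.20.7.9:135
06/02-02:13:00.000 [**] [1:1000001:1] SCAN port 135 sweep [**] {TCP} 10.20.1.5:5100 -> 10.20.7.9:135
06/02-02:13:00.100 [**] [1:1000001:1] SCAN port 135 sweep [**] {TCP} 10.20.1.5:5101 -> 10.20.7.10:135
06/02-02:13:00.200 [**] [1:1000001:1] SCAN port 135 sweep [**] {TCP} 10.20.1.5:5102 -> 10.20.7.11:135
"""
# Assumed host-to-switch-port table (in a real deployment learned from the switches' MAC tables).
HOST_PORTS = {"10.20.5.17": ("sw-dorm-3", "1/12"),
              "10.20.9.4": ("sw-dorm-3", "1/7"),
              "10.20.1.5": ("sw-core", "2/1")}
ALLOWLIST = {"10.20.1.5"}   # assumed: the IT vulnerability scanner legitimately probes hosts

ALERT_RE = re.compile(r"^\S+ \[\*\*\] \[([^\]]+)\] (.+?) \[\*\*\] \{\w+\} "
                      r"([\d.]+):\d+ -> ([\d.]+):\d+$")

def parse_alerts(text):
    """Yield (sid, message, src_ip, dst_ip) for each well-formed alert line."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.groups()

def decide_quarantine(alerts, threshold=SCAN_THRESHOLD):
    """Map src_ip -> ('quarantine', switch, port, vlan) | ('allowlisted',) | ('unknown_port',)."""
    targets = defaultdict(set)
    for _sid, msg, src, dst in alerts:
        if msg.startswith("SCAN"):
            targets[src].add(dst)          # count distinct victims, not raw alert volume
    actions = {}
    for src, dsts in targets.items():
        if len(dsts) < threshold:
            continue                       # below threshold: log only, take no action
        if src in ALLOWLIST:
            actions[src] = ("allowlisted",)
        elif src in HOST_PORTS:
            switch, port = HOST_PORTS[src]
            actions[src] = ("quarantine", switch, port, QUARANTINE_VLAN)
        else:
            actions[src] = ("unknown_port",)   # cannot map to a port: escalate to a person
    return actions
```

In this run 10.20.5.17 is the only host that gets a quarantine action; 10.20.9.4 stays below the threshold and 10.20.1.5 is reported as allowlisted rather than cut off.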

Alcatel's Jean-Luc Ronarch, director of security strategy, says the company will formally introduce next month the quarantine capability that Abilene Christian is beta-testing. General availability in the OmniVista management console is expected later this fall. He says it will require no changes to the Alcatel switches themselves.

"What we're doing is creating a link between intrusion detection and the VLAN to bridge them together," Ronarch says.

Tom Burns, senior vice president and general manager of Alcatel's infrastructure business, says Alcatel expects to detail this summer how its switches also can take on more policy-enforcement activities through interaction with VPNs and firewalls.

Last month at NetWorld+Interop, Alcatel demonstrated how Sygate policy-enforcement software could be used to validate whether a user's computer had the appropriate anti-virus and firewall software. The Sygate desktop agent could share that information with OmniVista for the purposes of network quarantine. Alcatel says it hopes to add interaction with Sygate's software for quarantine as well, though that integration is not yet generally available.

Customers say they're inclined to prefer switches that can help them in their security tasks.

"When you buy and build infrastructure, it's not just about speeds and feeds anymore," says Vincent Cottone, vice president and director of infrastructure at financial services firm Eaton Vance in Boston.

Eaton Vance has deployed 12 Enterasys Matrix switches and wants them to play a bigger role in helping the firm comply with regulatory demands such as Sarbanes-Oxley. One new Enterasys switch-management product module, called the NetSight Atlas Automated Security Manager (ASM), will provide a way for Eaton Vance IDSs to have their alerts processed at a Matrix management console and, as an option, automatically instruct a Matrix switch to shut down ports or take other actions.

Eaton Vance has tested ASM in a lab and soon will put it into production use. Although Cottone is not ready to automate across the board, he says there are circumstances - such as when a worm attack begins at 2 a.m. - in which he would automate the process to shut down ports until IT staff could get a handle on the problem. He sees most major switch vendors moving toward a greater integration of security capabilities. "The whole industry is going this way," he says.

The Enterasys ASM also can isolate a worm-infected machine into a VLAN using the Enterasys Dragon IDS, says Bill Clark, the switch vendor's senior director of product management. Enterasys later this month expects to detail an expansion of its policy-based quarantine methodology by also showing how ASM can make use of information from vulnerability-assessment tools and anti-virus policy enforcement software to quarantine users that violate security policies.

Cisco, which already offers intrusion-detection and firewall modules for its Catalyst switch line, expects later this summer to add the capability for switches and routers to detect and block distributed DoS attacks, based on technology gained through its acquisition of Riverhead Networks.

In addition, by working with Trend Micro, Cisco plans to add the ability to block worms directly through Catalyst switches in the fall.

Cisco also is working with anti-virus vendors Network Associates, Symantec and Trend Micro to include a way to quarantine users who don't have the required anti-virus or patch updates, in a way similar to Alcatel's approach.

The first fruits of that effort, called Cisco's Network Admission Control program, are expected next month. Customers say it's important for Cisco to plot out this kind of road map for its switches.

"It really matters to us," says Dan Maloney, assistant director for network services, infrastructure and clinical engineering at hospital system Baystate Health System in Springfield, Mass.

Baystate uses the Cisco 6513 switch with the IDS capability at its core. Any added security-prevention benefits that Cisco can integrate into its switches are welcome, Maloney says. He says he now expects switches to provide security functions, and how they do that will influence his buying decisions.

Sometimes switches gain fans simply because they make security chores easier.

Siemens Medical Systems in Malvern, Pa., maintains a WAN with about 100 Ethernet switches, all in the Cisco Catalyst series, and dozens of applications for use by customers. The company's IT department last year began monitoring network quality and application use by plugging in the Network Associates Distributed Sniffer appliance at various switches.

William Griswold, network manager at the medical equipment manufacturer, says his company added the Apcon 144-port IntellaPatch cross-connect switch in its data center because it makes the network sniffing process much easier.

"I had to dedicate a Sniffer to each of the 18 Cisco Systems 6500 Series Layer 3 series switches by hard-wiring them to the chassis to do the data capture," Griswold says. He then faced buying more Distributed Sniffer appliances for 80 other Cisco switches, including the Catalyst 1900, 2000, 3000 and 4000 series.

Instead of buying more Sniffer appliances, Griswold purchased the Apcon switch, into which he plugged the Distributed Sniffer's monitor interface early this year. The switch can mirror data coming in and out of one Cisco SPAN port to another, so Siemens can capture the needed Sniffer data across the 80 Cisco switches through Apcon. "[The Apcon switch] dramatically increased our ability to support this network," he says.

Apcon says other types of network analysis equipment, such as the Fluke OptiView Workgroup Analyzer, can work similarly using IntellaPatch.

Third-party vendors also are getting on the switch-and-security bandwagon.

Set to be announced this week, Arbor Networks' third version of its PeakFlow X appliance for monitoring and analyzing traffic flows will be capable of blocking unwanted traffic by directly instructing Cisco Catalyst 6 switches what steps to take to limit network services for desktop users, servers and printers.

This type of blocking is based on IP address and ports. It would be used at the start of a worm outbreak or DoS attack, or when other threats are spotted, says Rob Malan, Arbor's CTO. Some blocking rules also could be applied after a major vulnerability is made public but before a worm exploiting it appears.


Copyright © 2004 IDG Communications, Inc.