Many customers have asked me, when looking at network switching manufacturers, who has the best security solution for their network. Rather than posting a very long story and having everyone bash me for my views, I took it to the people who build the switches. That's right, we sent each major manufacturer a list of 10 questions that customers ask me on a consistent basis. Below are the companies who replied to me and will be part of this multi-post story:
HP ProCurve, Enterasys Networks, Juniper Networks, Foundry Networks
A few companies did not give us a reply; those companies were:
Cisco, Nortel, 3Com, Force 10, Extreme Networks
I would like to thank each company that took the time to give our readers more information on their security solutions for network switches. This week we are going to start with Enterasys Networks, and a special thanks to Trent Waterhouse for answering the questions below. We have made no changes to any of the answers provided.
Trent Waterhouse is VP of Marketing for Enterasys. His bio is online at: http://www.enterasys.com/company/executive-team/waterhouse.aspx
1. Why is the vision for your switch security solution better than other vendors?
Enterasys offers built-in proactive security protections on every wired and wireless connection we make - other vendors take the more costly and operationally burdensome bolt-on approach to security. The first thought Enterasys has when we are designing a new product is how we can embed the security in all aspects of the hardware and software. Enterasys was the initial innovator in embedded network security, and we have delivered key aspects of embedded network security before the rest of the market. The Enterasys Secure Networks architecture automatically senses and responds to infrastructure threats, limits access based on user/application role, and automates compliance activities with internal and external policies and regulations.
Enterasys Secure Networks ensure the confidentiality, integrity, and availability of IT services and the business users that rely on them - without sacrificing performance. Thousands of enterprises, government agencies and educational institutions in more than 70 countries worldwide rely on our convergence, connectivity and compliance solutions to deliver business-oriented, policy-based visibility and control of individual user and application priority and security.
Our architecture is designed to make it easy for an enterprise to ensure success by answering the following questions:
- Can you easily deploy and operate your network security?
- Can you automatically enforce your policies anywhere and everywhere?
- Can your network dynamically react to threats against your IT assets?
- Can you automatically produce important audit and compliance information?
2. Do you feel that open standards are best for security solutions and how does it play in your solution?
Yes, open standards and automated solutions that truly leverage them are absolutely the best approach. Enterasys' open-architecture interoperability solutions, built on industry standards, protect existing financial and knowledge investments while ensuring market competition that lowers costs. Enterasys is focused on the management and security of networks to lower operating costs and protect an organization's reputation and business processes. Enterasys was the first networking company to embrace multi-vendor visibility and control through network management software nearly two decades ago, and we remain committed to industry standards and multi-vendor interoperability today. The reality is that every organization's network is made up of multiple vendors - so Enterasys delivers advanced security, visibility and control software that manages across multiple vendors and operating systems. An example of an Enterasys multi-vendor, open security solution is Enterasys Distributed Intrusion Prevention, which contains threats at the edge access points into the network, regardless of whether it is Enterasys or third party networking gear deployed.
3. What is the most important security feature of your solution?
Enterasys Secure Networks align the network with business requirements through "What you need is what you get" policies that ensure only the right users have access to the right information from the right place at the right time. We take your paper policies and enable them to be enforced in real time throughout the entire network. Policy is defined centrally, leveraging your existing directory privileges, and then enforced in a distributed manner on every port in the network. Enterasys policy capabilities are granular such that each conversation (flow) for each type of traffic for a given user or device can have a specific set of security and QoS priority privileges to improve visibility and control without sacrificing performance, while lowering operational costs and assuring always-on reliability.
Unlike traditional technology-oriented port and VLAN ACL-based methods that our competition calls "policy", with Enterasys you don't need to configure policies on a box-by-box basis using complex CLI commands in a very specific order of operations. An intuitive GUI enables you to define the policies once, and regardless of the number of moves, adds or changes, have those user and application policies enforced automatically across the entire network. In a sentence, Enterasys makes end-to-end security and priority easy to configure and maintain without requiring a lot of network operations money, time or people.
4. Why is your Network Access Control solution an important part of your security solution?
Compliance needs and liability issues are driving organizations to have visibility and control over exactly who connects to their network and what privileges they have once connected. The recent SAFE Act in Congress imposes fines of $300,000 if somebody does something inappropriate or illegal when using your network. This potential liability means organizations need to know who/what is connected to their network as well as have some controls over what can or cannot be done once connected; and thus the need for Network Access Control (NAC). Enterasys NAC scalability has been proven at Bethel University (11,000 users), European Investment Bank (3,000 users), UNC Chapel Hill (35,000 users), and University of Bern (30,000 users).
Enterasys NAC can be deployed in-line at the distribution layer of the network or out-of-band in the core for wired or wireless networks. Interoperability with Microsoft NAP and the Trusted Computing Group's TNC has been proven. It works with third party switches from Cisco, HP, Nortel and others to avoid forklift upgrades of your current networking equipment. It is delivered as an external appliance or embedded into Enterasys Matrix N-Series switches.
Pre-connect security posture assessment capabilities are available (agent or agent-less) while authentication is performed via 802.1x, web portal or MAC address. Post-connect continuous threat analysis and containment is provided through intelligent integration with Dragon IDS/IPS and the Dragon Security Command Console network behavioral analysis (NBA) and security information management (SIM) solution to deliver dynamic intrusion response, automated enforcement of acceptable use policy, and proactive protection against zero-day threats.
5. How does mobility security play into your security solution and why is it better than other vendors?
Enterasys embraces user mobility as security/policy privileges follow a user or device automatically as they move around the wired or wireless infrastructure. From a mobile device perspective, Enterasys offers wireless location services while supporting mobile voice and video communications. Mobility also extends to data centers where virtualized application servers can dynamically move from one physical host to another (think VMware's VMotion) and you need the security and QoS privileges to follow the virtual machine automatically in real time. The Enterasys Secure Networks for Virtual Data Centers solution assures the connectivity and compliance of virtualized computing and storage.
6. How does your security solution adapt to a customer changing environment?
Enterasys networking solutions address changing customer environments in 2 key ways - tactically and strategically. The tactical needs, such as automating move/add/change activity, are addressed by Enterasys policy (authentication and authorization), which is defined once so that each user, application or device will get what it needs (and only what it needs) in terms of security and priority.
Strategically, the reality is that nothing works without the network these days. It connects everything - going beyond traditional computing and storage, to now include phones, cameras, printers, copiers, badge access readers, etc. As things move and change, the role of Enterasys is to ensure that the network is a security visibility and control point to complement existing endpoint security mechanisms as another layer in a defense in depth strategy. Our team of researchers and technology partners are working hard every day to keep pace with the continuously evolving threat landscape.
Our approach has been and continues to be validated by our enterprise customers. Recently, a prominent industry analyst firm was speaking with the Enterasys customer advisory board. When he asked them if they were using VoIP, most of them said yes. When he then asked them if they had to upgrade their network to accommodate VoIP, every one of them said "no", that there was no need. Enterasys policies automatically discover, classify, prioritize and secure voice communications from Avaya, Cisco, Nortel, ShoreTel and Siemens - just to name a few.
7. So that a company can save money on existing equipment, how does your switch security solution work with a customer's SIM, NAC, IDS, Anti-Virus or general network management tools that are from different vendors?
While Enterasys offers our own management, IDS/IPS, NAC, NBA and SIM technologies, we can also integrate our automated security incident response mechanisms to use information from third party IDS/IPS, NAC, NBA and SIM vendors to take action against third party networking equipment from Cisco, HP and all the other networking vendors. Enterasys NetSight Automated Security Manager (ASM) is what enables us to secure any network from any vendor.
8. Customers are now looking at VoIP and Convergence security, which starts at the switch. Why is your solution better than other vendors?
Not only is Enterasys able to discover, classify, prioritize and secure VoIP and other unified communications technologies; we are unique in that our IDS/IPS solution (Dragon) is able to analyze and secure convergence protocols such as SIP, H.225, H.245, and H.323. Enterprises worldwide want to ensure the same reliability, quality, manageability, mobility and security of the traditional PBX with new voice-over-IP (VoIP) and unified communications solutions. The Enterasys Secure Open Convergence solution delivers a way to sense and automatically respond to security threats against the IP telephony infrastructure; enforce network access control policies; and comply with regulations for monitoring and safety. Also, Enterasys Policy enables our switches to automatically recognize when a vendor's VoIP gear is connected to the network, and the appropriate security and priority attributes are dynamically applied. No administrator intervention is required.
9. Customers want proactive security so problems are taken care of in real time. Does your solution fix problems in real time, how does it work, and why is it better than other vendors?
The Enterasys Matrix N-Series includes proactive zero-day threat protection through flow setup throttling and policies of least privilege. These least-privilege policies, sometimes referred to as Acceptable Use Policies, are key to proactively preventing inappropriate access, protocols and services, which are the root cause of many security incidents on a network. In addition, the Enterasys Distributed Intrusion Prevention solution, with integrated network behavioral analysis and threat/vulnerability signatures, further enables the detection and proactive prevention of attacks while also immediately containing the threat source. The Dragon IDS/IPS, NBA and SIM capabilities all integrate with each other and with Enterasys Network Access Control to automatically sense and respond to threats in real time.
Another feature that makes Enterasys response better is that it allows for variable actions. You aren't restricted to an "all or none" approach, which is critical for addressing security issues while maintaining business operations. For example, when a threat is identified using Enterasys Dragon IDS/IPS, that threat can be contained, as other vendors do, through VLAN quarantine; but unlike other solutions, the threat can also be contained by limiting bandwidth or lowering QoS priority specific to an individual user or device. None of the other users on that switch or port or VLAN are affected - just the offending node.
Enterasys protects networked resources by removing an attacker's ability to continue an attack or to mount a new attack while containing threats and vulnerabilities. Once a "bad" user is detected, they are blocked from access on all ports throughout the entire networked infrastructure automatically. This takes away the attacker's ability to move around the network in order to continue attacks, and it is done without requiring administrator action.
10. In the next five years what switch security solution will customers have to deal with and how is your company looking to the future?
Where we are headed in the future is to leverage the intelligence, automation and integration of our hardware and software to optimize network operations through identity-based networking. We envision a time when networks will be self-healing and self-securing without requiring human intervention. We also see a future where on-demand traffic management will ensure IT supply can meet business demands. In the near term, you'll see switches that can perform deep packet inspection all the way up to Layer 7 for security purposes and data leakage prevention. Network security will evolve beyond access control to also include content control.