Who has the best Security Switch Solution for your network? We asked major manufacturers, Part Three - ProCurve Networking

Many customers have asked me when looking at network switching manufacturers, who has the best security solution for my network? Rather than posting a very long story and having everyone bash me for my views, I took it to the people who build the switches. That's right, we sent each major manufacturer a list of 10 questions that customers ask me on a consistent basis. Below are the companies who replied to me and will be part of this multi-post story:

HP ProCurve, Enterasys Networks, Juniper Networks, Foundry Networks (See Part 1: Enterasys Networks, and Part 2: Juniper Networks.)

A few companies did not give us a reply; those companies were:

Cisco, Nortel, 3Com, Force 10, Extreme Networks

I would like to thank each company that took the time to give our readers more information on their security solutions for network switches. This week we are going to look at ProCurve Networking, and a special thanks to Mauricio Sanchez, ProCurve Chief Security Architect, for answering the questions below. We have made no changes to any of the answers provided.

Questions answered by:

Mauricio Sanchez, ProCurve Chief Security Architect

1.     Why is the vision for your switch security solution better than other vendors?

ProCurve's ProActive Defense for a trusted network infrastructure is a bold new vision for network security that combines both "offense" and "defense" simultaneously. With ProActive Defense, the network provides access control that can provide the appropriate level of access for different users. It has been tested to detect and respond to many types of network attacks and is designed to protect data and integrity for all us

Unlike competitors, ProCurve's approach has been to develop intelligent security at the edge of the network where users and devices connect. ProCurve provides integrated security and centralized management within a unified wired and wireless network.  

2.     Do you feel that open standards are best for security solutions and how does it play in your solution?

Yes, we believe that an open standards approach is the best approach for solving security problems.  ProCurve has led the industry in offering 100-percent standards-based and interoperable products. Customers can expand and augment their ProCurve network as business needs evolve, rather than having to start from scratch or be locked in to and limited by proprietary solutions and service contracts.

3.     What is the most important security feature of your solution?

The most important security feature in our solution is not a feature per se, but our approach to the network security problem. We integrate security capability into the network fabric. ProCurve switches and access points help prevent security breaches, monitor behavior, and apply security policies to maximize network availability.

Several examples of our integrated security approach include:

1. ProCurve switches and access points implement packet firewall capabilities that together with Identity Driven Manager (IDM) allow enforcement of dynamic per-user location and time based access policies.

2. ProCurve switches and access points provide flexible user authentication schemes through their support for MAC-based, Web-based (Web Auth), or 802.1X authentication capabilities.

3. ProCurve switches and access points offer Intrusion Detection Service (IDS) features, such as detection of ARP attacks, excessive login/authentication failures, abnormally high IP address counts, and anomalous numbers of MAC address counts/learns/moves.

4. ProCurve switches and access points provide Intrusion Prevention Services (IPS) features, such as Virus and ICMP throttling, rogue DHCP prevention, dynamic ARP protection, BPDU filtering and blocking.

5. ProCurve switches and access points implement sFlow data sampling to gain comprehensive network visibility from layer 2 (datalink) to layer 7 (application) to identify excessive bandwidth consumers, top talkers and protocol attacks.

6. ProVision switch ASICs have re-programmable deep packet inspection engines that are used for packet filtering, firewall and per-user ACLs and in future can be programmed with new security applications.

7. Most ProCurve switches include sophisticated end-to-end data checking, such as embedded memory error detection and ECC (Error Correcting Code) for external memory, to maintain the highest levels of data integrity.
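Answer 3 lists rogue DHCP prevention, dynamic ARP protection and anomalous MAC-count detection as features integrated into the switch. The following is an added example written for this article, not ProCurve code, that models how those three checks fit together on an edge switch: DHCP server messages (OFFER/ACK) are accepted only from trusted ports, ACKs seen on trusted ports populate a MAC/IP/port binding table, ARP on untrusted ports must match that table, and a port that learns too many MACs raises an alert. The port names, MAC and IP addresses and the limit of 8 MACs per port are constructed sample values.

```python
"""Edge-switch model of DHCP snooping, dynamic ARP protection and MAC-count limits.

Added example, not ProCurve code. Ports, addresses and thresholds are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class EdgeSwitch:
    trusted_ports: Set[str]                      # uplinks where DHCP servers legitimately sit
    mac_limit: int = 8                           # alert once a port learns more MACs than this
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # client MAC -> (IP, port)
    pending: Dict[str, str] = field(default_factory=dict)               # client MAC -> port of last REQUEST
    macs_per_port: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)
    dropped: int = 0

    def learn_mac(self, port: str, mac: str) -> None:
        """MAC learning with a per-port ceiling (the 'anomalous MAC count' IDS check)."""
        seen = self.macs_per_port.setdefault(port, set())
        if mac not in seen:
            seen.add(mac)
            if len(seen) == self.mac_limit + 1:
                self.alerts.append(f"{port}: more than {self.mac_limit} MACs learned")

    def dhcp(self, port: str, op: str, client_mac: str, client_ip: str = "") -> bool:
        """DHCP snooping: server messages only from trusted ports; ACKs build the binding table."""
        if op == "REQUEST":
            self.learn_mac(port, client_mac)
            self.pending[client_mac] = port          # remember which access port asked
            return True
        if op in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                self.dropped += 1
                self.alerts.append(f"{port}: rogue DHCP {op} dropped")
                return False
            if op == "ACK" and client_mac in self.pending:
                self.bindings[client_mac] = (client_ip, self.pending.pop(client_mac))
            return True
        raise ValueError(f"unsupported DHCP op {op}")

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP protection: on untrusted ports the sender MAC/IP must match a snooped binding."""
        self.learn_mac(port, sender_mac)
        if port in self.trusted_ports or self.bindings.get(sender_mac) == (sender_ip, port):
            return True
        self.dropped += 1
        self.alerts.append(f"{port}: ARP {sender_ip} from {sender_mac} has no binding (spoof?)")
        return False


def run_sample_traffic() -> EdgeSwitch:
    """Replay constructed sample events through the model and return the final switch state."""
    sw = EdgeSwitch(trusted_ports={"24"})
    sw.dhcp("1", "REQUEST", "aa:aa:aa:00:00:01")
    sw.dhcp("24", "ACK", "aa:aa:aa:00:00:01", "10.0.0.10")    # real server answers via the uplink
    sw.dhcp("5", "OFFER", "aa:aa:aa:00:00:05", "10.0.0.99")   # OFFER from an access port: rogue
    sw.arp("1", "aa:aa:aa:00:00:01", "10.0.0.10")             # matches binding: forwarded
    sw.arp("5", "aa:aa:aa:00:00:05", "10.0.0.1")              # claims gateway IP, no binding: dropped
    for i in range(10):                                       # too many MACs on one access port
        sw.learn_mac("7", f"de:ad:be:ef:00:{i:02x}")
    return sw


if __name__ == "__main__":
    for line in run_sample_traffic().alerts:
        print(line)
```

Running the sample produces three alerts (the rogue OFFER, the unbound ARP, the MAC limit on port 7) and two dropped frames; the trust decision is per port, which is why the uplink to the real DHCP server must be marked trusted before any client can obtain a binding.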

4.     Why is your Network Access Control solution an important part of your security solution?

Network access control is one of the three important components of our ProActive Defense security vision.  NAC is the offensive component to protect the network against unauthorized access, which can be devastating to a business.  Our approach to NAC is based on our Adaptive Edge architecture that calls for control to the edge and command from the center.  Control to the edge means that we rely on the significant intelligence present at the edge of the network - the LAN, WLAN or WAN edge - to enforce dynamic network access policy.  Command from the center means that all access policies are centrally managed and then enforced dynamically by the edge network device that a user or device connects to.

Besides the network infrastructure itself that forms the enforcement layer for NAC, the management components that make up our access control solution are:

1. ProCurve Manager Plus - is the foundation of the ProCurve Command from the Center management architecture and provides a robust platform for easily managing network infrastructure devices securely and consistently. ProCurve Manager Plus is a secure, advanced Windows-based network management platform that allows administrators to configure, update, monitor, and troubleshoot ProCurve devices centrally with easy-to-use information-rich screens.

2. ProCurve Identity Driven Manager - adds policy based network access rights in order to secure a network from unauthorized users and devices while providing appropriate network access for authorized users. ProCurve Identity Driven Manager dynamically configures security and performance settings based on user, device, location, time, and client system state.

3. ProCurve Network Access Control 800 - combines a RADIUS-based authentication server and the ability to validate the integrity of the systems connecting to the network, allowing network administrators to secure the network from unauthorized users and systems that pose a threat to the network resources.

5.     How does mobility security play into your security solution and why is it better than other vendors?

ProCurve mobility solutions are an extension of a secure, unified network. Wireless connectivity doesn't require a separate network. It's an extension of an existing one. Regardless of how users connect, the network behaves the same. Users get the same consistent manageability and security when connecting to the network across wired or wireless access. Administrators manage their networks with common tools and applications that work across both wired and wireless infrastructure.

ProCurve mobility solutions tightly integrate with access control systems, helping manage the risk of unauthorized access to the network. Security threats are addressed at the edge of the network without allowing the potential threats to enter the network in the first place. The intelligent network edge enforces security policies at the point of entry. Network devices provide detailed visibility to proactively address security threats anywhere on the wired and wireless infrastructure. Consistent security policies are implemented by applying the same policies across wired and wireless access while avoiding duplication and without compromising the integrity of the policies. Our solutions offer flexibility to enable varying levels of secure access to guests.

6.     How does your security solution adapt to a customer changing environment?

Our security solutions can adapt to a customer's changing environment because they are based on our Adaptive Network philosophy.  The foundation for ProCurve's business model is the Adaptive Networks vision that delivers networks that are adaptive to users, applications and an organization's needs. ProCurve empowers companies to spend more time meeting business goals and less time worrying about their networks.

The Adaptive Network is ProCurve's vision for the future. It is a vision in which networks are adaptive to users, applications and an organization's needs. Adaptive Networks enable businesses to implement IT solutions that turn their networks into strategic assets. ProCurve's mission is to offer its customers standards-based, cost-effective products that help fortify security, increase productivity and reduce complexity in the enterprise.

Adaptive Networks build on ProCurve's current architectural blueprint for the enterprise network, the Adaptive EDGE Architecture (AEA). The AEA enables "control to the edge" with "command from the center" by locating intelligence - the ability for the network to respond and act - at the network edge, where users and devices connect. The AEA enables network administrators to retain control over the policies and rules governing the network's intelligence. AEA is crucial to the network's ability to adapt to changing business needs.

7.     So a company can save money on existing equipment, how does your switch security solution work with a customer's SIM, NAC, IDS, Anti-Virus or general network management tools that are from different vendors?

If a customer's existing security investment supports industry standards, then our security solutions can be integrated into those solutions.  ProCurve has led the industry in offering 100-percent standards-based and interoperable products. Customers can expand and augment their ProCurve network as business needs evolve, rather than having to start from scratch or be locked in to and limited by proprietary solutions and service contracts.

8.     Customers are now looking at VOIP and Convergence security, which starts at the switch. Why is your solution better than other vendors?

ProCurve is a leader in this area, helping drive multi-user and multi-role network access control authentication...and in addition, working with many of the leading IP telephony vendors getting these capabilities as well as LLDP-MED onto their product roadmaps.

As the following independent NetworkWorld four month product review testing highlights, ProCurve received essentially the same score as Cisco for less than 1/2 the cost:



Convergence and multi-vendor interoperability is changing the game, with bigger differences starting to appear between switches...especially at the edge.

9.     Customers want proactive security so problems are taken care of in real time, does your solution fix problems in real time, how does it work and why is it better than other vendors?

Our ProActive Defense security vision has a defensive component, Network Immunity, that is meant to specifically deal with real-time threats.   A customer can deploy network immunity capabilities by taking advantage of our Network Immunity Manager.  The ProCurve Network Immunity Manager is a plug-in for ProCurve Manager Plus that detects and automatically responds to threats, such as virus attacks on the network.  This security management tool monitors devices across the network for internal network attacks and allows administrators to set detection and response security policies. It leverages security and traffic-monitoring features built into ProCurve switches with the ProVision ASIC, such as sFlow, Virus Throttle, and remote mirroring technologies, and it performs NBAD (Network Behavior Anomaly Detection) to detect attacks.
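Answer 9 names sFlow, Virus Throttle and NBAD as the inputs to Network Immunity Manager without saying what the detection actually looks at. The following added example (written for this article, not ProCurve's implementation) shows one NBAD check in the spirit of virus throttling: each source is tracked for first contact with new destinations, and a source whose count of new destinations inside a short sliding window exceeds a threshold is flagged, which is the signature of a scanning worm rather than of a busy server talking to its usual peers. The sample records, the 1-second window, the threshold of 10 and the sampling-rate scaling are constructed assumptions; a real collector would feed it decoded sFlow flow samples.

```python
"""Virus-throttle style NBAD over sFlow-like samples.

Added example, not ProCurve's code. Sample records, window and threshold are constructed.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple

# (timestamp_seconds, src_ip, dst_ip): the fields an sFlow collector would extract per sample
Sample = Tuple[float, str, str]


def detect_new_destination_bursts(samples: Iterable[Sample], window: float = 1.0,
                                  threshold: int = 10, sampling_rate: int = 1):
    """Return (peak_rate_per_src, flagged) where flagged maps src -> (time, rate) of the first breach.

    Only the first contact with a destination counts, so repeated traffic to known peers never
    trips the threshold. Counts are multiplied by the sFlow sampling rate because a 1-in-N sampler
    sees roughly every Nth packet (uniform sampling is assumed here, which is an approximation).
    """
    seen_dsts: Dict[str, set] = defaultdict(set)
    recent: Dict[str, deque] = defaultdict(deque)      # src -> timestamps of first contacts in window
    peak: Dict[str, int] = defaultdict(int)
    flagged: Dict[str, Tuple[float, int]] = {}
    for t, src, dst in sorted(samples):
        if dst in seen_dsts[src]:
            continue                                   # not a new destination for this source
        seen_dsts[src].add(dst)
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:                 # slide the window forward
            q.popleft()
        rate = len(q) * sampling_rate
        peak[src] = max(peak[src], rate)
        if rate > threshold and src not in flagged:
            flagged[src] = (t, rate)
    return dict(peak), flagged


def sample_traffic() -> List[Sample]:
    """Constructed sFlow-like samples: one normal client and one host sweeping a /24."""
    samples: List[Sample] = []
    for k in range(30):   # normal host keeps talking to the same 3 servers
        samples.append((k * 0.5, "10.0.1.5", f"10.0.0.{1 + k % 3}"))
    for k in range(30):   # worm-like host contacts 30 distinct hosts within half a second
        samples.append((12.0 + k * 0.015, "10.0.1.77", f"10.0.2.{k + 1}"))
    return samples


if __name__ == "__main__":
    peak, flagged = detect_new_destination_bursts(sample_traffic())
    for src, (t, rate) in flagged.items():
        print(f"{src}: {rate} new destinations within 1s at t={t:.3f}s (peak {peak[src]})")
```

The response side of a network-immunity product (rate-limiting or isolating the flagged port) would hang off `flagged`; the point of counting only first contacts is that the normal host peaks at 3 while the sweeping host is flagged at its 11th new destination, long before the sweep completes.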

10.   In the next five years what switch security solution will customers have to deal with and how is your company looking to the future?

Network security devices that exist today as standalone boxes/solutions will become extinct.  The capabilities offered by current standalone security devices will be integrated into the network infrastructure.  Security functions such as firewalls, comprehensive intrusion prevention and detection, and VPN encryption will be intrinsic capabilities of future network infrastructures.

The advantages to network administrators of this integration will be significant.  Because they will no longer have to deal with a separate network and security layer, administrators can avoid the cost, performance and management tradeoffs now demanded by standalone security devices.

In addition, network security will be increasingly standards-based.  For ProCurve, this trend will require no adjustment in our product strategies, because ProCurve's commitment to and leadership in the standards realm - particularly in the areas of network security - is one of our primary values.

The set of standards defining a deployable secure network infrastructure environment includes (but is not limited to):

  • IEEE 802.1AR - Secure Device Identity
  • TCG Trusted Platform Module
  • IEEE 802.1AE - MAC Security
  • IEEE 802.1af - Authenticated Key Agreement
  • IETF EAP Key Framework

Important end-point assessment standards to watch for include IEEE 802.1X, TCG/TNC specifications, IETF RFC 3580, RFC 4675, RFC 4849, IETF Network Endpoint Assessment (NEA), TCG TNC (Trusted Network Connect) and Microsoft Network Access Protection (NAP).

Link security protocols include IEEE 802.1X-2004, IEEE 802.1ae, IEEE 802.1af and IEEE 802.11 TGi.  There are also AAA transport protocols, authentication protocols, policy provisioning, server and client APIs, and a number of other security-related standards that are or will be important to your network.
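Among the end-point assessment standards listed above, IETF RFC 3580 is the one that lets a RADIUS server (such as the RADIUS-based NAC 800 or an IDM policy described under question 4) tell an 802.1X switch which VLAN to place an authenticated user in. The following added example (written for this article, not ProCurve or IDM code) parses the attribute section of a constructed RADIUS Access-Accept and extracts that VLAN from the tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes defined in RFC 2868 and profiled in RFC 3580. The attribute blobs, the tag values and the numeric-ID-only rule are this example's assumptions.

```python
"""Decoding the RFC 3580 dynamic-VLAN attributes from a RADIUS Access-Accept.

Added example, not ProCurve/IDM code. The attribute sections below are constructed, not captures.
"""
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868 attribute types
REPLY_MESSAGE = 18                                                     # RFC 2865
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type value "IEEE 802" (RFC 2868)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute TLV: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute section into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value: bytes) -> Tuple[int, bytes]:
    """Tunnel attributes lead with a tag byte; 0x00 (or a first byte above 0x1F) means untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(blob: bytes) -> Optional[int]:
    """Return the VLAN ID to apply, or None when no consistent VLAN trio is present.

    The three attributes must share a tag, Tunnel-Type must be VLAN and the medium IEEE 802.
    Accepting only numeric IDs 1-4094 is this example's choice; some switches also map VLAN names.
    """
    groups: Dict[int, Dict[int, bytes]] = {}
    for t, v in parse_attributes(blob):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(v)
            groups.setdefault(tag, {})[t] = body
    for group in groups.values():
        if (int.from_bytes(group.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


# Constructed Access-Accept attribute sections.
ACCEPT_VLAN_120 = (encode_attr(REPLY_MESSAGE, b"welcome")
                   + encode_attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                   + encode_attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
                   + encode_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"120"))
ACCEPT_NO_VLAN = encode_attr(REPLY_MESSAGE, b"welcome")
ACCEPT_BAD_RANGE = (encode_attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                    + encode_attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
                    + encode_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"4096"))

if __name__ == "__main__":
    print(vlan_from_access_accept(ACCEPT_VLAN_120))    # 120
    print(vlan_from_access_accept(ACCEPT_NO_VLAN))     # None: switch falls back to its port default
```

A switch that enforces per-user VLANs this way should treat a missing or inconsistent trio as "no dynamic VLAN" and apply its configured default or deny access, rather than guessing; the out-of-range case in `ACCEPT_BAD_RANGE` is there to show that a syntactically valid attribute can still carry an unusable value.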


Copyright © 2008 IDG Communications, Inc.
