Who has the best Security Switch Solution for your network? We asked major manufacturers, Part Four - Foundry Networks

When looking at network switching manufacturers, many customers have asked me: who has the best security solution for my network? Rather than posting a very long story and having everyone bash me for my views, I took it to the people who build the switches. That's right, we sent each major manufacturer a list of 10 questions that customers ask me on a consistent basis. Below are the companies that replied to me and will be part of this multi-post story:

HP ProCurve, Enterasys Networks, Juniper Networks, Foundry Networks (See Part 1: Enterasys, Part 2: Juniper Networks and Part 3: ProCurve Networking.)

A few companies did not give us a reply. Those companies were:

Cisco, Nortel, 3Com, Force 10, Extreme Networks

I would like to thank each company that took the time to give our readers more information on their security solutions for network switches. This week we are going to look at ProCurve Networking and a special thanks to Val Oliva, Director of Product Strategy for Foundry Networks, for answering the questions below. We have made no changes to any of the answers provided.

Security Switch Questions

1. Why is the vision for your switch security solution better than other vendors?

Our security solution deployed in our network products is better than other vendors because it combines all of the following:

  • Hardware-based Embedded Network Metering using sFlow

sFlow or RFC 3176 is available in all of Foundry's products, giving our customers network visibility and network traffic metering in hardware. Having it available in all of Foundry's products ensures that a consistent networking security solution is deployed.

This technology is also leveraged in other network management facets such as capacity planning, network troubleshooting, and performance management.

  • Open-based Security Solution

For network-wide security monitoring and prevention, our customers can use sFlow with various IPS packages, from freeware packages like SNORT, ARPWatch or Ethereal to high-end, zero-day anomaly products such as Arbor and Lancope. Giving this flexibility allows our customers to balance financial with security level required.

Combining these products with Foundry IronView Network Manager, customers can take automatic and immediate actions such as turning a port(s) off, configuring an ACL to the port(s), rate limiting network flows on port(s), or moving network flows to a "monitoring" VLAN for further analysis of the attack.

  • Complete Embedded Security Solution

Included in Foundry's products are key embedded security solutions that can stop an attack at the network equipment level, and not just network-wide. In addition, the embedded security includes a solution that performs "Secure, Ondemand, Policy Assignments".

Foundry's products include key features such as the following:

  • Root and BPDU Guard
  • Dynamic ARP Inspection, DHCP Snooping, IP Source Guard
  • Policy-based Routing and ACLs
  • 802.1X and MAC authentication with dynamic VLAN assignment
  • Concurrent 802.1X and MAC authentication activation per port

2. Do you feel that open standards are best for security solutions and how does it play in your solution?

Open standards are always best in any networking requirement such as switching, security, and others. Standards are key in ensuring that the customer gets products that work well together, even across vendors.

For example, Foundry's networking products work with Microsoft's (MS) Network Access Protection (NAP) flawlessly. With MS's NAP, users connected to a Foundry product can be authenticated using 802.1X in MS's Network Policy Server (NPS), assigned to the right VLAN (again, using MS's NPS), and a user's traffic can be accounted using sFlow.

3. What is the most important security feature of your solution?

All of our security solutions are equally important, and being able to enable them together delivers the complete network security solution.

4. Why is your Network Access Control solution an important part of your security solution?

NAC is important and in Foundry's solution it allows us to deliver "Secure, Ondemand, Policy Assignment". What makes us differ from other vendors is that our NAC solution combines sFlow to deliver user-based (or 802.1X username) traffic accounting.

5. How does mobility security play into your security solution and why is it better than other vendors?

Because mobility security uses 802.1X, our solution becomes consistent with mobility.

6. How does your security solution adapt to a customer's changing environment?

sFlow, because it delivers the packet information and the packet, gives complete network visibility of the network traffic. This network visibility is required by zero-day anomaly solutions.

7. So a company can save money on existing equipment, how does your switch security solution work with a customer's SIM, NAC, IDS, Anti-Virus or general network management tools that are from different vendors?

Foundry has launched a partnership program that enables our products to work with best-of-breed security solutions. This enables our customers to pick from a variety of security solutions that fit their needs.

8. Customers are now looking at VOIP and Convergence security, which starts at the switch. Why is your solution better than other vendors?

Foundry's VoIP and Convergence solution is better than other vendors because it combines the following:

  • Highest density of full Class 3 in a chassis and fixed product

Foundry's FastIron SX 1600 supports up to 384 full Class 3 ports with redundant PoE power supply, giving customers the highest density and high availability VoIP and Convergence solution.

Foundry's FastIron GS with two redundant removable power supplies can support up to 48 full Class 3 ports. With one power supply, the FastIron GS can support up to 48 ports each with 10W for PoE output or PD usage.

  • Open-based VoIP and Convergence Solution

Foundry's solution includes support of key VoIP vendors such as Mitel, Avaya, Siemens HiPath, and ShoreTel. Included as well are closed-VoIP vendors such as Nortel and Cisco.

  • Complete Security Solution

See answers to question #1.

9. Customers want proactive security so problems are taken care of in real time, does your solution fix problems in real time, how does it work and why is it better than other vendors?

We have a solution called IronShield 360 that proactively resolves network security problems that occur in a customer's network. IronShield 360 combines the following:

  • sFlow to give the "analyzer" always-on and network-wide visibility
  • Signature-based solution like SNORT or Zero-day Anomaly IPS package like Arbor or Lancope to find and detect the problem
  • IronView Network Manager to inoculate or remove the problem

10. In the next five years what switch security solution will customers have to deal with and how is your company looking to the future?

In the next five years, customers will be demanding higher speed networking and the security solution must work in those environments. Snooping, a big element in network attacks, needs to be stopped and encryption is going to be required.

IPv6 is also on the horizon in the next five years and security solutions, including VoIP and Convergence solutions, must support IPv6.


Copyright © 2008 IDG Communications, Inc.
