The new network switch

The traditional LAN switch is poised for an extreme makeover, and the focus is decidedly on brains, not beauty.

Next-generation switches will not only feature embedded intelligent security functions, such as firewall, intrusion-detection systems (IDS), intrusion-prevention systems (IPS) and SSL VPN, but also the ability to handle a variety of application optimization duties, such as Web acceleration, server load balancing/buffering and WAN optimization.

For IT executives, the real questions are: How integrated will these functions be, and when will they offer a performance level and price that make it worth the upgrade?

“The true next-generation switches won’t be coming in the next year,” says Joel Conover, principal analyst for enterprise infrastructure at Current Analysis. “You might see it as a module, but it won’t be part of every switch port everywhere. It’s too expensive, it’s too processor-intensive and it’s too special-purpose.”

But during the next 24 to 36 months, real changes will start to make their way onto next-generation switching platforms, he says. “At that point, you’ll see a lot of the security processing, like the deep packet inspection, move right onto the line cards,” he says. “You’ll probably see a new generation of line cards that fit into existing switches that add a much deeper level of understanding as to what’s going on in the network.”

Go with the flows

This deeper level of understanding within the device goes by a variety of names depending on the vendor – 3Com’s control blade, Cisco’s application-aware networking, Juniper’s application fluency and Enterasys’ context networking.

But what it really means is vendors are working to make the switch better able not only to examine packets and deliver them appropriately, but also examine whole application streams, or flows of packets, and take appropriate action on them. This capability can then be leveraged for better security or application performance, experts say.

“Switches and routers of the future will be aware of the conversation flows and not just the individual packets,” says John Roese, CTO of Enterasys. “Their concern will not be just if this packet is good or bad. It’s more whether this sequence of packets do not fit the overall conversation, and if there are anomalies, to be able to take corrective action on that.”

The end of the appliance conga line

These new sets of features fall into two distinct buckets: security and application optimization, both of which are handled now by a bevy of network appliances.

The problem is that appliances tend to be purchased by different groups within the organization – for example, the server group for load balancing or Web acceleration, the security group for firewalls and IDS, or the network group for VPN.

“Someone may put in a compression device for the Web servers, but what if you have a similar service running on your switch?” says Abner Germanow, program manager for enterprise networks at IDC. “Those two devices may end up in conflict with each other.” This can lead to political battles that have nothing to do with technology (see “Politics sometimes trumps technology”).

Appliance creep also can create management nightmares, especially in remote branch offices. “In the branch office, you start to see what a lot of people refer to as the conga line of appliances,” Germanow says. “Consolidating those appliances into a switch or a smaller number of devices makes sense from a management and technology perspective.”

Performance anxiety

But it’s likely that stuffing all this appliance-type technology into the switch also will produce a hit on performance.

“It absolutely affects performance,” says Doug Gourley, director of marketing at Cisco. “That becomes the perennial trade-off – do you want to create the most services-ripped line card in the world that has lower performance? Or do you want to create something that’s all raw speed and density, with no services? Or do you strike a balance in the middle, and where is that?”

Cisco gives customers a broad choice of switch-based functionality, as well as a broad choice of where to implement it. “So in the core areas of the network, you might see things that are designed for raw unbridled performance, while at the edge of the network, where users, applications, services, firewalls and other networks join, you may want a rich layer of services while maintaining a very acceptable performance level,” Gourley says.

Because Cisco switches use the same basic platform and services modules, whether at the core, the distribution layer or the wiring closet, users can swap out functionality as their needs change, he says.

The approach is based on blades that fit into a switch chassis, not on actual embedded technology. In the future, Cisco hopes to bring some technology, such as IDS/IPS and deep packet inspection, down to the line card, Gourley says.

“This is where we’re heading,” he says. “If you look at data-center security, people deploy firewalls, server load balancers, SSL-termination devices. Whereas in the past, you might have had multiple services modules together, and a network manager would have to configure how they interoperated and what order they would hit, we see that becoming more like a single line card that offers multiple capabilities for the multiple services being leveraged.”

Cisco also sees those services becoming common and integrated at the port level. “A good example might be something like deep packet inspection,” which would enable switches to examine HTTP headers and XML schemas to route them appropriately, Gourley says. This is what Cisco is moving toward with its Application-Oriented Network (AON) technology.

“But AON is a couple more orders of magnitude beyond the security elements that we’ll see in the immediate next-generation switches,” Current Analysis’ Conover says.

Approaches vary

Others take a different approach to the price/performance conundrum. For example, Enterasys is integrating its Dragon IDS/IPS and network-based anomaly detection directly on its N-series switches, capabilities that should be available early this year. But instead of sending all network traffic through the embedded device, Enterasys says the switch first determines whether traffic is suspect and sends that traffic only for deeper packet inspection.

Roese says this is an interim step until the next generation of silicon makes it more cost-effective and practical to run deep packet inspection on all traffic.

“In our N-Series, we have this concept of accelerator cards that essentially allow the system to redirect specific traffic that meets a particular threshold to a deep packet-inspection engine, to something that can do IDS and IPS and network-based anomaly detection,” he says. This is done via policies that consider a variety of factors, including identity, role in the organization and location. When something in the traffic flow goes beyond a policy threshold, only then is it kicked out to the IDS/IPS functionality, he says. “Since there’s a performance mismatch between that accelerator and the critical path, that’s a crucial difference.”

The overlay method

Others say the wise way to add the new intelligence and functionality is as an overlay or add-on to the existing switch network.

For example, 3Com plans to add what it calls a control plane to the switch network, which will function between the underlying connectivity plane and the overlying application plane. It will be offered either as an appliance for non-3Com networks, or as a separate blade module for a 3Com switch. Using its TippingPoint IPS technology, the control plane will offer access control, attack control and application control by examining traffic via deep packet inspection and making intelligent determinations about how best to deal with it.

“The key is that the control plane should be implemented seamlessly between the application and connectivity plane, requiring no changes to either,” says Marc Willebeek-LeMair, 3Com CTO.

“It’s a migratory path most networking folks are comfortable with,” he says of the blade form factor. “Plus, with this overlay approach, it’s easy to roll back. In a fail-over condition, it can revert to just acting like a wire, or a fiber.”

It may still produce a switch bottleneck, which is a problem 3Com is aware of and addressing. “Internal connection points are much higher speed than say, one WAN connection point, which may be 1M to 10Mbps,” Willebeek-LeMair says. “Internal points are in the gigabit per second range. Today, we have a 5Gbps model and are working toward higher-speed models of our intrusion-prevention technology, and that same technology is what we will use for this control plane technology.”

Juniper is taking a similar tack by providing a raft of technologies using an overlay approach. It’s focusing on providing both security and application optimization technologies within the network – but outside of the device. Instead, it is using appliances that add new functionality to traditional security gear.

For example, Juniper’s DX box, usually situated in the data center, adds Web-acceleration features it got from its purchase of Redline Technologies to its current SSL VPN box. Juniper also now provides WAN-acceleration technology it acquired from Perabit to its SSL VPN and firewall boxes.

“So you get a multiplicative benefit by being able to have all the solutions combined on a platform. And it offers the best in performance,” says Mike Banic, director of product marketing at Juniper. It all comes without having to add new technologies to the stable underlying switch architecture, he says.

Improving policy enforcement

Beyond form factor, price and performance, this added intelligence requires robust policy management and enforcement schemes, something all the vendors are addressing head-on.

This is because once traffic and application flows are identified, policies can be built that automate how the switches handle security anomalies or different application needs. Suspect traffic can be throttled back and given a lower amount of bandwidth, or in some cases, be dropped altogether.

Similarly, policies can be built so that critical applications, such as VoIP or financial applications, can be given priority and ensured optimal bandwidth, while less critical applications are relegated to what’s left over.

Vendors say these policies, when combined with intelligent switches, will be more user-friendly and easy to implement than the policies from the old QoS days.

“The idea is to say I can describe a set of behaviors for a salesperson, and once I’ve done that, it encompasses what models of service they get, what quality they get, what bandwidth they get, what security parameters and so on,” Enterasys’ Roese says.

“But it’s abstracted as a policy for a salesperson and then can be applied over any technology. Policy is really a weakness in the industry these days, because unfortunately, a lot of the policy definitions lack any kind of abstraction. People confuse things like ‘configure the [virtual] LAN to do the quarantine role.’ That’s not a policy – that’s a VLAN configuration,” he says.

“Policy is hard,” Germanow agrees. “When considering these approaches, you have to know what kinds of policies you are really talking about, how granular can you get and what does that really mean? Are you talking about just building lots of VLANs, or is it something more than that? Right now, your mileage may vary.”

Be an enabler

Because this new intelligence isn’t likely to appear completely embedded in LAN switches for a while, users looking to upgrade their switches need to be cautious.

“If we make the assumption that the technologies around application delivery, security, mobility and voice traffic on the network are going to continue to evolve very rapidly, you have to take a step back,” Germanow says. “Each of those areas has its own political structure, and it may have its own budgets outside of the networking budget. The networking group needs to go to each of those areas and figure out how to enable them, beyond the classic networking success metrics of uptime and performance.”

The idea is that the network is migrating from being a best-effort infrastructure to a mission-critical infrastructure. “That’s a fairly big sea change,” he says.

“If you’re buying new switching equipment, the trick is to look at that as an over-arching mission, as opposed to how do I get a cheap port or keep the network up. It should be focused more on how do I help other entities within IT be successful,” he adds.

The decisions you make around the LAN switches that you buy clearly play into that, he says.

Cummings is a freelance writer in Massachusetts. She can be reached at jocummings@comcast.net.