
How Nortel wants to upgrade switch security

Jan 16, 2006

Nortel’s 2006 Ethernet switch roadmap centers on security and resiliency. The vendor will introduce the ability to run firewall and IDS filtering on every port of its flagship ERS 8600 (when outfitted with a Service Delivery Module). Also on tap is an upgrade to Nortel’s Split Multi-Link Trunking, a proprietary fast-failover technology for connecting backbone switches. Here, Sanjeev Gupta, director of Nortel’s Ethernet switching business, dives into some of the details behind these technologies with Network World Senior Editor Phil Hochmuth.

How is processing firewall and IDS traffic on a per-port level an improvement over past capabilities on the ERS 8600, or other competitive switches that use application service modules?

If every packet has to go to a centralized module, then your performance is limited by the processor speed and the capability of that module. This is not totally new for us – we had this capability with our Alteon switches. Now we’re just extending this into the 8600. Now you have distributed firewall processing on every port in the 8600 switch. This boosts the capacity of the switch exponentially. Every port can be fully secured.

Why would you need firewalls or IPS/IDS running on every switch port? Where would you deploy such a box?

This would be deployed in the data center. A typical data center has routers, firewalls, a switch layer, another firewall layer, then an application switch layer, then another layer of switches for server aggregation. This entirely collapses the firewall and switching layers.

Even in internal corporate networks, people are looking for firewalling on different levels. So maybe you don’t firewall at the wiring closet, but in the core, where a lot of traffic is being aggregated, you can firewall different networks: your guest network, human resources, finance, the engineering network and so forth.

Why use firewalls to separate network segments as opposed to segregating them with virtual LANs? When you do VLAN based separation, you have to go to a router at some point to do inter-VLAN routing. This eliminates the need for that. This gives a tighter security mechanism that is less complex to set up and manage.

Does deploying IDS and firewalls in datacenter switches introduce more complexity into an already complicated environment? Usually IDS and firewalls run in separate boxes found at the edge of the enterprise.

Automation is one way [to simplify IDS/IPS deployment on the ERS 8600]. What users can do is categorize alarms. You can set policies that say, if one type of alarm comes up, automatically set a firewall policy in the Checkpoint firewall to block that port or reduce bandwidth on that port. Now it’s automatic. The user sets policies, and the network becomes active in blocking all threats, rather than a user having to intervene every time. This has been done with a standards-based approach through integration with CheckPoint’s Open Platform Security [OPSEC, a standard for interfacing with CheckPoint firewalls]. The intrusion prevention system can talk to the CheckPoint firewall to set policies depending on what users only set up once.

The amount of failover time you’ve shaved off of Split Multi-Link Trunking – from .83 seconds down to 70 milliseconds – seems too small for anyone to notice. Where would this infinitesimal amount of time matter?

It matters to any customer who has voice or video traffic. If a user is running video applications, any outage – whether it’s four seconds, one second or half a second – they will see a disruption, a momentary blink, in the video stream. This [improved version of SMLT] will prevent that. This will be important as more users roll out more multimedia applications. As for VoIP, this provides business grade voice with no disruption at all.

As the use of storage over IP becomes more prevalent, users will want to avoid any disruption in network flows. During network disruptions, retransmissions can occur with Ethernet. This lower-latency version of SMLT will prevent miscorrelation of data on storage systems if users are doing storage backups over Ethernet, or if servers are accessing [storage area networks] over high-speed Ethernet. (See diagram).

How were these improvements in SMLT performance made? Faster hardware, software or both?

With the 4.1 release, users get a daughter card for the 8600’s switch processor. Basically we’ve put faster processors in it. When you get down to it, convergence time is about how fast the switch can process packets.

More specifically, we’ve optimized the timers in the SMLT code, in terms of how long the switch takes to re-converge network links. The main part of the optimization is in how we’ve prioritized SMLT traffic over other traffic types on the switch. But the faster hardware is obviously also a key to it.