Enterasys Networks this week is scheduled to announce capabilities on its LAN edge switches that will let administrators effectively cut off virus-infected or virus-vulnerable machines trying to access corporate resources.

The vendor’s Trusted End-System Solution (TES) technology combines Enterasys hardware with client- and server-based endpoint assessment software from Zone Labs and Sygate to let each switched Ethernet port act as a security gateway into an enterprise network.

TES works with Zone Labs’ Integrity products and Sygate’s Secure Enterprise software suite, in conjunction with Enterasys Matrix C-, E- and N-series and wiring closet switches. This system also is tied closely to Enterasys’ Netsight Atlas Policy Manager, which is a server-based network policy management suite used to set up network profiles and policies for end users and to define what resources they can access. Enterasys earlier this year announced the ability for its Policy Manager to enforce access rules on switches, based on alerts from the vendor’s Dragon intrusion-detection system (IDS) products.

TES comes on the heels of Cisco’s announcement of router-based support for its Network Admission Control (NAC) technology, which uses client anti-virus software partner products to help enforce remote network access on Cisco routers. Cisco also said it would support switch-based port blocking via NAC in 2005. Alcatel also has a switch technology in the works for quarantining worm-infected machines into a secure virtual LAN (VLAN). Nortel’s BayStack switches also can utilize IDS and anti-virus technology from third-party vendors to block unsafe clients.

This trend in network switch technology is based on increasing user demand for tools to lock down LANs.

“We need a way to push security policies out to [LAN] edge switches and do it in a way that doesn’t require as much manager intervention,” says Mike Hawkins, associate director of networking at the University of North Carolina, Chapel Hill.

Alcatel OmniStack, Cisco Catalyst and Enterasys Matrix switches are deployed in real-world environments throughout the flagship UNC campus, which supports 50,000 users, and has 75,000 Ethernet LAN ports and 400 wireless LAN access points, Hawkins says.

“We have a particularly nasty network,” he says, “in the sense that we have users coming online with a lot of bad stuff.” This includes unpatched Windows machines and virus-infected PCs. “Not one solution will hit all the things we need to hit.”

UNC is looking to augment its current IDS, anti-virus and security appliance infrastructure with an intelligent LAN edge switch that can provide port-level security to connected users. Hawkins says that so far, Enterasys is ahead of the game.

Enterasys’ TES technology uses client software from Sygate or Zone Labs to audit every corporate PC or laptop attaching to the company. When a client logs on, an assessment server from either of the two vendors provides a first line of defense, even before clients obtain Layer 2 network access or an IP address from a Dynamic Host Configuration Protocol server.

This approach is similar to what Alcatel, Cisco and Nortel have announced as future plans. Regarding Cisco’s NAC push, “this is not a me-too announcement from Enterasys,” says Abner Germanow, a research director at IDC.

Cisco and Alcatel have outlined plans to secure networks by quarantining potentially dangerous users with VLAN technology on their respective LAN switches.

Enterasys ties network enforcement to its Policy Manager product, which can provide a finer level of network access authentication and privileges, according to the company.

Instead of denying all access to dangerous users or shunting them into a quarantine VLAN bucket with limited network access, TES can assign a pre-defined network identity to potentially unsafe clients, according to John Roese, CTO at Enterasys. He says this method is easier to deploy and manage because it does not require setting up special VLANs on a network. Also, assigning user-based policies allows for a tighter level of control than the admit/deny/quarantine approach competitive switch makers are adopting, he says.