By Simon Duddy
Split personality

The rush among switch vendors to stick security feathers in their hats has ruffled the enterprise market in the region. These new security-hardened products are to be welcomed, but how far is the enterprise prepared to accept speeds-and-feeds players as a genuine force in the security arena?
The push from switch vendors in the last few years to build robust security solutions has been one of the more dramatic, if predictable, trends in the networking business. These vendors have kept their ears very close to the ground and in response to CIOs and CEOs consistently placing security at the top of their list of priorities, they have elevated security to the top of their agendas.
This has resulted in a quickening of internal development on security and, more visibly, a flurry of acquisitions, including Juniper buying Netscreen, 3Com acquiring TippingPoint and Cisco snapping up Protego Networks.
This activity has been bearing fruit for some time, notably in the form of Cisco’s Network Admission Control (NAC) initiative. This integrates security policy into the LAN, and with it businesses can identify devices that attempt to access the network, denying those that are unauthorised. To its credit, Cisco has been working very closely with antivirus and other security vendors in this initiative to make the technology as standards-based as possible.
However, Cisco is not the only networking player active in this area. Last month, Network Middle East covered Extreme’s release of the Sentriant product, which while collaborating with Extreme’s core switches, brings traffic analysis into the network.
Furthermore, 3Com last week announced a new line of switch products featuring similar technology culled from its recent acquisition of intrusion specialist TippingPoint.
These switch vendors have been quick to point out that the benefit of having security inspection integrated into the switching infrastructure is that it can scan traffic without slowing it down. In contrast, standalone intrusion prevention devices and blades typically have to slow traffic down to around 1Gbytes/s to inspect it thoroughly. With 10Gigabit networks becoming more prevalent, the switch vendors are hoping to hijack the market by offering protection at line speed.
This is a bold move but before customers leap in with the switch vendors on this, they should carefully assess the actual performance of these systems. Traditionally, IT managers have been conditioned to expect that the faster the throughput is, the less thorough the inspection will be. If these new products seem too good to be true, that may well be because they are.
Customers need to look carefully at the marketing speak and ascertain whether the 10Gigabit throughput is maintained with full inspection going on, or at some reduced strength ‘lite’ version.
Customers should also look at the compatibility of the solution. If it only works with same vendor kit, it will be of little use in a heterogeneous environment, as the network is only ever as fast, or as safe, as its slowest or weakest link.
The standalone security appliance vendors, such as SonicWall and ISS, have the most to lose from switch players muscling in on their action and have not been slow to retaliate, saying that infrastructure vendors are only in it for the money.
The argument goes that security is a more dynamic market than infrastructure with products changing more frequently and that switch players are building security into products to allow them to speed up their sales cycles.
ISS also recently claimed that if network people are left in charge of security considerations, it would be like putting the fox in charge of the henhouse. The vendor sees network people as focused on speed, and sees this thinking as difficult to reconcile with the need for stringent security.
There is certainly room for security on switches but end users have to be careful in considering switching products with security features as they can have far-reaching implications for their security policy.
The security policy must be central and any infrastructure buys must fit into it, rather than the other way around. It’s a bit like a football team signing a gifted but erratic player. He might be brilliant but he will disrupt the rest of the team. And if there is any part of the enterprise IT setup that MUST be regarded as a team effort, it is security. At the end of the day, if a security product or solution isn’t a team player then it should be left in the changing rooms.