These days, network stability means more than just making sure links are available and the proper routes are in place. A single
workstation on a network segment can easily wreak havoc following a virus or worm infection, as continuous attempts to infect
neighboring systems consume enormous bandwidth on the LAN — and eventually the WAN or Internet circuit.

HP ProCurve Access Control Security Solution
Hewlett-Packard, hp.com
Good 7.8

| Criteria | Score | Weight |
|---|---|---|
| Performance | 8 | 30% |
| Configuration | 8 | 20% |
| Management | 8 | 20% |
| Scalability | 7 | 20% |
| Value | 8 | 10% |

Cost: $28,011 as tested, with the PCM+/IDM 1.6 suite, a 420wl AP, 7203dl Secure Router, 760wl Integrated Access Manager, ProCurve
600 RPS, ProCurve 5304xl modular switch with one 24-port 10/100 module, 24-port 10/100 PoE module, four-port 10/100/1000 module,
Access Controller XL module
Platforms: Windows management UI
Bottom Line: HP has accomplished much in the integrated ProCurve security architecture, but the end-to-end buy-in might prove to be rather
steep. The virus-throttling feature is well-done, but the ProCurve switching hardware platform is simply long in the tooth
and needs an overhaul.
Many vendors are trying to solve this access-control problem, generally by pushing 802.1x link authentication, which requires
authentication to a central directory to connect to the network in the first place. This can greatly increase the security
on an internal network, but it requires more moving parts and user interaction to be functional.

To combat this situation, HP is touting the newest tools in its ProCurve switching line, including active virus-throttling
and identity-driven access controls. The hardware-heavy solution is rather daunting in scope and requires HP gear throughout
the network, but some of its parts can be divorced from the overall package and used in conjunction with network hardware
from other vendors. Overall, ProCurve Access Control Security Solution may be a sign of good things to come.

Piece by piece

HP sent me a rackful of ProCurve gear to evaluate, including the ProCurve 5300xl modular switch with a Gigabit Ethernet blade
and a 10/100 PoE (power over Ethernet) blade, a ProCurve 760wl wireless access controller, a ProCurve 7203dl WAN router, and
the ProCurve 420wl wireless AP.

Taken as a whole, ProCurve Access Control Security Solution is impressive. The 5300 provides eight half-width slots for line
cards, with a single slot used for the management blade. The 10/100 PoE blade in the 5300 is rather odd, requiring the ProCurve
600 RPS (Redundant Power Supply) to provide juice to the network ports. Apparently it’s impossible to provide enough power
to the PoE blade through the 5300 chassis itself, so HP fitted this blade with a front EPS (External Power Supply) power connector
to bump up the available wattage. It works, but is less than attractive and can cause cable management headaches, especially
in a fully populated chassis.

The 5300xl series is available in a few different chassis flavors. I tested the 5304xl, a four-slot 5300xl chassis. Each slot
can be populated by a variety of blades, such as the 24-port 10/100 blade or the four-port 10/100/1000 blade.

The 5304xl has a 38.4Gbps switching fabric and a top end of 24mpps (million packets per second). These numbers are rather
light for a core layer-3 switch, and the blade count and port density are also limited when compared with chassis-based switches
from the competition, such as Cisco’s 4500 or 6500 series and Foundry Networks’ BigIron switching family.

The wireless side of the equation is handled by the ProCurve 760wl, tasked with providing security policy management and configuration
as well as policy enforcement across the whole wireless network. The 760wl is built around a FreeBSD core, and thus is really
a server with an internal hard disk. This is an Achilles’ heel when it comes to fault tolerance, but the 760wl can be implemented
in an active/passive fail-over configuration to mitigate risk of failure. Configuration and management of the appliance are
accomplished via ProCurve Manager, which allows admins to oversee the whole network.

The heart of the Access Control Security Solution, however, lies in the ProCurve SAMIDM (Secure Access Management/Identity
Driven Management) server component. HP has boiled down 802.1x authentication into a layer on an existing RADIUS server and
wrapped the whole thing in a Windows GUI. ProCurve SAMIDM handles common policy creation and application, giving you the ability
to define policies based on an identity that exists in a central directory.