HP makes push for network stability

Hardware-heavy ProCurve Access Control Solution a step in the right direction

These days, network stability means more than just making sure links are available and the proper routes are in place. A single workstation on a network segment can easily wreak havoc following a virus or worm infection, as continuous attempts to infect neighboring systems consumes enormous bandwidth on the LAN — and eventually the WAN or Internet circuit.

Many vendors are trying to solve this access-control problem, generally by pushing 802.1x link authentication, which requires authentication to a central directory to connect to the network in the first place. This can greatly increase the security on an internal network, but it requires more moving parts and user interaction to be functional.

To combat this situation, HP is touting the newest tools in its ProCurve switching line, including active virus-throttling and identity-driven access controls. The hardware-heavy solution is rather daunting in scope and requires HP gear throughout the network, but some of its parts can be divorced from the overall package and used in conjunction with network hardware from other vendors. Overall, ProCurve Access Control Security Solution may be a sign of good things to come.

Piece by piece

HP sent me a rackful of ProCurve gear to evaluate, including the ProCurve 5300xl modular switch with a Gigabit Ethernet blade and a 10/100 PoE (power over Ethernet) blade, a ProCurve 760wl wireless access controller, a ProCurve 7203dl WAN router, and the ProCurve 420wl wireless AP.

Taken as a whole, ProCurve Access Control Security Solution is impressive. The 5300 provides eight half-width slots for line cards, with a single slot used for the management blade. The 10/100 PoE blade in the 5300 is rather odd, requiring the ProCurve 600 RPS (Redundant Power Supply) to provide juice to the network ports. Apparently it’s impossible to provide enough power to the PoE blade through the 5300 chassis itself, so HP fitted this blade with a front EPS (External Power Supply) power connector to bump up the available wattage. It works, but is less than attractive and can cause cable management headaches, especially in a fully populated chassis.

The 5300xl series is available in a few different chassis flavors. I tested the 5304xl, a four-slot 5300xl chassis. Each slot can be populated by a variety of blades, such as the 24–port 10/100 blade or the four-port 10/100/1000 blade.

The 5304xl has a 38.4Gbps switching fabric and a top end of 24mpps (million packets per second). These numbers are rather light for a core layer-3 switch, and the blade count and port density are also limited when compared with chassis-based switches from the competition, such as Cisco’s 4500 or 6500 series and Foundry Networks’ BigIron switching family.

The wireless side of the equation is handled by the ProCurve 760wl, tasked with providing security policy management and configuration as well as policy enforcement across the whole wireless network. The 760wl is built around a FreeBSD core, and thus is really a server with an internal hard disk. This is an Achilles’ heel when it comes to fault tolerance, but the 760wl can be implemented in an active/passive fail-over configuration to mitigate risk of failure. Configuration and management of the appliance is accomplished via ProCurve Manager, which allows admins to oversee the whole network.

The heart of the Access Control Security Solution, however, lies in the ProCurve SAMIDM (Secure Access Management/Identity Driven Management) server component. HP has boiled down 802.1x authentication into a layer on an existing RADIUS server and wrapped the whole thing in a Windows GUI. ProCurve SAMIDM handles common policy creation and application, giving you the ability to define policies based on an identity that exists in a central directory.

Calling on the virus cops

First on the testing block was the virus-throttling feature. This is implemented on the 5300xl itself, and occurs at a router boundary, not within the switching hardware.

At the core of this solution is dynamic ACL (access control list) generation based on network usage patterns. If a system on one network segment breaks the rules and begins attempting connections to hundreds of hosts on the network (as it would if infected with a virus), the router will drop in an ACL, preventing access to and from that IP address, effectively throttling — shutting down — that system. The 5300xl then sends alerts to admins so they can locate and repair the offending system.

This ACL generation is curious, as the resulting ACL lines aren’t present in the configuration, and references to blocked hosts are only visible via the manager application. It is very configurable, however: Admins set virus-throttling policies to permit access to specific hosts and TCP ports. The policies will be adhered to even when the switch throttles a system.

For instance, a user in HR can be allowed access to internal applications and databases while the switch is dynamically blocking all other traffic to and from the user’s system. This requires that ProCurve 5300xl layer–3 switching exist at the core of the network, but the edge switching hardware can be from any vendor. Thus, it’s possible to implement the virus-throttling feature on an existing non-HP network, but any core layer–3 switches will need to be replaced by the 5300xl, which may not be realistic for budgetary and political reasons.

Under lock and key

With this solution’s identity-driven management, admins can dictate specific network utilization policies based on user authentication via RADIUS attributes and the 802.1x protocol.

As with any 802.1x implementation, the authentication and authorization back end is RADIUS with hooks into a central directory. In the case of ProCurve Identity Driven Manager, all the RADIUS services are housed within the server-side component, which works with an existing RADIUS server such as Microsoft’s IAS (Internet Authentication Service) or Funk Software’s Steel-Belted RADIUS.

These tools boil down the requisite 802.1x/RADIUS attribute configuration tasks to a relatively simple point-and-click GUI. This level of access control has been possible for quite a while, but the integration management tools in HP’s solution make it easier to implement. Unfortunately, they also make access control slightly less configurable due to the simplified abstraction of core RADIUS attributes.

HP is truly engaged in the drive to provide a high degree of security and management at the network edge. ProCurve Access Control Security Solution isn’t there quite yet, given its preference for end-to-end HP equipment and high price. Nevertheless, HP’s work on open-standards infrastructure components is laudable, and it truly seems to have a desire to wrestle this access-control beast on behalf of network admins everywhere. If HP succeeds, the results should be outstanding.

InfoWorld Scorecard
Configuration (20.0%)
Management (20.0%)
Scalability (20.0%)
Performance (30.0%)
Value (10.0%)
Overall Score (100%)
HP ProCurve Access Control Security Solution 8.0 8.0 7.0 8.0 8.0 7.8