HP makes push for network stability
Hardware-heavy ProCurve Access Control Solution a step in the right direction
The heart of the Access Control Security Solution, however, lies in the ProCurve SAMIDM (Secure Access Management/Identity Driven Management) server component. HP has boiled down 802.1x authentication into a layer on an existing RADIUS server and wrapped the whole thing in a Windows GUI. ProCurve SAMIDM handles common policy creation and application, giving you the ability to define policies based on an identity that exists in a central directory.
Calling on the virus cops
First on the testing block was the virus-throttling feature. This is implemented on the 5300xl itself, and occurs at a router boundary, not within the switching hardware.
At the core of this solution is dynamic ACL (access control list) generation based on network usage patterns. If a system on one network segment breaks the rules and begins attempting connections to hundreds of hosts on the network (as it would if infected with a virus), the router will drop in an ACL, preventing access to and from that IP address, effectively throttling — shutting down — that system. The 5300xl then sends alerts to admins so they can locate and repair the offending system.
This ACL generation is curious, as the resulting ACL lines aren’t present in the configuration, and references to blocked hosts are only visible via the manager application. It is very configurable, however: Admins set virus-throttling policies to permit access to specific hosts and TCP ports. The policies will be adhered to even when the switch throttles a system.
For instance, a user in HR can be allowed access to internal applications and databases while the switch is dynamically blocking all other traffic to and from the user’s system. This requires that ProCurve 5300xl Layer 3 switching exist at the core of the network, but the edge switching hardware can be from any vendor. Thus, it’s possible to implement the virus-throttling feature on an existing non-HP network, but any core Layer 3 switches will need to be replaced by the 5300xl, which may not be realistic for budgetary and political reasons.
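As an added illustration (not HP's code, and not a description of how the 5300xl implements the feature internally), here is a small Python model of the behaviour described above: count the distinct destinations each source contacts inside a sliding window, install a dynamic block ACL when the fan-out exceeds a threshold, and keep the policy-permitted host/port pairs reachable while the host is throttled. The window, threshold, addresses, ACL syntax and flow records are all constructed assumptions.

```python
from collections import deque

# Constructed sample flow records (timestamp_s, src_ip, dst_ip, dst_port); not real traffic.
# 10.0.1.5 behaves normally; 10.0.1.7 fans out to dozens of hosts the way a scanning worm would.
SAMPLE_FLOWS = [(0, "10.0.1.5", "10.0.2.10", 443), (1, "10.0.1.5", "10.0.2.11", 80)]
SAMPLE_FLOWS += [(1 + i // 5, "10.0.1.7", f"10.0.3.{i + 1}", 445) for i in range(30)]
SAMPLE_FLOWS += [(31, "10.0.1.7", "10.0.9.1", 1433),   # HR database: permitted by policy
                 (32, "10.0.1.7", "10.0.4.4", 80)]      # ordinary web traffic: dropped while throttled

# Policy exceptions that stay reachable even while a host is throttled: (dst_ip, dst_port).
ALLOWED = {("10.0.9.1", 1433)}
WINDOW_S = 10          # sliding window for counting distinct destinations (assumed value)
MAX_NEW_HOSTS = 20     # distinct destinations per window that trigger a throttle (assumed value)


def dynamic_acl(src_ip, allowed):
    """Render the ACL a throttle would install (generic extended-ACL syntax, for illustration):
    policy permits first, then a full deny in both directions."""
    lines = [f"permit tcp host {src_ip} host {dst} eq {port}" for dst, port in sorted(allowed)]
    return lines + [f"deny ip host {src_ip} any", f"deny ip any host {src_ip}"]


def throttle_decisions(flows, allowed=ALLOWED, window_s=WINDOW_S, max_new_hosts=MAX_NEW_HOSTS):
    """Replay flows in time order; return (per-flow verdicts, {throttled_src: acl_lines})."""
    recent = {}       # src_ip -> deque of (ts, dst_ip) seen inside the window
    throttled = {}    # src_ip -> installed ACL lines
    verdicts = []
    for ts, src, dst, port in sorted(flows):
        if src in throttled:
            ok = (dst, port) in allowed
            verdicts.append((ts, src, dst, port, "permit-policy" if ok else "drop-throttled"))
            continue
        seen = recent.setdefault(src, deque())
        while seen and ts - seen[0][0] > window_s:      # age out entries older than the window
            seen.popleft()
        if dst not in {d for _, d in seen}:              # only distinct destinations count
            seen.append((ts, dst))
        if len(seen) > max_new_hosts:                    # fan-out exceeds the threshold
            throttled[src] = dynamic_acl(src, allowed)
            verdicts.append((ts, src, dst, port, "drop-throttled"))   # the triggering flow is blocked too
        else:
            verdicts.append((ts, src, dst, port, "permit"))
    return verdicts, throttled


if __name__ == "__main__":
    verdicts, throttled = throttle_decisions(SAMPLE_FLOWS)
    for src, acl in throttled.items():
        print(f"ALERT: {src} throttled; dynamic ACL:\n  " + "\n  ".join(acl))
    print(sum(v[4] == "drop-throttled" for v in verdicts), "flows dropped")
```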
Under lock and key
With this solution’s identity-driven management, admins can dictate specific network utilization policies based on user authentication via RADIUS attributes and the 802.1x protocol.
As with any 802.1x implementation, the authentication and authorization back end is RADIUS with hooks into a central directory. In the case of ProCurve Identity Driven Manager, all the RADIUS services are housed within the server-side component, which works with an existing RADIUS server such as Microsoft’s IAS (Internet Authentication Service) or Funk Software’s Steel-Belted RADIUS.
These tools boil down the requisite 802.1x/RADIUS attribute configuration tasks to a relatively simple point-and-click GUI. This level of access control has been possible for quite a while, but the integration management tools in HP’s solution make it easier to implement. Unfortunately, they also make access control slightly less configurable due to the simplified abstraction of core RADIUS attributes.
HP is truly engaged in the drive to provide a high degree of security and management at the network edge. ProCurve Access Control Security Solution isn’t there quite yet, given its preference for end-to-end HP equipment and high price. Nevertheless, HP’s work on open-standards infrastructure components is laudable, and it truly seems to have a desire to wrestle this access-control beast on behalf of network admins everywhere. If HP succeeds, the results should be outstanding.