Hong Kong Computer Society - enterpriseinnovation.net
TECHREVIEW<br />
HP blade takes a stab at Cisco<br />
ProCurve security blade integrates firewall, IPS, VPN<br />
By David Newman, Network World (US)<br />
HP has an alternative to the many security appliances that combine firewall, intrusion prevention and VPN functions: just put a single blade in the vendor’s ProCurve switch and be done with it.<br />
We assessed the HP ProCurve Threat Management Services zl module (TMS) in terms of its features, usability and performance. What we found is a well-designed, easy-to-use implementation that packs most common security functions into a small form factor.<br />
The TMS lacks some newer security features, such as reputation filtering, and its forwarding performance can charitably be called modest. But for network managers facing budget constraints, the TMS represents a viable way to add security without adding more boxes.<br />
The TMS is a single-slot blade for HP’s ProCurve 5400zl and 8212zl modular switches. It supplies three security functions: stateful firewall, intrusion prevention system (IPS) and VPN concentrator. We tested the TMS in a ProCurve 5406zl chassis.<br />
The ProCurve 5406zl chassis<br />
Multipurpose security devices are nothing new, but it’s unusual to see all three functions in one switch module. For example, Cisco’s ASA 5500 multifunction security appliances are not integrated into Cisco’s switches. And Cisco sells separate firewall and IPS security blades for its Catalyst 6500 switches, but those are higher-end devices with bigger performance numbers and bigger price tags.<br />
Ubuntu under the hood<br />
The TMS is powered by Ubuntu Linux running on a 2.2-GHz Intel Core 2 Duo “Merom” CPU and 4GB of RAM. Those are laptop specs, not surprising considering the TMS’ small size. This engine is plenty fast for screening traffic on most Internet connections but won’t necessarily keep up with LAN traffic from numerous switch ports.<br />
Configuration can be done through a Web-based GUI or the command-line interface (CLI). Initial virtual LAN (VLAN) setup must be done on the switch rather than the TMS. Network architects will need to think carefully about which segments to protect: the TMS currently supports a maximum of 19 VLANs, though HP says an increase to 250 VLANs is expected soon.<br />
Once switch setup is complete, the TMS handles all tasks for the traffic it protects, including IP routing as well as security monitoring; alongside its security functions it supports Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) routing.<br />
The TMS is a true application-layer gateway, something we verified by configuring a rule allowing HTTP traffic and then hitting it with non-HTTP packets destined for TCP port 80. Because they were not part of any valid HTTP session, the firewall correctly dropped these packets.<br />
The IPS function combines signature- and anomaly-based threat detection. Curiously, the anomaly-based controls are binary: all anomaly checks are either always on or off, depending on whether the IPS is enabled. In contrast, signatures can be individually enabled and disabled. Always-on anomaly checking is a good thing, though presumably it has some performance cost.<br />
The signature library comprises nearly 5,000 entries grouped into a dozen vulnerability categories such as backdoors, viruses, malware and recon attacks. HP offers a subscription service to update signatures.<br />
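To make the two behaviours above concrete, here is a small inspection pipeline written for this article (example code, not HP's TMS implementation, and it makes no claim about how the module works internally). It models the port-80 test the reviewer ran: a "permit HTTP" rule is enforced by checking that the bytes actually form an HTTP request, so an SSH banner or TLS ClientHello sent to TCP port 80 is dropped at the firewall stage. It then runs an IPS pass in which each signature has its own enable flag while the anomaly checks run as one all-or-nothing group tied to the IPS switch. The signature patterns, anomaly thresholds and sample payloads are all constructed for illustration.

```python
"""Toy TCP/80 inspection pipeline: application-layer HTTP validation, then an
IPS pass mixing per-signature switches with all-or-nothing anomaly checks.
Example code for this article, not HP's TMS code. Sample data is constructed."""
import re

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(1\.[01])\r\n")


def alg_http_check(payload: bytes):
    """Enforce a 'permit HTTP' rule by validating the payload, not the port.
    Returns ("allow", parsed_request) or ("drop", reason). Non-HTTP bytes
    (an SSH banner, a TLS record, random data) are dropped even though they
    are addressed to TCP port 80."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "drop", "payload does not start with an HTTP request line"
    method, target, version = (g.decode() for g in m.groups())
    if method not in HTTP_METHODS:
        return "drop", f"unknown HTTP method {method}"
    head, terminator, body = payload.partition(b"\r\n\r\n")
    if not terminator:
        return "drop", "header block not terminated"
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return "drop", "malformed header line"
        headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return "allow", {"method": method, "target": target, "version": version,
                     "headers": headers, "body": body}


# Signatures carry their own enabled flag. Illustrative patterns only,
# not entries from the TMS library.
SIGNATURES = [
    {"id": "recon-dir-traversal", "pattern": re.compile(r"\.\./"), "enabled": True},
    {"id": "backdoor-shell-cmd", "pattern": re.compile(r"(?i)cmd\.exe|/bin/sh"), "enabled": True},
    {"id": "web-sqli-union", "pattern": re.compile(r"(?i)union\s+select"), "enabled": True},
]


def set_signature(sig_id: str, enabled: bool) -> None:
    """Toggle a single signature, as the review says the TMS allows per entry."""
    for sig in SIGNATURES:
        if sig["id"] == sig_id:
            sig["enabled"] = enabled


def anomaly_checks(req: dict) -> list:
    """Protocol-anomaly checks evaluated as one group: there is no per-check
    switch, mirroring the all-on-or-all-off behaviour described."""
    findings = []
    if req["version"] == "1.1" and "host" not in req["headers"]:
        findings.append("HTTP/1.1 request without Host header")
    if len(req["target"]) > 2048:
        findings.append("oversized request target")
    if req["method"] in ("GET", "HEAD") and req["body"]:
        findings.append("message body on a bodiless method")
    if any(len(v) > 4096 for v in req["headers"].values()):
        findings.append("oversized header value")
    return findings


def ips_scan(req: dict, ips_enabled: bool = True) -> list:
    """Return [(kind, detail), ...]. Signatures honour their own flag;
    anomaly checks run whenever the IPS itself is on."""
    if not ips_enabled:
        return []
    text = (f"{req['method']} {req['target']}\r\n"
            + "".join(f"{k}: {v}\r\n" for k, v in req["headers"].items())
            + "\r\n" + req["body"].decode(errors="replace"))
    hits = [("signature", s["id"]) for s in SIGNATURES
            if s["enabled"] and s["pattern"].search(text)]
    hits += [("anomaly", a) for a in anomaly_checks(req)]
    return hits


def inspect(payload: bytes, ips_enabled: bool = True) -> dict:
    """Full pipeline for one TCP/80 payload: firewall ALG first, then IPS."""
    verdict, detail = alg_http_check(payload)
    if verdict == "drop":
        return {"action": "drop", "stage": "firewall", "reason": detail}
    hits = ips_scan(detail, ips_enabled)
    if hits:
        return {"action": "drop", "stage": "ips", "reason": hits}
    return {"action": "allow", "stage": "ips", "reason": []}


# Constructed sample payloads, all notionally sent to TCP port 80.
SAMPLES = {
    "clean_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_5.1\r\n",
    "tls_client_hello": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01",
    "traversal": b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\nUser-Agent: probe\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18} -> {inspect(payload)}")
```

Running the block shows the split the review describes: the SSH banner and TLS record never reach the IPS because the firewall's protocol check rejects them, the traversal request is allowed by the firewall (it is valid HTTP) but caught by a signature that can be switched off individually, and the Host-less HTTP/1.1 request is caught by an anomaly check that can only be silenced by turning the whole IPS off.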
The VPN concentrator function focuses mainly on setting up IPsec tunnels, though the TMS also supports generic routing encapsulation (GRE) tunneling using firewall rules. It also supports the Layer 2 Tunneling Protocol (L2TP) in conjunction with IPsec.<br />
52 Computerworld Hong Kong Nov 2009 www.cw.com.hk