Hong Kong Computer Society - enterpriseinnovation.net

More documents

Recommendations

Info

TECHREVIEW HP blade takes a stab at Cisco ProCurve security blade integrates firewall, IPS, VPN By David Newman, Network World (US) HP has an alternative to the many security appliances that combine firewall, intrusion prevention and VPN functions: Just put a single blade in the vendor’s ProCurve switch and be done with it. We assessed the HP ProCurve Threat Management Services zl module (TMS) in terms of its features, usability and performance. What we found is a welldesigned, easy-to-use implementation that packs most common security functions into a small form factor. The TMS lacks some newer security features, such as reputation filtering, and its forwarding performance can charitably be called modest. But for network managers facing budget constraints, the TMS represents a viable way to add security without adding more boxes. The TMS is a single-slot blade for HP’s ProCurve 5400zl and 8212zl modular switches. It supplies three security functions: stateful firewall, intrusion prevention system (IPS) and VPN concentrator. We tested the TMS in a ProCurve 5406zl chassis. The ProCurve 5406zl chassis Multipurpose security devices are nothing new, but it’s unusual to see all three functions in one switch module. For example, Cisco’s ASA 5500 multifunction security appliances are not integrated into Cisco’s switches. And Cisco sells separate firewall and IPS security blades for its Catalyst 6500 switches, but those are higher-end devices with bigger performance numbers and bigger price tags. Ubuntu under the hood The TMS is powered by Ubuntu Linux running on a 2.2-GHz Intel Core 2 Duo “Merom” CPU and 4GB of RAM. Those are laptop specs, not surprising considering the TMS’ small size. This engine is plenty fast for screening traffic on most Internet connections but won’t necessarily keep up with LAN traffic from numerous switch ports. Configuration can be done through a Web-based GUI or the command-line interface (CLI). Initial virtual LAN (VLAN) setup must be done on the switch rather than the TMS. Network architects will need to think carefully about which segments to protect: The TMS currently supports a maximum of 19 VLANs, though HP says an increase to 250 VLANs is expected soon. Once switch setup is complete, the TMS handles all tasks for traffic it protects, including IP routing as well as security monitoring. The TMS supports Open Shortest Path First and Routing Information Protocol routing as well as its security functions. The TMS is a true application-layer gateway, something we verified by configuring a rule allowing HTTP traffic and then hitting it with non-HTTP packets destined to TCP Port 80. Because they were not part of any valid HTTP session, the firewall correctly dropped these packets. The IPS function combines signatureand anomaly-based threat detection. Curiously, the anomaly-based controls are binary: All anomaly checks are either always on or off, depending on whether the IPS is enabled. In contrast, signatures can be individually enabled and disabled. Always-on anomaly checking is a good thing, though presumably it has some performance cost. The signature library comprises nearly 5,000 entries grouped into a dozen vulnerability categories such as backdoors, viruses, malware, and recon attacks. HP offers a subscription service to update signatures. The VPN concentrator function focuses mainly on setting up IPSec tunnels, though the TMS also supports generic routing encapsulation (GRE) tunneling using firewall rules. It also supports layer-2 tunneling protocol (L2TP) in conjunction with IPSec. 52 Computerworld Hong Kong Nov 2009 www.cw.com.hk
TECHREVIEW Test results In performance and security testing, we assessed the TMS both as a firewall and combined firewall/IPS. Due to time and hardware constraints, we did not test two other TMS features: High availability and IPSec-based VPNs. We evaluated TMS performance with stateless UDP and stateful TCP tests. UDP testing produces best-case numbers, but TCP testing is a far better predictor of performance in enterprise settings. HTTP forwarding rates are a measure of how fast users get their Web content. In firewall-only mode, the TMS moved Web traffic to 500 simulated users at around 1.677Gbps. That’s lower than the 3Gbps claimed on the TMS’s data sheet, probably because that number was obtained with UDP. Since TCP traffic is stateful, the firewall consumes more cycles keeping track of each connection. When we tested with the TMS configured as a firewall and IPS, HTTP transfer rates fell to 1.206Gbps, around 28% slower than in firewall-only mode. This IPS performance penalty is not unusual; in fact, it’s consistent with prior Network World tests. Our final rate test involved HTTP traffic blended with an attack from the Net Results HP ProCurve Threat Management Series ZL module HP, www.hp.com Score: 3.8 Pros: Combines firewall, VPN and IPS in one blade, easy to use, high TCP scalability Cons: Low forwarding rates; fit and finish bugs in UI Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available Spirent TestCenter application. We used a variation on the well-known Code Red attack against Microsoft’s IIS Web server on the principle that any IPS should be able to block it. As a twist, we used a Code Red variant that seeks to cloak itself within a stream of malformed Unicode characters. Commendably, the HP blade recognized the cloaking effort for what it was and dropped attack traffic before Code Red could install itself. The IPS A well-designed, easy-to-use implementation that packs most common security functions into a small form factor correctly logged the attack while forwarding HTTP traffic at 1.138Gbps, or around 6% slower than the same test without attacks. However, the actual performance cost is really only 4%, since attack traffic comprised 2% of the total. So, even though the TMS is a modest performer relative to the switches that house it, it may well be adequate depending on the traffic rates it handles. HP says higher rates are possible by using up to four TMS modules in a switch chassis and assigning separate security zones to each chassis, but we did not verify this. Forwarding rates are only one measure of performance. We also examined connection setup rate and concurrent connections. For enterprises with e-commerce and other transaction-based applications, connection setup rate often is more important than forwarding rate. As a firewall, the TMS set up 18,000 new connections per second (cps), easily exceeding HP’s claim of 15,000. As a firewall and IPS, the security blade set up around 7,000 cps, around 2.5 times slower than the firewall-only rate. Our final performance test measured the maximum number of connections the firewall can track at any one time. This is a key metric for large server farms and transaction-processing applications. HP says the TMS can handle up to 600,000 concurrent TCP connections. The TMS came close to that figure, with an average of 569,000 connections established in firewall mode and 574,000 connections in firewall/IPS mode. In a few other test trials, the firewall/IPS number was around the same or slightly lower. In any event, connection capacity is one measure where intrusion prevention extracts no higher cost. Rather than pure performance, integration of multiple security functions is the TMS’s major feature. It’s a good choice for network professionals looking to add multiple security functions into the switched and routed infrastructure, especially where adding yet another box isn’t an option. 3 Newman is president of Network Test, a benchmarking and network design consultancy. He can be reached at dnewman@networktest.com www.cw.com.hk Nov 2009 Computerworld Hong Kong 53
Page 1 and 2: viewpoint Should IP addresses const
Page 3 and 4: c o n t e n t s November 2009 Cover
Page 5 and 6: www.cw.com.hk Nov 2009 Computerworl
Page 7 and 8: Nov 2009 Computerworld Hong Kong 7
Page 9 and 10: ‘Maximize IT Efficiency in Virtua
Page 11 and 12: Sponsored Feature Phoenix TV deploy
Page 13 and 14: www.cw.com.hk .com.h mhk Nov 2009 C
Page 15 and 16: Sponsored Feature Since 90% of the
Page 17 and 18: HKCS: 40 years COVERSTORY gramming
Page 19 and 20: With Compliments of Jardine OneSolu
Page 21 and 22: apidly escalated and the bank upgra
Page 23 and 24: With the Compliments of www.cw.com.
Page 29 and 30: ICL mainframes formed the core of g
Page 31 and 32: HKCS: 40 years Broad impact Interes
Page 33 and 34: HKCS: 40 years COVERSTORY to date:
Page 37 and 38: HKCS: 40 years COVERSTORY www.cw.co
Page 39 and 40: Sponsored Feature Kingdee’s ERP s
Page 41 and 42: Sponsored Feature Fuji Xerox‘s S
Page 43 and 44: year alone can justify its Windows
Page 45 and 46: Virtual Office: The Benefits of an
Page 47 and 48: A Computerworld HK event 9 November
Page 49 and 50: WHO SHOULD ATTEND Vice Presidents,
Page 51: threat—according to researcher CN
Page 55 and 56: For enquiries, please call Connie Y
Page 57 and 58: VIEWPOINT CHARLES MOK Should IP add
Page 59 and 60: Hong Kong’s Source of IT Insight

Hong Kong Computer Society - enterpriseinnovation.net

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?