3 Questions: Protect switches and routers

Embedding security functions into switches and routers controls capital cost.

By Terry Sweeney

With John Roese, CTO of Enterasys, a vendor of network infrastructure equipment, which has undertaken an effort to equip its switches and routers with additional layers of security.

This interview originally appeared in the IT Business Edge weekly report on Fortifying Network Security. To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit

Question: There's been a lot of discussion about protecting more than the perimeter of enterprise networks. And while everyone agrees in principle that more security is better, there is the reality of budgets and even some questions about practicality. Does it really make sense to protect all your switches and routers?

Roese: In our approach to secure networking, we are focused on embedding the functions into the switches and routers rather than adding additional components. That controls the capital cost of expanding security to the infrastructure so that the difference between doing it and not doing it is minimal (in fact, many of our secure network solutions cost less than our competitors' insecure solutions).

The second expense, the operational expense, is more important, though. One of the huge differences Enterasys has is that for the past 10 years we have focused on simplifying the management of this type of system so that the operational cost is generally lower than even a competitor's insecure network. An example: Through our NetSight Atlas policy manager, the rules of a very large system of network devices can be controlled and changed with a single action even when multiple types of devices are present. This "one click equals 1,000 actions" approach has allowed big customers of ours (50,000- to 100,000-node networks) to manage and operate very advanced secure networks with lower numbers of IT people than our competitors need for substantially smaller and less sophisticated systems.

An alternative approach such as Cisco's CNAC requires that the IT group put software on every desktop system to even begin to secure the network (at a much less functional level than even our simplest solutions). The cost of the agents (free to hundreds of dollars per PC) and the administrative cost to deploy and manage end-system software are huge and, we believe, a barrier to adoption, vs. our approach with secure networking, where we typically see a decrease in overall operational cost once deployed.

Question: Some vendors envision a triangulation of sorts among intrusion detection, the network, and infrastructure systems to improve upon network security. Can this really be done without adding significant overhead, both in terms of personnel and technology?

Roese: Yes, our Dynamic Intrusion Response Solution allows the IDS systems to detect anomalies, and then talk to the policy management systems that then locate the offending station down to the ingress port, where policy is then adjusted to enforce the predefined or selected action to suppress, isolate, or eliminate the security breach. The additional overhead is in preconfiguring desired dynamic behaviors, but the saved overhead far outweighs this in that no longer do you need to manually interact between IDS and policy or manually locate the offending station, or manually exert policy changes to react. In fact, the Dynamic Intrusion Response can react in seconds to threats detected; manual processes typically take hours of valuable IT staff time.
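The response loop Roese describes (IDS raises an alert, the policy manager resolves the source to a switch and ingress port, a preconfigured action is applied at that port) can be sketched as a small simulation. The following is an added illustration written for this page; it is not Enterasys code and does not use any NetSight or Dynamic Intrusion Response API. The IDS line format, the host-location table, the switch and port names, and the playbook of actions are all constructed for the example. It also adds the check a practitioner would want before letting such a loop act on its own: alerts below a per-signature severity threshold, alerts with no playbook entry, and sources the policy manager cannot locate are queued for human review rather than enforced.

```python
"""Simulated IDS-to-policy response loop (hypothetical; not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: where the policy manager believes each host is attached.
# Maps host IP -> (switch name, ingress port). Names are invented for the example.
HOST_LOCATIONS: Dict[str, Tuple[str, str]] = {
    "10.20.30.41": ("sw-floor2-a", "ge-0/0/17"),
    "10.20.30.58": ("sw-floor2-b", "ge-0/0/3"),
    "10.20.40.7": ("sw-floor4-a", "ge-0/0/22"),
}

# The "preconfigured dynamic behaviours": alert signature -> (action, minimum
# severity at which the action fires automatically instead of being queued).
PLAYBOOK: Dict[str, Tuple[str, int]] = {
    "worm_propagation": ("isolate", 6),          # move the port to a quarantine VLAN
    "port_scan": ("suppress", 5),                # rate-limit traffic on the port
    "credential_brute_force": ("eliminate", 8),  # administratively shut the port
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    signature: str
    severity: int
    src_ip: str
    dst_ip: str


def parse_alert(line: str) -> Alert:
    """Parse one constructed IDS line: '<timestamp> sig=... sev=... src=... dst=...'."""
    timestamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return Alert(timestamp, kv["sig"], int(kv["sev"]), kv["src"], kv["dst"])


def locate_ingress_port(ip: str) -> Optional[Tuple[str, str]]:
    """Resolve a source address to (switch, port); None if the host is unknown."""
    return HOST_LOCATIONS.get(ip)


def decide_action(alert: Alert) -> Tuple[str, str]:
    """Return (action, reason). Anything not covered by the playbook goes to review."""
    entry = PLAYBOOK.get(alert.signature)
    if entry is None:
        return "review", "no playbook entry for signature"
    action, min_severity = entry
    if alert.severity < min_severity:
        return "review", f"severity {alert.severity} below threshold {min_severity}"
    return action, "playbook"


def respond(alert: Alert) -> Dict[str, str]:
    """Combine the playbook decision with port location; never enforce blindly."""
    action, reason = decide_action(alert)
    location = locate_ingress_port(alert.src_ip)
    if action != "review" and location is None:
        # Enforcing on a guessed port could cut off an innocent user, so queue it.
        action, reason = "review", "source not found in host-location table"
    result = {"src": alert.src_ip, "signature": alert.signature,
              "action": action, "reason": reason}
    if location is not None:
        result["switch"], result["port"] = location
    return result


def process_feed(lines: List[str]) -> List[Dict[str, str]]:
    """Run every non-empty IDS line through the response loop."""
    return [respond(parse_alert(line)) for line in lines if line.strip()]


# Constructed IDS output for the demonstration.
SAMPLE_FEED = [
    "2004-03-01T10:02:11Z sig=worm_propagation sev=8 src=10.20.30.41 dst=10.20.30.9",
    "2004-03-01T10:02:40Z sig=port_scan sev=3 src=10.20.30.58 dst=10.20.30.1",
    "2004-03-01T10:03:05Z sig=worm_propagation sev=9 src=10.99.0.250 dst=10.20.30.9",
    "2004-03-01T10:03:30Z sig=credential_brute_force sev=9 src=10.20.40.7 dst=10.20.1.10",
    "2004-03-01T10:04:00Z sig=dns_anomaly sev=7 src=10.20.30.58 dst=10.20.1.53",
]

if __name__ == "__main__":
    for outcome in process_feed(SAMPLE_FEED):
        print(outcome)
```

The first and fourth alerts are enforced at the resolved ingress port; the others land in the review queue for three different reasons (low severity, unknown source location, no playbook entry). In a real deployment the `review` path is what keeps a noisy IDS signature from turning into a self-inflicted outage, which is why the per-signature thresholds and the location lookup sit in front of enforcement.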

Question: Apart from Enterasys security solutions, where do you advise customers to spend on locking down their systems and achieving a good ROI in less than 18 months?

Roese: There are many areas that have value. We think that one big one is to decide on and implement a standard method of digital identity. This usually involves directory services and some kind of credential method such as RSA tokens, X.509 certificates, or even biometric identity or smart cards. While this is a big project, it is huge in impact. Once they have a clear common digital identity, they can use it for the operating systems, applications, and network needs related to privacy, access control, and security. Beyond this area, we always encourage customers to spend time on the human aspects or social engineering elements of security; develop a good security policy in HR and educate your employees on proper security methods and usage.
