Baking security into switches

A new switch does present the opportunity to deliver new functionality. But to do so, that switch must be built on new hardware that has greater capabilities native to the switch

Last month, I read about Juniper entering the switch market for the first time and Cisco introducing a new set of data center switches. I'm wondering how these new switches support the idea of building more security into switches?

Both those introductions were well covered by the industry, including in two articles by Network World: (Cisco, Juniper lead switching splash and Juniper's EX: Switch vendors sound off).

The Juniper announcement was widely anticipated, since rumors of it had been swirling for more than a month. And Cisco's news was also expected, with many in the industry looking for the company's data center switches to debut.

Since ConSentry ended up making a switch announcement in a similar timeframe, we had the chance to talk to many industry analysts and some channel partners about all the switching news that hit at once. Many of these folks had anticipated increased security, control, and other advanced functionality to be in these switches - particularly the Juniper switches - so some industry watchers expressed disappointment at the lack of advanced functionality.

What many of these analysts noted was the fact that these switches, particularly the Juniper switches, were built on the same basic hardware infrastructure that switches have been built on for several years. This limitation meant the switches were unable to offer differentiated functionality. For instance, analyst Zeus Kerravala compared both the Cisco and Juniper announcements on his blog, noting that without a compelling feature set, Juniper will face a challenge in attracting new customers based just on the company's switches.

The question is very appropriate, since a new switch does present the opportunity to deliver new functionality. But to do so, that switch must be built on new hardware that has greater capabilities native to the switch. As seems to be the case with Juniper last month, a company can clearly introduce a new switch that's still built on an old architecture and that therefore offers no meaningful differentiation.

The bigger challenge is to deliver switches built on a new architecture - one that fundamentally changes the feature set of the switch. What are some key differences to look for in a new architecture that could enable a switch to offer more built-in security and control? Look for an architecture based on programmable rather than fixed hardware. That big change enables the switch to keep pace with security, control, and other features that are changing on the LAN all the time.

Also look for specific embedded security and control features vs. relying on external or overlay products. A switch, for example, that can automatically learn users' roles in an organization and apply access policies based on those roles. This design requires the switch to actively communicate with the identity store to learn users' roles and to have sufficient processing horsepower to apply policy that incorporates user identity, role, application, and destination.

Another industry analyst, Jim Metzler, discusses these kinds of capabilities, based on an architecture he calls intelligent switching, as being at the forefront of a new generation of switches. He explains what that next-gen switch looks like in detail in his white paper here.

So yes - a new switch does present the opportunity for new capabilities for your organization, but it has to be built on new architecture vs. the decade-old legacy architecture that's still the foundation of even some of the industry's newest switches today.

Jeff Prince is CTO, ConSentry Networks.

Join the newsletter!

Error: Please check your email address.

More about CiscoConSentryJuniper Networks

Show Comments