Recent announcements by all the once-and-future leaders of the network switch market have made it clear: In order to support the business, networks need to be more intelligent. That intelligence starts in the switch.
Last week's major switch product announcements from Cisco Systems Inc. and Juniper Networks showed that building a faster switch isn't the key to building a better switch. More and more vendors are introducing intelligent network switches with strong security functionality built into them. Other types of functionality are clearly on the way.
"I think the roadmap of all switching vendors is to build more and more functionality into the switch," said Zeus Kerravala, vice president of Boston-based Yankee Group. "People have been saying for years that network switching would eventually become a commodity, and it hasn't. The network vendors have done a good job of building more functions into the switch."
Kerravala said intelligent switches offer network managers the ability to scale services such as network security and application control.
"It's just so much easier to scale these services out of the network than it is on an application-by-application or server-by-server basis," he said. "For instance, running antivirus on the network scales very well. You can roll that out over a large scale by having it built into the network. Whereas, if you have to deploy it at every desktop, that takes a lot more work."
Vendors are taking differing approaches to building these intelligent switching technologies. Some offer overlay control systems that work with an existing network infrastructure. Other vendors, such as ConSentry, are offering intelligent switches with network access control and application management technology built right into the architecture of their switches. The overlay approach is obviously cheaper, but Kerravala said the embedded approach taken by ConSentry and some other vendors has its advantages.
"I think the approach of having [security functionality] built into the product makes more sense than having it as an overlay," he said. "To me, it provides better performance and better scalability. You get a better price performance. It's easier to manage than having it be on one set of infrastructure versus two."
By introducing intelligent switches into the edges of his network at the Milpitas, Calif., storage technology vendor Adaptec Inc., global network and telecom manager Lou Owayni is reducing network management overhead while providing more robust service and flexibility for his end users.
Owayni's 1,000-person company began introducing ConSentry's intelligent LANShield switches to the edges of its network last November. Adaptec is slowly rolling it out to all 11 of its global sites. The rollout is part of a major network refresh that was spurred in part by a move to IP telephony. The ConSentry switches are replacing old Cisco switches that used to reside at the edge of his network, but the network core is still Cisco technology, Owayni said.
LANShield switches integrate the concept of identity, such as user and role, into the switch architecture. This allows network managers to create and enforce policies through the switches to improve security and performance.
"Almost all enterprises have this data, they just have no way of taking that data and using it as a way to enforce policy on a network," said Jeff Prince, CTO and co-founder of ConSentry. "We've integrated a way to identify users and devices and attach a role. We've also added a layer for application workflows and a destination concept. All this can be used to define policy and create visibility."
At Adaptec, Owayni has reduced his overhead by integrating his LANShield switches with his Active Directory. "Today, I have multiple points of entry into my network," he said. "I have multiple technologies that I have to administer or have my people administer in order to add a user or remove a user when they come in or leave the environment."
Owayni said the intelligent switching solution will simplify network administration. "If a user is terminated or leaves the company, as soon as we disable that Active Directory account -- since the intelligent switch can understand that this token is no longer valid -- that user cannot come in through the VPN nor through wireless nor through wired or through any which way they want."
The ConSentry switches have allowed Owayni to offer his company's engineers more flexibility with what they do on the network without compromising security and network performance.
"We're a manufacturing company and we're an engineering company," he said. "We have a lot of engineers that need to do certain things that might not be kosher on our network. So we have separated production from the lab environment. With the ConSentry switches, it's a much easier and robust way of doing it. Engineers are testing new stuff. They're doing transfers of huge files and testing applications between sites. The engineers are testing to break things in order to see if our products can go out on the market. They're doing things that I really don't want to have mixed up with my production network."
The ConSentry switches can identify a user as an engineer. No matter where that engineer is and what device he is using, the switches recognize him and his role and automatically restrict what parts of the network he can touch. Thus, the engineer can continue with his work without threatening parts of the company that can't afford to be touched by his experiments.
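The model the article describes here, and in the Active Directory discussion above, is a switch that resolves the user behind a session to a directory role and decides per destination segment, so that the same rules apply on wired, wireless and VPN paths and disabling the account revokes access everywhere. The following is an added example written for this page, not ConSentry's or Adaptec's code: an in-memory dictionary stands in for Active Directory, and the users, roles, segments and the ROLE_POLICY table are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class DirectoryAccount:
    """One account record from the corporate directory (stand-in for Active Directory)."""
    username: str
    role: str
    enabled: bool = True


# Constructed sample directory: these users and roles are assumptions for the
# example, not data from the article.
DIRECTORY: Dict[str, DirectoryAccount] = {
    "alice": DirectoryAccount("alice", "engineer"),
    "bob": DirectoryAccount("bob", "finance"),
    "carol": DirectoryAccount("carol", "engineer", enabled=False),  # already terminated
}

# Hypothetical policy: which destination segments each role may reach.
# Engineers get the lab but not production, mirroring the separation in the article.
ROLE_POLICY: Dict[str, Set[str]] = {
    "engineer": {"lab", "internet"},
    "finance": {"production", "internet"},
}

ACCESS_PATHS = ("wired", "wireless", "vpn")
SEGMENTS = ("lab", "production", "internet")


@dataclass(frozen=True)
class Session:
    """An authenticated session as the switch sees it, whatever the access path."""
    username: str
    access_path: str  # one of ACCESS_PATHS
    device: str


def resolve_role(session: Session) -> Optional[str]:
    """Return the user's role, or None if the account is unknown or disabled.

    Access path and device are deliberately ignored: the identity decides.
    """
    account = DIRECTORY.get(session.username)
    if account is None or not account.enabled:
        return None
    return account.role


def is_allowed(session: Session, segment: str) -> bool:
    """Policy decision for one destination segment; fails closed without a valid identity."""
    role = resolve_role(session)
    if role is None:
        return False
    return segment in ROLE_POLICY.get(role, set())


def evaluate(session: Session) -> Dict[str, bool]:
    """Decision for every segment, as a switch would apply it to the port."""
    return {segment: is_allowed(session, segment) for segment in SEGMENTS}


def revoke(username: str) -> None:
    """Disable the directory account; every later decision on any path then denies."""
    if username in DIRECTORY:
        DIRECTORY[username].enabled = False


if __name__ == "__main__":
    for path in ACCESS_PATHS:
        print(path, evaluate(Session("alice", path, "laptop")))
    revoke("alice")
    print("after revoke", evaluate(Session("alice", "vpn", "laptop")))
```

The point of the design is that revocation needs only one change, in the directory, because the switch re-resolves identity on each decision rather than caching a per-port rule; in a real deployment the lookup would be a directory query, and the freshness of that lookup is what determines how quickly a disabled account actually loses access.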
Owayni said one of his main issues when upgrading his network was IP telephony.
"We wanted a platform that was capable of recognizing IP traffic, segregating IP traffic based on tagging, and be[ing] robust enough to get that traffic, because with a converged network both data and voice are going over the same network," he said. "One of the things that ConSentry gave us is the ability to integrate voice. We can facilitate and prioritize voice traffic because it's real-time within the switch itself."