Changing demands on local area networks (LANs) are forcing enterprises to push features and functionality from the core to the edge. Intelligent edge switches are becoming much more important as network managers try to support complex demands for mobility, guest access and virtualization.
"A lot of the common thought processes [in the past] around network design were to put the higher-value stuff in the data center core, and as you moved out to the edge, that was where you put less intelligent, less valuable switches," said Zeus Kerravala, vice president at Boston-based research firm Yankee Group. "If you look at what's happening to the network today, where the boundaries are [more complex], the number of devices – both physical and virtual – that have to connect to the network is increasing."
In the past, dumbed-down edge switches worked just fine for enterprises that had uniform methods of access for employees. Most users had similar endpoint devices that plugged into a LAN port at the office. Everyone had a simple user profile, and only internal employees needed network access. That's all changing now. Mobile devices are everywhere in the enterprise, and new applications and devices are cropping up all the time on the LAN.
Kerravala pointed to hospitals, where medical devices are connecting directly to the edge. In factories, manufacturing equipment is connecting to the network as well.
"Couple that with the growth of virtualization, where in theory you can have any application moving across the network at any time, [and] the intelligence that has been in the data center has to be pervasive across the network," he said.
Network access control demand drives intelligent edge switches
ConSentry Networks of Milpitas, Calif., has been trying to capitalize on this nascent demand for intelligence at the edge. Originally a network access control vendor, ConSentry has shifted its business model toward building what it calls "context-aware switches," or edge switches that have access control and security capabilities written directly into them.
Recent research sponsored by ConSentry offers data that supports the notion that edge switches need some of the security and management capabilities that have traditionally been handled from the core. In a survey of 200 U.S. and British IT managers, 64% of respondents said they need to improve control over general user access across the company, and 66% said that the proliferation of new devices and applications is making it harder for them to audit the network. Ninety-three percent said they increasingly have to manage users who have multiple network IDs and profiles, while 83% said these multiple profiles are forcing them to review network control measures.
Managing access rights to the LAN is also becoming quite complex. Forty-six percent of respondents said they need to support guest users, and 38% said they need to enable auditors or other short-term contractors to access LAN resources. Another 47% said they need to be able to work with outsourced suppliers and customers through the LAN.
Furthermore, cross-functional groups within the enterprise are creating far more complexity in access rights management. A CIO, for instance, will have one set of access rights to applications and data in his capacity as the manager of IT. He might also be the member of a boardroom management team that has a second set of access rights. Being able to manage both of those sets of access rights becomes critical at the edge as enterprises place a higher emphasis on mobility and collaboration.
"What drove people to network access control initially was centered around guests, contractors and outside people coming into the network," said Jeff Prince, ConSentry's CTO. "That still marks high in terms of drivers. But the top driver now is really coming back to internal groups in the organization – cross-functional groups. We think that 'LAN sprawl' is making this much harder to provision. People are connecting in so many different ways, and how do you go about controlling their access? You've got wired and wireless access, local and remote. People connecting in lots of different ways, and [enterprises] are really struggling with how to get a unified security policy that spans all those different ways of connecting."
Intelligent edge switches: Baked-in security
Network nodes, particularly edge switches, need to participate more in their own security, according to David O'Berry, director of IT systems and services at the South Carolina Department of Probation, Parole and Pardon Services.
"I call it centrally distributed computing," O'Berry said. "Instead of a hard perimeter, you have a bunch of perimeters. Every node out on the network has to be concerned about what's going on around it."
O'Berry's organization has been 95% mobile capable for about four years now, and he's moving toward 100%. Most of his workforce now has nonstandard methods for connecting to the network.
"Ninety-five percent of our nodes are Lenovo tablets, so what you have is people going all over the place and doing all these different things, which should increase productivity," he said. "But the nontraditional means of access is pretty significant. So you're seeing this huge amoeba of connectivity all over the place. If you clamp down on it to the point that you know you're OK, you'll disconnect everyone from the network, and nobody will be getting any work done." And leaving all of the security function and decision making to the network core isn't necessarily the best strategy, he added.
"You have these huge core-layer boxes, and you have to do this correlation somewhere else and then make a decision," O'Berry said. "And that's milliseconds that we don't have to spare sometimes."
Users replace that old edge switch with a little intelligence
Edge switches will need improved silicon before they are powerful enough to handle critical access decisions. Vendors are improving in this area, but there's still a need for more, O'Berry said. In the meantime, O'Berry is replacing his legacy ProCurve edge switches with smarter edge switches from Juniper Networks that will help him better manage access to the LAN.
"We're going with Juniper switches, which have headroom to grow," he said. "Juniper has pushed UAC [unified access control] into individual edge switches, so each switch can take on port configuration based on whatever profile we push out to them. It's almost like you can begin to do DLP [data loss protection] or white-listing, but it's down at the switch level, and you never have to worry about someone downloading a worm and exposing you before you can do anything about it."
The need for intelligent edge switches extends beyond security and access control to network management and performance management as well, Kerravala said.
"The ability to export NetFlow or sFlow [from edge switches] to different management applications so that you can track virtual appliances across the network is important," he said. "Once you start dealing with vMotion, you start moving virtual workflows across the network. You need to be able to track those changes, and you need the edge switches to talk to management tools."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor