Hewlett-Packard has high hopes for the lowly switches at the edge of corporate LANs.
Under a new strategy the company has unveiled, the network could be secured, and a user's access to network services and resources personalised, from the point where a PC or other client device meets the network, HP said.
Companies can also prioritise voice conversations and video sessions all the way across the network using HP edge switches that can recognise types of traffic that need special treatment.
HP worldwide director of strategy and business planning, Brice Clark, said this kind of capability traditionally had been located on relatively expensive devices at the core of a LAN. HP wanted to let companies easily define network rules and enforce them on affordable hardware.
"It's almost an inside-out reversal of how we've thought about networks traditionally," Clark said.
Two key pieces of the strategy are RADIUS (Remote Authentication Dial-In User Service) technology for authenticating users and the IEEE 802.1x standard for port-based access control.
A central database will provide the brains in the architecture, holding information about what groups the user belongs to and what resources he or she should be able to access. When a user logs in to the network, the switch will get information from the central database that is then translated into specific network commands that the switch uses to configure the port.
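What that switch-side translation can look like, as an added example that is not HP's code or anything from the page: a constructed user and profile store stands in for the central database, the AAA side answers an 802.1X request with the standard RADIUS attributes used for VLAN assignment (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID from RFC 2868, as applied to 802.1X in RFC 3580, plus Filter-Id for an access list), and the switch side parses those attributes into a port configuration, leaving the port unauthorized on an Access-Reject or on a malformed VLAN assignment. The user names, VLAN numbers and ACL names are assumptions made for the example.

```python
"""Added example: 802.1X port authorization driven by a central profile store
over RADIUS-style attributes. Not HP code; the users, profiles, VLAN numbers
and ACL names below are constructed for illustration."""
import struct

# Standard RADIUS attribute numbers (RFC 2865, RFC 2868) as used for
# 802.1X VLAN assignment in RFC 3580.
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Constructed stand-in for the central database: which group a user
# belongs to, and what network profile each group receives.
USERS = {"alice": "engineering", "bob": "finance", "guest-acme": "partner"}
PROFILES = {
    "engineering": {"vlan": 110, "acl": "eng-acl"},
    "finance":     {"vlan": 120, "acl": "finance-acl"},
    "partner":     {"vlan": 900, "acl": "guest-internet-only"},
}


def encode_attr(atype, value):
    """Build one RADIUS attribute TLV: type, length (header included), value.
    Tunnel attributes carry a leading tag octet (RFC 2868); tag 0 is used."""
    if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        body = b"\x00" + struct.pack("!I", value)[1:]   # tag + 3-octet integer
    elif atype == TUNNEL_PRIVATE_GROUP_ID:
        body = b"\x00" + value.encode()                # tag + string
    else:
        body = value.encode()
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(body) + 2]) + body


def decode_attrs(blob):
    """Parse a run of attribute TLVs, rejecting malformed lengths."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            attrs[atype] = int.from_bytes(body[1:], "big")   # strip tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            attrs[atype] = body[1:].decode()                  # strip tag
        else:
            attrs[atype] = body.decode()
        i += alen
    return attrs


def aaa_server(username):
    """AAA side: map the user's group to a profile and answer with an
    Access-Accept carrying VLAN and filter attributes, or an Access-Reject."""
    group = USERS.get(username)
    if group is None:
        return "Access-Reject", b""
    profile = PROFILES[group]
    attrs = (encode_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + encode_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
             + encode_attr(TUNNEL_PRIVATE_GROUP_ID, str(profile["vlan"]))
             + encode_attr(FILTER_ID, profile["acl"]))
    return "Access-Accept", attrs


def configure_port(port, code, attr_blob, default_vlan=1):
    """Switch side: translate the RADIUS reply into the port's state.
    A reject leaves the port unauthorized; a VLAN assignment that is
    incomplete or not a valid VLAN number fails closed (example's choice)."""
    if code != "Access-Accept":
        return {"port": port, "state": "unauthorized"}
    attrs = decode_attrs(attr_blob)
    state = {"port": port, "state": "authorized", "vlan": default_vlan}
    ttype = attrs.get(TUNNEL_TYPE)
    tmedium = attrs.get(TUNNEL_MEDIUM_TYPE)
    tgroup = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if any(v is not None for v in (ttype, tmedium, tgroup)):
        # VLAN assignment needs all three attributes with the 802.1X values.
        if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_IEEE802 or tgroup is None:
            return {"port": port, "state": "unauthorized"}
        if not tgroup.isdigit() or not 1 <= int(tgroup) <= 4094:
            return {"port": port, "state": "unauthorized"}
        state["vlan"] = int(tgroup)
    if FILTER_ID in attrs:
        state["acl"] = attrs[FILTER_ID]
    return state


if __name__ == "__main__":
    for port, user in enumerate(["alice", "guest-acme", "mallory"], start=1):
        print(user, configure_port(port, *aaa_server(user)))
```

Whether a real switch fails closed or drops back to its default VLAN on a bad Tunnel-Private-Group-ID varies by platform, so verify the behaviour on the hardware you deploy rather than assuming either.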
Clark said HP already offered an AAA (authentication, authorisation and accounting) server that could be used for these profiles, but the information also could be attached to an Oracle human resources database. That might make it easier to change an employee's privileges upon hiring, transfer or resignation.
The system could be implemented on many different kinds of databases as long as they support RADIUS and 802.1x, he said.
With network privileges enforced at each port, unauthorised users were cut off right at the edge of the network, Clark said. In addition, administrators would be able to set up special profiles for visiting partners or customers who wanted to use the LAN but shouldn't see everything on it.
The idea was to shift from giving users network rights based on where they are, such as at a certain port where the PC is always plugged in, to giving them rights based on who they are - even if they were accessing the network from a remote location.
Forrester Research analyst, Vijay Bhagavath, said LAN switching had become more complicated with the need to give many different kinds of users secure access to the LAN from any location.
"Security has to be designed into the network's architecture," Bhagavath said. "The best place to design security and mobility is the edge of the network."
Port-based access control helped prevent DoS (denial of service) attacks because it would not let a stream of unauthorised packets clog the part of the network between the entry port and a firewall, he said.
HP's plan for traffic prioritisation could help medium-sized enterprises by giving them the infrastructure to integrate voice calling into the data network, Paul Strauss, a Massachusetts-based analyst at IDC, said. For example, a computer telephony system in a distributed organisation could make it much easier for employees to make calls. However, quality of service was the key.
"You can hear any delays, so it has to be prioritised," Strauss said. "It has to be built into the system and provided relatively inexpensively."