Foundry Networks this week launched several lines of security-focused switches aimed at locking down desktop LAN ports, enterprise edge and WAN connections, and data center server links.
Foundry says its SecureIronLS LAN switches use features such as Snort intrusion detection, Layer 2 port authentication and traffic monitoring to secure internal LAN connections. This could allow enterprises to deploy security technology closer to end users without adding gear to the network, the vendor says. On the network edge, SecureIron perimeter switches can add load balancing and traffic offload for network firewalls, the vendor says.
Foundry is also launching three ServerIron switches for Web server farms and data centers that can add traffic acceleration and protection against the misuse and hacking of Web-based applications, Foundry says.
The SecureIronLS switches include the SecureIronLS 100 and SecureIronLS 300 series. The SecureIron 100 series includes a version with 24 ports of 10/100Mbps Ethernet and one with 48 ports. Both switches are intended for wiring closets, and both have two-port Gigabit small form-factor pluggable (SFP) uplinks to connect to an aggregation or LAN core layer. The 300 series includes a 16-port 10/100/1000Mbps switch with dual Gigabit SFPs, and a 32-port 100/1000Mbps box with dual 10-Gigabit Ethernet uplinks. The SecureIronLS 300 series is targeted at LAN aggregation, providing security services for downstream Layer 2 LAN switches in wiring closets, Foundry says.
A LAN aggregation-layer deployment of the SecureIronLS 300 series is planned at California (near San Diego), with the goal of adding port-level security for more than 1,700 end users attached to the LAN.
"The SecureIron will give us the equivalent of a firewall on every LAN port," says Thomas Ting, senior systems engineer for the casino. Four SecureIronLS switches will aggregate traffic from dozens of Foundry Layer 2 switches in wiring closets, and provide 802.1x-based security and port authentication, as well as traffic anomaly-detection capabilities to every traffic flow coming from the LAN edge to the aggregation layer, Ting says.
With a large Foundry infrastructure already in place, Ting says Cisco's Network Admission Control (NAC) architecture would have been costly to implement, since most edge and aggregation layer switches would need to be replaced. Ting says he also considered NAC-based appliances that attach to a network. But upgrading his aggregation-layer switches to SecureIronLS, with this capability built in, ended up being easier to manage.
The SecureIronLS switches can be used to shut down end-user connections or quarantine them into a secure VLAN segment if anomalous behavior is detected on a port or if authentication fails. Foundry says the switches can work with third-party anti-virus and remediation server products and architectures, such as Symantec and Sygate's security products and Microsoft's Network Access Protection architecture. By supporting third-party PC-agent and remediation server software, the Foundry switches can block PCs from accessing a LAN if the machine's anti-virus or operating system patches or software do not meet minimum requirements set by network administrators.
Products competing with the SecureIronLS include Cisco Catalyst 3750 switches with NAC-enabled features, as well as NAC-capable switches from Enterasys, Alcatel and Nortel.
The perimeter security versions of the SecureIron include the SecureIron 100 and SecureIron 300. These devices are designed to sit at the enterprise edge, close to Internet or WAN connections, and provide firewall load-balancing for high-availability firewall configurations. When working with older firewall gear that may get bogged down when running multiple services, the SecureIrons can offload features such as network address translation (NAT), access control lists (ACL), and URL filtering. The SecureIron 100 series can process 1Gbps of Layer 4 traffic inspection, and 350Mbps of Layer 7 inspection. The 300 series can handle 4Gbps of Layer 4 inspection, and 1Gbps of Layer 7 inspection. (Layer 4 inspection involves some NAT and anti-DoS attack functions, and Layer 7 inspection handles URL filtering and some application-level ACLs).
Products competing with SecureIron perimeter devices include security load-balancing switches from Cisco, Nortel and Radware.
The SecureIronLS 100 series LAN switches start at US$15,000, while the 300 series starts at US$25,000. The SecureIron 100 series perimeter devices start at US$13,000, and the 300 series starts at US$25,000. The perimeter devices are available now, and the LAN switch devices will be available in August.
Foundry is also launching the ServerIron 350-Plus, ServerIron 450-Plus and ServerIron 850-Plus chassis switches, targeted at large server farms and data center deployments -- especially servers hosting customer-facing Web applications for financial, e-commerce or government customers. The three-, four- and eight-slot chassis, respectively, use the same management module and fabric technologies, which are capable of handling up to 350,000 Layer 4 connections per second, and up to 120,000 Layer 7 connections per second, with a total application throughput of 12Gbps, according to Foundry. The vendor says the Layer 4, Layer 7 and total application switching capacity metrics are each 30 percent higher than the previous-generation ServerIron switches.
Besides the performance boost, Foundry is also adding Web application firewall capabilities to the ServerIron's TrafficWorks operating system. The Web application firewall can detect misuse of data input fields in Web-based forms and portals, and it also provides cookie encryption, server cloaking and prevention of other unauthorized actions in a Web-based application.
The TrafficWorks OS can be configured to recognize certain fields in a Web-based form, such as input boxes for Social Security numbers or credit-card numbers, or a name/address field. The switch can detect when illegal characters are entered (e.g., numbers in the name field, or alphabetic characters in numeric-only fields) and block the transaction. The switch can also encrypt all outgoing cookies sent by a Web server, which could help prevent malicious users from employing cookie-based information as a tool for attacking a Web site, Foundry says. Plus, the switch software can detect if illegal SQL commands are being entered in a Web field -- a method sometimes used by hackers to illegally access a back-end database through a Web page.
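The per-field checking described above can be sketched as an allow-list applied to a submitted form. This is an added illustration, not Foundry's code or TrafficWorks configuration; the field names (`name`, `ssn`, `card`), the patterns and the sample submissions are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Hypothetical allow-list per form field: what each field MAY contain.
# Field names and patterns are assumptions for this example.
FIELD_RULES = {
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}"),
    "ssn": re.compile(r"[0-9]{3}-?[0-9]{2}-?[0-9]{4}"),
    "card": re.compile(r"[0-9]{13,19}"),
}


def inspect_form(body):
    """Return (allowed, reasons) for a URL-encoded form body; fail closed."""
    fields = parse_qs(body, keep_blank_values=True)
    reasons = []
    for field, values in fields.items():
        rule = FIELD_RULES.get(field)
        if rule is None:
            reasons.append(f"{field}: unexpected field")
        elif len(values) != 1:
            reasons.append(f"{field}: repeated parameter")
        elif not rule.fullmatch(values[0]):
            reasons.append(f"{field}: illegal characters or format")
    for field in FIELD_RULES.keys() - fields.keys():
        reasons.append(f"{field}: missing")
    return (not reasons, sorted(reasons))


# Constructed sample submissions (not captured traffic).
SAMPLES = {
    "valid": "name=Mary+O%27Brien&ssn=123-45-6789&card=4111111111111111",
    "digits_in_name": "name=R2D2&ssn=123-45-6789&card=4111111111111111",
    "letters_in_ssn": "name=Ann+Lee&ssn=12E-45-6789&card=4111111111111111",
    "sql_in_name": "name=x%27+OR+%271%27%3D%271&ssn=123456789&card=4111111111111111",
    "repeated_card": "name=Ann+Lee&ssn=123456789&card=4111111111111111&card=1",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        allowed, reasons = inspect_form(body)
        print(f"{label:15} {'PASS' if allowed else 'BLOCK'} {reasons}")
```

Because the rule states what a field may contain, a legitimate apostrophe in a name passes while the SQL-style input is blocked for its digits and `=` sign, with no SQL keyword list involved.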
Web application firewall capabilities are also included in data center switches and application front-end devices from Cisco, F5, Citrix (Netscaler), Juniper (Redline), and Radware.
The ServerIron 350-Plus and ServerIron 450-Plus chassis start at US$35,000 with 10/100/1000Mbps line cards sold separately. The ServerIron 850-Plus costs US$39,000 without line cards. The TrafficWorks OS with Web application firewall features is a free add-on to the operating system, which comes with the base chassis. All three chassis are available now.