The InformationWeek -- Blogs

InformationWeek's Analytics Weblog

Topics:   Analytics : Security


New ProCurve Threat Module: Flexibility Requires Planning


Posted by Mike Fratto, Apr 29, 2009 11:00 AM

HP ProCurve announced a new module for its ProCurve 8212 and 5400 modular switches. The Threat Management Module offers firewall, VPN, and IPS functions simultaneously on the switch backplane, unlike Cisco’s approach with the Catalyst 6500, which requires separate security modules for firewall, VPN, and IPS. The cost, however, is lower performance per module. ProCurve needs to increase module performance to make it a replacement for appliances.


The Threat Management Module can support up to 3 Gb/s of firewall throughput and 300 Mb/s of IPsec VPN throughput using AES encryption. The firewall and VPN capacity is more than adequate for protecting WAN connections, but may pose a bottleneck for internal use. In particular, the firewall function is designed to be used between internal zones, or regions of your network, and 3 Gb/s could be overrun quickly. VPN functionality is targeted at LAN-to-LAN VPN over a wide area network and should be sufficient for most installations. The 300 Mb/s limit poses a significant bottleneck for VPN over the LAN, so if internal encryption is needed, a separate VPN appliance will be required. Otherwise, you can wait for 802.1X-REV and 802.1AE, which standardize key management and network encryption, to be finalized and deployed in products.

Jennifer Jabbusch, CISO of Carolina Advanced Digital, a network design and consulting firm, who is familiar with ProCurve’s product line, points out that the Threat Management Module doesn’t process all the traffic traversing the switch, only the traffic that is sent between zones through the module, so the interzone traffic load may be far less than the total switch traffic. Jabbusch notes that deploying the Threat Management Module does require redesigning your network topology: instead of a physical choke point (a firewall with a limited number of interfaces through which traffic funnels), the Threat Management Module can support many more interfaces--any interface on the switch. The increased flexibility, if you are careful with capacity planning, is pretty useful.

The Threat Management Module lists for $16,999 for firewall and VPN services. Adding IPS, with a capacity of 1.5 Gb/s, tacks on an additional $2,600, bringing the total to $19,599, which includes one year of IPS signature updates. Subsequent three-year updates list for $9,399. The bundled functionality comes at an attractive price compared to purchasing a firewall, VPN, and IPS separately, where each appliance can start at $10,000, but the capacity of the Threat Management Module is relatively low considering the port density of the 8212 and 5400 switches.

Four Threat Management Modules can be added to the system and managed through ProCurve Immunity Manager in clusters or individually. The additional modules can be used for active/passive HA or simply to add capacity. Module installation is pretty flexible depending on your needs. In addition, the Threat Management Module can be partitioned into zones so access is controlled as it crosses internal boundaries in the network. Don’t confuse zone access control with ProCurve’s NAC solution, however. The zone-based access controls are really designed to act more like network firewalls rather than providing fine-grained, user-based access controls.
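
The capacity planning discussed above can be checked against a zone-to-zone traffic estimate. The sketch below is an added example, not code from HP or from the original post; it uses the per-module limits quoted in the article, while the zone names, flow rates, the 70% utilisation target, and the assumption that capacity scales linearly across modules are all constructed for illustration.

```python
import math

# Per-module limits quoted in the article, in Mb/s.
CAPACITY_MBPS = {"firewall": 3000, "ips": 1500, "vpn": 300}
MAX_MODULES = 4  # the article says four modules can be added to the system

# Constructed sample flows: (source zone, destination zone, peak Mb/s, extra services).
SAMPLE_FLOWS = [
    ("users", "users", 4000, set()),        # same zone: never reaches the module
    ("users", "servers", 1800, {"ips"}),
    ("servers", "database", 900, {"ips"}),
    ("users", "wan", 400, {"ips"}),
    ("servers", "branch", 250, {"vpn"}),
    ("database", "backup", 1200, set()),
]

def plan(flows, target_pct=70):
    """Sum interzone load per service and size the module count.

    target_pct is an assumed planning ceiling (percent of rated capacity),
    and linear scaling across modules is an assumption, not a vendor figure.
    """
    load = {svc: 0 for svc in CAPACITY_MBPS}
    total = 0
    for src, dst, mbps, services in flows:
        total += mbps
        if src == dst:
            continue  # intrazone traffic is switched without crossing the module
        load["firewall"] += mbps  # every interzone flow passes the firewall
        for svc in services:
            load[svc] += mbps
    modules = {
        svc: math.ceil(load[svc] * 100 / (CAPACITY_MBPS[svc] * target_pct))
        for svc in load
    }
    needed = max(modules.values())
    return {
        "total_mbps": total,
        "load_mbps": load,
        "modules_per_service": modules,
        "modules_needed": needed,
        "fits": needed <= MAX_MODULES,
    }

if __name__ == "__main__":
    for key, value in plan(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

In this constructed case only about half of the switch traffic crosses zones, yet the firewall and IPS limits already call for three modules at the assumed target.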
