New ProCurve Threat Module: Flexibility Requires Planning

HP ProCurve announced a new module for their ProCurve 8212 and 5400 modular switches. The Threat Management Module offers firewall, VPN, and IPS functions simultaneously on the switch backplane which is unlike Cisco's approach with the Catalyst 6500 requiring separate security modules firewall, VPN, and IPS. The cost, however, is lower performance per module. ProCurve needs to increase module performance to make it a replacement for appliances.

Mike Fratto, Former Network Computing Editor

April 29, 2009

3 Min Read
InformationWeek logo in a gray background | InformationWeek

HP ProCurve announced a new module for their ProCurve 8212 and 5400 modular switches. The Threat Management Module offers firewall, VPN, and IPS functions simultaneously on the switch backplane which is unlike Cisco's approach with the Catalyst 6500 requiring separate security modules firewall, VPN, and IPS. The cost, however, is lower performance per module. ProCurve needs to increase module performance to make it a replacement for appliances.The Threat Management Module can support up to 3Gb/s firewall throughput and 300Mb/s IPSec VPN using AES encryption. The capacity for Firewall and VPN are more than adequate for protecting WAN connections, but may pose a potential bottle neck for internal use. In particular, the firewall function is designed to be used between internal zones, or regions of your network, and 3Gbps could be overrun quickly. VPN functionality is targeted for LAN to LAN VPN over a wide area network and should be sufficient for most installations. The 300 Mb/s limit poses a significant bottleneck for VPN over the LAN so if internal encryption is needed a separate VPN appliance will be needed. Otherwise, you can wait for 802.1X-REV and 802.1AE, which standardize key management and network encryption, to be finalized and deployed in products.

Jennifer Jabbusch, CISO of Carolina Advanced Digital, a network design and consulting firm, who is familiar with ProCurve's product line points out that the Threat Management Module doesn't process all the traffic traversing the switch, only the traffic that is sent between zones through the module, so the interzone traffic load may be far less than the total switch traffic. Jabbusch notes that deploying the Threat Management Module does require redesigning your network topology since instead of a physical choke point, a firewall with a limited number of interfaces through which traffic funnels through, the Threat Management Module can support many more interfaces--any interface on the switch. The increased flexibility, if you are careful with capacity planning, is pretty useful.

The Threat Management Module lists for $16,999 for firewall and VPN services. Adding IPS, with a capacity of 1.5 Gb/s, tacks on an addition $2,600 to the price bringing the total to $19,599, which includes one year of IPS signature updates. Subsequent three year updates list for $9,399. The bundled functionality comes at an attractive price compared to purchasing a firewall, VPN, and IPS separately were each appliance can start at $10,000, but the capacity of the Threat Management Module is relatively low considering the port density of the 8212 and 5400 switches.

Four Threat Management Modules can be added to the system and managed through ProCurve Immunity Manager in clusters or individually. The additional modules can be use for active/passive HA or simply to add capacity. Module installation is pretty flexible depending on your needs. In addition, the Threat Management Module can be partitioned into zones so access is controlled as it crosses internal boundaries in the network. Don't confuse zone access control with ProCurve NAC solution, however. The zone based access controls are really designed to act more like network firewalls rather than providing fine grained user based access controls.

Read more about:

20092009

About the Author

Mike Fratto

Former Network Computing Editor

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics and executive editor for Secure Enterprise. He has spoken at several conferences including Interop, MISTI, the Internet Security Conference, as well as to local groups. He served as the chair for Interop's datacenter and storage tracks. He also teaches a network security graduate course at Syracuse University. Prior to Network Computing, Mike was an independent consultant.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights