New ProCurve Threat Module: Flexibility Requires Planning

HP ProCurve announced a new module for their ProCurve 8212 and 5400 modular switches. The Threat Management Module offers firewall, VPN, and IPS functions simultaneously on the switch backplane which is unlike Cisco's approach with the Catalyst 6500 requiring separate security modules firewall, VPN, and IPS. The cost, however, is lower performance per module. ProCurve needs to increase module performance to make it a replacement for appliances.

Mike Fratto, Former Network Computing Editor

April 29, 2009

3 Min Read

The Threat Management Module can support up to 3 Gb/s of firewall throughput and 300 Mb/s of IPsec VPN using AES encryption. The firewall and VPN capacities are more than adequate for protecting WAN connections, but may pose a potential bottleneck for internal use. In particular, the firewall function is designed to be used between internal zones, or regions of your network, and 3 Gb/s could be overrun quickly. VPN functionality is targeted at LAN-to-LAN VPN over a wide area network and should be sufficient for most installations. The 300 Mb/s limit poses a significant bottleneck for VPN over the LAN, so if internal encryption is needed a separate VPN appliance will be required. Otherwise, you can wait for 802.1X-REV and 802.1AE, which standardize key management and network encryption, to be finalized and deployed in products.

Jennifer Jabbusch, CISO of Carolina Advanced Digital, a network design and consulting firm, who is familiar with ProCurve's product line, points out that the Threat Management Module doesn't process all the traffic traversing the switch, only the traffic that is sent between zones through the module, so the interzone traffic load may be far less than the total switch traffic. Jabbusch notes that deploying the Threat Management Module does require redesigning your network topology: instead of a physical choke point, a firewall with a limited number of interfaces through which traffic funnels, the Threat Management Module can support many more interfaces, any interface on the switch. The increased flexibility, if you are careful with capacity planning, is pretty useful.

The Threat Management Module lists for $16,999 for firewall and VPN services. Adding IPS, with a capacity of 1.5 Gb/s, tacks on an additional $2,600, bringing the total to $19,599, which includes one year of IPS signature updates. Subsequent three-year updates list for $9,399. The bundled functionality comes at an attractive price compared to purchasing a firewall, VPN, and IPS separately, where each appliance can start at $10,000, but the capacity of the Threat Management Module is relatively low considering the port density of the 8212 and 5400 switches.

Four Threat Management Modules can be added to the system and managed through ProCurve Immunity Manager in clusters or individually. The additional modules can be used for active/passive HA or simply to add capacity. Module installation is pretty flexible depending on your needs. In addition, the Threat Management Module can be partitioned into zones so access is controlled as it crosses internal boundaries in the network. Don't confuse zone access control with ProCurve's NAC solution, however. The zone-based access controls are really designed to act more like network firewalls rather than providing fine-grained, user-based access controls.
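To make the capacity-planning point concrete, here is an added Python sketch (not ProCurve's tooling; the zone names and traffic figures are constructed) that counts only inter-zone traffic against the module's published firewall, VPN and IPS limits. It assumes the IPS inspects all inter-zone traffic and that extra modules add capacity linearly; both are simplifications, not vendor statements.

```python
"""Zone-based capacity check for a switch-resident firewall/VPN/IPS module."""
from collections import defaultdict

# Published per-module capacities from the article, in Mb/s.
CAPACITY_MBPS = {"firewall": 3000, "vpn": 300, "ips": 1500}

# Constructed sample traffic matrix: (src_zone, dst_zone, peak Mb/s, needs_vpn).
# Intra-zone traffic is switched directly and never reaches the module.
SAMPLE_FLOWS = [
    ("users", "users", 4000, False),    # stays in the zone, bypasses module
    ("users", "servers", 1200, False),
    ("servers", "users", 600, False),
    ("users", "wan", 200, True),        # site-to-site IPsec tunnel
    ("servers", "dmz", 300, False),
]


def interzone_load(flows):
    """Sum peak Mb/s per function, counting only flows that cross a zone boundary.

    Assumption: every inter-zone flow is firewalled and IPS-inspected; only flows
    flagged needs_vpn consume IPsec capacity.
    """
    load = defaultdict(float)
    for src, dst, mbps, needs_vpn in flows:
        if src == dst:
            continue                    # same zone: not the module's problem
        load["firewall"] += mbps
        load["ips"] += mbps
        if needs_vpn:
            load["vpn"] += mbps
    return dict(load)


def check_capacity(flows, modules=1, headroom=0.8, capacity=CAPACITY_MBPS):
    """Return {function: (load_mbps, fits)} with fits True when the load stays
    under headroom * capacity * modules (linear scaling is an assumption)."""
    load = interzone_load(flows)
    result = {}
    for fn, cap in capacity.items():
        used = load.get(fn, 0.0)
        result[fn] = (used, used <= headroom * cap * modules)
    return result


if __name__ == "__main__":
    for fn, (used, fits) in check_capacity(SAMPLE_FLOWS).items():
        print(f"{fn:8s} {used:7.0f} Mb/s  {'ok' if fits else 'OVER BUDGET'}")
```

With the sample matrix the firewall and VPN stay within an 80% budget while the 1.5 Gb/s IPS does not, which is the kind of mismatch to find before choosing between adding a module for capacity and reserving it for HA.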


About the Author(s)

Mike Fratto

Former Network Computing Editor

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics and executive editor for Secure Enterprise. He has spoken at several conferences including Interop, MISTI, the Internet Security Conference, as well as to local groups. He served as the chair for Interop's datacenter and storage tracks. He also teaches a network security graduate course at Syracuse University. Prior to Network Computing, Mike was an independent consultant.
