HP ProCurve’s Paul Congdon Gets It

TechPlanet Asia has a nice interview with HP’s ProCurve CTO Paul Congdon. The interview covers all manner of things centered around NAC and edge security enforcement in switches. I noticed a couple of things when reading the interview. First, HP gets it. Paul’s comments, taken together with some positive interactions I’ve had with HP’s Mauricio Sanchez, have convinced me they understand the opportunity with edge enforcement and are pursuing it aggressively.

Second, HP seems to be pitching this edge play as somehow different from what Cisco is doing, which seems a little more like marketing spin. Cisco wants to do edge enforcement just as much as HP does, and Paul’s comment that what Cisco is doing is “taking their peripheral security products, putting it on a blade and then shoving it into a high-end chassis at the core of the network” is just plain false. During my time at Cisco I never specified such a design, nor did I know anyone who did. It would be like committing architectural seppuku, since even if this is something you wanted to do, network cores, as Paul alludes to, are much too fast. Everything was built around enforcement at the wiring closet / distribution layer and then again at the data center. The core was always meant to be fast and dumb (with the possible exception of basic security techniques like unicast RPF checks and the like). It is clear that HP is trying to differentiate vs. Cisco with security; it will be interesting to see how they do.

Third, Paul is the first major infrastructure spokesman that I’m aware of to discuss the IEEE’s LinkSec work:

With 802.1AE and 802.1AR, it means that I can create trusted infrastructure in a plug-and-play fashion. So I’ll be able to take a ProCurve product out of the box, plug it into the network, and that box already has credentials built into it. And it can automatically authenticate to its peer switch and then you can bring up an encrypted link and now all the traffic - spanning trees, routing protocols - is fully protected.

It will be very interesting to see how quickly customers embrace the notion of hop-by-hop crypto and what sort of policy infrastructure is required to make it work properly. People are balking at migrating their switch infrastructure for NAC; I wonder if line-rate crypto is more or less attractive.
