In-Depth
Evolution of the LAN: Migrating to an Intelligent Switch
To minimize connectivity costs and ensure your investment addresses future business needs, consider an intelligent switch.
By Koroush Saraf
Network administrators should thoroughly evaluate the available options before deciding on their next switch upgrade for the LAN. Switches can be divided into two categories: access switches and core datacenter switches. With little innovation in the access switching market, we’ve developed the mindset that all switches do the same thing. That is mainly because Layer 2 and Layer 3 switching features have been commoditized, so differentiation among switches eventually falls back to price and brand name. However, several variables have changed in today’s enterprise network, and they are causing IT pain points that require a smarter access edge.
You probably buy new access switches because you are rolling out a new building and deploying new services such as VoIP and wireless, which require Power over Ethernet (PoE) ports, or when you need GigE connectivity at the desktop or 10G uplinks for increased application performance. In addition to providing this connectivity, access switches can also play an important part in reducing risk and increasing productivity, two variables that are often overlooked.
The LAN user community no longer consists of just your employees; it now includes contractors, outsourced personnel, and guests. The traffic that runs across your LAN is no longer made up of just your business applications; it includes P2P, social networking, and file-transfer applications that hide behind well-known Layer 4 ports (e.g., port 80). How can you accurately identify and control users and applications without relying on basic IP addresses and TCP/UDP port information?
If your only reason to upgrade your switches is to reduce connectivity costs, you are in luck. There are so many vendors to choose from; you’ll probably pick the cheapest switch from your reseller’s portfolio. However, if you want to protect your investment for future business needs, consider a more intelligent switch so you won’t have to purchase additional overlay devices that risk your network’s integrity.
What’s needed in an intelligent switch? We can draw an easy analogy. In the past, cities that traded goods with other cities prospered the most, and setting up shipping ports by the water allowed connectivity to other nations, which provided even more rewards. Fast forward to today, when every shipping port is a threat. We saw a scramble to add intelligence to port security by identifying the shipping containers, examining the content in detail to identify it, and segmenting containers and quarantining the risky ones. And all this had to be done without slowing down commerce.
History repeats itself in the LAN: every switch port poses a threat from the inside. The switch you choose should be able to offer integrated services to identify users and map user names to every traffic flow, deliver role-based access based on job roles, examine users’ machines and their traffic for anomalous activity, and fast-track known good applications. The switch should also be able to provide audit trails to aid in troubleshooting as well as executive-level reports.
Once you have selected your connectivity needs, you can determine the specific intelligent capabilities you require from a LAN access switch. Some of these capabilities include, but are not limited to:
- The ability to dynamically segment the network by managing business policies and segmenting by usernames, group memberships, business assets, and application names
- An easy method of network authentication that leverages your existing backend identity databases and desktops
- Centralized awareness showing the overall health of the network and also allows drill-down views of specific policy violations and incidents
- For investment protection, look for a switch that provides a powerful -- and upgradeable -- datapath processor that doesn’t slow down your network
Intelligent capabilities can enhance your LAN access switch with integrated visibility and control for faster incident response, allowing the removal of an offending user from the network by a single click. For example, alerts at the switch port must include the username and the computer name of the person who is hijacking data using man-in-the-middle attacks. You should be able to detect if someone has inadvertently taken down the network by plugging the LAN port of their DSL router into the cube wall just to get a few more Ethernet ports -- and is now handing out fake 192.168 addresses.
Most switch manufacturers can probably provide these enhanced intelligent services via a software upgrade of their control-plane processor, but do you want a LAN that runs at dial-up speed? You don’t have to break the bank to get these features. Look for vendors that custom-built their switches with this vision from the start.
In the midst of challenging economic times, we find that most businesses will benefit from reduced operational complexity and increased acumen in protecting their business assets. Upgrading your access edge is not a simple undertaking, and the upgrade is likely to stay in place for five to seven years (or longer). The operational expense of another upgrade or overlay security solutions far exceeds the expense of spending a little more on your current upgrade. It’s worth ensuring that your access switches provide a simple path to intelligent services, even if your needs today are satisfied with basic connectivity.
- - -
Koroush Saraf co-founded ConSentry Networks in 2003. As the director of product management, Koroush is responsible for creating high-performance intelligent switching products that secure networks from the inside. You can reach the author at koroush@consentry.com.