Network hardware companies continue to snap up technology they can use to make security a standard feature in the switches and routers that comprise the basic network plumbing inside businesses.

The trend continued last week as Juniper Networks grabbed security vendor Funk Software for $122 million. Citrix Systems then bought its way into the application firewall market by acquiring start-up Teros, and Force10 Networks acquired stealthy intrusion-prevention/intrusion-detection system (IPS/IDS) vendor MetaNetworks.

"You can't separate security from infrastructure anymore," says Lawrence Orans, principal analyst with Gartner. "When the present batch of network infrastructure gear on the market was on the drawing board, it was before Blaster and Sasser and heavy-duty malware and worm threats. You now need to have infrastructure that can quickly maintain your network through worm storms and other forms of malware attacks."

Last week's security acquisitions follow 12 months of buyouts where Cisco acquired six security vendors, 3Com acquired IDS/IPS stalwart TippingPoint Technologies, Juniper bought application security firm Peribit, and Citrix bought SSL VPN vendor Net6.

More evidence of network gear assimilating security features can be found by following the money. Infonetics Research reports that third-quarter 2005 sales of secure routers, meaning WAN routers with VPN/firewall features, jumped 21 percent from the previous quarter, while the overall router market grew just 8 percent ($859 million for the quarter). Of the $189 million in sales of Layer 4-7 switches last quarter, half came from switches with built-in SSL features.

Switching on security
Juniper's buyout of Funk is an effort to add switch-port enforcement of policies as an option in Juniper's Unified Access Control (UAC) scheme. UAC verifies that computers meet security policies before they gain network access and that users can reach only those resources for which they have been authorised.

UAC supports policy enforcement using Juniper Layer 3 firewalls placed around the network at strategic points. By using 802.1X authentication supported by Funk products, Juniper will be able to enforce security policies at Layer 2. So if users try to access resources without authorisation or if their machine fails a security scan, they can be stopped at the access switch or redirected to isolated virtual LANs.
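The Layer 2 enforcement flow just described, as an added example that is not Juniper's or Funk's code: a policy server decides, from the user's authorisation and the endpoint's posture result, whether the access switch should keep the port closed, open it onto the production VLAN, or steer it into an isolated VLAN using the RFC 3580 RADIUS tunnel attributes. The user directory, posture checks and VLAN numbers are constructed for illustration.

```python
# Added example (not Juniper's or Funk's code): a minimal model of the 802.1X /
# RADIUS policy decision behind Layer 2 enforcement. The switch (authenticator)
# forwards the client's identity and posture result; the policy server answers
# Access-Reject, or Access-Accept carrying the RFC 3580 tunnel attributes that
# tell the switch which VLAN to place the port in. All data below is constructed.
from dataclasses import dataclass, field

PRODUCTION_VLAN = "100"   # constructed: normal corporate LAN
QUARANTINE_VLAN = "999"   # constructed: isolated remediation VLAN

# Constructed identity store: who is authorised to enter the LAN at all.
AUTHORISED_USERS = {"alice": "engineering", "bob": "finance"}

# Constructed posture requirements the endpoint agent reports against.
REQUIRED_POSTURE = {"av_running": True, "patch_level_current": True, "firewall_on": True}


@dataclass
class AccessRequest:
    user: str
    posture: dict = field(default_factory=dict)


def posture_ok(posture: dict) -> bool:
    """True only if every required check is present and satisfied (missing = fail)."""
    return all(posture.get(k) == v for k, v in REQUIRED_POSTURE.items())


def decide(req: AccessRequest) -> dict:
    """Return the RADIUS response the authenticator (switch) acts on."""
    if req.user not in AUTHORISED_USERS:
        # Unknown or unauthorised identity: the port stays closed at Layer 2.
        return {"code": "Access-Reject"}
    # RFC 3580 dynamic VLAN assignment: Tunnel-Type=VLAN(13),
    # Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=<vlan id>.
    vlan = PRODUCTION_VLAN if posture_ok(req.posture) else QUARANTINE_VLAN
    return {
        "code": "Access-Accept",
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-ID": vlan,
    }


if __name__ == "__main__":
    stale = AccessRequest("bob", {"av_running": True, "patch_level_current": False, "firewall_on": True})
    print(decide(AccessRequest("alice", dict(REQUIRED_POSTURE))))  # production VLAN
    print(decide(stale))                                           # quarantine VLAN
    print(decide(AccessRequest("mallory", dict(REQUIRED_POSTURE))))  # Access-Reject
```

An endpoint that reports no posture at all lands in the quarantine VLAN rather than the production VLAN, which is the fail-closed behaviour a NAC deployment wants.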

While Juniper's first move was at Layer 3, "we intended all along ... to provide an option to use existing switching infrastructure that supported Layer 2 enforcement points," says Hitesh Sheth, Juniper's enterprise products and solutions VP.

Layer 2 enforcement is also the cornerstone of the latest version of Cisco's Network Admission Control (NAC), and of Microsoft's Network Access Protection (NAP), which Microsoft is developing in co-operation with switch vendors. These methods use a mix of software and switch hardware to detect dangerous clients and close network access at the LAN-port level.

Juniper lacks access switches in its product line. That had been a criticism of its access-control plan, because Layer 2 enforcement would require co-operation of switch vendors, which would be unlikely in the case of Cisco.

Instead, Juniper is pursuing a standards-based means to impose policies via switches. Funk paves the way with its 802.1X support and its support for standards being developed by the Trusted Computing Group, an industry association that is working on open interfaces for secure connections to networks, among other projects.

"Most people have a more pervasive switch architecture than they do a security infrastructure, so it makes sense to try to leverage that," says Rob Whitely, an analyst with Forrester Research.

The drawback is that many businesses have not upgraded to switches that support 802.1X, so they cannot use the Layer 2 option until they do so. The expense and disruption of upgrading switches has been a criticism of Cisco's NAC initiative. Juniper can offer customers Layer 3 enforcement by overlaying protection on existing networks until customers upgrade to 802.1X switches.

Firewall smarts
With its buy of Teros, Citrix gets the start-up's Security Application Gateway, a software-based security appliance that the company says can block attacks against corporate Web-based applications. The application firewall inspects HTTP and XML traffic streams for suspicious activity and unauthorised protocol schemas, and can block or filter such attacks.

This XML inspection and security capability will be rolled into Citrix's NetScaler line of application acceleration switches, according to Wes Wasson, the company's VP of marketing for application networking. In addition to securing XML traffic, he says, the Teros technology also could be used in the future on NetScaler switches to accelerate and optimise XML applications.

The Teros buy also brings Citrix up to speed with top rival F5 Networks, which acquired application firewall vendor Magnifire for $29 million last year, as well as other application acceleration/firewall vendors, such as NetContinuum.

As for Force10's acquisition of MetaNetworks, the deal will give the 10G Ethernet switch start-up its first IPS/IDS capabilities, which it will offer initially as an appliance and later build into its 10G Ethernet switches. MetaNetworks' website says its security hardware can perform stateful firewall packet inspection and IDS/IPS functions on 10Gbit/sec traffic streams without slowing packets. The gear is used in government deployments for securing high-speed networks, MetaNetworks and Force10 say.