By the end of this year, HP ProCurve will have a fleshed-out NAC portfolio to check devices before they are admitted to networks, assign and enforce their access rights as they join networks and monitor their behaviour to restrict them if they misbehave.
All this will be managed under ProCurve's PCM-Plus management platform, giving customers a single interface to set NAC policies rather than jumping from one management application to another as would be the case with a NAC appliance sold by a third party.
Much like Cisco, Nortel and other switch vendors, ProCurve is piecing together its full NAC line using many different components, but ProCurve's promised unified management gives the company a leg up, at least temporarily, says Rob Whiteley, an analyst with Forrester Research.
"It's critical to have a single set of knobs and levers that you tweak," says Whiteley. "That's not unique to ProCurve," in that all the vendors seek unified management.
But ProCurve's reputation for integrating management of new gear indicates that when the NAC bundle is all available by the end of the year, the company likely will lead competitors in management for a while. "Six to 12 months from now everyone will be on par," he says.
With its NAC push, ProCurve is leveraging its position as the number-two vendor of enterprise-class LAN switch ports, behind Cisco.
HP's networking arm shipped more Layer 3 and Gigabit Ethernet LAN switch ports in 2006 than well-known enterprise switch vendors such as 3Com, Extreme, Foundry and Nortel, according to Synergy Research Group. And while Cisco completely dominated the market with 71 percent of world-wide LAN switch revenue, HP was also the runner-up on that score, with over 4 percent of the market.
Two NAC products
To fill out its NAC profile, ProCurve is announcing two products this week, starting with ProCurve NAC 800, an appliance that evaluates the security posture of endpoints trying to get onto corporate networks. It also triggers 802.1X port enforcement on network switches.
This is ProCurve's answer to pre-admission NAC, the practice of checking endpoints for operating system patches, antivirus software and the like before they are allowed onto networks. If devices pass pre-admission NAC scans, it means they are less likely to contain malware that can harm networks.
In combination with NAC 800 client software, the device can check for operating system patches, antivirus software, what applications are running on the device and registry settings. If the device comes up short of meeting set policies, NAC 800 can keep it off the network until the policies are met.
NAC 800 works in conjunction with ProCurve's existing Identity Driven Manager (IDM), which authorises devices as they enter the network, defining what resources they have access to. So working together, the two products scan devices for the proper configuration and also assign appropriate access rights.
ProCurve's second new NAC product is ProCurve Network Immunity Manager, software that draws on multiple network devices to gather data about traffic and analyses it for anomalies. This is ProCurve's answer to post-admission NAC, and is a way to find machines that may have been infected when they were admitted to the network and now pose a threat.
When Network Immunity Manager finds traffic that violates network policies, it can shut down the traffic at the switch port where the device is attached. It can lock down the MAC address of the port, switch the device to a quarantine VLAN or shut the port down altogether.
Immunity Manager can also refer suspect traffic to intrusion detection and prevention systems (IDS/IPS) or a unified threat management (UTM) platform for deeper inspection to determine whether it really represents a threat.
Immunity Manager requires that switches support sFlow, the standards-based traffic-monitoring capabilities in routers and switches. The immunity platform can also gather traffic data from other network devices such as firewalls and intrusion detection gear.
Whiteley says that if the evolution of NAC follows that of other ProCurve lines, expect to see the separate NAC hardware also offered as blades that fit into switches and, if that becomes popular, baked into custom chips. Offering that variety may improve the popularity of the equipment.
"Some people don't appreciate more appliances; some people don't like more stuff in their switches," he says. "But as long as ProCurve gets the management set first, it doesn't matter."
Immunity Manager is scheduled to be available June 1 at EUR 4299 (£2922) for 50 licences. NAC 800 is available in the third quarter and the price hasn't been set yet.