HP has announced new policy-based network security and bandwidth management software, as well as upgrades, that the company says will let its ProCurve LAN switch customers better control end-user access to network resources and bandwidth.
The upgrades include a new version of HP's ProCurve Manager Plus switch software (as we revealed last week) and a new Identity Driven Manager (IDM) application. Together, these two server-based applications can work with a third-party Radius server and let companies control access and bandwidth, HP said.
ProCurve Manager ships with all HP ProCurve switches and lets users configure and manage switch settings from a Windows-based PC. ProCurve Manager Plus is an enhanced version that is purchased as an upgrade (the Plus version is required to run IDM).
When deployed with a Microsoft-based authentication server, this framework provides an easy way to activate security and traffic management features on switches, says Brice Clark, HP ProCurve worldwide director of strategy and business planning. "This lets network managers worry less about network plumbing and concentrate more on larger issues that affect their business," he says.
In an IDM-based network, an end user's log-on credentials would first be checked against a Radius server, then checked again by the Manager/IDM software running on a separate, dedicated server. If the Radius server authenticates the user, IDM looks at the end-user ID and enforces pre-defined policies for that end user on the switch. This could mean putting end users from different departments into separate virtual LANs, where only each respective department's applications are available. Guest log-ons could be created to allow only Internet access, and only during certain times of the day.
Policies also can give different bandwidth-usage profiles for various end users' identities. Web/print/e-mail users could be limited to a 10Mbit/s connection, for instance, while power users running high-bandwidth applications could get up to 1Gbit/s to the desktop.
HP says the IDM software's directory can be tied to a Microsoft Active Directory scheme, allowing the Microsoft Radius and HP servers to share an end-user database. Policies are created and managed in a Windows-based client application, which lets lower-level IT staff easily make complex changes to a large switch network.
"In the past, you would set VLAN policies manually, and you would have to do that by command line on every device," said Josh Johnson, an analyst with Synergy Research Group. This method of network administration was hard to tie to a company's business processes. "You probably had to keep notes somewhere that VLAN A was for accounting, VLAN B was for HR and so on," he said. "IDM simplifies that."
Setting up this IDM-based infrastructure requires HP ProCurve switches at the LAN edge, a Microsoft Internet Authentication Server - a Radius-based server - and a dedicated server running the HP switch management and IDM software. Since the HP authentication scheme uses media access control (MAC) address filtering, 802.1x authentication and Differentiated Services QoS, a firmware upgrade might be required to add these features to switches.
HP's new policy-based network capabilities are an answer to products such as Enterasys' User Personalized Network and Trusted End System frameworks for mixing network policies, access control and bandwidth management. Alcatel's Automated Quarantine Engine and Cisco's Network Admission Control technologies offer comparable features.
But HP's IDM lacks support for checking anti-virus and client machine software compliance, whereas Enterasys and Alcatel support this on their systems. Cisco does this on routers, and will add switch support next year. HP says IDM will have a way to verify client PC/laptop credentials and compliance in the next release in mid-2005.
In addition to the management software launch, HP introduced an upgrade for its ProCurve 2600 and 2800 10/100/1000Mbit/s wiring closet switches. New features include MAC-address-based authentication and locking, support for more VLANs (raising the maximum from 60 to 256), as well as jumbo frame support. This software upgrade is free for ProCurve switch users.
IDM costs $5,500 and requires ProCurve Manager Plus, which costs $3,200.