Network Management and Control
By Dr. Marc Willebeek-LeMair, PhD - CTO, 3Com® and TippingPoint
Introduction
Most current networks and network appliances are built for the strictly utilitarian purpose of moving and directing traffic on an equal basis regardless of the importance or appropriateness of the traffic. All traffic is equivalent to all other traffic.
In a keynote address to attendees of the 2006 RSA Conference, 3Com® and TippingPoint CTO Marc Willebeek-LeMair discussed some of the things this network architecture, which he calls the “Connectivity Plane,” can’t do well, and proposed new ways to manage and control networks to optimize their benefits and minimize both risks and inefficiencies.
Willebeek-LeMair envisions overlaying the “Connectivity Plane” with a “Control Plane” that enables comprehensive network security and application performance. He called this vision the “Bi-Planar” Network. If that term makes you uncomfortable, just think about those bi-planes that appear at air shows around the country. A bi-plane has two wings: one a few feet above the other. It’s that simple.
Inabilities of Current Networks
The Connectivity Plane suffers from the inability:
- to control what users, devices and traffic are allowed into the network
- to filter out malicious and unwanted traffic
- to prioritize and accelerate business critical applications on a converged IP network.
The blurred perimeter, increased IT complexity, evolving threats and the convergence of mission-critical data, voice and video onto a single IP network require a fundamentally different network approach.
Bi-Planar Networks
In a Bi-Planar Network, “purpose-built” network control nodes provide the full access, attack and application control that switches and routers cannot provide. These intelligent network control nodes are capable of fine-grained IP flow classification and policy enforcement, and are deployed seamlessly, cost-effectively and with no change to existing routers, switches or applications. Customers get the best of both worlds: Connectivity Plane investment protection, and future investment focused on the higher-value functions that evolve their networks to the next level of business protection and performance.
The Control Plane has the intelligence to inspect traffic, classify it, and take an appropriate, policy-based action. Each packet flow entering the network from wired, wireless, local or remote access, whether data, voice or video, is inspected for device, device health, user, and user access rights. Traffic flows are further inspected and handled based on cleanliness, priority, and the need for wide area network (WAN) optimization.
- Infected devices are quarantined
- Malicious traffic is filtered out
- Non-critical traffic is throttled
- Mission-critical traffic is prioritized and optimized according to business-driven policies.
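The decision sequence just listed, and the Access, Attack and Application Control functions described in the sections that follow, amount to an ordered policy pipeline per flow: check the device and user first, then filter malicious traffic, then apply business priority. The following is an added example of such a pipeline, written for this page; it is not 3Com or TippingPoint code, and the endpoints, ports, roles, byte pattern and rate budget it uses are constructed for illustration. It also shows one detail the list above leaves implicit: a device that keeps sourcing malicious traffic is moved from “drop the flow” to “quarantine the device”, which is what stops an outbreak spreading internally.

```python
# Added example: a toy "control node" applying access, attack and application
# control to each flow in order. All names, ports, roles and patterns are
# assumptions made for this illustration.
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    QUARANTINE = "quarantine"   # device isolated; only remediation traffic
    DROP = "drop"               # flow filtered out
    THROTTLE = "throttle"       # flow exceeds its rate budget
    PRIORITIZE = "prioritize"   # mark for expedited forwarding
    FORWARD = "forward"         # default best-effort


@dataclass(frozen=True)
class Flow:
    device_id: str
    user: str
    dst_port: int
    proto: str
    app: str            # result of application classification, e.g. "voip"
    payload: bytes = b""


@dataclass
class Endpoint:
    healthy: bool       # posture check passed (patched, AV current, ...)
    roles: frozenset    # roles granted to the user of this device


class TokenBucket:
    """Per-application rate budget used to throttle non-critical traffic."""

    def __init__(self, rate_bytes_per_s: float, burst_bytes: float):
        self.rate, self.burst = rate_bytes_per_s, burst_bytes
        self.tokens, self.last = burst_bytes, None

    def allow(self, nbytes: int, now: float) -> bool:
        if self.last is not None:   # refill for elapsed time, capped at burst
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class ControlNode:
    def __init__(self, endpoints, acl, signatures, app_policy, budgets,
                 outbreak_threshold=3):
        self.endpoints = endpoints          # device_id -> Endpoint
        self.acl = acl                      # (dst_port, proto) -> roles allowed
        self.signatures = signatures        # byte patterns treated as malicious
        self.app_policy = app_policy        # app -> "prioritize" | "throttle"
        self.budgets = budgets              # app -> TokenBucket
        self.outbreak_threshold = outbreak_threshold
        self.quarantined = set()            # sticky: stays until remediated
        self.malicious_count = {}           # device_id -> malicious flows seen

    def classify(self, flow: Flow, nbytes: int, now: float) -> Action:
        # 1. Access control: unknown, unhealthy or quarantined devices are
        #    isolated; known devices are checked against the port/role ACL.
        ep = self.endpoints.get(flow.device_id)
        if ep is None or not ep.healthy or flow.device_id in self.quarantined:
            self.quarantined.add(flow.device_id)
            return Action.QUARANTINE
        allowed = self.acl.get((flow.dst_port, flow.proto))
        if allowed is not None and not (ep.roles & allowed):
            return Action.DROP
        # 2. Attack control: filter malicious traffic; a device that keeps
        #    sourcing it is treated as infected and quarantined.
        if any(sig in flow.payload for sig in self.signatures):
            hits = self.malicious_count.get(flow.device_id, 0) + 1
            self.malicious_count[flow.device_id] = hits
            if hits >= self.outbreak_threshold:
                self.quarantined.add(flow.device_id)
                return Action.QUARANTINE
            return Action.DROP
        # 3. Application control: prioritize or rate-limit by business policy.
        policy = self.app_policy.get(flow.app)
        if policy == "prioritize":
            return Action.PRIORITIZE
        if policy == "throttle" and not self.budgets[flow.app].allow(nbytes, now):
            return Action.THROTTLE
        return Action.FORWARD


def build_demo_node() -> ControlNode:
    """Constructed sample policy; devices, ports and roles are made up."""
    endpoints = {
        "laptop-1": Endpoint(healthy=True, roles=frozenset({"employee"})),
        "laptop-2": Endpoint(healthy=False, roles=frozenset({"employee"})),
        "phone-1": Endpoint(healthy=True, roles=frozenset({"voip"})),
    }
    acl = {(5060, "udp"): {"voip"}, (3389, "tcp"): {"admin"}}
    signatures = [b"\x90\x90\x90\x90\xcc"]   # placeholder pattern, not a real filter
    app_policy = {"voip": "prioritize", "p2p": "throttle"}
    budgets = {"p2p": TokenBucket(rate_bytes_per_s=1000, burst_bytes=5000)}
    return ControlNode(endpoints, acl, signatures, app_policy, budgets)


def run_demo() -> list:
    """Push constructed flows through the node and return the actions taken."""
    node = build_demo_node()
    bad = b"\x00\x90\x90\x90\x90\xcc\x00"
    flows = [
        (Flow("phone-1", "bob", 5060, "udp", "voip"), 200, 0.0),          # prioritized
        (Flow("laptop-2", "eve", 80, "tcp", "http"), 500, 0.0),           # failed posture
        (Flow("laptop-1", "alice", 3389, "tcp", "rdp"), 500, 0.0),        # no admin role
        (Flow("laptop-1", "alice", 6881, "tcp", "p2p"), 3000, 0.0),       # within budget
        (Flow("laptop-1", "alice", 6881, "tcp", "p2p"), 3000, 0.0),       # over budget
        (Flow("laptop-1", "alice", 6881, "tcp", "p2p"), 3000, 2.0),       # refilled
        (Flow("laptop-1", "alice", 445, "tcp", "smb", bad), 100, 2.0),    # dropped
        (Flow("laptop-1", "alice", 445, "tcp", "smb", bad), 100, 2.0),    # dropped
        (Flow("laptop-1", "alice", 445, "tcp", "smb", bad), 100, 2.0),    # quarantined
        (Flow("laptop-1", "alice", 80, "tcp", "http"), 100, 3.0),         # still isolated
    ]
    return [node.classify(f, n, t).value for f, n, t in flows]


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

The order of the three stages matters: access control runs first so that a quarantined or non-compliant device never reaches the signature or application stages, and the quarantine set is sticky so a single benign flow does not release an infected host. The byte pattern and the token-bucket numbers are placeholders; a real control node would carry vendor filters and business-derived rate policies in their place.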
Access Control
Access control provides a uniform network-based method to enforce policy and compliance for all end points based on user, access rights, compliance, and security posture. It also provides a quarantine function for infected devices, so malicious traffic outbreaks cannot spread internally through the network.
Attack Control
Attack control proactively stops denial-of-service attacks, worms, viruses, Trojans, malware, spyware and other threats from pervading the network and crippling employee productivity and business operations.
Application Control
Application control enables enterprises to maximize their connectivity network investment by ensuring high priority applications, including voice and video, are dynamically prioritized and optimized for WAN performance—a critical objective given increasingly mobile and distributed workforces. It also enables businesses to save valuable bandwidth by limiting non-critical traffic, like peer-to-peer file sharing or instant messaging, according to policy.
About the Author
Dr. Willebeek-LeMair is an expert on network systems and security, and speaks frequently and internationally on the topic of security-specific processors. He spent 10 years at IBM's T.J. Watson Research Center, where he was responsible for the exploration of Intelligent Infrastructure Technologies as well as streaming audio and video applications. Dr. Willebeek-LeMair's extensive background includes research in distributed computing, high-speed networking technologies, network caching, personalization and transcoding proxies, network processors and management systems. He received his doctorate in electrical engineering from Cornell University, holds over 10 patents and has published more than 50 articles. Prior to 3Com, he was chief technology officer for TippingPoint, the leader and pioneer in intrusion prevention systems.