"Business technology news for Europe's senior executives...."

How to fortify your network security while reducing costs

HP ProCurve | www.procurve.euchoice

HP ProCurve Networking solution helps PGGM, the second largest pension insurer in the Netherlands, to increase network security and availability while reducing total cost of operation by 30%. By Bruno Hareng, EMEA security solution business development manager, HP ProCurve

ProActive Defense – the future of network security

A complete network security strategy must integrate with the organization’s existing IT infrastructure, enforce internal controls, and report security activities for auditing and forensics purposes.

Such a security strategy returns control to businesses by allowing them to secure their networks, while at the same time enabling easy access by authorized users to the information and resources they need to perform their jobs.

Taking control of network security means that companies must:

• Control access to the network and enforce appropriate use.

• Prevent or eliminate viruses/worms and unwanted network traffic.

• Understand both the internal and external threats.

• Make sense out of the enormous amount of security intelligence available and turn it into actionable items.

• Understand and demonstrate regulatory compliance to internal auditors, government agencies and supply chain partners.

To enable companies to achieve these goals, security solutions should be:

• Based on a trusted IT infrastructure and a sound strategy that mitigates risk and returns control to the organization.

• Comprehensive.

• Easy to deploy and use.

• Standards-based, interoperable and reliable.

The HP ProCurve ProActive Defense strategy addresses these goals by delivering a trusted network infrastructure that is immune to threats, controllable for appropriate use and able to protect data and integrity for all users.

It is implemented through the HP ProCurve Adaptive EDGE Architecture™, which is based around two concepts: control to the edge and command from the center.

  • Control to the edge of the network means that intelligent security – the ability for the network to respond and react – is located at the edge of the network, where users and resources connect. With security enforced at the edge – as close to users, applications or devices as possible – administrators can better secure the network against threats, regardless of the source. Moving important access and policy enforcement decisions to the edge of the network frees core resources to provide the high-bandwidth interconnect functions they are designed to perform. The result is not only better network security, but also better-performing, more flexible and scalable networks.
  • Command from the center gives network managers the ability to set policies based on business needs, driven by user identity, application and device type, and to report alerts and information about the security of the network. This provides unified access to critical network resources based on policies enforced at the individual user level. As a result, organizations can more effectively protect secure data while making sure that authorized users gain access to the network resources they need to be most productive.

Based on those principles, security tools such as ProCurve Identity Driven Manager allow the IT manager or network administrator to manage user access and mitigate security threats from a single console, where they can:

• Define groups – communities of users who share common network access privileges – and then define rules, or policies, that grant the appropriate network access and other resources to members of each group.

• Set policies for detecting and responding to internal network security threats, leveraging technologies embedded into the switch.

An important aspect of the Adaptive EDGE Architecture is that it is built on industry standards. HP ProCurve not only supports standards in its products, but also takes a leading role in the creation and adoption of networking industry standards – notably, the IEEE 802.1X standards for port-based network access control.

PGGM network challenges and solution

With around two million customers, PGGM is the second largest pension insurer in the Netherlands and manages pension funds in excess of €80 billion. The organization’s 1,000 co-workers are spread across four offices, which are all based in Zeist, Netherlands. PGGM puts a great emphasis on innovation and aims to offer its clients products and services which are in line with the latest developments in the market. However, innovation demands state-of-the-art technology that offers the flexibility to quickly react to change.

The network infrastructure that PGGM had been using previously was based on Cisco technology, which was failing to deliver the required flexibility, as Hans de Harde, ICT architect at the IT Operations department at PGGM, explains:

“The infrastructure we were using previously had been put in place eight years ago. Naturally, we had changed a few components over the years, but the network infrastructure itself was never updated. Thus, it was never re-aligned with new technologies such as video streaming and Voice over IP (VoIP), and because our network had grown enormously in recent years, managing it had become ever more problematic.”

The previous network also came with a significant disadvantage: its Total Cost of Ownership (TCO) was disproportionately high.

“Our services to internal customers are annually benchmarked by Gartner. This is used as a basis to determine which prices we may pass on to the departments. The maintenance costs for our previous network were so high that our incomes under those conditions were somewhat lower than our expenditure,” explains De Harde.

PGGM decided to design and implement a new network infrastructure which would resolve these issues. PGGM created the functional and architectural network design itself, and defined the requirements that the new network had to fulfil. One important priority was the need for flexibility: building a future-proof network to cater for video streaming and VoIP. Furthermore, the network had to meet PGGM’s requirements with regard to robustness, security, manageability, scalability and speed. However, the most important condition was that the TCO had to be reduced by at least 30%.

After an extensive selection programme, PGGM decided to implement a new network infrastructure based on HP ProCurve technology. One of the key factors in the decision to use HP ProCurve was the superior return on investment due to the competitive price on initial purchase, and low maintenance costs.

But in addition, HP ProCurve’s Adaptive EDGE Architecture™ was also perfect for integrating with PGGM’s own architecture design. “One of the functional requirements we defined for the new infrastructure, was that intelligence had to be at the edge of the network – and the Adaptive Edge Architecture supports this principle comprehensively,” adds De Harde. HP ProCurve’s Adaptive Edge Architecture enables businesses to complete IT initiatives while turning their networks into strategic assets. To help businesses such as PGGM to achieve this, HP ProCurve offers open standards-based products that fortify security, increase productivity and reduce complexity in the enterprise.

In terms of network management, HP ProCurve offers PGGM many advantages.

“In the past we configured the MAC address of each PC on the network port it was connected to. Therefore, every time we wanted to add or remove PCs, we had to manually reset network ports. ProCurve’s technology is based on the 802.1X standard, which now makes life a lot simpler. Each PC now has its own digital certificate and can be connected via any network port in the building: the network checks the certificate and if this is recognized, automatically offers the PC access to the appropriate virtual network for that user,” explains De Harde.

Securing access and virtualization of the network with ProCurve Identity Driven Management

ProCurve Identity Driven Management (IDM) makes it possible to automatically connect users to the virtual network from their own business unit.

“The various business units within PGGM each have a virtual network which may only be accessed by their employees. In the past, we had to configure user access rights using MAC authentication on each port in combination with centralised Access Control Lists (ACL). If a user wanted to access their business unit’s virtual network from another location, this had to be processed manually. However, with HP ProCurve IDM, both the PC and the user are automatically recognised and connected to the appropriate virtual network. Thus workers have greater flexibility in selecting their work place, without requiring someone from our department to be present,” says De Harde.

PGGM’s state-of-the-art network is now equipped with HP ProCurve 5406 switches in the core, various HP ProCurve switches in the distribution and access layer, HP ProCurve 5412 switches for Point of Entry functionality and ProCurve Manager Plus (PCM+) for central network management. The large switches can be found in two computer rooms based at the two most remote parts of the building. The access switches have been placed throughout the building within 50 metres of each other. The various switches are interconnected via Gigabit fibre optic links. In order to guarantee high availability, the entire network has been designed to be fully redundant.

This new HP ProCurve solution fulfils all of PGGM’s expectations.

“Thanks to HP ProCurve we have been able to balance incomes and expenditures and cut back TCO by 30%. Our network bandwidth has also increased ten-fold, which gives our users access to a much more powerful network. Due to the redundant implementation, the HP ProCurve network is considerably more stable than our previous Cisco environment,” says De Harde, who also speaks in glowing terms about ProCurve’s network management.

“ProCurve Manager means that we spend a lot less time managing the network.” According to De Harde, another important business benefit is the enormous cost reduction that PGGM has managed to realise. “As a result of much lower purchase and maintenance costs, we have been able to cut back total cost of operation by 30 per cent,” confirms De Harde.

Ready for future Video and VoIP projects

The upgrade to the new HP ProCurve network took place seamlessly and smoothly.

“For an organisation like ours, which is entirely dependent on well-functioning IT, such a step is a bit like open-heart surgery,” states De Harde. “Not only did the system in question have to be halted, but all other automated IT systems were also brought to a halt. At such a time, the chances of malfunction are incredibly high, and because we were prepared for all eventualities, all our suppliers were on stand-by; however, none of them were called upon.”

“The team at HP ProCurve was very willing and flexible with regards to the times when implementation had to take place.” Other positive aspects in the HP ProCurve partnership were also identified by De Harde.

“HP ProCurve is a lot more flexible than Cisco. In addition to offering free software updates for the life of the product, HP ProCurve is also prepared to implement changes or adjustments to functionality which we regard as necessary or desirable – this would have been unthinkable with Cisco. And furthermore, the comprehensive lifetime warranty provided by HP ProCurve is a great value-add. Naturally, equipment like a switch does not malfunction often but, if it should, we have the consolation that it will be replaced free of charge,” concludes De Harde.

PGGM is currently busy preparing for video streaming and VoIP.

“In the summer, the whole organisation will be able to make use of video conferencing facilities. We have now established VoIP at one of our four premises, and that is where we will test-run this new technology. In 2010 the whole organisation will switch to VoIP, and we have complete confidence that our new HP ProCurve network will ensure a smooth change-over following the impressive results we have already,” says De Harde.

 

