Managing a worldwide network can be tough. Node by node, you painstakingly map out the entire structure. And just at the point when you get to know your company's network, your company merges with another business. Now you know only half of what you need to know. What if that merger goes global? You'll know an even smaller fraction of your network.
Such was the case with London-based Smiths Group, a worldwide organization dealing in aerospace systems, medical devices, detection systems, mechanical seals and interconnect products. Half a decade ago, Smiths Group comprised two holding companies—TI Group PLC and Smiths Industries.
In December 2000, the two merged, resulting in a corporate culture clash between the respective IT groups. TI Group's philosophy was standardization and, as a result, it sought out global procurement deals. On the flip side, Smiths Industries had a more hands-off approach with regard to purchasing, allowing each global office to act independently.
It became clear there would be IT issues, but it wasn't clear exactly which ones. So the Smiths Group IT department surveyed the company's global business units. The department discovered that the merged organization bought WAN services or data connectivity from practically every carrier in the world. That practice meant little to no standardization, which translated into confusion.
"We had roughly 170 Internet points of access out of 400-plus locations. Out of those, we could verify only 35 to 40 firewalls that met anybody's acceptable standards," said John Lytle, Smiths Group's communications project manager. "We knew we had an exposure there from a security standpoint."
Smiths Group asked itself what the WAN should look like. The company decided to go with a single provider. After a round of RFPs (requests for proposals), it chose MCI Inc.
The need to know the network has given rise to a market for network discovery applications—programs that crawl around the network, verifying specified addresses. To know those addresses, network managers must know what they have. "We'd have to trust that some guy at that location was being honest with me and telling me everything he had connected," said Lytle. "In some cases ... there is no local IT staff."
Given the unevenness of local network knowledge, Smiths Group realized it had an incomplete survey. It could not assume that everyone connecting to the network had the company's overall interests in mind. "It may be an engineer or finance person who just wanted Internet access," Lytle said. "So he bought a DSL connection locally, connected his office up, and he's figuring he's good. He didn't necessarily have a firewall in place. He didn't really understand any of the routing rules or the interconnect issues that come up."
As Smiths Group looked further away from the core of the network, it barely knew what it had. The company found an answer in a press release from Lumeta Corp., of Somerset, N.J., the maker of IPsonar—a network discovery tool that can troll worldwide enterprise networks looking for unseen routes, routers, hosts, servers, wireless access points and errant connections.
"The challenge is identifying how the address space is wired together, what are all the paths and routes in the address space, and where does your address space connect to other address spaces on, for example, the outer perimeter of your network," said Dave Arbeitel, Lumeta's senior vice president of strategic development.
Most IT managers who want to know what's on their network and what it looks like "really have no clue," said Glenn O'Donnell, an analyst at Meta Group Inc., based in Stamford, Conn. "We've been kind of naive about some of this."
O'Donnell said he has been watching the development of IPsonar from the time it was an Internet mapping research project at Bell Labs, before Lumeta was spun off to market the product. From Version 1.0 to the current version, 3.0, IPsonar has been transformed from a service-only security audit to a commoditized product with general improvements to its overall discovery capabilities, he said.
Smiths Group's Lytle said he looked at other infrastructure solutions, such as Hewlett-Packard Co.'s OpenView and SolarWinds.Net Inc.'s network management tools. "The gap that they have is that they will only report back to you what you already know," said Lytle. "[IPsonar will tell you] who's got a nailed-up VPN connection to a buyer or supplier in Germany that you don't know about and isn't documented anywhere."
Smiths Group found that its network covers 390 sites and 20,000 devices, or about 1.5 Class A address ranges. Three to five times a week, Lytle runs scans that range from a single site to the entire global network.
Although powerful, IPsonar doesn't have all the answers. It can reach only nodes that it can legitimately route to. It can provide clues, but final answers take human detective work. As Lytle said, "If you have a site of 500 users, but you get a report back from IPsonar that said there are only three devices there, there's a firewall."
Freelance writer David Spark is at firstname.lastname@example.org.