Security, Maintenance Top IT Pros Networking Concerns

By eweek  |  Posted 2003-06-11

Security, Maintenance Top IT Pros Networking Concerns

Several members of eWeeks Corporate Partner Advisory Board recently met with eWeek Technology Editor Peter Coffee for a Roundtable discussion about the corporate network. Security and reliability topped both priority and challenge lists, especially as the window for maintenance gets increasingly smaller or even nonexistent.

eWeek: Whats the biggest issue relating to your corporate network that you are expecting to have to deal with during the next six to 18 months?

Nowicke: Theres something thats kind of outside of my control. I work for the U.S. [District] Court, and our organization has launched a project whereby all of the filings done in the court will be done electronically. As a result of that, were inheriting a product that we had no involvement in designing, and we will be dealing with a lot of electronic images and also electronic transmissions. We dont really know how that is going to impact us.

Weve got some concerns about the fact that, right now, were operating in an 8-by-5 [eight hours, five days a week] world, and well be expected to operate in a 24-by-7 world. From the network side of things, that means we are continuously up and available, and our WAN links are up and available, and we also have a lot of new requirements regarding storage. Not all of the solutions are being presented to us.

eWeek: What do you mean by that?

Nowicke: As far as storage, as far as growth, as far as redundancy. Well be inheriting a new responsibility, but we arent also inheriting all the answers on how to support that responsibility.

eWeek: For example, your current backup procedures wont migrate smoothly to a 24-by-7 environment?

Nowicke: Correct. The types of servers that were going to be getting are very different from the servers that we have right now in the fact that we are expected to be up 24-by-7. We now have maintenance windows during which, after-hours or on the weekends, we can safely take the whole system down and no one is impacted. [Moving forward,] taking the system down at any point in time will impact attorneys who are filing documents electronically. Also, people in our remote sites who have to get to our central server at headquarters will be impacted if any WAN links are down or if we need to do maintenance.

eWeek: Do you think that this kind of network operation may lead you to start looking into outside services for some of your uptime assurance and other quality assurance requirements?

Nowicke: I think it might. One thing thats on the radar right now is having an outside force come in and assess our network and the performance of the network and whether or not well be able to meet the demands that are required for performance and response times.

Security, always a work

in progress"> eWeek: Michael Skaff, what are you looking at as the 800-pound gorilla at AdSpace?

Skaff: I think its something that has always been and probably always will be a work in progress--security. As our networks grow--and they are growing pretty much daily at this point, as we add customers both internally and externally--Im increasingly concerned about managing enterprise security and making sure that all of our doors are closed and locked in the right way.

eWeek: The external customers that youre adding--are those supply chain partners or general public?

Skaff: General public, in general. Were actually looking at supply chain partners and adding them as well, but that will probably be more of a tertiary step. Initially, its more the pure internal and external customers that Im concerned with.

eWeek: The external customers you have pretty much no control over--things like client configuration. You just have to be open to all comers?

Skaff: Exactly. We are trying to find ways to lock that down via different methods. Its the age-old balance of security versus usability.

eWeek: How do you feel about your securitys state at this time? Do you feel that youre where you need to be, or are you way behind what youd like to be?

Skaff: I feel were moving in the right direction. I dont think Ill ever be satisfied with where we are--its the nature of the beast. We have work to do, but weve also done a lot of work in that direction, as well. … Were starting to see more vendors pay attention to security as a top priority, but theres still a long way to go. Were still playing catch-up with the black-hat researchers, if you will.

eWeek: Kevin, whats happening up at the S.C. Johnson School of Management?

Baradet: Were going to be doing pervasive wireless very shortly. Were looking at a system from a company called Chantry Networks [Inc.], which is using something they call BeaconPoint, where the radio is separate from the actual LAN switch and you can do policies and authentication and class of service, quality of service.

eWeek: This would let you administer a different set of access policies for wireless users than for wired users?

Baradet: No. Right now, its strictly for the wireless system, but it lets you discriminate among the wireless users. So if youre unauthenticated, anything you try to do gets diverted to a captive portal. You can put Web page links there so that [users] can access internal information or general information and also go and register themselves.

eWeek: This would make it easier for you to have multiple classes of wireless service for different degrees of trust?

Baradet: Correct. We very often have executives who come in to give presentations. We dont always know about it; it happens at night. Theres not always a good way to make sure that the people can get on. Starting with the next fiscal year, were going to be mandated to have every device on our network registered back to a person for accountability purposes.

eWeek: I know youve been a wireless adopter from pretty early on in the emergence of 802.11 technology. When you say "pervasive wireless," what change does that imply from what youve been doing for the last few years?

Baradet: Were going to basically put it down to an access point in every classroom and take it throughout the building from top to bottom. The primary driver for that is Tablet PCs, of which my boss is a fan. She wants to be able to use [her Tablet PC] anywhere in the building as she goes from meeting to meeting, and were seeing great demand from our students. They have their laptops, but they dont always use them in class and dont want to carry them around. So they would like to use a Pocket PC device or something of that nature to schedule meetings, check e-mail and so on while they are in class and as they roam about the building.

eWeek: What about outdoor areas, general campuswide wireless?

Baradet: There is a general campuswide wireless system thats called Red Rover. It was primarily installed in the libraries and common areas [whose wiring was] too expensive to retrofit, primarily because some of these buildings date back to the late 1800s. That system is run by the central IT group. Its been completed, and now they are looking at putting wireless in other areas.

Management, in all its

forms"> eWeek: Ed, whats FN Manufacturings big network radar blip right now?

Benincasa: On the application side, for the stuff thats running on the network, were going to be putting in an [enterprise resource planning] upgrade. Were also looking at online document management, but its not just one facility. For engineering documents, its a worldwide project. That will, obviously, put some demands on the network, the capabilities, the LAN links and storage requirements.

The other issue that were trying to resolve is, like everybody else, security in patches. They are a constant issue for us, and were struggling with them every day to resolve. Were also looking at wireless but havent gotten that heavy into it yet.

Gunnerson: Were looking at lots of different things [at Gannett], but one of those is to try to look at the complete cost factors involved in any circuit, and were trying to change the rules.

eWeek: In terms of being able to bill more accurately across business units?

Gunnerson: In order to drive cost down. What weve been looking at is methods of consolidating--bringing groups together where they might not have been together before--regionalization where it makes sense, splitting out the cost of a circuit and then figuring out ways that we can work within the system to make it cost less.

eWeek: Have any of you made a decision as to whether youre going to try to handle things such as patch management of your PC and other rich clients by a push technology, where the network is the means by which you get patches, security updates and other things out to the client devices?

Benincasa: Were looking it at. Originally, we were running [Microsoft Corp.s] SMS [System Management Server], but were pretty much shutting that off because it just didnt perform well for us. So were back at square one, looking for something to use.

eWeek: The performance problem being what?

Benincasa: There were all kinds of issues with SMS. As a matter of fact, the server right now is just off in oblivion--it has to be completely reinstalled again. Were relooking at other options, but we have not come up with a list at this point. We do need something automated, and its not just the patch management; its also, how do we successfully test all of this, especially on application servers, before we roll them out? Weve got a lot of issues, and I imagine everybody else does.

eWeek: It sounds as if one of the key problems for all of you is the need for a stable, reliable 24-by-7 client network while at the same time being constantly in a position of needing to evaluate and test and install changes driven in large part by the security concerns.

Nowicke: Were planning to set up an independent network so that we can test some of that stuff. Even though we have a pretty heavy staff load to help do that, you reach a point where there are only so many hours in a day. It gets to the point where, do you have time that you can sacrifice to do the testing and the patching, or do you need to really rob from that activity and go back to doing the maintenance and the setup and all of the other stuff?

At the same time, youre constantly trying to keep pace with disk requirements and memory requirements and user requirements and supporting users. It just gets to the point where you kind of hit your head on the ceiling.

Maintenance 24x7

eWeek: Michael Skaff, when you talk about security, are you talking about making sure that the network is protected from things that could hurt it or about using the network proactively as a tool for delivering and enforcing security?

Skaff: Both, actually. I also wanted to comment about what Susan said. Im seeing the same thing: Im seeing maintenance windows disappear, essentially; there is no longer time for that. Its really having to try and figure out how to get around that idea whenever possible and maintain the 24-by-7 network.

eWeek: You have to tune the engine while its running.

Skaff: Pretty much.

eWeek: Ed, you talked about your move toward using the network for engineering document availability for a worldwide engineering project. It sounds as if theres more than a little in common between what you have to do and what Susan is looking at doing with becoming the host for electronic filings and document access. What are some of the architectural choices that youve made as far as that document availability goal is concerned?

Benincasa: Weve actually been looking at site vaulting, like live vaulting, which Susan might find interesting. Were definitely very interested in the full online backups that are done, basically, over the wire. Then the issue becomes the pipe and making sure that you have a wide-enough pipe to support all the data that needs to flow over there. … We actually have it easier than a lot of organizations because our critical data is actually stored at multiple points in our architecture redundantly. That solves a lot of potential problems there.

eWeek: How many of you are dealing with heterogeneous networks because youve got branches of the network that are using older technology?

Nowicke: Were pretty much single standard.

eWeek: Which is?

Nowicke: Ethernet, and our local connections are [100M-bps] or gigabit uplinks. Our wide-area connections are T-1 frame relay, and its pretty consistent throughout the enterprise.

eWeek: Internally, youve preinvested in cabling thats capable of moving to that kind of bandwidth?

Nowicke: Correct. [Category] 5 for the [100M bps] and then fiber, obviously, for the gigabit.

eWeek: Do you feel youve pretty much got the cable plant in place that you need to meet your foreseeable needs?

Nowicke: Yes, we do. Plus, in the infrastructure, were using all Cisco [Systems Inc.] routers and switches. Theyre all within a year old; that part is in good shape.

eWeek: So, Ethernet is pretty much universal at this point?

Baradet: Yes, for us. There are areas of the campus where theres probably still some AppleTalk running around, but most of those folks are switching over to Mac OS X, so everything will be over Ethernet. There might be some older stuff floating around, but thats pretty much confined to a specific lab or a machine room area. We shut off AppleTalk about five years ago.

We still have a little bit of IPX running around, but thats mainly because weve got some older [Hewlett-Packard Co.] LaserJets that only do IPX, and they refuse to die. As long as they crank out paper, were not going to replace them. Its relatively low cost to keep the IPX running and to service them from print queues.

Bandwidth challenges

eWeek: Ed, is bandwidth for some of your remote sites a more difficult challenge?

Benincasa: Were not having too much trouble because the remote sites are smaller sales-office-type situations, so there isnt a huge load. Were pretty much running VPNs [virtual private networks] to all facilities worldwide today. Its easy for us to up the bandwidth; we havent had too much trouble there.

eWeek: Those remotes sites, are they coming in by dial-up?

Benincasa: No, these are site-to-site VPNs.

eWeek: So far weve been talking about the network pretty much as if it were a single platform. We havent really talked about the notion of whether there should be one network for general use and one network for storage.

Skaff: Were doing primarily JBOD [just a bunch of disks] right now, but were moving toward separating off a network for storage because our storage needs are going through the roof right now.

eWeek: Do you expect thats likely to be Fibre Channel or IP-based or what?

Skaff: We havent decided yet. Were still reviewing the technologies, but a change is probably coming in the next three to six months.

eWeek: The reason for splitting the functions is to maintain performance on your general-purpose network while the storage network demand grows?

Skaff: Very nicely summarized, yes.

Baradet: We are in the process of putting in a separate network in our machine room area, to run backups and move data disk to disk so we can get the traffic off of the network that the end users hit against. We havent quite figured out what were going to do as far as the disk interfaces. My guess is well probably go with iSCSI simply because, that way, we can do two disk backups overnight and then from disk to tape during the day.

eWeek: This would address one of the questions about doing things in your shrinking or nonexistent maintenance windows?

Baradet: Correct. By restricting it, were most likely going to do it all on fiber, so were not going to have to worry about changing out any wiring as the bandwidth needs go up. Then it will also be secure because it will all be contained, and there will be no outside access to this particular network.

eWeek: Ed, do you try to provide centralized backup for your outlying offices, or do you leave that to them?

Benincasa: The backup is at the actual facility itself. We use cartridge units, and we just manage it from this facility here.

eWeek: Its remotely managed but locally stored?

Benincasa: Yes, because theres too much data to push over a VPN line.

eWeek: In your larger facilities, are you using a unified network or a separate storage network?

Benincasa: Its a unified network.

eWeek: Do you expect that to be sufficient for the foreseeable future?

Benincasa: Yes, I do. Weve got some extra capacity still in it, so we think were okay.

Gunnerson: We have everything. What Kevin said about putting your backup on anther network, we do that in our data centers all of the time. It just makes a lot of sense and keeps the collisions down when you have to run 24-by-7.

Each one of our newspapers has its own systems, and they all do their own backups--so were distributed that way. In a regional environment, where were consolidating resources, we have a dark fiber network that uses DWDM [Dense Wavelength Division Multiplexing], which means I can use an optical wavelength to segment that one pair of glass fibers to multiple virtual optical channels. I can use those for my storage area network.

eWeek: You can have virtually separate networks on a single piece of fiber?

Gunnerson: Thats correct.

eWeek: And divide their functions between general-purpose network activity and more specific storage functions, for example?

Gunnerson: Weve got design plans that show Fibre Channel running right over the top of the same pair of fibers as everything else in the DWDM network.

eWeek: You have protocol diversity as well as multiple channels?

Gunnerson: Protocol diversity, and I can also spin up additional IP circuits that are dedicated specifically to running over IP.

eWeek: How do you feel about the maturity of the DWDM offerings available now?

Gunnerson: I think theyre great--if we didnt have an ROI on it, we wouldnt have done it. The nice thing about it is once you explain how that works to everybody in the networking and storage business, they all go, OK, Ill get my own, and we have a shared infrastructure, and theyre all happy. It works out really well.

Storage management

eWeek: Michael Schwedhelm, how is storage being handled at United Labor Bank?

Schwedhelm: Every day, we have tapes that go off-site.

eWeek: Are you able to do those backups while the network remains up, or do you have a maintenance window when services are reduced?

Schwedhelm: Were able to do it with the network being up. We do the backups starting from about 10 p.m. to 6 a.m., when weve got little to no traffic.

eWeek: Although youre a 24-by-7 network, your activity pattern is such that youve got resources to spare during that long period of time?

Schwedhelm: Thats correct.

eWeek: Is that changing a lot, in terms of people expecting more online services? Are you using more services on a 24-hour basis?

Schwedhelm: Yes. Weve recently come out with our Internet banking product, so were beginning to see additional off-hour activity. Were [still able to] do the backing up. Things run a little bit slower, but the traffic is so much less than during the day that it hasnt been an issue yet.

eWeek: Michael Skaff, youve mentioned security as being high on your priority list. I would guess that wireless is a big part of that picture for you.

Skaff: That is very definitely true.

eWeek: Do you have a lot of rogue access points coming in, or have you put policies into place regarding that?

Skaff: We do have a policy in place, and it has been very successful internally. Externally, were actually using wireless more, for our customers, because there is more of a demand for it. What we have to do is test it extensively internally so that when we deploy to our customers we are basically resident experts.

eWeek: When you talk about deploying wireless to your customers, does that mean making access available to them through a third-party network, or do you actually assist them in configuring that?

Skaff: We are assisting them in configuration. A lot of times with our customers, we will work with them to integrate the access points into their architecture. But with the way we install, a lot of times its either were recommending best practices to them in terms of security or they just ask us to go ahead and implement that ourselves for them.

eWeek: Is the typical environment for that a retail store floor?

Skaff: Correct. Thats why theyre so concerned about security. Theyre worried about someone coming by with a laptop and hoping on.

eWeek: What do you feel is the current state of the art in terms of providing that kind of security for wireless access in a public space?

Skaff: So far, I think Cisco has the lead, but other vendors are starting to catch up a little bit. It looks like theres a lot of research being done in this direction, and Im hoping that it continues. As things are developed, they are cracked. So, like every other part of security, its sort of a constant catch-up game.

Enhancing authentication

eWeek: Kevin, you talked about enhancing your authentication to tie up more closely to users. I guess you mean as opposed to just authenticating the device?

Baradet: Or as opposed to just wide open, as it is now.

eWeek: Whenever we talk about this kind of mobility thing, I always think about IPv6, which incorporates mobile IP as part of the upgrade. Knowing what IPv6 is capable of doing, do you wish the vendors would get on the ball, or is it a cost that you just dont feel that you need to incur?

Baradet: Theres nothing driving me there at the moment.

eWeek: Gary, you guys work on a very large network and in an environment where I would think some of the things IPv6 brings to the table would be useful. Do you feel youve already gotten those things by other means, or is it just not an issue?

Gunnerson: Most people know that your internal network can be separate from your advertised external network, and we dont have a big issue with running out of address space.

eWeek: Are any of you currently looking at how things like the USA Patriot Act will affect the network and network requirements--things like storage capacity, storage availability, the ability to differentiate between business data or data that might have to be revealed to government investigators?

Baradet: The general policy thats out there now is that when someone shows up at the door, just pick up the phone and call the university counsels office, and they will then deal with the situation.

I do get cease-and-desist notices from the [Motion Picture Association of America] and the [Recording Industry Association of America] to take things down, and we do have to track and have the material removed. Thats part of the driving [force] behind the registration of devices and being able to trace something back to a user.

eWeek: Do you believe, one way or anther, that youre going to be held to a higher standard for being able to account for who did what at what time on your network?

Baradet: Thats a good question. I dont know, but I think that the civil hammer is one that people are more worried about, because no one has really been sued civilly yet and so damages havent been awarded. So theres no way of really gauging what your exposure is.

eWeek: What about the general question of increasingly complex rules on record retention?

Gunnerson: We have a rule that we started about 10 years ago that is pretty simple: If you delete an e-mail record, its gone in three days.

eWeek: Gone, gone?

Gunnerson: Gone.

eWeek: You have a system in place that says its gone from the backup--its gone from everything?

Gunnerson: We do a three-day rotation backup on e-mail records, and if it leaves your post office box, its gone.

Data security

eWeek: What about security on the side of making sure youve gotten rid of what you have no business reason to keep?

Skaff: We have a similar policy in terms of e-mail retention. Its something weve just started to address and have started to look into as an important focus. In terms of document destruction, weve actually looked at other forms of protection--more specifically, around encryption, hard disk encryption and those areas, as sort of an alternate method. In terms of a clean sweep, it hasnt been as much of a priority for us--up until now, at least. It is something that I am aware of.

Gunnerson: Do you use key destruction as a way of getting rid of the ability to read documents or read hard drives?

Skaff: That is the easiest way, so, yes. Thats what weve been using so far. I dont really think of it as the best solution, by any means. Its certainly the simplest in the short run.

Schwedhelm: On July 1, a new California law will require us to publicly disclose if were hacked. Any business in California is going to be required to do this.

eWeek: Is it falling on your shoulders to become the force for user and business unit education in this area?

Schwedhelm: Yes. Im also the banks security officer, in addition to being IT, so this falls in my neck of the woods.

eWeek: Where do you see yourself being challenged to develop new capabilities or to develop new skills in your people?

Schwedhelm: Security, specifically intrusion detection. A good deal of this, again, is being driven by SB 1386. The way this law is written, if you are aware, or just believe, youve been breached, you have to disclose it.

eWeek: Do you anticipate that California law becoming a model for other states?

Schwedhelm: Actually, it would be wonderful if it were to become a national law. … It will become a nightmare if, for example, you have one law in Nevada and in Arizona youve got another.

eWeek: Are you seeing initiatives in other states that would be similar but different enough to be a problem?

Schwedhelm: We havent heard of anything yet. The latest Ive heard is this is kind of the trendsetter.

Rocket Fuel