The network has become the most important component of the technology stack. It goes down and everyone goes home. It needs to be monitored and managed along with everything connected to it.
First there was the computer. Then came the network. Now everything from telephone handsets to GPS systems is connected. How does one securely manage all of this, especially given the heterogeneity of the technology involved? Your network probably consists of a number of disparate devices that have TCP/IP compatibility in common, but little else. Is it possible to manage the whole, or must the focus be placed on the parts?
“You are all running accidental architectures,” states Gartner analyst Andy Kyte, speaking at his company’s annual Symposium in 2008 and referring to the mash-up of technology that currently makes up most organisations’ networks.
“It is time to start running planned architectures,” he says. But until those planned architectures are a reality, network management means dealing with a cluster of disparate systems for most. One must also take the growing skills shortage into consideration and look at how technology can be used to make the task of management simpler.
“Everyone will be doing more work in the next five years than they did in the last five,” says Kyte. “But with less skills. So we need to look at service orientated architecture and business process management and how these can be used to our advantage and in light of a shrinking skills pool.”
Automation is key. Everyone’s time is at a premium and management needs to be intuitive, quick and easy. The solution involves good planning, controlling access to the network and banking on standards that allow for third party devices to be cohesively managed from a central point. And of course, security must be maintained.
An integral part of modern network management is controlling access to the network. This was less of a problem when computers were sizeable, immobile devices and nothing else had network support. But business networks are now accessed by laptops, mobile phones, PDAs and the likes of voice over IP handsets. Everything is hitting the IP network and presenting new challenges in terms of network access control (NAC) and management.
“Most access control solutions do a certain amount of post-remediation assessment,” says Andy Robb, CTO of Duxbury Networks. “Many NAC solutions out there require that a client is loaded onto end-user systems in order to work effectively, but this is not always possible and is not the best way of tackling the problem.”
“On a voice over IP handset, for example, installing a client will usually be impossible,” he continues. “Devices like handsets are usually rather simple devices and vendors do not make it possible to load third-party client software for them.”
But Robb says that the real threat is not the device itself but the vulnerability it creates within the network, because such devices are easy to spoof.
“To someone who knows what they are doing it is really easy to spoof a device on the network,” says Robb. “It is as simple as acquiring a device’s MAC address, cloning it, and immediately gaining all the network access afforded the authenticated device. Most network access control systems would be oblivious to the intrusion.”
In fact, many organisations do not even bother to place limits on simple devices, because they are hard-locked to specific network ports. Spoofing one of them could therefore yield comprehensive network access.
“So to ensure that access control systems are doing their jobs effectively it is necessary to have some form of post-authentication behavioural analysis,” explains Robb. “This entails monitoring a device’s activity on the network and attempting to detect any particular activities that would be deemed untoward. This brings us one step closer to detecting devices such as our spoofed VoIP handset, mentioned above.”
He says that once a device is validated on the network it is then necessary to ensure that it only receives access to the services it needs. For example, a VoIP handset should never need access to the enterprise’s file server. While the handset itself would probably not be able to even attempt to access such a server, a laptop spoofing the handset’s address certainly would.
“This becomes tricky with the likes of VoIP handsets that have LCD monitors built into them and are equipped with web browsers, for example,” says Robb. “This enables access to http ports over the corporate network. But sensitive systems should still only be opened up to the relevant devices and users that require them. This is another example of why proactive monitoring is a must.”
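As an added example of the post-authentication behavioural check Robb describes (this is not code from the article or from any vendor named in it), the following Python compares constructed flow records against a hypothetical per-device-class profile, so that a MAC admitted as a VoIP handset that starts talking SMB to a file server is flagged as a likely cloned address. The MAC addresses, subnets and the handset port profile are all assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed inventory of MAC -> device class as admitted by the NAC (made-up MACs).
INVENTORY = {
    "00:1b:4f:aa:bb:01": "voip_handset",
    "00:1b:4f:aa:bb:02": "voip_handset",
    "3c:52:82:10:20:30": "laptop",
}
# Hypothetical handset profile: allowed ports (DNS, DHCP, TFTP, NTP, web, SIP, RTP) and
# the only subnet (the phone portal) its web traffic may reach. Laptops are not profiled.
PROFILE = {
    "voip_handset": {
        "ports": {53, 67, 69, 123, 80, 443, 5060, 5061} | set(range(16384, 32768)),
        "web_to": ip_network("10.10.50.0/24"),
    },
}

Flow = namedtuple("Flow", "src_mac dst_ip dst_port")  # one observed flow record

def violations(flows):
    """Return (flow, reason) pairs for flows that break the admitted class's profile."""
    out = []
    for f in flows:
        cls = INVENTORY.get(f.src_mac)
        if cls is None:
            out.append((f, "MAC not in inventory"))
            continue
        prof = PROFILE.get(cls)
        if prof is None:  # class has no profile, so this check cannot judge it
            continue
        if f.dst_port not in prof["ports"]:
            out.append((f, f"{cls} used port {f.dst_port} outside its profile"))
        elif f.dst_port in (80, 443) and ip_address(f.dst_ip) not in prof["web_to"]:
            out.append((f, f"{cls} browsed to {f.dst_ip} outside the phone portal"))
    return out

# Constructed flow records standing in for NetFlow/sFlow exports from the switches.
SAMPLE_FLOWS = [
    Flow("00:1b:4f:aa:bb:01", "10.10.50.5", 5060),   # SIP to the call server: fine
    Flow("00:1b:4f:aa:bb:01", "10.10.50.5", 443),    # phone web portal: fine
    Flow("00:1b:4f:aa:bb:02", "10.10.20.10", 445),   # SMB to the file server: flag
    Flow("00:1b:4f:aa:bb:02", "10.10.20.11", 443),   # HTTPS to an intranet host: flag
    Flow("3c:52:82:10:20:30", "10.10.20.10", 445),   # laptop: no handset profile
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"ALERT {flow.src_mac} -> {flow.dst_ip}:{flow.dst_port}: {reason}")
```

The second handset MAC produces two alerts because its traffic matches a laptop rather than a phone, which is the behavioural signal that a MAC-only admission decision cannot provide on its own.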
Network access control should be holistic and architecturally integral to the network, with all bases covered in terms of access control, monitoring, detection and prevention. Part of managing devices is knowing what they are and accurately provisioning them with network access.
Keep it open
Standards are an important element in network management. While computing devices may be disparate and from a number of different vendors, if they adhere to standards they can be easily managed using tools that leverage these standards.
The fact that all of these devices are connected in the first place is thanks to their common support for the IP protocol. If they also support open standards that management tools can use, then it really does not matter who made them.
“It is important that core network infrastructure has effective management built in and that it is able to manage third-party devices from this central point,” says Gavin Zackey, regional sales director of 3Com South Africa. “This is why compliance with standards is important and why 3Com has committed itself to supplying standards-compliant networking products that are both able to manage and be managed by third-party devices that also comply with standards.”
He says that network devices can also be embedded with open source software, with the added advantage that they can be customised to meet specific business needs.
“At 3Com we talk about Open Services Networking,” explains Zackey. “And this enables differentiators for customers who are able to develop their own network environments according to their specific demands, and open standards allow for effective management of the entire environment.”
Networks are often grown organically, with components added as required. While it may be impossible for many businesses to plan this expansion so as to ensure single-vendor or related-device use, standards are a key way to ensure that management remains effective, and knowing the relevant standards makes it possible to identify them in vendor offerings. By relying on standards, centralised management that stretches from end to end of the network is possible, even in a heterogeneous environment.