Network security

Open source networking hums along, quietly

Open source has been buzzing lately: Gartner identified it as one of the top 10 trends for 2008, and last week Microsoft announced it was publishing 30,000 pages of documentation for Windows Server 2008 and Windows Vista and launching an “Interoperability Initiative.” Google is pushing open applications and development of the new Android operating system, while Verizon claims to be opening its network.

In the networking industry, however, while open source adoption seems to be growing at a good clip, I don’t see much hoopla about it. So I’ll forgive you if you missed Shamus McGillicuddy’s article about the launch of ZipForge, a new website Alterpoint developed to support its ZipTie open source network configuration product. The ZipForge site provides a place where AlterPoint vendor partners can post interoperable ZipTie components that developers and users can download, review, and contribute to.

It would be great to see users take advantage of this repository to consolidate other networking-specific software tools, much like a true SourceForge (from which the new site partly takes its name) for networking pros. According to the article, networking has experienced less of an upsurge in open source because the technology itself is so reliant on hardware. While that may be true in a basic sense, software is becoming far more important and familiar. There are already several open source programs that networking folks use regularly, and that list is bound to expand.

Network engineers have long used open source software to run routers, VPNs and VLANs on run-of-the mill servers. Snort, OpenNMS, Nagios and Nessus are staples in networks big and small. And the popularity of Asterisk, the open source IP telephony platform, continues to grow in leaps and bounds.

Open source is definitely a part of the network, but I think that’s how most networking pros view it — as just a part of the network. They choose it because it works well, it interoperates, or it’s cheap, and they don’t get too caught up in the idealism and spreading the word about the benefits of open source. Also, most networking pros wear so many hats that they can’t spend a lot of time thinking about one system or product. They are even less likely to use that time evangelizing or flaming posts over at Slashdot.

I recall a network administrator I met a while back at a trade show. He had installed a few Vyatta routers, and he thought they were fantastic. But he was also in the throes of rolling out Avaya IP telephony to multiple locations and installing a new supply chain automation system. So while he was happy with his open source routers, they probably weren’t the first thing on his mind. The buzz about open source in the network is there, but sometimes you have to listen hard to hear it.

Network security concerns: Mo’ remote workers mo’ problems

When the network was built like a castle, located in one static location, it was easier to have perimeter defense–the castle walls, the moat and hill (i.e., the firewalls)–protecting the royalty… I mean, data. Nowadays, there’s more royalty (information) to keep track of and they don’t stay put within the safe walls of their core network/abode.

Needless to say, security is a primary networking concern (as was seen in a SearchNetworking.com survey conducted last fall polling more than 1,200 readers). I blame this largely on the increase of wireless (many wireless network security best practices are mysteries to most), the growing deployment of mobile devices (anywhere access), and the fact that not only are corporate devices travelling well beyond office-building walls, but the workers are too.

Sixty percent of enterprises have wide-spread remote access–where 50% or more of the workforce have remote access to the internal network–according to Yankee Group who surveyed 200 enterprises last summer. Senior Analyst of Enterprise Research in Network Security Phil Hochmuth of Yankee Group reported that three years prior, less than 25% of organizations supported wide-spread remote access.

With such an increase in such short amount of time, it’s no wonder network administrators are worried about how to secure and manage all these people. I realize I’m one of them: in the past three years, the companies I have worked for either allowed me to work remotely or involved me working from home entirely; I’m living this statistic, as many of you now are too, I’m sure.

Office space can be costly for an enterprise, and for the workers–so can gas, auto-repairs, and overall transportation. But on top of avoiding commutes, there’s a business benefit; mobile workers in jobs like sales or consulting, which require them to travel, are able to access data, fill orders more quickly, and quicken the overall pace of business transactions because they no longer lose as much time when they’re on the road. Unfortunately for the system administrator, all of this remote interaction puts stress on the network.

Hochmuth said “increased employee productivity is the main driver behind the move to open up internal networks for anywhere access, and SSL VPNs are emerging as the main tool enterprises use to provide this type of access.”

Independent research firm Amplitude Research commissioned by VanDyke Software found in their Fourth Annual Enterprise Security Survey that organizations are heightening their commitment to securing data communications. Secure remote access was the number one security management issue facing their company, according to their 2007 survey.

“The survey findings correlate to what we see happening in the field,” said Jeff P. Van Dyke, president and founder of VanDyke Software: “There’s a lot on the plates of the systems administrators, and with securing remote access a top issue and secure file transfer showing significant increase as a top issue to manage within the enterprise, VanDyke Software focused on new features for SecureCRT 6.0 and SecureFX 6.0 that make life in these areas so much easier for IT and network administrators.”

Hochmuth said “enterprises are literally opening up for business when it comes to supporting the ability of their employees to work from anywhere.” And VanDyke Software is one such company “opening up for business” to meet the needs of floundering network administrator’s who have to implement and support the increasing number of remote workers for their companies.

I suspect many more are aiming to follow suit.

Server sabotage plot backfires on sys admin

Bridget Botelho has an interesting post on the DataCenter.com ServerSpecs blog about a recent story from Reuters covering a sys admin sentenced to 30 months in prison after his plot to wipe out his pharmacy benefit management company’s servers with a logic bomb — out of fear he was about to lose his job.

Network managers spend a lot of time protecting the network from common insider user threats such as sharing sensitive data over P2P or careless use of public wireless networks… (see Five common insider threats and how to mitigate them as an example). But who protects the network from trusted IT pros who do something irresponsible or intentionally harmful?

I don’t like it (but find it fascinating) when geeks perpetuate negative stereotypes about geeks — for example, the story of Hans Reiser, the Linux visionary accused of murdering his wife. In Reiser’s case, he didn’t use technology as his weapon, he used it as his defense: The “geek defense,” or “I’m a geek; I’m socially inept, but that doesn’t make me a murderer.”

I once knew a boy who hacked into a library’s computer network through a public terminal (this was back in the green text-on-a-black screen days) just to impress a girl. He sent all the terminals in the library into some kind of diagnostic that would tie them up for hours, and the girl was not amused. His reasoning seemed to be that if he was smart enough to do that and the library staff was dumb enough not to prevent him, then they deserved what they got.

I suspect that boy’s attitude was shared by the logic bombing sys admin, and tends to be common among disgruntled computer geeks everywhere. And it is probably perpetuated every day by the kinds of non-IT co-workers who say things like, “I don’t care how it works, just fix it.” So maybe the moral of the story is: Be nice to your IT guy, because you never know if he’s an evil genius with a chip on his shoulder (or a misguided impulse to impress a girl).

Wireless security major networking concern for 2008

A few weeks ago, I asked our readers to tell me the number one networking issue you’d like to learn more about in the new year. It was no surprise that “security” appeared again and again in the comments, but I thought it was interesting how many people wanted to learn more about wireless network security. That really shouldn’t be a surprise, given that the increased demand for mobility and flexibility is driving up the number of wireless deployments, and subsequently, the need for wireless security.

Rest assured that SearchNetworking has planned lots of wireless security coverage for 2008. But in the meantime, (if you don’t mind a little plug) I’ll point out a couple resources that are available to you now:

• This guide to wireless security covers the basics.

• The Advanced Network Workshop, “Integrating Networking and Security — Wireless Security” features a podcast, webcast and tip by wireless networking expert Lisa Phifer.

There were a few other themes that stood out amongst the comments. For starters, it sounds like the majority of readers are using Cisco products and want to learn more about those, or about networking heterogeneous environments in which Cisco hardware sits side-by-side with other vendors’ products. Keeping with the network security theme, some readers wanted to learn more about Cisco security and security automation.

A couple of people mentioned that they would like to learn more about implementing VoIP for SMBs. I would point you toward this brand new guide on SearchCIO.com to learn more about VoIP in SMBs: VoIP’s midmarket play.

Some of the themes we’d pegged for 2008 coverage already came up, including IPv6, virtualization, and MPLS. Watch this space (and SearchNetworking.com) for more tips and advice on those topics in the coming months.

And now for the winners of our feedback contest:

• Dmorley
• StewartC
  
• Sarku
• Swhuffman96
• Elysium
• Bfsteel
• Accarlson
• Aarchangel
• Snipe
  
• Indie1138

Thanks to everyone for your comments!

It’s a phone, it’s a computer — no! It’s your mobile device! (A comment on form factor)

You really can’t call mobile phones “phones” anymore, what with all the Web 2.0 applications springing up, such as FaceBook for BlackBerrys. These phones, or devices, have really become more like miniature computers, and this shift has its benefits and drawbacks.

I’m not suggesting the technology itself is a problem; what I mean is that users have to change the way they think about their devices. Even calling these devices “smartphones” does the products some disservice by keeping “phone” in the name. Sure, the device looks similar to a phone and it has voice capabilities, but that doesn’t mean a user can think it is merely a phone.

What happens is that users may often practice the same disregard for their mobile device that they would their old cellular phone, like leaving it in their hotel room or cab, or wherever you’ve lost a phone before. (I’ve had the strange misfortune of dropping mine into a bowl of soup.)

When we lose mobile devices, it presents a very real threat for enterprises: whatever corporate information is stored in the device can be compromised. It may not be the end of the world (depending on what mobile security precautions you’ve put in place beforehand), but treating a mobile device like a phone can cost a company.

The conundrum at the other end of the spectrum lies in thinking your mobile device is a computer. I know people don’t use these two words interchangeably or have a sudden relapse and think their computer is a phone. What I mean is that we want to do all the computer-esque actions on our devices — such as typing — and this is physically impossible. In this way, a handheld is very much like a spork: A spork saves you the trouble of carrying a fork and a spoon, but fails to really fork your meal or contain liquids; a mobile device brings portability to network data, but seriously lacks keyboard functionality and ergonomic earpieces (they’re about as comfortable as pressing a brick to your head).

I find a lot of irony in the fact that we want, and still try, to type on our handhelds. Logically, whatever we’re typing on must expanse the length of our two hands across — and this optimal typing size (we’ll say 11″x4″) could never fit into the palms of our hands. How will a handheld contain something at least twice the size of the hand (and fit into a pocket or purse)?

There are some remedies for the situation: foldout keyboards, for example — but having this extra piece of equipment does bulk up your load. Unless you have the deep pockets of a trench coat (which I’ve seen many a techie wear) it’s inconvenient to bring a foldout keyboard with you everywhere. QWERTY keys on smartphones work faster than traditional touch-dial phones, but typing with thumbs severely sacrifices the speed you get out of typing with all 10 fingers. Let’s not forget voice recognition software either; it has come a long way and might be the best solution for this problem.

If you’ve had no issues with the form factor of your mobile device, by all means, stop me now. There are plenty of wish-list gadgets out there that work great. But if you’re struggling like the rest of us, I’m all ears to your horror story or solution. Maybe we’re stuck for now — until someone invents an inflatable keyboard.

Is NAC stuck in the mud?

Around this time last year, network access control (NAC) was the be-all, end-all for network security. Performing pre- and post-admission checks on devices before allowing them access to the network and applications was still a relatively fresh concept.

And, as with every new thing, vendors scrambled and clawed to get their solutions to market and offer a new or different form of NAC, adding in one or two new components, but keeping the rest pretty much status quo.

Now, however, it seems it’s all been done. While many key vendors offer some form of NAC — Cisco, Microsoft, Juniper and others — it’s getting increasingly harder to differentiate between them, since NAC has entered the realm of commoditization. There are also still a number of vendors — Vernier, Nevis and many more – offering point-based NAC appliances and tools to fill the gap, but even those solutions vary in only minuscule ways.

I didn’t really see things that way until a recent chat with Current Analysis senior analyst Andrew Braunberg. While we discussed some additions and enhancements to Juniper’s Unified Access Control (UAC) NAC products, Braunberg quickly pointed out that NAC has gotten to the point where there isn’t much that can be added to it that isn’t already there. Sure, vendors can enhance certain elements and integrate NAC with other tools, but the core functionality of a NAC solution is likely not to change much for a while.

“There’s not really going to be anything new under the sun in the NAC market over the next few years,” he said. “Most of it is already available. Vendors will continue fortifying their NAC solutions.”

I have to agree. It seems the time for radical developments in NAC has stopped. That’s not necessarily a good thing or a bad thing. It just is. I’m curious, however, what that next big NAC development will be a few years from now. I’d like to ask you. Do you have any predictions on where NAC is heading? Do you agree or disagree that NAC solutions have reached a plateau? How will that affect your NAC purchases moving forward?