Securing The Center

Computerworld - Heightened concerns about cyberterrorism and the increasing need to open internal networks to outside access are pushing corporations to bolster data center security, both on the IT front and physically.

The goal is to add multiple layers of protection and redundancy around the data center infrastructure and software while still maintaining the levels of service demanded by the business.

On the physical side, companies are boosting their business continuity and disaster recovery capabilities by buying and building redundant hardware and facilities and geographically separating their IT assets. The technology effort, meanwhile, is focused on supplementing traditional firewall protection with newer intrusion monitors, access control tools and tougher IT usage polices.

The need for such protection is being driven by cyberthreats and the growing use of the Internet to link companies with partners and customers, says David Rymal, director of technology at Providence Health Systems in Everett, Wash.

"There is an increasing pressure to enable wide and unfettered access from our business units. We are getting so many requests to open up ports in our firewall that pretty soon it is going to look like Swiss cheese," Rymal says. "The more of them you have open, the more vulnerabilities you create."

The whole notion of Web services, under which companies link their systems with those of external partners and suppliers, is only going to increase the need for better security, users say.

Adding to the pressures is the growing number of remote workers and the trend toward wireless applications. This has meant finding better ways of identifying and authenticating users and controlling the access they have on the network.

"You have to keep in mind that the minute you open your servers or services to the Internet, you are going to have bad people trying to get in," says Edward Rabbinovitch, vice president of global networks and infrastructure operations at Cervalis Inc., a Stamford, Conn.-based Internet hosting service.

While it's impossible to guarantee 100% security, companies should make things as difficult as possible for outsiders or insiders to steal or damage IT assets, IT managers say.

Cervalis' security, for instance, begins at its ingress points—where the Internet meets its networks. The company uses strict port control and management on all of its Internet-facing routers to ensure that open ports don't provide easy access for malicious attackers.

Redundant, load-balanced firewalls that are sandwiched between two layers of content switches filter all traffic coming in from the Internet. Network-based intrusion-detection systems are sprinkled throughout the Cervalis network.

Cervalis is beta-testing an anti-denial-of-service attack tool from Israeli start-up Riverhead Networks. The tool will let Cervalis quickly isolate denial-of-service traffic that's directed against a particular Web site or server belonging to a hosted customer, without affecting the rest of the network.