Network management, security make for happy bedfellows

More companies are turning to strategies that address network management and security at the same time

With the walls between IT domains crumbling, companies are increasingly putting in place policies, processes and technologies that serve the twofold purpose of managing and securing networks.

That was one theme among speakers at Network World's IT Roadmap: Boston conference this week, which drew close to 700 attendees and 75 exhibitors. While network management has long been perceived as the "Rodney Dangerfield of IT," said Jim Metzler, analyst and vice president at Ashton, Metzler & Associates, the technology plays such a large role in other IT domains that it demands attention.

"There is a sort of negative buzz around network management," Metzler told attendees. "But I see innovation."

Technologies, processes and products that help companies respond in a "real-time-enough fashion to threats, opportunities and situations that impact the health and well-being of the organization" represent the wave of innovation in management, Metzler said.

IT automation software, Web services management technologies and best practices frameworks such as the IT Infrastructure Library are among the areas of innovation in management.

For David Hauser, automating the process of provisioning and patching some 500 servers with an IT operations staff of fewer than five people is what he considers management innovation. To start, the chief technology officer and co-founder of GotVMail Communications LLC wanted to be able to quickly roll out desktops to new staffers. Founded in 2003, the Weston, Mass., company currently has 35 employees, but Hauser said he expects that number to double in the next 12 months.

"Automation was never intended to replace IT staff, just shift their attention to more compelling tasks," he said.

Hauser shared with show attendees how he selected, deployed and currently maintains a pair of appliances from Kace to reduce manual labor and, more importantly, to secure his growing network of distributed data centers.

"Patch management and policy enforcement were two of the big factors we had in selecting a network management system," Hauser said.

The Kace system enables Hauser's staff to set policies and control application deployments on user machines. "We had a big security problem with people downloading and setting up applications to their machines themselves," he said.

To minimize user backlash, Hauser set up a self-provisioning feature within Kace that lets users select popular applications they would like to download to their desktop; later that day or overnight, the pretested and screened application is provisioned to the machine. "We make sure it works and aligns with our policies before they download it, but you don't want to completely restrict what they put on their machines," he said.

Similarly, Curtis Simonson, senior technologist at the University of New Hampshire InterOperability Lab in Durham, told attendees how his organization explored network access control (NAC) technologies to ensure PCs didn't spread viruses across the network.

"We wanted to prevent systems with viruses from getting on our network. And if they were on our network already, we wanted to prevent the spread of viruses," he said. "We also wanted to prevent access to those we don't want on our network."

Simonson tested and deployed Vernier Networks Inc.'s stand-alone NAC appliances to monitor machines gaining access to the network and assess their patch and security status. The product works using single sign-on technologies in conjunction with his Windows domain authentication systems and checks whether machines attempting to gain access to the network meet predefined security settings.

The product is currently running in a relatively passive mode, tracking traffic and access attempts and alerting lab IT staffers to anomalies. Simonson said he has yet to put Vernier's technology to work blocking access to unauthorized devices or placing potentially infected machines on a virtual LAN to prevent a virus outbreak.

"We are using NAC in a more protective than enforcement manner," Simonson said.

According to Opus One senior partner Joel Snyder, part of the reason NAC projects can be categorized as active or passive, protective or enforcement, is that the technology spans several domains within IT and relies upon knowledge of the network, the user and the access controls in place to function properly.

"NAC is user-focused, network-based access control," he explained. "The difference between firewall technology and NAC is the decision-making elements in NAC. NAC wants to be as close to the user as possible. NAC cares about who you are."

Snyder, who moderated a NAC panel and Simonson's presentation, said NAC technologies will be daunting to even the most sophisticated IT shops because they cross multiple domains. Among the four primary requirements of NAC -- authentication, environment, access control and management -- management poses the most significant challenges, he said.

"Inherently, NAC is impossible to manage because it combines authentication with network gear with end-point security with a policy server. All teams have to come together to manage this one solution," Snyder said. "NAC is 'big picture' hard."

This story, "Network management, security make for happy bedfellows" was originally published by Network World.

Copyright © 2007 IDG Communications, Inc.
