
Dynamic business world needs intelligent LAN switches, says report

By Ron Condon, U.K. Bureau Chief
06 Aug 2009 | SearchSecurity.co.uk


Organisations that rely on traditional network controls for security, such as virtual LANs and access control lists, will struggle to cope with increasingly fluid network usage, said a new report from the Yankee Group, a Boston-based research firm.

According to the analysis, a combination of factors will force a different approach: the rise of mobile and remote workers, greater use of outside contractors, the deployment of Web 2.0 applications, and virtualisation of systems, to name a few.

"Today's more dynamic network requirements are driven in large part by a 'virtualization' of corporate employees—their location, the blurring between their work and personal life, and the technologies they use at home and in the office," the report stated.

Traditional LAN switches, which work low down in the network stack, operate on limited information, such as the MAC address and access control lists. They can be moulded to support a more dynamic business environment, but, as the research suggested, doing so takes a lot of time and effort from IT operations:

"The rigid subnetting, DMZs, virtual LANs and access control lists (ACLs) used in LANs today are not flexible enough to accommodate the rapid provisioning and deprovisioning of services […] that businesses need to support ad hoc groups and other aspects of the virtualized organization."

The report, which was sponsored by ConSentry Networks, Inc. and authored by Phil Hochmuth, is entitled "The Era of the Virtualized Organization Demands Context-Aware LANs." Hochmuth proposes that the LAN itself needs to become more aware of the context of any traffic because the users, their location, the application they are using, and even the time of day, may influence how their traffic is handled.

For instance, IT may need to distinguish between a user who is accessing a Web-based ERP system and one who is just browsing the Internet. And IT staff may want to detect where users are running their own applications, possibly on their own devices, and using collaborative tools like Google Apps, perhaps to bypass corporate controls.

Network access, however, is usually governed by the location of the user's desk, what ports the PC is plugged into and which servers it can access on that subnet.

"This topology-based construct is due in large part to existing network forwarding and routing techniques—the MAC forwarding table at Layer 2 and the IP routing table at Layer 3," according to the Yankee Group analysis. "Decisions as to where traffic can and cannot go, at what rate it moves and how long it can remain connected, all happen based on these parameters."

Virtualisation of systems, which allows server images and their workloads to be moved to different parts of a network, also creates problems for static network-based server access controls, which rely on IP addresses, server names or MAC addresses.

The answer, Hochmuth suggests, is to build more intelligence and context-awareness into the network, arguing that this is the logical place to enforce policy.

"Most companies are running on 20-year-old switch technology, but LANs are no longer static," said Jeff Prince, chief technology officer of ConSentry. "We now have different ways of connecting, with guest users, offshore partners needing to access the network. Businesses need to keep up with this virtualised world."

He said the network, far from being a collection of "dumb pipes," was the logical place to enforce policy and provide security. For instance, he said network access control should not be a one-off process at the network gateway, but should be enforced continuously by having the LAN ensure that all traffic complies with policy.

ConSentry's own intelligent LAN switches offer these features, but Prince acknowledged that other products, such as HP's Adaptive EDGE networking technology and Cisco's PISA range, also adopt the same approach by inspecting the traffic they manage.

The changing LAN environment is confirmed in new research by the London-based agency Loudhouse Research Ltd, also commissioned by ConSentry.

In June 2009, the company interviewed 200 IT decision makers, half in the U.K. and the other half in the U.S., about the implications of what it called "LAN sprawl". The findings showed that:

  • 93 percent said their users are now more likely to require access to different parts of the network at different times for business reasons.
  • 92 percent reported an increase in the need to manage users with multiple profiles/IDs to support cross-functional needs of their organisation.
  • 66 percent said the proliferation of devices and applications made it harder to audit their networks.
  • Two-thirds believed that decisions to innovate business processes are often made without considering the impact to the network.
