AlterPoint

Network Security: Another Day, Another Hack

British poet, scholar, and journalist Gilbert Keith Chesterton once mused on the subject of progress:

“New roads; new ruts.”

Ah, leave it to an early 20th century British poet to keep things airy and light. However, Chesterton’s feelings may not be that far off from those in much of the business world. To many, it seems that every technological step we take forward simply leads to a slew of new problems. These days, each advance and each new technology does seem to come with a range of new security issues. VoIP is just one of the latest trends to feel the burn:

“The arrest of a wholesale VoIP entrepreneur last week for fraud and hacking points to much more than a criminal mind cheating the system - it brings to light the oft-unspoken fact that VoIP networks have a long way to go in terms of security. The publicity also scares providers and security vendors because they fear losing customers.” (From New Telephony)

Those in the business of VoIP, like those in any business, can’t afford to have their security questioned, because as we’ve pointed out several times, reputation does affect the bottom line. However, many believe that VoIP is simply undergoing the trials and tribulations of a relatively new field. It’s even suggested in the article that:

“IT folks have all but plugged security holes in data networks; the trouble is, they didn’t look at voice over the Internet in the same way.”


Unfortunately, there are still many holes left to be plugged:

“Imperva’s Application Defense Center reported on June 12 that it had discovered the vulnerability - which allows any attacker with network access to the database server to bring it down or to run arbitrary code - in DB2 Version 8…The flaw’s severity is magnified by the fact that an attacker doesn’t need database credentials to exploit the weakness, according to Imperva.” (From CIO Insight)

So, with attacks, hacks, and frauds occurring in both the data and voice network does it mean we should simply call off progress and go back to the way things were? (You know, where important information was stacked miles high in a storage room beneath thousands of file folders, and it took at least days for that information to circulate to the necessary parties in the enterprise.) Of course not. It just means that companies still have to be diligent about security and comprehensive network management. When vulnerabilities are recognized and corrected immediately, you can avoid wide-scale fraud, broad external/internal attacks, and whatever new risks progress may bring.

Daily Network Management Links for 2006-06-16

[Post from Roger Castillo, AlterPoint CTO] Network Management Evolution: The Beauty of Self-Organizing Systems, Part 3: Qualities of Good Policy Driven Management

“Figuring out the Who, What, When, Where and How requires a good set of rules that everyone can understand and respect. From my experience, I’d suggest a few guidelines, that if followed, can streamline maintenance, freeing your systems to beautify themselves through learning and self-organization.”

ComputerWorld: 10 ways to protect yourself with ‘pragmatic network security’

“Security Policy: This defines exactly who sees what information on the enterprise network. The beauty of modern, network-based IT architectures is that all information is potentially available on the network. The problem is that all information, including information regulated by Sarbanes-Oxley and other regulations, is potentially available to anyone who can get on the network.”

ComputerWorld: Best Practices for Configuring Group Policy Objects

“Although group policies are an extremely powerful security mechanism, it can be a bit tricky to deploy them in an effective manner. That’s because the effective group policy is made up of multiple and sometimes contradictory group policy elements that are applied to the user object and/or to the computer that the user is working from.” While more focused on Active Directory, this article has good points you can apply to any policy/rule paradigm.

informit.com: Troubleshooting Cisco Secure ACS on Windows

“For many security administrators, the robust and powerful AAA engine, along with CS ACS’s ability to flexibly integrate with a number of external user databases, makes the CS ACS software the first and sometimes only choice for an AAA server-side solution.”

TechRepublic: Why Infrastructure Change Automation Is a Cornerstone to Effective IT Service Management (ITSM)

White paper (reg. required): “There are many areas of concern for senior IT executives these days - choosing which technologies will have the greatest reach into those areas is critical and can give a company competitive advantage through both efficiencies and protection of resources. Network Change and Configuration Management (NCCM) is one such technology - it has the ability to positively impact security, performance, compliance, and availability management as well as workflow, IT governance, service provisioning, and planning.”

The Beauty of Self-Organizing Systems, Part 3: Qualities of Good Policy Driven Management

By Roger H. Castillo

In Part 1 of this series, I discussed the inherent beauty of self-organizing systems that grow smarter with each iteration. Part 2 went a bit further in outlining potential drawbacks–basically, to minimize system maintenance your policy system needs strong and accurate rules. But how do you create good rules?

In my thirteen years in network technology, I’ve worked with a variety of organizations–from start ups to Fortune 20 goliaths–and I’ve come to learn that policy systems are not worth much unless you can vouch for the strength and accuracy of your rules.

Dave Kearns in Network World writes that policies:

“…allow you to control who can do what, when and where they can do it, and the means they can use (i.e., the ‘how’). That’s Who, What, When, Where and How. Noticeably absent from that list is ‘Why’, but we can’t give the software and hardware the ability to read the user’s mind just yet. Still, by knowing Who did What, When they did it and Where they did it we can both deduce a probable Why as well as ask the user ‘Why?’”

Figuring out the Who, What, When, Where and How requires a good set of rules that everyone can understand and respect. From my experience, I’d suggest a few guidelines, that if followed, can streamline maintenance, freeing your systems to beautify themselves through learning and self-organization.

Here are four guidelines to bring out their inner beauty:

  • Require Transparency: In order for people to trust the results, a system must provide complete visibility into how feedback was computed. There must be a map between rules and business drivers; otherwise users and stakeholders will see the rules as arbitrary and not follow policy. Transparency also allows end-users to ‘debug’ the system easily to improve the accuracy of the results.
  • Know your Domain: If you don’t have the depth to understand the business processes and needs, then the rules and policy you create will have little use.
  • Answer the “so what” question: If you can’t understand the output and use it to improve your business, nothing is going to happen.
  • Intelligent: Policy systems require the ability to auto-correct and normalize results and data. Without this, maintaining the policy is hard and the value of the system is undermined. Intelligence will be the differentiator among management systems in the future.

Given these criteria, Policy Management can fulfill the promise of being able to effectively automate management tasks.

Daily Network Management Links for 2006-06-15

[Daily Post from AlterPoint] Network Management Evolution: Yes, NCCM DOES Matter

“Doug raises several interesting points, and his belief that network management must transcend simple integration is absolutely correct. However, as AlterPoint is mentioned directly, we thought we could shed some light on just a few of the ways that our customers–enterprise IT organizations ranging from huge banks to the world’s largest technology manufacturers–are utilizing and integrating network configuration management technology and process into their greater strategies.”

Cisco Blog: CallManager on Non-MCS Equipment

“I’m talking about a hack that allows you to install the Cisco CallManager Windows image straight from the CD-ROM, setting all the correct permissions and giving you a working Cisco CallManager on a non-MCS server. Here’s what I did…”

Security Park: The traditional approach to network security leaves IP-based network devices within the VLAN open to attack

“The security challenge posed by the dramatic increase in the number and diversity of end devices connecting to the network is clearly identified in the technology pages. These challenges are driving the need to apply security within the network infrastructure itself, independent of - and in addition to - the point or perimeter security platforms already deployed, which may include firewalls and anti-virus software.”

Security Park - How to reduce network security risks without incurring a penalty on your network

“Download this free in-depth “Best Practices for Protecting Network Data ” white paper to understand how to reduce risk without incurring a penalty on your network.”

New Telephony: VoIP Network Security: How a Hacker Took Advantage of Vulnerabilities

“IT folks have all but plugged security holes in data networks; the trouble is, they didn’t look at voice over the Internet in the same way. ‘They haven’t viewed it as an application that goes over the Internet,’ says Graydon. ‘As soon as you see voice as an application, you start to protect it the way you protect e-mail.’”

Skybox Security and Internet Security Solutions Enter into Technology Alliance; Alliance Combines the Industry-Leading Vulnerability Management and IPS Solutions with the Industry-Leading Security Risk Management Solution

“Over the past two years, IT Security Risk Management (IT SRM) has emerged as the complete process of understanding threats, quantifying risk, prioritizing vulnerabilities, auditing security controls and reducing unnecessary patches through a continuously refreshed security risk profile. According to IDC estimates, the IT SRM market is expected to grow from $328 million in 2005 to $500 million in 2007.”

Yes, NCCM DOES Matter

Last week, Doug McClure posed the question, “Does network configuration management matter?” Among other things, he suggested that today’s CMDB will have to evolve lest it quickly be rendered obsolete:

“I’m not too sure on the takeup rates of any one vendor’s solution (Voyance, AlterPoint, Intelliden, Emprisa Networks, etc.), but I’ve yet to see anyone really focus on one of these platforms to really complement application discovery and mapping within the CMDB other than the “we integrate with X” statement.

The CMDB of the future will need the same rich level of information just like in the application and service domains - even more so as networks become more complex with many more logical configurations (tunnels, VPNs, QoS, CoS, advanced ACL’s, routing protocols, etc.). The same can be said of security/firewall change and configuration management. (I don’t know anyone playing in this space.) Any CMDB without this type of information will be seriously incomplete.”

Doug raises several interesting points, and his belief that network management must transcend simple integration is absolutely correct. However, as AlterPoint is mentioned directly, we thought we could shed some light on just a few of the ways that our customers–enterprise IT organizations ranging from huge banks to the world’s largest technology manufacturers–are utilizing and integrating network configuration management technology and process into their greater strategies.

Consolidated Asset Management
There’s a common need for a “de facto” source of network inventory, one that can be easily synchronized with management solutions and provides audit-ready output. Practical uses include providing a “what changed” context to event correlation to speed troubleshooting. In effect, AlterPoint’s DeviceAuthority acts as the mediation layer for network access.

Integrated Trouble Ticketing
Closed-loop change processes are the Holy Grail for many IT shops, so it’s critical that network infrastructure change and policy events can be integrated to open/close trouble tickets into existing change management workflows based on systems like BMC Remedy AR System and HP OpenView Service Desk.

Network Discovery and Monitoring
Real-time inventory is required in many cases to provide an accurate picture for performance/fault management and subsequent decision support. DeviceAuthority’s accurate, real-time discovery and data model are integrated with systems like HP OpenView to improve monitoring and troubleshooting.

So we know that network configuration management does indeed matter, and not just to the guys in the NOC. That’s why AlterPoint thoughtfully designed the Network Information Model and SDK to accommodate the kinds of technologies, like a federated CMDB, that require easy access to accurate, detailed network inventory and configuration information.

Daily Network Management Links for 2006-06-14

[Post from Roger Castillo, AlterPoint CTO] Network Management Evolution: The Beauty of Self-Organizing Systems, Part 2: Hamster Wheel Out of Control

“It seems that policy is only as good as those who create the policy and the expressiveness of the policy system. In other words, you’re only as good as the strength and accuracy of your rules. The fallout from bad policy or a lack of trust in the policy is that the structure is ignored and rogue activity springs up again.”

IT Business: Embedded security

“…most enterprise networks use hardware from multiple equipment vendors, and manufacturers take varying approaches to building security smarts into network gear. So building security into the network isn’t always simple. And some argue that, given that complexity and the fact that security needs change faster than basic network infrastructure, security functions are better separated from the basic building blocks.”

eWeek: BMC, Relicore Hone Configuration Management

“Two vendors in the growing configuration management arena last week sought to fill in missing pieces of their products’ capabilities.” Relicore “added new capabilities that help the tool scale and that fit into a large enterprise’s overall management infrastructure.” BMC “added new discovery capabilities that allow its software to automatically discover elements that make up an application infrastructure along with their dependencies.”

Masood Ahmad Shah : TCL (Tool Control Language) & Cisco

“Somewhere during testing any successful Network Reachability, it will be necessary to test the reachability of addresses from each device in your network. Some people use cut and paste techniques coupled with Notepad to ping the addresses. Unfortunately, there are numerous drawbacks to this technique.”

The Beauty of Self-Organizing Systems, Part 2: Hamster Wheel Out of Control

By Roger H. Castillo

Yesterday, in Part 1, I discussed the inherent beauty of systems that are structured to get better as you interact with them.

There is, however, a downside to these types of systems. And Wikipedia is a good example. Despite the purity of their system, problems remain. Recently, two scandals involving erroneous entries to this popular online service (see “Growing pains for Wikipedia”) forced the founders to make some changes. The role of an intelligent moderator cannot be underestimated.

It seems that policy is only as good as those who create the policy and the expressiveness of the policy system. In other words, you’re only as good as the strength and accuracy of your rules. The fallout from bad policy or a lack of trust in the policy is that the structure is ignored and rogue activity springs up again. The judgment of domain experts is critical in establishing the proper policy context, and the logic has to be transparent, or else it looks arbitrary. IT operations personnel are very leery of security policies because they generally have not been analyzed for their impact on availability or performance.

Another downside of policy monitoring is false-positives, which are one of the toughest problems in IT management. (See “Anomaly detection falls short.”) They compromise the credibility of the management system and they undermine the trust in the system. Besides the false-positive problem, ringing is another issue with feedback loops. If the feedback cycle creates more feedback cycles, this cascade of feedback can create storms of feedback. We all have seen trap storms in network management. Similar problems can be created with the next generation of IT automation. As funny as this sounds: “ticket storms” are possible, in cases of self-referencing policy.

InfoWorld’s Harper Mann writes:

“The bottom line across all intelligent agents and alerting systems is that they’re only as good as the human touch on the back end that’s fine-tuning them. Each require constant input — alerting the system to new resources in an environment; correcting false-positives or false-negatives as they happen so the system can ‘learn;’ etc. So while organizations are sold on the autonomic / automated functionality of these systems, each typically require a significant tax in the form of human labor for babying them along and teaching them about the desired result.”

A policy system with accurate rules is key to minimizing system maintenance, but how do you create good rules? Please come back later for Part 3, “Qualities of Good Policy Driven Management.”

Daily Network Management Links for 2006-06-13

[Post from Roger Castillo, AlterPoint CTO] Network Management Evolution: The Beauty of Self-Organizing Systems, Part 1

“Systems with this closure property are able to converge to optimal outcomes on the basis of orchestrated behavior modifications. If the conditions are correct, with each turn the system gets smarter. But what’s the downside?”

Dilbert Collaborates with Cisco’s MeetingPlace

Flash required. Humor Optional.

Juniper Networks Bolsters Intrusion Prevention and Security Management With Enhanced Application Visibility and Control

Juniper announces that its “next-generation Intrusion Detection and Prevention (IDP) platform and new security management software [is] designed to provide increased application visibility and control across the network. The new IDP version 4.0 software provides advanced control over enterprise applications including voice-over-Internet-protocol (VoIP), internal local area network (LAN) and cellular communications.”

Network World: Compatibility with legacy equipment key to NAC’s future

“Security vendors also are looking to capitalize on a booming market in which one in three IT shops plans to buy or implement NAC this year, according to a Forrester Research survey of North American companies. About half of the world’s 2,000 largest corporations already have some form of NAC.”

Business Week: Is our VoIP Phone Vulnerable?

“It’s become a familiar pattern in online security. A groundbreaking way to communicate emerges, spreads like wildfire, and then hackers find a way to use it to their advantage. Security companies react—but not before the problem has succeeded in wreaking havoc.”

The Beauty of Self-Organizing Systems, Part 1

By Roger H. Castillo

Over the last five years powerful new strategies for solving tough problems have emerged. One of the most interesting has been the rise of systems that are structured to get better as you interact with them. Great examples of this principle are Google, Wikipedia and Yahoo. They leverage “group think” in order to build value with each use. Google searches get better with each new search, because search relevance and ranking are adjusted on the basis of new searches. Wikipedia is continuously edited by Internet users to provide more detail for each entry, and Yahoo tailors the end-user experience to their likes/dislikes on the basis of web clicks.

Wikipedia works because, through “this mechanism of editing and undoing meaningless changes or graffiti, an evolutionary process is fostered and only the best contributions survive the selection.” For more, see the article “Phantom authority, self–selective recruitment and retention of members in virtual communities: The case of Wikipedia” by Andrea Ciffolilli.

Each of these Web 2.0 services is an example of a self-learning or self-organizing system.

The Policy Circle of Life

Enter policy driven management. The goal of policy driven management is to establish broad parameters for a management domain, which all policy makers use to manage the domain at a high-level. Good policy management systems use the “closed-loop” concept to drive feedback into the system. This feedback incents or disincents those in the system appropriately and, as a result, behavior modification occurs. With each turn, the domain is brought into compliance with policy baselines resulting in greater efficiency and less risk. A great software example of this principle is Skybox Security, whose integrated family of Security Risk Management applications can test your network through modeling, analysis, simulation, visualization and workflow management. (case study available here as a PDF).

As vulnerabilities are brought under control on the basis of security policy, the vulnerability index for the network is updated. Visibility drives awareness and action. Assessment drives the next set of actions. (Full Disclosure: AlterPoint partners with Skybox to deliver detailed network device configuration data to enrich Skybox modeling and analytics and AlterPoint, in turn, executes changes and remediates network devices based on assessment and priority.)

Systems with this closure property are able to converge to optimal outcomes on the basis of orchestrated behavior modifications. If the conditions are correct, with each turn the system gets smarter.

But what’s the downside? Come back tomorrow for my next installment, “Hamster Wheel Out of Control.”
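As an added example (not AlterPoint’s code or any product’s data model), here is the closed loop described above in Part 1 run over a constructed, IOS-like device config: each rule carries the business driver and the evidence behind its verdict that Part 3 calls transparency, configs are normalized before comparison to cut false positives, and the loop detects the ringing Part 2 warns about (two teams’ rules undoing each other) and stops instead of re-issuing changes and tickets every turn. The rule names, business drivers and sample config are assumptions constructed for this illustration.

```python
"""Closed-loop policy check over device configs. Constructed example: the
IOS-like config, rule names and drivers are illustrative, not AlterPoint's
or any vendor's real data model."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Rule:
    rule_id: str
    business_driver: str  # transparency: every rule maps to a stated driver
    required: str = ""    # normalized line that must be present, or
    forbidden: str = ""   # normalized line that must be absent

def normalize(config: str) -> List[str]:
    """Lower-case, collapse whitespace, drop '!' comments and blank lines so
    cosmetically different configs evaluate the same (fewer false positives)."""
    lines = (re.sub(r"\s+", " ", raw.strip()).lower() for raw in config.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("!")]

def evaluate(lines: List[str], rules: List[Rule]) -> List[Dict]:
    """One finding per rule, carrying the driver and the evidence for the verdict."""
    present, findings = set(lines), []
    for r in rules:
        if r.required:
            ok = r.required in present
            evidence = f"required line {'found' if ok else 'missing'}: {r.required!r}"
        else:
            ok = r.forbidden not in present
            evidence = f"forbidden line {'absent' if ok else 'present'}: {r.forbidden!r}"
        findings.append({"rule": r.rule_id, "driver": r.business_driver,
                         "compliant": ok, "evidence": evidence})
    return findings

def closed_loop(config: str, rules: List[Rule], max_turns: int = 10) -> Dict:
    """Evaluate, remediate, re-evaluate. Stop when compliant, or when a config
    state recurs (ringing: rules undoing each other) rather than raising yet
    another round of changes and tickets every turn."""
    by_id = {r.rule_id: r for r in rules}
    lines, seen, history = normalize(config), set(), []
    for turn in range(max_turns):
        state = tuple(sorted(lines))
        if state in seen:
            return {"converged": False, "reason": "ringing", "history": history}
        seen.add(state)
        failing = [f for f in evaluate(lines, rules) if not f["compliant"]]
        history.append([f["rule"] for f in failing])
        if not failing:
            return {"converged": True, "turns": turn, "history": history}
        for f in failing:  # apply the single change that satisfies each failing rule
            r = by_id[f["rule"]]
            lines = lines + [r.required] if r.required else [ln for ln in lines if ln != r.forbidden]
    return {"converged": False, "reason": "max_turns", "history": history}

# Constructed sample config (IOS-like syntax) and two rule sets.
SAMPLE_CONFIG = """! constructed example, not a real device
hostname   core-sw-01
service password-encryption
ip http server
line vty 0 4
  transport input telnet
"""
CONSISTENT_RULES = [
    Rule("PWD-ENC", "protect stored credentials", required="service password-encryption"),
    Rule("NO-TELNET", "no cleartext management access", forbidden="transport input telnet"),
    Rule("NO-HTTP", "minimize management attack surface", forbidden="ip http server"),
]
# A second team's rule contradicts NO-HTTP: without the recurrence check the loop
# would flip the setting every turn (a "ticket storm" from self-referencing policy).
CONFLICTING_RULES = CONSISTENT_RULES + [
    Rule("MON-HTTP", "monitoring tool polls devices over http", required="ip http server"),
]
```

`closed_loop(SAMPLE_CONFIG, CONSISTENT_RULES)` converges after one remediation turn, while `closed_loop(SAMPLE_CONFIG, CONFLICTING_RULES)` stops with reason `ringing` and a history showing NO-HTTP and MON-HTTP undoing each other.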

Daily Network Management Links for 2006-06-12

[Daily Post from AlterPoint] Network Management Evolution: Network Security in the Financial Sector

Earlier, “we discussed the effect on reputation, customer confidence, and the bottom line that true or even perceived security risks could have on a company. To boil it down to its most basic form, if people aren’t sure a business can protect their vital data, they’re going to take their business elsewhere.”

Enterprise Networking Planet: Cisco Spends $47.8 Million on Comm Startups

“Communications experts believe IMS will be a multi-billion-dollar market for years to come as corporations scramble to meld their communications gear with IT infrastructure. Embracing IMS is another way for Cisco to broaden its portfolio to stave off stagnant, traditional networking gear sales and pace the competition. Rivals Nortel, Alcatel and Juniper Networks are all building or acquiring their own IMS portfolios.”

dougmcclure.net: End-to-End Service Monitoring - The Holy Grail

“In my past life, I ran no fewer than five different QoE tools to try and provide visibility into what our external and internal customers experienced. While I believe in using these capabilities to “tie” together all of the traditional monitoring, I spent more time defending the quality of the data than providing any real value to the business with the tools. Every organization/functional silo in IT had to save face, defend their turf and find a way to point their finger at someone else in the service delivery chain.”

N-tiers without the tears!: Have you ever been Experienced?

“QoE is absolutely consistent with best practice. However, when investing in QoE technologies one should be careful of who is defining QoE (i.e., QoE of what services?). It should be the customer (read business process).”

erp4it: The hosting “zone of contention”

“Designing and building solutions is often equated with software development and integration/configuration. However, any solution requires platforming, and in larger organizations the engineering of computing and network platforms capable of supporting the desired software solutions becomes a significant activity in its own right, albeit one less well covered in the popular computing press. The value chain can be seen as having both application and infrastructure tracks, with a hosting “zone of contention” in between them.”