I will take credit here for coining a new word, “mobulation.” I hope mobulation will someday be added to Webster’s Dictionary and make me famous. In the mean time, I will write some thoughts about the pending mobulation explosion.

Let’s start with a clear definition. Mobulation is the population of mobile network connected devices including cell phones, smart phones, tablets and laptops. The mobulation explosion is my term for the incredible growth in mobile devices and the network traffic they create. Cisco predicts that by the end of 2012 there will be more mobile devices than people on this earth we all share. This prediction will have a near term critical impact on the networking industry. The report is the Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2011 – 2016.

As more phones are put into service, more data will be generated. However, in addition to phone traffic, smart mobile devices are generating data and video traffic at a much greater rate. Here are some interesting numbers:
• Smartphones represent only 12 percent of global handsets in use today but they use over 82 percent of total handset traffic.
• The number of mobile-connected tablets tripled in 2011 to 34 million. Each tablet generates 3.4 times the network traffic than the average smartphone.
• Mobile connected laptops generate 22 times more traffic than smartphones. Mobile data traffic per laptop was 2.1GB per month, up 46 percent from 2010.
• Global mobile data traffic will increase 18-fold between 2011 and 2016 reaching 10.8 exabytes per month. (1 exabyte = 1 quintillion bytes or 10¹⁸ bytes)

These numbers remind me of when I was taking Astronomy in college. It is difficult to comprehend the magnitude of the numbers. Imagine, though, what will happen to network traffic when smartphones represent 40% of the global handset market. Imagine the mobile data traffic loads when the tablet market, which is still very young, matures to ubiquity.

These events will have enormous impact on today’s networks and not just for service providers. As smart mobile devices blur the line between corporate and private data traffic, the increased throughput will impact enterprise as well as carrier networks. New strategies will be needed for network monitoring, management and security. More specialized and faster appliances will be required to protect corporate assets and keep confidential information secured.

The glue holding all these appliances together is the network access device. A well-planned monitoring strategy built around permanent network access equipment will help keep appliance port costs down and maintain high network availability. The AFS by Network Critical is one example of this foundational piece for network monitoring and security. The AFS provides access, aggregation, filtering and load-balanced distribution in a small 1U package.

The experts at Network Critical are working with enterprise and carrier clients every day designing intelligent, next generation access strategies. The Mobulation Explosion is happening now. Do not wait until your network is overwhelmed by an onslaught of mobile data traffic. Plan your high speed/high availability network access strategy now.

Live simple. What a nice concept. Our lives in the technology industry, however, seem to be all about conquering the complicated rather than pursuing the simple.

Mobility, virtualization, more data, faster links, new applications and increasing vulnerability all require complex and sophisticated systems to manage and protect networks. Virtualized Desktop Infrastructure growth is increasing bandwidth requirements. Appliances are becoming more specialized so more are required. Connecting the tools without impacting network availability and managing all the appliances at 10Gbps link speeds is now becoming its own specialty.

A Gartner report, “Emerging Technology Analysis: Hosted Virtual Desktops” says the number of virtual desktops worldwide will increase to 66 million by 2014. While this growth of virtual technology is efficient for businesses, it adds complexity to network and application management. The need for greater visibility into network performance and application performance will increase just as dramatically as the growth of network bandwidth and virtual desktops.

Boiling it all down, there is a need to pursue simplicity in this ever more complicated environment. Time spent chasing network issues when the problem is with an application is time wasted. Time spent drilling down through layers and layers of analysis on 10Gbps link traffic can be frustrating while clients are experiencing outages or response time issues. Resolving performance issues proactively and optimizing network performance are more worthy pursuits than troubleshooting problems.

A side note on the business perspective of simple proactive network management…A team focused on trouble shooting is considered a cost center. A team focused on improving network performance and IT ROI is considered a strategic asset to the company.

So, in pursuit of a simple answer, what about a unified system providing end-to-end performance visibility across the network, allowing quick isolation of the root cause of performance issues? What about a solution that solves complex application issues simply? What about a couple of simple tools that are easy to deploy and take only a few RUs of rack space? What about connecting all your 1Gbps links through a port aggregator rolling them up to a few high-speed links for consolidated management? What about proactive network management, resolving issues before the clients even notice problems?

The Network Critical AFS port aggregator and the Visual Networks VPM Xpress 10G combine to provide a complete yet simple solution for link aggregation, network and application management. The AFS and Xpress solution allows network managers in virtual environments, carrier and cloud networks an efficient, simple solution to proactive network and application management.

Simple is good. Follow the links below for more information:

View the Network Critical AFS port aggregator here
Download the Network Critical Aggregating Filtering System (AFS) datasheet here
View the Visual Networks VPM Xpress 10G here
Download the Visual Networks VPM Xpress brochure here

Remember Rodney Dangerfield, the comedian whose signature line was “I don’t get no respect.” Those with jobs in IT, Cyber Security, Networking and the like know the feeling. When things go right (which takes a lot of dedication, specialized knowledge and hard work) nobody notices. When things go wrong (which can happen no matter how hard you work to keep things humming) the entire company is screaming like a banshee on steroids. Suddenly, everyone knows your name.

Sales guys get noticed when they sell things. They get trips to Tahiti, awards and a lot of positive recognition. Marketing develops programs and ads that are creative and widely publicized. Engineering develops cool designs that turn into products everyone can see. Even the guys from Finance are always making charts and presentations to the CEO showing their ROI calculations and how to finance new projects.

How can IT and Networking demonstrate their positive contributions to the organization? The key is to look at your job in a new way. Categorize, quantify and report on your contributions. Network Security, for example, keeps bad things from happening that could ruin a company. Theft of confidential customer information, leakage of classified product designs, external hacks that slow or block system access are a few examples of bad things that the Network Security group helps prevent. When things go right these issues do not exist so it is hard to quantify the contributions. However, there are industry reports that track these trends that can be used to set baselines.

Using the Network Security example, a department head can develop a set of indices setting Key Performance Indicators based on industry norms for a variety of network and security metrics. Then correlate the economic impact of meeting and exceeding these metrics. What you will have is a report that shows the ongoing financial benefit that sound security practices and procedures can bring to the company every day. Remember, money not spent, is profit.

The idea here is to quantify and report on the positive contributions that are made every day. Take the technical jargon out of the reports. Resist the urge to discuss the benefits of dual stack routers for IPv6 conversion (save that for departmental meetings). The CEO is less interested in how you do it but keenly interested in the contribution to the bottom line. The CEO is a business person and his/her interest is shareholder return. Show that your ideas are necessary to protect the company brand, to create revenue, or to reduce risk and liability.

Finally, be proactive with these ideas. Develop your business oriented reports and ask for time to present. In 2012, resolve to take a quarterly trip in the elevator to the top floor. Show your value to the company. Perhaps, you too, will be on a plane to Tahiti with the Sales leaders.

Welcome to 2012. As the technology parade winds its way down Main Street, pay attention to the little float called Tap and Access. It has been in the parade for a number of years but fresh flowers and new designs are causing a buzz in the curbside crowd.

During the last four years or so, there has been a quiet storm brewing in network monitoring solutions. The tap market has been growing dramatically. The primary driver for this architectural revolution has been broad market acceptance of taps as a permanent architectural element in network monitoring and management solutions.

Why are networks so universally transitioning from Span ports to tap solutions? Here are a few ideas:

• Too few Span ports – With the introduction of many specialized network appliances that all need 24/7 link access, there are not enough Span ports to go around
• In-Line Access – Many new security appliances provide network protection by taking immediate action to resolve threats. These appliances are installed risk-free on network links by connecting through reliable, hardware-based In-Line taps. This method of connecting active appliances is often called a “Virtual In-Line” connection.
• Data Switching and Port Aggregation – As link speed migrates from 100Mbps to 1Gbps to 10Gbps and beyond, there is an increasing need to aggregate multiple lower speed links up to higher end tools. Conversely, there is also a need to distribute core high speed access to multiple lower speed links. These port switching devices provide many sophisticated access features and take their input from taps on the links. This practice provides risk free fail-safe access to the links while the data switches manage and distribute the traffic.
• Next-Generation Firewalls (NGFW) – This will be a big, big, big transition for 2012. Next Gen Firewalls are ready for prime time. These new versions of firewalls are addressing the more sophisticated threat environment with higher level visibility and control and will be the perimeter security cornerstone of networks. The transition is underway now and the best practice for NGFW connectivity is using In-Line taps.

Network Critical, a global innovator of permanent, modular taps and high speed data switches, aggregators and load balancers, is leading the network access revolution. Tap solutions from simple access to complex aggregation and distribution architectures can be found in the Network Critical product portfolio.

As network operators develop plans for upgrading to NGFW, high speed port aggregation, In-Line security appliances and other specialized access applications, Network Critical will be supporting their access requirements.

Taps and access devices may not be the Grand Marshall of the technology parade in 2012, but the tap market may very well win the Sweepstakes Trophy for fastest growing support technology. Happy New Year!

It is time to get my crystal ball out of the safe and see what is in store for us in 2012 and beyond. 2011 was a year steeped in gloom and doom with headlines about international defaults, political instability, hacktivism, cyber theft and unrelenting unemployment. I am here to tell you there is cause for an optimistic outlook for the future.

Here are some silver bullets for your new year:

• Network Security: Hacks and cyber thefts will continue. However, with advances in IPS, DLP, next generation firewalls and improved tap and aggregation architectures, networks can be better protected from attacks than ever before.
• Network Speeds: Look for rapid advancement in core network speeds. 1Gbps is quickly giving way to 10Gbps. The big networks are looking into 40Gbps and 100Gbps core links.
• Technology: Intel will introduce a new chip in the spring that has three billion transistors. That is “Billion” with “B” transistors on a single chip.
• Talking to Machines: You will be able to talk to your phone as much as you talk on your phone. Voice recognition interfaces for phones and other computing equipment is ready for prime time. It will soon expand beyond phones to coffee makers, TVs and video games. Less mouse, more mouth!
• Europe will figure it out: All parliamentary egos aside, the economic realities will prevail. The Euro zone is “too big to fail.” The strong will help the weak and new rules will lead to the beginning of a more stable and vibrant market in Europe.
• U. S. Oil Independence: This long sought after goal is becoming a reality. Over the next five years and beyond, new extraction technology in the Bakken Oil Fields will completely change the geopolitical relationship between the U. S. and the Middle East. Google “Bakken Oil Fields” for more information.
• Unemployment Improvement: I am an optimist here. As stubborn as the unemployment rate has been, 2012 is the year the fever will break. After all, 2012 is an election year. For more good employment news Google “North Dakota Employment.” Hint: 3.5% unemployment with 16,000 open positions.
• More Technology: Network Critical is shrinking size and cost of Next Generation Port Aggregators and Network Devices. Our new AFS solution for port aggregation, filtering and distribution has reached 48 ports of non-blocking 10Gbps access in 1U of rack space, using only 150 Watts AC of power. Now that is good news!

Network Critical is bullish on 2012. We will continue to provide the best products and uncompromised attention to our customers around the globe. We will work to make our towns and the world a better place in 2012 and beyond.

Finally, we wish all our partners and customers a prosperous and happy New Year!

I have worn glasses since I was ten. It started when I could not read the blackboard from my desk. I asked to be put in the first row. Then I would scoot my desk up closer to the blackboard a little at a time so no one would notice. Eventually, I was so close to the blackboard that everyone noticed and my teacher recommended to my parents that I see an eye doctor.

On the way home from the eye doctor, fitted with my new glasses, I was amazed at the world around me. The full moon was not really a fuzzy, white ball. There were edges and shadows that I never saw before. My view of the moon was skewed and I did not know it. I saw the fuzzy ball and I believed that was the moon. However, the moon was actually quite different than what I saw and believed.

Today, Communications Service Providers (CSP) typically use surveys from customer contacts with various departments such as Billing, Support, Service and Sales. These surveys are compared to Key Performance Indicators (KPI) and attempt to gauge customer satisfaction and retention likelihood. There are questions with this methodology including the accuracy of the survey data, the timeliness of the reporting and whether the data truly reflects the customer experience.

Accurate measurement and true understanding of the customer experience is the most critical component of CSP business management. Delighting customers with a positive experience every time is the key to customer retention, selling new services, increasing the customer base and growing revenue. Here comes the exciting news…a better way to see and understand the customer experience is being developed.

CSPs have a very rich source of customer experience data at their fingertips. It is their network. The problem, heretofore, has been accessing, capturing, retrieving, analyzing and presenting the massive amounts of data on the network. There are billions of calls set up and torn down every day. There are petabytes of data passing through the network every second. Surfacing KPIs from live data can provide a clear, timely and actionable picture of the customer experience.

Through a collaboration sponsored by the TM Forum and championed by Telecom Italia, Network Critical, Ventraq, IBM Netezza, and The Now Factory are developing a CEM solution that integrates data analytics to better understand and improve the customer experience. Phase I of the project was presented at Management World Americas in Orlando last week and received keen interest from the CSP community.

This ground breaking work allows massive amounts of data to be analyzed and crystallized into manageable, understandable indices for executive reporting and follow-up action. This is not just network performance and dropped calls. This system will also analyze protocols and applications that are beyond network control yet have a significant impact on the customer. It will also help CSPs understand how their network is being used. Are people downloading music, playing games, checking email, connecting with others over social media? This data goes beyond network level performance and provides critical information for network dimensioning and helping the CSP manage the user experience.

Advancing CEM using data analytics puts the focus on the customer first. It allows CSPs to see a new, clearer view of their customers that was not possible before. The fuzzy, white ball that was the customer is now a very sharp circle with shadows, hills and valleys. With the customer in clear focus, the opportunities to enhance the customer experience are endless.

The Blackhat Briefings consistently impacts the computer security landscape year after year, and 2011 is no different. One of the most important talks this year was Moxie Marlinspike’sSSL And The Future Of Authenticity. This talk blew the doors off of the entire Certificate Authority system that is place today for the Secure Sockets Layer (SSL), and proposed a viable (and better I might add) alternative called Convergence. The basic idea behind Convergence is that certificate authorities have too much power in the SSL system in that they cannot easily be distrusted and continue to have the Internet function properly. That is, once a CA becomes rather large and is used by the major browsers to verify SSL certificates for a significant portion of the Internet, there is no mechanism in SSL to be able to remove the CA from the browsers if the CA becomes untrustworthy. A bad CA can just be deleted from the browser CA list, but then the browser would generate SSL certificate warnings for any site that uses a cert that is supposed to be validated by the CA. This, by itself, may not sound so bad, but the real problem is that without a way to validate site certificates, anyone could issue a “valid” cert for a site and the hapless user would have no way to know it isn’t real. SSL essentially forces users to trust CA’s indefinitely. So, if a CA does something that demonstrates to users that it is untrustworthy – such as getting hacked, behaving badly, or both as in Comodo’s case - there is no alternative but to continue “trusting” the CA.

This is where Convergence comes in. Under the Convergence model, SSL certificates are no longer required to be verified by a CA. So, how can a user be confident that SSL communications with a site are using the proper certificates? The answer is that Convergence uses a set of intermediate nodes called “Notaries” that exist on various locations around the Internet. For any SSL connection initiated by a user to an SSL-protected site, Convergence downloads the site certificate from all of the configured Notaries and a comparison is performed. If the certificate is identical across all Notaries, then the user can have a lot of confidence that a MITM attack is not underway. At least, the user can certainly have more confidence in this validation than the validation performed by any hacked certificate authority. And, even if a user trusts that a CA hasn’t been hacked, the user doesn’t really know for sure. (Can any entity prove that it isn’t hacked at any given time?) For any given CA, there is an excellent chance that it will be hacked at some point in the future too.

Convergence offers some nice additional features, such as anonymization of SSL connections made through the Notaries, and it is easy for users to change the list of trusted Notaries. Moxie refers to the later as “trust agility”, and is one of the key reasons that replacing the CA system with Convergence is not just a different architecture – it fundamentally means that the power is put in the hands of users instead of the CA’s. What happens if a Notary is hacked? No problem – the user can simply remove that one from the list (and maybe add a new one) and everything continues to work.

What are the downsides to Convergence? In the short term there will be some growing pains as Convergence is ported to all of the major browsers. The version of Firefox that I run on Ubuntu is not supported yet for example. Some people have concerns over performance because now instead of a single SSL connection there are multiple connections involved as a site certificate is validated by multiple Notaries. However, Moxie has implemented a robust caching mechanism that addresses this concern, and in some cases this makes SSL connections faster.

Incidentally, according to Moxie, Comodo currently signs over one quarter of the SSL-enabled sites on the Internet. So, in the current model, if a user deletes Comodo from the browser CA list then one quarter of Internet SSL sites break. Comodo is not the only instance of a certificate authority getting hacked either – just two months ago in mid-July, 2011, a Dutch CA called “DigiNotar” was hacked as well and has gone bankrupt as a result. Just imagine would would happen if Verisign – which had over 47% of the SSL verification market in 2009 and was acquired by Symantec – were to get hacked as well. Users need an alternative for SSL certificate verification, and Convergence looks like an excellent solution. The bottom line is that even if the current CA system remains in place, as a frequent user of SSL, I would still want a way to verify that an SSL certificate looks the same from multiple locations regardless of what a CA tells me. In this sense, there is a good case for Convergence whether or not it is broadly adopted.

On a final note, Moxie presented Convergence at both Blackhat and Defcon, and as a bonus he was asked to participate on a panel discussion at Defcon with the legendary Whitfield Diffie of Diffie-Hellman key exchange fame. During this panel, Moxie hinted that a current CA is looking at deploying Convergence. This is perhaps a validation that Convergence is a shot across the bow of certificate authorities in general, and that they should pay close attention.

Many health organizations are looking at the potential of Electronic Health Records. Some are already converting. There can be significant productivity increases, particularly in the largest of organizations by upgrading medical record management, storage and distribution to a digital format. There are also financial incentives in the form of grants and loans from the federal government to encourage this movement. The transition will not be easy and, as with any new technology, there are risks to be managed.

First the good news…The HITECH Act SEC. 3011 provides for “Immediate Funding to Strengthen the Health Information Technology Infrastructure.” This section provides for grants and loans to upgrade information technology architecture, develop Electronic Health Records (EHR) systems, improve and expand the use of health information technology, promote interoperability of clinical data repositories and provide training on the integration of electronic health records into a provider’s delivery of care.

The move to EHR carries some potential liability as well. We are all familiar with physical security in the paper world. Park a guard in front of the door and sign everyone with proper credentials in and out. In the cyber world, network security and protection of confidential information is more complex. Most EHR systems have security features that comply with HIPAA but that might not be enough.

The HIPAA Security Rule for Technical Safeguards states, among other things, that Information Systems housing Protected Health Information (PHI) must be protected from intrusion. It also requires that organizations implement and document risk analysis and risk management programs. This places the responsibility of risk management on the health organization. This point is important. It is not enough just to comply with the minimum standard. If a breach occurs, the health organization may still be liable if reasonable precautions have not been taken to protect the compromised protected information. A comprehensive program should be in place to prevent PHI from being used for non-health purposes or from being leaked through malicious attacks or employee conduct.

There is very little guidance in these laws and regulations exactly how to configure and use the security features that are incorporated in the EHR systems. So here are a few ideas. In addition to endpoint authentication, encryption and integrity protection of the data itself, give some thought to the network architecture, specifically protecting your perimeter.

The Big Three of network perimeter security are Intrusion Prevention Systems (IPS) to prevent attacks from the outside, Data Leakage Protection (DLP) to protect confidential data with strict access policies and a strong Network Monitoring appliance. The glue that holds all this together is a permanent Network Access solution. The appliances need access to the data. The Network Access system provides the access and also protects the reliability and availability to your network without introducing any delay. As an example configuration, the Smart Network Access system by Network Critical allows in-line connectivity to the IPS and DLP appliances and also makes a copy of all the data to the Monitor Appliance all with a single connection into the live link.

For maximum network performance, security and compliance when working with very sensitive and confidential data protect the perimeter with the Big Three and a flexible Network Access System. A final thought…Electronic Health Records systems are the future. Providing personal record privacy and information security are critical to building and maintaining client trust in the system.

It is time to take a trip in the Wayback Machine. Do you remember your first cell phone? It weighed a few pounds, was as big as a brick and had no apps. But you marveled over the new invention and the clarity of the communication. That was because, compared to the pay phone, walkie-talkie or pager, it was a technological leap of unimaginable proportion. On top of that, it was a major status symbol to have that little antenna on your back windshield. So, comparing that cell phone to previous technology, it looked pretty good.

Now what happens when you compare it forward to, say, an iPhone? Obviously, it does not compare nearly as favorable. It looks heavy, awkward, expensive and of extremely limited functionality.

Here is another 80’s communication marvel, the Digital PBX. Wow, if you were working in an office at that time it changed the way you did business. There were features like integrated Voice Mail so you could get detailed voice messages if you were not at your desk rather than a stack of those little paper slips stuck on a sharp pole near an inbox. There were also a host of other productivity improving features for the office worker. The Digital PBX was smaller than its analog predecessors (1 refrigerator-sized cabinet compared to 7 refrigerators for analog), used less power and could easily add lines by plugging in additional cards on the shelf.

Once again, let’s compare it to today’s soft switches and VoIP systems. Of course, the forward comparison has the old Digital PBX looking expansive, expensive, slow and inflexible.

Now let’s reset the time machine to present day and look at a typical data access switch architecture using shelf and cards in a rack. Compared to the expensive, refrigerator-sized cabinets of the past, the shelf and cards look pretty good. Over the years, they have increased density up to about 8, sometimes 12, ports per card allowing perhaps 48+ ports per shelf. Each shelf uses only about 5 Rack Units for its row of cards and less power than the standalone cabinets. The feature content allows for increased productivity in the data center by enabling efficient utilization of network tools and appliances.

Looking forward, however, the shelf and card systems may be going the way of the refrigerator-sized cabinets and cell phone bricks of the 80’s. As new technology and innovative designs update architecture, density, power consumption and flexibility continue to improve. One example is the AFS system by Network Critical. The AFS is a new data access switch that provides a non-blocking 960Gbps backplane with 48 10Gbps access ports in a single, yes ONE, rack unit of valuable data center space. The fully-functional, fully-loaded system consumes only 150 watts using its dual redundant power supplies. The cost per port is a dramatic reduction from the legacy shelf and card systems as well.

It is fun to look back in time to gauge our technological progress. However, the moral of this story is that it is easy to compare today to yesterday because we have 100% visibility. When investing for the future, whether it is equipment, money or people, one is well served by changing the paradigm of analysis. Do not use yesterday as your baseline, use tomorrow.

The past few months have seen a significant increase in “hacktivism”, a word derived from hacking and activism. Loosely organized groups like Anonymous and LulzSec seem to be playing a game of “one-ups”. These groups are so bold as to taunt law enforcement from Twitter and to go after the highest profile targets such as the US Senate and the CIA.

Who loses? We all do. Businesses lose because a loss of personal information, say from a credit card company, erodes confidence and they lose customers. Individuals lose when their personal information is made public or sold to those who would use it illegally. Additionally, money will be spent: to investigate the crimes, to investigate the security posture of the targeted organizations, and finally to add legislation. History tells us this legislation will do little or nothing to stem the tide of hacktivism, but will add costs to businesses, which in turn pass those costs to the consumer. You and me.

At one time, perimeter security seemed to be the dominant solution to prevent attacks. After all, hackers must come from the outside. Today, firewalls aren’t even a speed bump to hackers. Many external firewalls look more like a pegboard. In fact, more than ever the attacks are “client side”– your users visit websites that serve up malware like extra-cheese on your favorite pizza. Spyware, adware and other types of malware are consumed by our users when they visit their favorite gaming or movie download site. Those are just two examples, but malware has been hidden in everything from openly malicious sites to advertisements on the most popular news sites.

Some would claim that our defenses are useless, but the truth is, there are a number of things we can do to either prevent our companies from becoming the next victim or to give us a chance at detecting and responding to the security incident. Let me offer the following four steps as a “quick-start”.

1. Get the basics done. Too many companies today still don’t have a complete grasp on the basic security processes, such as patch management, firewall audits, password changes and protection, security logging, anti-malware updates, etc.
2. Lock down your systems and keep backup images so that systems can be restored quickly in the case of failure or a complete compromise. One of the most secure organizations for whom I have ever done consulting kept a complete set of clean virtual images and compared them nightly against the desktops and servers to make sure nothing changed or was added. If there was any variance, the variance was recorded and copied for forensic purposes and a fresh instance was immediately loaded.
3. Deploy monitoring tools at the perimeter and internally. This would include IPS, web application monitoring, network intelligence tools, next generation firewalls, etc. Many companies will stop after deploying firewalls and IPS at the perimeter or maybe even at a secondary perimeter that protects against partner networks, VPN connections, etc. I say that’s not enough. If you aren’t monitoring internally, you are missing all the traffic passing between your desktops and between desktops and internal servers. Overlooking these links could be a fatal mistake. I’ll explain more later.
4. Train your users. Professionals have known forever that security is only as strong as the weakest link. If security is not a part of your corporate culture, you need to change your culture. Contrary to some opinions, it won’t stifle creativity and won’t hurt productivity for people to understand the importance of security as well as the practical steps to protect corporate information.

The truth is, these may all sound like basics and number 4 should probably be done at the same time as number 1, but too many companies don’t make the effort to get all of these functions done effectively.

For example, let’s take firewall audits as just one part of #1 above. It is difficult for organizations with over 10 firewalls to regularly audit the rules on the firewalls. It is time consuming, complicated and often not very productive. However, with good firewall configurations, many vulnerabilities are completely mitigated. For example, in the typical e-commerce environment, a web front end processes transactions and then sends those transactions to a back end database via an encrypted SQL connection. By using a firewall to prevent any communications except SQL over SSL between the web front end and the database you eliminate virtually all the vulnerabilities except those that can be exploited via that SQL over SSL channel, or locally. (Stay tuned to later blog entries for more on auditing firewalls.)

Locking down system configurations is an important part of security. In the past, we have relied on patch management systems and antivirus products to keep us safe. These products have not evolved fast enough and are horribly inadequate to protect us from the most basic viruses, spyware, adware and other malware. They are even less effective against advanced persistent threats (APT) or even from the dreaded hacktivist. New technologies that provide cloud based software authentication, reputation services and application whitelisting are proving to be significantly more effective and are likely to replace traditional antivirus products. (Again, stay tuned to later blog entries for more information on anti-malware.)

Network monitoring is not an easy task. For mid-sized companies, the process can seem overwhelming. Auditors might require it and yet maintaining the expertise is difficult. However, this is often the most revealing part of the security process. By monitoring the network at the perimeter and internally, you not only identify what attacks are coming at you from the outside, but you also see what your users are doing to compromise security internally. Using IPS and internal network intelligence tools, I have discovered dozens, wait, hundreds if not thousands of systems that were infected with insidious malware. I’ve found multiple laptops that were completely compromised while on the home network and then carried into the corporate environment where they started replicating their maliciousness. I’ve discovered users unknowingly downloading malicious code and I’ve discovered devices inappropriately placed on the internal network. One major key to internal monitoring is proper deployment. A good deployment requires the use of TAPs, also known as Traffic Access Points. TAPs are used for a number of purposes. They copy traffic from a network link to a network monitoring tool. They replicate data from a SPAN port to multiple network tools. They aggregate the information from multiple links to a single tool. They eliminate a single point of failure or reduce downtime by providing an alternate traffic path for inline devices like IPS systems. They convert from 10G to 1G or from 1G to multiple 100Mb links. They can be used to filter traffic, and the list goes on and on. The point here is that with a little engineering workand by using the right taps, you can maximize monitoring capability for your network tools and save a ton of money.

Finally, nothing will provide a better return on investment when it comes to security than training your users. Teaching your users to look for security issues, to recognize poor security practices and to practice good security is essential for any organization to maintain high levels of security.

A final recommendation…don’t wait for government to mandate the measures you take, because by the time they send down a new requirement, the hacktivists have already figured out how to get around it.

NOTE TO THE READER:

Thomason Technologies, LLC is an authorized reseller of Network Critical products.