Network Advisor: October 2007

Tuesday, October 30, 2007

IPS gaining ground over IDS

IT security managers say the dangers posed by computer worms and hacker attacks have compelled them to shift defenses from passively monitoring their networks to actively blocking attacks, even though legitimate traffic sometimes gets blocked.

With the growth of intrusion-prevention systems, established IPS vendors and start-ups are introducing an ever-widening array of products.

However, while IPSs appear to be supplanting intrusion-detection systems (IDS) in more organizations, they come with the risk of blocking good traffic along with bad.

"It's a calculated risk," says Chris Hoff, information security officer at Western Corporate Federal Credit Union (WesCorp) in San Dimas, Calif., about his company's decision to shift from IDS to IPS over the last six months.

WesCorp, which has $25 billion in assets and provides back-office management services to about 1,000 credit unions, deployed the Internet Security Systems (ISS) Proventia G-100 IPS appliance to start automatically blocking attack traffic. The main reason is that even one hit from the growing number of worms and hacker attempts would be too high a price to pay, Hoff says. However, the downside is that legitimate traffic occasionally is blocked along with attack traffic, he adds.

"Legitimate traffic can be blocked, and we spend an enormous amount of time tracking down false positives and false negatives," Hoff says. He adds that there needs to be improvement in IPS blocking to filter out the "harmful stuff" while allowing good traffic through.

In spite of the problems false positives cause - the same kind that plagued passive IDS sensors over the years - Hoff says he has no intention of giving up intrusion prevention. He adds that WesCorp isn't buying network-based IDS any more. Instead, the company is using vulnerability assessment much more than it did in the past, and deploying products from Skybox Technologies and Qualys to determine which servers and desktops require patching and updates.

Hoff says he's interested in host-based IPS, too, but is waiting for prices to drop. Costs typically run into the hundreds of dollars for the software for each server that needs protection.

According to IDC, the market for IDS and IPS together - collectively known as intrusion detection and prevention (IDP) - is about $730 million, with host-based software at about half the size of network-based software and hardware last year.

Several analyst firms, including Infonetics Research and IDC, say it's admittedly hard to figure out the exact number of blocking-capable IPS products that were sold in any year vs. IDS. This is because some of the larger IDP vendors, including ISS and Symantec, are reluctant to break this out. The reason often given is that IPS typically includes passive IDS functionality, and sometimes customers use IPS for passive monitoring or in a "mixed mode" where they block some traffic but monitor other portions.

Nevertheless, there's strong reason to believe IPS is gaining ground among enterprise customers, says Charles Kolodgy, research director for security products at IDC. He predicts that within a matter of a few years "IPS will eventually be the predominant technology."

IPS is selling better than IDS, confirms Clarence Morey, senior manager for product strategy at ISS, adding that IPS is often preferred for the most mission-critical networks. ISS, which focused on software-based intrusion detection until the launch of its Proventia appliance line in mid-2003, declines to offer more detail on numbers. But in its latest quarterly filing with the Securities and Exchange Commission, ISS indicated that the Proventia line of IPS appliances accounted for 61% of product and license sales in the third quarter of this year, and 53% of sales revenue for the nine months of the year. ISS stated its nine-month revenue as $88.9 million, as opposed to $76.1 million for the same period a year ago. According to this statement, IPS has overtaken sales of traditional IDS.

IDC also points out that several of the top vendors in the IDP market - McAfee, NetScreen Technologies (which Juniper bought last year) and Top Layer Networks - generate their revenue through IPS products alone. IDC also cites the explosion of new market entries in the last six months as an indicator of growing demand for IPS.

On the host-based IPS side, eEye Digital Security's Blink software and products from start-ups such as Bodacion and Determina were introduced this year.

On the network-based IPS side, the new-product barrage came from start-ups such as Barrier Group, Beadwindow and Captus Networks. A few, such as Sentryware, offer network- and host-based IPS.

McAfee recently unveiled two new versions of its IntruShield IPS, the multi-gigabit models 4010 and 3000 with expanded ports for large corporations and ISPs.

Amid this cornucopia of IPS offerings, there's no shortage of early adopters willing to try network-based IPS to protect their networks through blocking.

"I look at it as a disaster-prevention element," says Eben Berry, manager of IS at managed healthcare provider Network Health in Cambridge, Mass., which serves 60,000 Medicaid recipients. The healthcare organization uses V-Secure's 100M bit/sec V-100 appliance at the perimeter to block attacks on its Web site.

Berry says the V-100 appliance doesn't rely on signatures to pinpoint attacks but instead monitors patterns of activity. On its internal LAN, Network Health deployed a different IPS: Juniper's NetScreen IDP-100, because it can filter on a bidirectional basis, something V-Secure's appliance only recently added.

Todd Woyke, engineer at Diversico Industries, a tool manufacturer in Minneapolis, decided to use Barrier Group's IPS after being blitzed repeatedly by dozens of computer worms and hackers that broke into servers. "So far, all I can say is we aren't seeing any intrusions," Woyke says, and adds he's sold on intrusion prevention.
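The blocking-versus-monitoring trade-off the article describes, as an added illustration that is not code from any product named above: a small policy engine in which each rule carries its own action, so a high-confidence signature blocks while a pattern-based port-sweep rule only alerts (the "mixed mode" mentioned), and an allowlist keeps the organization's own vulnerability scanner from showing up as a false positive. The rule names, addresses, the WORM-PROBE marker and the traffic are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes
    malicious: bool  # ground-truth label, used only to score the engine

@dataclass
class Rule:
    name: str
    action: str                        # "block" (IPS) or "monitor" (IDS-style alert)
    signature: Optional[bytes] = None  # content match: high confidence, safe to block
    max_ports: Optional[int] = None    # pattern match: distinct ports a source may touch

    def matches(self, pkt: Packet, ports_seen: dict) -> bool:
        if self.signature is not None:
            return self.signature in pkt.payload
        return self.max_ports is not None and len(ports_seen[pkt.src]) > self.max_ports

class MixedModeIPS:
    """Rules run in order: a 'block' match drops the packet, a 'monitor' match
    only raises an alert and lets it through (the article's "mixed mode")."""
    def __init__(self, rules, allowlist):
        self.rules = rules
        self.allowlist = set(allowlist)   # e.g. the organization's own scanner
        self.ports_seen = defaultdict(set)

    def inspect(self, pkt: Packet) -> str:
        if pkt.src in self.allowlist:
            return "allow"
        self.ports_seen[pkt.src].add(pkt.dst_port)
        verdict = "allow"
        for rule in self.rules:
            if rule.matches(pkt, self.ports_seen):
                if rule.action == "block":
                    return "block"
                verdict = "alert"
        return verdict

def score(ips: MixedModeIPS, packets) -> Counter:
    """Tally verdicts against labels: what each rule's mode costs in false
    positives (good traffic blocked) and false negatives (attacks let through)."""
    tally = Counter()
    for p in packets:
        v = ips.inspect(p)
        if p.malicious:
            tally["true_positive" if v == "block" else
                  "alert_only" if v == "alert" else "false_negative"] += 1
        else:
            tally["false_positive_blocked" if v == "block" else
                  "false_positive_alerted" if v == "alert" else "clean_allowed"] += 1
    return tally

# Constructed sample traffic, not captured data: 198.51.100.4 is a hostile port
# sweep, 10.0.0.2 is the organization's own allow-listed vulnerability scanner.
SAMPLE_TRAFFIC = (
    [Packet("10.0.0.5", 80, b"GET /index.html", False),
     Packet("203.0.113.9", 80, b"GET /WORM-PROBE", True),
     Packet("10.0.0.7", 80, b"GET /WORM-PROBE-notes.txt", False)]  # benign, trips signature
    + [Packet("198.51.100.4", port, b"", True) for port in (21, 22, 23, 25, 80)]
    + [Packet("10.0.0.2", port, b"", False) for port in (21, 22, 23, 25, 80)]
)

def build_engine() -> MixedModeIPS:
    return MixedModeIPS(
        rules=[Rule("worm-probe-marker", "block", signature=b"WORM-PROBE"),  # constructed marker
               Rule("port-sweep", "monitor", max_ports=3)],
        allowlist=["10.0.0.2"])

def run_demo() -> Counter:
    return score(build_engine(), SAMPLE_TRAFFIC)
```

The tally shows both costs Hoff describes: the substring signature blocks one legitimate request, and the monitor-only sweep rule lets the first three probes through before it alerts.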

Unclassified but Sensitive Internet Protocol Router Network Security Policy

The Unclassified but Sensitive Internet Protocol Router Network (NIPRNET) is a network of government-owned Internet protocol routers used to exchange unclassified but sensitive information between DoD users. NIPRNET is also the primary entrance into the Internet. As of August 2000, over 70 percent of NIPRNET traffic is directed toward the Internet. As the growth and usage of the Internet surge, so do the dangers of intrusion into sensitive networks. In a policy memorandum on "Increasing the Security Posture of the Unclassified but Sensitive Internet Protocol Router Network," August 22, 1999, the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) expressed interest and concern over the multitude of interconnections between NIPRNET and the Internet.

Secret Internet Protocol Router Network (SIPRNET)

SIPRNET replaces the DDN DSNET1 as the SECRET portion of DISN. Its complete architecture will be achieved by constructing a new worldwide backbone router system. The primary method for secret-level network connectivity is via Base secret-level networks, which in turn provide Base Router connectivity to SIPRNET. Various DoD router services and systems will migrate onto the SIPRNET backbone router network to serve the long-haul data transmission needs of the users. Transmission services will use smart multiplexers and 512 kilobits per second (kbps) channels. Other transmission services will be acquired or leased as needed. Future expansion will progress to the T1 circuit data rate of 1.544 megabits per second (Mbps) and potentially to the T3 data rate of 45 Mbps. High-speed packet-switched service will be provided through the use of IP routers. This SECRET router layer of the DISN is intended to support national defense C3I requirements, to include the issuing of COMSEC keys used with the STU-III to make secure dial-up SIPRNET comm server connections.
The Secret Internet Protocol Router Network (SIPRNET) has matured to be the core of our warfighting command and control capability. Many expeditionary commanders ask for SIPRNET ahead of secure voice when deploying their forces. SIPRNET is fast becoming the de facto standard of preferred data services, even over NIPRNET. The SIPRNET is the new, worldwide router-based network replacing the older X.25-based packet-switched network (the Defense Secure Network One (DSNET1) of the Defense Data Network (DDN)). The initial SIPRNET backbone router network went online 3 March 1994. Subscribers started coming online shortly thereafter. The SIPRNET WAN (as of 31 May 1995) consisted of a collection of 31 backbone routers interconnected by high-speed serial links to serve the long-haul data transport needs of secret-level DoD subscribers. Additional SIPRNET backbone routers are being planned to meet increased customer requirements. SIPRNET supports the DoD standard Transmission Control Protocol/Internet Protocol (TCP/IP) service. Subscribers within the DoD and other Government Agencies are able to use the SIPRNET for passing datagrams at the Secret-Not Releasable to Foreign Nationals (SECRET-NOFORN) classification level.

Tuesday, October 23, 2007

Security and VPN Management Solution

As today's enterprises transform their networks into a tool that enables employees to be more productive, they must find ways to protect the network and the data that traverses it. The Cisco Self-Defending Network leverages integrated Cisco security infrastructure to ensure the enterprise network defends against external security threats, protects systems and information through internal trust and identity policies, and provides secure business communications. The result is security assurance and protection of company profits and assets.

The Cisco Security Management Suite is a framework of products and technologies designed for scalable policy administration and enforcement for the Cisco Self-Defending Network. This integrated solution can simplify and automate the tasks associated with security management operations, including: configuration, monitoring, analysis, and response. The key components of this suite are the Cisco Security Manager and the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS).

1. Cisco Security Manager is a powerful but easy-to-use solution for configuring firewall, VPN, and intrusion prevention system (IPS) policies on Cisco security appliances, firewalls, routers, and switch modules.

2. Cisco Security MARS is an appliance-based, all-inclusive solution that allows network and security administrators to monitor, identify, isolate, and counter security threats.


Cisco Security Manager and Cisco Security MARS can be deployed separately to provide flexibility for any network environment. However, when used together, an administrator can achieve even greater value and productivity benefits. These applications are integrated to provide an outstanding ability to continuously monitor and improve the security of the network as threats arise. This allows organizations to realize the following business benefits:
1. Simplified management of an integrated security fabric
2. Higher network availability through faster threat mitigation
3. Reduced complexity across multiple security platforms
4. IT Investment preservation

With a powerful set of applications, an integrated architecture, and a comprehensive ecosystem partner strategy, the Cisco Security Management Suite is positioned as the ideal management solution for the Cisco Self-Defending Network.

Monday, October 22, 2007

Cisco Cable High Speed Data (HSD) Solutions

Add DOCSIS-Based High-Speed Data Services
Cable operators have enjoyed great success offering Internet access. Cisco has the real-world experience, proven products, and advanced technologies to help you supply cable high-speed data (HSD) services, based on DOCSIS standards, for homes and businesses.

Cisco HSD solutions (Figure 1) blend broadband cable RF technology with Cisco’s highly scalable, secure, and flexible IP core technology. The Cisco portfolio includes industry-leading, DOCSIS-compliant CMTSs, leading-edge business and home CPE, and advanced IP backbone and edge products. Along with residential HSD products, Cisco offers tested business service solutions, including VPNs, Metro Ethernet, and virtual LANs, that can generate higher margins and higher revenue.

Cisco works with you to integrate its broad array of products into a single, highly productive HSD solution tailored to your needs.

How the DOCSIS-Based Solution Works
Your high-speed data backbone can be used for interconnection between different regional networks, as well as to external networks. High-speed trunks using DWDM and SONET/SDH technologies support Ethernet interfaces used by both routers and switches. The statistically multiplexed links can, in turn, use Dynamic Packet Transport (DPT), Resilient Packet Rings (RPRs), or other Ethernet transport standards such as 10 Gigabit Ethernet links.

Next-generation technology incorporates Modular CMTS architectures (M-CMTS) based on DOCSIS 3.0 downstream channel-bonding techniques that more effectively use bandwidth. Your customers can receive 100 Mbps services and beyond via your existing cable plant. You can add this new technology on a node-by-node basis, responding to competition as it arises. Our solutions let you take advantage of DOCSIS 3.0 channel bonding without a major infrastructure upgrade and also allow you to support DOCSIS 1.x, 2.0, and 3.0 simultaneously.


Figure 1 Cisco Cable DOCSIS-Based High-Speed Data Solutions

Thursday, October 18, 2007

Best Practices for Software Performance Testing

Many organizations fail to utilize automated tools as a means to test the large scale performance of applications. This significantly limits their ability to adequately measure the capabilities of programs under various user loads, network conditions and server and database utilization rates. This Podcast details best practices for performance testing, highlighting the various errors that such testing can bring to light.

This Podcast highlights the best practices necessary for effective software performance testing. In this Podcast, you will learn about:

The components of performance testing
Issues performance testing uncovers
Important factors affecting software performance
The impact of Web 2.0 and Ajax on software performance testing

SPEAKERS:

Paul Gillin
Principal, Paul Gillin Communications
Paul Gillin is a veteran technology journalist with more than 23 years of editorial leadership, including positions as chief editor of TechTarget and Computerworld. He is now a content marketing consultant specializing in technology and new media. He advises business-to-business marketers on how to optimize online channels to reach buyers most cost-effectively. His forthcoming book about social media, The New Influencers, will be published by Quill Driver Books in Spring, 2007.

Siva Darivemula
Director of Product Marketing, Hewlett-Packard Company
Siva Darivemula is the Director of Product Marketing for the HP Performance Center software product line. In this role, he is responsible for the go-to-market strategy of performance testing solutions. He has many years of experience with enterprise software and solutions and product marketing. He has worked at IBM, Microsoft and Adobe Systems with industry-leading solutions such as WebSphere, Microsoft Office, and Flex.

Small Business Networking

By James Gaskin

HP's c3000 aims at medium and small businesses.

If you're drooling over the advances in the world of blade servers, wishing you could afford a rack or two of them, that day may arrive sooner than you think. Looking to replace the jumble of servers stacked in the storage closet, er, server room? Don't have a fancy raised floor and heavy duty air conditioner? No problem.

Of course, if you read about the heavy power requirements for a rack full of blades, such as three-phase power modules, you figure blades will elude you forever. When you read about problems large companies have cooling a cabinet full of 64 blade servers, all with two processors and 32GB of RAM generating heat like the August sun, you may be glad to avoid such headaches.

But the truth is blade servers create less heat, and require less power, than stand-alone servers with the same horsepower. They just need the power and cool air in one small spot. Second-generation blade server chassis now do a better job dispersing the heat generated by blades than ever before, and cooling product vendors have adapted their tools to better handle the heat created by racks of blade servers. It still takes work, but it is getting easier.

Even better, HP now has a smaller blade enclosure system called the c3000, or Shorty. The company based the unit on the enterprise class c7000 blade enclosure used by the big data centers, so many parts from the high end system work in the c3000, such as the special cooling fans. Aiming at branch offices of large companies, HP actually made a great “introductory” blade server system for small and midsize businesses.

The best thing about the c3000 for small businesses is its ability to run in the same kind of environment your current servers do: the “nothing special” environment. It runs on power from a normal 120 volt wall socket. It runs in rooms cooled by standard office air conditioning. In other words, you can get a blade system and treat it as badly as you treat your current servers. There's no need to upgrade your storage closet/server room.

Blade system vendors say the price for blades evens out with stand-alone servers when buying five servers. You have to amortize the cost of the chassis over five servers to get the individual server cost down to match similar stand-alone server pricing. While it's more efficient to provide power and cooling fans in the chassis for multiple servers rather than in each case for stand-alone servers, that does drive up the cost of the chassis. Blade production volumes continue to increase, but traditional servers still get lower pricing from higher volume production runs.

Full height blade servers aren't much smaller than the rackable 1U pizza box style servers they replace. They moved the cooling and power supplies off the server motherboard into the chassis, but they didn't make a huge leap in server density. Blades reduced management overhead and did away with 9 of 10 cables used inside a normal rack, but the server density didn't jump way up.

HP's half height blades, however, pack two complete servers into the same space as one of their full height blade slots. Since the c3000 Shorty chassis can handle four full height blades, eight half height blades, or any combination that works mathematically, you can choose exactly what your blade server system includes.

These second generation blade servers, both full and half height, include more storage options onboard and storage blades, packed with hard disks rather than processors, provide additional capacity as well. The release of 3.5 inch hard drives with 1 terabyte of data space really allows you to pack plenty of storage into a small space. In this case, pack it into a small slot.

Blade technology dominates future plans in large data centers. For the first time, small and growing businesses can jump into blade territory without worrying about concentrated cooling and power demands faced by the enterprise data centers.

Keep an eye on Network World's review pages. Tom Henderson, a fellow member of the Test Alliance, has a c3000 on his testing bench for review right now.

Although vendors only promise you'll come out even price-wise if you buy five blade servers, you should plan ahead a little. If you need three servers now, or even two, check out the c3000, especially if you know your next server purchase will be within a few months.

Like the book from the '70s said, small is beautiful. Small and powerful, however, is gorgeous.

Wednesday, October 17, 2007

Juniper unveils giant router

Juniper claims router surpasses Cisco offering

Juniper Networks Monday announced an eight-slot core router for service providers that boasts bandwidth of 1.6Tbps, more than twice that of the company’s previous high-end system.

The vendor’s T1600, in a half-rack configuration, blows past the 5-year-old T640, which tops out at 640Gbps. Juniper claims its new box provides 2.5 times the capacity of Cisco’s CRS-1 router with 30% less power and cooling requirements.

T640 customers can upgrade to the new router in 90 minutes without service interruption, Juniper says.

Given that the T640 came out in 2002, they might be eager to do just that.

“The T640 is old,” says Mark Seery, an analyst at Ovum. “Five years is a long time in this business.”

Service-aware routers
The T1600 is also “service aware,” according to Juniper, meaning that it can provide content-specific transmission quality depending on the traffic type – voice and video, in addition to data. Core networks that are not service aware delay new service introduction, lead to inefficient use of resources, force the construction of complex network architectures, and ultimately limit an operator’s competitiveness, according to Juniper.

Service awareness is achieved through in-depth packet processing and policy control. Policy is enabled by Juniper’s recently announced Session Resource Control products, hardware-based controllers running applications which manage subscribers and network resources.

The T1600 also supports the recently introduced point-to-multipoint MPLS (P2MP) feature in the JUNOS operating system. P2MP is intended to provide efficient core video distribution and enhanced optical network integration at 10Gbps and 40Gbps.

A potential downside to the T1600 is its initial lack of support on Juniper’s TX switching matrix, a centralized fabric designed to connect T-series routers into a multiterabit-per-second virtual megarouter. Juniper says customers are demanding higher density and capacity in individual elements for scale rather than connecting multiple lower density systems together.

Juniper also says TX will require an upgrade to support the 100Gbps-per-slot capacity of the T1600. Company officials did not say when this upgrade would be unveiled.

What carriers think
Ovum’s Seery says carriers are not yet confident in the multichassis interconnect options from their vendors.

“I believe all carriers are trying to assess whether they are comfortable with multichassis configurations,” he says. Some carriers are looking for redundancy features, such as the ability to deploy dual distributed switch fabrics, to eliminate the single point of failure current offerings present, Seery says.

Juniper’s hoping carriers won’t wait for the TX support before buying the T1600. Juniper’s deployed 2,500 T640s to date but the company’s share in the core router market slipped from 37% to 30% over the past year.

And Cisco, which announced Monday that it shipped 900 CRS-1s since the product’s launch in 2004, stole some thunder when AT&T picked the CRS-1 to replace its Avici Systems installation after Avici announced it was exiting the core router market.

“The T1600 will help defend Juniper against [Cisco’s] CRS-1,” Seery says. “But it’s not in a strong position until it’s in a TX configuration.”

The T1600 is slated for fourth quarter availability.


The Right Fit for Your Business—Versatile Value and Premium Power Networks

3Com® secure converged networks are unique in terms of value and performance. They let customers address their individual needs with choices that feature advanced, end-to-end solutions backed by years of networking experience, robust research, focused development and global support services—all with an emphasis on reduced complexity and cost.

With increasing dependence on meeting business challenges using secure converged networks, organizations need to align performance requirements and budget limits. How can they affordably help people thousands of miles apart meet online to solve a problem, undergo training, edit documents or serve customers—using voice, video or web conferencing technologies and an IP network? How can mobile workers be assured of instant access to critical applications and data? How can communications and business assets be kept safe and secure? How can budgets and resources be stretched?

3Com helps address these challenges. Standards-based, best-in-class security, wireline and wireless switching, routing and Voice over IP technology deliver sophisticated solutions with minimal complexity to ensure fast returns on investment, increased productivity and high-performance communications.