En Garde!

The Role of Identity in the LAN

2009-08-13T17:16:17-07:00

By Michelle McLean

In recent posts, we’ve been discussing the reality of LAN sprawl – the multi-dimensional growth of users, applications, and devices – and the challenges of maintaining control in such a dynamic environment. Context, with a full understanding of who’s doing what, is key to regaining that control.

One of the primary attributes of context is user identity. The question of “who” is doing the activity, particularly tied to the role or roles of that user, is one of the most critical elements in enabling appropriate access control.

Analyst firm Gartner has also been talking about the role that identity must play, particularly in the recent report entitled “Introducing the Identity-aware Network.” In that report, Gartner analysts write:

“... because networks are blind to a user's identity, the risk is that users "see” applications that they are not authorized to access. For example, a contractor who has been granted network access could 'go exploring' (undetected) and attempt to access sensitive information.”

Gartner goes on to recommend that organizations make their networks identity aware, noting:

“Network managers can add identity-aware networking solutions to the network infrastructure. If they are deploying a new network infrastructure, then they should consider newer infrastructure solutions that embed identity-aware technology."

Why do organizations need identity in the LAN? Gartner cites these key drivers...

Guest networking
Protecting intellectual property
Regulatory compliance
Xenophobia threat

Chances are your organization is struggling with at least one of these issues. If you’re able to access the Gartner research, I highly recommend this report. It provides some good insight on how to build identity into your LAN to help you meet these challenges.

ConSentry’s context-driven switching makes identity, and role, paramount in its visibility and control capabilities, tying into Active Directory or whatever the existing identity store is to tie flows back to a user. You can read more about how context-driven switching can help you deliver identity-based networking in your environment here.

How could identity help your network? We’d love to hear your thoughts – submit a comment to start the dialogue. Thanks,
--Michelle

Survey Says… IT Managers Concerned About LAN Sprawl

2009-07-30T11:35:47-07:00

By Rod Kay

Knowing what’s happening on the LAN, much less controlling it, is becoming quite complex. We hear concerns about managing access rights and other control issues all the time from our customers, across every industry, and the message is always the same. With the rapid increase in the number and types of users, applications and devices on LANs today, IT managers are losing visibility and control at an alarming rate. To better understand this situation, and to get from anecdote to real data, we commissioned Loudhouse, an independent research consultancy, to interview IT decision makers in both the US and UK on these issues.

Loudhouse asked respondents to consider how their LAN had grown over the last two years and about anticipated growth over the next two years. A key finding is that LANs have grown at fairly consistent rates across a wide range of axes and are expected to maintain this multi-dimensional growth over the next two years. Loudhouse calls this multi-dimensional growth “LAN Sprawl” – the combined effect of more and different types of users, applications, and devices and their inter-dependencies. Cross-functional users, third-parties, more diverse applications, and corporate, personal, and non-user IP devices are all in the mix, contributing to LAN Sprawl.

For IT organizations being asked to do more with less, this sprawl has become quite a problem. The video below provides survey results on the LAN Sprawl issue and some of the concerns IT has in dealing with this situation. If you’re having trouble viewing this video or text, click here for a larger slideshow with the full results.

We’d love to hear from you on this topic – are you feeling the effects of LAN sprawl? What steps are taking to regain control?

The survey, conducted in June 2009, is based on 200 interviews with IT decision makers from mid-size (250+ employees) to large enterprises (1000+ employees) across the US (100) and UK (100) regions.

Key Findings: LAN Sprawl Growth

1. 30% average growth in LAN size from 2007-2011 (average across all areas of growth)
2. The largest areas of growth in the network overall over the last two years are:
         *Number of applications (16.8%)
         *Smart/mobile devices (16.6%)
         *Remote working employees (16.6%)
3. The greatest area of risk for UK respondents: ability to control access in remote locations (50%)
4. The greatest risk for US respondents: inability to enforce appropriate usage policies (40%)

Key Findings: Resources and Growth

Key Findings: Resources and Growth
1. The greatest areas of growth are increases in:
         *Approved business applications
         *Number of applications supported by the network
         *Smart/mobile devices
         *Remote working employees
2. Over next two years, 55% of US companies expecting greater growth, and 44% of UK
         *The largest growers are also more likely to increase the pace of LAN growth
3. However only 42% of businesses have sufficient investment for IT to support their business goals
         *37% say that staffing levels have increased to support LAN growth

The Rise of the Virtual Organization

2009-07-26T14:00:00-07:00

By Michelle McLean

Yankee Group recently published a report entitled “The Era of the Virtualized Organization Demands Context-aware LANs.” ConSentry commissioned the report after extensive discussions with customers about how their businesses have been changing and the ways in which today’s static LANs have made it difficult for them to keep up with those changes.

What does Yankee mean by the virtualized organization? The term refers to the constant coming and going of different “workers” – including employees, guests, contractors, partners, even competitors – as well as those workers’ devices and applications. It also encompasses the idea of ad hoc groups, where people from different parts of the business, both inside and outside, come together to work on a given project (M&A activity, for example, or a CRM customization).

The Yankee report contends that given the rise of the virtualized organization, IT needs a more dynamic and knowledgeable infrastructure to accurately assign user access rights on the LAN. The report argues that to regain control, IT needs context in the LAN – deep knowledge of the user, role, device, application at Layer 7, destination, and environmental factors such as location and time of day. Based on this richer set of information, the LAN becomes an orchestrator – delivering the right services to the right people at the right time. And IT has the info needed to better manage the interactions amongst users, applications, and devices.

Essentially, with context-driven switching, policy becomes the new forwarding table.

You can read the full report on the ConSentry site, and hear Yankee Analyst Zeus Kerravala discuss what organizations require to solve this problem.

Clearly the LAN edge isn’t the only place to need context – the data center and the LAN/WAN boundary are two other places that would benefit greatly from a richer understanding of the users, applications, and devices traversing them.

Where else do you think context matters? And what other attributes will it encompass? I look forward to reading your comments.

Tales of Woe: IT Challenges on the LAN

2009-07-26T13:48:27-07:00

By Joe Golden

While at the Interop show in Las Vegas last May, I was able to catch up with a number of IT managers walking the show floor in search of solutions for some of the issues they face on a daily basis. Although the faces were different, the stories were the same – tales of woe about remote users coming into the corporate network from unsecured home computers, new applications being introduced (often without IT’s knowledge), and the need to keep up with the constant influx of new devices on the network.

While these IT managers hail from organizations varying in scope and size, they share a common set of problems. Moreover, they share a common need for more visibility and control over the users, applications and devices on their LANs.

To find out firsthand what IT managers are saying about challenges they face on the LAN, take a look at this video, “Growth Challenges on the LAN: Insights from IT Managers at Interop 2009.”

An Educated Guess

2009-07-16T11:20:00-07:00

By Jeff Prince

Over the last decade, networking devices have been slowly moving up the protocol stack to deliver transformational business benefits. For example, load balancers moved up the stack from L4 to L7 as they became application front ends that actually understood applications well enough to improve services for them. As a result, companies were able to take advantage of distributed resources much more effectively. This is what happens when companies invest in sophisticated products - things work better – it’s not rocket science.

More recently, WAN acceleration companies realized that load balancers were on to something, and they developed and deployed L7 knowledge to transform WAN application use and business practices. While the idea of adding L7 intelligence to your product is obviously one of the best ways to get ahead of the competition, developing the technology isn’t easy (in fact, that part might be considered rocket science).

Now L7 application understanding – tied to individual users – is offered in LAN switches. It’s not in every LAN switch, of course – the majority of switch vendors are still selling 15-year old technology based on L3/L4 information. These switches, based on the legacy architecture, are actually becoming business-limiting in their lack of support for today’s needs for visibility and application and access control. If you ask IT managers, “Would you like to simplify the process of controlling network resources and have the ability to direct LAN policy to users according to their different roles in the organization?” my guess is they would probably say “yes.” It’s just an educated guess though.

Part 2: If you could only see what was REALLY happening on your network!

2009-07-07T11:45:00-07:00

By Derek Granath

My last post focused on how seemingly harmless user activity can threaten the security of the corporate LAN. What follows here are some of the more malicious activities we’ve seen take place when users are able to take advantage of corporate resources. If you don’t have the right level of visibility on your LAN, you cannot adequately enforce policy or control users. Are things like this happening on your network? Do you really know?

Nobody will notice if I use this port: IT staff for this customer had an IP address that they thought was a service port on one of their switches, so they white-listed it into a role for network devices. When they then locked down the role to only the management functions, they began to see a stream of policy incidents: this switch service port was talking to a buddy on AIM, surfing the web, copying files to the file server, and using Outlook – clearly it wasn’t a switch port! By watching the traffic in more detail via the ConSentry InSight Command Center, the IT staff determined the address belonged to a user, not a switch, and were able to hone in and identify the user by name. In the process, they also learned how severely out-of-date the manually maintained IP address spreadsheet was, and they found several servers out on the edge network, a deployment model that violated company policy. They even discovered several duplicate IP addresses shared by both the network devices that are statically assigned and the DHCP pool used to assign user IP addresses. The customer was lucky that the duplicate IP addresses hadn’t interrupted network service; however, service disruption might have been the inevitable outcome had ConSentry not uncovered the problem.
It’s my time, not my money, I’m wasting: Another customer recently reported that after deploying our gear and reviewing the top applications at the call center, the IT staff uncovered extensive use of web-based Pogo and Yahoo games. In some cases, calls had been left on hold while call center employees were gaming, inflating charge times for their unsuspecting customers. By tying this inappropriate application use to individual users, the IT staff was able to eliminate this illicit usage and thus more accurately bill its customers.

The bottom line for both inadvertent and blatant misuse is the same: you need Layer 7 visibility, tying together users, applications, and devices, to enforce policy and control over your LAN.