Site iconSite icon IFSEC Insider | Security and Fire News and Resources

Regaining control of the network

According to a recent independent survey in the UK, IT managers are losing control over what applications are running on their networks. Over half of the network managers questioned stated that the IT Department in their organisation knows about less than 60% of the applications being run on the corporate network.

It’s scary to even contemplate the amount of valuable bandwidth capacity that’s being wasted, not to mention the potential loss of productivity for the users waiting for their data when non-business traffic is using the available space in the pipe.

For too long, network administrators, security managers and application experts have been locked in a battle, each party fighting for their own budgets. That process sometimes pulls IT in different directions.

Today, so many applications use the browser as the user front end and the same IP port numbers (and often HTTPS encryption), thus packet-level devices cannot identify the applications.

Now, just to add to the difficulties facing IT managers, the growing use of resource-heavy applications such as software-as-a-service (SaaS), videoconferencing and Web 2.0 technologies – many of which look the same to the firewall and routers – means that just when we need the clearest view of traffic, we’re actually obscuring the information.

The organisation must come first

For most people, the boundaries between the home and office are becoming ever more blurred. An element of trust now pervades most companies which means that, contrary to popular opinion, most IT managers don’t want to prevent staff from using the organisation’s network for private purposes.

Allowing personal use at the office keeps users at their desk instead of going out shopping at break-times. If members of staff spend two minutes of their lunch hour doing private stuff, they’ll probably spend the other 58 minutes on work.

However, the rapid growth of Web 2.0 technologies such as Facebook and Twitter has made it increasingly difficult for the IT manager to manage their network and to ensure the prioritisation of work traffic. This was highlighted from the survey findings, which revealed that IT managers believe around 40% of traffic on company networks was non-work-related.

This traffic is often delivered with the same priority as mission-critical traffic, such as the Order Processing Department accessing the ordering application.

From the IT manager’s perspective, even at a basic level a web-hosted application, a standard web page, a YouTube video and a browser-based access to Oracle may all look very similar, making it very difficult for them to track applications and their impact on the network.

In conjunction with the rise of service oriented architecture and the growing popularity of Web 2.0 applications, this prompted at least half of respondents to confess they could account for less than 60% of the applications on their networks.

Security concerns are raised

What does all that mean in the real world? Well, it doesn’t just pose direct cost implications for network expenses, but also raises security concerns with the threats from malware, trojans, botnets and phishing attacks.

Sadly, hackers, spammers and phishers see Web 2.0 applications as a great resource. Placing malware on social networking pages (and employee social networking posts) can inadvertently send confidential information out of the organisation.

By identifying and limiting the social bandwidth hogs and inspecting traffic for unknown applications entering the organisation (often malware), the IT security manager can ensure response times for critical business applications will be quicker – thereby resulting in greater IT value to the business.

The truth is that companies need to identify the traffic that’s going across the network in order to identify those applications ‘clogging the company pipes’. They should then use the available tools and technologies to prioritise the business-critical traffic.

Furthermore, in a time of economic woe, strong decisions have to be made that put the company first. This shouldn’t necessarily be about cutting off staff access to applications such as Facebook, YouTube and iPlayer. After all, this can result in dissatisfied employees. Rather, it’s about putting the organisation before the requirements of the individual.

Enabling the complete business process

For IT security managers, it should be less about pure numbers or Service Level Agreements and more about enabling the complete business process. Therefore, IT managers can potentially save the organisation money by limiting recreational use of corporate networks by staff and accelerating the business-critical applications to provide the best possible balance of work productivity and efficiency.

The $64,000 question is: ‘How can this be done?’

The nature of business applications is changing fast, with most key network applications available via a web-browser front end. Network measurement is moving from simple connectivity and uptime to performance, response-time and consistency for office workers, home workers and those accessing computing services while outside the office.

That being the case, organisations should look to adopt application-level intelligence solutions to identify and track all traffic on the network. When traffic can be identified using multiple simultaneous parameters, real knowledge can lead to priority decisions that align with the business.

The types of parameters include (but are not limited to) application, user and group, bandwidth usage, response-time, network and server delays, source of the requests and the requesting user application.

As more traffic is SSL-encrypted, the IT manager needs to be able to inspect inside the encrypted wrappers to be successful. In addition, there’s little point in being able to identify traffic unless optimisation and bandwidth management decisions can be made on that data. A set of simple probes that pass information on but do not act on it simply isn’t enough.

Increasing bandwidth capacity as a response

When recreational applications or traffic hijack an organisation’s network, the IT manager may respond by increasing bandwidth capacity. Without other controls in place, throwing more bandwidth at the problem will not resolve matters or prevent the problem from recurring. Indeed, in many cases it provides no improvement to the individual user.

Recreational applications often absorb the additional bandwidth, while critical applications still suffer from poor response times.

The good news is that there are now solutions available which can provide the level of visibility and act on changing attributes – accelerating critical applications and changing bandwidth priorities proactively when response times increase past a certain level.

This capability enables the IT manager to administer appropriate policy controls to contain unsanctioned traffic, protect mission-critical applications and optimise demanding business applications. Through simple policy-setting, this provides complete visibility and control over all the applications, users and content on the organisations network.

However, an increasing number of applications and web sites are in a grey area. They’re used for both personal and business purposes, so it’s difficult to classify them as strictly one or the other. As mentioned earlier, popular services such as instant messaging (IM), some social networking sites and even YouTube are increasingly used by businesses because that’s where their customers are to be found.

Classification of different applications

The IT manager now has the capacity to diagnose today’s response times and where the bottlenecks are, then classify all the different applications (potentially with differences based on other parameters than just application) and set WAN optimisation priorities.

This gives the IT manager the choice on whether or not to allow the use of sites such as LinkedIn at off-peak times, and enable them to quickly determine which key applications to protect and where to allocate appropriate network resources.

With this technology deployed, the organisation can manage the increase in recreational applications. The tools mentioned are essential in ensuring how organisations look to anticipate and protect their network from the next wave of Internet phenomena – whetavere this may prove to be.

Nigel Hawthorn is vice-president of marketing EMEA at Blue Coat Systems

Subscribe to the IFSEC Insider weekly newsletters

Enjoy the latest fire and security news, updates and expert opinions sent straight to your inbox with IFSEC Insider's essential weekly newsletters. Subscribe today to make sure you're never left behind by the fast-evolving industry landscape.

Sign up now!

man reading a tablet, probably the IFSEC Global newsletter
Exit mobile version