With the walls between IT domains crumbling, companies are increasingly putting in place policies, processes and technologies that serve the twofold purpose of managing and securing networks.
That was one theme among speakers at Network World's IT Roadmap conference last week, which drew close to 700 attendees and 75 exhibitors. While network management has long been perceived as the poor man of IT, said Jim Metzler, analyst and vice president at Ashton, Metzler & Associates, the technology plays such a large role in other IT domains that it demands attention.
"There is a sort of negative buzz around network management," Metzler told attendees. "But I see innovation."
Technologies, processes and products that help companies respond in a "real-time-enough fashion to threats, opportunities and situations that impact the health and well-being of the organisation" represent the wave of innovation in management, Metzler said.
IT automation software, Web services management technologies and best practices frameworks such as the IT Infrastructure Library are among the areas of innovation in management.
For David Hauser, automating the provisioning and patching of some 500 servers with an IT operations staff of fewer than five people is what he considers management innovation. To start, the CTO and co-founder of GotVMail wanted to be able to quickly roll out desktops to new staff. Founded in 2003, the company currently has 35 employees, but Hauser said he expects that number to double in the next 12 months.
"Automation was never intended to replace IT staff, just shift their attention to more compelling tasks," he said.
Hauser shared with show attendees how he selected, deployed and currently maintains a pair of appliances from Kace to reduce manual labour and, more importantly, to secure his growing network of distributed data centres.
"Patch management and policy enforcement were two of the big factors we had in selecting a network management system," he said.
The Kace system enables Hauser's staff to set policies and control application deployments on user machines. "We had a big security problem with people downloading and setting up applications to their machines themselves," he said.
To minimise user backlash, Hauser set up a self-provisioning feature within Kace that lets users select popular applications they would like to download to their desktop and later that day or overnight the pre-tested and screened application would be provisioned to the machine. "We make sure it works and aligns with our policies before they download it, but you don't want to completely restrict what they put on their machines," he said.
Similarly, Curtis Simonson, senior technologist at the University of New Hampshire Interoperability Lab, told attendees how his organisation explored network access control (NAC) technologies to ensure PCs didn't spread viruses across the network.
"We wanted to prevent systems with viruses from getting on our network. And if they were on our network already, we wanted to prevent the spread of viruses," he said. "We also wanted to prevent access to those we don't want on our network."
Simonson tested and deployed Vernier Networks' stand-alone NAC appliances to monitor machines gaining access to the network and assess their patch and security status. The product works using single sign-on technologies in conjunction with his Windows domain authentication systems and checks whether machines attempting to gain access to the network meet pre-defined security settings.
The product is currently running in a relatively passive mode, tracking traffic and access attempts and alerting lab IT staff to anomalies. Simonson said he has yet to put Vernier's technology to work blocking access to unauthorised devices or placing potentially infected machines on a virtual LAN to prevent a virus outbreak.
"We are using NAC in a more protective than enforcement manner," Simonson said.
Part of the reason NAC projects can be categorised as active or passive, protective or enforcement, said Opus One senior partner Joel Snyder, is that the technology spans several domains within IT and relies on knowledge of the network, the user and the access controls in place to function properly.
"NAC is user-focused, network-based access control," he explained. "The difference between firewall technology and NAC is the decision-making elements in NAC. NAC wants to be as close to the user as possible. NAC cares about who you are."
Snyder, who moderated a NAC panel and Simonson's presentation, said NAC technologies will be daunting to even the most sophisticated IT shops because they cross multiple domains. Among the four primary requirements of NAC -- authentication, environment, access control and management -- management poses the most significant challenges, he said.
"Inherently NAC is impossible to manage because it combines authentication with network gear with end-point security with a policy server. All teams have to come together to manage this one solution," he added. "NAC is 'big picture' hard."
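The two ideas running through Simonson's deployment and Snyder's panel (a decision that combines who the user is with the state of the endpoint, and a monitor-only mode that logs what enforcement would have done without moving or blocking anything) can be shown in a small policy engine. The block below is an added illustration written for this page; it is not Vernier's, Kace's or any vendor's product logic. The group names, VLAN numbers, patch and antivirus thresholds, and the posture reports are all constructed, and the domain account is assumed to arrive as a field already resolved by single sign-on.

```python
"""Toy NAC decision engine: authentication + environment -> access control.

Added illustration only; not any vendor's implementation. Policy values and
sample posture reports below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Endpoint:
    """Posture report for one host, as a NAC appliance might assemble it."""
    mac: str
    user: Optional[str]          # domain account resolved by SSO; None if not signed in
    groups: Set[str]             # domain groups the account belongs to
    av_running: bool
    av_signature_age_days: int
    missing_critical_patches: int


@dataclass
class Decision:
    action: str                  # "allow", "alert", "quarantine" or "deny"
    vlan: Optional[int]          # VLAN to place the host on; None means leave it alone
    reasons: List[str]


# Hypothetical policy; a real site derives these from its own baseline.
POLICY = {
    "allowed_groups": {"Staff", "Lab-Users"},
    "max_signature_age_days": 7,
    "max_missing_critical": 0,
    "production_vlan": 10,
    "quarantine_vlan": 666,
}


def posture_violations(ep: Endpoint, policy=POLICY) -> List[str]:
    """The 'environment' requirement: is the endpoint in acceptable shape?"""
    violations = []
    if not ep.av_running:
        violations.append("antivirus not running")
    elif ep.av_signature_age_days > policy["max_signature_age_days"]:
        violations.append(f"antivirus signatures {ep.av_signature_age_days} days old")
    if ep.missing_critical_patches > policy["max_missing_critical"]:
        violations.append(f"{ep.missing_critical_patches} critical patch(es) missing")
    return violations


def decide(ep: Endpoint, enforce: bool, policy=POLICY) -> Decision:
    """Combine authentication, environment and access control into one decision.

    enforce=False is the monitor-only ('protective') mode: every finding is
    reported as an alert and no host is moved or blocked. enforce=True denies
    unknown users and quarantines non-compliant hosts on a separate VLAN.
    """
    # Authentication: the decision starts with who the user is.
    if ep.user is None:
        return Decision("deny" if enforce else "alert", None, ["no authenticated user"])
    if not (ep.groups & policy["allowed_groups"]):
        return Decision("deny" if enforce else "alert", None,
                        [f"user {ep.user} not in an allowed group"])

    # Environment: patch level and antivirus status.
    violations = posture_violations(ep, policy)
    if violations:
        if enforce:
            return Decision("quarantine", policy["quarantine_vlan"], violations)
        return Decision("alert", None, violations)

    # Access control: compliant, known user goes to the production VLAN.
    return Decision("allow", policy["production_vlan"] if enforce else None, [])


# Constructed sample posture reports (not real hosts or accounts).
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "asmith", {"Staff"}, True, 1, 0),
    Endpoint("00:11:22:33:44:02", "bjones", {"Lab-Users"}, True, 12, 2),
    Endpoint("00:11:22:33:44:03", None, set(), False, 99, 5),
    Endpoint("00:11:22:33:44:04", "visitor", {"Guests"}, True, 0, 0),
]


def evaluate_all(enforce: bool, endpoints=SAMPLE_ENDPOINTS) -> dict:
    """Return {mac: action} so the two modes can be compared side by side."""
    return {ep.mac: decide(ep, enforce).action for ep in endpoints}


if __name__ == "__main__":
    for mode in (False, True):
        print("enforce" if mode else "monitor-only")
        for ep in SAMPLE_ENDPOINTS:
            d = decide(ep, mode)
            print(f"  {ep.mac} {ep.user or '-':8} -> {d.action:10} "
                  f"vlan={d.vlan} {'; '.join(d.reasons)}")
```

Running it with `enforce=False` first and reading the alerts is the same staged rollout Simonson describes: the policy is exercised against real hosts, the reasons show which rule would have fired, and only once the false positives are understood does the switch to quarantine and deny get flipped. Note that the decision draws on three separate sources of truth (directory groups, endpoint agent data and switch VLAN assignments), which is exactly why Snyder calls NAC hard to manage.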