No. 1: Fine-tune your IPS.
"There's a lot of set-it-and-forget-it mentality in intrusion-prevention system marketing, and it's dangerous," says David Newman, president of testing facility Network Test and a Network World Lab Alliance member.
Network World's recent IPS test showed that fuzzing, in which an exploit is altered just enough for the security mechanism to miss it, trips up many IPSs.
Network managers need to understand how each exploit works and how their IPS detects it, and then upgrade that protection routinely.
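As an added illustration (not from the article or from Network World's test), the toy signature check below shows the kind of gap the test exposed: a rule that matches a literal byte string misses protocol-level variants of the same pattern, while a rule that normalizes the stream first still fires. The signature and the sample requests are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed signature pattern for the example; not a real vendor rule.
SIGNATURE = b"../../etc/passwd"


def naive_match(payload: bytes) -> bool:
    """Byte-for-byte match: the 'set-it-and-forget-it' approach."""
    return SIGNATURE in payload


def normalize(payload: bytes) -> bytes:
    """Undo common protocol-level transformations before matching:
    repeated percent-decoding, case-folding, and collapsing of
    '/./' and '//' path segments."""
    text = payload.decode("latin-1")
    for _ in range(3):  # bounded loop handles nested %25xx encodings
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.lower()
    text = re.sub(r"/\./", "/", text)
    text = re.sub(r"/{2,}", "/", text)
    return text.encode("latin-1")


def normalized_match(payload: bytes) -> bool:
    """Match against the normalized stream instead of the raw bytes."""
    return SIGNATURE in normalize(payload)


# Constructed test traffic: the literal pattern plus variants a tester
# would use to check whether the signature still holds up.
SAMPLES = {
    "literal": b"GET /../../etc/passwd HTTP/1.0",
    "url_encoded": b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
    "double_encoded": b"GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.0",
    "dot_segments": b"GET /.././.././etc/passwd HTTP/1.0",
    "benign": b"GET /index.html HTTP/1.0",
}


def evaluate(matcher) -> dict:
    """Run one matcher over every sample; True means the rule fired."""
    return {name: matcher(body) for name, body in SAMPLES.items()}
```

The specific pattern is beside the point; what decides a signature's reach is the normalization applied before the comparison, which is why each rule needs to be revisited as the variants seen in testing change.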
No. 2: Sell security by its benefits.
Start selling security to the purse-holders the way you do all other technology investments -- in measurable terms that relate to the business, recommends Mandy Andress, president of testing facility ArcSec Technologies. Rather than saying how dangerous viruses are as a method to gain the budget for a reputation services anti-spam defence, for example, illustrate how much productivity could be gained by adding another layer of anti-spam control.
No. 3: Automate desktop and network access.
Wireless badges can come in handy for automated access control to desktop PCs, particularly those shared by multiple users in medical exam rooms, warehouses, call centres and the like.
For example, Northwestern Memorial Physicians Group implemented Ensure Technologies' XyLoc MD, which uses 900MHz radio-frequency technology encoded on staff ID badges for authentication, says Guy Fuller, IT manager at the Chicago healthcare organisation. This saves the staff time while ensuring that network access and sensitive information are not available to other users.
No. 4: Link physical access to enterprise applications.
IP-based building-access systems built on industry-standard servers and using the existing data network are more affordable than ever because of open architecture products. Advances in server-management technology mean these systems not only are deployable by network (rather than the physical security) staff but are centrally manageable. Plus, they can integrate with ERP applications and network access-control systems.
Georgia-Pacific, a US$20 billion paper manufacturer in Atlanta, is rolling out Automated Management Technologies' WebBrix, an IP-based building-access system, to the majority of its 400 locations. IT used WebBrix's open application interface to write a custom application called Mysecurity that integrates the system with SAP, among other duties. When employees swipe their badges to gain access to the building, they also are sending data to SAP for time and attendance tracking, says Steven Mobley, senior systems analyst at Georgia-Pacific.
No. 5: Delegate an operating systems guru.
"Operating systems configuration can seem to some like a black art," says Tom Henderson, principal researcher for testing facility ExtremeLabs. Setting the wrong combination is bad news. For example, large memory-block move options can affect the amount of dirty cache with which the operating system must deal, he says. If memory/caching options are balanced incorrectly, the machine could freeze. By assigning a staff member to master the voluminous documentation published by mainstream operating system vendors, servers can be safely fine-tuned to optimal performance for every application. The guru also should master Web server and BIOS setting options.
No. 6: Use VMware server memory smartly.
Without spending a dime, you may be able to boost the amount of memory available on virtualised Windows 2003 physical servers, thereby improving performance of the virtual machines. If all the virtual machines on the same physical box need the same memory-resident code, such as a dynamic link library (DLL), you can load the DLL once into the physical server's main memory and share that DLL with all virtual machines, says Wendy Cebula, COO at VistaPrint, an international online printer with US operations headquartered in Massachusetts. "We've gotten big memory usage benefits by caching once per physical box rather than once per usage," she says.
No. 7: Move applications to a Linux grid.
If you have compute-intensive mainframe applications, don't shy away from lower-cost alternatives such as grid computing because the applications were written in COBOL, says Brian Cucci, manager of the Advanced Technology Group at UPS, which has such a grid. The application will likely have to be redesigned somewhat for the new hardware platform. But vendors can be counted on to help, as they'll want an ally on the new technology.
No. 8: Recognise WAN links may degrade VoIP QoS.
This is particularly true in areas of the country where the public infrastructure is ageing, says Bruce Bartolf, principal and CTO of architecture firm Gensler, in San Francisco. Having completed VoIP installation at seven of 35 sites, Bartolf found unexpectedly high error rates or complete failure on many links. To provide the kind of uptime and quality demanded of phone service, you need to design with alternative fail-over paths on the WAN. Cable may not be much better, but Metro Ethernet, if available, could work well, he says.
No. 9: Ease IP management with an appliance.
Although the tasks that appliances perform can be done with each vendor's gear, "with something as important as IP management, if you don't do it well, you can really hurt your five-nines," Gensler's Bartolf says. He chose Infoblox appliances, which manage numerous tasks, including Trivial File Transfer Protocol (TFTP) firmware upgrades. "Rather than dealing with Microsoft distributed file system, loading a TFTP server on a Microsoft server, running DHCP on a Microsoft server, running SMS on top of that, and managing it all, I have an appliance," he says. "I put it in, and it works."
No. 10: Shelve the fancy visuals.
"We found it highly impractical to make our monitoring visual," VistaPrint's Cebula says. VistaPrint relies on remote monitoring to manage its data centres, including one in Bermuda. It uses home-grown tools to track everything from CPU usage to event correlation. Visual graphing of events slowed down detection and analysis, taking network operations staff an average of five to seven minutes per event to use, Cebula says. When the tools used simple red, yellow and green lights, detection and correlation dropped to one or two minutes per event, she says.
And don't forget to keep your monitoring tools on at all times and run spot checks, advises independent consultant Barry Nance. The most common mistake is not to turn them on until an event occurs.