Total Internet Security Software



Archive for January, 2012

IBM And NEC Leverage OpenFlow For High-Performance Networking

IBM and NEC are collaborating on high-performance OpenFlow deployments. OpenFlow, developed at Stanford University, has enjoyed acceptance in university networks because an OpenFlow network can run alongside the campus production network without impacting it. In 2011, OpenFlow broke out of its education niche into the mainstream with announcements from Big Switch, Fulcrum and NEC. IBM's and NEC's announcement is a proof point that OpenFlow has a role in enterprise IT and can be used in high-performance applications.

There are a number of myths surrounding OpenFlow, including that there is a delay on the first packet of a flow while the controller performs a lookup, and that the controller is a single point of failure. Both are easily addressed through sound management practices. In fact, the upsides of using OpenFlow, such as simplified traffic management, policy-based networking that creates paths through the network based on higher-level decisions than the destination address, and software-defined networking with tight integration between applications and network configuration, can far outweigh any downsides. The IBM and NEC announcement describes how enterprises are overcoming these obstacles with OpenFlow on their production networks.

One customer of the combined IBM and NEC products is Selerity which provides financial information from primary sources to their subscribers. Their service-level commitments are on the order of microseconds, required so that all subscribers receive the same information at the same time. In addition, Selerity has to manage subscription entitlements to its customers to ensure they are getting what they paid for. Selerity's entitlement application needs to make those decisions and dispatch the data in near real time. The challenge Selerity faces in meeting all of those competing goals is in maintaining low latency and traffic separation.

Selerity satisfied those requirements using a convoluted set of VLANs and high-end firewalls to forward traffic to the proper locations, or by using an application-level process to make the forwarding decisions. In either case, the solution was complex, inflexible and expensive. Adding a new subscription to a customer meant making a number of changes to networking equipment, which took time and was error-prone.

Using OpenFlow on NEC's Programmable Flow Controller, Selerity was able to move the forwarding decision off the servers and the firewall/switch layer into an OpenFlow-controlled network. Using flow rules defined once on the Programmable Flow Controller, the UDP packets coming from Selerity's servers are rewritten, added to a multicast group and forwarded to the destination ports corresponding to individual customers in a few microseconds. Selerity ensures that the correct data goes only to the intended customers and that all of the customers receive the data at the same time. Selerity was also able to easily add more redundancy to its delivery network, since an OpenFlow network isn't hobbled by Ethernet constraints such as the need for a loop-free topology.
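To make the "flow rules defined once" idea concrete, here is an added example (not NEC or Selerity code) that models a controller turning a per-customer entitlement table into OpenFlow-style match/action rules, and a switch applying them. The feed names, UDP ports, multicast groups and switch port numbers are constructed for illustration; the table-miss rule at the bottom is what keeps unentitled traffic from leaking between customers.

```python
"""Toy model of entitlement-based forwarding with OpenFlow-style flow rules.

Added example, not NEC or Selerity code. Rule format, port numbers and the
entitlement table are constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Constructed entitlement table: feed name -> (UDP destination port used by
# the publishing server, multicast group to rewrite to, switch ports of the
# subscribers entitled to that feed).
ENTITLEMENTS = {
    "earnings": {"udp_dst": 5001, "group": "239.1.1.1", "ports": [3, 4]},
    "macro":    {"udp_dst": 5002, "group": "239.1.1.2", "ports": [4]},
}
PUBLISHER_PORT = 1  # switch port the feed servers are attached to
IPPROTO_UDP = 17


@dataclass
class Packet:
    in_port: int
    ip_proto: int
    ip_dst: str
    udp_dst: int


@dataclass
class FlowRule:
    priority: int
    match: dict                      # field name -> required value
    set_ip_dst: Optional[str]        # rewrite action, or None
    out_ports: list = field(default_factory=list)  # output actions

    def matches(self, pkt: Packet) -> bool:
        # An empty match dict is a wildcard (the table-miss rule).
        return all(getattr(pkt, k) == v for k, v in self.match.items())


def build_flow_table(entitlements: dict) -> list:
    """Controller side: translate the entitlement table into flow rules once.

    One rule per feed: match publisher traffic for that feed's UDP port,
    rewrite the destination to the feed's multicast group and replicate to
    every entitled subscriber port.
    """
    rules = []
    for feed in entitlements.values():
        group = IPv4Address(feed["group"])
        if not group.is_multicast:
            raise ValueError(f"{group} is not a multicast group")
        rules.append(FlowRule(
            priority=100,
            match={"in_port": PUBLISHER_PORT, "ip_proto": IPPROTO_UDP,
                   "udp_dst": feed["udp_dst"]},
            set_ip_dst=str(group),
            out_ports=sorted(feed["ports"]),
        ))
    # Table-miss rule: anything not explicitly entitled is dropped, which is
    # what provides traffic separation without VLAN plumbing.
    rules.append(FlowRule(priority=0, match={}, set_ip_dst=None, out_ports=[]))
    return sorted(rules, key=lambda r: -r.priority)


def forward(table: list, pkt: Packet) -> tuple:
    """Switch side: highest-priority matching rule wins.

    Returns (destination IP after any rewrite, list of output ports); an
    empty port list means the packet is dropped.
    """
    for rule in table:
        if rule.matches(pkt):
            dst = rule.set_ip_dst or pkt.ip_dst
            return dst, list(rule.out_ports)
    return pkt.ip_dst, []


if __name__ == "__main__":
    table = build_flow_table(ENTITLEMENTS)
    for pkt in (
        Packet(PUBLISHER_PORT, IPPROTO_UDP, "10.0.0.9", 5001),  # entitled feed
        Packet(PUBLISHER_PORT, IPPROTO_UDP, "10.0.0.9", 6000),  # unknown feed
        Packet(3, IPPROTO_UDP, "10.0.0.9", 5001),               # subscriber spoofing a feed
    ):
        print(pkt, "->", forward(table, pkt))
```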

Selerity's application and SLA requirements are unique to the financial industry, but many enterprises have similar demands that could be addressed using an OpenFlow-managed network.

IBM and NEC also described unnamed customers using OpenFlow to solve common issues such as forwarding network traffic to multiple analysis devices and forwarding traffic to load balancers. Companies like Anue Systems, Gigamon and NetOptics offer in-line network taps that can combine many network connections into a single output or split a single input into many outputs, either replicating all frames across all output ports or slicing the output stream based on data in the frame such as addresses and port numbers. These taps work well but are expensive and must sit in-line with the monitored link. The security customer connected taps and switch SPAN ports to an IBM G8264 OpenFlow switch, ran the traffic through a deep packet inspection engine and then forwarded the flows to one or more analysis tools. The monitoring is much more flexible than a fixed tap.

More vendors are hopping on the OpenFlow bandwagon, including networking giants Cisco and HP. Juniper Networks added OpenFlow to its Junos SDK in 2011, while OpenFlow controller vendor Big Switch introduced an open source OpenFlow controller early this year. We will continue to see interesting use cases of OpenFlow in production environments.

Learn more about OpenFlow vs. Traditional Networks by subscribing to Network Computing Pro Reports (free, registration required).


Rise Of HTML5 Brings With It Security Risks

HTML5 is the new "it" protocol on the Internet. Among other things, it is an alternative to Adobe's Flash for displaying content through a Web browser. No less an industry authority than the late Steve Jobs declared in 2010 that browsers on Apple devices such as the iPad would support HTML5 and not Flash. But as HTML5 gains wider adoption some of its security flaws are beginning to get noticed, including the WebSocket specification that renders Web pages more quickly than does Flash.

"Anything new comes with some new security concerns," said Joe Bulman, systems architect for Wedge Networks, a network security company specializing in what it calls "deep content inspection" of traffic on Web networks.

HTML5 security issues have drawn the attention of the European Network and Information Security Agency (ENISA), which studied thirteen HTML5 specifications defined by the World Wide Web Consortium (W3C) and identified fifty-one security threats.

A recent alert from security vendor Sophos stated HTML5 provides far more access to the computer's resources than its predecessor, offering capabilities like location awareness, local data storage, graphics rendering and system information queries, which are built in and quite powerful. However, the alert cautions that while the enhancements are great, "they radically change the attack model for the browser. We always hope new technologies can close old avenues of attack. Unfortunately, they can also present new opportunities for cybercriminals."

Bulman identified four main concerns. First is the problem of cross-origin resource sharing (CORS), in which a web server can allow its resources to be accessed by a web page from a different domain. While useful for aggregating content from several sites, he said there is a risk that some content may be shared that shouldn't be. Second is the problem of click-jacking, in which malicious code is surreptitiously placed on a web page image behind a digital mask that makes an item appear to be safe and invites the user to click on it. Third, HTML5 has unique geolocation and privacy issues that need to be addressed, although he added that the HTML5 standards bodies as well as browser vendors are addressing them.

In fact, to its credit, the HTML5 community is responsive and "transparent" in how it operates, he said. Also, HTML5 applications have more restricted access to system resources than Flash does, while HTML5 protocol updates are delivered through browser updates, so they're more likely to be applied. All the major browser vendors are working on HTML5 security issues and the HTML5 community enjoys the support of the Internet's biggest brands, including Facebook, Google, PayPal and Bing, which means that use of HTML5 should be on a strong growth curve.

The fourth potential flaw relates to one of HTML5's best features. The WebSocket API enables two-way communication over one transmission control protocol (TCP) socket. The Websocket.org web site uses the example of a stock ticker Web application to explain how WebSocket works. In a browser using traditional HTTP, in order to display the most current price for a stock, the browser constantly queries the web server for new information, a process called "polling." Because that wastes time and compute resources, WebSocket instead allows the web server to push the information out to the browser only when it has new information to share.

The feature, called asynchronous full duplex communication, drastically reduces the amount of unnecessary traffic between server and browser, said Bulman. In the example of the stock ticker app accessed by 10,000 end users in the experiment, the data traffic reduction ratio was 500:1.

The downside is that WebSocket sidesteps a number of important network security tools. It rides over key network ports such as port 80, where packets are normally screened for anything malicious, and on a WebSocket connection the packets lack the traditional HTTP headers that a web application firewall would inspect in order to block suspicious packets. Reputation-based defenses also fail once WebSocket is deployed.
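Because the inspection points described above only see the initial HTTP exchange, the opening handshake is the one place a WebSocket endpoint can apply conventional header-based checks before the connection turns into opaque frames. The following added example (not Wedge Networks code, nor from the original article) validates a WebSocket handshake server-side per RFC 6455: it requires the Upgrade/Connection headers, a well-formed client key and version 13, enforces an Origin allowlist, and computes the Sec-WebSocket-Accept value. The hostnames and the allowlist are constructed; the GUID and the sample key are the constants from RFC 6455.

```python
"""Server-side WebSocket opening-handshake validation (RFC 6455).

Added example; not the article's or Wedge Networks' code. Hostnames, the
origin allowlist and the sample requests are constructed for illustration.
"""
import base64
import binascii
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455
ALLOWED_ORIGINS = {"https://ticker.example.com"}    # constructed allowlist

# Constructed sample handshake; the Sec-WebSocket-Key is the RFC 6455 example.
GOOD_REQUEST = (
    "GET /ticker HTTP/1.1\r\n"
    "Host: ticker.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Origin: https://ticker.example.com\r\n"
    "\r\n"
)
# Same handshake, but initiated by a page served from another origin.
CROSS_ORIGIN_REQUEST = GOOD_REQUEST.replace(
    "Origin: https://ticker.example.com", "Origin: https://other.example.net")


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: str) -> tuple:
    """Split a raw HTTP request into (request line, lower-cased header dict)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_handshake(raw: str, allowed_origins=ALLOWED_ORIGINS) -> tuple:
    """Validate a handshake; return (HTTP status, accept key or reason).

    101 means the server should respond with the returned accept key;
    anything else is the status to reject with.
    """
    request_line, h = parse_request(raw)
    if not request_line.startswith("GET "):
        return 405, "WebSocket handshake must be a GET"
    connection_tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in connection_tokens:
        return 400, "missing Upgrade/Connection headers"
    if h.get("sec-websocket-version") != "13":
        return 426, "unsupported Sec-WebSocket-Version"
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            raise ValueError("wrong nonce length")
    except (ValueError, binascii.Error):
        return 400, "Sec-WebSocket-Key must be 16 random bytes, base64-encoded"
    # Browsers always send Origin and cannot forge it, so an allowlist here
    # blocks cross-site WebSocket hijacking attempts from other pages.
    origin = h.get("origin")
    if origin not in allowed_origins:
        return 403, f"origin {origin!r} not allowed"
    return 101, accept_key(key)


if __name__ == "__main__":
    print("same-origin :", check_handshake(GOOD_REQUEST))
    print("cross-origin:", check_handshake(CROSS_ORIGIN_REQUEST))
```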

Wedge Networks' solution to this dilemma is an approach it calls "deep content inspection," a feature, introduced in November 2011, of its WedgeOS operating system that powers its security appliances.

"We judge the content, the structure and the intent of the data in motion," said Hongwen Zhang, CEO of Wedge Networks.

Wedge offers a "unique architecture" to deliver high performance deep packet inspection, wrote Chenxi Wang, a Forrester analyst, in a report providing a market overview for the content security space for the third quarter of 2011.

"Using this deep content inspection engine, customers can conduct in-depth malware detection, DLP processing, and content classification at line speed," Wang noted.

But Wedge competes with a number of well-known players in this space, including Cisco, Google, McAfee, Microsoft, Sophos and Symantec, among others, she said.

Learn more about Data Encryption by subscribing to Network Computing Pro Reports (free, registration required).


Meraki Ups The Cloud-Based Networking Ante

Mainstream network players and those chasing them are all out to erase the lines between wireless and wired networking. As the network edge gets redefined and the cloud makes its presence felt in LAN and WLAN spaces, announcements like Meraki's latest update are getting to be more commonplace, and exciting. With a number of interesting product updates to share, Meraki is starting 2012 with a bang.

As mentioned before in this blog, I am a single-site Meraki customer. Though my main wired and wireless networks are built on Cisco gear, last year I opted to run with Meraki in one of my overseas locations for a campus deployment that features site-to-site VPN back to our main campus, routing, and thirty-five access points in a framework that is all-Meraki except for the handful of Cisco edge switches that handle Layer 2 duties. The Meraki deployment has been rock-solid and reliable, but soon will be even better.

Meraki has just announced new hardware and features that bode well for existing and prospective customers, and for the industry in general as a sign of things to come. In my own little corner of the Meraki cloud-managed world, I manage wired and wireless networks via a common dashboard on the web. Though effective, I have found areas where Meraki could do better by their customers. One of these minor pain points is in managing my site-to-site VPN, as the current UI is pretty sparse on relevant information for this important function. Thankfully, the latest incarnation of the Meraki cloud-based management system rectifies this with two-click site-to-site VPN configuration and welcome details on each tunnel's latency and status.

Even bigger to me, no-extra-cost WAN acceleration has come to the Meraki MX series. Legacy customers like me who use the MX 50 or 70 will see modest gains in WAN acceleration after our free and automatic code upgrade, but customers who get in on the latest MX hardware series also get the benefit of increased processing, memory, and a 1 TB hard disk cache for what Meraki estimates to be "up to 197x improved" WAN transfer times. As enterprises like mine continue to globalize, squeezing the most from site-connecting over-the-Internet WAN links is of paramount importance. That you get WAN optimization as part of the MX purchase without additional licensing is huge.

Also part of the latest release, Meraki is introducing its new cloud-managed Layer 2/3 switches with Power over Ethernet. In my own current deployment, I can manage my Meraki MX appliances (routing, security, DHCP, traffic classification and control, guest access, etc.) and wireless APs, but not my Cisco switches, through my cloud-based dashboard. When I rolled out my environment, Meraki did not offer an edge switch. The new MS series switch comes in branch and campus network flavors and, other than not having redundant and field-replaceable fans and power supplies (hint to Meraki), seems to have good feature parity with the big expensive competitors and some nice troubleshooting value-adds not typically found in other switching products. The beauty here is that wired and wireless users alike are identified, classified, controlled, and supported through the same administrative dashboard, regardless of whether they use a patch cable or a wireless adapter to connect.

Given that wireless networking is fast coming to equal or even surpass Ethernet in terms of criticality for user access across different business networks, it's not surprising that vendors are moving into even deeper "whole solution managed under a single pane of glass" waters. Meraki may not be the biggest fish in the networking pond, but I can speak firsthand on its effectiveness at providing a turn-key, cloud-managed solution that makes managing a network easy (and in my case, it's a network on another continent that tightly integrates with my main network). I'm tickled that a good thing is getting even better with Meraki's latest announcements, and am hopeful that others in the networking space are working on similar strategies.

Gone should be the days of thinking of wired and wireless networking as unique spaces, and needing racks full of appliances to gain VPN and enterprise-class security capabilities. Meraki has proven that for the right environments, a tremendous amount can be done with minimal box requirements and that installation and management don't need a team of IT pros to accomplish. Here's hoping we see more of the same from the competition.

Disclaimer: I am a single-site Meraki customer.


Thought Experiment - Forget ROI

Boys and girls, today's homework assignment is a thought experiment. I want you all to put yourselves in the shoes of the CxO team making a decision to move to private cloud. There is of course one catch: you may not factor in ROI. We're dropping ROI because it clouds the subject (bad pun intended). Let's skip the "why should I do this experiment" question; I'd of course default to "Because I told you so."

Let's work through this together; it may be a tough one. Many of us have been trained to make all IT-related decisions based on ROI. Some of this is self-induced, some may come from vendors with ROI spreadsheets utilizing amazing formulas, industry data and handfuls of pixie dust to show how much money you'll save over the next 3 years with widget X.15. For whatever reason, ROI is a big part of most IT-related decisions.

IT decisions weren't originally made this way; instead they were made based on the business value that would be gained from an IT system. IT was purchased based on how it would enable the business to increase profits, build better products, or better serve its customers. That's really what the technology should be about.

The decision to move to private cloud should be based on the competitive advantage it can provide. If we can justify that private cloud can give us the ability to do something better, faster, or at lower cost than the competition we're halfway there. Let's take a look at gaining competitive advantage with private cloud.

Let's start with some example numbers for the time it takes to bring a new service online:

1 week - Design and validate a BOM (bill of materials)

1 week - Receive approvals and submit PO

2 weeks - Wait on required gear

1 week - Rack, stack, cable and configure

3 weeks - Build service, test and validate

2 months - Total time

This is just an example; some of these times may be laughably short or long depending on your organization. Using these example numbers you have a 2-month period between identifying a new service that will enable your business and having that service online. This doesn't take into account the rollout and training of the service once online. If you could cut that time in half would that provide competitive advantage?

By using a private cloud model for delivery of IT services, this process can be trimmed to 3 weeks (using the same example numbers). The infrastructure would be in place, carved into flexible pools, and the tools to automate deployment of the required subset would be available to IT staff, developers, or both. Through a self-service portal the first 4 steps above can take place in minutes.

Additionally, scale is simplified through standardized infrastructure components. Rather than deciding on which server, storage, or switch is required per project, pre-defined components are purchased and plugged into the resource pools as capacity is required. Is your network at capacity? Add a switch to the mesh. The hardware itself becomes nothing more than CPU, RAM, storage and I/O capacity for the delivery model you've built.

The flip side of the above model is removing old or under-performing services. When an application or service is removed from the cloud the resources are returned to the pools. In a legacy data center build, it is difficult to repurpose hardware when a service is no longer needed, and as such often doesn't happen. Scaling down occurs, and services are eventually retired. This model allows for seamless return of the underlying hardware resources to the cloud.

The last piece of competitive advantage is of course cost. Any reduction in cost without a reduction in revenue will inherently increase profits. This is why the ROI model persists so strongly. Private cloud can, and does in many cases, reduce costs but this depends on how mature your IT organization is at the onset. Much of private cloud's cost reduction comes from the virtualization of the underlying hardware; automation and orchestration are not required for that, but help provide the business value shown here.

While cost is always a factor, and quite important, it should not be the first or most important criterion. Cost is more easily modeled and budgeted for once the end goal has been defined. If you begin with an attempt to show ROI you end up with models of very subjective soft costs showing savings over time. These are not solid foundations for such a large change. Define the advantages private cloud can provide your organization, decide whether they provide enough value to embark on the journey, and then model the costs into your budget.


Freeware Increases RJ Lee’s Management Efficiency

Faced with rapid growth and increases in the amount and complexity of data and its IT operations, RJ Lee Group went looking for a way to simplify its computing infrastructure. The company ended up selecting Spiceworks as an alternative to adding staff or spending a lot of money on network and system management software.

"By moving to Spiceworks, we were able to manage our infrastructure more effectively without increasing our expenses," says Justin Davison, senior systems engineer at RJ Lee Group. In business since 1980, the company is an industrial forensics laboratory offering specialized materials characterization, forensic engineering, and information management services. For instance, it helped the United States Environmental Protection Agency (EPA) develop a method to analyze asbestos.

The company's research-based services chew up a lot of IT resources: they have 30 Terabytes of data stored on a Storage Area Network (SAN), and servers primarily running Microsoft's Windows operating system. The 300-person operation works mainly in Monroeville, PA, but has spread its wings to more than half a dozen satellite locations, including New York City and Quebec City.

The small IT staff oversees the dispersed computing infrastructure. Traditionally, this group relied on each component's (server, router) inherent management functions to ensure that its applications were up, and its network connections were functioning well.

By 2008 that approach was proving to be inadequate. "Our applications and IT infrastructure were growing and becoming more dispersed," says Davison. Consequently, tasks such as determining what might be causing a slowdown on a network link, were taking more time to complete. "We needed a tool that would automate some of our routine administrative tasks," he says.

There was no shortage of options available, but the company wanted to keep its expenses as low as possible. So Davison started searching the Web for free management tools, and Spiceworks emerged as an intriguing option because of its all-encompassing nature. Although it began life in 2006 as a basic network inventory and scan tool, the offering has grown into a full-fledged help desk and IT support community with more than 1.5 million users. To stand out from the competition, it uses an advertising-based model: customers do not pay for the product but are exposed to Google-like advertisements.

"Spiceworks is like a 'Swiss Army knife' for system and network management," notes Davison. The product includes a series of modules that can be used autonomously or in conjunction with one another.

After making the decision to go with Spiceworks in the spring of 2008, RJ Lee had the product up and running in a few weeks. "Spiceworks includes an intuitive user interface, so the initial configuration was straightforward," he says.

Once the tool was installed, the company streamlined a few of its management functions. The product's core management features automatically track configurations and report any changes, so technicians no longer had to manually enter that information. A network monitoring feature correlated network activity so the staff had more insight into any performance issues.

While some companies may view the ads as annoying, Davison has found them helpful. His company has purchased more than half a dozen products after seeing various ads.

Another benefit from the freeware is its substantial use of social networking to encourage users to interact with one another. "The Spiceworks community gives me a million people I can reach out to and ask for and share advice," says Davison. The community has become an ad hoc extension to the firm's IT department, offering advice that has remedied a handful of problems that the staff could not figure out on its own.

In the spring of 2010, RJ Lee augmented its use of the system through Spiceworks' Reach program, which enables cloud services vendors to create custom plug-ins so customers can add, manage, and monitor cloud services within its software. Hundreds of management plug-ins are available from vendors such as HP, LogMeIn, Rackspace, and Symantec. "With Spiceworks, we don't have to work with different Web-based portals to monitor and provision any of our cloud resources," he says.

Next on the agenda is to create a portal so employees can submit trouble requests. Spiceworks IT Help Desk Portal's trouble ticket module organizes and prioritizes tickets based on customized criteria, such as due dates. A project management function will enable RJ Lee to delegate, prioritize, and track time spent on various initiatives.

To date, the management tool has been a good fit for the company. One potential concern is the possible lack of the scalability and features that mid-size and large companies desire from their management tool. Also, as a relatively new player in the management space, Spiceworks may encounter skepticism about its long-term viability, especially since it has a non-traditional business model.

However, RJ Lee has no qualms about the vendor or its product. "Companies do not need to be scared off from free software," concludes Davison. "We have found one that meets our needs."

Learn more about IT Pro Ranking: Data Center Networking by subscribing to Network Computing Pro Reports (free, registration required).


Atlantis VDI Ups IOPS Performance 10-20X

Atlantis Computing has announced Atlantis ILIO Diskless VDI, a virtual desktop infrastructure product that makes use of server-based blade storage and that it claims eliminates storage for Citrix and VMware virtual desktop operating system images. This means that users can reduce the capital expenses associated with VDI to less than $200 per desktop while providing boot times of 12 seconds. The company has specifically tested the product with Cisco UCS blade servers, which can deploy up to 6,400 virtual desktops in one rack, and is promoting it with Cisco, but the product is server-agnostic.

"So far it's really interesting, really good," says Steven Bell, infrastructure systems architect for PAETEC Communications Inc., now a part of Windstream Communications, a telecommunications company based in Fairport, NY. "It's definitely a paradigm shift compared to traditional storage. We have yet to deploy it on a larger scale, but we're hoping it'll be able to fulfill those needs."

The company was looking for alternatives to big-box vendor storage arrays, because it wanted to treat its storage in the same non-persistent way it treats its virtual desktop – that is, information is destroyed once a user logs off. "We didn't want to buy a huge expensive frame for something that's here one second and gone the next," he says. It expects to save both operational and capital expenses but does not yet know the amount.

The Mountain View, Calif.-based Atlantis has been selling the ILIO product for some time; what is new is the ability for it to run only on server-based memory, says Seth Knox, director of marketing.

The Atlantis implementation reviewed both with the company and the user is the highest-performing real-world VDI installation seen to date, says James Bagley, senior analyst and business development consultant for Storage Strategies NOW. In particular, the combination of Atlantis' I/O reduction with the Cisco blades creates phenomenal performance, especially since the end user already used Cisco for the switching fabric across its network.

While other VDI implementations have used flash memory appliances, Atlantis is the first to demonstrate such an implementation on blade servers without using a storage appliance or disk array, he says. This is unique and is responsible for the high performance, which is 10 to 20 times the speed of other implementations in terms of IOPS, he says.

However, the "diskless" aspect is a bit misleading, says Henry Baltazar, senior analyst of storage and systems for 451 Research. While the technology is good for storing the operating system and applications, it does not account for user-generated data, such as spreadsheets, presentations, videos, pictures, pdfs, and so on, which ultimately need to be stored on some sort of disk storage system, he says.

VDI has been very popular with vendors and industry pundits, but the market traction has not met expectations. Gartner estimated that there will be as many as 20 million virtual desktops in place by 2014 and last year CDW found that 90 percent of businesses were considering or implementing client virtualization projects. CDW also found that companies were having a number of problems with VDI, from far more than expected complexity, to hard-to-calculate ROI and the challenge of training end users. According to IDC, U.S. thin-client sales will amount to less than 2 million units by 2013.

The product is shipping now. It is priced per named user, in the same way as Citrix and VMware, at $100 per desktop for the first user and at varying prices per user after that, depending on how many users there are, says Bernard Harguindeguy, president and CEO. It is delivered through Atlantis' 60 resellers and partners.

For a VDI alternative, see The Win 8 Transition by subscribing to Network Computing Pro Reports (free, registration required).


Microsoft System Center 2012 Revealed

System Center 2012 can do bare-metal provisioning using IPMI. Relying heavily on templates in System Center 2012, you define the skeleton options like MAC address, networking, storage, etc., which are either resolved at runtime, such as an IP address via DHCP, or taken from a template, like a host name. What is interesting is that System Center can discover server hardware and make it available.

Inside Virtual Machine Manager, we defined our new hardware host and applied it to a server. You can readily track the progress of the deployment. In this lab, the hardware wasn't actually available, so it failed. However, you can drill into the task and see exactly which step failed and which steps remain. In our case, PXE boot failed, so we couldn't talk to the server. Note that VMM used the BMC to power on the host.

Creating a cloud is performed after you define the templates for the underlying hardware. A cloud is just a set of resources that are grouped into a unit. You can then assign them to users and roles. In our case, PrivateCloud20 is using a logical network called Contoso and the lb01.contoso.com load balancer.

We set the capacity for this cloud offering at 12 GB of RAM in total, unlimited storage, and a maximum of 10 virtual machines. All the VMs for this cloud service are based on Hyper-V but could have included Citrix Xen or VMware.

Microsoft's private cloud offering is multi-tenant by its very nature. IT defines the capacity of a cloud service and then users and roles are assigned capacity and rights within that cloud. You can define many cloud services that are ultimately shared across the physical infrastructure.

Using quotas, you can control how cloud resources are consumed. In this case, this particular role is allowed as many virtual CPUs, as much RAM, or as much storage as needed, but the role is limited to five VMs in total. That means the role can only run five VMs regardless of how many users are in the role.

Quotas can be further restricted on a per-user basis. In our case, each member of the role can use 1024 bytes of RAM and may only use a single VM. This leaves room for other role members to use VMs and allows us to add additional roles that can use the same cloud service.

Quota management is very dynamic, and administrators with the right access privileges can change these quotas at any time. You will have to think about your quota strategy so that you are managing your resources effectively.

Users can also be restricted in the actions they can take with the cloud service. Consumers of your cloud service should only be allowed limited access to start and stop their VMs and deploy software. Different administrative roles can be defined. Access controls like these mean IT can delegate cloud management to distributed staff and offload workflows.

Once we define the hardware templates, we configure the OS images that we will deploy. If you have ever installed Windows Server 2008, or any Windows server for that matter, these options will be familiar to you. Tick off what you want, fill in the server name (which itself can be pre-defined via a template), and you have a stock golden image ready to deploy. What is interesting is that you can patch and reconfigure the image and, when it is active, deploy it to your cloud automatically if you desire.

This is where we begin to see the dynamism of System Center. We define the underlying OS and assign an application template, defined elsewhere, to the host. The application template can also have user-submitted fields which are filled out when requesting a new service, or the values can be defined for the application.

Most of the output from System Center 2012 consists, behind the scenes, of PowerShell scripts that get executed. From what I saw, there is no need to ever look at a script, which is great for those who don't know PowerShell. If you do, however, you can customize the scripts to suit your needs. In fact, with PowerShell you can do anything in the GUI in a script, giving IT the potential for deep integration with existing IT systems without relying on third parties. Writing your own PowerShell scripts isn't for everyone, however.

In the VMM Service Template, you can visually arrange the various services and customize the options for them quickly and easily. This is one of the final steps before publishing the service in the service catalog and self-service portal. All of the components are already built; here we are just putting them together. You can easily add more applications as needed.

Bear in mind that we are simply arranging systems together and we are not affecting application code in any way. The application code has to be written to talk amongst the various services. The best practice is to use names for systems and services and never to hard code dependencies. The templates should be able to build and resolve service names and locations dynamically.

While we don't show it, when we publish this application to the self-service portal, users can come to the portal, request an application and fill just a few relevant bits of information such as application name. The tehcincal bits should all be buried out of site. When they request the service, their permissions are validated and the request kicks off a workflow. That work flow could be fully automated or at any point, you could interject a person to take actions. It's entirely up to you.


Thales and Infoblox Address Weak DNSSEC Demand

Information systems and communications security vendor Thales has integrated its nShield hardware security module (HSM) with the Infoblox DNS platform to provide customers with simple deployment of Domain Name System Security Extensions (DNSSEC), a security protocol designed to protect the Internet from attacks like cache poisoning.

Adoption of DNSSEC within the enterprise has been slow, and according to Cricket Liu, VP of architecture at Infoblox, enterprises have run out of excuses to adopt the technology. The threats DNSSEC protects enterprises from are very real and getting worse. Liu says now is the time for enterprises to start deploying DNSSEC, which is where Infoblox and the Thales nShield integration can help.

"The threat of cache poisoning is very real. We've seen cache poisoning attacks out on the Internet. The consequences are very serious," Liu says. Cache poisoning (also known as DNS poisoning) is an attack in which forged DNS answers are injected into a resolver's cache, so that a name resolves to an attacker-controlled address and potential victims are pointed to a site that looks very much like the one they're trying to reach but that has malicious ends in mind. DNSSEC counters it by letting the resolver check that every answer carries a valid signature from the zone's owner before accepting it.

DNSSEC has been gathering momentum fast, but it's on such a small base that adoption is still almost non-existent. According to the sixth annual survey of the DNS infrastructure, adoption soared 340% last year. However, the number of zones that have been DNSSEC-signed is only 0.02%, and almost a quarter of them, 23%, failed validation due to expired signatures.
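The survey's finding that almost a quarter of signed zones failed validation because of expired signatures is the most avoidable DNSSEC failure: a signed zone whose RRSIGs lapse is worse off than an unsigned one, because validating resolvers will refuse the answers outright. The following is an added example (not part of the article, and not Infoblox or Thales code) of the kind of expiry check an operator would run against a zone file or `dig +dnssec` output. It parses RRSIG records in RFC 4034 presentation format and classifies each signature against a reference time; the zone lines, the `NOW` timestamp and the base64 signature bodies are constructed placeholders, not real DNSSEC data.

```python
"""Audit RRSIG validity windows in zone-file or `dig +dnssec` style text.

Flags signatures that have expired, are not yet valid, or will expire
within a warning window so re-signing can happen before resolvers start
rejecting the zone.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, List, NamedTuple, Tuple


class Rrsig(NamedTuple):
    owner: str
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str
    inception: datetime
    expiration: datetime


def _parse_ts(ts: str) -> datetime:
    # RFC 4034 presentation format for both timestamps is YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text: str) -> Iterator[Rrsig]:
    """Yield RRSIG records; comments and other record types are skipped.

    A line that starts with whitespace inherits the previous owner name,
    as in zone-file syntax.
    """
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop ';' comments
        if not line.strip():
            continue
        fields = line.split()
        if line[0].isspace():
            if last_owner is None:
                raise ValueError("owner name omitted on first record")
            owner = last_owner
        else:
            owner = fields[0]
            last_owner = owner
        if "RRSIG" not in fields:
            continue
        rdata = fields[fields.index("RRSIG") + 1:]
        # RDATA order: type-covered alg labels orig-ttl expiration inception key-tag signer sig
        if len(rdata) < 9:
            raise ValueError(f"malformed RRSIG: {line!r}")
        yield Rrsig(
            owner=owner,
            type_covered=rdata[0],
            algorithm=int(rdata[1]),
            key_tag=int(rdata[6]),
            signer=rdata[7],
            expiration=_parse_ts(rdata[4]),
            inception=_parse_ts(rdata[5]),
        )


def classify(sig: Rrsig, now: datetime, warn_within: timedelta) -> str:
    """RFC 4034: a signature is usable only while inception <= now <= expiration."""
    if now < sig.inception:
        return "not-yet-valid"
    if now > sig.expiration:
        return "expired"
    if sig.expiration - now <= warn_within:
        return "expiring-soon"
    return "ok"


def audit(text: str, now: datetime,
          warn_within: timedelta = timedelta(days=3)) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group every RRSIG in `text` by status -> [(owner, type covered, key tag), ...]."""
    report: Dict[str, List[Tuple[str, str, int]]] = {}
    for sig in parse_rrsigs(text):
        status = classify(sig, now, warn_within)
        report.setdefault(status, []).append((sig.owner, sig.type_covered, sig.key_tag))
    return report


# Constructed sample: placeholder base64 in the signature field, fixed "now".
NOW = datetime(2012, 1, 16, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_ZONE = """\
example.com.      3600 IN A     192.0.2.10   ; unsigned data, ignored
example.com.      3600 IN RRSIG A    8 2 3600 20120301000000 20120101000000 12345 example.com. Zm9vYmFy
www.example.com.  3600 IN RRSIG A    8 3 3600 20120110000000 20111211000000 12345 example.com. Zm9vYmFy
                  3600 IN RRSIG AAAA 8 3 3600 20120117120000 20111218120000 12345 example.com. Zm9vYmFy
"""

if __name__ == "__main__":
    for status, records in sorted(audit(SAMPLE_ZONE, NOW).items()):
        for owner, rtype, tag in records:
            print(f"{status:14} {owner:20} {rtype:5} keytag={tag}")
```

Run against a real zone, the "expiring-soon" bucket is the one to alert on; by the time anything lands in "expired", validating resolvers such as Comcast's are already returning SERVFAIL for those names. The check deliberately uses the signature's own timestamps rather than the key's, because a zone can hold perfectly good DNSKEYs and still serve stale RRSIGs if the re-signing job stops running.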

For a long time, businesses of all sizes have been waiting for the root zone and the top-level domains to deploy DNSSEC. Because validation depends on an unbroken chain of trust from the root, through the top-level domain (.com, .net, .org and so on), down to the enterprise's own zone, there was no sense in an enterprise signing its zone except for internal use until its parents were signed, says Richard Moulds, VP of product management and strategy at Thales e-Security.

"Virtually all of the top-level domains have stepped up to use DNSSEC," Moulds says.

DNSSEC has moved down the stack and is now starting to see early adoption by ISPs. Comcast announced the completion of its DNSSEC deployment in early January. As the largest ISP in the United States, its adoption of DNSSEC sets a precedent that others are sure to follow, Liu says. He compares Comcast's adoption of DNSSEC to GoDaddy's full deployment of IPv6 in 2010, which caused the adoption rate of IPv6 to explode from 1.5% to 25% of the market in a single year.

Uptake in the enterprise has been incremental so far, and some businesses (particularly those with websites that process financial transactions and those that fall under various regulatory and compliance requirements) are starting to take notice of DNSSEC. Depending on the type of business and the function of the individual enterprise's website, interest in DNSSEC can be high or low.

There are still a few hurdles to overcome in the deployment of DNSSEC, but some of them are more easily dealt with than others. For instance, not every domain name registrar yet supports DNSSEC, but Liu notes it's a simple process to move a domain name from one registrar to another. In time, support for DNSSEC could be a competitive advantage in the domain name registrar business, he believes.

As enterprises do begin to adopt DNSSEC, which Liu expects to happen more frequently this year, they will look for the easiest way to deploy it. Although IT administrators could do all the work manually, companies like Infoblox present an automated solution to the configuration problem.

When Infoblox systems are used with the Thales nShield HSM, the signing operations run inside the HSM and the zone-signing and key-signing keys never leave its tamper-resistant hardware. Validating resolvers then use the resulting signatures to verify the integrity of DNSSEC-protected records, which Moulds says significantly reduces exposure to cache poisoning.

"This is a big step that the Internet community has taken to strengthen DNS, which is one of the weakest elements of Internet security," Moulds says.

Learn more about Research: Physical and Logical Security Convergence by subscribing to Network Computing Pro Reports (free, registration required).


Are There No Fans for the FAN?

A few years ago, Brad O'Neill, then an analyst with the Taneja Group, coined the term FAN (file area network) to describe a virtualized file storage system. Organizations that build FANs that integrate multiple heterogeneous file stores presenting a single unified, optimized name space should be able to save a significant amount of time, effort and money. The collapse this month of AutoVirt is just another example of how this promising technology has never gained any traction with paying customers.

Having spent much of my career bringing order to the chaos of mismanaged SME data centers, I've been excited by the idea of FANs ever since I saw a demo of the Z-Force switch, which not only distributed files across multiple file servers but distributed data RAID-like across multiple filers, so a dozen little one-drive SNAP servers could deliver 1,000 IOPS.

After all, a FAN would let me transparently migrate data from an old NAS to a new one, even as users access the data. Without a FAN, migrating several million files from one NAS system to another, especially if the new NAS is from a different vendor, is a major project involving late nights running ROBOCOPY while the users are locked out of their stuff.

Even better, a FAN can consolidate files from multiple departmental file servers to a new file store while preserving their UNCs. That way, all the embedded links in the spreadsheet from hell that accounting uses to close the quarter will still work even though we've long retired the file servers called HAN and CHEWIE. The FAN's global name space also means the FAN can spread data across multiple file stores while it looks like a single big filer.

Finally, I can run a policy engine in the FAN that puts the low-value data, like the home directories of all the folks that no longer work at FunCo, on a low-cost tier device that won't need to be backed up as frequently as the active data stores.

Despite all those advantages, sales of FAN systems have been exceptionally unsuccessful. Even if we don't count data classification/ILM vendors like Abrevity and Scentric, the graveyard of FAN companies is well populated. Several tried the hardware approach, building server/switches that sat in front of file stores: Z-Force; Attune, which was built from the ashes of Z-Force; NeoPath Networks, which was bought by Cisco and immediately shut down; and Acopia, which was acquired by F5 to create its last-man-standing ARX file virtualization platform. EMC bought Rainfinity and basically gave it to its professional services group to use during migration projects. Rainfinity's tech recently reappeared in EMC's Cloud Tiering Appliance, which migrates data, FAN-like, to a storage cloud. AutoVirt isn't the first FAN software vendor to go to boot hill, either. NuView's StorageX was snapped up by Brocade in one of its early attempts to diversify beyond Fibre Channel, but it lasted only about a year as a Brocade product.

In AutoVirt's short life (the company was founded in 2007), it used its reported $25 million in venture money to develop AutoMigrate, a migration tool, and AutoManage, a full-blown policy-driven FAN implementation. Unfortunately, the company never sold enough software to make money and is going to the FAN graveyard.

ESG's Steve Duplessie blogged that AutoVirt's crucial mistake was targeting Windows file servers and their data. That meant that their tools made life easy for the Windows admins, and no one in management was going to spend money for that. He may be right.

Have you considered a FAN? If so, what kept you from pulling the trigger?

Disclaimer: Josh Klein and Klavs Landberg of AutoVirt spent a few of those VC dollars to buy me meals and drinks. Brocade and EMC are clients of DeepStorage. The rest of the companies mentioned are dead.


Port 80 Report Highlights Network Risks

If IT security professionals think that by securing Port 80 on their network -- TCP port 80, the default port for HTTP Web traffic -- they are protected from Web application-related threats, they need to think again, according to a new report from a network security provider. The latest "Applications Usage and Risk Report" from Palo Alto Networks discloses that 35 percent of the Web applications and 51 percent of the Web traffic in enterprises do not traverse Port 80 at all.

"There are some risky applications in there," warned Matt Keil, senior threat analyst at Palo Alto Networks, including ones that enable remote access to a computer or that enable file-sharing. "The focus on Port 80 is absolutely a requirement, but too much of a focus on it is short-sighted." The risk to enterprise networks increases as companies use more Web-based applications and as companies use more social networking apps that are delivered over the Web, such as Facebook, Keil said.

The report is based on an analysis of the actual aggregate network activity of 1,636 Palo Alto Networks customers globally. The monitoring tracks all the applications used on each network -- whether in a traditional client-server environment or, increasingly, via the Web -- the amount of bandwidth consumed, and other factors. Each of eight reports the company has published over the last four years analyzes the previous six months of network activity; the latest report covered the six months ending in November 2011.

The report showed that only 25 percent of applications and 32 percent of all traffic used Port 80 exclusively, while another 41 percent of applications and 17 percent of traffic used Port 80 sometimes but also other ports, a practice called "port hopping." The remainder never touched Port 80 at all, which is why a control that only inspects Port 80 sees less than half of the Web traffic on the network.

Palo Alto Networks is a provider of what is called a next-generation firewall, technology that delivers application, user and content-based security for corporate networks. The company was identified as a "leader" in a December 2011 Gartner "Magic Quadrant" report identifying key players in the next-gen firewall market, along with competitor Check Point Software Technologies. Other players identified as "challengers" in the space include Cisco Systems, McAfee and Juniper Networks.

The risk to networks of Web-based apps is driven in large part by business use of social networking sites such as Facebook and Twitter, a conclusion we also reached in Rebooting the Antisocial Network.

Initially, most enterprise use of social networking was "voyeuristic," said Keil, in that employees merely viewed content on those sites. The latest report reveals more active use of social networking for posting content, downloading Facebook apps and games and installing Facebook plug-ins. This happened as companies developed business uses for Facebook, he said, citing examples of heavy equipment maker Caterpillar using Facebook to communicate with dealers, or the Ford Motor Co. loaning several of its new Focus compact cars to drivers and inviting them to post their experience with the cars on Facebook. Twitter use soared to 22 percent in the latest survey from 3 percent in the year-ago survey.

While social media use at its customers is likely a mix of business and employee personal use, the employer is still taking on increased risk, Keil said.

"Social networking has trained the user community to be far too trusting," he said. "Cybercriminals have figured that out."

Also increasing risk is the wider adoption of file sharing on corporate networks, through such services as Box.net or Dropbox, to share files with employees working from home, for example, he said.

Palo Alto Networks was sharing the results of one analysis with a customer and noted that a number of employees were circumventing corporate security policy by running Remote Desktop Protocol (RDP) sessions over a port the firewall did not block, rather than its standard port, to remotely manage servers or PCs. Keil said some of the offending employees were in the room when the presentation was being made.

"It was somewhat uncomfortable for those folks," he said.
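The report's three buckets (Port 80 only, port hopping, never Port 80) and the RDP-on-an-unexpected-port anecdote above are two views of the same measurement: classify each flow by the application its payload matches, not by its destination port, and then compare the two. The following is an added example, not code from the article or from Palo Alto Networks, that computes those buckets and flags known applications running off their standard port over a constructed set of flow records. The `Flow` records, the application names and the `DEFAULT_PORTS` table are all assumptions made for illustration; in practice the `app` field would come from a signature-based classifier.

```python
"""Classify application port usage and flag apps running off their standard port.

Input is a list of flows already labelled by payload signature; the point
is to show what a port-only view misses.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    app: str        # application as identified by payload signature
    dst_port: int   # destination port actually used on the wire
    bytes: int


# Standard ports for applications whose appearance elsewhere is worth a look
# (illustrative table, not the vendor's application database).
DEFAULT_PORTS: Dict[str, set] = {
    "web-browsing": {80},
    "rdp": {3389},
    "ssh": {22},
}

# Constructed sample flows; a port-only firewall would call rdp/8080 "web".
FLOWS: List[Flow] = [
    Flow("web-browsing", 80, 5000),
    Flow("web-browsing", 80, 3000),
    Flow("facebook", 80, 2000),
    Flow("facebook", 443, 2000),
    Flow("dropbox", 443, 4000),
    Flow("bittorrent", 6881, 1000),
    Flow("bittorrent", 80, 500),
    Flow("rdp", 3389, 800),
    Flow("rdp", 8080, 1200),
    Flow("ssh", 22, 300),
]


def port_usage(flows: List[Flow]) -> Dict[str, str]:
    """Map each app to 'port80-only', 'port-hopping' or 'never-port80'."""
    ports_by_app: Dict[str, set] = defaultdict(set)
    for f in flows:
        ports_by_app[f.app].add(f.dst_port)
    categories = {}
    for app, ports in ports_by_app.items():
        if ports == {80}:
            categories[app] = "port80-only"
        elif 80 in ports:
            categories[app] = "port-hopping"      # Port 80 sometimes, other ports too
        else:
            categories[app] = "never-port80"
    return categories


def traffic_breakdown(flows: List[Flow]) -> Dict[str, int]:
    """Percentage of bytes attributable to each port-usage category (rounded)."""
    total = sum(f.bytes for f in flows)
    cats = port_usage(flows)
    bytes_by_cat: Dict[str, int] = defaultdict(int)
    for f in flows:
        bytes_by_cat[cats[f.app]] += f.bytes
    return {cat: round(100 * b / total) for cat, b in bytes_by_cat.items()}


def off_port_flows(flows: List[Flow], defaults: Dict[str, set] = DEFAULT_PORTS) -> List[Flow]:
    """Flows where a known application is running on a non-standard port.

    Only apps present in `defaults` are judged; an unknown app on an odd
    port is not by itself evidence of evasion.
    """
    return [f for f in flows if f.app in defaults and f.dst_port not in defaults[f.app]]


if __name__ == "__main__":
    for app, cat in sorted(port_usage(FLOWS).items()):
        print(f"{app:14} {cat}")
    print("traffic by category (%):", traffic_breakdown(FLOWS))
    for f in off_port_flows(FLOWS):
        print(f"off-port: {f.app} on tcp/{f.dst_port} ({f.bytes} bytes)")
```

On the sample data the RDP session on tcp/8080 is the only off-port hit, which is exactly the case a Port 80 rule set cannot see: blocked on 3389, the session simply moves to a port that is allowed through. The "never-port80" share also shows why the report's headline numbers are about visibility rather than volume: the bytes are not large, but nothing watching only Port 80 would ever account for them.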

Learn more about Rebooting The Antisocial Network by subscribing to Network Computing Pro Reports (free, registration required).

