As today’s Enterprises become more and more reliant on the Internet it will be very interesting how users behaviour will affect businesses and their use of the Internet.  Moreover, as the business community is being courted by the world of SaaS… could it show the vulnerability of public cloud service level agreements.

What’s the impact?  If a video stream is 300kbit/s (ITV’s low resolution) and you have 1,000 staff and 30 are viewing this on your 10Mbit/s Internet connection, they will eat almost all your bandwidth!

So to help you, we have a few pointers:

Try QoS on your router:  This will stop some users, but with the raft of proxies and annonimisers access to World Cup footage is easy.

Don’t forget Audio:  Same issues as video just 30kbp/s per flow.

Throttle don’t Block:  If you block outright, staff will find a way around your block.  Emails will fly from Enterprise to Enterprise with URLs and tricks on how to view a game.  However, if you limit the maximum bandwidth available it will simply slow down and become unwatchable.  At this point users typically give up!

It’s not just media:  Having just watched Apples WWDC 2010, rich media blogging is the next best thing to live audio and video.  There are literally millions of would be broadcasters pushing live Blogs, Twitter and Facebook updates with photo and video clips attached every second of the game!

However, if you want to control of these applications, the only guaranteed way is Next Generation Firewall technology.  They operate by identifying and prioritising the data passed, regardless of the evasion tactic used.  Speak to Varidion today and we will demonstrate how a Palo Alto Next Generation Firewall will strike a happy balance between World Cup viewers and business need.

It’s very simple.  You can’t stop staff trying to extend their days or be available 24 x 7,  and it’s not just the younger Generation Y workers.  Gen X and even boomers have now shifted from work life balance to work life integration…..  So what’s this got to do with passwords? 

It’s data loss… 

Todays connected staff want to carry on their good work on that important spreadsheet or presentation at home, and the best way is the simplest way, email it or upload it to their home and personal account.  Instant data loss!  What protects this corporate data?  A weak password.

Probably their wife’s name,  kid’s name, a pet’s name or if they are security conscious they may have included their date of birth to help throw in a few numbers.  And this is all very public information, but if you don’t know it just ask for it. 

A recent blog claimed that as long as general questions are used as a ‘forgot password’ backup, most web authentication is no more secure than personal knowledge questions.

Joseph Bonneau from the University of Cambridge wrote that with incidents such as Sarah Palin‘s web mail account being hacked and the taking of Twitter documents from a Gmail account, the questions and answers for forgotten passwords are easy to look up online, often found in public records, and easy for friends and acquaintances to guess.

So Security Manager –  do you know what data is leaving your network?  No?   Speak to Varidion and we will show you…..

In order to better support the delivery of email to more users cost effectively, the designers of network equipment built in over subscription; basically to deliver more ports, at a lower price, but each port will never have full bandwidth capability.  This was perfectly fine for the e-mail application and many devices were oversubscribed at 4:1 or more and deployed in a classic Access – Distribution – Core  model.  This is essentially 64:1 over-subscription in each direction – again not a problem for a bursty, non-real-time and asymmetric traffic flow.  We all assumed VoIP would change LANs, but a 64kb/s traffic flow doesn’t get congested too often on a GbE LAN and if it does some simple QoS prioritisation can deal with it.

But the adoption of Web2.0 applications will kill your Infrastructure…..  If its Social Enterprise, SOA, VM, Grids, Clouds – public or private your data no longer goes North South, in fact it travels in every conceivable direction and as you move towards a Cloud based application model your nice local predicable data is now various IP hops away over your 64:1 contended network…  And as all network managers know jitter and latency kills applications.

So, in summary, today’s applications require a new infrastructure, a 2.0 Infrastructure – low latency, low hops, flat and simple network.  If you don’t have one, best you get one…..

This is simply unacceptable. Industry analysts like Gartner have noted this as well, and have recommended that customers move to next-generation network security infrastructure.

Not only do next-generation firewalls vastly increase the visibility and control you have over the applications, users, and content you have on your network – they also save you lots of money on IPS.  With today’s highly segmented networks, this can result in multi-million pound purchases for large organizations – but ironically you still can’t manage threats well.

One of the principal reasons for Gartner’s recommendations is that traditional IPS can’t effectively manage applications and can’t detect threats in SSL-encrypted and compressed content.

Our next-generation firewalls do all of the above, and deliver industrial-strength intrusion prevention capabilities while saving you money.  In fact, the cost of our solution averages under £3,000 per protected network segment – a savings of at least 75% over TippingPoint and ISS.  Don’t take our word for it…  Drop into InfoSec and see for yourself; at the same time get measured up for a bespoke shirt.

Tailored security from Varidion

The traditional three tier switching model of Access, Distribution and Core was conceived by Cisco in the days where data thus traffic flowed vertically to a single point, gathering speed on the way.  100Mbp/s access to GbE uplinks aggregated on 10GbE switches at the core, these in turn fed big fat application specific hosts with GbE network adaptors pushing and pulling very similar data types – mostly all fat clients.

The world is now flat….. Well, its getting flatter by the day.  Applications will no longer live in private data centres; Enterprises will use a mix of SaaS and Private Cloud solutions to meet tomorrow’s demands.  Virtualisation will allow business to turn up and down IT resources to meet with demand.  This has a huge effect on your network infrastructure.

To add to your woes, your staff are using more and more Social Applications, not just Facebook and YouTube but Google Apps, Internet chat and Blogging are all seeing a huge increase within the Enterprise.

So what do I do?

The concern with the traditional model is latency – forcing packets to stop at every layer.  Enterprises should build networks with a distribution layer of 10 GbE switches that is flattened out, becoming the communication link between servers with as few hops as possible, thus killing network latency.

Leaf-spine topology for computing network architecture

Some describe this two-layer switching method as leaf-spine switching topology or, similarly, a fat-tree switching topology.  In this scenario, servers are connected to leaf switches, which are then connected to a broad web of spine switches that provide interconnected bandwidth between leafs and spines.

This fabric of switches, which includes as many ports as possible, allows equal bandwidth access to every connection, enabling non-blocked movement data in an any-to-any server environment. Cloud leaf fabric controls the flow of traffic between servers, while the spine switching fabric moves traffic between nodes bi-directionally.

Very little is static in a cloud environment. Instances of servers and networks are provisioned at the drop of a hat.  To this end, the network architect must seek out a partner that understands the end-to-end solution from Application to User.  Varidion are a next generation service provider that builds and operates fully managed Infrastructure as a service that allows Enterprises to focus on the business elements of IT and not the technology end.

Remember – The network is the Computer!

HTML 5 will blur the line between desktop and online applications. This, along with the release of Google Chrome OS, will create another opportunity for malware writers to prey on users,” McAfee said.

As the browser becomes an integrated part of the desktop and its communication language can access local resources, security devices such as firewalls and Intrusion Detection Systems will be ineffective against these threats in 2010.

Speak to Varidion today about implementing a Next Generation Firewall, that understands these applications and can prevent your data leaving from under your nose.

Read the full report.

It’s this trust that allowed the Koobface worm to spread throughout Facebook and led to a rash of direct-message attacks on Twitter.  The worm connects to a site using log-in credentials stored in the gathered cookies and sends messages to the friends of an infected user.  It also sends and receives information from an infected machine by connecting to remote servers and allows attackers to execute commands on infected machines.  The worm is also targeting users of other social-networking sites, including MySpace, Bebo, Friendster, hi5, MyYearbook, Tagged.com, Netlog, Fubar, and LiveJournal.com.

It’s all part of the next round of social enterprise attacks and the Enterprise must be prepared.  Social Networking applications are more than just another website, many have plug-ins and modules that push and pull information via HTTP while others use SSL and port hopping to bypass the corporate firewall.  So if your protection, i.e. your firewall, doesn’t understand the applications your not protected.  Assuming that all port 80 is HTTP is wrong.  Assuming that all SSL traffic must be official because it’s encrypted is also wrong.  Assuming you also block these sites via URL checking is also wrong.

The only way to protect yourself is by properly identifying the applications entering and leaving your network, by actual name and type not by IP address and port.

Just think what could be leaving your network…  as you embrace the social enterprise because of the good benefits like productivity gains and cost savings, don’t inherit the bad bits such as data loss and theft.  Speak to us about auditing your network and the applications using it and I bet we find applications in use you thought were blocked.

With today’s dynamic applications, a next generation of network security device is required;

• One that can identify the applications in use, even when they are trying to hide.
• One that can identify who has these applications, either through choice or via malware infection.
• One that will control what’s entering and leaving your network, even if it’s encrypted inside SSL.

And until recently you needed to add another point solution or applicance to protect your network.

Next Generation Firewall vendor, Palo Alto Networks, has grasped the nettle and created a Multi-Gigabit Firewall that can identify, control and report on over 1000 applications right down to a user level and even if shrouded in encryption.  Refreshingly, implementing a Palo Alto Next Generation Firewall from Varidion will reduce your appliance sprawl as this single device delivers URL control; Spam filtering; Remote Access (IPSEC and SSL) and Malware detection all for less than £1,000 per month.

Can you afford not to implement one?  Call us today..

So what?

Well its simple, if today you detect and remove the use of file-sharing software within your business by managing and removing applications loaded onto your PCs, then this method is now redundant.  That is, unless you plan to remove browsers from your PCs?

Browser-based file sharing applications are a direct avenue for the transfer of confidential data and allows user download of infected files and malware-infested advertising.

The remedy is simple; you need to identify and control your applications at the network layer.  By their very nature, P2P, Malware and many Web2.0 applications masquerade as valid web and SSL traffic by hiding within their ports and protocols.  So unless your firewall can identify these rogue applications you have no way of controlling them.  Can your firewall distinguish between valid http and file-sharing http?

At Varidion, our Next Generation Firewall can identify and classify some 900 applications so control and protection is simple.  If you still managing by port & protocol speak to us about a free trial of our service, we will even give you a report outlining all the applications in use on your network.  I guarantee we’ll find something you don’t like!